Appendix A
Questions and Answers
Chapter 1
Review
What protocol enables Web browsers to connect automatically to an ISA Server computer?
Web Proxy Autodiscovery Protocol (WPAD).
What is the function of the HTTP Redirector Filter?
The HTTP Redirector Filter forwards HTTP requests from Firewall and SecureNAT clients to the Web Proxy service. This creates transparent caching for clients that do not have their browser configured to use the Web Proxy service.
How and when are Active Directory directory services used in ISA Server configurations?
All users, rules, and configuration information can be centrally stored and managed in Active Directory directory services. In ISA Server Enterprise Edition, Active Directory directory services allow organizations to share a schema, implement caching arrays, and automatically adopt enterprise settings, access policies, publishing policies, and monitoring configurations.
What advantages does CARP provide over ICP?
First, ICP arrays have "negative scalability": the more servers added to the array, the more querying is required between servers to determine where an object is located. This is avoided in CARP arrays because CARP provides a deterministic request resolution path that eliminates the need for query messaging between servers. Second, in an ICP network, an array can evolve into essentially duplicate caches of the most frequently requested URLs. The hash-based routing of CARP keeps this from happening, allowing all proxy servers to exist as a single logical cache.
What is the purpose of using a multitier policy approach with ISA Server Enterprise Edition?
By allowing both enterprise and array policies, you ensure that a corporate policy is implemented throughout the organization. At the same time, you are able to allow nuances at the department or branch level, enabling departmental managers to create additional rules as necessary.
What feature in Windows 2000 Advanced Server or Windows 2000 Datacenter Server benefits array performance in ISA Server Enterprise Edition?
ISA Server Enterprise Edition uses the Windows Network Load Balancing (NLB) service of Microsoft Windows 2000 Advanced Server to provide fault tolerance, high availability, efficiency, and enhanced performance through the clustering of multiple ISA Server computers.
Chapter 2
Review
What hardware recommendations for processor speed, RAM, and hard drive capacity would you make for an ISA Server installation planned to run in Integrated mode and expected to receive 500 to 900 hits per second and to serve up to 2,000 users in your organization?
550 MHz Pentium III, 256 MB RAM, 10 GB free space on the hard drive.
What are the requirements for installing ISA Server as an array?
The ISA Server computer must be a member of a Windows 2000 domain, and you must initialize the enterprise before installation.
What is the benefit of a perimeter network?
It allows external clients to access your publishing servers without allowing them access to your internal network.
What measures must be taken to allow ISA Server to be co-located with a Web server?
ISA Server, like a Web server, listens on port 80 for incoming requests. To avoid this conflict, you can configure the Web server so that it listens on a port other than 80. Then, you can modify the ISA Server Web publishing rule so that ISA Server forwards the requests to the appropriate port on the Web server. Alternatively, you can configure the Internet Information Services (IIS) server to listen on a different IP address. You could set the IIS server to listen on 127.0.0.1, thereby allowing it to accept requests only from the ISA Server computer.
What is the function of the LAT?
The LAT allows ISA Server to determine which network adapter to use in order to access the internal network.
What measures must be taken to allow Web browsers of cache server clients to connect to an ISA Server computer after a migration from Proxy Server?
You must either configure all downstream chain members (or browsers) connecting to the ISA Server computer to connect to port 8080, or configure the ISA Server computer to listen on port 80. This is necessary because, whereas Proxy Server 2.0 listened for client HTTP requests on port 80, ISA Server is configured upon installation to listen on port 8080.
Chapter 3
Review
You are configuring an ISA Server installation for Firewall and Web caching service in each of two company branch offices. You need to assess requirements and make recommendations about how to configure the client computers. In addition to the 20 employees at each branch office, there are 10 field workers who spend time at both offices and who plug their portable computers into any available Ethernet port when they arrive at either office. The office desktop computers are more or less permanently positioned, and you do not anticipate that you will need to set specific access rules for any user accounts. To maximize efficiency for installation and maintenance, which (if any) computers do you recommend be configured as SecureNAT clients, and which (if any) as Firewall clients?
Since desktop computers do not roam, and since you do not anticipate that access rules will be configured for specific user accounts, these computers should be configured as secure network address translation (SecureNAT) clients to simplify installation and maintenance (which will be minimal). The portable computers, on the other hand, should be configured as Firewall clients, since they will profit from the use of automatic discovery, which only works with Firewall clients.
What is the difference between the Mspclnt.ini file and the Wspcfg.ini file on Firewall client computers?
Both files apply configuration settings for Winsock clients, but in processing Winsock requests, the Firewall Client software gives precedence to the Wspcfg.ini file over the Mspclnt.ini file. The Wspcfg.ini file is found in the directory of the specific Winsock application and therefore applies settings specific to that application. If the Wspcfg.ini file cannot be found, or if no settings exist in the file, the Firewall Client application looks for settings in the Mspclnt.ini file, which is located in the Firewall Client installation folder. This file applies general Winsock settings that are not specific to any particular application.
When automatic discovery is configured, what are the steps it takes to fulfill a client request?
First, the client connects to a Domain Name System (DNS) or Dynamic Host Configuration Protocol (DHCP) server. The DNS server or the DHCP server should have a WPAD entry that points to a Web Proxy Autodiscovery (WPAD) server, which indicates the ISA Server computer. Next, the client's requests are fulfilled by the ISA Server computer identified by the WPAD entry in the DNS server or DHCP server.
Does configuring dial-up entries in ISA Server allow you to share a secure Internet dial-up connection among Web Proxy clients?
No. Web Proxy clients can share a secure dial-up connection without having a dial-up entry configured in ISA Server. Configuring a dial-up entry allows SecureNAT clients to share a secure dial-up connection.
Having recently switched from a dedicated connection to a dial-up connection to the Internet, you disabled your external network adapter and configured a dial-up entry for your existing dial-up connection. However, when your ISA Server computer dials up to your ISP through this dial-up connection, none of your clients can connect to the Internet any longer. What is the first step you should take to troubleshoot the problem?
Whenever you enable or disable a network adapter, you need to restart the Firewall and Web Proxy services before you can re-establish connectivity for your ISA Server clients.
Chapter 4
Review
Under which of the following conditions will John be able to access the Internet through Internet Security and Acceleration Server 2000 (ISA Server)? Assume that the default Allow site and content rule is in place, and that no other rules or filters have been configured.
You configure a protocol rule to allow access to all IP traffic for any request. You then configure a second protocol rule denying access to all IP traffic for user John. You have not modified the default array properties for outgoing Web requests. Will John be able to access the Internet through a Web browser on a secure network address translation (SecureNAT) client?
John will be able to access the Internet through the Web browser. Because the default array properties for outgoing Web requests have not been modified to require user identification, and because you have not configured an allow-type rule that requires authentication, John's Web session will remain anonymous, and the deny rule will not affect him.
You configure a protocol rule to allow access to all IP traffic for all domain users. John is a member of the group Domain Guests (and not Domain Users), and the default array properties for outgoing Web requests have not been changed. Will John be able to access the Internet through a Web browser on a secure network address translation (SecureNAT) client?
John will not be able to access the Internet through the Web browser. Because you have configured an allow-type protocol rule for Domain Users, this rule will force all Web Proxy clients to authenticate themselves. Once authenticated, John will not be able to access the Web because he is not a member of the group Domain Users.
You configure a protocol rule to allow access to all IP traffic for any request. You then configure a second protocol rule denying access to all IP traffic for Domain Guests. John is a member (only) of the group Domain Guests, and the default array properties for outgoing Web requests have been changed to require identification for unauthenticated users. Will he be able to access the Internet through a Web browser on a Firewall client?
John will not be able to access the Internet because anonymous access has been disabled. His session is now subject to authentication by the Web Proxy service, and since he is a member of the group Domain Guests, his request will be denied.
You configure a protocol rule to allow access to all IP traffic for all members of the group Domain Users. John is a member of the group Domain Users. Will he be able to establish an FTP connection across the Internet from a command prompt on a computer not configured with a Firewall client?
John will not be able to access the Internet through an FTP client because his computer is not configured as a Firewall client. For non-Web requests, only Firewall clients can send account information to ISA Server. Since John cannot be authenticated, his request will be denied.
What protective measure can you take if you detect an IP half scan attack originating from a certain network ID?
You can create a site and content rule or an IP packet filter to block all traffic from the range of IP addresses for that network ID.
What are three conditions under which you need to create IP packet filters instead of protocol rules or site and content rules to allow Internet connectivity?
You need to create IP packet filters when you publish servers that are located on a perimeter network, or DMZ; when you run applications or other services on the ISA Server computer that need to listen to the Internet; and when you want to allow access to protocols that are not based on User Datagram Protocol (UDP) or Transmission Control Protocol (TCP).
You have configured a site and content rule that denies access to two destinations: ftp://movies.acme.com/clips and ftp://radio.acme.com. Assuming that your users have permissions to download files from the FTP site, will your users be able to download content through FTP clients on ftp://movies.acme.com? Will they be able to download content from ftp://radio.acme.com/songs?
They will be able to access ftp://movies.acme.com because the rule denies access only to the subfolder. They will not be able to access ftp://radio.acme.com/songs because this subfolder is implicitly denied by the rule denying access to ftp://radio.acme.com.
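The destination matching in this answer (a host-only entry covers every folder on the host, a folder entry covers only that folder and what lies beneath it) can be modelled in a few lines. The following is an added example written for this appendix, not ISA Server's own code; it assumes full URLs as input and ignores the scheme.

```python
from urllib.parse import urlsplit

# Constructed, simplified model of a site and content rule's destination set.
# An entry with no path ("ftp://radio.acme.com") covers the whole host; an entry
# with a path ("ftp://movies.acme.com/clips") covers that folder and everything
# beneath it, but nothing else on the host.
DENIED_DESTINATIONS = [
    "ftp://movies.acme.com/clips",
    "ftp://radio.acme.com",
]


def _split(url):
    """Return (host, path) with the host lower-cased and no trailing slash on the path."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.rstrip("/")
    return host, path


def destination_matches(entry, url):
    """True if `url` falls under the destination-set `entry`."""
    entry_host, entry_path = _split(entry)
    url_host, url_path = _split(url)
    if entry_host != url_host:
        return False
    if entry_path == "":
        # Host-only entry: every folder on the host is implicitly included.
        return True
    # Folder entry: the folder itself or any file/subfolder beneath it.
    # The "/" guard keeps "/clips" from matching "/clipsarchive".
    return url_path == entry_path or url_path.startswith(entry_path + "/")


def matching_entry(url, denied=DENIED_DESTINATIONS):
    """Return the denied destination that covers `url`, or None if none does."""
    for entry in denied:
        if destination_matches(entry, url):
            return entry
    return None


def is_denied(url, denied=DENIED_DESTINATIONS):
    return matching_entry(url, denied) is not None
```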
If you wanted to block a group of Windows 2000 users from downloading all audio content between 10 a.m. and 4 p.m. on weekdays, how many policy elements would you need to create?
You would only need to create one policy element: a schedule for the hours between 10 a.m. and 4 p.m. Audio content is a preconfigured content group policy element, and Windows 2000 users and groups are configured outside of ISA Server. Once you have created this schedule, you can create a site and content rule to deny the group access to the audio content group at all destinations during the scheduled hours.
Chapter 5
Review
A Web Proxy client requests a Web object, and ISA Server consults the cache to see whether a valid version of the object exists. It then finds that the cached version of the object has expired. Following the applicable routing rule, ISA Server then contacts the remote source over the Internet to retrieve the object, but it finds that the remote source cannot be contacted. What does ISA Server do next?
ISA Server checks to see whether you have configured the server to return expired objects from the cache. This setting is configured on the Advanced tab of the Cache Configuration Properties sheet. If you selected the Return The Expired Object Only If Expiration Was radio button, the object is returned from the cache to the user so long as the specified expiration time has not passed.
How does ISA Server determine whether to cache a Web object that has been retrieved from its original location?
ISA Server determines whether the object is cacheable by checking its properties against the parameters set in the Cache Configuration Properties sheet. For example, it checks whether the object's size surpasses the maximum size set on the Advanced tab, and if the object's address contains a question mark (?), it checks whether dynamic content is configured to be cached. If the object meets these conditions, and if you configured the routing rule's cache properties to cache the response, ISA Server caches the object and returns it to the user.
Under what conditions will ISA Server cache dynamic content?
ISA Server caches dynamic content if you have enabled dynamic content caching (on the Advanced tab of the Cache Configuration Properties sheet) and if the routing rule applied to the request specifies that content should always be cached (on the Cache tab of the routing rule's Properties sheet). For scheduled content downloads, you need to configure ISA Server to cache dynamic content in the download job's properties.
What is negative caching, and how do you enable it?
Negative caching is the caching of error response messages returned to ISA Server when a requested Web object is not available from a remote location. To enable negative caching, select the Advanced tab on the Cache Configuration Properties sheet, and then select the Cache Objects Even If They Do Not Have An HTTP Status Code Of 200 check box.
How does ISA Server handle a scheduled content download when the Web server from which the object is being downloaded requires client authentication?
In such an instance, the scheduled content download will fail.
Chapter 6
Review
Which types of publishing rules are available in Firewall mode? In Cache mode?
In Firewall mode, only server publishing rules are available. In Cache mode, only Web publishing rules are available.
Using ISA Server, how would you publish a Simple Mail Transfer Protocol (SMTP) server that is located on a perimeter network?
Create an Internet Protocol (IP) packet filter allowing Transmission Control Protocol (TCP) packets in both directions, with the local port set to 25 and the remote port set to Any. Set the local computer to the IP address of the SMTP server.
When ISA Server receives a Hypertext Transfer Protocol (HTTP) request, which protocols can ISA Server use to bridge the request to the internal destination server?
Requests can be bridged as HTTP, Secure Sockets Layer (SSL), or File Transfer Protocol (FTP).
What port does the Internet Information Services (IIS) Web server use to listen for requests, by default? What port does the automatic discovery feature use to listen for requests? What ports does ISA Server use to listen for internal and external requests by default?
IIS listens for requests on port 80 by default. Automatic discovery also listens for requests on port 80 by default. ISA Server listens for internal requests on port 8080 and for external requests on port 80 by default.
If you have a mail server hosted on the ISA Server computer, what four IP packet filters would you need to create to allow both internal and external clients access to SMTP and Post Office Protocol 3 (POP3) services?
For SMTP, you would need one IP packet filter allowing inbound TCP connections on local port 25 from any remote port and another IP packet filter allowing outbound TCP connections on all local ports to remote port 25. For POP3, you would need one IP packet filter allowing inbound TCP connections on local port 110 from any remote port, and another IP packet filter allowing outbound TCP connections on all local ports to remote port 110.
Chapter 7
Review
You have created an enterprise policy and now you want to apply that policy to the array Branch1. How can you apply the enterprise policy to the array? Under what circumstances will array-level policies be deleted? Under what circumstances will you be unable to apply the policy to the array?
You can apply the enterprise policy to the array by accessing the enterprise policy's properties and selecting the array to which you want the policy applied. Array-level protocol rules and site and content rules are deleted when they are incompatible with the enterprise policy you are applying. You will be unable to apply the policy to the array when the array has been configured to use an array policy only.
How can you modify your default enterprise policy when the defaults are being used by existing arrays?
To change your default enterprise policy when the policy is in use, you must modify each array to use custom enterprise settings.
How can you allow a computer within an array to handle more than its proportional share of network requests?
To allow an array member to accept a greater share of the network requests than is configured by default, you can modify the load factor for that particular computer. You can access this setting through the Computers folder in ISA Management: open the server's Properties dialog box and select the Array Membership tab.
Do standalone ISA Server computers need to be installed in a domain? Can you apply an enterprise policy to a standalone ISA Server installation?
Standalone servers need to be installed in a domain, but it does not have to be a Windows 2000 domain. This is because standalone server configuration information is stored in the registry, not in the Active Directory store. You cannot apply an enterprise policy to a standalone ISA Server installation.
ISA Server includes three wizards to simplify VPN configuration. What is the purpose of each of these three wizards?
The Local ISA Server VPN Configuration wizard allows you to set up the local ISA Server computer to initiate and receive connections. The Remote ISA Server VPN Configuration wizard allows you to configure the remote ISA Server computer to initiate and receive connections. The ISA Virtual Private Network Configuration wizard allows roaming users to connect to the VPN.
Chapter 8
Review
What four major components does the H.323 standard define for real-time, network-based, interactive videoconferencing?
H.323 defines terminals, gateways, gatekeepers, and multipoint control units (MCUs).
What functions does H.323 Gatekeeper provide for H.323 videoconferencing clients?
H.323 Gatekeeper provides address translation that allows H.323 clients to call each other by specifying aliases instead of IP addresses. H.323 Gatekeeper also provides automatic client registration through the RAS protocol. Next, it allows you to apply call control rules and routing rules that specify where to forward calls. Finally, a gatekeeper is also necessary if you want to videoconference through firewalls or use an H.323 gateway to route client calls through the PSTN.
Describe the process by which an H.323 client registered with H.323 Gatekeeper on one network calls the e-mail alias of an H.323 client registered with H.323 Gatekeeper on another network.
The H.323 client connects with your local H.323 Gatekeeper. When H.323 Gatekeeper does not recognize the domain specified in the e-mail alias as an internal address, it forwards the call to the ISA Server computer within your company. ISA Server looks up the address for the domain and makes the query over the Internet to resolve the domain name's associated IP address. When the ISA Server computer at the remote organization receives the query for the H.323 client alias, it contacts its internal H.323 Gatekeeper to obtain the correct in-house address. The H.323 Gatekeeper at the remote site then translates the alias into a network address for its ISA Server computer. The remote ISA Server computer then sends a confirmation back to the ISA Server computer at your company and establishes the connection. From this point through the end of the communication, both ISA Server computers hold open the link established by the H.323 Gatekeepers.
An H.323 client attempts to call another client by specifying the client's alias, someone@microsoft.com. Two e-mail address rules match the requested alias. The first rule specifies the suffix pattern microsoft.com and has a metric of 4. The second specifies the exact pattern microsoft.com and has a metric of 5. Which rule will be applied to the call?
The second rule will be applied because an exact pattern type always takes precedence over a suffix pattern type.
What is the benefit of a call routing rule configured to route to a gateway destination?
When a call is forwarded to an H.323 gateway, the gateway can allow the call to traverse to the PSTN.
Chapter 9
For the first Web connection in the log (initiated at 02:31:35), was the traffic heavier from the client to the server, or vice versa?
The traffic was heavier from the server to the client. The cs-bytes value is 259, and the sc-bytes value is 2200.
For this same connection, was the Web request fulfilled from the cache or from the Internet?
The request was fulfilled from the cache, as evidenced by the s-object-source value of Cache.
At what time was a connection reset by the remote side?
02:34:47. This is the time at which the Web Proxy service logged an sc-status code value of 10054.
Was the object requested at 02:31:45 found in the cache? Had the object been modified? What source was ultimately used to fulfill the request?
The object was found in the cache, but the object had been modified. The Internet was the ultimate source of the request. This is known because the s-object-source value for the request is VFInet.
Which Web operation was conducted at 04:55:14? Was the destination found?
A POST operation was made, and the destination was not found. This is because the s-operation value is POST and the sc-status value is 404.
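The fields these questions rely on (cs-bytes, sc-bytes, s-object-source, sc-status, s-operation) can be read programmatically from a Web Proxy log written in W3C extended format. The following is an added example, not code from the book or from ISA Server; the log lines are constructed to mirror the answers above, and the field subset named in the #Fields directive is an assumption for the example.

```python
# Constructed W3C extended format Web Proxy log (sample data for this example;
# the field subset is an assumption, real ISA logs carry more fields).
SAMPLE_LOG = """\
#Software: constructed sample for this example
#Version: 1.0
#Fields: date time c-ip s-operation cs-uri sc-status sc-bytes cs-bytes s-object-source
2002-10-23 02:31:35 192.168.0.10 GET http://www.example.com/ 200 2200 259 Cache
2002-10-23 02:31:45 192.168.0.10 GET http://www.example.com/news.html 200 5120 300 VFInet
2002-10-23 02:34:47 192.168.0.12 GET http://www.example.com/big.zip 10054 0 280 Internet
2002-10-23 04:55:14 192.168.0.15 POST http://www.example.com/cgi-bin/form 404 512 900 Internet
"""

# Meaning of the s-object-source values that appear in the questions above.
OBJECT_SOURCE = {
    "Cache": "served from the cache",
    "VFInet": "found in cache but modified; verified and fetched from the Internet",
    "Internet": "fetched from the Internet",
}

# Winsock error code ISA Server records in sc-status when the remote side resets.
WSAECONNRESET = 10054


def parse_w3c(text):
    """Parse W3C extended log text into a list of dicts keyed by the #Fields names."""
    fields = None
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other directives (#Software, #Version, #Date) are ignored
        if fields is None:
            raise ValueError("data line appears before the #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError("field count mismatch in line: %r" % line)
        entries.append(dict(zip(fields, values)))
    return entries


def entry_at(entries, time):
    """Return the first entry whose time field equals `time` (HH:MM:SS), or None."""
    for entry in entries:
        if entry["time"] == time:
            return entry
    return None


def heavier_direction(entry):
    """Compare client-to-server bytes (cs-bytes) with server-to-client bytes (sc-bytes)."""
    cs, sc = int(entry["cs-bytes"]), int(entry["sc-bytes"])
    if sc > cs:
        return "server-to-client"
    if cs > sc:
        return "client-to-server"
    return "equal"


def served_from_cache(entry):
    """True when the object came straight from the cache without going to the Internet."""
    return entry["s-object-source"] == "Cache"


def describe_source(entry):
    return OBJECT_SOURCE.get(entry["s-object-source"], "unknown s-object-source value")


def connection_reset_times(entries):
    """Times at which the Web Proxy service logged a remote reset (sc-status 10054)."""
    return [e["time"] for e in entries if int(e["sc-status"]) == WSAECONNRESET]


def operation_and_status(entry):
    """The Web operation performed and the HTTP or Winsock status recorded for it."""
    return entry["s-operation"], int(entry["sc-status"])
```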
Review
What four actions may be configured for an alert? Which of these actions is enabled by default whenever an alert is enabled?
You may configure an alert to send an e-mail message, run a specific program, log the event in the Windows Event Log, or stop or start any ISA Server service. By default, alerts are configured to log the event to the Windows 2000 Event Log.
What would the name be for a Firewall service log file in ISA format created on October 23, 2002?
The log file would be named FWSD20021023.
What credentials must a user have to configure a report job?
The user must have local administrator privileges on every ISA Server computer in the array, and the user must be able to access and launch DCOM objects on every ISA Server computer in the array.
What is one disadvantage of applying a bandwidth priority other than the default bandwidth priority to a connection?
New bandwidth priorities require more processing power than the default bandwidth priority does.
What is the advantage of using ISA Server Performance Monitor to view data gathered by ISA Server performance counters?
ISA Server Performance Monitor allows you to monitor ISA Server data separately from other system data, and it includes 21 ISA Server performance counters that are preloaded into System Monitor, the real-time monitoring tool.
Chapter 10
How many connections are currently active on the external interface of the ISA Server computer? Look at the foreign address for each of those connections. Which ports are being used in foreign addresses to send information to the external interface of your ISA Server computer?
Answers will vary.
Look at the end of the output list. Compared to your answer in Step 5, how many more connections are active on the external interface of the ISA Server computer? Do you see any active ports on foreign addresses that you did not list before? After you view this data, which foreign port can you determine is used to send Web data to the local external IP address?
Port 80 is used to send Web data to the local computer.
To which local ports on the external interface of the ISA Server computer is this Web data sent? These are dynamic ports that vary from connection to connection. Write the numbers corresponding to these ports in the space below.
Answers will vary. Several dynamic ports are active on the external interface.
Review
Your network configuration consists of an ISA Server computer installed on a DMZ. The address space behind the ISA Server computer consists of the 192.168.0.0/24 subnet, and the DMZ in front of the ISA Server computer has been configured with the 192.168.1.0/24 subnet. The ISA Server computer has an internal address of 192.168.0.1 and an external address of 192.168.1.99. The external gateway has an address of 192.168.1.1. You are unable to access the Internet from any client computer behind ISA Server. On the ISA Server computer, you run the Route print command at the C:\> prompt and receive the output shown in Figure 10.5.

Figure 10.5 Routing Table – Question 1
What is the error in the routing table? How can you fix the problem by using the Route command?
The problem with the routing table is that it has not been configured with a default route pointing to the external gateway. To fix the problem, you can type the following command:
route add 0.0.0.0 mask 0.0.0.0 192.168.1.1
After you reboot the server specified in Question 1, you find that the problem returns. How can you avoid reconfiguring the routing table every time the computer reboots?
You can avoid the problem by adding a persistent route. You can achieve this either by adding a static route in the Routing and Remote Access console or by using the -p switch with the ROUTE utility, as follows:
route add -p 0.0.0.0 mask 0.0.0.0 192.168.1.1
With what tool could you spot a SYN attack in progress? What is the telltale sign of a SYN attack?
You could spot a SYN attack in progress with the Netstat command. SYN attacks are distinguished by a flood of half-open connections originating from spoofed source addresses with incrementally increasing port numbers.
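The telltale sign named in this answer (many SYN_RECEIVED entries on one local port, spread across spoofed foreign addresses whose ports climb one by one) can be checked automatically over saved netstat output. The following is an added example written for this appendix, not code from the book or from ISA Server; the netstat listing is constructed, and the threshold of five half-open connections is an arbitrary assumption for a small sample.

```python
# Constructed `netstat -an` listing (sample data for this example, not real output):
# eight half-open connections to port 80 from eight different addresses with
# consecutive foreign ports, alongside ordinary traffic.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.99:80        10.0.0.5:1025          SYN_RECEIVED
  TCP    192.168.1.99:80        10.0.0.6:1026          SYN_RECEIVED
  TCP    192.168.1.99:80        10.0.0.7:1027          SYN_RECEIVED
  TCP    192.168.1.99:80        10.0.0.8:1028          SYN_RECEIVED
  TCP    192.168.1.99:80        10.0.0.9:1029          SYN_RECEIVED
  TCP    192.168.1.99:80        10.0.0.10:1030         SYN_RECEIVED
  TCP    192.168.1.99:80        10.0.0.11:1031         SYN_RECEIVED
  TCP    192.168.1.99:80        10.0.0.12:1032         SYN_RECEIVED
  TCP    192.168.1.99:80        203.0.113.7:3456       ESTABLISHED
  TCP    192.168.1.99:8080      192.168.0.20:1100      SYN_RECEIVED
  TCP    192.168.1.99:8080      192.168.0.20:1101      ESTABLISHED
  UDP    192.168.1.99:500       *:*
"""


def parse_netstat(text):
    """Return a list of (proto, local, foreign, state) tuples; UDP rows have no state."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # banner, blank and header lines
        proto, local, foreign = parts[0], parts[1], parts[2]
        state = parts[3] if len(parts) > 3 else ""
        rows.append((proto, local, foreign, state))
    return rows


def _port(addr):
    """Port number of an 'address:port' string as printed by netstat."""
    return int(addr.rsplit(":", 1)[1])


def _strictly_increasing(seq):
    return len(seq) > 1 and all(b > a for a, b in zip(seq, seq[1:]))


def detect_syn_flood(text, threshold=5):
    """Flag local endpoints with at least `threshold` half-open (SYN_RECEIVED) connections.

    For each flagged endpoint report the count, how many distinct foreign
    addresses are involved (many distinct sources is consistent with spoofing),
    and whether the foreign ports climb in the order netstat listed them.
    """
    half_open = {}
    for proto, local, foreign, state in parse_netstat(text):
        if proto == "TCP" and state == "SYN_RECEIVED":
            half_open.setdefault(local, []).append(foreign)
    flagged = []
    for local, foreigns in half_open.items():
        if len(foreigns) < threshold:
            continue
        flagged.append({
            "local": local,
            "half_open": len(foreigns),
            "distinct_sources": len({f.rsplit(":", 1)[0] for f in foreigns}),
            "ports_increasing": _strictly_increasing([_port(f) for f in foreigns]),
        })
    return flagged
```

On a live server the same function can be fed the output of `netstat -an` captured to a file; a high count with many distinct sources and climbing ports is the pattern the answer describes, while a handful of SYN_RECEIVED rows from one address is normal connection setup.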
What is the purpose of attempting to Telnet to a specific TCP or UDP port?
When you can successfully Telnet to a specific TCP or UDP port, the service listening on that port can accept commands from external users. This may be a desirable condition if you want to publish a service on a given port, but it may also be a security hazard if exploitable services are left open to attack.
If you run the Local ISA Server VPN Configuration wizard and specify L2TP as the authentication protocol, how many IP packet filters will be created? Which ports will be opened statically by these IP packet filters?
Two IP packet filters will be created to allow the L2TP protocol, at ports 500 and 1701.
Appendix B
Questions
You plan to upgrade the two existing computers in the Seattle office running Windows NT 4.0 Server and Proxy Server 2.0 to ISA Server. You also plan to deploy ISA Server at Contoso's two branch offices in Paris and Orlando, as shown in Figure B.1. The Contoso Microsoft Exchange Server computer, published internally in the Proxy Server 2.0 environment, sends and receives Internet mail for internal clients.

Figure B.1 Established network at Contoso, Ltd. showing the future placement of ISA Server computers
What must you do to successfully upgrade your Proxy Server 2.0 installation environment to ISA Server? Remove the two Proxy 2.0 members from the array and then upgrade their operating system installations to Windows 2000 Server and Service Pack 1. Windows 2000 Setup will warn you that Proxy Server 2.0 is not compatible, but it will continue with the upgrade. Once the Windows 2000 Server installation is complete, update the Active Directory schema for the domain by running the Initialize The Enterprise routine. Install ISA Server on the first computer and create an array and enterprise policy. Install ISA Server on the other computer and migrate it to this new array. The cache from the Proxy Server 2.0 computer will be deleted and a new cache will be created for ISA Server. Settings from the Proxy Server 2.0 installation will be migrated to the new array depending how the enterprise policy is configured. Refer to the ISA Server Help file topic titled "Microsoft Proxy Server 2.0 array considerations" for a table describing how rules migrate between Proxy Server 2.0 and ISA Server.
After the migration to ISA Server, the Seattle Exchange Server computer cannot send and receive e-mail from the Internet. What changes must you make to allow it to do this?Publishing an Exchange Server computer in a Proxy Server 2.0 environment requires that the server run the Winsock client with a custom configuration file, WspClnt.ini. This configuration is not supported in ISA Server.
On the Exchange Server computer rename or delete WspClnt.ini and configure it as a secure network address translation (SecureNAT) client by setting the internal network adapter's default gateway to the Internet Protocol (IP) address of the internal network adapter in the ISA Server computer. Verify the default gateway and other network adapter settings with the command ipconfig /all. Do not install the Firewall Client software on the Exchange Server computer. You must publish the e-mail server in ISA Server so that external Simple Mail Transfer Protocol (SMTP) mail will be forwarded to it. Run the Secure Mail Server wizard and ISA Server will walk you through steps to publish SMTP, Post Office Protocol 3 (POP3), and Exchange Server Remote Procedure Call (RPC) ports. Publishing the SMTP protocol permits the Exchange Server computer to receive mail from the Internet. The POP3 and RPC protocols allow external clients to connect to the Exchange Server computer to receive mail. Alternatively, without the help of the wizard, manually create a server publishing rule for the SMTP Server protocol definition and the others, as required. The Exchange Server computer initiates its own outbound connections independent of any publishing (inbound) Transmission Control Protocol/Internet Protocol (TCP/IP) session and connection. Therefore you must create a protocol rule that permits SMTP (port 25) outbound traffic from the Exchange Server computer to external clients (i.e., the Internet) to send outbound mail.
The Contoso main office and two branch offices are in the same Windows 2000 domain. The branch offices are directly connected to the main office by two 1.54 mbps T1/E1 wide area network (WAN) connections. The Orlando office is connected to the Internet via a 256 kbps circuit and the Paris office is connected over a dial-up 56 kbps Integrated Services Digital Network (ISDN) line. Seattle and Orlando clients use Windows 2000 Professional, and the Paris office uses a mix of Windows 2000 and UNIX clients. You have migrated to two ISA Server computers as a single array in Seattle and wish to deploy ISA Server computers in the two branch offices to increase Internet application performance. You want to provide a redundant connection to the Internet for all offices and log Web activity by user. You also want to centrally manage this solution from Seattle and route all Internet traffic through the main branch array.
How would you deploy ISA Server into these branch offices to provide centralized management? Install ISA Server at the two branch offices in Integrated mode to provide caching and secure the redundant Internet connections. Configure ISA Server at the branch offices as separate arrays and name them Paris and Orlando, respectively. Add the new Paris and Orlando arrays to the enterprise policy that includes the Seattle array. The enterprise policy enables centralized management of the protocol, site and content rules, and many of the array policy elements.
Describe how to improve Web and File Transfer Protocol (FTP) performance for the three offices. Configure caching for the three arrays to provide optimum Web and FTP performance. From the properties of the Network Configuration node in ISA Management, chain the Paris and Orlando branch office arrays to the main office Seattle array. For each array, configure all outgoing Web requests to "resolve requests within array before routing." Enable this from the array properties Outgoing Web Requests tab. This creates a hierarchical cache and all outgoing requests will use the Cache Array Routing Protocol (CARP) to efficiently determine what array (if any) contains the cached object before being routed directly to the Internet. For each array, enable the HTTP Redirector Filter application filter to allow SecureNAT and Firewall clients to take advantage of caching. This option appears in the details pane of the Application Filters node. To help relieve Internet traffic congestion during work hours, configure scheduled caching to shift network usage to off-peak times. Enable and configure active caching to refresh popular content in the cache before it expires. Scheduled caching and active caching are configured from the Cache Configuration node in ISA Management.
After configuring caching for the arrays, you notice in Performance Monitor that the Cache Hit Ratio is low. What can you do to improve the Cache Hit Ratio? The Cache Hit Ratio provides a quick means of determining the effectiveness of your caching configuration. A Cache Hit Ratio of zero means that caching is not functional, and a low ratio means that most requests are being served from the Internet, either because the content is not cacheable or because the cache is too small. Increase the size of the cache or increase the time-to-live (TTL) for cached objects.
Describe how to route all Internet traffic from the branch offices through the Seattle ISA Server array while providing a backup connection if the primary connection fails. Create a destination set that includes the internal computers within each branch office. For each branch office array (Paris and Orlando), create a routing rule to route all requests not in the branch office destination set to a specified upstream server and enter the name of the main branch array (Seattle). In the same routing rule, specify that when the primary route is unavailable retrieve the requests directly from the backup route via the dedicated Internet connection in Orlando or the ISDN dial-up connection in Paris.
You review the Web proxy logs and notice that all of the users are anonymous. What changes should you make to log the names of these users? The Windows 2000 Professional clients running Microsoft Internet Explorer support Web Proxy user authentication. On UNIX platforms, configure the clients with a CERN (Conseil Européen pour la Recherche Nucléaire)-compatible browser that also supports Web Proxy user authentication. From the Properties dialog box on each array, click the Outgoing Web Requests tab and then enable the Ask Unauthenticated Users For Identification check box to provide user-level authentication and logging. From this same Properties dialog box, select integrated authentication (the Integrated check box) or digest authentication (the Digest With This Domain check box) for a secure means of authentication, and select basic authentication (the Basic With This Domain check box) for Hypertext Transfer Protocol (HTTP) authentication compatibility. This last option allows browser clients that do not support Windows NT Challenge/Response authentication to authenticate using clear-text account information. If the client's browser is not able to transparently pass authentication information to the ISA Server computer, the browser will prompt the user for authentication information. This authentication is valid for the session and is independent of Web server site authentication requests.
The users in the Paris office have been denied access to some regional sites because their outgoing source IP address is that of the Seattle office ISA Server computer instead of a Paris IP address.
How would you permit all regional traffic (defined as all sites in the .fr top-level domain) originating from the Paris office to route to the Internet through the ISDN dial-up line and continue to route the remaining traffic through the main office? Create a destination set that includes *.fr domains and a routing rule that retrieves these requests directly. Order the rule appropriately so that it is processed before the other routing rules that route traffic to the main office array.
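The two Paris routing questions above (route everything not in the branch destination set upstream to Seattle with a backup route, and route *.fr sites directly) come down to an ordered rule list that is evaluated top to bottom. The following model, added here as an example and not code from the training kit or from ISA Server, shows why rule order matters: the narrow *.fr rule must sit above the catch-all upstream rule, or regional sites still leave via Seattle. The Paris internal destination set (10.0.1.0/24 and *.paris.contoso.com), the rule names and the wildcard semantics are assumptions for the model; the page does not specify them.

```python
import fnmatch
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


def in_destination_set(host: str, patterns: list[str]) -> bool:
    """True if host matches an entry: a domain glob such as '*.fr', an exact
    name, or an IP address / CIDR block (entries starting with a digit)."""
    for pat in patterns:
        if pat[0].isdigit():
            try:
                if ip_address(host) in ip_network(pat, strict=False):
                    return True
            except ValueError:
                continue  # host is a name, so an address entry cannot match
        elif fnmatch.fnmatchcase(host.lower(), pat.lower()):
            return True
    return False


@dataclass
class RoutingRule:
    name: str
    destinations: Optional[list[str]]  # None: rule applies to every destination
    primary: str                       # "direct" or "upstream:<array name>"
    backup: Optional[str] = None       # route used when the upstream is down
    not_in_set: bool = False           # True: applies to hosts NOT in the set


def rule_applies(rule: RoutingRule, host: str) -> bool:
    if rule.destinations is None:
        return True
    matched = in_destination_set(host, rule.destinations)
    return not matched if rule.not_in_set else matched


def select_route(host: str, rules: list[RoutingRule], upstream_up: dict) -> tuple:
    """Walk the ordered rule list; the first applicable rule decides.
    upstream_up maps an array name to whether it is currently reachable."""
    for rule in rules:
        if not rule_applies(rule, host):
            continue
        if rule.primary.startswith("upstream:"):
            array = rule.primary.split(":", 1)[1]
            if not upstream_up.get(array, True):
                return rule.name, rule.backup or "unreachable"
        return rule.name, rule.primary
    return "Default rule", "direct"


# Constructed Paris policy (assumption): internal destination set plus the
# two rules the answers describe, in the order they must be processed.
PARIS_INTERNAL = ["10.0.1.0/24", "*.paris.contoso.com"]
PARIS_RULES = [
    RoutingRule("Regional .fr sites direct", ["*.fr"], "direct"),
    RoutingRule("Everything else via Seattle", PARIS_INTERNAL,
                "upstream:Seattle", backup="direct", not_in_set=True),
]

if __name__ == "__main__":
    for host in ("www.gouv.fr", "www.microsoft.com", "10.0.1.25"):
        print(host, "->", select_route(host, PARIS_RULES, {"Seattle": True}))
    print("Seattle down:", select_route("www.microsoft.com", PARIS_RULES, {"Seattle": False}))
    # Reversing the list puts the catch-all first and the .fr rule never fires.
    print("Misordered:", select_route("www.gouv.fr", PARIS_RULES[::-1], {"Seattle": True}))
```

Running the script shows the .fr request retrieved directly, other Internet requests sent upstream (or to the ISDN backup when Seattle is unreachable), and the misordered list sending www.gouv.fr through Seattle, which is exactly the symptom in the question.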
In Seattle, Contoso Ltd. wants to deploy three Web servers in a Web farm using Network Load Balancing (NLB). The Web farm will be located in a perimeter network and protected by ISA Server. External clients can access this Web farm via HTTP and Secure Hypertext Transfer Protocol (HTTPS) protocols as shown in Figure B.2. These Web servers need to connect to and exchange information across MS SQL Sockets (TCP port 1433) with a Microsoft SQL Server computer that is located in the internal network.

Figure B.2 Configuring a perimeter network and publishing servers using ISA Server
How would you configure the perimeter network and publish the three Web servers to allow the required access? Configure the ISA Server computer that will connect to the perimeter network with a third network adapter (172.16.0.1/24). The network adapter connecting to the perimeter network must be defined as an external network in ISA Server. Verify that the Local Address Table (LAT) of the Seattle array does not include the perimeter network (172.16.0.0/24). Communication between two external networks (such as from the Internet to the perimeter network) across the ISA Server computer is handled by IP Routing and restricted by IP Packet Filters. To permit this, enable IP Packet Filters and IP Routing for the Seattle array. Both of these options are configured in the properties of the IP Packet Filters node. This node is located below the Access Policy node in ISA Management.
Configure the Seattle array to allow Internet access to the perimeter network. Create an IP Packet Filter for HTTP (port 80), and HTTPS (port 443) that allows all remote users access to this local perimeter network.
In order for the Web servers to communicate with the SQL Server on the internal network, you must publish the SQL Server computer. The SQL Sockets protocol is not defined in the default installation of ISA Server. Therefore, create a new protocol definition named SQL Sockets and define its properties as inbound direction, TCP port 1433. You want your external Web users to access the Web servers, which in turn access the SQL Server. You do not want other external users directly accessing the SQL Server. Limit access to only the Web servers using a Client Address Set. Create a Client Address Set that includes the IP address of each of the Web servers (172.16.0.2 through 172.16.0.4). Confirm that IP Packet Filtering is enabled. If IP packet filtering is not enabled, the server publishing rule applies to all clients and the Client Address Set is not referenced. Next, publish the server using the protocol and client set you just defined. Configure the publishing rule so that the external interface address is the perimeter network adapter IP address (172.16.0.1) and the internal address is the SQL Server IP address (192.168.0.10). Configure the SQL Server as a SecureNAT client by setting its network adapter's default gateway to the IP address of the internal network adapter in the ISA Server computer (192.168.0.1).
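The caveat in the answer above, that a Client Address Set on a server publishing rule is ignored unless IP packet filtering is enabled, is easy to miss during an audit. The model below is an added example, not code from the training kit or from ISA Server; it evaluates an inbound connection against the SQL Sockets publishing rule and includes an audit helper that lists rules whose client set is silently unenforced. The addresses 172.16.0.1, 192.168.0.10 and the 172.16.0.0/24 perimeter come from the scenario; the Web server addresses 172.16.0.2 through 172.16.0.4 and the rule names are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class PublishingRule:
    name: str
    protocol: str                            # inbound protocol definition name
    port: int
    external_ip: str                         # ISA Server address the rule listens on
    internal_ip: str                         # published server on the internal network
    client_set: Optional[list[str]] = None   # None: any client may connect


@dataclass
class IsaArray:
    packet_filtering: bool
    rules: list[PublishingRule]


def evaluate_publishing(array: IsaArray, src_ip: str, dst_ip: str, dst_port: int) -> Optional[str]:
    """Return the internal address the connection is forwarded to, or None
    when no rule accepts it.  Mirrors the warning in the text: the client
    address set is only honoured while IP packet filtering is enabled."""
    for rule in array.rules:
        if rule.external_ip != dst_ip or rule.port != dst_port:
            continue
        if rule.client_set is None or not array.packet_filtering:
            return rule.internal_ip
        if any(ip_address(src_ip) in ip_network(entry) for entry in rule.client_set):
            return rule.internal_ip
        return None  # the rule matched the port, but the client is outside the set
    return None


def unenforced_client_sets(array: IsaArray) -> list[str]:
    """Audit helper: names of rules whose client address set is ignored
    because packet filtering is switched off on the array."""
    if array.packet_filtering:
        return []
    return [r.name for r in array.rules if r.client_set]


# Scenario values; the Web server addresses are an assumption (hypothetical).
SQL_RULE = PublishingRule("Publish SQL Server", "SQL Sockets", 1433,
                          "172.16.0.1", "192.168.0.10",
                          ["172.16.0.2", "172.16.0.3", "172.16.0.4"])
SEATTLE = IsaArray(packet_filtering=True, rules=[SQL_RULE])
SEATTLE_NO_FILTERING = IsaArray(packet_filtering=False, rules=[SQL_RULE])

if __name__ == "__main__":
    print("Web server  ->", evaluate_publishing(SEATTLE, "172.16.0.3", "172.16.0.1", 1433))
    print("Other host  ->", evaluate_publishing(SEATTLE, "172.16.0.200", "172.16.0.1", 1433))
    print("Filter off  ->", evaluate_publishing(SEATTLE_NO_FILTERING, "172.16.0.200", "172.16.0.1", 1433))
    print("Unenforced  ->", unenforced_client_sets(SEATTLE_NO_FILTERING))
```

With packet filtering on, only the three Web servers reach 192.168.0.10; with it off, any host that can reach the perimeter adapter is forwarded to the SQL Server, and the audit helper names the rule that needs attention.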
Contoso Ltd. purchased a proprietary server application and installed it on the internal network. You wish to allow remote access to this application for employees only. The employees will access this application by first connecting to the Internet and then running a client application that uses TCP port 2122.
Explain how to publish the proprietary server application. Web server publishing supports rule restrictions that apply both to client address sets and to users and groups. However, server publishing rules support only client address sets (IP addresses), so you must identify and restrict access based on IP address ranges alone. Create a client address set or sets that include all of your remote users, such as the IP address range of Contoso's Internet Service Provider (ISP).
Next, create an inbound protocol definition for TCP port 2122. A protocol must be defined as inbound for it to be listed in the available server publishing protocols. Publish the server by specifying the external IP address of the ISA Server computer and the internal IP address of the proprietary server application. Restrict access to the defined client address set.
The Contoso networking group has redesigned the network to create an Information Technology (IT) maintenance subnet and added a Quality Assurance (QA) lab on its own subnet as illustrated in Figure B.3. However, since adding these new subnets and routers, the QA staff members are unable to access the Internet from their lab.

Figure B.3 ISA Server configuration for complex subnets
What should you reconfigure on the ISA Server computer and on the clients in these subnets to restore connectivity? Check the routing table of the ISA Server computer and add a route (destination and gateway) for the QA lab subnet that is reachable through the ISA Server computer's internal interface. In this example, the ISA Server computer must be configured to route packets destined for the 192.168.1.0/24 and 192.168.2.0/24 subnets to the gateway 192.168.0.2 via the interface 192.168.0.1. Use the route command to verify and troubleshoot the routing problem. Configure the default gateway of each intermediate router to point to the next router upstream, and ultimately to the internal interface of the ISA Server computer.
Verify that the default gateways for SecureNAT clients are configured with the appropriate intermediate router IP address. For this example, configure the computers in the QA lab with a default gateway of 192.168.2.1. Also, verify that the proxy address for Firewall clients and Web Proxy clients is configured as the internal IP address of the ISA Server computer (192.168.0.1). Once the intermediate routers and the clients are configured correctly, TCP/IP routing will carry client connections.
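The answer above describes the routing table fix in words; the model below, added here as an example and not code from the training kit, shows the failure concretely. Without entries for 192.168.1.0/24 and 192.168.2.0/24, longest-prefix matching on the ISA Server computer sends replies to QA lab clients out the default route (toward the ISP) instead of to the internal router at 192.168.0.2, so client requests arrive but replies never return. The helper also produces the `route -p add` lines for whatever routes are missing. The internal addresses come from the scenario; the external addresses (203.0.113.x) are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# A route is (destination network, gateway, interface address); "on-link"
# marks a directly connected network.  The 203.0.113.x values are assumed.
ISA_ROUTES_BEFORE = [
    ("0.0.0.0/0",      "203.0.113.1", "203.0.113.5"),   # default route to the ISP
    ("203.0.113.0/24", "on-link",     "203.0.113.5"),   # external adapter
    ("192.168.0.0/24", "on-link",     "192.168.0.1"),   # internal adapter
]

ISA_ROUTES_AFTER = ISA_ROUTES_BEFORE + [
    ("192.168.1.0/24", "192.168.0.2", "192.168.0.1"),   # IT maintenance subnet
    ("192.168.2.0/24", "192.168.0.2", "192.168.0.1"),   # QA lab subnet
]


def lookup(routes, dst: str):
    """Longest-prefix match over the table, as the IP stack does; returns
    (gateway, interface) for the chosen route."""
    best = None
    for net, gateway, iface in routes:
        network = ip_network(net)
        if ip_address(dst) in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gateway, iface)
    return (best[1], best[2]) if best else None


def route_add_command(net: str, gateway: str) -> str:
    """Persistent Windows 'route -p add' line for a missing entry."""
    network = ip_network(net)
    return f"route -p add {network.network_address} mask {network.netmask} {gateway}"


def missing_internal_routes(routes, internal_subnets, gateway: str) -> list[str]:
    """Commands needed for each internal subnet whose traffic would currently
    leave via some other gateway (typically the default route)."""
    commands = []
    for subnet in internal_subnets:
        probe = str(ip_network(subnet).network_address + 1)   # first host address
        if lookup(routes, probe)[0] != gateway:
            commands.append(route_add_command(subnet, gateway))
    return commands


if __name__ == "__main__":
    print("Reply to 192.168.2.50 before:", lookup(ISA_ROUTES_BEFORE, "192.168.2.50"))
    print("Reply to 192.168.2.50 after: ", lookup(ISA_ROUTES_AFTER, "192.168.2.50"))
    for cmd in missing_internal_routes(ISA_ROUTES_BEFORE, ["192.168.1.0/24", "192.168.2.0/24"], "192.168.0.2"):
        print(cmd)
```

The same check applies to the intermediate routers: each must have a default gateway pointing upstream, and a `route print` on the ISA Server computer should show both internal subnets resolving to 192.168.0.2 before clients in the QA lab are expected to reach the Internet.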
Executive management is asking you to reduce expenses in your department. You think you can do this by replacing the dedicated T1/E1 WAN connection between the main office and the Paris branch office with a virtual private network (VPN) connection and by upgrading the dial-up ISDN connection connecting the Paris office to the Internet with a higher-capacity circuit. You want the Paris office to access its Internet content directly and to no longer be managed from or through the main office in Seattle. Staff in the Seattle office will initiate the VPN connection. You have also created a separate domain for Paris and located its domain controller in the Paris office. The networking team has successfully upgraded the network and you have removed the dial-up adapter from the Paris ISA Server computer and added the external network adapter to connect the Paris office to the Internet, as shown in Figure B.4.

Figure B.4 Revised network in Paris office expanded for VPN
What are the steps that you must perform to reconfigure the ISA Server computer to support this new topology? Remove the Paris ISA Server array from the enterprise policy and uninstall ISA Server to remove the member computer from the array. Add this computer to the Paris domain and run the ISA Enterprise Initialization tool to update the new Paris domain Active Directory schema for ISA Server. Reinstall ISA Server and create a new ISA Server array in the Paris domain. This will add the computer to this new array. Add protocol and site and content rules to allow Paris staff members Internet access.
In Seattle, configure a VPN connection to the Paris office by walking through a Local VPN configuration. On the Paris ISA Server computer, use the Configure A Remote Virtual Private Network wizard and the VPN data file created when configuring the Local VPN to set up the Paris office VPN endpoint.
You have configured the VPN for the Seattle office but are unable to connect to the Paris office. What configurations should you review to troubleshoot this connection? Check the specified protocol. ISA Server supports both Layer Two Tunneling Protocol (L2TP) and Point-to-Point Tunneling Protocol (PPTP); L2TP uses Internet Protocol Security (IPSec). Also be sure to properly configure the remote endpoint by importing the appropriate *.vpc VPN wizard file. The VPN wizard does not permit two-way connection initiation unless you specify it. Also, run the Routing and Remote Access console to ensure that the static routes are configured and that the demand-dial interface appearing in the details pane of the General node is operational.
Contoso Ltd. employs a remote sales force that travels the world and connects to the main office via a toll-free private connection modem service. This direct access is expensive and often busy during times of heavy use. You believe you can save money and provide more people access by configuring a VPN using ISA Server.
Explain how to migrate the users from this private dial-up service to VPN across an ISA Server deployment. Run the Virtual Private Network Configuration wizard in ISA Management on the Seattle array. Running this wizard starts Routing and Remote Access Server and configures it with VPN ports for PPTP and L2TP tunnels. The wizard also adds four IP Packet Filter rules to permit PPTP and L2TP packets access to the ISA Server computer. For each client, configure a dial-up account to the Internet and a secondary VPN connection. For Windows 2000 clients, use the Network Connection wizard and configure a new connection to a private network through the Internet. Specify the VPN host name as the IP address or fully qualified domain name of the external adapter on the ISA Server computer.
These remote users frequently visit the other two Contoso offices and dock their portable computers into the Local Area Network (LAN). However, whenever they are not connected to their home office LAN, they are unable to access the Internet. These users run the Firewall Client software.
Why are the users not able to access the Internet from remote offices? Describe an administratively efficient means for fixing this problem without manually configuring every portable computer. The Firewall client or Web Proxy client and the ISA Server computer might not be configured for automatic discovery. From the Control Panel on a client computer, double-click the Firewall Client icon and select the Automatically Detect ISA Server check box. The automatic discovery of a Web Proxy client is done through the client's Web browser. When automatic discovery is disabled, clients will be unable to update their connections to other ISA Server computers automatically, such as when visiting other offices.
ISA Server supports updating clients over the Web Proxy Auto Discovery Protocol (WPAD). From the array properties dialog box, click the Auto Discovery tab. Then, select the Publish Automatic Discovery Information check box and specify the port for automatic discovery requests. By default this is port 80, which is also the default port for the Web server. Therefore, if you are running Internet Information Services (IIS) on the ISA Server computer, verify that no Web sites on the server are using port 80; otherwise they will conflict with autodiscovery on the same port. Use a tool such as netstat -an to check for other applications sharing this port. Next, configure either DNS or DHCP to supply the clients with the appropriate WPAD entry. Detailed instructions for configuring the DNS and DHCP entries are located in this training kit and in the ISA Server Help files.
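The port-conflict check above is worth scripting before autodiscovery is enabled, because DNS-based WPAD clients fetch http://wpad.<domain>/wpad.dat on port 80 and a Web site already bound there will answer instead of ISA Server. The following parser is an added example, not code from the training kit; it reads `netstat -an` output and reports which addresses are already listening on the chosen port. The netstat text is a constructed sample of an ISA Server computer also running IIS; run it against real output captured before the Publish Automatic Discovery Information option is turned on, since afterwards ISA Server itself will hold the port.

```python
# Constructed sample of "netstat -an" output (addresses and ports are made up).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.0.1:8080       0.0.0.0:0              LISTENING
  TCP    192.168.0.1:8080       192.168.0.55:1043      ESTABLISHED
  UDP    0.0.0.0:1745           *:*
"""


def tcp_listeners(netstat_text: str) -> list[tuple[str, int]]:
    """(address, port) pairs for every TCP socket in LISTENING state.
    Established connections and UDP sockets are skipped."""
    found = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            addr, port = parts[1].rsplit(":", 1)
            found.append((addr, int(port)))
    return found


def port_conflicts(netstat_text: str, port: int) -> list[str]:
    """Addresses that already listen on the port chosen for autodiscovery."""
    return [addr for addr, p in tcp_listeners(netstat_text) if p == port]


def autodiscovery_port_ok(netstat_text: str, port: int = 80) -> bool:
    """True when nothing else has claimed the autodiscovery port (80 by default)."""
    return not port_conflicts(netstat_text, port)


if __name__ == "__main__":
    # On a live system replace SAMPLE_NETSTAT with the output of: netstat -an
    for port in (80, 8080, 8081):
        print(f"port {port}: conflicts={port_conflicts(SAMPLE_NETSTAT, port)}")
```

In the sample, port 80 is taken by a Web site bound to all addresses (0.0.0.0), so autodiscovery on the default port would be shadowed; either move that site or pick a free port and point the DNS or DHCP WPAD entry at it.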
The Orlando office has reorganized and re-branded with a new company name. To reflect this, the entire office has migrated to a new Active Directory domain. However, the network traffic from Orlando is still configured to route to the Internet via the Seattle office ISA Server computer.
After the domain change, you notice that your network traffic to the Internet has increased significantly and your users have slower intranet access. The Orlando staff members run the Firewall Client software. What is the most likely reason for the network delay that users are experiencing? Check the logical locations of both the internal and external domain name servers (DNS) and confirm that the clients are not configured to have internal computer names resolved by external name servers. With the Firewall Client software enabled, the client sends name resolution requests to the ISA Server computer instead of resolving them itself. Because clients are using the Firewall Client software, configure the Local Domain Table (LDT) with the names of the internal domains. The Firewall Client software first queries the LDT for its destination domain. If the domain is listed, the client resolves the name locally and does not forward the request to the ISA Server computer for name resolution. This is an efficient means of resolving names of internal domains. The LDT query works only with computers configured as Firewall clients.
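The LDT decision described above is simple to model, and doing so makes the Orlando symptom visible: once the office moves to a new domain that the LDT does not list, every lookup for the new internal names is forwarded to the ISA Server computer. The code below is an added example, not code from the training kit or from the Firewall Client; it classifies names as resolved locally or forwarded, and includes an audit helper that flags internal names the current LDT fails to cover. The domain names (contoso.com and the new orlando-newco.example) and the observed name list are constructed; the page does not give the new domain name, and the wildcard semantics are a modelling choice.

```python
def ldt_matches(name: str, ldt: list[str]) -> bool:
    """True if the destination name is covered by a Local Domain Table entry:
    an exact host name or a wildcard domain such as '*.contoso.com'.  In this
    model the wildcard also covers the bare domain name itself."""
    name = name.lower().rstrip(".")
    for entry in ldt:
        entry = entry.lower()
        if entry.startswith("*."):
            domain = entry[2:]
            # Require the dot so that 'evilcontoso.com' does not match '*.contoso.com'.
            if name == domain or name.endswith("." + domain):
                return True
        elif name == entry:
            return True
    return False


def resolver_for(name: str, ldt: list[str]) -> str:
    """Where a Firewall client resolves the name: locally if the LDT lists its
    domain, otherwise the request is handed to the ISA Server computer."""
    return "local DNS" if ldt_matches(name, ldt) else "ISA Server"


def forwarded_internal_names(names: list[str], ldt: list[str], internal_domains: list[str]) -> list[str]:
    """Audit helper: internal names that the LDT does not cover and that
    Firewall clients therefore send to ISA Server for resolution."""
    return [n for n in names
            if resolver_for(n, ldt) == "ISA Server" and ldt_matches(n, internal_domains)]


# Constructed values (assumptions): the old LDT only knows contoso.com, and the
# re-branded Orlando office now lives in orlando-newco.example.
OLD_LDT = ["*.contoso.com"]
NEW_LDT = OLD_LDT + ["*.orlando-newco.example"]
INTERNAL_DOMAINS = ["*.contoso.com", "*.orlando-newco.example"]
OBSERVED = ["fs01.orlando-newco.example", "mail.contoso.com", "www.microsoft.com"]

if __name__ == "__main__":
    for n in OBSERVED:
        print(f"{n:30} old LDT -> {resolver_for(n, OLD_LDT):10} new LDT -> {resolver_for(n, NEW_LDT)}")
    print("Leaking with old LDT:", forwarded_internal_names(OBSERVED, OLD_LDT, INTERNAL_DOMAINS))
```

With the old table, fs01.orlando-newco.example is forwarded to ISA Server alongside genuine Internet names; adding the new domain to the LDT returns those lookups to the clients' local resolver, which is the fix the answer describes.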