Microsoft Internet Security and Acceleration Server 2000 in Education Deployment Kit

 

Chapter 7

Protecting Departmental/Student LAN segments with ISA Server 2000

 

 

 

 

 

 

 

 

 

Dr. Thomas W Shinder

Debra Shinder

January 2004

 

 

Table of Contents

Network Topologies. 4

ISA Server 2000 Firewalls Placed at the Edge of Departmental and Student LANs. 5

ISA Server 2000 Firewalls Placed at the Edge of Departmental and Student LANs and Centralized Web Caching Server or Caching Array Placed on Campus Backbone. 6

ISA Server 2000 Firewalls Placed at the Edge of Departmental and Student LANs and ISA Server 2000 Firewall Placed in Parallel with Current Internet Firewall 7

ISA Server 2000 Firewalls Placed at the Edge of Departmental and Student LANs and Site to Site VPN Links Joining Trusted Networks  9

Configuring Firewall Chaining. 12

Installing the ISA Server 2000 Firewall Software on Windows Server 2003 LAN and Campus Backbone Network Firewalls  14

Install ISA Server Service Pack 1. 30

Install HotFix isahf255.exe. 33

Install Feature Pack 1. 35

Create a Base Configuration on the ISA Server 2000 LAN and Internet Edge Firewalls. 36

Configure Firewall Chaining Between the LAN Firewalls and Internet Edge Firewalls. 56

Create Access Policy to Control Outbound Access at the LAN and Internet Edge Firewalls. 64

Install the Firewall Client on the Internal Network Client Computer 83

Making the Connection. 89

Configuring Web Proxy Chaining. 100

Configuring Web Proxy Chaining to the ISA Server 2000 Firewall and Web Caching Server 100

Making the Connection. 114

Summary. 124

 

 

 

 

Educational institutions face unique challenges in securing their networks against intruders, attackers, viruses and malicious code. The academic environment is based on free and open flow of information, yet educational institutions are also bound by laws and policies designed to protect student privacy and proprietary information.

 

Thus, the balancing act between access and security is even more difficult than in the typical corporate environment. Schools and universities also must deal with many of the same threats and problems common to the business network, but in some cases on a much larger scale (for example, the prevalence of peer-to-peer (P2P) file sharing is greater on campuses).

 

Both students and teachers today depend on access to the Internet and internal network resources in order to do their jobs. The growing popularity of wireless networking on campus further complicates the task of securing campus networks.

 

Specific issues that must be addressed by today’s educational institutions include the following:

  • Need to keep confidential student information such as social security numbers, grades, etc. secure.
  • Need to keep financial records secure (student loan information, donor information, credit card numbers)
  • Need to protect the institution against vicarious liability stemming from P2P programs, student hackers and other student activities on the network that might violate state or federal law or incur civil liability.
  • Need to protect the integrity of administrative information such as grades against tampering.
  • Need to protect faculty/staff information (instructor notes, lesson plans, personnel records) from tampering and/or divulgence).
  • Need to protect the confidentiality of student medical records.
  • Need to protect the network against denial of service (DoS) and other attacks and viruses that impact productivity and access of network users.

 

Cost is another important factor for both public and private educational institutions that must operate within a defined – and often limited – budget. IT budgets are traditionally tight in the college/university environment, and IT departments are often understaffed, with administrators who are overworked and underpaid in comparison with their corporate counterparts. Due to the lower pay scales and the fact that students are often recruited to do much of the work, skill and/or experience levels may be lower than in the business world. Thus ease of use becomes a top priority when selecting a security solution.

 

ISA Server 2000 firewalls can be used within the campus to protect departmental or student LANs. In addition to protecting student LANs, an ISA Server 2000 computer can speed access to essential resources. ISA Server can act as both a firewall and a Web Proxy server for the campus network. These two components provide the following features for the LAN segment or segments behind the ISA Server 2000 machine:

 

  • Firewall

ISA Server 2000’s firewall features allow you to control inbound and outbound access into and out of the protected segments. You can place the ISA Server 2000 firewall in front of a departmental or student LAN and allow access to sites and protocols based on user account or group membership. Inbound access into the protected network can be controlled so that only selected servers and services can be accessed by hosts outside of the protected network. Firewall chaining can be used to make Internet access for departmental LANs independent of your current routing infrastructure as downstream ISA Server 2000 firewalls can communicate directly with upstream ISA Server 2000 firewalls.

 

  • Web Proxy

The Web Proxy component of ISA Server 2000 can be used to bring Web content closer to the protected network. The ISA Server 2000 Web Proxy server can be chained to upstream Web Proxy servers to allow users on the protected LAN to benefit from content located on their local cache as well as from content contained in a centralized cache that serves the entire institution. Caching at the local ISA Server 2000 reduces the amount of traffic on the campus backbone and the centralized cache reduces overall bandwidth consumption on the institution’s Internet links.

 

In this document, we will discuss the following:

 

  • Sample network topologies and how ISA Server 2000 firewalls and Web caching servers can be used on campus networks to provide departmental and student LAN protection and access control and Web caching
  • How to configure firewall chaining to make the ISA Server 2000 firewalls independent of your current routing infrastructure. Firewall chaining allows you to drop ISA Server 2000 firewalls into your current network infrastructure with a minimum of disruption
  • How to configure Web proxy chaining to bring Web content closer to users on the protected networks. Web Proxy chaining allows you to configure the Web Proxy servers to communicate directly with one another so that there is minimum disruption to the current network infrastructure
  • How to configure site to site VPN connections between departmental or student LANs. The site to site connections allow LANs separated across the campus backbone to communicate directly with one another without being subjected to firewall policies. These LANs can then be members of the same Windows NT 4.0 or Windows 2000/Windows Server 2003 Active Directory domain.

Network Topologies

ISA Server 2000 firewalls can be placed on a campus network with an existing routing and firewall infrastructure. Most educational institutions have an existing firewall and routing infrastructure that has evolved over time and reconfiguring the existing infrastructure could lead to a large amount of financial and administrative overhead.

 

The following ISA Server 2000 firewall topologies allow you to leave your current firewall and routing topologies in place and still benefit from the powerful application layer filtering and Web caching features available with ISA Server 2000.

 

  • ISA Server 2000 firewalls and Web caching servers placed at the edge of departmental and student LANs
  • ISA Server 2000 firewalls and Web caching servers placed at the edge of departmental and student LANs and a centralized Web caching server or server array located on the network backbone
  • ISA Server 2000 firewalls and Web caching servers placed at the edge of departmental LANs and an ISA Server 2000 firewall placed at the edge of the campus network. The ISA Server 2000 firewall is placed in parallel with an existing packet filtering firewall
  • ISA Server 2000 firewalls and Web caching servers placed at the edge of departmental and student LANs. Protected networks are joined via site to site links between ISA Server 2000 firewall/VPN gateways

 

ISA Server 2000 Firewalls Placed at the Edge of Departmental and Student LANs

You can place ISA Server 2000 firewall and Web caching servers at the edge of the departmental and student LANs. This configuration allows you to replace only the devices at the edge of the departmental and student LANs and keep the current firewall and routing infrastructure in place.

 

Advantages of this configuration include:

 

  • The current firewall at the edge of the campus network is left intact. There is no need to change any of the settings on the current firewall at the campus network edge
  • Only the devices at the edge of the departmental and student LAN edges need to be replaced. You do not need to change the current routing infrastructure to support the new ISA Server 2000 firewall and Web caching servers
  • You can control access to and from the departmental and student LANs on a user or group basis. The user accounts and groups can be created on the ISA Server 2000 firewall and Web caching servers, or you can create Windows NT 4.0 or Windows 2000/Windows Server 2003 Active Directory domains on the LANs and create the user and group accounts there.
  • Traffic on the campus LAN and Internet link is reduced because popular Web content is stored on the local ISA Server 2000 firewall and Web caching server.

 

The figure below shows the high-level placement of the ISA Server 2000 firewall and Web caching servers on the campus network.

 

 

 

 

ISA Server 2000 Firewalls Placed at the Edge of Departmental and Student LANs and Centralized Web Caching Server or Caching Array Placed on Campus Backbone

You can build on the ISA Server 2000 firewall and Web caching server at the departmental and student LAN edge configuration by adding a Web-caching only ISA Server 2000 computer or array on the campus backbone.

 

The advantages of this configuration include:

 

  • The current firewall at the edge of the campus network is left unchanged. There is no need to alter any of the settings on the current firewall at the campus network edge
  • Only the devices at the edge of the departmental and student LAN edges need to be replaced. You do not need to change the current routing infrastructure to support the new ISA Server 2000 firewall and Web caching servers
  • You can control access to and from the departmental and student LANs on a user or group basis. The user accounts and groups can be created on the ISA Server 2000 firewall and Web caching servers, or you can create Windows NT 4.0 or Windows 2000/Windows Server 2003 Active Directory domains on the LANs and create theuser and group accounts there.
  • Traffic on the campus backbone is reduced because popular Web content for each protected LAN is cached on the local ISA Server 2000 Web caching server
  • Traffic on the Internet link is reduced because popular content for all protected LANs is cached on the centralized Web caching server or Web caching array

 

The figure below shows the high-level placement of the ISA Server 2000 firewall and Web caching servers at the LAN edges and a Web caching array on the backbone network.

 

 

 

 

ISA Server 2000 Firewalls Placed at the Edge of Departmental and Student LANs and ISA Server 2000 Firewall Placed in Parallel with Current Internet Firewall

You can build on the ISA Server 2000 firewall and Web caching configuration at the departmental and student LAN edges by placing an ISA Server 2000 firewall and Web caching server at the Internet edge in parallel with existing Internet firewalls made by other vendors. You could also place an ISA Server 2000 firewall and Web caching server on the campus backbone network and configure firewall chaining between the LAN ISA Server 2000 firewalls, the backbone ISA Server 2000 firewall and the non-Microsoft Internet edge firewall.

 

The advantages of this configuration include:

 

  • The current firewall at the edge of the campus network is left unchanged. There is no need to alter any of the settings on the current firewall at the campus network edge
  • Only the devices at the edge of the departmental and student LAN edges need to be replaced. You do not need to change the current routing infrastructure to support the new ISA Server 2000 firewall and Web caching servers
  • You can control access to and from the departmental and student LANs on a user or group basis. The user accounts and groups can be created on the ISA Server 2000 firewall and Web caching servers, or you can create Windows NT 4.0 or Windows 2000/Windows Server 2003 Active Directory domains on the LANs and create theuser and group accounts there.
  • Centralized application layer filtering can be performed for all protected LANs at the Internet edge and/or on the campus backbone. This provides an additional tier of protection in the event that configuration errors are made on the LAN edge firewalls. Downstream ISA Server 2000 firewalls are chained to upstream firewalls
  • Inbound access scenarios to the campus backbone or protected LANs can be implemented at the network edge or campus backbone using ISA Server 2000’s sophisticated application layer filtering mechanisms
  • Traffic on the campus backbone is reduced because popular Web content for each protected LAN is cached on the local ISA Server 2000 Web caching server
  • Traffic on the Internet link is reduced because popular content for all protected LANs is cached on the centralized Web caching server or Web caching array

 

 

 

The figure below shows the high-level placement of the ISA Server 2000 firewall and Web caching servers at the LAN edges and ISA Server 2000 firewalls and Web caching servers on the corporate backbone and Internet edge.

 

 

 

ISA Server 2000 Firewalls Placed at the Edge of Departmental and Student LANs and Site to Site VPN Links Joining Trusted Networks

Networks separated from one another over the campus backbone often need to share the same user database and security configuration. Because of the sensitive nature of communications that take place between trusted hosts, it is inadvisable to allow machines belonging to the same Windows security partition (Windows domain) to communicate freely over an untrusted network such as the campus backbone.

 

The solution to this problem is to join networks belonging to the same security partition (Windows domain) via a site to site VPN link. VPN connections are typically used to connect host systems or entire networks to one another over the Internet. However, the utility of VPN connections is not limited to only Internet communications. You can use the same VPN technology to join protected LAN segments to each other.

 

The advantages of this configuration include:

 

  • The current firewall at the edge of the campus network is left intact. There is no need to change any of the settings on the current firewall at the campus network edge
  • Only the devices at the edge of the departmental and student LAN edges need to be replaced. You do not need to change the current routing infrastructure to support the new ISA Server 2000 firewall and Web caching servers
  • You can control access to and from the departmental and student LANs on a user or group basis. The user accounts and groups can be created on the ISA Server 2000 firewall and Web caching servers, or you can create Windows NT 4.0 or Windows 2000/Windows Server 2003 Active Directory domains on the LANs and create theuser and group accounts there.
  • Traffic on the corporate LAN and Internet link is reduced because popular Web content is stored on the local ISA Server 2000 firewall and Web caching server.
  • Traffic can move between LAN segments joined by the VPN site to site link without incurring the overhead of firewall policy processing. All network traffic between trusted VPN connected segments is passed without requiring special firewall configuration to support complex protocols and complete support for voice/video communications between trusted segments
  • Joined segments can belong to the same Windows NT 4.0 or Windows 2000/Windows Server 2003 domain. Sensitive intradomain communications are never passed “in the clear” over the campus backbone network
  • Multiple networks can be connected using the site to site link and all networks can use Firewall and Web Proxy chaining within the VPN network. This obviates the need for a backbone or Internet edge located ISA Server 2000 firewall for centralized firewall management and control and also allows hierarchical Web caching, all based on a single user database (Windows NT 4.0 or Windows 2000/Windows Server 2003 Active Directory domain)

 

 

The four network topologies described in this section represent only a subset of the possible configurations. However, they provide examples of the possibilities and make it clear that you can introduce ISA Server 2000 firewall and Web caching servers into the campus network with a minimal amount of disruption.

Configuring Firewall Chaining

ISA Server 2000 firewall chaining allows you to configure customized firewall policies at the LAN edge of each of the departmental and student networks and also create a firewall policy that applies to all networks protected by the ISA Server 2000 firewall and Web caching servers.

 

One of the major advantages of using firewall chaining is that you do not need to configure the ISA Server 2000 firewalls at the corporate LANs to use the upstream ISA Server 2000 firewall as their default gateway. Instead, the ISA Server 2000 firewall at the departmental and student LAN edges can use any default gateway you like and forward Internet bound requests directly to the upstream firewall at the Internet edge or on the campus backbone.

 

Firewall chaining applies to all TCP and UDP communications moving through the ISA Server 2000 firewalls in the chain. For example, you can create a firewall policy that prevents users from accessing a list of Internet located domains and blocks the use of peer to peer file sharing applications. However, you do not want the LAN edge firewalls to use the upstream ISA Server 2000 firewall for ICMP communications (used for PING, PATHPING, tracert and other network utitlies). The ICMP communications need to go through your current Internet firewall.

 

Firewall chaining enables you to create this configuration because the TCP and UDP communications move from the downstream ISA Server 2000 firewalls to the upstream ISA Server 2000 firewall via direct communications; the downstream firewalls do not depend on their default gateway configuration to reach the Internet because they are configured to communicate directly with the upstream firewall. The ICMP communications can move through the network based on the default gateway configuration on the downstream ISA Server 2000 firewall.

 

In this section, we’ll present an example of how to configuration firewall chaining between LAN edge ISA Server 2000 firewall and Web caching servers and an upstream ISA Server 2000 firewall and Web caching server. The following procedures are covered in this document:

 

  • Install ISA Server 2000 on the Internet edge firewall and the departmental LAN firewalls
  • Configure the base ISA Server 2000 firewall configuration
  • Configure firewall chaining between the departmental LAN ISA Server 2000 firewalls and the Internet edge ISA Server 2000 firewall
  • Create access polices on the LAN firewalls and the Internet edge firewall

 

You should always perform your testing on a lab network before implementing the configurations on your production network. The figure below shows the setup of the lab network we’ll be using in the example discussed in this section.

 

 

  • All machines are configured with a subnet mask of 255.255.255.0
  • The client machines on the LAN networks are configured as DNS servers and the DNS servers can perform recursion to resolve Internet domain names
  • The client machine on LAN-2 is configured as a domain controller in the msfirewall.org domain (this configuration will be used later to test VPN site to site configurations)
  • The LAN-1 and LAN-2 ISA Server 2000 firewalls are configured to use the DNS servers on the LAN segments they protect; access policies allow the DNS servers outbound access to DNS queries
  • The ISA Server 2000 firewalls on LAN-1, LAN-2 and at the edge of the simulated campus network are installed in integrated mode.
  • ISA2 is a member of the msfirewall.org domain (Active Directory domain on LAN-2)
  • If you are using operating system virtualization (virtual machine) software, you should configure each network segment to be on a different Ethernet broadcast domain. In our example, the simulated campus backbone network is on VMNet2, LAN-1 is on VMNet4 and LAN-2 is on VMNet3. The external interface of the ISA Server 2000 firewall on the edge of the campus network is bridged with the physical interface on the test machine, which allows it to access Internet resources via the live network’s Internet connection.

 

IP Configurations for each machine are listed in the table below.

 

Machine

IP address

Subnet Mask

Default Gateway

DNS address

FIREWALL-ext

Valid on live network

Valid on live network

Valid on live network

None

FIREWALL-int

192.168.10.1

255.255.255.0

None

Valid on live network

ISA1–ext

192.168.10.2

255.255.255.0

192.168.10.1

None

ISA1-int

10.0.1.1

255.255.255.0

None

10.0.1.2

ISA2-ext

192.168.10.3

255.255.255.0

192.168.10.1

None

ISA2-int

10.0.2.1

255.255.255.0

None

10.0.2.2

CLIENT1

10.0.1.2

255.255.255.0

10.0.1.1

10.0.1.2

CLIENT2

10.0.2.2

255.255.255.0

10.0.2.1

10.0.2.2

 

 

Installing the ISA Server 2000 Firewall Software on Windows Server 2003 LAN and Campus Backbone Network Firewalls

In our example, the ISA Server 2000 software will be installed on three Windows Server 2003 computers. ISA Server 2000 can be installed on either Windows 2000 or Windows Server 2003. While the firewall software works equally well on both operating systems, Windows Server 2003 is the operating system of choice because of its superior default level of security and higher performance.

 

Perform the following steps on each of the ISA Server 2000 firewalls:

 

Locate your ISA Server 2000 CD-ROM disk and put it into the CD-ROM drive or connect to a network share containing the ISA Sever 2000 installation files. Perform the following steps to install ISA Server on a Windows Server 2003 machine:

 

  1. Double click on the ISAAutorun.exe file on the ISA Server CD, local hard disk, or network share point.

 

 


  1. Click on the Install ISA Server link on the Internet Security & Acceleration Server 2000 splash page.

 

 


  1. You will see an ISA 2000 dialog box informing that you need to install ISA 2000 Service Pack 1. Error messages will occur during the installation. Don’t be concerned about these errors, as we will later perform the required procedures to prevent them from becoming a problem.  Click Continue.

 

 


  1. Click Continue on the Welcome to the Microsoft ISA Server installation program page.

 

 


  1. Enter your CD Key in the CD Key dialog box. Click OK.

 

 


  1. Write down your Product ID as listed in the Product ID dialog box. Click OK in the Product ID dialog box after writing this number down.
  2. Click I Agree in the Microsoft ISA Server Setup dialog box.

 

 


  1. Click the Full Installation button in the installation type dialog box. You can use the Add/Remove Programs applet later if you want to remove some ISA Server features.

 

 


  1. In this example, we are installing ISA Server in standalone mode, not in enterprise array mode. Click Yes in the dialog box that asks if you want to continue.

 

 


  1. Select the Integrated mode option on the Select the mode for this server page. You want to take advantage of the full power of your ISA Server firewall. Integrated mode gives you everything the Web Proxy and Firewall services have to offer. Click Continue.

 

 


  1. On the Web cache page, select a drive on which the Web cache file will be stored. The drive must be formatted in NTFS. Enter the desired size of the cache in the Cache size (MB) text box and then click the Set button. Click OK.

 

 


  1. On the LAT page, click the Construct Table button. On the Local Address Table page, remove the checkmark in the Add the following private ranges checkbox. Put a checkmark in the Add address ranges based on the Windows 2000 Routing Table checkbox.

 

Remove the checkmark from the checkbox representing the external interface, and leave the checkmark in the checkbox for the internal interface. Click OK in the Local Address Table dialog box, then click OK in the Setup Message dialog box that informs you that the LAT was constructed based on the Windows 2000 routing table (in spite of the fact that you’re installing ISA Server on a Windows Server 2003 machine).

 

 


  1. Click OK on the LAT dialog box after reviewing the entries in the Internal IP ranges list.

 

 


  1. Unlike Windows 2000, Windows Server 2003 does not install IIS services by default. You will see a dialog box telling you that you’ll have to install the SMTP service if you want to run the SMTP Message Screener. Click OK to continue.

 

 


  1. The ISA Server services are installed. You will see a warning balloon informing you that ISA 2000 will cause Windows to become unstable. Close the balloon, remove the checkmark from the Start ISA Server Getting Started Wizard checkbox, and then click OK in the Launch ISA Management Tools dialog box.

 

 


  1. Click OK in the dialog box that informs you that setup was completed.

 

 


  1. Click OK in the dialog box that informs you that setup has failed to start one or more services.

 

 

Now you’re ready to install ISA Server Service Pack 1.

 

 

 

Install ISA Server Service Pack 1

The next step is to immediately install ISA Server Service Pack 1. You can download Service Pack 1 at http://www.microsoft.com/isaserver/downloads/sp1.asp Download SP1. Download the Service Pack to a machine on the internal network, scan it for viruses, then copy it to the ISA Server. Perform the following steps after copying the service pack to the ISA Server:

 

  1. Close the ISA Management console. Double click on the isasp1.exe file. Type a path for the location in which you want to put the temporary files in the Choose Directory for Extracted Files dialog box. Click OK.

 

 


  1. Click I Agree in the End User License Agreement (EULA) dialog box.

 

 


  1. Click OK in the Microsoft ISA Server 2000 Update Setup dialog box. The computer will restart.

 

 

That’s all there is to installing ISA Server service pack 1.

 

 

 

Install HotFix isahf255.exe

Log onto the machine after the ISA Server service pack 1 installation routine restarts the machine. There are a few hotfixes and updates you need to install on the Windows Server 2003/ISA Server machine to ensure that everything works correctly. You can download the HotFix pack, isahf255.exe at http://www.microsoft.com/downloads/details.aspx?familyid=77d89f87-5205-4779-b1ab-fc338283b2d9&displaylang=en

 

Download the file to a machine on the internal network, scan it for viruses, and then copy it to the ISA Server. Perform the following steps after copying the file to the ISA Server:

 

  1. Double click on the isahf255.exe file. Read the description of the hotfix and then click I Agree in the ISA Server 2000 hot fix 255 (331062) dialog box. Type a path for the temporary files in the Choose Directory for Extracted Files dialog box, then click OK.

 

 


  1. Click I Agree in the EULA dialog box.
  2. Click OK in the Microsoft ISA Server 2000 Update Setup dialog box informing you that the update was successfully applied.

 

 

Note that you do not need to restart the server. The next step is to install Feature Pack 1.

 

 

 

Install Feature Pack 1

Feature Pack 1 (FP1) is not required. You do not have to install ISA Server 2000 Feature Pack 1 on the Windows Server 2003/ISA Server 2000 machine to get ISA Server 2000 working correctly. However, we highly recommend that you install ISA Server Feature Pack 1 because it adds several new and useful features. You can download ISA Server Feature Pack 1 at http://www.microsoft.com/downloads/details.aspx?FamilyID=2f92b02c-ac49-44df-af6c-5be084b345f9&DisplayLang=en

 

Download the feature pack to a machine on the internal network and scan it for viruses. Then copy the file to the ISA Server and perform the following steps:

 

  1. Double click on the isafp1.exe file. Type a path for the extracted files in the Choose Directory For Extracted Files dialog box.

 

 

  1. Click I Agree in the Feature Pack 1 EULA dialog box.
  2. Click OK in the Microsoft ISA Server 2000 Feature Pack 1 dialog box. Leave the checkmark in the Read about ISA Server Feature Pack 1 checkbox to learn more about what you get with Feature Pack 1.
  3. A browser window opens and provides information about ISA Server 2000 Feature Pack 1. You can read this now, or you can read it later at your leisure.

Create a Base Configuration on the ISA Server 2000 LAN and Internet Edge Firewalls

There are a few configuration options you may want to implement on every ISA Server 2000 firewall and Web caching server you deploy. You should consider performing the following actions after installing ISA Server 2000 firewalls:

 

  • Configure Autodiscovery and server performance parameters
  • Enable IP Routing and Intrusion Detection
  • Configure Intrusion Detection
  • Filter IP options and IP fragments
  • Enable PPTP passthrough
  • Configure the Firewall client and Web Proxy client installation options
  • Configure the LDT
  • Disable the HTTP Redirector

 

Perform the following steps to configure these options:

 

  1. Open the ISA Management console and expand the Servers and Arrays node in the left pane of the console. Right click on your server name and click Properties.

 

 

  1. In the server Properties dialog box, click on the Autodiscovery tab. Place a checkmark in the Publish automatic discovery information checkbox. Leave the default port number in the Use this port for automatic discovery requests checkbox.

 

Automatic discovery allows Firewall and Web Proxy clients to automatically configure themselves to work with the ISA Server 2000 firewall and Web caching server. You do not need to visit each workstation to configure it to use the ISA Server 2000 firewall and Web caching server when autodiscovery is enabled.

 

*       Note:

Please see Chapter 5 Automating ISA Server 2000 Client Configuration for more information on how to use automatic discovery to automatically configure Firewall and Web Proxy clients.

 

 

 


  1. Click on the Performance tab. Drag the slider bar to most closely match the number of hosts that will connect to the ISA Server 2000 firewall and Web caching server per day.

 

Click Apply.

 

 


  1. Select the Save the changes and restart the service(s) option in the ISA Server Warning dialog box and click OK.

 

 


  1. In the ISA Management console, expand the Access Policy node and right click on the IP Packet Filters node. Click Properties.

 

 


  1. In the IP Packet Filter Properties dialog box, place checkmarks in the Enable Intrusion detection and Enable IP routing checkboxes.

 

The Enable Intrusion detection checkbox turns on the ISA Server 2000 intrusion detection mechanisms. When an intrusion is detected, ISA Server can send an alert to the ISA Server 2000 Event Log and even send an email message to you.

 

The Enable IP routing option can significantly improve performance for SecureNAT clients. In addition, this option allows internal network clients to use the ICMP and PPTP protocols to connect to Internet hosts. For example, if you want to allow outbound PING or tracert, you will need to enable IP routing. Note that you do not need to enable IP routing if you want to use ICMP or PPTP from the ISA Server 2000 firewall and Web caching server itself.

 

 


  1. Click the Packet Filters tab. Place a checkmark in the enable filtering of IP fragments and Enable filtering IP options checkboxes.

 

The Enable filtering of IP fragments option prevents certain well-known exploits from using IP fragments to compromise your servers. You should be careful with this option because it can impair streaming media and IPSec-based protocols that require certificate exchange. If you find that you have problems with streaming media or IPSec protocols when fragment filtering is enabled, then disable this option and see if that improves the situation.

 

The Enable filtering IP options option allows the ISA Server 2000 firewall and Web caching server to block IP options, such as loose source routing. This improves the security of the ISA Server 2000 firewall and should always be enabled unless you have a specific reason to not enable this option.

 

 


  1. Click on the Intrusion Detection tab. Place a checkmark in each of the attack checkboxes. You can use the default number of attacks on well-known ports and all ports. Note that if you lower these numbers, you will see more false positives. If you raise the numbers too high, you might miss a potential attacker. Try using the default values for a while and see if those values meet your needs.

 

 


  1. Click on the PPTP tab. If you wish to allow internal network clients behind the ISA Server 2000 firewall and Web caching server to connect to PPTP VPN servers on the Internet, then you should place a checkmark in the PPTP through ISA firewall checkbox. Note that if you enable this option, all machines configured as SecureNAT clients will be able to connect to external PPTP VPN servers. You cannot exercise per user/group or per/address access control on this option.

 

Click Apply and then click OK.

 

 


  1. In the ISA Management console, click on the Client Configuration node. Right click on the Firewall Client entry in the right pane of the console and click Properties.

 

 


  1. On the General tab of the Firewall Client Properties dialog box, select the DNS name option and type in the fully qualified domain name for the ISA Server 2000 firewall and Web caching server’s internal interface. All machines on the internal network will need access to a DNS server that is able to resolve this name to the IP address on the ISA Server 2000 firewall’s internal interface. If you do not have such a DNS server available to the internal network clients, then select the IP address option and enter the IP address of the internal interface of the ISA Server 2000 firewall computer.

 

Place a checkmark in the Enable ISA Firewall automatic discovery in Firewall Client. This allows the Firewall client computer to automatically configure itself by contacting the ISA Server 2000 firewall and Web caching server and downloading configuration information. You should always configure this option if you wish to avoid the administrative overhead of configuring each machine’s firewall client software individually.

 

Note that these settings are configured when the Firewall client software is installed. If you have already installed the Firewall client software on a group of computers, these settings will have no effect on the settings on those computers.

 

Click Apply and then click OK.

 

 


  1. Right click on the Web Browser entry in the right pane of the console and click Properties.

 

 


  1. On the General tab of the Web Browser Properties dialog box, place a checkmark in the Configure Web browser during Firewall client setup checkbox. Enter the fully qualified domain name of the ISA Server 2000 firewall and Web caching server in the DNS name text box. Make sure that the internal network clients are able to resolve this name to the IP address of the internal interface of the ISA Server 2000 firewall and Web caching server. If the clients on the internal network are not able to resolve this name, then the client may not be able to connect to the Web proxy service successfully.

 

Place a checkmark in the Automatically discover settings checkbox. This allows the Web Proxy client to obtain valuable configuration information from the ISA Server 2000 firewall and Web caching server’s Web Proxy service. Note that you will need to create the appropriate WPAD entries in either DNS or DHCP in order for this to work correctly. Please refer to Chapter 5 Automating ISA Server 2000 Client Configuration for more information on how to configure the WPAD entries.

 

Place a checkmark in the Set Web browsers to use automatic configuration script. This is a very important setting and should always be enabled. You lose a great deal of flexibility in Web Proxy client configuration if this option is not selected. Select the Use default URL if you do not wish to configure your own automatic configuration script. If you wish to write your own automatic configuration script, then select the Use custom URL option and enter the appropriate URL.

 

*       Note:

You can significantly improve the performance of your ISA Server 2000 Web Proxy clients when the autoconfiguration script is used by the Web Proxy clients. Always use this option unless you have a compelling reason not to do so.

 

 


  1. Click on the Direct Access tab. Place a checkmark in the Bypass proxy for local servers checkbox. This option allows the Web Proxy clients to not use the ISA Server 2000 firewall and Web Proxy server to access resources on the internal network that can be accessed via a single label name. For example, when this option is selected, a user connecting to a Web server with the URL http://server1 will connect directly to the Web server and the connection will not be proxied by the ISA Server 2000 firewall and Web caching server. This can significantly improve the performance of your ISA Server 2000 firewall and Web caching server because the server does not need to proxy connections from trusted internal network hosts to servers located on the internal network.

 

Place a checkmark in the Directly access computers specified in the Local Domain Table (LDT) checkbox. This allows the Web Proxy clients to connect directly to servers that are located on the LDT. For example, if your internal network domain is corp.net, then connections to servers such as www.corp.net and mail.corp.net are made directly to these servers and are not proxied by the ISA Server 2000 firewall and Web caching server.

 

You can also click the Add button and add servers or domains that aren’t included on the LDT. You can put external domains on this list. For example, you can put the hotmail.com and the msn.com domains on the LDT. This allows the machine configured as a Web Proxy client to bypass the Web Proxy service to connect to these domains. Note that the machine must also be configured as a Firewall client or SecureNAT client to take advantage of directly accessing these external domains.

 

 


  1. Click the Backup Route tab. Place a checkmark in the If ISA Server is unavailable, use this backup route to connect to the Internet. Select the Direct access option. The result of these selections is that if the Web Proxy service on the ISA Server 2000 firewall and Web caching server is disabled, then the machine will try to take advantage of its Firewall or SecureNAT client configuration if it is configured as one of these types of clients. If the machine is configured as only a Web Proxy client, then it will not be able to use Direct access, because it has no mechanism by which it can directly access Internet resources.

 

You also have the option to use an Alternative ISA Server. When you select this option, the Web Proxy client will use another Web Proxy server if the Web Proxy service on the server it is configured to use is unavailable. This provides a method of automatic failover for the client in the event the primary server the Web Proxy client is configured to use becomes unavailable.

 

Click Apply and then click OK.

 

 


  1. Expand the Network Configuration node and right click on the Local Domain Table (LDT) option. Point to New and click LDT entry.

 

 


  1. On the New LDT Entry dialog box, enter the computer name or domain name in the Name text box. The instructions on the page provide information on how to use wildcards to denote multiple hosts and domains.

 

The entries on the LDT are used to tell the Firewall and Web Proxy clients that they should contact machines on the LDT directly and not go through the ISA Server 2000 firewall machine. This is a very important concept. The firewall has enough to do without servicing hosts on the internal network that need to connect to internal network resources.

 

Click OK.

 

 


  1. In the ISA Management console, expand the Extensions node and click on the Application Filters node. In the right pane of the console, right click on the HTTP Redirector Filter entry and click the Disable command.

 

While the HTTP Redirector is a potentially valuable feature included with ISA Server 2000, it does create authentication issues that can at times become problematic. For that reason, it is always better to configure the internal network clients as Firewall and Web Proxy clients. While only Windows-based computers can be configured as Firewall clients, almost all browsers for all operating systems support the Web Proxy client configuration. In addition, Web Proxy clients can be configured to autodetect the ISA Server 2000 Web Proxy service, so you never need to visit the client workstations to configure the Web Proxy client.

 

 


  1. Select the Save the changes and restart the service(s) option and click OK.

 

 


  1. Note that the icon to the left of the HTTP Redirector Filter entry in the right pane of the console has a red down pointing arrow on it. This indicates that it is disabled.

 

 

Configure Firewall Chaining Between the LAN Firewalls and Internet Edge Firewalls

Firewall chaining allows ISA Server 2000 firewall and Web caching servers to directly communicate with one another. The firewall service from a downstream ISA Server 2000 firewall directly communicates with the Firewall service of an upstream ISA Server 2000 firewall. The advantages of this configuration include:

 

  • Firewall chaining is independent of the current routing infrastructure. As long as the downstream ISA Server 2000 firewall knows the route to the upstream ISA Server 2000 firewall, it will be able to forward packets to the upstream ISA Server 2000 firewall service
  • The firewall service can control access based on user credentials. The downstream firewall service is able to forward credentials to the upstream ISA Server 2000 firewall service. This enforces authentication at multiple locations. If the upstream server is not able to authenticate the user, the downstream ISA Server 2000 firewall can provide credentials that are used instead of the user credentials to allow access
  • Firewall chaining enables strong, user/group based access control at multiple levels. This prevents unauthorized Internet access even when a downstream ISA Server 2000 firewall becomes disabled
  • Firewall chaining allows you to implement separate firewall policies based on the locations of the firewalls. Downstream ISA Server 2000 firewalls have granular user/group based access controls configured on them, while upstream ISA Server 2000 firewalls may have less restrictive access controls as long as the downstream can authenticate

Machines on the campus backbone network will not be able to connect to the Internet because they are not able to connect to either a downstream or upstream ISA Server 2000 firewall server. This prevents network compromise by uses that obtain unauthorized access to the campus backbone network.

 

In a campus environment, you can take advantage of firewall chaining by chaining LAN edge ISA Server 2000 firewalls to upstream ISA Server 2000 firewalls at the Internet edge of the campus network. You can even locate an ISA Server 2000 firewall on the campus backbone network behind an existing traditional packet filtering firewall. Both of these configurations allow you to leverage the multilayer access control you get when implementing a firewall chaining configuration.

 

Firewall chaining requires configuring the downstream ISA Server 2000 firewall to directly communicate with the upstream ISA Server 2000 firewall. Next, the upstream ISA Server 2000 firewall is configured with an access policy that allows communications from the downstream ISA Server 2000 firewall access to the Internet.

 

Perform the following steps to configure the downstream ISA Server 2000 firewall on the edge of the protected LAN segments:

 

  1. Open the ISA Management console, expand the Servers and Arrays node and expand your server name. Right click on the Network Configuration node and click on the Properties command.

 

 


  1. In the Network Configuration Properties dialog box, select the Chain to this computer option. Enter the fully qualified domain name in the text box under the selected option button. Make sure that this computer can resolve the name you enter in this text box to the IP address of the internal interface of the upstream ISA Server 2000 firewall. If the DNS server used by the downstream ISA Server 2000 firewall cannot resolve this name, then you can create a HOSTS file entry on the downstream computer that correctly resolves this name.

 

*       Warning:

Name resolution is the most common issue related to failed ISA Server 2000 firewall and Web caching configurations. Pay very close attention to name resolution issues when configuring ISA Server 2000 firewalls.

 

 


  1. Place a checkmark in the Use this account checkbox. Click the Set Account button. In the Set Account dialog box, enter an account name that the downstream ISA Server 2000 firewall can use to authenticate on the upstream ISA Server 2000 firewall. The format for the User entry is one of the following:

 

ComputerName\Username

DomainName\Username

 

If the upstream ISA Server 2000 firewall is not a member of a domain, then use the ComputerName\Username format. If the upstream ISA Server 2000 firewall is a member of a domain, then use the DomainName\Username format. Do not use the Browse button, as it will not enter the fully qualified domain name of the server. Enter the password for this account in the Password text box and confirm it in the Confirm password text box.

 

The downstream ISA Server 2000 firewall will forward the credentials of the client making the original request to the upstream ISA Server 2000 firewall. If the upstream ISA Server 2000 firewall is a member of the same domain as the client issuing the request, then the upstream ISA Server 2000 firewall will be able to authenticate the user based on the requesting user’s credentials. However, in most cases the upstream ISA Server 2000 firewall is not a member of the same domain as the client on the network behind the downstream ISA Server 2000 firewall. In this event, the upstream ISA Server 2000 firewall will use the credentials entered in the Set Account dialog box to authenticate the connection request.

 

Note that the account you configure here must exist on the upstream ISA Server 2000 firewall. In this example, we have configured the Administrator account to be used. In a production environment, you should create an account that is used only by the downstream ISA Server 2000 firewall service. You may wish to create separate accounts for each downstream ISA Server 2000 firewall so that if one account is breached, the other account(s) will remain intact.

 

Click OK in the Set Account dialog box.

 

 


  1. Click Apply and then click OK on the Network Configuration Properties dialog box.

 

 


  1. Close the ISA Management console.

 

Create Access Policy to Control Outbound Access at the LAN and Internet Edge Firewalls

 

The next step is to configure access policy on the firewalls at the edge of the LANs and the upstream firewalls. Perform the following steps on the upstream firewall on the edge of the campus LAN:

 

1.       In the ISA Management console, expand the Servers and Arrays node and then expand your server name. Expand the Access Policy node and right click on the Protocol Rules node. Point to New and click Rule.

 

 

2.       Type a name for the Protocol Rule in the Protocol rule name text box on the Welcome to the New Protocol Rule Wizard page. Give the rule a name that indicates that it applies to the access control applied to the downstream ISA Server 2000 firewall. In this example, we’ll use the name ISA2 Access to indicate that this rule is designed to control outbound access from the downstream ISA Server 2000 firewall named ISA2.

 

 

3.       On the Rule Action page, select the Allow option and click Next.

 

 

4.       You select the protocols you want to allow the downstream ISA Server 2000 firewall outbound access to on the Protocols page. You may want to set a policy that limits outbound access to the same protocols that are allowed outbound access at the downstream ISA Server 2000 firewall, or you may want to create a superset of protocols. It depends on how many downstream firewalls you configure and what protocols are configured on them. You can create multiple Protocol Rules to support custom protocol access requirements for multiple downstream ISA Server 2000 firewalls.

 

In this example, we’ll select the All IP traffic protocol. This allows the downstream ISA Server 2000 firewall access to all protocols through the upstream ISA Server 2000 firewall. Note that the downstream ISA Server will still need to authenticate before it has access to these protocols.

 

Click Next.

 

 

5.       Use the default selection Always on the Schedule page. Click Next.

 

 

6.       On the Client Type page, select the Specific users and groups option. Click Next.

 

 

7.       On the Users and Groups page, click the Add button. This brings up the Select Users or Groups dialog box. In this example, we want to allow only the Administrator account on the upstream firewall to have access. Enter the name of the Administrator account in the Enter the object name to select text box. Click the Check Names button to confirm that you listed the account correctly.

 

Click OK in the Select Users and Groups dialog box.

 

 

8.       The account you select now appears on the Users and Groups page. Click Next.

 

 

9.       Review your settings on the Completing the New Protocol Rule Wizard page and click Finish.

 

 

10.   The Protocol Rule now appears in the right pane of the ISA Management console.

 

 

At this point, the front-end firewall at the edge of the campus network will allow access to all TCP and UDP protocols to the LAN edge firewall that can successfully authenticate via a Firewall chaining authenticated connection.

 

The next step is to configure the LAN edge firewalls with access policies. In this example, we will create a simple access policy that allows outbound access to the HTTP, HTTPS and FTP protocols. Notice that this policy is much more restrictive than the policy we implemented at the edge of the campus backbone network.

 

Perform the following steps at the firewalls on the edge of the LANs (ISA2 and ISA1):

 

1.       In the ISA Management console, expand the Servers and Arrays node and then expand your server name. Expand the Access Policy node and right click on the Protocol Rules node. Point to New and click Rule.

 

 

2.       Enter a name for the rule in the Protocol rule name text box on the Welcome to the New Protocol Rule Wizard page. In this example, we will name the rule Web Access. Click Next.

 

 

3.       On the Rule Action page, select the Allow option and click Next.

 

 

4.       On the Protocols page, select the Selected protocols option in the Apply this rule to drop down list. Put a checkmark in the FTP Download only, HTTP and HTTPS checkboxes. Put a checkmark in the Show only selected protocols checkbox. Click Next.

 

*       TIP:

This is a standard protocol rule used to give the average user access to most Web resources while reducing the risks of allowing dangerous protocols such as peer to peer, IRC and other protocols that could put your network at a serious security disadvantage.

 

 

 

5.       Use the default selection Always on the Schedule page. Click Next.

 

 

6.       On the Client Type page, select the Specific users and groups option and click Next.

 

 

7.       Click the Add button on the Users and Groups page. In this example, we’ll allow all Domain Users access to the HTTP, HTTPS and FTP download. Click the Object Types button and put a checkmark in the Groups checkbox.

 

Click the Locations button and select the domain name.

 

Enter Domain Users in the Enter the object names to select text box. Click the Check Names button to confirm that you entered the group name correctly.

 

Click OK in the Select Users or Groups dialog box.

 

 

8.       The group name appears on the Users and Groups page. Click Next.

 

 

9.       Review your settings on the Completing the New Protocol Rule Wizard page and click Finish.

 

 

10.   The Protocol Rule appears in the right pane of the console.

 

 

 

We need to create a second rule that allows outbound DNS queries, so that Internet domain names can be resolved. The client systems on each of the protected LANs are configured as DNS servers that can perform recursion to resolve Internet host names. Run the New Protocol Rule Wizard again and use the following parameters:

 

Rule Name: DNS Query

Rule Action: Allow

Protocols: DNS Query and DNS Zone Transfer

Schedule: Always

Client Type: Any Request

Install the Firewall Client on the Internal Network Client Computer

Only machines configured as Web Proxy or Firewall clients can send credentials to the ISA Server 2000 firewall so that granular user/group based access control can be performed by the firewall. The Firewall client makes ISA Server 2000 firewalls absolutely unique among network firewalls. Non-ISA Server 2000 firewalls can perform limited user/group based access control using RADIUS for only Web based protocols. In contrast, the Firewall client software allows you to control access for all UDP and TCP protocols on a user/group basis. The firewall client is one of the most compelling aspects of ISA Server 2000 and should always be used on your Microsoft Windows clients.

 

*       WARNING:

The Firewall client should generally be installed on all Windows operating systems that support the Firewall client software. There are two major exceptions to this rule: do not install the Firewall client on machines that you are publishing to the Internet and do not install the Firewall client on a domain controller.

 

 Perform the following steps to install the Firewall client on the clients located on the protected LANs:

 

  1. Click Start and click the Run command. In the Run dialog box, type the UNC path to the mspclnt share on the ISA Server 2000 firewall on the protected LAN. Run the setup.exe program in the mspclnt share. Click OK.

 

 


  1. The security mechanism in Windows Server 2003 warns you that the file may not be safe. Click Open on the File Download dialog box.

 

 


  1. Click Next on the Welcome to the Install Wizard for Microsoft Firewall Client page.

 

 


  1. Click Next on the Destination Folder page.

 

 


  1. Click Install on the Ready to Install the Program page.

 

 


  1. Click Finish on the Install Wizard Completed page.

 

 

Making the Connection

In this scenario, we are testing firewall chaining only. In a production environment, you should enable both Web Proxy and Firewall chaining. In addition, you should implement autodiscovery for both Firewall and Web Proxy client to automate their configuration. Autodiscovery allows all your ISA Server 2000 clients to automatically configure themselves and obviates the need to configure the client systems manually.

 

In order to test our firewall chaining configuration, we need to perform the following steps:

 

  • Disable autodiscovery for the Firewall client

We disable autodiscovery on the Firewall client because we have not configured a WPAD entry in DNS. In a production environment, you should create a WPAD entry on your DNS server to support Firewall client autodiscovery and autoconfiguration

 

  • Disable the Web Proxy client settings on the browser

We need to disable the Web Proxy client configuration because we have not yet configured Web Proxy chaining. In a production environment, you should enable both Firewall and Web Proxy chaining

 

Note:

For more information on Firewall and Web Proxy client autodiscovery and autoconfiguration, please see Chapter 5 Automating ISA Server 2000 Client Configuration.

 

 

  1. Double click the Firewall client icon located in the system tray. This brings up the Firewall Client Options dialog box. Remove the checkmark from the Automatically detect ISA server  checkbox. Click OK.

 

 


  1. Right click the Internet Explorer icon on the desktop and click Properties.

 

 


  1. Click the Connections tab on the Internet Properties dialog box.

 

 


  1. Remove the checkmarks from all the checkboxes on the Local Area Network (LAN) Settings page. Click OK.

 

 


  1. Click OK on the Internet Properties dialog box.

 

 

Now that the autodetection setting on the Firewall client and the proxy configuration on the Web Proxy client are disabled, we can make the connection. Remember that we removed the Web Proxy settings on the browser so that the browser would use the Firewall client software to access the Internet instead of the Web Proxy client configuration.

 

1.       Open Internet Explorer and go to the www.microsoft.com Web site. Notice that the Firewall client icon in the system tray changes its appearance so that a green up pointing arrow appears on it. This indicates that the browser used the Firewall client application to access the Internet. The Firewall client software sent the user credentials to the ISA Server 2000 firewall at the edge of the LAN. The ISA Server 2000 firewall confirmed that the user account had permission to access the HTTP protocol and passed the connection to the upstream ISA Server 2000 firewall at the edge of the campus network.

 

 

2.       In the Web browser, go to ftp://ftp.microsoft.com. Notice that the green up pointing arrow appears on the Firewall client icon. This indicates that the browser is using the Firewall client software to access the Microsoft FTP site.

 

*       Note:

The browser will be able to access the FTP site, but the command line FTP client will not. The reason for this is that in a Firewall chaining environment, only PASV mode requests will work correctly.

 

 

3.       When you view the sessions in the Sessions node of the ISA Management console of the ISA Server 2000 firewall at the edge of the protected LAN segment, you will see that the client has established a firewall session with the logged on user name appearing in the console. The SYSTEM user connection is being used by the DNS server on the internal network client.

 

 

4.       At the upstream ISA Server 2000 firewall, you can see in the Session node of the ISA Management console an active Firewall Session by the SYSTEM user of client computer ISA2. The SYSTEM has authenticated using the credentials supplied in the Firewall chaining configuration. Notice that the account name does not show up as the User Name at the upstream ISA Server 2000 firewall.

 

 

5.       The Firewall log file at the downstream ISA Server 2000 firewall shows the user name of the logged on user who made the connection attempt and the application used to make the connection. You can see the name of the downstream ISA Server 2000 firewall in the log file entries.

 

 

6.       The upstream ISA Server 2000 firewall at the edge of the campus network also shows the name of the user who created the original request to the downstream ISA Server 2000 firewall in the chain. This is valuable information, as it shows user connections at both the downstream and upstream servers, even through the upstream server actually used the credentials of the Administrator that were configured in the Firewall Chaining Configuration dialog box.

 

 

 

Configuring Web Proxy Chaining

Web Proxy chaining works in a fashion similar to that of Firewall chaining. Web Proxy clients behind the ISA Server 2000 firewall and Web caching servers at the edge of the departmental and student LANs send their initial requests directly to the Web Proxy service to their ISA Server 2000 firewall and Web Proxy server. The LAN’s ISA Server 2000 firewall and Web Proxy server then forwards these requests directly to an upstream ISA Server 2000 Web proxy server.

 

The advantages to this configuration include:

 

  • Web Proxy chaining is independent of the current routing infrastructure. As long as the downstream ISA Server 2000 firewall and Web caching server knows the route to the upstream ISA Server 2000 firewall or Web caching server, it will be able to forward packets to the upstream ISA Server 2000 firewall service
  • The Web Proxy service can control access based on user credentials. The downstream Web Proxy service is able to forward credentials to the upstream ISA Server 2000 Web Proxy service. This enforces authentication at multiple locations. If the upstream server is not able to authenticate the user, the downstream ISA Server 2000 firewall or Web Proxy server can provide credentials that are used instead of the original user credentials to allow access
  • Web Proxy chaining enables strong, user/group based access control at multiple levels. This prevents unauthorized Internet access even when a downstream ISA Server 2000 Web Proxy service becomes disabled.
  • Web Proxy chaining allows you to implement separate access policies based on the location of the Web Proxy servers. Downstream ISA Server 2000 Web Proxy servers have granular user/group based access controls configured on them, while upstream ISA Server 2000 Web Proxy servers may have less restrictive access controls as long as the downstream can authenticate successfully
  • Machines on the campus backbone network will not be able to connect to the Internet because they are not able to authenticate to either a downstream or upstream ISA Server 2000 Web proxy server. This prevents network compromise by users who obtain unauthorized access to the campus backbone network.
  • The upstream Web proxy server can cache content from multiple LAN Web proxy servers. Users behind the ISA Server 2000 firewall and Web Proxy protected LAN first access the contents of their local cache. If the content is not located on the local cache, the LAN ISA Server 2000 firewall and Web Proxy server forwards the request to the upstream Web Proxy service. If the content is contained in the upstream Web Proxy server’s cache, that content is returned to the downstream Web Proxy service and cached locally, then returned to the client that made the request
  • ISA Server 2000 Enterprise edition allows you to create an array of Web Proxy servers. A Web Proxy array can significantly enhance the Web caching performance and perform load sharing and balancing between members of the array.

 

In the following exercise, we’ll build on the Firewall chaining configuration perform above. The difference will be that the Web Proxy will be configured as a Web Proxy client so that requests are forwarded directly to the Web Proxy service on the LAN edge ISA Server 2000 firewall and Web caching server.

 

Configuring Web Proxy Chaining to the ISA Server 2000 Firewall and Web Caching Server

The first step is to configure Web Proxy chaining on the downstream ISA Server 2000 firewall and Web proxy server. The configuration enables the LAN edge ISA Server 2000 firewall and Web proxy server to forward Web Proxy client requests directly to the upstream ISA Server 2000 firewall and Web proxy server or array.

 

Perform the following steps on the LAN edge ISA Server 2000 Firewall and Web proxy server:

 

  1. In the ISA Management console, expand the Servers and Arrays node and then expand your server name. Expand the Network Configuration node and right click on the Routing node. Point to New and click Rule.

 

 


  1. Enter a name for the Web Routing Rule in the Routing rule name text box on the Welcome to the New Routing Rule Wizard page. Click Next.

 

 


  1. On the Destination Sets page, select the All external destinations from the Apply this rule to drop down list. Click Next.

 

 


  1. On the Request Action page, select the Route to a specified upstream server option. Click Next.

 

 

  1. On the Primary Routing page, enter the following information:

 

Server or array

This is the fully qualified domain name of the upstream ISA Server 2000 Web Proxy server. It is very important that the downstream ISA Server 2000 firewall and Web proxy server be able to resolve this name to the IP address of the upstream ISA Server 2000 Web proxy server. If the upstream Web Proxy server has a single IP address on a single network interface, then make sure the downstream ISA Server 2000 firewall and Web Proxy server can resolve the name to that address. If the upstream ISA Server 2000 Web Proxy server is configured with an internal and external interface, then make sure this name resolves to the internal IP address of the upstream ISA Server 2000 Web Proxy server. If the DNS server configured on the downstream ISA Server 2000 firewall and Web Proxy server cannot resolve this name using the DNS server it is configured to use, then create a HOSTS file entry on the downstream ISA Server 2000 firewall and Web Proxy server that maps this name to the IP address of the upstream Web Proxy server.

 

Port

You can leave the port at its default value of 8080. This is the default port number used by the upstream Web Proxy server’s Outgoing Web Requests listener.

 

Authentication

Select the Integrated Windows option from the Authentication drop down list box.

 

 


  1. Click the Set Account button. In the Set Account dialog box, enter a user account that the downstream ISA Server 2000 firewall and Web proxy server can use to authenticate with the upstream Web proxy service. You can use the same account you configured for Firewall chaining, or you can use a separate account to increase the level of security. You may also wish to create separate accounts on the upstream ISA Server 2000 Web proxy server for each LAN ISA Server 2000 firewall and Web proxy server that will forward requests to it. Keep in mind that these accounts are created on the upstream Web proxy server.

 

Click OK in the Set Account dialog box.

 

 


  1. Click Next the Primary Routing page.

 

 


  1. On the Backup Routing page, select the Ignore requests option. Click Next.

 

 


  1. On the Cache Retrieval Configuration page, select the A valid version of the object; if none exists, retrieve the request suing the specified requested action. Click Next.

 

 


  1. On the Cache Content Configuration page, select the If source and request headers indicate to cache, then the content will be cached. Click Next.

 

 


  1. Review your settings on the Completing the New Routing Rule Wizard page and then click Finish.

 

 


  1. The new Web Routing rule appears in the right pane of the console.

 

Making the Connection

In the previous exercise in which we used only the firewall chaining configuration, we disabled the Web Proxy client configuration on the browser so that we could see how the Firewall chaining configuration worked without introducing issues related to the Web Proxy service or Web Proxy client. Now that the Web Proxy chaining configuration is enabled, we can reconfigure the browser as a Web Proxy client and then establish the Internet connection via Web Proxy chaining.

 

Perform the following steps to reconfigure the browser and establish a Web Proxy client connection:

 

  1. Right click on the Internet Explorer icon on the desktop and click Properties.

 

 


  1. Click the Connections tab in the Internet Properties dialog box. Click the LAN Settings button.

 

 


  1. In the Local Area Network (LAN) Settings dialog box, put a checkmark in each of the checkboxes. The Proxy server information was automatically entered into these checkboxes during the Firewall client installation.

 

Click OK.

 

 


  1. Click on the Advanced tab in the Internet Properties dialog box.

 

 


  1. Remove the checkmark from the Enable folder view for FTP sites checkbox. Click OK.

 

 


  1. Open Internet Explorer and visit the www.microsoft.com Web site. Notice that the Firewall client icon does not have a green up pointing arrow. This indicates that the Firewall client software did not intercept the request sent by the Web browser. Instead, the Web Proxy client configuration enabled the Web browser to forward the request directly to the Web Proxy service on the ISA Server 2000 firewall and Web caching server.

 

 


  1. Using Internet Explorer, visit the Microsoft FTP site. Again, notice that the Web Proxy client bypasses the Firewall client software by forwarding the request directly to the Web Proxy service.

 

 


  1. On the LAN edge ISA Server 2000 firewall and Web caching server, you can see the Web Proxy session established by the user on the protected LAN segment. An anonymous request appears in the console because Web Proxy clients always send an anonymous request first. Because authentication is required by the Protocol Rule, the Web Proxy service returns to the Web Proxy client a request for credentials. Only after the credentials are sent by the Web Proxy client and then verified by the Web Proxy service is the connection allowed.

 

 


  1. The ISA Server 2000 Web proxy server in front of the LAN ISA Server 2000 firewall Web proxy server shows a Web session from the account configured in the Web proxy chaining configuration. Notice that the original user account is not used to authenticate this connection; only the account used by the Web proxy chaining configuration on the downstream Web proxy server is used.

 

 


  1. The Web proxy log on the downstream ISA Server 2000 firewall Web caching server shows the name of the user who authenticated with the downstream Web Proxy. Included in the log is the name of the user and the user’s domain. In addition, the name of the downstream Web proxy server is included along with the name of the upstream Web proxy server.

 

 

  1. The Web proxy log on the upstream ISA Server 2000 Web proxy shows the user name for the account configured in the Web Proxy chaining configuration. Note that this is different from the information we saw in the Firewall service log on the upstream ISA Server 2000 machine. In the case of firewall chaining, we saw the name of the original user making the request in the log. In the case of Web proxy chaining, we only see the name of the account configured in the Web proxy chaining configuration.

 

 

Summary

ISA Server 2000 firewalls and Web caching servers can be used within the campus to protect departmental or student LANs. In addition to protecting student LANs from external attack, an ISA Server 2000 machine can act as a Web Proxy server. These two components provide both protection and improved Web browser performance for departmental and student LANs.

 

In the educational environment, access and security are equally vital. The ideal learning environment is dependent on the free flow of information, but schools and universities operate under a plethora of laws and regulations that require restriction of unauthorized access to confidential information. ISA Server provides a solution that can enhance access while providing the security that educational institutions need.

 

In this document, we discussed a number of topologies in which ISA Server 2000 firewalls and Web proxy servers can be used together with an existing firewall infrastructure. We then went over some of the advantages of Firewall and Web Proxy chaining and how those features can be used to increase security and simplify ISA Server 2000 deployments. We then finished this document with detailed, step by step examples and explanations of how to set up and configure Web Proxy chaining, Firewall chaining, Firewall client installation and Web Proxy client configuration.

 

Intrusion detection through centralized NT/2000 security event log monitoring!
Intrusion detection through centralized NT/2000 security event log monitoring!