Page 1: ISA 2006 Lab Manual

ISA Server 2006

Lab Manual

Module A: Introduction to ISA Server 6

Module B: Configuring Outbound Internet Access 19

Module C: Publishing Web Servers and Other Servers 32

Module D: Publishing an Exchange Server 60

Module E: Enabling VPN Connections 82

Module F: ISA Server 2006 as Branch Office Gateway 105

Module G: Enterprise Management of ISA Servers 119

Module H: Configuring Load Balancing 138

Module I: Using Monitoring, Alerting and Logging 170

Lab version 3.0f (6-Aug-2006)


Lab Summary

Contents

There are nine modules in this lab. You can complete each of these lab modules independent of the other modules.

In the contents below:

- The monitor icons indicate which virtual machines are needed.
- The 06 code indicates exercises that are specific to ISA Server 2006.
- The EE code indicates exercises that are specific to ISA Server Enterprise Edition.
- The up arrow indicates exercises that depend on the previous exercise.

Lab Summary 2

Module A: Introduction to ISA Server 6
Exercise 1 Exploring the User Interface 6
Exercise 2 Ease of Use: Multiple Networks 10
Exercise 3 Ease of Use: Single Rule Base 14
Exercise 4 Ease of Use: Monitoring 17

Module B: Configuring Outbound Internet Access 19
Exercise 1 Allowing Outbound Web Access from Client Computers 19
Exercise 2 Enabling the Use of the Ping command from Client Computers 23
Exercise 3 Allowing Outbound Access from the ISA Server 25
Exercise 4 Configuring ISA Server 2006 for Flood Resiliency 27

Module C: Publishing Web Servers and Other Servers 32
Exercise 1 Publishing a Web Server in the Internal Network 32
Exercise 2 Publishing the Web Server on the ISA Server Computer 36
Exercise 3 Performing Link Translation on a Published Web Server 40
Exercise 4 Using Cross-Site Link Translation to Publish SharePoint Server 42
Exercise 5 Publishing a Web Farm for Load Balancing 46
Exercise 6 Publishing Multiple Terminal Servers 54

Module D: Publishing an Exchange Server 60
Exercise 1 Publishing Exchange Web Access - Certificate Management 60
Exercise 2 Publishing an Exchange Server for SMTP and POP3 67
Exercise 3 Publishing an Exchange Server for Outlook (RPC) 69
Exercise 4 Publishing an Exchange Server for RPC over HTTP 72

Module E: Enabling VPN Connections 82
Exercise 1 Configuring ISA Server to Accept Incoming VPN Connections 82
Exercise 2 Configuring a Client Computer to Establish a VPN Connection 85
Exercise 3 Allowing Internal Network Access for VPN Clients 88
Exercise 4 Configuring VPN Quarantine on ISA Server 90
Exercise 5 Creating and Distributing a Connection Manager Profile 95
Exercise 6 Using VPN Quarantine on the Client Computer 101

Module F: ISA Server 2006 as Branch Office Gateway 105
Exercise 1 Configuring HTTP Compression to Reduce Bandwidth Usage 105
Exercise 2 Configuring ISA Server to Cache BITS Content 112

Exercise 3 Configuring DiffServ Settings to Prioritize Network Traffic 116

Module G: Enterprise Management of ISA Servers 119
Exercise 1 Enterprise Policies and Array Policies 119
Exercise 2 Remote Management and Role-based Administration 126
Exercise 3 Working with Configuration Storage Servers (Optional) 132

Module H: Configuring Load Balancing 138
Exercise 1 Configuring Network Load Balancing (NLB) 138
Exercise 2 Examining Details on NLB 146
Exercise 3 Using CARP to Distribute Cache Content 156
Exercise 4 Using CARP and Scheduled Content Download Jobs 164

Module I: Using Monitoring, Alerting and Logging 170
Exercise 1 Monitoring the ISA Server 170
Exercise 2 Checking Connectivity from the ISA Server 173
Exercise 3 Logging Client Computer Access 176

 


Lab Setup

To complete each lab module, you need to review the following:

Virtual PC

This lab makes use of Microsoft Virtual PC 2004, which is an application that allows you to run multiple virtual computers on the same physical hardware. During the lab you will switch between different windows, each of which contains a separate virtual machine running Windows Server 2003.

Before you start the lab, familiarize yourself with the following basics of Virtual PC:

To issue the Ctrl-Alt-Del keyboard combination inside a virtual machine, use the <right>Alt-Del instead.

To enlarge the size of the virtual machine window, drag the right bottom corner of the window.

To switch to full-screen mode, and to return from full-screen mode, press <right>Alt-Enter.

Lab Computers

The lab uses five computers in virtual machines.

Denver.contoso.com (green) is the domain controller for the contoso.com domain on the Internal network. Denver runs DNS, RADIUS, Exchange 2003 SP1 and SharePoint Services 2.0, and is also the Certification Authority (CA).

Istanbul.fabrikam.com (purple) is a Web server and client computer on the External network (Internet). Istanbul runs Outlook 2003. Istanbul is not a member of a domain.

Paris (red) runs ISA Server 2006 Standard Edition. Paris has three network adapters, which connect to the Internal network, the Perimeter network and the External network (Internet). The Perimeter network is not used in this lab.

Florence (red) and Firenze (red) run ISA Server 2006 Enterprise Edition. Both computers have three network adapters. Florence and Firenze are in an array named Italy. Only Florence runs the Configuration Storage server (CSS).


The computers cannot communicate with the host computer.

To allow you to examine and understand the traffic on the network, Microsoft Network Monitor 5.2, which is part of Windows Server 2003, is installed in each virtual machine.

To start the lab

Before you can do any of the lab modules, you need to start the virtual machines, and then you need to log on to the computers.

In each exercise you only have to start the virtual machines that are needed.

To start any virtual machine:

1. On the desktop, double-click the shortcut Open ISA 2006 Lab Folder.

2. In the lab folder, double-click any of the Start computer scripts. (For example: double-click Start Paris to start the Paris computer.)

3. When the logon dialog box has appeared, log on to the computer.

To log on to a computer in a virtual machine:

1. Press <right>Alt-Del (instead of Ctrl-Alt-Del) to open the logon dialog box.

2. Type the following information: User name: Administrator, Password: password, and then click OK.

3. You can now start with the exercises in this lab manual.

Enjoy the lab!

Comments and feedback

Please send any comments, feedback or corrections regarding the virtual machines or the lab manual to:

Ronald [email protected]


Module A: Introduction to ISA Server

Exercise 1 Exploring the User Interface

In this exercise, you will explore the user interface of ISA Server.

Note that the steps in this exercise and the other exercises in this module, do not enable, configure or test the functionality of ISA Server. In later modules, the functionality is configured and used in scenarios.

Tasks Detailed steps

Note: This lab exercise uses the following computer: Paris. Refer to the beginning of the manual for instructions on how to start this computer. Log on to the computer.

Perform the following steps on the Paris computer.

1. On the Paris computer, explore the task pane.

a. On the Paris computer, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.

The ISA Server console opens. This is the console from which all configuration of the ISA server is done.

b. In the ISA Server console, in the left pane, expand Paris, expand Configuration, and then select Add-ins.

Note: The Add-ins node is only used here as an example to start the exploration of the new user interface.

The user interface of the ISA Server console consists of three main parts:

- The tree pane (or left pane) - This pane contains a short list of nodes. The nodes logically group related management or configuration settings.
- The details pane (or right pane) - For each node in the left pane, the details pane contains detailed information related to the node. The details pane may contain several tabs, such as Application Filters and Web Filters for the Add-ins node.
- The task pane - The task pane contains a Tasks tab with relevant commands for the selected node in the tree pane, or for the configuration element in the details pane. The task pane also contains a Help tab with context-sensitive help for the selected node or configuration element.

c. Drag the vertical divider between the tree pane (left) and the details pane, to make the details pane area larger or smaller.

d. On the vertical divider between the details pane and the task pane, click the arrow button.

The task pane closes to make a larger area of the screen available for the details pane.

e. Click the arrow button again.

The task pane opens again to allow access to the commands on the task pane.

f. Ensure that in the left pane, the Add-ins node is selected, and then in the right pane, on the Web Filters tab, select (for example) RADIUS Authentication Filter.

Notice that the available commands in the task pane change, when a configuration element (a web filter in this example) is selected in the right pane.

g. In the right pane, right-click RADIUS Authentication Filter.

A context menu appears with commands applicable to this web filter. (Do not click a command on the menu.)

At any time, you can click the most common tasks in the task pane, or select from a more extensive list of commands by right-clicking the configuration element.

h. In the task pane, select the Help tab.

The Help tab in the task pane provides context-sensitive help information related to the selected configuration element.

i. In the task pane, select the Tasks tab.

The following task is related to the use of Virtual PC.

2. Explore how you can make the Virtual PC window larger, or switch to full-screen mode.

a. Drag the bottom right corner of the Paris window, to make the window larger or smaller.

Virtual PC installs a special video driver in the guest operating system, which allows you to select any arbitrary resolution, by dragging the bottom right corner of the Virtual PC window.

b. Press the Ctrl-key, and then drag the bottom right corner of the Virtual PC window, to snap the window size to standard resolutions, such as 800x600.

c. Press <right>Alt-Enter.

d. If a warning message box appears, click Continue to confirm that you can press <right>Alt-Enter again to return from full-screen mode.

The Virtual PC window switches to full-screen mode after you press <right>Alt-Enter. The resolution of the guest operating system is automatically adjusted to fill the entire screen of the host computer. You may need to maximize the ISA Server console window, in order to use the entire screen.

Virtual PC calls the <right>Alt key, the "host key".

e. Press <right>Alt-Enter again to return from full-screen mode.

3. Explore the main nodes in the ISA Server console:

- Configuration
- Networks
- Firewall Policy
- Monitoring

a. In the ISA Server console, in the left pane, select Configuration.

A single ISA Server (or an array of multiple ISA Servers) has two main areas of configuration:

- Configuration node - This node contains all configuration settings that are relatively static. This includes Networks configuration, Cache configuration, Add-ins (application filters and Web filters) and General. You would typically not change the configuration of those elements very often. ISA Server 2006 Enterprise Edition also has a Servers node.
- Firewall Policy node - This node contains a single list of all the access rules (outgoing) and the publishing rules (incoming). These rules will change more often, since they reflect the business rules and firewall access policy of a company.

b. In the left pane, select Networks.

The Networks node contains the configuration of all the networks connected to the ISA Server. Network rules are defined between each network. This includes networks directly connected by network adapters such as External, Internal and Perimeter, virtual networks such as all the VPN Clients and Quarantined VPN Clients and special networks such as Local Host.

The initial configuration of the networks and the related firewall policy rules is done by selecting a network template from the Templates tab in the task pane. (Do not change the network template now.)

Exercise 2 in this lab module explores the Networks configuration.

c. In the left pane, select Firewall Policy.

The Firewall Policy node contains a list of all access rules and publishing rules.

Exercise 3 in this lab module explores the Firewall Policy configuration.

d. If the task pane is closed, click the arrow button to open the task pane.

The task pane for the Firewall Policy node contains an additional tab named Toolbox. This tab has 5 sliding sections (Protocols, Users, Content Types, Schedules and Network Objects) that list all the rule elements that you can use in the access rules and publishing rules.

e. In the task pane, on the Toolbox tab, click the Protocols heading, and then click Common Protocols.

The rule elements, such as protocol definitions, are selected when new access rules or publishing rules are created.

f. In the task pane, on the Toolbox tab, click the Users heading, and then click New.

The New User Set wizard appears. A user set is a collection of users (from Windows, RADIUS or SecurID) and groups, defined together in a single set. You can apply an access rule or publishing rule to one or more user sets.

g. Click Cancel to close the New User Set Wizard.

h. In the left pane, select Monitoring.

The Monitoring node has multiple tabs (Dashboard, Alerts, Sessions, Services, Reports, Connectivity Verifiers and Logging) that allow you to monitor, control, investigate, troubleshoot and plan firewall operations. ISA Server 2006 Enterprise Edition also has a Configuration tab.

The Dashboard tab contains summary boxes for five of the tabs and a running System Performance monitor that displays a real-time graph of the current rate of allowed and dropped packets.

Exercise 5 in this lab module explores the Monitoring node.

i. On the Dashboard tab, click the Sessions summary box header.

The Sessions tab of the Monitoring node is displayed. This tab displays the client sessions that are currently active on the ISA Server. If you only want to see specific sessions, you can filter the session list.

Other tabs of the Monitoring node are explored in exercise 5 in this lab module.

4. Explore the Export and Import configuration commands.

a. In the ISA Server console, in the left pane, right-click Paris.

The context menu of the Paris node contains Export and Import commands. You can use these commands to export configuration settings to an XML file, and import the settings later on this computer or on another computer.

The Export and Import commands are present on the context menu of almost all the nodes in the left pane. This includes the Networks node, the Firewall Policy node and even individual rules and rule elements.

Exercise 2 Ease of Use: Multiple Networks

In this exercise, you will explore how ISA Server uses multiple networks.

Tasks Detailed steps

Note: This lab exercise uses the following computer: Paris. Refer to the beginning of the manual for instructions on how to start this computer. Log on to the computer.

Perform the following steps on the Paris computer.

1. On the Paris computer, explore how ISA Server uses multiple networks with IP address ranges, instead of the concept of a Local Address Table (LAT).

a. On the Paris computer, in the ISA Server console, in the left pane, expand Paris, expand Configuration, and then select Networks.

One of the most important changes in ISA Server 2004 and ISA Server 2006, in comparison with ISA Server 2000, is the concept of multiple networks connected to the ISA Server, which are all treated similarly for configuration purposes.

All firewall policy rules can be defined in terms of Source network and Destination network.

b. In the right pane, on the (lower) Networks tab, right-click Internal, and then click Properties.

c. In the Internal Properties dialog box, select the Addresses tab.

Compare:

- ISA Server 2004 and ISA Server 2006 - The IP addresses of the Internal network only define what network interfaces are included in the network named Internal. Other networks, such as Perimeter, are defined in a similar fashion. There is no equivalent to ISA Server 2000's Local Address Table (LAT). The application of packet filters, rules and Network Address Translation (NAT) or routing of IP packets is configured separately.
- ISA Server 2000 - The LAT is a very significant part of the configuration of ISA Server. It automatically determines on which network interface packet filters are applied and where NAT or routing of IP packets is performed.

d. Click Cancel to close the Internal Properties dialog box.

Notice that the Perimeter network is defined as the IP address range 23.1.1.0 - 23.1.1.255. The Local Host network is defined as the ISA Server computer itself. All other IP addresses belong to the External network. The VPN Clients and Quarantined VPN Clients networks have dynamic membership and contain connecting VPN client computers.

e. On the Network Sets tab, right-click All Protected Networks and then click Properties.

f. In the All Protected Networks Properties dialog box, select the Networks tab.

Network Sets are groupings of existing Networks that can be used in firewall policy rules as well. This makes it easy to refer to all networks, or all related networks. You can define additional network sets.

The definition of the All Protected Networks network set is all existing networks, EXCEPT the External network.

ISA Server 2006 Enterprise Edition also allows you to define Networks and Network Sets at the enterprise level, so that they can be used in all ISA Server arrays. With enterprise networks, individual array administrators don't need to be aware of changes in the larger corporate networks. Changes to an enterprise network take effect without requiring an array administrator to make changes to an individual array.

g. Click Cancel to close the All Protected Networks Properties dialog box.

h. On the Start menu, click Control Panel, and then click Network Connections.

The Network Connections menu on the Start menu shows that Paris has three network adapters. To avoid confusion in the lab exercises, the network adapters on Paris were renamed as part of the lab setup from Local Area Connection (#2 and #3) to External Connection, Internal Connection and Perimeter Connection.

i. Click the Start button again to close the Start menu.

2. Explore how Network Rules define Network Address Translation (NAT) or routing of IP packets between networks.

For demonstration purposes, create and discard a new network rule.

a. In the ISA Server console, in the left pane, ensure that Networks is selected.

b. In the right pane, select the Network Rules tab.

Network rules define whether ISA Server will use NAT (replace client source address with ISA Server address) or Route (use client source address in request) for traffic between each pair of networks or network sets, if the firewall policy allows network traffic between these networks.

Currently, Paris uses Route for all traffic between the ISA Server computer and all networks (rule 1), between the VPN networks and the Internal network (rule 2) and between the Perimeter network and the External network (rule 4). It uses NAT for all traffic from the Internal and VPN networks to the Perimeter network (rule 3) and from the Internal and VPN networks to the External network (rule 5).

Route network rules automatically work in both directions. NAT network rules are defined in one direction. If there is no network rule defined between two networks, ISA Server does not allow traffic between those networks.
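The network-membership and NAT/Route semantics described in this task can be checked against a small model. The following Python is an added example written for this manual, not ISA Server code: it classifies an address into a network by address range (External being every address that matches no other network), builds the All Protected Networks set, and applies the five network rules the manual lists for Paris in order, treating Route rules as bidirectional and NAT rules as one-directional. Only the Perimeter range 23.1.1.0 - 23.1.1.255 comes from the manual; the Internal, Local Host and VPN address ranges and the rule names Rule 1 to Rule 5 are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# Added example: a model of ISA Server's multiple-network concept, written for this
# manual and not taken from ISA Server. Every network except External is a list of
# IPv4 address ranges; External is whatever address belongs to no other network.


@dataclass
class Network:
    name: str
    ranges: list  # (first, last) IPv4Address pairs, both inclusive

    def contains(self, ip):
        return any(first <= ip <= last for first, last in self.ranges)


def make_network(name, *ranges):
    return Network(name, [(ipaddress.IPv4Address(a), ipaddress.IPv4Address(b))
                          for a, b in ranges])


# Constructed addressing. Only the Perimeter range is taken from the manual; the other
# ranges are assumptions for this example. In ISA the two VPN networks have dynamic
# membership; here they get fixed ranges so that they can be exercised.
EXTERNAL = "External"
NETWORKS = [
    # Local Host is checked first: the firewall's own adapter addresses also fall
    # inside the Internal and Perimeter ranges, but they belong to Local Host.
    make_network("Local Host", ("10.0.0.1", "10.0.0.1"), ("23.1.1.1", "23.1.1.1"),
                 ("131.107.1.1", "131.107.1.1")),
    make_network("Internal", ("10.0.0.0", "10.0.0.255")),
    make_network("Perimeter", ("23.1.1.0", "23.1.1.255")),
    make_network("VPN Clients", ("10.0.1.0", "10.0.1.255")),
    make_network("Quarantined VPN Clients", ("10.0.2.0", "10.0.2.255")),
]
ALL_NETWORKS = {n.name for n in NETWORKS} | {EXTERNAL}


def classify(address):
    """Return the name of the network an address belongs to (External if none matches)."""
    ip = ipaddress.IPv4Address(address)
    for network in NETWORKS:
        if network.contains(ip):
            return network.name
    return EXTERNAL


def all_protected_networks():
    """The All Protected Networks set: every defined network except External."""
    return ALL_NETWORKS - {EXTERNAL}


@dataclass
class NetworkRule:
    name: str
    sources: set
    destinations: set
    relation: str  # "Route" or "NAT"


# The five network rules the manual describes on Paris, numbered as the manual does.
VPN = {"VPN Clients", "Quarantined VPN Clients"}
NETWORK_RULES = [
    NetworkRule("Rule 1", {"Local Host"}, ALL_NETWORKS, "Route"),
    NetworkRule("Rule 2", VPN, {"Internal"}, "Route"),
    NetworkRule("Rule 3", {"Internal"} | VPN, {"Perimeter"}, "NAT"),
    NetworkRule("Rule 4", {"Perimeter"}, {EXTERNAL}, "Route"),
    NetworkRule("Rule 5", {"Internal"} | VPN, {EXTERNAL}, "NAT"),
]


def relationship(src_address, dst_address, rules=NETWORK_RULES):
    """Return "Route", "NAT", or None (no network rule, so no traffic is possible).

    Route rules match in both directions; NAT rules only in the direction they are
    defined, as the manual states. Whether the firewall policy then permits the
    traffic is a separate question (the access rules of Exercise 3).
    """
    src, dst = classify(src_address), classify(dst_address)
    for rule in rules:
        if src in rule.sources and dst in rule.destinations:
            return rule.relation
        if rule.relation == "Route" and src in rule.destinations and dst in rule.sources:
            return "Route"
    return None


if __name__ == "__main__":
    for src, dst in [("10.0.0.50", "131.107.2.200"), ("131.107.2.200", "10.0.0.50"),
                     ("10.0.1.7", "10.0.0.50"), ("23.1.1.10", "131.107.2.200")]:
        print(f"{src} ({classify(src)}) -> {dst} ({classify(dst)}): {relationship(src, dst)}")
```

The reverse direction of a NAT rule (External to Internal in the model) deliberately returns None: the manual's statement that NAT rules are defined in one direction is what makes inbound traffic impossible until a publishing rule is created in a later module.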

c. In the task pane, on the Tasks tab, click Create a Network Rule.

d. In the New Network Rule Wizard dialog box, in the Network rule name text box, type VPN Perimeter Access, and then click Next.

e. On the Network Traffic Sources page, click Add.

The Add Network Entities dialog box appears.

f. In the Add Network Entities dialog box, click Networks, click VPN Clients, click Add, and then click Close to close the Add Network Entities dialog box.

g. On the Network Traffic Sources page, click Next.

h. On the Network Traffic Destinations page, click Add.

The Add Network Entities dialog box appears again.

i. In the Add Network Entities dialog box, click Networks, click Perimeter, click Add, and then click Close to close the Add Network Entities dialog box.

j. On the Network Traffic Destinations page, click Next.

k. On the Network Relationship page, select Route, and then click Next.

l. On the Completing the New Network Rule Wizard page, click Finish.

A new network rule is created. ISA Server will route IP packets from computers on the VPN Clients network to the Perimeter network.

Note: The new network rule is not applied yet.

The new VPN Perimeter Access network rule is only created for demonstration purposes. Do not apply the new rule to ISA Server.

m. On the top of the right pane, click Discard to remove the unsaved changes, such as the new VPN Perimeter Access rule.

n. Click Yes to confirm that you want to discard the changes.

3. Explore how network templates are used to configure network rules and firewall policy rules.

a. In the ISA Server console, in the left pane, ensure that Networks is selected.

b. In the task pane, select the Templates tab.

Network Templates are predefined XML files that contain common network topologies. They can be used to configure the network rules between networks and the firewall policy rules. The graphic associated with each network template helps you understand the selected network topology.

ISA Server 2006 includes five network templates (Edge Firewall, 3-Leg Perimeter, Front Firewall, Back Firewall and Single Network Adapter).

Normally, setting up ISA Server includes four steps:

1. Install network adapters and assign IP addresses.
2. Install the ISA Server software. The installation wizard asks you to specify the IP addresses of the Internal network.
3. Open the ISA Server console and select the Network Template that most closely matches your network topology.
4. Modify the created firewall policy rules to meet specific security requirements. For example, limit access to specific users.

Note: Installing ISA Server 2006 Enterprise Edition also includes a step to install the Configuration Storage Server, which stores the configuration information of all ISA Server arrays.

c. On the Templates tab, click 3-Leg Perimeter.

Note: 3-Leg Perimeter is already the current active network template on Paris. It matches most closely the network topology of the lab environment. For demonstration purposes, this task explores the Network Template Wizard without changing any settings.

d. In the Network Template Wizard dialog box, click Next.

ISA Server allows you to export the current configuration to a backup (XML) file, which can be restored later.

e. On the Export the ISA Server Configuration page, click Next.

f. On the Internal Network IP Addresses page, click Next.

g. On the Perimeter Network IP Addresses page, click Next.

Each network template contains one or more firewall policy rule sets. These firewall policies allow you to start with a set of firewall policy rules that best matches your network and security policy.

h. On the Select a Firewall Policy page, in the Select a firewall policy list box, select Allow limited Web access, allow access to network services on Perimeter network.

i. In the Description list box, scroll to the end of the text to see a description of the firewall policy rules that are created, if this firewall policy is selected.

j. On the Select a Firewall Policy page, click Next.

k. On the Completing the Network Template Wizard page, click CANCEL (do NOT click Finish).

The network rules and firewall policy rules on the ISA Server are not changed.

4. Explore the client support configuration settings per network.

a. In the ISA Server console, in the left pane, ensure that Networks is selected, and then in the right pane, select the (lower) Networks tab.

b. Right-click Internal, and then click Properties.

c. In the Internal Properties dialog box, select the Firewall Client tab.

The Firewall Client tab specifies whether client computers on the selected network (Internal) can access other networks such as the Internet, through ISA Server, by using the Firewall Client software (port 1745).

d. Select the Web Proxy tab.

The Web Proxy tab specifies whether client computers on the selected network (Internal) can access other networks through ISA Server, by using a Web Proxy client such as a Web browser (port 8080).

e. Click Cancel to close the Internal Properties dialog box.

Exercise 3 Ease of Use: Single Rule Base

In this exercise, you will explore how ISA Server uses a single list of firewall rules.

Tasks Detailed steps

Note: This lab exercise uses the following computer: Paris. Refer to the beginning of the manual for instructions on how to start this computer. Log on to the computer.

Perform the following steps on the Paris computer.

1. On the Paris computer, explore the single firewall policy rule list.

Create an access rule:

Name: Allow Web traffic to Internet

Applies to: HTTP

From network: Internal

To network: External

a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.

ISA Server uses a single rule list for access rules and publishing rules.

b. In the right pane, on the Firewall Policy tab, select Default rule.

Note: New rules are added to the rule list before the currently selected rule. Although it does not make a difference when only the default rule exists, it is a good practice to always explicitly select an existing rule, before creating a new rule.

c. In the task pane, on the Tasks tab, click Create Access Rule.

d. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow Web traffic to Internet, and then click Next.

e. On the Rule Action page, select Allow, and then click Next.

f. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.

The Add Protocols dialog box appears.

g. In the Add Protocols dialog box, click Web, click HTTP, click Add, and then click Close to close the Add Protocols dialog box.

h. On the Protocols page, click Next.

i. On the Access Rule Sources page, click Add.

The Add Network Entities dialog box appears.

j. In the Add Network Entities dialog box, click Networks, click Internal, click Add, and then click Close to close the Add Network Entities dialog box.

k. On the Access Rule Sources page, click Next.

l. On the Access Rule Destinations page, click Add.

The Add Network Entities dialog box appears again.

m. In the Add Network Entities dialog box, click Networks, click External, click Add, and then click Close to close the Add Network Entities dialog box.

n. On the Access Rule Destinations page, click Next.

o. On the User Sets page, click Next.

p. On the Completing the New Access Rule Wizard page, click Finish.

A new firewall policy rule is created that allows the HTTP protocol from the Internal network to the External network for all users. The External network represents the Internet.

Notice that the new rule has not been applied yet.

q. Do NOT click Apply to apply the new rule.

2. Add the HTTPS and FTP protocols to the Allow Web traffic to Internet access rule.

a. In the task pane, on the Toolbox tab, in the Protocols section, click Web.

The Web protocol list opens up. The list includes HTTPS and FTP.

b. Drag HTTPS from the Toolbox to HTTP in the Protocols column of the Allow Web traffic to Internet access rule.

The HTTPS protocol is added to the access rule.

c. Drag FTP from the Toolbox to HTTP/HTTPS in the Protocols column of the Allow Web traffic to Internet access rule.

The FTP protocol is added to the access rule.

d. Click the box with the minus-sign in front of the Allow Web traffic to Internet access rule to display the access rule with multiple protocols on a single line.

Instead of dragging protocols from the toolbox to configure a firewall policy rule, you can also right-click on the rule, and select Properties, as is shown in the next task.
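Tasks 1 and 2 above, together with the note at step 1.b that a new rule is inserted before the currently selected rule, can be modelled with the following Python. It is an added example written for this manual, not ISA Server code: a FirewallPolicy keeps one ordered rule list that always ends with the Default rule (deny all), add_rule inserts before the selected rule, add_protocols stands in for dragging protocols from the Toolbox, and evaluate returns the first matching rule from the top. The class and function names, and the "Block FTP" rule used to show why the insertion position matters, are constructed for the example.

```python
from dataclasses import dataclass, field

# Added example modelling ISA Server's single ordered firewall policy list; written
# for this manual, not ISA Server code. Rule names other than "Default rule" and
# "Allow Web traffic to Internet" are constructed for the example.

ANY = "*"  # wildcard used by the Default rule


@dataclass
class AccessRule:
    name: str
    action: str        # "Allow" or "Deny"
    protocols: set     # protocol names, or {ANY}
    sources: set       # network names, or {ANY}
    destinations: set
    users: set = field(default_factory=lambda: {"All Users"})

    def matches(self, protocol, source, destination):
        return ((ANY in self.protocols or protocol in self.protocols)
                and (ANY in self.sources or source in self.sources)
                and (ANY in self.destinations or destination in self.destinations))


class FirewallPolicy:
    def __init__(self):
        # The Default rule denies all traffic and always stays at the bottom.
        self.rules = [AccessRule("Default rule", "Deny", {ANY}, {ANY}, {ANY})]
        self.selected = "Default rule"

    def names(self):
        return [rule.name for rule in self.rules]

    def find(self, name):
        return self.rules[self.names().index(name)]

    def select(self, name):
        self.find(name)  # raises ValueError for an unknown rule name
        self.selected = name

    def add_rule(self, rule):
        # As the manual notes, a new rule is inserted before the currently selected
        # rule, so the selection decides where the rule lands in the evaluation order.
        self.rules.insert(self.names().index(self.selected), rule)

    def add_protocols(self, rule_name, *protocols):
        # Stands in for dragging protocols from the Toolbox onto the rule (task 2).
        self.find(rule_name).protocols.update(protocols)

    def evaluate(self, protocol, source, destination):
        """Return (action, rule name) of the first matching rule, top to bottom."""
        for rule in self.rules:
            if rule.matches(protocol, source, destination):
                return rule.action, rule.name
        raise RuntimeError("unreachable: the Default rule matches everything")


def lab_policy():
    """Rebuild the rule list that tasks 1 and 2 of this exercise create on Paris."""
    policy = FirewallPolicy()
    policy.select("Default rule")
    policy.add_rule(AccessRule("Allow Web traffic to Internet", "Allow",
                               {"HTTP"}, {"Internal"}, {"External"}))
    policy.add_protocols("Allow Web traffic to Internet", "HTTPS", "FTP")
    return policy


def with_ftp_block(selected_before_insert):
    """Add a constructed "Block FTP" deny rule while the given rule is selected."""
    policy = lab_policy()
    policy.select(selected_before_insert)
    policy.add_rule(AccessRule("Block FTP", "Deny", {"FTP"}, {"Internal"}, {"External"}))
    return policy


if __name__ == "__main__":
    print(lab_policy().names(), lab_policy().evaluate("FTP", "Internal", "External"))
    for selected in ("Allow Web traffic to Internet", "Default rule"):
        policy = with_ftp_block(selected)
        print(policy.names(), policy.evaluate("FTP", "Internal", "External"))
```

Running the block shows the point of the note at step 1.b: the same "Block FTP" rule denies FTP when it is inserted above the Allow rule and has no effect at all when it lands below it, because the Allow rule matches first.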

3. Explore the properties of the Allow Web traffic to Internet access rule.

a. Right-click the Allow Web traffic to Internet access rule, and then click Properties.

b. In the Allow Web traffic to Internet Properties dialog box, on the Protocols tab, click Add.

c. In the Add Protocols dialog box, click Common Protocols.

You can add any TCP/UDP protocol to the access rule. You can also add non-TCP/UDP protocols, such as Ping (ICMP) to the access rule.

d. Click Close to close the Add Protocols dialog box.

e. On the To tab, click Add.

Instead of applying the access rule to traffic to all destinations on the External network, you can limit access to specific destinations by using any of the other network entities (Computers, Address Ranges, Subnets, Domain Name Sets, URL Sets and Computer Sets).

f. Click Close to close the Add Network Entities dialog box.

g. On the From tab, click Add.

h. In the Add Network Entities dialog box, click Networks.

The Local Host network (representing the ISA Server computer) can be used as the source network in an access rule.

i. Click Close to close the Add Network Entities dialog box.

j. Click Cancel to close the Allow Web traffic to Internet Properties dialog box.

4. Explore the HTTP protocol scanning features of the Allow Web traffic to Internet access rule.

For demonstration purposes, configure the rule to block HTTP traffic from MSN Messenger.

HTTP Header: User-Agent: MSMSGS

a. Right-click the Allow Web traffic to Internet access rule, and then click Configure HTTP.

b. In the Configure HTTP policy for rule dialog box, examine the five tabs with the HTTP filter settings.

ISA Server examines the contents of all HTTP traffic. This is called application level filtering, or content filtering. HTTP packets that do not meet the specifications on the General tab are blocked.

Many applications use HTTP as their transport protocol or even as a tunnel protocol, because HTTP port 80 is allowed through most firewalls. Application level filtering can block HTTP traffic that does not conform to the protocol specification, as well as unwanted HTTP applications or content. These settings, such as limiting the maximum URL length, would have blocked the exploitation of vulnerabilities described in more than 40 different Microsoft Security Bulletins, between MS98-003 and now.

c. On the Signatures tab, click Add.

d. In the Signature dialog box, complete the following information, and then click OK:

Name: MSN Messenger traffic

Search in: Request headers

HTTP Header: User-Agent

Signature: MSMSGS

e. Click OK to close the Configure HTTP policy for rule dialog box.

The Allow Web traffic to Internet access rule will allow HTTP traffic from a Web browser, but it will block HTTP traffic from MSN Messenger.
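To make the filter behaviour concrete, here is a small model of the HTTP filter settings used in this task. It is an added example, not ISA Server's own code: it parses a raw request, enforces a maximum URL length (General tab, with a constructed limit of 2048) and the User-Agent signature configured above, and reports which setting blocked the request. Signature matching is modelled as a case-sensitive substring search, and the sample requests and host names are constructed.

```python
"""Model of the HTTP filter settings from this task (an added example, not ISA
Server's own code). A raw HTTP request is parsed, checked against a maximum URL
length (General tab) and against a header signature (Signatures tab: search in
request headers, header User-Agent, signature MSMSGS), and the first setting
that fails is reported. Signature matching is modelled as a case-sensitive
substring search on the header value, which is an assumption of this model."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Signature:
    name: str
    search_in: str   # only "Request headers" is modelled here
    header: str
    signature: str


@dataclass
class HttpPolicy:
    max_url_length: int
    signatures: List[Signature]


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Split a request head into (method, url, headers).

    Header names are lower-cased because HTTP treats them case-insensitively;
    a request line that does not have three fields raises ValueError."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, url, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, url, headers


def inspect(policy: HttpPolicy, raw: bytes) -> Optional[str]:
    """Return None when the request passes the filter, else the block reason."""
    try:
        _method, url, headers = parse_request(raw)
    except ValueError:
        return "request line does not conform to the HTTP specification"
    if len(url) > policy.max_url_length:
        return f"URL length {len(url)} exceeds maximum {policy.max_url_length}"
    for sig in policy.signatures:
        if sig.search_in != "Request headers":
            continue
        value = headers.get(sig.header.lower(), "")
        if sig.signature in value:
            return f"signature '{sig.name}' matched {sig.header}: {value}"
    return None


# Policy as configured in the task; the URL limit is a constructed value.
POLICY = HttpPolicy(
    max_url_length=2048,
    signatures=[Signature("MSN Messenger traffic", "Request headers",
                          "User-Agent", "MSMSGS")],
)

# Constructed sample requests: a browser, MSN Messenger tunnelling over HTTP,
# and an over-long URL of the kind the General tab limit is meant to reject.
BROWSER_REQUEST = (b"GET /web.asp HTTP/1.1\r\n"
                   b"Host: istanbul.fabrikam.com\r\n"
                   b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n\r\n")
MESSENGER_REQUEST = (b"POST /gateway HTTP/1.1\r\n"
                     b"Host: messenger.example.test\r\n"
                     b"User-Agent: MSMSGS\r\n\r\n")
LONG_URL_REQUEST = (b"GET /" + b"a" * 3000 + b" HTTP/1.1\r\n"
                    b"Host: istanbul.fabrikam.com\r\n\r\n")


def lab_results() -> Dict[str, Optional[str]]:
    """Run the three constructed requests through the policy."""
    return {
        "browser": inspect(POLICY, BROWSER_REQUEST),
        "messenger": inspect(POLICY, MESSENGER_REQUEST),
        "long_url": inspect(POLICY, LONG_URL_REQUEST),
    }


if __name__ == "__main__":
    for name, verdict in lab_results().items():
        state = "allowed" if verdict is None else "blocked (" + verdict + ")"
        print(f"{name}: {state}")
```

The model only sees plain HTTP; like the real filter, it cannot inspect the headers inside an HTTPS connection, which is why the signature is applied to the HTTP protocol in the rule.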

5. Explore the System Policy Rules in the Firewall Policy.

a. In the left pane, ensure that Firewall Policy is selected.

b. In the task pane, on the Tasks tab, click Show System Policy Rules.

In the right pane, 30 predefined access rules to or from the Local Host network (ISA Server computer) are shown. These are called System Policy Rules.

Note: ISA Server 2006 Enterprise Edition has four more system policy rules (31 to 34), which specifically apply to traffic to and from ISA Server arrays.

c. In the task pane, on the Tasks tab, click Edit System Policy.

The System Policy Editor dialog box appears. You can only make minimal changes to the system policy rules, but you can enable or disable most system policy rules.

d. Click Cancel to close the System Policy Editor dialog box.

e. In the task pane, on the Tasks tab, click Hide System Policy Rules.

Note: The following task is needed to avoid conflicts with other lab exercises.

6. Discard the Allow Web traffic to Internet access rule.

a. In the right pane, click Discard to remove the unsaved Allow Web traffic to Internet access rule.

b. Click Yes to confirm that you want to discard the changes.

If you clicked Apply during this exercise, the access rule is saved. Right-click the access rule, click Delete, and then click Apply and OK to delete the access rule again.


Exercise 4 Ease of Use: Monitoring

In this exercise, you will explore how ISA Server uses monitoring.

Tasks Detailed steps

Note: This lab exercise uses the following computer: Paris. Refer to the beginning of the manual for instructions on how to start this computer. Log on to the computer.

Perform the following steps on the Paris computer.

1. On the Paris computer, explore the new Monitoring features in ISA Server.

a. On the Paris computer, in the ISA Server console, in the left pane, expand Paris, and then select Monitoring.

The Monitoring node has multiple tabs that allow you to monitor, control, investigate, troubleshoot and plan firewall operations.

On the first tab (Dashboard), five of the other tabs are represented by summary boxes. By clicking the header of a summary box, you can go to the corresponding tab to see more details.

b. Select the Alerts tab.

The Alerts tab lists events that ISA Server informs you about. You can configure for which types of events ISA Server creates an alert.

c. Select the Sessions tab.

The Sessions tab shows the current SecureNAT, Firewall client, Web Proxy client and VPN client sessions. You can also disconnect client sessions on this tab.

d. Select the Services tab.

The Services tab displays the status of the Microsoft Firewall service and other related services. If you enable the ISA Server for VPN connections, then the Routing and Remote Access service status is also displayed. For ISA Server 2006 Enterprise Edition, if you enable NLB integration, then the Network Load Balancing driver status is also displayed.

e. Select the Reports tab.

The Reports tab lists the defined usage reports. Reports show you ISA Server activity over time, such as performance and security information. You can also create new reports on this tab.

f. Select the Connectivity Verifiers tab.

The Connectivity Verifiers tab allows you to define Connectivity Verifiers. A connectivity verifier periodically connects from the ISA Server to a computer that you specify, to test current connectivity by using either an HTTP GET request, a Ping request, or by attempting to establish a TCP connection to a port that you specify. ISA Server can use connectivity verifiers to alert you if a network connection fails.

g. Select the Logging tab.

Note: You may (temporarily) need to close the task pane in order to see the Logging tab.

The Logging tab is used to configure the Firewall Server log files, and to view the contents of the log files online.

h. In the task pane, on the Tasks tab, click Configure Firewall Logging.

ISA Server 2006 logging supports three log storage formats: MSDE Database (*.mdf), SQL Database (ODBC) or File (*.w3c, text).


i. Click Cancel to close the Firewall Logging Properties dialog box.

Note: The Logging tab also has a Live display mode that allows you to see the log entries from the ISA Server log files on the screen, immediately after they are written to the log files. If you want to limit the log entries that are displayed, to simplify finding specific information in the log files, you can create a filter.

j. Close the ISA Server console.


Module B: Configuring Outbound Internet Access

Exercise 1 Allowing Outbound Web Access from Client Computers

In this exercise, you will configure ISA Server to allow outbound Web access for client computers on the internal network.

Tasks Detailed steps

Note: This lab exercise uses the following computers: Denver - Paris - Istanbul. Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.

Perform the following steps on the Denver computer.

1. On the Denver computer, test your connectivity by opening Internet Explorer and attempting to connect to http://istanbul.fabrikam.com

a. On the Denver computer, open Internet Explorer. In the Address box, type http://istanbul.fabrikam.com, and then press Enter.

Internet Explorer is unable to connect to the Web site.

b. Look at the bottom of the Web page and view the reason why the Web page cannot be displayed.

ISA Server denies the request. (502 Proxy Error - ISA Server denied the specified URL). This is because you have not created any access rules yet.

The firewall policy on ISA Server always contains a rule named Default rule. This rule denies all network traffic. This means that ISA Server denies any network traffic that you did not specifically allow in another rule.

c. Close Internet Explorer.

Perform the following steps on the Paris computer.

2. On the Paris computer, create a new access rule.

Name: Allow outbound Web traffic

Applies to: HTTP, HTTPS, FTP

From network: Internal

To network: External

a. On the Paris computer, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.

The ISA Server console opens.

b. In the ISA Server console, expand Paris, and then select Firewall Policy.

c. In the right pane, on the Firewall Policy tab, select Default rule.

It is a good practice to always select an existing rule, before creating a new rule, to indicate where the new rule is added in the list.

d. In the task pane, on the Tasks tab, click Create Access Rule.

Instead of using the task pane, you can also right-click Firewall Policy, click New, and then click Access Rule.

e. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow outbound Web traffic, and then click Next.

f. On the Rule Action page, select Allow, and then click Next.

g. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.


The Add Protocols dialog box appears.

h. In the Add Protocols dialog box, click Common Protocols, click HTTP, and click Add; click HTTPS, and click Add; click Web, click FTP, and click Add; and then click Close to close the Add Protocols dialog box.

Notice that the same protocols can be listed under multiple headings in the Add Protocols dialog box.

i. On the Protocols page, click Next.

j. On the Access Rule Sources page, click Add.

The Add Network Entities dialog box appears.

k. In the Add Network Entities dialog box, click Networks, click Internal, click Add, and then click Close to close the Add Network Entities dialog box.

l. On the Access Rule Sources page, click Next.

m. On the Access Rule Destinations page, click Add.

n. In the Add Network Entities dialog box, click Networks, click External, click Add, and then click Close to close the Add Network Entities dialog box.

o. On the Access Rule Destinations page, click Next.

p. On the User Sets page, click Next.

q. On the Completing the New Access Rule Wizard page, click Finish.

A new firewall policy rule is created that allows the FTP, HTTP and HTTPS protocols from the Internal network to the External network for all users.

The new rule has not been applied yet.

3. Apply the changes.

a. Click Apply to apply the new rule, and then click OK.

4. Examine the network rule for connectivity between the Internal network and the External network.

a. In the left pane, expand Configuration, and then select Networks.

b. In the right pane, on the Network Rules tab, select the rule that defines the connectivity between the Internal network and the External network.

In the default configuration for the 3-Leg Perimeter network template, the network rule named Internet Access (rule 5) indicates that network traffic between the Internal network and the External network will use NAT.

5. Examine the Web Proxy settings of the Internal network.

a. On the Networks tab, right-click Internal, and then click Properties.

b. In the Internal Properties dialog box, select the Web Proxy tab.

The Enable Web Proxy clients check box indicates that ISA Server listens (on port 8080) for requests from Web Proxy clients on the Internal network.

c. Click Cancel to close the Internal Properties dialog box.

Perform the following steps on the Denver computer.

6. On the Denver computer, test your connectivity again by opening Internet Explorer and connecting to http://istanbul.fabrikam.com and by establishing an FTP session with istanbul.fabrikam.com.

a. On the Denver computer, open Internet Explorer. In the Address box, type http://istanbul.fabrikam.com, and then press Enter.

Internet Explorer displays the Istanbul Web site. The access rule that you created grants access to network traffic to the Istanbul Web server.

b. In Internet Explorer, on the Tools menu, click Internet Options.

c. In the Internet Options dialog box, on the Connections tab, click LAN Settings.

Notice that Denver is indeed configured as a Web Proxy client.

d. Click Cancel to close the Local Area Network (LAN) Settings dialog box.

e. Click Cancel to close the Internet Options dialog box.

f. Close Internet Explorer.

g. Open a Command Prompt window.

h. At the command prompt, type ftp istanbul.fabrikam.com, and then press Enter.

The FTP server on Istanbul prompts you to log on. This result confirms that you can connect using the FTP protocol.

i. Type Ctrl-C to close the FTP session.

j. If the ftp> prompt appears, type quit, and then press Enter.

k. Close the Command Prompt window.

Perform the following steps on the Paris computer.

7. On the Paris computer, create a new Computer Set rule element.

Name: Restricted Internal Computers

Included in the set: 10.1.1.5-10.1.1.8 (Domain Controllers)

a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.

b. In the task pane, on the Toolbox tab, in the Network Objects section, right-click Computer Sets, and then click New Computer Set.

c. In the New Computer Set Rule Element dialog box, in the Name text box, type Restricted Internal Computers.

d. Click Add, and then click Address Range.

e. In the New Address Range Rule Element dialog box, complete the following information, and then click OK:

Name: Domain Controllers

Start Address: 10.1.1.5

End Address: 10.1.1.8

Description: DCs on the internal network

The example suggests that there are 4 domain controllers on the Internal network. The lab only has a single domain controller named Denver (10.1.1.5).

f. Click OK to close the New Computer Set Rule Element dialog box.

A new Computer Set rule element is created.

8. Create a new access rule.

Name: Deny restricted computers

Action: Deny

Applies to: All outbound traffic

From: Restricted Internal Computers

To network: External

a. In the Firewall Policy list, select the Allow outbound Web traffic rule.

The new rule will be added before the selected rule.

b. In the task pane, on the Tasks tab, click Create Access Rule.

c. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Deny restricted computers, and then click Next.

d. On the Rule Action page, select Deny, and then click Next.

e. On the Protocols page, in the This rule applies to list box, select All outbound traffic, and then click Next.

f. On the Access Rule Sources page, click Add.

g. In the Add Network Entities dialog box, click Computer Sets, click Restricted Internal Computers, click Add, and then click Close to close the Add Network Entities dialog box.

h. On the Access Rule Sources page, click Next.

i. On the Access Rule Destinations page, click Add.

j. In the Add Network Entities dialog box, click Networks, click External, click Add, and then click Close to close the Add Network Entities dialog box.

k. On the Access Rule Destinations page, click Next.

l. On the User Sets page, click Next.

m. On the Completing the New Access Rule Wizard page, click Finish.


A new firewall policy rule is created that denies all network traffic from the computers in the Restricted Internal Computers set to the External network.

The new rule is listed first in the firewall policy rule list.

n. Click Apply to apply the new rule, and then click OK.

Perform the following steps on the Denver computer.

9. On the Denver computer, test your connectivity again by opening Internet Explorer and attempting to connect to http://istanbul.fabrikam.com.

a. On the Denver computer, open Internet Explorer. In the Address box, type http://istanbul.fabrikam.com, and then press Enter.

Internet Explorer is unable to connect to the Web site (502 Proxy Error). ISA Server denies access to the Istanbul Web site, because Denver (10.1.1.5) is in the Restricted Internal Computers set and is denied access by the new access rule.

b. Close Internet Explorer.

Perform the following steps on the Paris computer.

10. On the Paris computer, move the Allow outbound Web traffic rule, before the Deny restricted computers rule.

a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.

b. In the right pane, right-click the Allow outbound Web traffic rule (order 2), and then click Move Up.

The Allow outbound Web traffic rule (order 1) is now listed before the Deny restricted computers rule (order 2).

c. Click Apply to save the changes, and then click OK.

Perform the following steps on the Denver computer.

11. On the Denver computer, test your connectivity again by opening Internet Explorer and connecting to http://istanbul.fabrikam.com.

a. On the Denver computer, open Internet Explorer. In the Address box, type http://istanbul.fabrikam.com, and then press Enter.

Internet Explorer displays the Istanbul Web site, even though the Firewall Policy list contains a rule that denies access from the Denver (10.1.1.5) computer.

Note: To evaluate access, ISA Server follows the Firewall Policy rule order very strictly. Currently the Allow rule for Web traffic from Denver is listed before the Deny rule for all protocols from Denver.

b. Close Internet Explorer.
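The ordering behaviour observed in steps 9 and 11 can be replayed with a small model of the firewall policy evaluation. This is an added example, not ISA Server's own code: rules are tried strictly in list order and the first match wins, with the Default rule denying whatever is left. It assumes the Internal network is 10.1.1.0/24 (Denver is 10.1.1.5, as in the lab), treats External as every address outside a defined network, and uses a constructed address for Istanbul.

```python
"""Model of ISA Server firewall policy evaluation (an added example, not ISA
Server's own code). Rules are checked strictly in list order and the first rule
whose protocol, source and destination all match decides the result; the
Default rule at the end denies everything else. The Internal network is
assumed to be 10.1.1.0/24 (Denver is 10.1.1.5, as in the lab), External is
every address not in a defined network, and Istanbul's address is constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple, Union

NETWORKS = {"Internal": [ip_network("10.1.1.0/24")]}   # assumption for the lab


def network_of(ip: str) -> str:
    """External is the catch-all for addresses in no defined network."""
    addr = ip_address(ip)
    for name, subnets in NETWORKS.items():
        if any(addr in subnet for subnet in subnets):
            return name
    return "External"


@dataclass
class AddressRange:
    start: str
    end: str

    def contains(self, ip: str) -> bool:
        return ip_address(self.start) <= ip_address(ip) <= ip_address(self.end)


@dataclass
class ComputerSet:
    name: str
    ranges: List[AddressRange]

    def contains(self, ip: str) -> bool:
        return any(r.contains(ip) for r in self.ranges)


@dataclass
class AccessRule:
    name: str
    action: str                              # "Allow" or "Deny"
    protocols: Optional[Set[str]]            # None models "All outbound traffic"
    sources: List[Union[str, ComputerSet]]   # network names or computer sets
    destinations: List[str]                  # network names; "*" matches any

    def matches(self, proto: str, src_ip: str, dst_ip: str) -> bool:
        if self.protocols is not None and proto not in self.protocols:
            return False
        src_ok = any(
            s.contains(src_ip) if isinstance(s, ComputerSet)
            else s in ("*", network_of(src_ip))
            for s in self.sources)
        dst_ok = any(d in ("*", network_of(dst_ip)) for d in self.destinations)
        return src_ok and dst_ok


DEFAULT_RULE = AccessRule("Default rule", "Deny", None, ["*"], ["*"])


def evaluate(policy: List[AccessRule], proto: str,
             src_ip: str, dst_ip: str) -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule, Default rule last."""
    for rule in policy + [DEFAULT_RULE]:
        if rule.matches(proto, src_ip, dst_ip):
            return rule.action, rule.name
    raise RuntimeError("unreachable: the Default rule matches all traffic")


# Rule elements and rules as the exercise defines them.
RESTRICTED = ComputerSet("Restricted Internal Computers",
                         [AddressRange("10.1.1.5", "10.1.1.8")])
ALLOW_WEB = AccessRule("Allow outbound Web traffic", "Allow",
                       {"HTTP", "HTTPS", "FTP"}, ["Internal"], ["External"])
DENY_RESTRICTED = AccessRule("Deny restricted computers", "Deny",
                             None, [RESTRICTED], ["External"])


def lab_outcomes() -> dict:
    """Replay steps 9 and 11 for Denver (10.1.1.5) reaching Istanbul."""
    denver, istanbul = "10.1.1.5", "203.0.113.10"   # Istanbul address constructed
    deny_first = [DENY_RESTRICTED, ALLOW_WEB]    # order after step 8
    allow_first = [ALLOW_WEB, DENY_RESTRICTED]   # order after step 10
    return {
        "step9_http": evaluate(deny_first, "HTTP", denver, istanbul),
        "step11_http": evaluate(allow_first, "HTTP", denver, istanbul),
        # the Deny rule still catches protocols the Allow rule does not list
        "step11_ping": evaluate(allow_first, "PING", denver, istanbul),
        # with no Deny rule, unlisted protocols fall through to the Default rule
        "web_only_ping": evaluate([ALLOW_WEB], "PING", denver, istanbul),
    }


if __name__ == "__main__":
    for case, (action, rule) in lab_outcomes().items():
        print(f"{case}: {action} by '{rule}'")
```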

Perform the following steps on the Paris computer.

12. On the Paris computer, delete the Deny restricted computers access rule.

a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.

b. In the right pane, right-click the Deny restricted computers rule, and then click Delete.

c. Click Yes to confirm that you want to delete the rule.

The access rule is deleted.

d. Click Apply to save the changes, and then click OK.


Exercise 2 Enabling the Use of the Ping Command from Client Computers

In this exercise, you will configure ISA Server to allow ICMP network traffic, used by the Ping command, from client computers on the internal network.

Tasks Detailed steps

Note: This lab exercise uses the following computers: Denver - Paris - Istanbul. Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.

Perform the following steps on the Denver computer.

1. On the Denver computer, use the Ping command to test connectivity with istanbul.fabrikam.com

a. On the Denver computer, open a Command Prompt window.

b. At the command prompt, type ping istanbul.fabrikam.com, and then press Enter.

The ping requests time out, because by default the ISA Server does not allow outgoing ping requests (ICMP type 8 packets) from computers on the internal network to the Internet.

c. Close the Command Prompt window.

Perform the following steps on the Paris computer.

2. On the Paris computer, create a new access rule.

Name: Allow outbound Ping traffic

Applies to: PING

From network: Internal

To network: External

a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.

b. In the right pane, select the first rule to indicate where the new rule is added to the rule list.

c. In the task pane, on the Tasks tab, click Create Access Rule.

d. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow outbound Ping traffic, and then click Next.

e. On the Rule Action page, click Allow, and then click Next.

f. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.

g. In the Add Protocols dialog box, click Common Protocols, click PING, click Add, and then click Close to close the Add Protocols dialog box.

The PING protocol definition is the ICMP protocol, ICMP type 8 (echo request).

h. On the Protocols page, click Next.

i. On the Access Rule Sources page, click Add.

j. In the Add Network Entities dialog box, click Networks, click Internal, click Add, and then click Close to close the Add Network Entities dialog box.

k. On the Access Rule Sources page, click Next.

l. On the Access Rule Destinations page, click Add.

m. In the Add Network Entities dialog box, click Networks, click External, click Add, and then click Close to close the Add Network Entities dialog box.

n. On the Access Rule Destinations page, click Next.

o. On the User Sets page, click Next.

p. On the Completing the New Access Rule Wizard page, click Finish.

A new firewall policy rule is created that allows the ICMP protocol, ICMP type 8, from the Internal network to the External network for all users.


q. Click Apply to apply the new rule, and then click OK.

3. Examine the PING protocol definition.

a. In the task pane, on the Toolbox tab, in the Protocols section, expand Common Protocols, right-click PING, and then click Properties.

b. In the PING Properties dialog box, select the Parameters tab.

Note: A protocol definition for a firewall policy rule can use protocols other than TCP (IP protocol 6) or UDP (IP protocol 17).

c. Click Cancel to close the PING Properties dialog box.

Perform the following steps on the Denver computer.

4. On the Denver computer, use the Ping command to test connectivity with istanbul.fabrikam.com again.

a. On the Denver computer, open a Command Prompt window.

b. At the command prompt, type ping istanbul.fabrikam.com, and then press Enter.

The Istanbul computer returns four echo replies, because ISA Server allows outgoing echo requests from the computers on the internal network to the Internet.

Note: All firewall policy rules are stateful. This means that a single rule allows the request and the corresponding reply to the sender.

c. Close the Command Prompt window.

Perform the following steps on the Istanbul computer.

5. On the Istanbul computer, use the Ping command to test connectivity with the ISA Server.

a. On the Istanbul computer, open a Command Prompt window.

b. At the command prompt, type ping 39.1.1.1, and then press Enter.

The ping requests time out, because the ISA Server does not allow incoming ping requests from computers on the Internet. The Allow outbound Ping traffic access rule only allows replies to earlier outgoing ping requests to come from the Internet.

c. Close the Command Prompt window.


Exercise 3 Allowing Outbound Access from the ISA Server

In this exercise, you will configure ISA Server to allow outbound access from the ISA Server computer.

Tasks Detailed steps

Note: This lab exercise uses the following computers: Denver - Paris - Istanbul. Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.

Perform the following steps on the Paris computer.

1. On the Paris computer, test your connectivity by attempting to establish an FTP session with istanbul.fabrikam.com.

a. On the Paris computer, open a Command Prompt window.

b. At the command prompt, type ftp istanbul.fabrikam.com, and then press Enter.

After one minute, the ftp command will time out ("Host is unreachable"). By default, ISA Server does not allow an FTP connection from the ISA Server to the Internet.

c. At the ftp> prompt, type quit, and then press Enter.

d. Close the Command Prompt window.

2. Create a new access rule.

Name: Allow FTP from firewall

Applies to: FTP

From network: Local Host

To network: External

a. In the ISA Server console, in the left pane, select Firewall Policy.

b. In the right pane, select the first rule to indicate where the new rule is added to the rule list.

c. In the task pane, on the Tasks tab, click Create Access Rule.

d. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow FTP from firewall, and then click Next.

e. On the Rule Action page, click Allow, and then click Next.

f. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.

g. In the Add Protocols dialog box, click Web, click FTP, click Add, and then click Close to close the Add Protocols dialog box.

h. On the Protocols page, click Next.

i. On the Access Rule Sources page, click Add.

j. In the Add Network Entities dialog box, click Networks, click Local Host, click Add, and then click Close to close the Add Network Entities dialog box.

The Local Host network represents the ISA Server computer.

k. On the Access Rule Sources page, click Next.

l. On the Access Rule Destinations page, click Add.

m. In the Add Network Entities dialog box, click Networks, click External, click Add, and then click Close to close the Add Network Entities dialog box.

n. On the Access Rule Destinations page, click Next.

o. On the User Sets page, click Next.

p. On the Completing the New Access Rule Wizard page, click Finish.

A new firewall policy rule is created that allows the FTP protocol from the ISA Server to the External network for all users.

q. Click Apply to apply the new rule, and then click OK.


3. Test your connectivity again by establishing an FTP session with istanbul.fabrikam.com.

a. Open a Command Prompt window.

b. At the command prompt, type ftp istanbul.fabrikam.com, and then press Enter.

The FTP server on Istanbul prompts you to log on. This result confirms that you can connect using the FTP protocol.

c. Type Ctrl-C to close the FTP session.

d. If the ftp> prompt appears, type quit, and then press Enter.

Note: ISA Server uses firewall policy rules to define access between any defined network, including traffic that starts or ends at the ISA Server computer itself (Local Host network).

e. Close the Command Prompt window.

4. Show the System Policy Rules in the Firewall Policy.

a. In the ISA Server console, in the left pane, select Firewall Policy.

b. In the task pane, on the Tasks tab, click Show System Policy Rules.

In the right pane, 30 predefined access rules to or from the Local Host network are shown. These are called System Policy Rules.

Note: ISA Server 2006 Enterprise Edition has four more system policy rules (31 to 34), which specifically apply to traffic to and from ISA Server arrays.

5. Test your connectivity by opening Internet Explorer and connecting to http://istanbul.fabrikam.com, and by using the Ping command to istanbul.fabrikam.com and to denver.contoso.com.

a. Open Internet Explorer. In the Address box, type http://istanbul.fabrikam.com, and then press Enter.

Internet Explorer is unable to connect to the Web site (Error 403 Forbidden - ISA Server denied the specified URL).

b. Close Internet Explorer.

System policy rules 18, 19, 23, 26, 29 and 30 all list outgoing Web access (HTTP) from the ISA Server (Local Host). However, rules 23, 26 and 30 only apply to specific destinations (watson.microsoft.com, microsoft.com, windows.com, windowsupdate.com and remote management computers), and rules 18, 19 and 29 are disabled, unless updated certificate revocation lists (CRLs) are downloaded (18), HTTP connectivity verifiers for monitoring are created (19), or scheduled download jobs are defined (29).

If you want to allow outgoing Web access from the ISA Server to the Istanbul Web server, then you have to create a new access rule.

c. Open a Command Prompt window.

d. At the command prompt, type ping istanbul.fabrikam.com, and then press Enter.

The Istanbul computer on the External network returns four echo replies.

e. At the command prompt, type ping denver.contoso.com, and then press Enter.

The Denver computer on the Internal network returns four echo replies.

f. Close the Command Prompt window.

System policy rule 12 allows outgoing Ping from the ISA Server to all networks.

6. Hide the System Policy Rules in the Firewall Policy.

a. In the ISA Server console, in the left pane, select Firewall Policy.

b. In the task pane, on the Tasks tab, click Hide System Policy Rules.

In the right pane, the System policy rules are hidden again.

c. Close the ISA Server console.


Exercise 4 Configuring ISA Server 2006 for Flood Resiliency

In this exercise, you will configure ISA Server to block a large number of TCP connections from the same IP address.

Note: This exercise applies to new functionality in ISA Server 2006.

Tasks Detailed steps

Note: This lab exercise uses the following computers: Denver - Paris - Istanbul. Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.

Perform the following steps on the Paris computer.

1. On the Paris computer, examine the flood mitigation settings.

a. On the Paris computer, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.

The ISA Server console opens.

b. In the ISA Server console, in the left pane, expand Paris, expand Configuration, and then select General.

c. In the right pane, under Additional Security Policy, click Configure Flood Mitigation Settings.

ISA Server 2006 can help stop the flooding of connections from three different kinds of attacks:

- Worm propagation: a computer on the internal network starts sending out network packets to many different IP addresses on the Internet.

- TCP denial-of-service attack: an attacker sends out TCP packets in order to use up all the resources at the firewall, or at a server behind the firewall.

- HTTP denial-of-service attack: a computer on the internal network sends a very large number of HTTP requests over the same connection.

In all these cases, the Firewall Engine component of ISA Server limits the number of connections, connection requests, and half-open connections per minute, or per rule, from a particular IP address.

d. In the Flood Mitigation dialog box, on the Flood Mitigation tab, click the second Edit button.

As an example of a limit, ISA Server allows a maximum of 160 concurrent TCP connections from the same IP address. There is also a custom limit (400) that applies to a set of exception IP addresses.

e. Click Cancel to close the Flood Mitigation Settings dialog box.

f. In the Flood Mitigation dialog box, select the IP Exceptions tab.

You can specify the IP addresses of computers to which the custom limit applies.

2. Disable the logging of network traffic blocked by flood mitigation settings.

a. In the Flood Mitigation dialog box, select the Flood Mitigation tab.

b. Clear the Log traffic blocked by flood mitigation settings check box.

After the flood mitigation settings have blocked an attack, you can disable the logging of those blocked network connections, to avoid overwhelming the log file with identical block entries.

c. Click OK to close the Flood Mitigation dialog box.
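The per-address limit examined in task 1 and the logging switch cleared in task 2 can be modelled together. This is an added example, not ISA Server's Firewall Engine: it tracks concurrent TCP connections per source address against the default limit of 160 (or the custom limit of 400 for addresses on the IP Exceptions tab), blocks attempts beyond the limit, and writes a log entry per blocked attempt only while logging is enabled. The per-minute and per-rule limits from the same dialog are not modelled, and the source address used is constructed.

```python
"""Model of the per-address TCP connection limit in the Flood Mitigation dialog
(an added example, not ISA Server's Firewall Engine). A source address may hold
at most 160 concurrent TCP connections, or 400 if it is listed on the IP
Exceptions tab; attempts beyond the limit are blocked, and each blocked attempt
is logged unless "Log traffic blocked by flood mitigation settings" is cleared,
which is what task 2 does to keep one attack from filling the log."""
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class FloodMitigation:
    default_limit: int = 160         # the lab's default concurrent-connection limit
    custom_limit: int = 400          # custom limit for the exception addresses
    exceptions: Set[str] = field(default_factory=set)   # IP Exceptions tab
    log_blocked: bool = True         # "Log traffic blocked by flood mitigation settings"
    active: Counter = field(default_factory=Counter)    # open connections per IP
    log: List[str] = field(default_factory=list)

    def limit_for(self, src_ip: str) -> int:
        return self.custom_limit if src_ip in self.exceptions else self.default_limit

    def open_connection(self, src_ip: str) -> bool:
        """Admit a new TCP connection from src_ip, or block it once at the limit."""
        limit = self.limit_for(src_ip)
        if self.active[src_ip] >= limit:
            if self.log_blocked:
                self.log.append(
                    f"blocked {src_ip}: {limit} concurrent TCP connections reached")
            return False
        self.active[src_ip] += 1
        return True

    def close_connection(self, src_ip: str) -> None:
        """A closed connection frees one slot: the limit is on concurrency."""
        if self.active[src_ip] > 0:
            self.active[src_ip] -= 1


def simulate(attempts: int, src_ip: str, exceptions: Set[str] = frozenset(),
             log_blocked: bool = True) -> Tuple[int, int, int]:
    """Open `attempts` connections from one address without closing any and
    return (admitted, blocked, log entries written)."""
    fm = FloodMitigation(exceptions=set(exceptions), log_blocked=log_blocked)
    admitted = sum(fm.open_connection(src_ip) for _ in range(attempts))
    return admitted, attempts - admitted, len(fm.log)


def churn(src_ip: str, rounds: int) -> int:
    """Open and immediately close a connection `rounds` times; because no
    concurrency builds up, the limit is never reached and nothing is blocked."""
    fm = FloodMitigation()
    blocked = 0
    for _ in range(rounds):
        if not fm.open_connection(src_ip):
            blocked += 1
        fm.close_connection(src_ip)
    return blocked


if __name__ == "__main__":
    host = "10.1.1.5"   # constructed: Denver's address from the lab
    print("default limit:", simulate(500, host))
    print("exception    :", simulate(500, host, exceptions={host}))
    print("no logging   :", simulate(500, host, log_blocked=False))
    print("churn blocked:", churn(host, 1000))
```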

3. Create a new access rule.

Name: Allow Web access (Flood)

Applies to: HTTP

From network: Internal

To network: External

a. In the left pane, select Firewall Policy.

b. In the right pane, select the first rule, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.

c. In the task pane, on the Tasks tab, click Create Access Rule.

d. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow Web access (Flood), and then click Next.

e. On the Rule Action page, select Allow, and then click Next.

f. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.

g. In the Add Protocols dialog box, click Common Protocols, click HTTP, click Add, and then click Close to close the Add Protocols dialog box.

h. On the Protocols page, click Next.

i. On the Access Rule Sources page, click Add.

j. In the Add Network Entities dialog box, click Networks, click Internal, click Add, and then click Close to close the Add Network Entities dialog box.

k. On the Access Rule Sources page, click Next.

l. On the Access Rule Destinations page, click Add.

m. In the Add Network Entities dialog box, click Networks, click External, click Add, and then click Close to close the Add Network Entities dialog box.

n. On the Access Rule Destinations page, click Next.

o. On the User Sets page, click Next.

p. On the Completing the New Access Rule Wizard page, click Finish.

A new firewall policy rule is created that allows the HTTP protocol from the Internal network to the External network.

4. Apply the changes.

a. Click Apply to apply the changes, and then click OK.

Perform the following steps on the Denver computer.

5. On the Denver computer, configure Internet Explorer not to use a proxy server.

a. On the Denver computer, open Internet Explorer.

b. In Internet Explorer, on the Tools menu, click Internet Options.

c. In the Internet Options dialog box, on the Connections tab, click LAN Settings.

d. In the Local Area Network (LAN) Settings dialog box, clear the Use a proxy server for your LAN check box, and then click OK.

When you configure Internet Explorer to use a proxy server, all HTTP connections to the ISA Server use the same connection to the Web Proxy TCP port 8080. In this exercise, you use two Internet Explorer windows, which should count as two separate connections.

e. Click OK to close the Internet Options dialog box.

6. Use Internet Explorer to connect to http://istanbul.fabrikam.com/web.asp

a. In Internet Explorer, in the Address bar, type http://istanbul.fabrikam.com/web.asp, and then press Enter.

Internet Explorer displays the content of the web.asp page from Istanbul. This is a single TCP connection from the Denver computer.

b. Do not close Internet Explorer.

7. Use the C:\Tools\tcpflooder.vbs tool to create 200 concurrent TCP connections.

a. Use Windows Explorer (or My Computer) to open the C:\Tools folder.

The Tools folder contains a script named tcpflooder.vbs, which attempts to set up 200 connections to IP addresses 42.1.0.0 through 42.1.19.9.

Note: By default, ISA Server allows a maximum of 160 concurrent TCP connections from the same IP address.

b. Right-click tcpflooder.vbs, and then click Open.

c. Click Yes to confirm that you want to start TCP Flooder.

Please wait 10 seconds while TCP Flooder attempts to set up the 200 TCP connections.

Note: The IP addresses on the 42.1.0.0 network do not exist in the lab environment, but Denver will set up a maximum of 160 TCP connections with ISA Server. ISA Server blocks the remaining 40 TCP connections.

d. Press OK to acknowledge that 200 TCP connections are created.

e. Close the Tools folder.

8. In Internet Explorer, refresh the existing Web page, and attempt to create a second connection to http://istanbul.fabrikam.com/web.asp

a. In the Internet Explorer window, on the toolbar, click the Refresh button.

If the Internet Explorer connection did not time out yet, then the Server time on the Web page is changed. That is an indication that the page refreshed successfully.

Even though ISA Server has blocked new connections from Denver (10.1.1.5), existing connections, such as the one in the Internet Explorer window, can still be used.

b. On the Start menu, click All Programs, and then click Internet Explorer.

A second Internet Explorer window opens.

c. In Internet Explorer, in the Address box, type http://istanbul.fabrikam.com/web.asp, and then press Enter.

ISA Server blocks new connections from 10.1.1.5. After a few moments, Internet Explorer displays an error page to indicate that it cannot display the page.

d. Close the Internet Explorer windows.

Note: ISA Server blocks traffic based on the flood mitigation settings for 60 seconds. To avoid the situation where an attacker uses a large number of network packets with a spoofed sender IP address to intentionally block another computer, ISA Server will first complete a TCP three-way handshake to verify that the sender IP address is not spoofed.
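As an added illustration (not ISA Server code and not part of this manual), the following Python model replays steps 6 to 8 with the limits stated in this exercise: 160 concurrent connections per source address, 400 for addresses on the IP Exceptions tab, a 60-second block once the limit is exceeded, and counting only connections whose handshake completed. The 42.1.x.y address list and the web.asp connection are constructed to match the lab.

```python
"""Per-source-IP concurrent TCP connection limit, modelled on the flood mitigation
behaviour that steps 6 to 8 above demonstrate.  Added illustration, not ISA Server
code; the limits and timings are the ones stated in this exercise."""
from dataclasses import dataclass, field

DEFAULT_LIMIT = 160    # lab: default maximum concurrent TCP connections per source IP
EXCEPTION_LIMIT = 400  # lab: custom limit for addresses listed on the IP Exceptions tab
BLOCK_SECONDS = 60     # lab: new connections from the source stay blocked for 60 seconds

ALERT_NAME = "Concurrent TCP Connections from One IP Address Limit Exceeded"


@dataclass
class FloodMitigation:
    exceptions: set = field(default_factory=set)       # IP Exceptions tab
    log_blocked: bool = True                           # "Log traffic blocked by flood mitigation settings"
    open_conns: dict = field(default_factory=dict)     # src_ip -> {(dst_host, dst_port), ...}
    blocked_until: dict = field(default_factory=dict)  # src_ip -> time at which the block expires
    log: list = field(default_factory=list)            # (verdict, src_ip, dst) entries
    alerts: list = field(default_factory=list)         # (alert name, src_ip)

    def limit_for(self, src_ip):
        return EXCEPTION_LIMIT if src_ip in self.exceptions else DEFAULT_LIMIT

    def new_connection(self, src_ip, dst, now):
        """Decide on a connection whose TCP three-way handshake has completed.
        Counting only completed handshakes is what stops a spoofed-source SYN
        flood from getting some other host's address blocked."""
        if self.blocked_until.get(src_ip, 0.0) > now:
            return self._block(src_ip, dst)
        conns = self.open_conns.setdefault(src_ip, set())
        if len(conns) >= self.limit_for(src_ip):
            # Limit reached: raise the alert once and block the source for a while.
            self.blocked_until[src_ip] = now + BLOCK_SECONDS
            self.alerts.append((ALERT_NAME, src_ip))
            return self._block(src_ip, dst)
        conns.add(dst)
        self.log.append(("allowed", src_ip, dst))
        return True

    def existing_connection(self, src_ip, dst):
        """Traffic on an already established connection is not affected by the block."""
        return dst in self.open_conns.get(src_ip, set())

    def close_connection(self, src_ip, dst):
        self.open_conns.get(src_ip, set()).discard(dst)

    def _block(self, src_ip, dst):
        if self.log_blocked:
            self.log.append(("blocked", src_ip, dst))
        return False


def run_lab_scenario(log_blocked=False):
    """Replay steps 6 to 8: one browser connection from Denver (10.1.1.5), then the
    200 connections to 42.1.0.0 through 42.1.19.9 (constructed to match the lab's
    address range), then a refresh on the existing connection and one new one."""
    fm = FloodMitigation(log_blocked=log_blocked)
    denver, istanbul = "10.1.1.5", ("istanbul.fabrikam.com", 80)
    t = 0.0
    fm.new_connection(denver, istanbul, t)                      # step 6: web.asp
    targets = [(f"42.1.{a}.{b}", 80) for a in range(20) for b in range(10)]
    allowed = [d for d in targets if fm.new_connection(denver, d, t)]  # step 7
    refresh_ok = fm.existing_connection(denver, istanbul)       # step 8a: refresh works
    second_window = fm.new_connection(denver, istanbul, t)      # step 8c: new connection fails
    # Once the flood connections are gone and the 60 s block has expired,
    # Denver can open new connections again.
    for d in allowed:
        fm.close_connection(denver, d)
    after_block = fm.new_connection(denver, istanbul, t + BLOCK_SECONDS + 1)
    return {
        "allowed": len(allowed),                 # 159: the browser connection counts too
        "blocked": len(targets) - len(allowed),  # 41
        "last_allowed": allowed[-1][0],          # 42.1.15.8, "a little lower" than 42.1.15.9
        "refresh_ok": refresh_ok,
        "second_window": second_window,
        "after_block_expired": after_block,
        "alerts": len(fm.alerts),
        "logged_blocks": sum(1 for e in fm.log if e[0] == "blocked"),
    }
```

With logging of blocked traffic enabled, the same run produces 42 block entries (the 41 flood connections plus the second browser window), which is the log volume the exercise avoids by clearing the check box in step 2.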

Perform the following steps on the Paris computer.

9. On the Paris computer, examine the flooding alert.

a. On the Paris computer, in the ISA Server console, in the left pane, select Monitoring.

b. In the right pane, select the Alerts tab.

c. In the task pane, on the Tasks tab, click Refresh Now.

d. In the alert list, expand the Concurrent TCP Connections from One IP Address Limit Exceeded alert, and then select the alert line below that.

Notice in the Alert Information description that ISA Server identifies which IP address (10.1.1.5) exceeded the configured limit of concurrent TCP connections. This information allows you to further investigate the cause of the high number of connection attempts.

10. Configure the log viewer filter conditions:

Log Time: Last Hour

Client IP: Equals 10.1.1.5

Destination IP: Greater or Equal 42.1.0.0

a. In the right pane, select the Logging tab.

Note: You may (temporarily) need to close the task pane in order to see the Logging tab.

b. In the task pane, on the Tasks tab, click Edit Filter.

c. In the Edit Filter dialog box, in the conditions list, select the Log Time - Live condition.

d. In the Condition drop-down list box, select Last Hour, and then click Update.

The condition is changed to Log Time - Last Hour.

e. Complete the following information:
   Filter by: Client IP
   Condition: Equals
   Value: 10.1.1.5
and then click Add To List.

f. Complete the following information:
   Filter by: Destination IP
   Condition: Greater or Equal
   Value: 42.1.0.0
and then click Add To List.

g. Click Start Query to close the Edit Filter dialog box.

After a few moments, the log viewer displays all log entries from 10.1.1.5 to the 42.1.0.0 network from the last hour. The most recent log entry is listed first.

h. Scroll to the top of the list of log entries.

Notice that the most recent log entry is for the connection to an IP address close to 42.1.15.9. That address corresponds to exactly 160 concurrent TCP connections. The last IP address may be a little lower, if ISA Server had existing connections, or a little higher if ISA Server had already closed a few TCP connections.

To avoid overwhelming the log file with identical block entries, you configured Flood Mitigation not to log traffic that is blocked by the flood mitigation settings (all connections to IP addresses from about 42.1.16.0 through 42.1.19.9).

Note: The following tasks are needed to avoid conflicts with other lab exercises.

11. Restore the log viewer filter conditions:

Log Time: Live

Client IP: (remove)

Destination IP: (remove)

a. In the task pane, on the Tasks tab, click Edit Filter.

b. In the Edit Filter dialog box, in the conditions list, select Log Time - Last Hour.

c. In the Condition drop-down list box, select Live, and then click Update.

The condition is changed to Log Time - Live.

d. In the conditions list, select the Destination IP condition, and then click Remove.

e. In the conditions list, select the Client IP condition, and then click Remove.

f. Click Start Query to close the dialog box.

g. In the task pane, on the Tasks tab, click Stop Query.

Perform the following steps on the Denver computer.

12. On the Denver computer, configure Internet Explorer to use a proxy server.

a. On the Denver computer, open Internet Explorer.

b. In Internet Explorer, on the Tools menu, click Internet Options.

c. In the Internet Options dialog box, on the Connections tab, click LAN Settings.

d. In the Local Area Network (LAN) Settings dialog box, complete the following information:
   Use a proxy server for your LAN: enable
   Address: 10.1.1.1
   Port: 8080
   Bypass proxy server for local addresses: enable
and then click OK to close the Local Area Network (LAN) Settings dialog box.

e. Click OK to close the Internet Options dialog box.

f. Close Internet Explorer.


Module C: Publishing Web Servers and Other Servers

Exercise 1 Publishing a Web Server in the Internal Network

In this exercise, you will configure ISA Server to publish a Web server on the internal network to client computers on the Internet.

Tasks Detailed steps

Note: This lab exercise uses the following computers: Denver - Paris - Istanbul
Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.

Perform the following steps on the Paris computer.

1. On the Paris computer, create a new Web listener.

Name: External Web 80

SSL: disable

Network: External

Compression: disable

Authentication: none

a. On the Paris computer, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.

The ISA Server console opens.

b. In the ISA Server console, expand Paris, and then select Firewall Policy.

c. In the task pane, on the Toolbox tab, in the Network Objects section, right-click Web Listeners, and then click New Web Listener.

d. In the New Web Listener Definition Wizard dialog box, in the Web listener name text box, type External Web 80, and then click Next.

e. On the Client Connection Security page, select Do not require SSL secured connections with clients, and then click Next.

f. On the Web Listener IP Addresses page, complete the following information:
   Listen on network: External
   ISA Server will compress content: disable
and then click Next.

g. On the Authentication Settings page, in the drop-down list box, select No Authentication, and then click Next.

h. On the Single Sign On Settings page, click Next.

i. On the Completing the New Web Listener Wizard page, click Finish.

A new Web listener (port 80 on the IP address on the adapter on the External network) with the name External Web 80 is created.

j. Click Apply to save the changes, and then click OK.

2. Examine the effect of the Web listener definition on the listening ports.

a. Open a Command Prompt window.

b. At the command prompt, type netstat -ano | find ":80", and then press Enter.

The output of the command shows the listening ports that contain ":80". Currently the ISA Server does NOT listen on port 80. The creation of the Web listener definition did not change the listener configuration of the firewall yet.


Note: The displayed line with port 8080 on the internal IP address 10.1.1.1 is the open Web Proxy port for client computers on the Internal network. The last column lists the process ID of the process that listens on the port.

c. Close the Command Prompt window.

3. Create a Web publishing rule.

Name: Web Home Page (on Denver)

Publishing type: single Web site

Internal site name: denver.contoso.com

Public name: www.contoso.com

Web listener: External Web 80

Delegation: none

a. In the ISA Server console, in the left pane, select Firewall Policy.

b. In the right pane, select the first rule, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.

c. In the task pane, on the Tasks tab, click Publish Web Sites.

Instead of using the task pane, you can also right-click Firewall Policy, click New, and then click Web Site Publishing Rule.

d. In the New Web Publishing Rule Wizard dialog box, in the Web publishing rule name text box, type Web Home Page (on Denver), and then click Next.

e. On the Select Rule Action page, select Allow, and then click Next.

f. On the Publishing Type page, select Publish a single Web site, and then click Next.

g. On the Server Connection Security page, select Use non-secured connections to connect to the published Web server, and then click Next.

h. On the Internal Publishing Details page, complete the following information:
   Internal site name: denver.contoso.com
   Use a computer name or IP address: disable (is default)
and then click Next.

i. On the next Internal Publishing Details page, complete the following information:
   Path: (leave empty)
   Forward the original host header: disable (is default)
and then click Next.

j. On the Public Name Details page, complete the following information:
   Accept requests for: This domain name (type below):
   Public name: www.contoso.com
   Path: (leave empty)
and then click Next.

k. On the Select Web Listener page, in the Web listener drop-down list box, select External Web 80, and then click Next.

If you did not create the Web listener before starting the New Web Publishing Rule Wizard, you can click the New button and create a new Web listener definition from the Select Web Listener page.

l. On the Authentication Delegation page, select No delegation, and client cannot authenticate directly, and then click Next.

m. On the User Sets page, click Next.

n. On the Completing the New Web Publishing Rule Wizard page, click Finish.

A new Web publishing rule is created which publishes the Web site at denver.contoso.com (10.1.1.5) as www.contoso.com on the External network.

o. Click Apply to apply the new rule, and then click OK.

4. Examine the effect of the Web publishing rule on the listening ports.

a. Open a Command Prompt window.

b. At the command prompt, type netstat -ano | find ":80", and then press Enter.

The output of the command shows that the process with process ID nnnn (last column) listens on the external IP address 39.1.1.1 on port 80.

c. At the command prompt, type tasklist /svc | find "nnnn", and then press Enter. (Replace nnnn with the actual process ID displayed in the output of the previous step.)

The output of the command shows that the process with process ID nnnn has image name wspsrv.exe and hosts the Microsoft Firewall service (fwsrv).

d. Close the Command Prompt window.

Note: For performance reasons, all Web publishing rules, server publishing rules, and all outgoing Web access, Firewall client and SecureNAT client traffic is handled by the Microsoft Firewall service (wspsrv.exe). In earlier versions of ISA Server, multiple different services were responsible for this traffic.

5. Examine the network rule for connectivity between the External network and the Internal network.

a. In the ISA Server console, in the left pane, expand Configuration, and then select Networks.

b. In the right pane, on the Network Rules tab, select the rule that defines the connectivity between the Internal network and the External network.

In the default configuration for the 3-Leg Perimeter network template, the network rule named Internet Access (rule 5) indicates that ISA Server will use NAT for network traffic from the Internal network to the External network.

Because network traffic in the other direction (from the External network to Denver on the Internal network) goes against the NAT direction, you need to create a publishing rule to allow this network traffic.

Perform the following steps on the Istanbul computer.

6. On the Istanbul computer, verify that www.contoso.com resolves to 39.1.1.1.

a. On the Istanbul computer, open a Command Prompt window.

b. At the command prompt, type ping www.contoso.com, and then press Enter.

The output of the ping command verifies that www.contoso.com resolves to the external IP address of Paris 39.1.1.1. (ISA Server does not reply to the ping request.)

c. Close the Command Prompt window.

7. Connect to the published Web server on www.contoso.com, and attempt to connect to 39.1.1.1.

a. Open Internet Explorer. In the Address box, type http://www.contoso.com, and then press Enter.

Internet Explorer displays the home page of Denver. ISA Server successfully published the Denver home page as www.contoso.com on the External network (Internet).

b. In the Address box, type http://39.1.1.1, and then press Enter.

Internet Explorer displays an error page. ISA Server returns error code 403 (Forbidden - The server denied the specified URL).

Currently the home page of Denver is only published with the public name www.contoso.com, not when using the IP address 39.1.1.1 directly.

Perform the following steps on the Paris computer.

8. On the Paris computer, add the 39.1.1.1 public name to the Web Home Page (on Denver) Web publishing rule.

a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.

b. In the right pane, select the Web Home Page (on Denver) Web publishing rule.

c. In the task pane, on the Tasks tab, click Edit Selected Rule.

d. In the Web Home Page (on Denver) Properties dialog box, on the Public Name tab, click Add.

e. In the Public Name dialog box, type 39.1.1.1, and then click OK.

The Web publishing rule now contains two public names: www.contoso.com and 39.1.1.1.


f. Click OK to close the Web Home Page (on Denver) Properties dialog box.

g. Click Apply to apply the changed rule, and then click OK.

Perform the following steps on the Istanbul computer.

9. On the Istanbul computer, connect to the published Web server on 39.1.1.1.

a. On the Istanbul computer, in Internet Explorer, ensure that http://39.1.1.1 is in the Address box, and then click the Refresh button.

Internet Explorer displays the home page of Denver. ISA Server successfully published the Denver home page as www.contoso.com and 39.1.1.1 on the External network (Internet).

b. Close Internet Explorer.


Exercise 2 Publishing the Web Server on the ISA Server Computer

In this exercise, you will configure ISA Server to publish a Web server on the ISA Server to client computers on the Internet.

Tasks Detailed steps

Note: This lab exercise uses the following computers: Denver - Paris - Istanbul
Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.

Perform the following steps on the Paris computer.

1. On the Paris computer, configure the default Web site to use port 81, and then start the Web site.

a. On the Paris computer, on the Start menu, click Administrative Tools, and then click Internet Information Services (IIS) Manager.

The IIS Manager console opens.

b. In the IIS Manager console, expand PARIS (local computer), expand Web Sites, right-click Default Web Site (Stopped), and then click Properties.

c. In the Default Web Site (Stopped) Properties dialog box, on the Web Site tab, in the TCP port text box, type 81, and then click OK.

The default HTTP TCP port is 80. Because ISA Server uses port 80 for publishing Web sites (and publishing automatic discovery information for Web clients), the Web site on the ISA Server computer must be changed to another port.

d. Right-click Default Web Site (Stopped), and then click Start.

The default Web site is started. The Web site listens on port 81.

e. Close the IIS Manager console.

2. Examine the effect of starting the default Web site on the listening ports.

a. Open a Command Prompt window.

b. At the command prompt, type netstat -ano | find ":81", and then press Enter.

The output of the command shows that the process with process ID mmmm (last column) listens on all IP addresses (0.0.0.0) on port 81.

c. At the command prompt, type tasklist /svc | find "mmmm", and then press Enter. (Replace mmmm with the actual process ID displayed in the output of the previous step.)

The output of the command shows that the process with process ID mmmm hosts the World Wide Web Publishing Service (W3SVC), which is part of IIS.

Currently, the Firewall service listens on port 80, and IIS listens on port 81.

d. Close the Command Prompt window.

3. Create a Web publishing rule.

Name: Products Web Site (on Paris)

Publishing type: single Web site

Internal site name: Paris

IP address: 10.1.1.1

a. In the ISA Server console, in the left pane, select Firewall Policy.

b. In the right pane, select the first rule to indicate where the new rule is added to the rule list.

c. In the task pane, on the Tasks tab, click Publish Web Sites.

d. In the New Web Publishing Rule Wizard dialog box, in the Web publishing rule name text box, type Products Web Site (on Paris), and then click Next.

e. On the Select Rule Action page, select Allow, and then click Next.

Port: 81

Public name: www.contoso.com/products

Web listener: External Web 80

Delegation: none

f. On the Publishing Type page, select Publish a single Web site, and then click Next.

g. On the Server Connection Security page, select Use non-secured connections to connect to the published Web server, and then click Next.

h. On the Internal Publishing Details page, complete the following information:
   Internal site name: Paris
   Use a computer name or IP address: enable
   Computer name or IP address: 10.1.1.1
and then click Next.

Note: After completing the wizard, the destination TCP port of the rule can be set to 81.

10.1.1.1 is the IP address of Paris on the Internal network.

i. On the next Internal Publishing Details page, complete the following information:
   Path: (leave empty)
   Forward the original host header: disable (is default)
and then click Next.

j. On the Public Name Details page, complete the following information:
   Accept requests for: This domain name (type below):
   Public name: www.contoso.com
   Path: products
and then click Next.

The public name of the Web site is www.contoso.com/products.

k. On the Select Web Listener page, in the Web listener drop-down list box, select External Web 80, and then click Next.

l. On the Authentication Delegation page, select No delegation, and client cannot authenticate directly, and then click Next.

m. On the User Sets page, click Next.

n. On the Completing the New Web Publishing Rule Wizard page, click Finish.

A new Web publishing rule is created that publishes the Web site at 10.1.1.1 (Paris) as www.contoso.com/products on the External network.

o. In the right pane, select the Products Web Site (on Paris) Web publishing rule, and then in the task pane, on the Tasks tab, click Edit Selected Rule.

p. In the Products Web Site (on Paris) Properties dialog box, select the Paths tab.

Web publishing rules can redirect requests that contain a path (/products) to the root of a Web site (/).

q. Select the Listener tab.

Notice that the rule applies to requests received on port 80.

r. On the Bridging tab, in the Redirect requests to HTTP port text box, type 81.

The Web publishing rule now redirects requests for www.contoso.com/products (port 80) to 10.1.1.1 (port 81).

s. Click OK to close the Products Web Site (on Paris) Properties dialog box.

The Products Web Site (on Paris) and the Web Home Page (on Denver) Web publishing rules share the same Web listener named External Web 80. The public name that is used in the incoming Web requests determines which Web publishing rule applies.

Because the public name of the Web Home Page (on Denver) rule (www.contoso.com) is a superset of the public name of the Products Web Site (on Paris) rule (www.contoso.com/products), it is important that the Products Web Site (on Paris) rule (currently order 1) is listed before the Web Home Page (on Denver) rule (currently order 2).

t. Click Apply to apply the new rule, and then click OK.

Perform the following steps on the Istanbul computer.

4. On the Istanbul computer, connect to the published Web servers on www.contoso.com/products and www.contoso.com.

a. On the Istanbul computer, open Internet Explorer. In the Address box, type http://www.contoso.com/products, and then press Enter.

Internet Explorer displays the home page of Paris (10.1.1.1). ISA Server successfully published the Paris home page as www.contoso.com/products on the External network.

b. In the Address box, type http://www.contoso.com, and then press Enter.

Internet Explorer displays the home page of Denver (10.1.1.5). This result confirms that ISA Server publishes two Web sites now.

c. Close Internet Explorer.

Perform the following steps on the Paris computer.

5. On the Paris computer, create a Web publishing rule.

Name: Public Web Site (on Paris)

Publishing type: single Web site

Internal site name: Paris

IP address: 10.1.1.1

Path: publicweb/*

Port: 81

Public name: public.contoso.com

Web listener: External Web 80

Delegation: none

a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.

b. In the right pane, select the first rule to indicate where the new rule is added to the rule list.

c. In the task pane, on the Tasks tab, click Publish Web Sites.

d. In the New Web Publishing Rule Wizard dialog box, in the Web publishing rule name text box, type Public Web Site (on Paris), and then click Next.

e. On the Select Rule Action page, select Allow, and then click Next.

f. On the Publishing Type page, select Publish a single Web site, and then click Next.

g. On the Server Connection Security page, select Use non-secured connections to connect to the published Web server, and then click Next.

h. On the Internal Publishing Details page, complete the following information:
   Internal site name: Paris
   Use a computer name or IP address: enable
   Computer name or IP address: 10.1.1.1
and then click Next.

i. On the next Internal Publishing Details page, complete the following information:
   Path: publicweb/*
   Forward the original host header: disable (is default)
and then click Next.

The published Web site is 10.1.1.1/publicweb.

j. On the Public Name Details page, complete the following information:
   Accept requests for: This domain name (type below):
   Public name: public.contoso.com
   Path: (remove /publicweb/*, and leave empty)
and then click Next.

The public name of the Web site is public.contoso.com.

k. On the Select Web Listener page, in the Web listener drop-down list box, select External Web 80, and then click Next.

l. On the Authentication Delegation page, select No delegation, and client cannot authenticate directly, and then click Next.

m. On the User Sets page, click Next.

n. On the Completing the New Web Publishing Rule Wizard page, click Finish.


A new Web publishing rule is created that publishes the Web site at 10.1.1.1/publicweb (Paris) as public.contoso.com on the External network.

o. In the right pane, select the Public Web Site (on Paris) Web publishing rule, and then in the task pane, on the Tasks tab, click Edit Selected Rule.

p. In the Public Web Site (on Paris) Properties dialog box, select the Paths tab.

Web publishing rules can redirect requests for the root of a Web site (/) to a path (/publicweb) on a Web server. You can also translate a path in the public name to another path on the published Web server.

q. On the Bridging tab, in the Redirect requests to HTTP port text box, type 81.

The Web publishing rule now redirects requests for public.contoso.com (port 80) to 10.1.1.1/publicweb (port 81).

r. Click OK to close the Public Web Site (on Paris) Properties dialog box.

s. Click Apply to apply the new rule, and then click OK.

Perform the following steps on the Istanbul computer.

6. On the Istanbul computer, connect to the published Web server on public.contoso.com.

a. On the Istanbul computer, open Internet Explorer. In the Address box, type http://public.contoso.com, and then press Enter.

Internet Explorer displays the home page of Paris (10.1.1.1) from the /publicweb folder. ISA Server successfully published the Paris home page in the /publicweb folder as public.contoso.com on the External network.

b. Close Internet Explorer.
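The rule-selection behaviour described in Exercises 1 and 2 (one shared listener, the public name and path pick the rule, first match in rule order wins, 403 when no public name matches) as an added Python model. This is illustration code, not ISA Server's implementation; the three rules are the ones created above, and the shadowing check is an extra the exercises only describe in prose.

```python
"""Web publishing rule selection as Exercises 1 and 2 describe it.  Added
illustration, not ISA Server code; the rules mirror the ones created above."""
from dataclasses import dataclass


@dataclass(frozen=True)
class WebPublishingRule:
    name: str
    public_names: tuple      # host names or IP literals accepted (Public Name tab)
    public_path: str         # path prefix under the public name; "/" = whole site
    internal_host: str       # published server (Internal Publishing Details page)
    internal_path: str       # where the public prefix lands on that server (Paths tab)
    internal_port: int = 80  # "Redirect requests to HTTP port" (Bridging tab)


def _strip_prefix(path, prefix):
    """Return the remainder of path after prefix, or None when prefix does not match
    on a path-segment boundary (/products matches /products/x but not /productsx)."""
    prefix = prefix.rstrip("/")
    if not prefix:
        return path
    if path == prefix or path.startswith(prefix + "/"):
        return path[len(prefix):] or "/"
    return None


def route(rules, host, path="/"):
    """Pick the first rule that accepts host and path.  Returns (200, url) with the
    internal URL the request is forwarded to, or (403, None) when no rule accepts the
    public name, which is what Exercise 1 step 7b shows for http://39.1.1.1."""
    host = host.lower()
    for rule in rules:
        if host not in rule.public_names:
            continue
        rest = _strip_prefix(path, rule.public_path)
        if rest is None:
            continue
        internal = rule.internal_path.rstrip("/") + rest
        return 200, f"http://{rule.internal_host}:{rule.internal_port}{internal}"
    return 403, None


def shadowed_rules(rules):
    """Names of rules that can never match because an earlier rule accepts the same
    host with a path prefix that covers theirs.  Ordering the Denver rule
    (www.contoso.com, /) before the Products rule (www.contoso.com, /products)
    makes the Products rule dead, the situation Exercise 2 step 3 warns about."""
    dead = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            shared = set(earlier.public_names) & set(rule.public_names)
            if shared and _strip_prefix(rule.public_path, earlier.public_path) is not None:
                dead.append(rule.name)
                break
    return dead


# The rules as the lab defines them.
DENVER_HOME = WebPublishingRule("Web Home Page (on Denver)", ("www.contoso.com", "39.1.1.1"),
                                "/", "denver.contoso.com", "/")
PRODUCTS = WebPublishingRule("Products Web Site (on Paris)", ("www.contoso.com",),
                             "/products", "10.1.1.1", "/", 81)
PUBLIC_WEB = WebPublishingRule("Public Web Site (on Paris)", ("public.contoso.com",),
                               "/", "10.1.1.1", "/publicweb/", 81)
# Order as the lab leaves it: each new rule was inserted above the existing ones.
LAB_RULES = (PUBLIC_WEB, PRODUCTS, DENVER_HOME)
```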


Exercise 3 Performing Link Translation on a Published Web Server

In this exercise, you will configure ISA Server to enable link translation for a published Web site.

Tasks Detailed steps

Note: This lab exercise uses the following computers: Denver - Paris - Istanbul
Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.

Perform the following steps on the Istanbul computer.

1. On the Istanbul computer, connect to the Web page www.contoso.com/links.htm.

a. On the Istanbul computer, open Internet Explorer. In the Address box, type http://www.contoso.com/links.htm, and then press Enter.

Internet Explorer displays a demonstration Web page for the Link Translation Filter. The Web Home Page (on Denver) Web publishing rule from an earlier exercise makes the links.htm page available on the External network (Istanbul).

Notice that two of the three images are displayed correctly.
   The first image uses a relative address (pic1.jpg). Internet Explorer automatically adds the current host name (www.contoso.com) to the relative address.
   The second image uses the full name of the Web server computer itself (denver.contoso.com), which ISA Server automatically replaces (translates) with www.contoso.com, so that it can be resolved when the Web server is published on the Internet.
   The link to the third image still uses the internal name (ronsbox) of the Web server computer, and does not resolve correctly on the Internet.

b. Hold the mouse pointer over the Translated link for pic1.jpg URL.

In the status bar, you can see that Internet Explorer translates the <a href="pic1.jpg"> HTML code to include the entire address that is used in the Address box.

c. Right-click on the displayed image (pic1.jpg), and then click Properties.

In the Properties dialog box, you can see that Internet Explorer also translates <img src="pic1.jpg"> HTML code to include the entire address.

d. Click Cancel to close the Properties dialog box.

e. Do not close Internet Explorer.

Perform the following steps on the Paris computer.

2. On the Paris computer, examine the Link Translation Filter Web filter.

a. On the Paris computer, in the ISA Server console, in the left pane, expand Configuration, and then select Add-ins.

b. In the right pane, select the Web Filters tab.

One of the Web filters is the Link Translation Filter. Responses from published Web servers pass through the list of Web filters, including the Link Translation Filter, before they are sent to the client computers.

3. Examine the current link translation mappings for the Web Home Page (on Denver) Web publishing rule.

a. In the left pane, select Firewall Policy, and then in the right pane, select the Web Home Page (on Denver) Web publishing rule.

This Web publishing rule redirects requests for www.contoso.com (and 39.1.1.1) to the Web server on denver.contoso.com.

b. In the task pane, on the Tasks tab, click Edit Selected Rule.

c. In the Web Home Page (on Denver) Properties dialog box, select the Link Translation tab.

By default, link translation is applied to Web publishing rules.

Based on the names used in the rule definition, ISA Server will create link translation mappings (such as "http://denver.contoso.com" to "http://www.contoso.com") to perform link translation for this Web publishing rule. This ensures that the second graphical image (using http://denver.contoso.com) is displayed correctly.

d. On the Link Translation tab, click Mappings.

Internet Explorer opens a Web page that displays the currently defined link translation mappings for this rule, including the mapping from URL http://denver.contoso.com to URL http://www.contoso.com.

e. Close Internet Explorer.

f. Click Cancel to close the Web Home Page (on Denver) Properties dialog box.

4. Create a new global link translation mapping:

Replace this text: http://ronsbox

With this text: http://www.contoso.com

a. In the left pane, select General.

b. In the right pane, under Global HTTP Policy Settings, click Configure Global Link Translation.

c. In the Link Translation dialog box, select the Global Mappings tab.

In ISA Server 2006, you can define global link translation mappings that apply to all Web publishing rules.

d. On the Global Mappings tab, click Add.

e. In the Add Mapping dialog box, complete the following information:
- Internal URL: http://ronsbox
- Translated URL: http://www.contoso.com
and then click OK.

It is a good practice to also consider adding a link translation mapping for https://ronsbox, but that is not needed for this exercise.

f. Click OK to close Link Translation dialog box.

g. Click Apply to save the changes, and then click OK.

Perform the following steps on the Istanbul computer.

5. On the Istanbul computer, refresh the content of the Web page at www.contoso.com/links.htm again, by pressing Ctrl-F5 or Ctrl-Refresh.

a. On the Istanbul computer, in Internet Explorer, ensure that the http://www.contoso.com/links.htm Web page is opened.

b. Hold the Ctrl-key, and then click the Refresh button on the toolbar, to refresh the content of the Web page.

The third image (pic3.jpg) is also displayed correctly. The Link Translation Filter on ISA Server has translated the http://ronsbox link that was returned by the Denver Web server for the URL of pic3.jpg, to http://www.contoso.com.

c. Close Internet Explorer.


Exercise 4 Using Cross-Site Link Translation to Publish SharePoint Server

In this exercise, you will configure ISA Server to publish a SharePoint Server.

The portal Web site contains links to other Web servers. By using cross-site link translation, you can access the links from the published portal Web site.

Note: This exercise applies to new functionality in ISA Server 2006.

Tasks Detailed steps

Note: This lab exercise uses the following computers: Denver - Paris - Istanbul. Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.

Perform the following steps on the Denver computer.

1. On the Denver computer, connect to http://portal, and examine the links on the Project-D Portal Web site.

a. On the Denver computer, open Internet Explorer. In the Address box, type http://portal, and then press Enter.

Internet Explorer displays a sample Project-D Portal Web site, which runs on Denver on IP address 10.1.1.10.

b. In the portal Web site, under Shared Documents, move the mouse pointer over Agenda (do not click).

In the status bar, notice that the Agenda.doc link refers to http://portal.

c. Click Agenda.

d. In the File Download dialog box, click Open to confirm that you want to open the Agenda.doc file.

WordPad opens the Agenda.doc file.

e. Close WordPad.

f. In the portal Web site, under Links, move the mouse pointer over Research Web Site (do not click).

In the status bar, notice that the Research Web Site link refers to http://server1.

It is very common that SharePoint sites contain links to other servers on the internal network.

g. Click Research Web Site.

Internet Explorer opens the research.htm file on server1. Server1 is a Web site running on Denver on IP address 10.1.1.21.

h. On the toolbar, click the Back button.

i. Close Internet Explorer.

Perform the following steps on the Paris computer.

2. On the Paris computer, create a new Web listener.

Name: External Web 80

SSL: disable

Network: External

Compression: disable

a. On the Paris computer, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.

The ISA Server console opens.

b. In the ISA Server console, expand Paris, and then select Firewall Policy.

c. In the task pane, on the Toolbox tab, in the Network Objects section, expand Web Listeners (if possible).

Authentication: none

(If this is not done already)

Note: If a Web Listener named External Web 80 is already created in an earlier exercise, then you can skip the rest of this task.

d. If a Web listener named External Web 80 does not exist, then right-click Web Listeners, and then click New Web Listener.

e. In the New Web Listener Definition Wizard dialog box, in the Web listener name text box, type External Web 80, and then click Next.

f. On the Client Connection Security page, select Do not require SSL secured connections with clients, and then click Next.

g. On the Web Listener IP Addresses page, complete the following information:
- Listen on network: External
- ISA Server will compress content: disable
and then click Next.

h. On the Authentication Settings page, in the drop-down list box, select No Authentication, and then click Next.

i. On the Single Sign On Settings page, click Next.

j. On the Completing the New Web Listener Wizard page, click Finish.

A new Web listener (port 80 on the IP address on the adapter on the External network) with the name External Web 80 is created.

3. Create a Web publishing rule to publish a SharePoint server.

Name: Portal Web Site

Publishing type: single Web site

Internal site name: portal

Public name: portal.contoso.com

Web listener: External Web 80

Delegation: none

a. In the right pane, select the first rule, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.

b. In the task pane, on the Tasks tab, click Publish SharePoint Sites.

c. In the New SharePoint Publishing Rule Wizard dialog box, in the SharePoint publishing rule name text box, type Portal Web Site, and then click Next.

d. On the Publishing Type page, select Publish a single Web site, and then click Next.

e. On the Server Connection Security page, select Use non-secured connections to connect to the published Web server, and then click Next.

f. On the Internal Publishing Details page, in the Internal site name text box, type portal, and then click Next.

g. On the Public Name Details page, in the Public name text box, type portal.contoso.com, and then click Next.

h. On the Select Web Listener page, in the Web listener drop-down list box, select External Web 80, and then click Next.

i. On the Authentication Delegation page, select No delegation, and client cannot authenticate directly, and then click Next.

j. On the Alternate Access Mapping Configuration page, select SharePoint AAM is not yet configured, and then click Next.

ISA Server forwards the public name (portal.contoso.com) to the SharePoint site. If SharePoint limits which names can be used to access the site, then you have to add portal.contoso.com to the Extranet URL list (Alternate Access Mapping list) on the SharePoint site.

k. On the User Sets page, click Next.

l. On the Completing the New SharePoint Publishing Rule Wizard page, click Finish.

A new Web publishing rule is created, which publishes the SharePoint site portal as portal.contoso.com on the External network.

4. Apply the changes.

a. Click Apply to apply the changes, and then click OK.

Perform the following steps on the Istanbul computer.

5. On the Istanbul computer, connect to http://portal.contoso.com, and examine the links on the Project-D Portal Web site.

a. On the Istanbul computer, open Internet Explorer. In the Address box, type http://portal.contoso.com, and then press Enter.

Internet Explorer displays the sample Project-D Portal Web site. This result demonstrates that you have successfully published the SharePoint site.

b. In the portal Web site, under Shared Documents, move the mouse pointer over Agenda (do not click).

In the status bar, notice that the Agenda.doc link refers to http://portal.contoso.com.

The SharePoint publishing rule wizard configured the Web publishing rule to forward the original host header (http://portal.contoso.com) to the SharePoint site. SharePoint uses that information to create URLs that refer to the host name (portal.contoso.com) that the client can use.

c. Click Agenda.

d. In the File Download dialog box, click Open to confirm that you want to open the Agenda.doc file.

WordPad opens the Agenda.doc file.

You can access documents on the published SharePoint Web site, in the same way you can access them on the internal network when connecting to http://portal.

e. Close WordPad.

f. In the portal Web site, under Links, move the mouse pointer over Research Web Site (do not click).

In the status bar, notice that the Research Web Site link refers to http://server1.

g. Click Research Web Site.

Internet Explorer on Istanbul is not able to resolve the name server1, and so cannot connect to the Web server on the internal network.

h. On the toolbar, click the Back button.

i. Close Internet Explorer.

Perform the following steps on the Paris computer.

6. On the Paris computer, create a Web publishing rule.

Name: Server1 Web Site

Publishing type: single Web site

Internal site name: server1

Public name: web1.contoso.com

Web listener: External Web 80

Delegation: none

a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.

b. In the right pane, select the first rule to indicate where the new rule is added.

c. In the task pane, on the Tasks tab, click Publish Web Sites.

d. In the New Web Publishing Rule Wizard dialog box, in the Web publishing rule name, type Server1 Web Site, and then click Next.

e. On the Select Rule Action page, select Allow, and then click Next.

f. On the Publishing Type page, select Publish a single Web site, and then click Next.

g. On the Server Connection Security page, select Use non-secured connections to connect to the published Web server, and then click Next.

h. On the Internal Publishing Details page, in the Internal site name text box, type server1, and then click Next.

i. On the next Internal Publishing Details page, leave the Path text box empty, and then click Next.

j. On the Public Name Details page, in the Public name text box, type web1.contoso.com, and then click Next.

k. On the Select Web Listener page, in the Web listener drop-down list box, select External Web 80, and then click Next.

l. On the Authentication Delegation page, select No delegation, and client cannot authenticate directly, and then click Next.

m. On the User Sets page, click Next.


n. On the Completing the New Web Publishing Rule Wizard page, click Finish.

A new Web publishing rule is created, which publishes the Web site server1 as web1.contoso.com on the External network.

7. Apply the changes.

a. Click Apply to apply the changes, and then click OK.

8. Examine the list of per-server link translation mappings.

a. In the left pane, expand Configuration, and then click General.

b. In the right pane, click Configure Global Link Translation.

ISA Server 2006 maintains a per-server (or per-array) list of URL text replacement mappings that are applied to the content of HTTP response packets through any Web publishing rule in the array.

c. Select the Global Mappings tab.

The mappings are created automatically based on the internal site name and the public name of existing Web publishing rules, but you can also add custom mappings.

The mapping to replace http://server1/ with http://web1.contoso.com/ is based on the new Server1 Web Site rule, and will be used by the Portal Web Site rule.

d. Click Cancel to close the Link Translation dialog box.

Note: On ISA Server 2006 Enterprise Edition, you can enable link translation across arrays. This means that an array can use link translation entries from other arrays in the same Enterprise.
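The mapping list examined in task 8, together with the global http://ronsbox mapping from Exercise 3, as an added Python model of the text replacement the Link Translation Filter performs on response bodies (illustration code, not ISA Server's implementation). The content-type list, the case-insensitive matching and the URL-boundary rule are assumptions; the rules and the sample HTML body (including the unpublished server10 host) are constructed from this module's lab values.

```python
"""Model of the ISA Server Link Translation Filter's response rewriting
(added example, not ISA Server code)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class WebPublishingRule:
    name: str
    internal_site_name: str   # name ISA Server uses towards the published server
    public_name: str          # name external clients use


def automatic_mappings(rules):
    """Per-array mappings derived from the rule definitions, as the manual
    describes: http://server1/ -> http://web1.contoso.com/ for the Server1 rule."""
    return {f"http://{r.internal_site_name}/": f"http://{r.public_name}/"
            for r in rules}


# Assumption: stand-in for ISA Server's configurable list of content types that
# link translation rewrites; binary responses such as images pass through.
TRANSLATED_CONTENT_TYPES = {"text/html", "text/css", "application/x-javascript"}

# The internal URL must be followed by a path, quote, whitespace, tag end, query
# or end of text, so http://portal never matches inside http://portal.contoso.com
# and http://server1 never matches inside http://server10 (assumed boundary rule).
URL_BOUNDARY = r'''(?=[/"'\s<>?#]|$)'''


class LinkTranslator:
    def __init__(self, rules, global_mappings=None):
        merged = automatic_mappings(rules)
        merged.update(global_mappings or {})   # global mappings apply to every rule
        # Trailing slashes are dropped so "http://server1/" and "http://ronsbox"
        # are matched the same way; host names are compared case-insensitively.
        self.mappings = {k.rstrip("/").lower(): v.rstrip("/") for k, v in merged.items()}
        longest_first = sorted(self.mappings, key=len, reverse=True)
        alternatives = "|".join(re.escape(k) for k in longest_first)
        self._pattern = re.compile("(" + alternatives + ")" + URL_BOUNDARY, re.IGNORECASE)

    def translate(self, content_type, body):
        """Rewrite one response body in a single pass, so the output of one
        mapping is never fed into another."""
        media_type = content_type.split(";")[0].strip().lower()
        if media_type not in TRANSLATED_CONTENT_TYPES:
            return body
        return self._pattern.sub(lambda m: self.mappings[m.group(1).lower()], body)


# Constructed from this module's lab values: the three Web publishing rules,
# the global mapping from Exercise 3, and a links.htm body as Denver might send it.
LAB_RULES = [
    WebPublishingRule("Web Home Page (on Denver)", "denver.contoso.com", "www.contoso.com"),
    WebPublishingRule("Portal Web Site", "portal", "portal.contoso.com"),
    WebPublishingRule("Server1 Web Site", "server1", "web1.contoso.com"),
]
LAB_GLOBAL_MAPPINGS = {"http://ronsbox": "http://www.contoso.com"}
SAMPLE_RESPONSE_BODY = (
    '<img src="pic1.jpg">\n'
    '<img src="http://denver.contoso.com/pic2.jpg">\n'
    '<img src="http://ronsbox/pic3.jpg">\n'
    '<a href="http://server1/research.htm">Research Web Site</a>\n'
    '<a href="http://portal.contoso.com/Shared%20Documents/Agenda.doc">Agenda</a>\n'
    '<a href="http://server10/">server10 (constructed, not published)</a>\n'
)


def translate_sample():
    translator = LinkTranslator(LAB_RULES, LAB_GLOBAL_MAPPINGS)
    return translator.translate("text/html; charset=utf-8", SAMPLE_RESPONSE_BODY)


if __name__ == "__main__":
    print(translate_sample())
```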

Perform the following steps on the Istanbul computer.

9. On the Istanbul computer, connect to http://portal.contoso.com, and examine the links on the Project-D Portal Web site.

a. On the Istanbul computer, open Internet Explorer. In the Address box, type http://portal.contoso.com, and then press Enter.

Internet Explorer displays the sample Project-D Portal Web site. The site is published through the Portal Web Site publishing rule.

b. In the portal Web site, under Links, move the mouse pointer over Research Web Site (do not click).

In the status bar, notice that the Research Web Site link refers to http://web1.contoso.com.

The Portal Web Site rule used the link translation entry from the Server1 Web Site rule.

c. Click Research Web Site.

Internet Explorer displays the Research Web page from Server1. The site is published through the Server1 Web Site publishing rule.

d. On the toolbar, click the Back button.

e. Close Internet Explorer.


Exercise 5 Publishing a Web Farm for Load Balancing

In this exercise, you will publish two Web servers (10.1.1.21 and 10.1.1.22) as a Web farm. ISA Server load balances Web requests to servers in a Web farm.

The exercise uses both Cookie-Based Load Balancing and Source-IP Based Load Balancing.

Note: This exercise applies to new functionality in ISA Server 2006.

Tasks Detailed steps

Note: This lab exercise uses the following computers: Denver - Paris - Istanbul. Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.

Perform the following steps on the Paris computer.

1. On the Paris computer, create a new Web listener.

Name: External Web 80

SSL: disable

Network: External

Compression: disable

Authentication: none

(If this is not done already)

a. On the Paris computer, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.

The ISA Server console opens.

b. In the ISA Server console, expand Paris, and then select Firewall Policy.

c. In the task pane, on the Toolbox tab, in the Network Objects section, expand Web Listeners (if possible).

Note: If a Web Listener named External Web 80 is already created in an earlier exercise, then you can skip the rest of this task.

d. If a Web Listener named External Web 80 does not exist, then right-click Web Listeners, and then click New Web Listener.

e. In the New Web Listener Definition Wizard dialog box, in the Web listener name text box, type External Web 80, and then click Next.

f. On the Client Connection Security page, select Do not require SSL secured connections with clients, and then click Next.

g. On the Web Listener IP Addresses page, complete the following information:
- Listen on network: External
- ISA Server will compress content: disable
and then click Next.

h. On the Authentication Settings page, in the drop-down list box, select No Authentication, and then click Next.

i. On the Single Sign On Settings page, click Next.

j. On the Completing the New Web Listener Wizard page, click Finish.

A new Web listener (port 80 on the IP address on the adapter on the External network) with the name External Web 80 is created.

2. Create a new Server Farm network element.

Name: Shop Web Servers

Addresses: 10.1.1.21, 10.1.1.22

Monitoring: http://*/

a. In the task pane, on the Toolbox, in the Network Objects section, right-click Server Farms, and then click New Server Farm.

The New Server Farm Definition Wizard opens.

b. In the New Server Farm Definition Wizard dialog box, in the Server farm name text box, type Shop Web Servers, and then click Next.

c. On the Servers page, click Add.

d. In the Server Details dialog box, complete the following information:
- Computer name or IP address: 10.1.1.21
- Description: Shopping Web Server 1
and then click OK.

e. On the Servers page, click Add again.

f. In the Server Details dialog box, complete the following information:
- Computer name or IP address: 10.1.1.22
- Description: Shopping Web Server 2
and then click OK.

Note: The Denver computer runs two Web sites at addresses 10.1.1.21 and 10.1.1.22.

g. On the Servers page, click Next.

h. On the Server Farm Connectivity Monitoring page, complete the following information:
- Send an HTTP/HTTPS GET request: enable (is default)
- Current URL: http://*/ (is default)
and then click Next.

ISA Server will monitor the connectivity to the servers in the Shop Web Servers farm by connecting to each of the Web servers (using GET http://10.1.1.21/, and GET http://10.1.1.22/) every 30 seconds.

i. On the Completing the New Server Farm Wizard page, click Finish.

j. In the HTTP Connectivity Verification dialog box, click Yes to confirm that you want the connectivity verifiers system policy to be enabled.

The wizard enables system policy 19 to allow the HTTP GET request from the ISA Server to the Web servers in the Shop Web Servers farm.

3. Create a new Web publishing rule.

Name: Sales Web Site

Type: Publish server farm

Internal name: store.contoso.com/shop

Server farm: Shop Web Servers

Load balance mechanism: Cookie-based

Public name: www.contoso.com/shop

Web listener: External Web 80

Delegation: none

a. In the right pane, select the first rule, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.

b. In the task pane, on the Tasks tab, click Publish Web Sites.

c. In the New Publishing Rule Wizard dialog box, in the Web publishing rule name text box, type Sales Web Site, and then click Next.

d. On the Select Rule Action page, select Allow, and then click Next.

The Publishing Type page has three choices:
- Publish a single Web site - You create a single rule for a single Web site.
- Publish a server farm - You create a single rule for multiple Web sites with identical content. ISA Server load balances requests.
- Publish multiple Web sites - You create a separate rule for each published Web site with only a single run of the wizard.

e. On the Publishing Type page, select Publish a server farm of load balanced Web servers, and then click Next.

f. On the Server Connection Security page, select Use non-secured connections to connect to the published Web server or server farm, and then click Next.

g. On the Internal Publishing Details page, in the Internal site name text box, type store.contoso.com, and then click Next.

Note: When you publish a server farm, ISA Server does not use the internal site name (store.contoso.com) to find the published servers. Instead, later in the wizard you specify the Server Farm network element, which lists the addresses of the servers in the farm. The internal site name is used as host header when connecting to the farm servers, and it is used in automatic Link Translation mappings.

h. On the next Internal Publishing Details page, complete the following information:
- Path: shop/*
- Forward the original host header: disable (default)
and then click Next.

i. On the Specify Server Farm page, complete the following information:
- Select the server farm (drop-down list box): Shop Web Servers
- Cookie-based Load Balancing: enable (is default)
and then click Next.

ISA Server can use two different methods to load balance requests to the servers in the farm:
- Cookie-based Load Balancing - ISA Server uses round-robin to distribute new connections to the Web servers. It sends a temporary session cookie to each client that connects, so that client session affinity to the selected Web server is maintained.
- Source-IP based Load Balancing - ISA Server uses a hash value of the client's IP address to distribute connections to the Web servers. All requests from the same client IP address go to the same Web server.

Note: For load balancing Outlook Web Access or SharePoint access, both of which use Internet Explorer, the Cookie-based Load Balancing is the recommended solution. For load balancing Outlook RPC over HTTP access, you need to use Source-IP based Load Balancing. Outlook cannot work with HTTP cookies.

j. On the Public Name Details page, complete the following information:
- Accept request for: This domain name (type below)
- Public name: www.contoso.com
- Path (optional): /shop/* (automatic)
and then click Next.

k. On the Select Web Listener page, in the Web listener drop-down list box, select External Web 80, and then click Next.

l. On the Authentication Delegation page, in the drop-down list box, select No delegation, and client cannot authenticate directly, and then click Next.

m. On the User Sets page, click Next.

n. On the Completing the New Web Publishing Rule Wizard page, click Finish.

A new Web publishing rule named Sales Web Site is created. The icon with the four small servers indicates that this rule publishes a server farm.

4. Apply the changes.

a. Click Apply to apply the changes, and then click OK.

5. Examine the connectivity verifiers for the Shop Web Servers farm.

a. In the ISA Server console, in the left pane, select Monitoring.

b. In the right pane, select the Connectivity Verifiers tab.

Note: You may (temporarily) need to close the task pane in order to see the Connectivity Verifiers tab.

c. Right-click the first Farm: Shop Web Servers connectivity verifier, and then click Properties.

d. In the Farm: Shop Web Servers Properties dialog box, select the Connectivity Verification tab.

Every 30 seconds, ISA Server connects to the published Web servers (using GET http://10.1.1.21/, and GET http://10.1.1.22/). If the Web server responds with HTTP code 200 (OK) within 5 seconds, ISA Server considers the Web server to be available, and load balances requests to the Web server.

Note: For the GET http://*/ request to succeed, the Web server must accept anonymous access to the root, and must have a default document available. Otherwise, the connectivity verifier fails to connect.

e. Click Cancel to close the Farm: Shop Web Servers Properties dialog box.

When the Web servers are available, the connectivity verifier icon contains a green check mark, and the Result column displays the observed response time.

Perform the following steps on the Istanbul computer.

6. On the Istanbul computer, use Internet Explorer to connect to http://www.contoso.com/shop/web.asp.

a. On the Istanbul computer, open Internet Explorer. In the Address box, type http://www.contoso.com/shop/web.asp, and then press Enter.

Internet Explorer displays the web.asp page from Web server 10.1.1.21 (Server1). The client did not include a cookie in the Web request.

Note: Due to the round-robin nature of the Cookie-based Load Balancing, and depending on earlier Web requests that you may have done, it is possible that the Web page in this task is returned from 10.1.1.22. In that case, close the Internet Explorer window, and connect to the Web address again.

b. On the toolbar, click the Refresh button to refresh the content of the Web page.

The same Web server handles the Web request. For the second and the subsequent requests, the client includes the session cookie (starting with ISAWPLB), which it received in the response of the first request. The cookie text contains a Global Unique Identifier (GUID) that ISA Server uses to identify which Web server it should send the Web request to. This ensures the session affinity with the same Web server. (ISAWPLB stands for ISA Web Publishing Load Balancing.)

Note: In the response, ISA Server also forwards an ASP Session cookie from the Web server to the client computer.

7. Create two new Internet Explorer sessions, and connect to http://www.contoso.com/shop/web.asp

a. On the Start menu, click All Programs, and then click Internet Explorer.

A second Internet Explorer window opens.

b. In Internet Explorer, in the Address box, type http://www.contoso.com/shop/web.asp, and then press Enter.

The new Web request does not contain a session cookie. Therefore ISA Server forwards the request to the other Web server 10.1.1.22 (Server2), and includes a new cookie in the response.

c. On the toolbar, click the Refresh button to refresh the content of the Web page.

The second Internet Explorer session uses a different cookie.

d. On the Start menu, click All Programs, and then click Internet Explorer again.

A third Internet Explorer window opens.

e. In Internet Explorer, in the Address box, type http://www.contoso.com/shop/web.asp, and then press Enter.

ISA Server load balances the third session to Web server 10.1.1.21 (Server1) again.

Perform the following steps on the Denver computer.

8. On the Denver computer, stop the Server1 Web Site to simulate a connectivity problem with the Web server on 10.1.1.21.

a. On the Denver computer, on the Start menu, click Administrative Tools, and then click Internet Information Services (IIS) Manager.

The IIS Manager console opens.

b. In the IIS Manager console, expand DENVER (local computer), expand Web Sites, and then select Server1 Web Site.

c. Right-click Server1 Web Site, and then click Properties.

Notice that Server1 Web Site is listening on IP address 10.1.1.21.

d. Click Cancel to close the Server1 Web Site Properties dialog box.

e. Right-click Server1 Web Site, and then click Stop.

The Web site at 10.1.1.21 is no longer responding to Web requests.

Perform the following steps on the Istanbul computer.

9. On the Istanbul computer, attempt to refresh the content of the Web pages that were from 10.1.1.21 (Server1).

a. On the Istanbul computer, switch to one of the Internet Explorer windows that currently displays the web.asp page from 10.1.1.21 (Server1).

b. On the toolbar, click the Refresh button to refresh the content of the Web page.

Internet Explorer displays an error message: Bad request (invalid hostname).

c. Wait 20 seconds, and then on the toolbar, click the Refresh button again.

Internet Explorer displays the web.asp page from 10.1.1.22 (Server2). ISA Server has forwarded the Web request to the remaining Web server in the farm.

Note: Because ISA Server checks the connectivity to the 10.1.1.21 Web server every 30 seconds, and then waits for the timeout for another 5 seconds, on average it takes 15+5 seconds after the Web server is no longer available, before ISA Server forwards all the Web requests to the other Web server. Due to the way http.sys works on the Denver computer, it still returned a response (Bad request) when connecting to 10.1.1.21.

d. Switch to the other Internet Explorer window that displays the web.asp page from 10.1.1.21 (Server1).

e. On the toolbar, click the Refresh button.

Internet Explorer immediately displays the web.asp page from 10.1.1.22 (Server2).

Perform the following steps on the Paris computer.

10. On the Paris computer, examine the connectivity verifier and the alert for the connection to 10.1.1.21.

a. On the Paris computer, in the ISA Server console, in the left pane, select Monitoring.

b. In the right pane, select the Connectivity Verifiers tab.

Notice that the icon for the connectivity verifier to 10.1.1.21 contains a red mark, indicating a connectivity issue.

c. In the right pane, select the Alerts tab.

d. In the task pane, on the Tasks tab, click Refresh Now.

e. In the right pane, expand the No Connectivity alert, and then select the lower No Connectivity line.

The alert information describes that the connection to 10.1.1.21 failed.

f. Right-click the lower No Connectivity line, and then click Reset.

g. Click Yes to confirm that you want to reset the No Connectivity alert.

Perform the following steps on the Denver computer.

11. On the Denver computer, start the Server1 Web Site.

a. On the Denver computer, in the IIS Manager console, right-click Server1 Web Site, and then click Start.

The Web site at 10.1.1.21 is available again.

Perform the following steps on the Istanbul computer.

12. On the Istanbul computer, refresh the Web page from 10.1.1.22, and create a new connection to http://www.contoso.com/shop/web.asp.

a. On the Istanbul computer, switch to any of the Internet Explorer windows that currently displays the web.asp page from 10.1.1.22 (Server2).

b. On the toolbar, click the Refresh button to refresh the content of the Web page.

ISA Server continues to forward the Web requests to 10.1.1.22 (Server2), even though 10.1.1.21 is available again. All current sessions already use a cookie that contains the GUID of Server2, and will stay on this Web server. This is referred to as client stickiness.

c. On the Start menu, click All Programs, and then click Internet Explorer.

A new Internet Explorer session opens.

d. Wait 20 seconds, and then in Internet Explorer, in the Address box, type http://www.contoso.com/shop/web.asp, and press Enter.

Internet Explorer displays the web.asp page from 10.1.1.21 (Server1). ISA Server load balances all new connections.

Note: It may take 30+5 seconds before ISA Server detects that the Web server at 10.1.1.21 is available again. If the web.asp page is returned from 10.1.1.22, then close the Internet Explorer window, wait a few seconds, and try again.

e. Close all Internet Explorer windows.

Perform the following steps on the Paris computer.

13. On the Paris computer, change the load balancing mechanism for the Sales Web Site rule to Source-IP based.

a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.

b. In the right pane, right-click the Sales Web Site rule, and then click Properties.

c. In the Sales Web Site Properties dialog box, on the Web Farm tab, in the Load Balancing Mechanism section, select Source-IP based.

ISA Server will no longer send cookies to manage load balancing Web requests, but will use a hash of the source IP address instead.

d. Click OK to close the Sales Web Site Properties dialog box.

14. Apply the changes.

a. Click Apply to apply the changes, and then click OK.

Perform the following steps on the Istanbul computer.

15. On the Istanbul computer, create two new Internet Explorer sessions, and connect to http://www.contoso.com/shop/web.asp

a. On the Istanbul computer, on the Start menu, click All Programs, and then click Internet Explorer.

b. In Internet Explorer, in the Address box, type http://www.contoso.com/shop/web.asp, and then press Enter.

Internet Explorer displays the web.asp page from Web server 10.1.1.22 (Server2).

c. On the toolbar, click the Refresh button to refresh the content of the Web page.

In the response to the first Web request, ISA Server did not include an ISAWPLB cookie, but instead only forwarded the ASP Session cookie that the Web server provides.

d. On the Start menu, click All Programs, and then click Internet Explorer.

A second Internet Explorer window opens.

e. In Internet Explorer, in the Address box, type http://www.contoso.com/shop/web.asp, and then press Enter.

The new Web request is also handled by the same Web server 10.1.1.22 (Server2). Unlike cookie-based load balancing, ISA Server does not round-robin the Web requests to the Web servers, but uses the hash of the client IP address (39.1.1.7). All Web requests from the Istanbul computer will go to the same Web server.

Perform the following steps on the Denver computer.

16. On the Denver computer, stop the Server2 Web Site to simulate a connectivity problem with the Web server on 10.1.1.22.

a. On the Denver computer, in the IIS Manager console, right-click Server2 Web Site, and then click Stop.

The Web site at 10.1.1.22 is no longer responding to Web requests.

Perform the following steps on the Istanbul computer.

17. On the Istanbul computer, attempt to refresh the content of the Web page that was from 10.1.1.22 (Server2).

a. On the Istanbul computer, switch to one of the Internet Explorer windows that currently displays the web.asp page from 10.1.1.22 (Server2).

b. On the toolbar, click the Refresh button to refresh the content of the Web page.

Internet Explorer displays an error message: Bad request (invalid hostname).

c. Wait 20 seconds, and then on the toolbar, click the Refresh button again.

Internet Explorer displays the web.asp page from 10.1.1.21 (Server1). ISA Server has forwarded the Web request to the remaining Web server in the farm.

Perform the following steps on the Denver computer.

18. On the Denver computer, start the Server2 Web Site.

a. On the Denver computer, in the IIS Manager console, right-click Server2 Web Site, and then click Start.

The Web site at 10.1.1.22 is available again.

b. Close the IIS Manager console.

Perform the following steps on the Istanbul computer.

19. On the Istanbul computer, attempt to refresh the content of the Web page that was from 10.1.1.21 (Server1).

a. On the Istanbul computer, switch to the Internet Explorer window that currently displays the web.asp page from 10.1.1.21 (Server1).

b. On the toolbar, click the Refresh button to refresh the content of the Web page.

ISA Server may still forward the Web request to 10.1.1.21.

After an average of 20 seconds, the connectivity verifier on ISA Server detects that Web server 10.1.1.22 is available again.

c. Wait 20 seconds, and then on the toolbar, click the Refresh button again.

Internet Explorer displays the web.asp page from 10.1.1.22 (Server2).

Note: With cookie-based load balancing, ISA Server continues to forward requests to the same Web server, even after the original Web server is available again (this is called client stickiness). With source-IP based load balancing, ISA Server falls back to forwarding Web requests to the original Web server. There is no client stickiness.

d. Close all Internet Explorer windows.
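Note: The following Python model is an added example, not code from the lab or from ISA Server. It reproduces the failover and failback behaviour of steps 15 to 19: a source-IP method hashes the client address over the farm members that the connectivity verifier currently reports as available, and a cookie method remembers the member a client was sent to. The server and client addresses are the lab's; the WebFarm class, the SHA-256 hash and the round-robin used for first requests in cookie mode are assumptions.

```python
import hashlib
import itertools

# Constructed to match the lab's Shop Web Servers farm and the Istanbul client.
SERVER1 = "10.1.1.21"
SERVER2 = "10.1.1.22"
CLIENT = "39.1.1.7"


class WebFarm:
    """Toy model of a published Web farm (an assumption, not ISA Server's code).

    healthy: per-member state as reported by the connectivity verifier.
    _rr:     round-robin iterator used for first requests in cookie mode.
    """

    def __init__(self, servers):
        self.servers = list(servers)
        self.healthy = {s: True for s in self.servers}
        self._rr = itertools.cycle(self.servers)

    def verify(self, server, is_up):
        """Record a connectivity verifier result for one farm member."""
        self.healthy[server] = is_up

    def available(self):
        return [s for s in self.servers if self.healthy[s]]

    def pick_by_source_ip(self, client_ip):
        """Source-IP affinity: hash the client address over the members that are
        available right now. Nothing is remembered per client, so once a member
        is back the hash maps the client straight back to it (no stickiness)."""
        avail = self.available()
        if not avail:
            raise RuntimeError("no available server in farm")
        digest = hashlib.sha256(client_ip.encode("ascii")).digest()
        return avail[int.from_bytes(digest[:4], "big") % len(avail)]

    def pick_by_cookie(self, cookie=None):
        """Cookie affinity. Returns (server, cookie_to_set). A request without a
        cookie, or whose cookie names a member that is down, is round-robined to
        an available member and gets a new cookie. From then on the cookie wins
        as long as that member is up, even after the client's original member
        has recovered (client stickiness)."""
        if cookie in self.healthy and self.healthy[cookie]:
            return cookie, cookie
        if not self.available():
            raise RuntimeError("no available server in farm")
        while True:
            candidate = next(self._rr)
            if self.healthy[candidate]:
                return candidate, candidate


def run_lab_sequence(client_ip=CLIENT):
    """Replay steps 15 to 19 for both methods on two identical farms and return
    the member chosen at each step, so the two behaviours can be compared."""
    ip_farm = WebFarm([SERVER1, SERVER2])
    ck_farm = WebFarm([SERVER1, SERVER2])
    trace = {"source_ip": [], "cookie": []}

    # Step 15: two requests from the same client land on the same member.
    original = ip_farm.pick_by_source_ip(client_ip)
    trace["source_ip"] += [original, ip_farm.pick_by_source_ip(client_ip)]
    server, cookie = ck_farm.pick_by_cookie()
    trace["cookie"].append(server)
    server, cookie = ck_farm.pick_by_cookie(cookie)
    trace["cookie"].append(server)

    # Steps 16 and 17: the verifier reports that member down; requests fail over.
    ip_farm.verify(original, False)
    trace["source_ip"].append(ip_farm.pick_by_source_ip(client_ip))
    ck_farm.verify(cookie, False)
    server, cookie = ck_farm.pick_by_cookie(cookie)
    trace["cookie"].append(server)

    # Steps 18 and 19: the member is available again. Source-IP hashing falls
    # back to the original member; the cookie keeps the client on the fail-over member.
    ip_farm.verify(original, True)
    trace["source_ip"].append(ip_farm.pick_by_source_ip(client_ip))
    ck_farm.verify(trace["cookie"][0], True)
    server, cookie = ck_farm.pick_by_cookie(cookie)
    trace["cookie"].append(server)
    return trace


if __name__ == "__main__":
    for method, picks in run_lab_sequence().items():
        print(method, "->", ", ".join(picks))
```

In the source-IP trace the first, second and fourth picks are the same member and the third is the other one; in the cookie trace the client stays on the fail-over member after the original one recovers.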

Note: The following tasks are needed to avoid conflicts with other lab exercises.

Perform the following steps on the Paris computer.

20. On the Paris computer, delete the Sales Web Site rule, and delete the Shop Web Servers farm.

a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.

b. In the right pane, right-click the Sales Web Site rule, and then click Delete.

c. Click Yes to confirm that you want to delete Sales Web Site.

The Sales Web Site rule is deleted.

d. In the task pane, on the Toolbox tab, in the Network Objects section, expand Server Farms.

e. Under Server Farms, right-click Shop Web Servers, and then click Delete.

f. Click Yes to confirm that you want to delete Shop Web Servers.

The Shop Web Servers farm and the two related connectivity verifiers are deleted.

21. Apply the changes.

a. Click Apply to apply the changes, and then click OK.

Exercise 6 Publishing Multiple Terminal Servers

In this exercise, you will configure ISA Server to publish a terminal server (remote desktop) on the Internal network and publish a terminal server on the ISA Server computer.

Tasks Detailed steps

Note: This lab exercise uses the following computers: Denver - Paris - Istanbul. Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.

Perform the following steps on the Denver computer.

1. On the Denver computer, use System properties to enable remote desktop.

a. On the Denver computer, on the Start menu, click Control Panel, and then click System.

b. In the System Properties dialog box, on the Remote tab, enable Enable Remote Desktop on this computer.

c. Click OK to acknowledge that remote connection accounts must have passwords, and that the correct port must be open for remote connections.

Note: Terminal Services (Remote Desktop) uses TCP port 3389.

d. Click OK to close the System Properties dialog box.

Perform the following steps on the Paris computer.

2. On the Paris computer, create a server publishing rule:

Name: Publish RDP (on Denver)

Server: 10.1.1.5

Protocols: RDP (Terminal Services) Server

a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.

b. In the right pane, select the first rule, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.

c. In the task pane, on the Tasks tab, click Publish Non-Web Server Protocols.

The New Server Publishing Rule Wizard opens.

d. In the New Server Publishing Rule Wizard dialog box, in the Server publishing rule name text box, type Publish RDP (on Denver), and then click Next.

e. On the Select Server page, in the Server IP address text box, type 10.1.1.5, and then click Next.

f. On the Select Protocol page, in the Selected protocol drop-down list box, select RDP (Terminal Services) Server, and then click Next.

g. On the Network Listener IP Addresses page, select External, and then click Next.

h. On the Completing the New Server Publishing Rule Wizard page, click Finish.

A new server publishing rule is created that publishes RDP (TCP port 3389) on 10.1.1.5 (Denver) on the External network.

i. Click Apply to apply the new rule, and then click OK.

3. Use the C:\Tools\fwengmon  /C command to examine the active creation objects.

a. Open a Command Prompt window.

b. At the command prompt, type netstat  -ano  |  find  ":3389", and then press Enter.

The output of the command shows that currently no process has registered with the TCP driver to listen on port 3389.

Notice that creating a Server Publishing rule does NOT cause the TCP driver or UDP driver to listen on the specific port. Only the ISA Server kernel-mode firewall engine listens on the port. This makes it very easy to publish services that run on the ISA Server itself.

Note: Creating a Web Publishing rule does cause the TCP driver to listen on the Web listener port (for example port 80).

c. Type cd  \tools, and then press Enter.

d. Type fwengmon  /?, and then press Enter.

The Firewall Kernel Mode Tool (fwengmon.exe) is a tool you can use to analyze and troubleshoot firewall connectivity by monitoring the ISA Server kernel-mode firewall engine.

You can download the tool from www.microsoft.com/isaserver/downloads.

e. Type fwengmon  /C, and then press Enter.

The output lists the table of active creation objects in the firewall engine. A creation object represents acceptable network traffic that causes ISA Server to create a new connection.

The creation object with Destination 39.1.1.1:3389 is created by the Publish RDP (on Denver) server publishing rule. In other words, it is the kernel-mode firewall engine, not the TCP driver, that listens on TCP port 3389.

f. Do not close the Command Prompt window.

Perform the following steps on the Istanbul computer.

4. On the Istanbul computer, create a remote desktop connection to 39.1.1.1 (Paris).

a. On the Istanbul computer, on the Start menu, click All Programs, click Accessories, click Communications, and then right-click Remote Desktop Connection, and click Pin to Start menu.

Remote Desktop Connection on Istanbul is used multiple times in this exercise. For ease of use, Remote Desktop Connection is now added to the main Start menu list.

b. On the Start menu, click Remote Desktop Connection.

c. In the Remote Desktop Connection dialog box, in the Computer text box, type 39.1.1.1, and then click Connect.

39.1.1.1 is the external IP address of Paris.

The Log On dialog box of Denver appears.

d. In the Log On to Windows dialog box, complete the following information, and then click OK:

User name: Administrator

Password: password

You can successfully log on to Denver through a remote desktop connection.

5. Use the netstat command to examine the client IP address of the remote desktop connection.

a. In the remote desktop connection to Denver, open a Command Prompt window.

b. At the command prompt, type netstat  -ano  |  find  ":3389", and then press Enter.

The output shows that Istanbul (39.1.1.7) has established a remote desktop connection to Denver (10.1.1.5).

c. Close the Command Prompt window.

6. Log off the remote desktop connection.

a. In the remote desktop connection to Denver, on the Start menu, click Log Off.

b. Click Log Off to confirm that you are sure you want to log off.

The remote desktop connection is reset. The Istanbul desktop appears again.

Perform the following steps on the Paris computer.

7. On the Paris computer, change the Publish RDP (on Denver) rule.

Requests appear to come from: ISA Server computer

a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.

b. In the right pane, right-click Publish RDP (on Denver), and then click Properties.

c. In the Publish RDP (on Denver) Properties dialog box, on the To tab, select Requests appear to come from the ISA Server computer.

For each Web Publishing rule (default: requests appear to come from the ISA Server computer) and each Server Publishing rule (default: requests appear to come from the original client), you can specify how ISA Server forwards requests to published servers.

Specifying how requests are forwarded to published servers is especially important in network load balancing (NLB) scenarios where return network traffic must go back through the same ISA Server.

d. Click OK to close the Publish RDP (on Denver) Properties dialog box.

e. Click Apply to save the changes, and then click OK.

Perform the following steps on the Istanbul computer.

8. On the Istanbul computer, create a remote desktop connection to 39.1.1.1 (Paris).

a. On the Istanbul computer, on the Start menu, click Remote Desktop Connection.

b. In the Remote Desktop Connection dialog box, in the Computer text box, type 39.1.1.1, and then click Connect.

The Log On dialog box of Denver appears.

c. In the Log On to Windows dialog box, complete the following information, and then click OK:

User name: Administrator

Password: password

9. Use the netstat command to examine the client IP address of the remote desktop connection.

a. In the remote desktop connection to Denver, open a Command Prompt window.

b. At the command prompt, type netstat  -ano  |  find  ":3389", and then press Enter.

The output shows that the remote desktop connection to Denver (10.1.1.5) is now coming from IP address 10.1.1.1 (Internal network address of Paris).

c. Close the Command Prompt window.

10. Log off the remote desktop connection.

a. In the remote desktop connection to Denver, on the Start menu, click Log Off.

b. Click Log Off to confirm that you are sure you want to log off.

The remote desktop connection is reset. The Istanbul desktop appears again.

Perform the following steps on the Paris computer.

11. On the Paris computer, change the Publish RDP (on Denver) rule.

Publish on port: 3390

a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.

b. In the right pane, right-click Publish RDP (on Denver), and then click Properties.

c. In the Publish RDP (on Denver) Properties dialog box, on the Traffic tab, click Ports.

d. In the Ports dialog box, complete the following information, and then click OK:

Publish on this port instead of the default port: 3390

Both Web Publishing rules and Server Publishing rules can redirect traffic from one port number to another port number on the published server.

e. Click OK to close the Publish RDP (on Denver) Properties dialog box.

The server publishing rule now redirects RDP network traffic on 39.1.1.1 port 3390 to 10.1.1.5 port 3389.

f. Click Apply to save the changes, and then click OK.

12. Use the C:\Tools\fwengmon  /C command to examine the active creation objects.

a. In a Command Prompt window in the C:\Tools folder, type fwengmon  /C, and then press Enter.

The firewall engine now listens on IP address 39.1.1.1 port 3390 instead of port 3389.
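Note: The following Python model is an added example, not code from the lab or from ISA Server. For the three settings of the Publish RDP (on Denver) rule used in steps 4, 8 and 13 (default, requests appear to come from the ISA Server computer, and publish on port 3390), it shows which connection the published server sees, which is what netstat on Denver reports in steps 5 and 9, and which (address, port) pairs the firewall engine has creation objects for, as listed by fwengmon /C. The addresses are the lab's; the Connection and ServerPublishingRule types, the forward and engine_listeners functions, and the ephemeral source port 4000 are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed addresses taken from the lab: Paris external/internal, Denver, Istanbul.
ISA_EXTERNAL_IP = "39.1.1.1"
ISA_INTERNAL_IP = "10.1.1.1"
DENVER_IP = "10.1.1.5"
ISTANBUL_IP = "39.1.1.7"
RDP_PORT = 3389


@dataclass(frozen=True)
class Connection:
    """A TCP 4-tuple as netstat shows it on the receiving host."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class ServerPublishingRule:
    """The rule settings this example cares about (an assumed model)."""
    name: str
    listener_ip: str                     # External network address the engine listens on
    server_ip: str                       # published server
    server_port: int                     # protocol's primary port (RDP: 3389)
    listener_port: Optional[int] = None  # "Publish on this port instead of the default port"
    requests_from_isa: bool = False      # "Requests appear to come from the ISA Server computer"

    def creation_object(self):
        """The (ip, port) the kernel-mode engine listens on for this rule."""
        return (self.listener_ip, self.listener_port or self.server_port)


def forward(rule, conn, isa_source_port=4000):
    """Return the connection as the published server sees it, or None when the
    rule has no creation object for the destination. isa_source_port stands in
    for the ephemeral port ISA Server uses when it connects as itself."""
    if (conn.dst_ip, conn.dst_port) != rule.creation_object():
        return None
    if rule.requests_from_isa:
        src_ip, src_port = ISA_INTERNAL_IP, isa_source_port
    else:
        src_ip, src_port = conn.src_ip, conn.src_port
    return Connection(src_ip, src_port, rule.server_ip, rule.server_port)


def engine_listeners(rules):
    """Set of (ip, port) pairs the firewall engine listens on for a rule set."""
    return {r.creation_object() for r in rules}


def lab_walkthrough():
    """Steps 4, 8 and 13 of the exercise: the same rule with three settings."""
    client = Connection(ISTANBUL_IP, 1089, ISA_EXTERNAL_IP, RDP_PORT)
    step4 = ServerPublishingRule("Publish RDP (on Denver)", ISA_EXTERNAL_IP, DENVER_IP, RDP_PORT)
    step8 = ServerPublishingRule("Publish RDP (on Denver)", ISA_EXTERNAL_IP, DENVER_IP, RDP_PORT,
                                 requests_from_isa=True)
    step13 = ServerPublishingRule("Publish RDP (on Denver)", ISA_EXTERNAL_IP, DENVER_IP, RDP_PORT,
                                  listener_port=3390, requests_from_isa=True)
    return {
        "step4": forward(step4, client),            # Denver sees 39.1.1.7 as the client
        "step8": forward(step8, client),            # Denver sees 10.1.1.1 as the client
        "step13_old_port": forward(step13, client),  # port 3389 no longer published
        "step13": forward(step13, Connection(ISTANBUL_IP, 1090, ISA_EXTERNAL_IP, 3390)),
        "listeners": sorted(engine_listeners([step4, step13])),
    }


if __name__ == "__main__":
    for step, result in lab_walkthrough().items():
        print(step, "->", result)
```

The "requests appear to come from" setting decides the source address the published server sees, which is why the netstat output on Denver changes from 39.1.1.7 to 10.1.1.1 between steps 5 and 9, and the port setting moves the creation object, which is why a connection to port 3389 no longer matches in step 13.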

Perform the following steps on the Istanbul computer.

13. On the Istanbul computer, create a remote desktop connection to 39.1.1.1:3390 (Paris).

a. On the Istanbul computer, on the Start menu, click Remote Desktop Connection.

b. In the Remote Desktop Connection dialog box, in the Computer text box, type 39.1.1.1:3390, and then click Connect.

The Log On dialog box of Denver appears.

This result confirms that you successfully published the remote desktop of Denver (port 3389) on port 3390 of the External network address of Paris.

c. Click Cancel to close the Log On to Windows dialog box.

The Istanbul desktop appears again.

d. Click Close to close the Remote Desktop Connection dialog box.

Perform the following steps on the Paris computer.

14. On the Paris computer, use System properties to enable remote desktop.

a. On the Paris computer, on the Start menu, click Control Panel, and then click System.

b. In the System Properties dialog box, on the Remote tab, enable Enable Remote Desktop on this computer.

c. Click OK to acknowledge that remote connection accounts must have passwords, and that the correct port must be open for remote connections.

d. Click OK to close the System Properties dialog box.

15. Use the netstat command, and the C:\Tools\fwengmon  /C command to examine the effect of enabling remote desktop.

a. In a Command Prompt window, type netstat  -ano  |  find  ":3389", and then press Enter.

The output of the command shows that the process with process ID nnnn (last column) on Paris listens on all IP addresses (indicated by 0.0.0.0) on port 3389.

b. At the command prompt, type tasklist  /svc  |  find  "nnnn", and then press Enter. (Replace nnnn with the actual process ID displayed in the output of the previous step.)

The output of the command shows that the process with process ID nnnn has the image name svchost.exe, and hosts the Terminal Services service (TermService).

Note: By default, the Terminal Services service listens on all IP addresses on port 3389. This includes the external IP address of Paris (39.1.1.1). However, this does not mean that the firewall engine currently allows incoming network traffic on the External network on port 3389.

c. At the command prompt, in the C:\Tools folder, type fwengmon  /C, and then press Enter.

The firewall engine does not listen on IP address 39.1.1.1 port 3389.
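Note: The following Python script is an added example, not part of the lab or of ISA Server. It automates the check in steps 15a and 15b by parsing the output of netstat -ano and tasklist /svc, listing the processes that have registered to listen on a port and flagging binds that also cover an External network address (a wildcard 0.0.0.0 bind, or an explicit external IP). The netstat and tasklist text is constructed to resemble what Paris shows after Remote Desktop is enabled (the PIDs and the port 3390 connection are made up), and the parsing functions are assumptions. As the note above says, a wildcard bind only tells you what the TCP driver has registered; it says nothing about whether the firewall engine allows the traffic.

```python
import re

# Constructed sample output modelled on "netstat -ano" on Paris (not a real capture).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1020
  TCP    10.1.1.1:139           0.0.0.0:0              LISTENING       4
  TCP    39.1.1.1:3390          39.1.1.7:1089          ESTABLISHED     1300
  UDP    0.0.0.0:500            *:*                                    700
"""

# Constructed sample output modelled on "tasklist /svc" (not a real capture).
TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                    812 RpcSs
lsass.exe                      700 PolicyAgent, ProtectedStorage, SamSs
svchost.exe                   1020 TermService
"""

EXTERNAL_IPS = {"39.1.1.1"}  # Paris's External network address, from the lab

# proto, local ip, local port, foreign address, optional state, pid
NETSTAT_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+([A-Z_]+))?\s+(\d+)\s*$")
# image name (may contain spaces), pid, services
TASKLIST_ROW = re.compile(r"^(.*?)\s+(\d+)\s+(.*)$")


def parse_netstat(text):
    """Rows of netstat -ano as dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if m:
            proto, ip, port, _foreign, state, pid = m.groups()
            rows.append({"proto": proto, "local_ip": ip, "local_port": int(port),
                         "state": state or "", "pid": int(pid)})
    return rows


def parse_tasklist(text):
    """Map PID -> (image name, [service names]) from tasklist /svc output."""
    procs = {}
    for line in text.splitlines():
        m = TASKLIST_ROW.match(line)
        if m:
            image, pid, services = m.groups()
            names = [] if services.strip() == "N/A" else [s.strip() for s in services.split(",")]
            procs[int(pid)] = (image.strip(), names)
    return procs


def listeners_on_port(port, netstat_text, tasklist_text, external_ips=EXTERNAL_IPS):
    """Processes registered with the TCP/UDP driver to listen on `port`, with the
    owning image and services, and whether the bind covers an External address."""
    procs = parse_tasklist(tasklist_text)
    found = []
    for row in parse_netstat(netstat_text):
        if row["local_port"] != port:
            continue
        if row["proto"] == "TCP" and row["state"] != "LISTENING":
            continue  # established connections are not listeners
        image, services = procs.get(row["pid"], ("<unknown>", []))
        wildcard = row["local_ip"] in ("0.0.0.0", "[::]")
        found.append({"proto": row["proto"], "local_ip": row["local_ip"], "pid": row["pid"],
                      "image": image, "services": services,
                      "bound_on_external": wildcard or row["local_ip"] in external_ips})
    return found


if __name__ == "__main__":
    for entry in listeners_on_port(3389, NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(entry)
```

On a real system, feed the function the captured text of both commands; the port 3389 entry in the sample resolves to svchost.exe hosting TermService with a wildcard bind, which is exactly what steps 15a and 15b read off by hand.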

16. Create a server publishing rule:

Name: Publish RDP (on Paris)

Server: 10.1.1.1

Protocols: RDP (Terminal Services) Server

a. In the ISA Server console, in the left pane, select Firewall Policy.

b. In the right pane, select the first rule to indicate where the new rule is added to the rule list.

c. In the task pane, on the Tasks tab, click Publish Non-Web Server Protocols.

The New Server Publishing Rule Wizard opens.

d. In the New Server Publishing Rule Wizard dialog box, in the Server publishing rule name text box, type Publish RDP (on Paris), and then click Next.

e. On the Select Server page, in the Server IP address text box, type 10.1.1.1, and then click Next.

f. On the Select Protocol page, in the Selected protocol drop-down list box, select RDP (Terminal Services) Server, and then click Next.

g. On the Network Listener IP Addresses page, select External, and then click Next.

h. On the Completing the New Server Publishing Rule Wizard page, click Finish.

A new server publishing rule is created that publishes RDP (TCP port 3389) on 10.1.1.1 (Internal network of Paris) on the External network.

i. Click Apply to apply the new rule, and then click OK.

17. Use the netstat command, and the C:\Tools\fwengmon  /C command to examine the effect of enabling remote desktop.

a. In a Command Prompt window, type netstat  -ano  |  find  ":3389", and then press Enter.

The Terminal Services service listens on all IP addresses (including 39.1.1.1) on port 3389.

b. At the command prompt, in the C:\Tools folder, type fwengmon  /C, and then press Enter.

The firewall engine listens on IP address 39.1.1.1 port 3389.

Note: Even though the TCP driver registers the Terminal Services service to listen on 39.1.1.1 port 3389, the firewall engine intercepts and inspects the network traffic, before it is forwarded to the registered service. This is called "port stealing".

Port stealing allows you to publish a service that runs on the ISA Server computer, without any special configuration to the service itself. This avoids having to disable socket pooling, configure the service to only listen on the IP address on the Internal network, or to listen on an alternate port. This is especially useful for small business scenarios. (However, this does not apply to Web Publishing rules.)

Perform the following steps on the Istanbul computer.

18. On the Istanbul computer, create a remote desktop connection to 39.1.1.1 (Paris).

a. On the Istanbul computer, on the Start menu, click Remote Desktop Connection.

b. In the Remote Desktop Connection dialog box, in the Computer text box, type 39.1.1.1, and then click Connect.

The Log On dialog box of Paris appears.

This result confirms that you successfully published the remote desktop of Paris on the External network of Paris.

c. Click Cancel to close the Log On to Windows dialog box.

The Istanbul desktop appears again.

d. Click Close to close the Remote Desktop Connection dialog box.

Note: The following tasks are needed to avoid conflicts with other lab exercises.

Perform the following steps on the Denver computer.

19. On the Denver computer, use System properties to disable remote desktop.

a. On the Denver computer, on the Start menu, click Control Panel, and then click System.

b. In the System Properties dialog box, on the Remote tab, in the Remote Desktop box, clear Enable Remote Desktop on this computer.

c. Click OK to close the System Properties dialog box.

Perform the following steps on the Paris computer.

20. On the Paris computer, use System properties to disable remote desktop.

a. On the Paris computer, on the Start menu, click Control Panel, and then click System.

b. In the System Properties dialog box, on the Remote tab, in the Remote Desktop box, clear Enable Remote Desktop on this computer.

c. Click OK to close the System Properties dialog box.

Module D: Publishing an Exchange Server

Exercise 1 Publishing Exchange Web Access - Certificate Management

In this exercise, you will enable access to the Exchange Server for clients that use Outlook Web Access (OWA). You configure ISA Server to use SSL Bridging, because you want to encrypt the connection with the SSL protocol (HTTPS), but you also want to inspect the traffic at the ISA Server computer.

This exercise also demonstrates the new certificate management functionality of ISA Server 2006.

Tasks Detailed steps

Note: This lab exercise uses the following computers: Denver - Paris - Istanbul. Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.

Perform the following steps on the Denver computer.

1. On the Denver computer, import the denver.contoso.com Web server certificate from the C:\Tools\Certs folder.

a. On the Denver computer, use Windows Explorer (or My Computer) to open the C:\Tools\Certs folder.

The Certs folder contains a Web server certificate for denver.contoso.com, and a script to import the certificate and private key into the local machine store.

b. In the Certs folder, right-click denver-certload.vbs, and then click Open.

c. Click Yes to confirm that you want to import the certificate.

d. Click OK to acknowledge that the import of the certificate is complete.

e. Close the Certs folder.

2. Configure IIS to use the denver.contoso.com Web server certificate.

a. On the Start menu, click Administrative Tools, and then click Internet Information Services (IIS) Manager.

The IIS Manager console opens.

b. In the IIS Manager console, expand DENVER (local computer), expand Web Sites, right-click Default Web Site, and then click Properties.

c. In the Default Web Site Properties dialog box, on the Directory Security tab, click Server Certificate.

d. In the Welcome to the Web Server Certificate Wizard dialog box, click Next.

e. On the Server Certificate page, select Assign an existing certificate, and then click Next.

f. On the Available Certificates page, select the certificate for denver.contoso.com that has the intended purpose of Server Authentication (do not select a certificate with another intended purpose), and then click Next.

g. On the SSL Port page, in the SSL port this web site should use text box, type 443, and then click Next.

h. On the Certificate Summary page, click Next.

i. On the Completing the Web Server Certificate Wizard page, click Finish.

The Default Web Site on Denver can now use the denver.contoso.com Web server certificate for HTTPS connections.

j. Click OK to close the Default Web Site Properties dialog box.

k. Close the IIS Manager console.

Perform the following steps on the Paris computer.

3. On the Paris computer, import the mail.contoso.com Web server certificate from the C:\Tools\Certs folder.

a. On the Paris computer, use Windows Explorer (or My Computer) to open the C:\Tools\Certs folder.

The Certs folder contains a Web server certificate for mail.contoso.com, and a script to import the certificate and private key into the local machine store.

b. In the Certs folder, right-click mail-certload.vbs, and then click Open.

c. Click Yes to confirm that you want to import the certificate.

d. Click OK to acknowledge that the import of the certificate is complete.

4. For demonstration purposes, import invalid certificates from the C:\Tools\Certs\Invalid folder.

a. In the Certs folder, open the Invalid folder.

The Invalid folder contains certificates that demonstrate a few common mistakes with using certificates on ISA Server, and a script to import the certificates.

b. In the Invalid folder, right-click certload-invalid-Paris.vbs, and then click Open.

c. Click Yes to confirm that you want to import the certificates.

d. Click OK to acknowledge that the import of the certificates is complete.

Later in this exercise, you will see how ISA Server helps identify the invalid certificates.

e. Close the Invalid folder.

Note: On ISA Server 2006 Enterprise Edition, when you configure a Server Authentication certificate to create SSL connections, the same certificate (same name) must be installed on all array members.

5. Create a new Web listener.

Name: External Web 443

SSL: enable

Network: External

Compression: disable

Certificate:  mail.contoso.com

Authentication: HTTP Authentication - Basic

a. On the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.

The ISA Server console opens.

b. In the ISA Server console, expand Paris, and then select Firewall Policy.

c. In the task pane, on the Toolbox tab, in the Network Objects section, right-click Web Listeners, and then click New Web Listener.

d. In the New Web Listener Definition Wizard dialog box, in the Web listener name text box, type External Web 443, and then click Next.

e. On the Client Connection Security page, select Require SSL secured connections with clients, and then click Next.

f. On the Web Listener IP Addresses page, complete the following information, and then click Next:

Listen on network: External

ISA Server will compress content: disable

g. On the Listener SSL Certificates page, click Select Certificate.

By default, the Select Certificate dialog box only shows the Web server certificates that are installed correctly.

h. In the Select Certificate dialog box, disable Show only valid certificates.

To help you troubleshoot common certificate mistakes, ISA Server lists imported certificates that are not valid. The certificates named cert2.contoso.com to cert5.contoso.com are the invalid certificates that you imported earlier in the exercise.

i. In the certificates list, select each of the certificates cert2.contoso.com to cert5.contoso.com to see the problem with the certificate.

ISA Server can identify the following problems with certificates:

cert2.contoso.com - The certificate is installed in the current user store, instead of the local machine store.

cert3.contoso.com - The certificate is installed without a private key.

cert4.contoso.com - The certificate has expired.

cert5.contoso.com - The certificate is not yet valid.

On ISA Server 2006 Enterprise Edition, there is one more certificate problem that is identified:  The certificate is not imported on all array members.

j. In the certificates list, select mail.contoso.com, and then click Select.

k. On the Listener SSL Certificates page, click Next.

l. On the Authentication Settings page, complete the following information, and then click Next:

Authentication method: HTTP Authentication (is default)

Basic: enable

Digest: disable (is default)

Integrated: disable (is default)

m. On the Single Sign On Settings page, click Next.

n. On the Completing the New Web Listener Wizard page, click Finish.

A new Web listener (port 443 on the IP address on the adapter on the External network) with the name External Web 443 is created.

6. Create an OWA mail server publishing rule:

Name: Publish mail (OWA)

Version: Exchange Server 2003

Internal site name: denver.contoso.com

Public name: mail.contoso.com

Web listener: External Web 443

Delegation: Basic Authentication

a. In the right pane, select the first rule, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.

b. In the task pane, on the Tasks tab, click Publish Exchange Web Client Access.

c. In the New Exchange Publishing Rule Wizard dialog box, in the Exchange Publishing rule name text box, type Publish mail (OWA), and then click Next.

d. On the Select Services page, complete the following information, and then click Next:

Exchange version: Exchange Server 2003 (is default)

Outlook Web Access: enable (is default)

Leave the other check boxes disabled (is default)

e. On the Publishing Type page, select Publish a single Web site, and then click Next.

f. On the Server Connection Security page, select Use SSL to connect to the published Web server, and then click Next.

g. On the Internal Publishing Details page, in the Internal site name text box, type denver.contoso.com, and then click Next.

The specified name of the Web mail server must match exactly the name in the certificate on the Denver Web server. Otherwise Internet Explorer on the client computers fails to connect, and displays an error message (500 Internal Server Error - The target principal name is incorrect).

h. On the Public Name Details page, complete the following information, and then click Next:

Accept requests for: This domain name (type below)

Public name: mail.contoso.com

The specified public name must match exactly the name in the certificate on Paris. Otherwise the connecting client computers will display a security alert message (The name on the security certificate is invalid.).

i. On the Select Web Listener page, in the Web listener drop-down list box, select External Web 443, and then click Next.

j. On the Authentication Delegation page, select Basic Authentication, and then click Next.

k. On the User Sets page, click Next.

l. On the Completing the New Exchange Publishing Rule Wizard page, click Finish.

A new Web publishing rule is created, which publishes the three OWA virtual directories on the Web site denver.contoso.com as mail.contoso.com on the External network.
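Note: The following Python code is an added example, not part of the lab or of ISA Server. It models the checks that the Select Certificate dialog box performs in step 5i (the four problems of cert2 to cert5, plus the Enterprise Edition check that the certificate is present on all array members) and the two exact name matches required in steps 6g and 6h, reporting which client-visible error a mismatch would produce. The certificate names and error strings come from the exercise; the StoredCert type, the check functions and the 6-Aug-2006 reference time are assumptions, and the certificate records are constructed rather than read from a certificate store.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# The lab manual is dated 6-Aug-2006; used here as the constructed "current time".
NOW = datetime(2006, 8, 6, tzinfo=timezone.utc)


@dataclass(frozen=True)
class StoredCert:
    """The properties of an installed certificate that matter to a Web listener
    (an assumed model, not a real certificate store record)."""
    subject_cn: str
    store: str                  # "LocalMachine" or "CurrentUser"
    has_private_key: bool
    not_before: datetime
    not_after: datetime
    array_members_with_cert: frozenset = frozenset()  # Enterprise Edition only


def certificate_problems(cert, now=NOW, array_members=None):
    """Problems ISA Server would flag for a listener certificate. Pass the array
    member names to include the Enterprise Edition check."""
    problems = []
    if cert.store != "LocalMachine":
        problems.append("installed in the current user store, not the local machine store")
    if not cert.has_private_key:
        problems.append("installed without private key")
    if now > cert.not_after:
        problems.append("expired")
    if now < cert.not_before:
        problems.append("not yet valid")
    if array_members is not None:
        missing = set(array_members) - set(cert.array_members_with_cert)
        if missing:
            problems.append("not imported on all array members: " + ", ".join(sorted(missing)))
    return problems


def names_match(cert, host_name):
    """DNS names are case-insensitive; apart from that the match is exact, as the
    exercise requires for both the public name and the internal site name."""
    return cert.subject_cn.lower() == host_name.lower()


def check_publishing_rule(listener_cert, public_name, backend_cert, internal_site_name, now=NOW):
    """The two name checks around an SSL-bridged OWA rule, reported with the
    error message the client would see for each side."""
    errors = ["listener certificate: " + p for p in certificate_problems(listener_cert, now)]
    if not names_match(listener_cert, public_name):
        errors.append("client sees: The name on the security certificate is invalid "
                      f"(public name {public_name!r} vs listener certificate {listener_cert.subject_cn!r})")
    if not names_match(backend_cert, internal_site_name):
        errors.append("client sees: 500 Internal Server Error - The target principal name is incorrect "
                      f"(internal site name {internal_site_name!r} vs server certificate {backend_cert.subject_cn!r})")
    return errors


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


def lab_certificates():
    """Constructed records that reproduce the five certificates imported on Paris."""
    good = dict(store="LocalMachine", has_private_key=True,
                not_before=utc(2006, 1, 1), not_after=utc(2008, 1, 1))
    return {
        "mail.contoso.com": StoredCert("mail.contoso.com", **good),
        "cert2.contoso.com": StoredCert("cert2.contoso.com", **{**good, "store": "CurrentUser"}),
        "cert3.contoso.com": StoredCert("cert3.contoso.com", **{**good, "has_private_key": False}),
        "cert4.contoso.com": StoredCert("cert4.contoso.com", **{**good, "not_after": utc(2006, 6, 1)}),
        "cert5.contoso.com": StoredCert("cert5.contoso.com", **{**good, "not_before": utc(2007, 1, 1)}),
    }


if __name__ == "__main__":
    for name, cert in lab_certificates().items():
        print(name, "->", certificate_problems(cert) or "valid")
```

Running the module prints "valid" for mail.contoso.com and one problem for each of cert2 to cert5, which is the list the Select Certificate dialog box shows once Show only valid certificates is cleared.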

7. Examine the new OWA mail server publishing rule named Publish mail (OWA).

a. In the right pane, right-click Publish mail (OWA), and then click Properties.

b. In the Publish mail (OWA) Properties dialog box, select the To tab.

OWA requires that the original host headers (https://mail.contoso.com) are forwarded to the published server (Denver).

c. Select the Traffic tab.

The OWA publishing rule only allows HTTPS access, not HTTP access.

d. Select the Paths tab.

The OWA publishing rule only allows access to the three virtual directories needed for OWA (/public, /exchweb and /exchange).

e. Select the Listener tab.

The certificate name (mail.contoso.com) exactly matches the name on the Public Name tab.

f. Select the Bridging tab.

ISA Server redirects incoming requests to the SSL port. It will create a new SSL connection from the ISA Server to Denver. The name on the To tab exactly matches the name in the certificate on Denver.

g. Click Cancel to close the Publish mail (OWA) Properties dialog box.

8. Apply the new rule.

h. Click Apply to apply the new rule, and then click OK.

The new Publish mail (OWA) rule is applied.

Perform the following steps on the Denver computer.

9. On the Denver computer, configure IIS to require SSL on the virtual directories used by OWA:

/Exchange

/ExchWeb

/Public

a. On the Denver computer, on the Start menu, click Administrative Tools, and then click Internet Information Services (IIS) Manager.

The IIS Manager console opens.

b. In the IIS Manager console, expand Default Web Site, right-click Exchange, and then click Properties.

/Exchange, /ExchWeb and /Public are the three virtual directories used by Outlook Web Access (OWA).

c. In the Exchange Properties dialog, on the Directory Security tab, in the Secure communications box, click Edit.

d. In the Secure Communications box, enable Require secure channel (SSL), and then click OK.

Now that IIS has a Web server certificate configured, only secure access (HTTPS) to the OWA virtual directories should be allowed.

e. Click OK to close the Exchange Properties dialog box.

Repeat the same configuration step for the /ExchWeb virtual directory.

f. Right-click ExchWeb, and then click Properties.

g. In the ExchWeb Properties dialog box, on the Directory Security tab, in the Secure communications box, click Edit.

h. In the Secure Communications box, enable Require secure channel (SSL), and then click OK.

i. Click OK to close the ExchWeb Properties dialog box.

Repeat the same configuration step for the /Public virtual directory.

j. Right-click Public, and then click Properties.

k. In the Public Properties dialog box, on the Directory Security tab, in the Secure communications box, click Edit.

l. In the Secure Communications box, enable Require secure channel (SSL), and then click OK.

m. Click OK to close the Public Properties dialog box.

n. Close the IIS Manager console.

Perform the following steps on the Istanbul computer.

10. On the Istanbul computer, use Internet Explorer to securely connect to https://mail.contoso.com/exchange

Send an e-mail to Administrator to test the secure OWA connection to ISA Server.

a. On the Istanbul computer, open Internet Explorer. In the Address box, type https://mail.contoso.com/exchange, and then press Enter.

An authentication dialog box for mail.contoso.com appears.

Note: On Istanbul, mail.contoso.com resolves to 39.1.1.1 (Paris).

b. In the Connect to mail.contoso.com dialog box, complete the following information, and then click OK:

User name: Administrator

Password: password

Remember my password: disable (is default)

Internet Explorer displays the Outlook Web Access Inbox of the Administrator. The yellow lock icon at the bottom of the screen indicates that the connection uses SSL.

Note: The root certificate of Denver CA is already installed as trusted root certificate on Istanbul.

c. On the OWA toolbar, click New.

d. In the new message window, complete the following information, and then click Send:

To: Administrator

Subject: Test mail through Secure OWA - 1

(Message): Publish Exchange using Secure OWA

Internet Explorer sends the message.

After a few moments a new message appears in the Inbox. This result shows that Internet Explorer successfully connected to the Exchange Server on Denver, by using a secure OWA connection to ISA Server.

e. After a few moments, in the left pane, click Inbox to refresh the display of the Inbox contents.

f. Close Internet Explorer.

Note: In the following steps, HTML Form Authentication is configured. The advantage of using HTML Form Authentication is that the authentication credentials are not cached on the client computer. This is especially important when users are connecting from public computers. The credential information is kept in a (temporary) session cookie while the OWA connection is open.

Perform the following steps on the Paris computer.

11. On the Paris computer, configure the External Web 443 Web listener to use HTML Form Authentication.

a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.

b. In the task pane, on the Toolbox tab, in the Network Objects section, expand Web Listeners, right-click External Web 443, and then click Properties.

c. In the External Web 443 Properties dialog box, on the Authentication tab, in the Client Authentication Method drop-down list box, select HTML Form Authentication.

d. On the Forms tab, click Advanced.

The HTML Form Authentication allows you to specify idle session timeout values for client browsers on public computers and client browsers on private computers.

e. Click Cancel to close the Advanced Form Options dialog box.

f. Click OK to close the External Web 443 Properties dialog box.

The Web listener is now configured to use HTML Form Authentication.

g. Click Apply to save the changes, and then click OK.

Perform the following steps on the Istanbul computer.

12. On the Istanbul computer, use Internet Explorer to securely connect to https://mail.contoso.com/exchange again.

a. On the Istanbul computer, open Internet Explorer. In the Address box, type https://mail.contoso.com/exchange, and then press Enter.

The Office Outlook Web Access authentication Web page appears.

b. In the Office Outlook Web Access page, complete the following information:
 - Security: This is a private computer
 - Use Outlook Web Access Light: disable (is default)
 - Domain\user name: contoso\administrator
 - Password: password
and then click Log On.

When using HTML Form Authentication, the user indicates whether the client browser is on a public computer or on a private computer.

Internet Explorer displays the Outlook Web Access Inbox.

c. Close Internet Explorer.

Note: The following task is needed to avoid conflicts with other lab exercises.

Perform the following steps on the Paris computer.

13. On the Paris computer, configure the External Web 443 Web listener to use Basic authentication.

a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.

b. In the task pane, on the Toolbox tab, in the Network Objects section, expand Web Listeners, right-click External Web 443, and then click Properties.

c. In the External Web 443 Properties dialog box, on the Authentication tab, complete the following information:
 - Client Authentication Method: HTTP Authentication
 - Basic: enable
 - Digest: disable (is default)
 - Integrated: disable (is default)
and then click OK to close the External Web 443 Properties dialog box.

The Web listener is now configured to use Basic HTTP authentication.

d. Click Apply to save the changes, and then click OK.

Exercise 2 Publishing an Exchange Server for SMTP and POP3

In this exercise, you will configure server publishing rules on the ISA Server to allow access to the Exchange Server by using the SMTP and POP3 protocols.

Tasks Detailed steps

Note: This lab exercise uses the following computers: Denver - Paris - Istanbul. Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.

Perform the following steps on the Istanbul computer.

1. On the Istanbul computer, start Outlook Express, and then attempt to connect to the Exchange Server (POP3) by clicking Send/Recv.

a. On the Istanbul computer, on the Start menu, click All Programs, and then click Outlook Express.

b. In Outlook Express, on the toolbar, click Send/Recv.

c. In the Logon - Contoso mail dialog box, complete the following information:
 - User Name: Administrator
 - Password: password
and then click OK.

Outlook Express attempts to connect to the server at IP address 39.1.1.1 (ISA Server) by using the POP3 protocol. ISA Server blocks the connection. After a few moments, Outlook Express displays an error message that the connection to the server has failed.

d. Click Hide to close the error message box.

Perform the following steps on the Paris computer.

2. On the Paris computer, create a mail server publishing rule:

Name: Publish mail

Protocols: SMTP, POP3

Server: 10.1.1.5

a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.

b. In the right pane, select the first rule, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.

c. In the task pane, on the Tasks tab, click Publish Mail Servers.

The New Mail Server Publishing Rule Wizard opens. This is a specialized version of the general New Server Publishing Rule Wizard and New Web Publishing Rule Wizard.

d. In the New Mail Server Publishing Rule Wizard dialog box, in the Mail Server Publishing rule name text box, type Publish mail, and then click Next.

e. On the Select Access Type page, select Client access: RPC, IMAP, POP3, SMTP, and then click Next.

f. On the Select Services page, complete the following information:
 - POP3 (standard port): enable
 - SMTP (standard port): enable
 - Leave all other check boxes disabled
and then click Next.

g. On the Select Server page, in the Server IP address text box, type 10.1.1.5, and then click Next.

h. On the Network Listener IP Addresses page, select External, and then click Next.

i. On the Completing the New Mail Server Publishing Rule Wizard page, click Finish.

Two new server publishing rules are created: Publish mail SMTP Server, and Publish mail POP3 Server.

3. Apply the changes.

a. Click Apply to apply the new rules, and then click OK.

Perform the following steps on the Istanbul computer.

4. On the Istanbul computer, in Outlook Express, connect to the Exchange Server, by clicking Send/Recv.

Send an e-mail to [email protected] to test the SMTP and POP3 connections to ISA Server.

a. On the Istanbul computer, in Outlook Express, on the toolbar, click Send/Recv.

b. If the Logon - Contoso mail dialog box appears, complete the following information:
 - User Name: Administrator
 - Password: password
and then click OK.

Outlook Express is able to connect with the POP3 protocol to the Exchange Server (10.1.1.5) published by ISA Server on its external interface (39.1.1.1).

c. On the toolbar, click Create Mail.

d. In the New Message window, complete the following information:
 - To: [email protected]
 - Subject: Test mail through SMTP/POP3 - 2
 - (Message): Publish Exchange using SMTP/POP3
and then click Send.

Outlook Express immediately sends the e-mail message.

Notice that a new message does not show up in the Inbox. Unlike some of the other methods (OWA, RPC) that can be used to connect to the Exchange Server, the SMTP/POP3 connection does not support New Mail Notification.

e. On the toolbar, click Send/Recv.

A new message appears in the Inbox. This result shows that Outlook Express successfully connected to the Exchange Server on Denver, by using SMTP/POP3 connections to ISA Server.

f. Close Outlook Express.

Exercise 3 Publishing an Exchange Server for Outlook (RPC)

In this exercise, you will publish the Exchange Server (Denver) for Remote Procedure Call (RPC) access by Microsoft Outlook clients. This allows the full functionality of Outlook.

Tasks Detailed steps

Note: This lab exercise uses the following computers: Denver - Paris - Istanbul. Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.

Perform the following steps on the Paris computer.

1. On the Paris computer, create a mail server publishing rule:

Name: Publish mail

Protocols: Outlook (RPC)

Server: 10.1.1.5

a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.

b. In the right pane, select the first rule, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.

c. In the task pane, on the Tasks tab, click Publish Mail Servers.

d. In the New Mail Server Publishing Rule Wizard dialog box, in the Mail Server Publishing rule name text box, type Publish mail, and then click Next.

e. On the Select Access Type page, select Client access: RPC, IMAP, POP3, SMTP, and then click Next.

f. On the Select Services page, complete the following information:
 - Outlook (RPC) (standard port): enable
 - Leave all other check boxes disabled
and then click Next.

g. On the Select Server page, in the Server IP address text box, type 10.1.1.5, and then click Next.

h. On the Network Listener IP Addresses page, select External, and then click Next.

i. On the Completing the New Mail Server Publishing Rule Wizard page, click Finish.

A new server publishing rule named Publish mail Exchange RPC Server is created.

2. Examine the RPC Filter application filter.

a. In the left pane, expand Configuration, and then select Add-ins.

b. In the right pane, on the Application Filters tab, select RPC Filter.

When a firewall policy rule uses an RPC protocol, the RPC Filter listens for requests from client computers on TCP port 135 (the RPC endpoint mapper). Client computers are then redirected to higher port numbers on the ISA Server. The RPC Filter dynamically opens these ports for the duration of the connection, so it is not necessary to open these higher ports statically on the firewall.

3. Examine the new mail server publishing rule named Publish mail Exchange RPC Server.

a. In the left pane, select Firewall Policy.

b. In the right pane, select Publish mail Exchange RPC Server, and then in the task pane, on the Tasks tab, click Edit Selected Rule.

c. In the Publish mail Exchange RPC Server Properties dialog box, select the Traffic tab.

The new mail server publishing rule allows traffic for the Exchange RPC Server protocol. This is a specialized version of the RPC Server protocol. The RPC Filter will dynamically open ports for RPC requests that are related to Exchange Server only.

d. On the Traffic tab, click Properties.

e. In the Exchange RPC Server Properties dialog box, select the Interfaces tab.

A service can register itself with the RPC Service, using its Universal Unique Identifier (UUID). Client computers include the UUID in the RPC requests, to indicate which service they want to connect to. The default Exchange RPC Server protocol definition in ISA Server 2006 supports 17 different RPC UUIDs related to Exchange services. These are all published on a dynamically assigned port, if a connection request is received.

f. Click Cancel to close the Exchange RPC Server Properties dialog box.

g. Click Cancel to close the Publish mail Exchange RPC Server Properties dialog box.
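The Interfaces tab above is the visible form of the check the RPC Filter makes: a client's bind request names the interface UUID it wants, and only UUIDs in the protocol definition are honoured. The following added example (written for this manual's discussion, not ISA Server code) parses a DCE/RPC bind PDU, extracts the requested interface UUID and version from each presentation context, and accepts or rejects the bind against an allowlist. The allowlist holds two well-known Exchange interface UUIDs (the EMSMDB mailbox store and the NSPI address book interface) as stand-ins for the 17 entries in ISA's definition; `build_bind` constructs test input and is not a client implementation.

```python
"""Parse a DCE/RPC bind PDU and check the requested interface UUID against an
allowlist, as an RPC-aware filter does. Added example, not ISA Server code."""
import struct
import uuid

# Stand-in allowlist: two well-known Exchange interfaces. ISA's Exchange RPC
# Server protocol definition lists 17; only these two are used here.
EXCHANGE_INTERFACES = {
    uuid.UUID("a4f1db00-ca47-1067-b31f-00dd010662da"): "EMSMDB (mailbox store)",
    uuid.UUID("f5cc5a18-4264-101a-8c59-08002b2f8426"): "NSPI (address book)",
}
NDR_TRANSFER_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # NDR 2.0
PTYPE_BIND = 11    # PDU type of a connection-oriented bind request
HEADER_LEN = 16    # size of the common PDU header


def build_bind(interface, version=(0, 0), call_id=1):
    """Construct a minimal bind PDU with one presentation context (test input only)."""
    body = struct.pack("<HHI", 4280, 4280, 0)          # max xmit/recv frag, assoc group id
    body += struct.pack("<BBH", 1, 0, 0)               # n_context_elem = 1, padding
    body += struct.pack("<HBB", 0, 1, 0)               # context id 0, one transfer syntax
    body += interface.bytes_le + struct.pack("<HH", *version)   # abstract syntax UUID+version
    body += NDR_TRANSFER_SYNTAX.bytes_le + struct.pack("<HH", 2, 0)
    header = struct.pack("<BBBB4sHHI", 5, 0, PTYPE_BIND, 0x03,  # rpc_vers 5.0, bind, first|last
                         b"\x10\x00\x00\x00",                   # data rep: little-endian, ASCII
                         HEADER_LEN + len(body), 0, call_id)    # frag_length, auth_length, call_id
    return header + body


def parse_bind(pdu):
    """Return [(context_id, interface_uuid, (major, minor)), ...] or raise ValueError."""
    if len(pdu) < HEADER_LEN:
        raise ValueError("truncated PDU header")
    vers, _, ptype, _, drep, frag_len, _, _ = struct.unpack("<BBBB4sHHI", pdu[:HEADER_LEN])
    if vers != 5 or ptype != PTYPE_BIND:
        raise ValueError("not a version 5 bind PDU")
    if frag_len != len(pdu):
        raise ValueError("frag_length does not match the data on the wire")
    if not drep[0] & 0x10:
        raise ValueError("big-endian data representation not handled")
    n_ctx = pdu[HEADER_LEN + 8]       # follows max_xmit, max_recv, assoc_group
    off = HEADER_LEN + 12
    contexts = []
    for _ in range(n_ctx):
        if off + 24 > len(pdu):
            raise ValueError("presentation context runs past end of PDU")
        ctx_id, n_syntax = struct.unpack_from("<HB", pdu, off)
        iface = uuid.UUID(bytes_le=pdu[off + 4:off + 20])
        major, minor = struct.unpack_from("<HH", pdu, off + 20)
        off += 24 + 20 * n_syntax     # skip the transfer-syntax list (UUID + version each)
        if off > len(pdu):
            raise ValueError("transfer syntax list runs past end of PDU")
        contexts.append((ctx_id, iface, (major, minor)))
    return contexts


def check_bind(pdu, allowlist=EXCHANGE_INTERFACES):
    """Filter decision as (allowed, reason). Anything unparsable is rejected."""
    try:
        contexts = parse_bind(pdu)
    except (ValueError, struct.error) as exc:
        return False, f"malformed bind: {exc}"
    if not contexts:
        return False, "bind carries no presentation context"
    for ctx_id, iface, _ in contexts:
        if iface not in allowlist:
            return False, f"context {ctx_id} requests non-Exchange interface {iface}"
    return True, ", ".join(allowlist[iface] for _, iface, _ in contexts)


if __name__ == "__main__":
    store = uuid.UUID("a4f1db00-ca47-1067-b31f-00dd010662da")
    print(check_bind(build_bind(store)))
    print(check_bind(build_bind(uuid.uuid4())))
```

Rejecting on any parse failure is deliberate: a filter that opens a dynamic port for a bind it could not fully decode defeats the purpose of restricting the published interfaces.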

4. Apply the new rule.

a. In the right pane, click Apply to apply the new rule, and then click OK.

The new Publish mail Exchange RPC Server rule is applied.

Perform the following steps on the Istanbul computer.

5. On the Istanbul computer, start Outlook 2003, and then examine the network connections.

Use: netstat -ano

Use: Connection Status

a. On the Istanbul computer, open a Command Prompt window.

b. At the command prompt, type netstat -ano | find "EST", and then press Enter.

The output of the command displays zero or more established TCP/IP network connections from the Istanbul computer, before Outlook is started.

You can use the netstat -ano command, without the find part, to see a complete list of current network connections.

c. On the Start menu, click All Programs, click Microsoft Office, and then click Microsoft Office Outlook 2003.

Outlook 2003 starts and displays the Inbox of the Administrator.

d. Switch to the Command Prompt window.

e. At the command prompt, type netstat -ano | find "EST", and then press Enter.

The output of the command displays four (or fewer) established connections from Istanbul (39.1.1.7) to the ISA Server (39.1.1.1). Outlook initially set up an RPC connection to TCP port 135, and was then redirected to a dynamically opened higher port on the ISA Server.

f. Close the Command Prompt window.

g. Press the Ctrl-key, and then click the Outlook icon in the system tray area.

When the Ctrl-key is not pressed, the Connection Status option does not appear on the context menu of the system tray Outlook icon.

h. In the context menu of the system tray Outlook icon, click Connection Status.

The Exchange Server Connection Status window lists four connections from Outlook to Denver.contoso.com. The term TCP/IP in the Conn column indicates that RPC connections are used.

In the next exercise, Outlook will use RPC over HTTP connections to the Exchange Server.

i. Click Close to close the Exchange Server Connection Status window.
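The netstat check in step 5 is the quickest way to tell which transport Outlook is actually using: direct RPC shows a connection to TCP 135 followed by connections to dynamically assigned higher ports, while RPC over HTTPS (the next exercise) shows only connections to TCP 443. The following added example, not part of the manual, parses `netstat -ano` output and classifies a process's established connections to the ISA Server accordingly. The netstat lines, the Outlook PID and the high port numbers are constructed for illustration; only the two addresses 39.1.1.7 and 39.1.1.1 come from the lab.

```python
"""Classify a process's established connections to the ISA Server from
`netstat -ano` output: direct RPC versus RPC over HTTPS. Added example."""

# Constructed netstat output (not captured from Istanbul): Outlook after step 5e.
SAMPLE_DIRECT_RPC = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    39.1.1.7:1044          39.1.1.1:135           ESTABLISHED     1820
  TCP    39.1.1.7:1045          39.1.1.1:3001          ESTABLISHED     1820
  TCP    39.1.1.7:1046          39.1.1.1:3002          ESTABLISHED     1820
  TCP    39.1.1.7:1047          39.1.1.1:3002          ESTABLISHED     1820
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:500            *:*                                    712
"""

# Constructed output for the RPC over HTTPS case of the next exercise.
SAMPLE_RPC_OVER_HTTPS = """
  TCP    39.1.1.7:1061          39.1.1.1:443           ESTABLISHED     1820
  TCP    39.1.1.7:1062          39.1.1.1:443           ESTABLISHED     1820
  TCP    39.1.1.7:1063          39.1.1.1:443           ESTABLISHED     1820
  TCP    39.1.1.7:1064          39.1.1.1:443           ESTABLISHED     1820
"""

ENDPOINT_MAPPER_PORT = 135
HTTPS_PORT = 443


def split_endpoint(text):
    """'39.1.1.1:135' -> ('39.1.1.1', 135); '*:*' -> ('*', None)."""
    host, _, port = text.rpartition(":")
    return host, int(port) if port.isdigit() else None


def parse_netstat(text):
    """Return one dict per TCP/UDP line; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP":
            proto, local, foreign, state, pid = parts[:5]
        else:                               # UDP rows have no State column
            proto, local, foreign, pid = parts[:4]
            state = ""
        conns.append({"proto": proto, "local": split_endpoint(local),
                      "remote": split_endpoint(foreign), "state": state, "pid": int(pid)})
    return conns


def classify_transport(conns, isa_ip, pid):
    """Count the process's established TCP connections to isa_ip by role and name the transport."""
    counts = {"endpoint_mapper": 0, "dynamic_rpc": 0, "https": 0, "other": 0}
    for c in conns:
        if c["proto"] != "TCP" or c["state"] != "ESTABLISHED" or c["pid"] != pid:
            continue
        host, port = c["remote"]
        if host != isa_ip:
            continue
        if port == ENDPOINT_MAPPER_PORT:
            counts["endpoint_mapper"] += 1
        elif port == HTTPS_PORT:
            counts["https"] += 1
        elif port > 1024:                   # port handed out after the endpoint-mapper exchange
            counts["dynamic_rpc"] += 1
        else:
            counts["other"] += 1
    direct = counts["endpoint_mapper"] or counts["dynamic_rpc"]
    if direct and counts["https"]:
        transport = "mixed"
    elif direct:
        transport = "direct RPC"
    elif counts["https"]:
        transport = "RPC over HTTPS"
    else:
        transport = "no connection"
    return transport, counts


if __name__ == "__main__":
    for sample in (SAMPLE_DIRECT_RPC, SAMPLE_RPC_OVER_HTTPS):
        print(classify_transport(parse_netstat(sample), "39.1.1.1", 1820))
```

The "mixed" result is worth acting on: after the direct RPC rule is disabled in the next exercise, any remaining connection to TCP 135 on the ISA Server means the client is not using the HTTPS path as intended.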

6. Send an e-mail to Administrator to test the RPC connection to ISA Server.

a. In Outlook, on the toolbar, click New.

b. In the new message window, complete the following information:  To: Administrator  Subject: Test mail through RPC - 3  (Message): Publish Exchange using RPCand then click Send.

After a few moments Outlook sends the message from the Outbox. It will then appear in the Inbox. This result shows that Outlook successfully connected to the Exchange Server on Denver, by using RPC connections to the ISA Server.

c. In the Inbox, select the new message.

d. Close Outlook.

Exercise 4 Publishing an Exchange Server for RPC over HTTP

In this exercise, you want to provide Microsoft Outlook clients with the full functionality of Outlook when they connect to the Exchange Server. However, in this exercise, directly publishing Exchange Server through the Remote Procedure Call (RPC) protocol is not possible. You will configure ISA Server to tunnel RPC traffic inside HTTP (HTTPS) traffic. This uses the RPC over HTTP protocol.

Note: This exercise uses the same Web server authentication certificates (mail.contoso.com and denver.contoso.com) that you used in the Outlook Web Access (OWA) exercise earlier. If you have completed that exercise, you can skip the first three tasks in this exercise.

Tasks Detailed steps

Note: This lab exercise uses the following computers: Denver - Paris - Istanbul. Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.

Perform the following steps on the Paris computer.

1. On the Paris computer, import the mail.contoso.com Web server certificate from the C:\Tools\Certs folder.

a. On the Paris computer, use Windows Explorer (or My Computer) to open the C:\Tools\Certs folder.

The Certs folder contains a Web server certificate for mail.contoso.com, and a script to import the certificate and private key in the local machine store.

b. In the Certs folder, right-click mail-certload.vbs, and then click Open.

c. Click Yes to confirm that you want to import the certificate.

d. Click OK to acknowledge that the import of the certificate is complete.

e. Close the Certs folder.

Perform the following steps on the Denver computer.

2. On the Denver computer, import the denver.contoso.com Web server certificate from the C:\Tools\Certs folder.

a. On the Denver computer, use Windows Explorer (or My Computer) to open the C:\Tools\Certs folder.

The Certs folder contains a Web server certificate for denver.contoso.com, and a script to import the certificate and private key in the local machine store.

b. In the Certs folder, right-click denver-certload.vbs, and then click Open.

c. Click Yes to confirm that you want to import the certificate.

d. Click OK to acknowledge that the import of the certificate is complete.

e. Close the Certs folder.

3. Configure IIS to use the denver.contoso.com Web server certificate.

a. On the Start menu, click Administrative Tools, and then click Internet Information Services (IIS) Manager.

The IIS Manager console opens.

b. In the IIS Manager console, expand DENVER (local computer), expand Web Sites, right-click Default Web Site, and then click Properties.

c. In the Default Web Site Properties dialog box, on the Directory Security tab, click Server Certificate.

d. In the Welcome to the Web Server Certificate Wizard dialog box, click Next.

Note: If the Modify the Current Certificate Assignment page appears, then you have already assigned the denver.contoso.com certificate to the Default Web Site. In that case, cancel the wizard, close the IIS Manager console, and continue with the next task.

e. On the Server Certificate page, select Assign an existing certificate, and then click Next.

f. On the Available Certificates page, select the certificate for denver.contoso.com that has the intended purpose of Server Authentication (do not select a certificate with another intended purpose), and then click Next.

g. On the SSL Port page, in the SSL port this web site should use text box, type 443, and then click Next.

h. On the Certificate Summary page, click Next.

i. On the Completing the Web Server Certificate Wizard page, click Finish.

The Default Web Site on Denver can now use the denver.contoso.com Web server certificate for HTTPS connections.

j. Click OK to close the Default Web Site Properties dialog box.

k. Close the IIS Manager console.

4. Install the RPC over HTTP Proxy network service.

a. On the Start menu, click Control Panel, and then click Add or Remove Programs.

b. In the Add or Remove Programs window, click Add/Remove Windows Components.

c. On the Windows Components page, select the Networking Services component (do NOT select the check box), and then click Details.

d. In the Networking Services dialog box, select the RPC over HTTP Proxy check box, and then click OK.

e. On the Windows Components page, click Next.

Please wait while Setup installs the RPC over HTTP Proxy network service.

f. On the Completing the Windows Components Wizard page, click Finish.

Typically you would install RPC over HTTP Proxy on an Exchange front-end server. In this lab you only use a single Exchange server computer (Denver), and therefore install the network service on this computer.

g. Close the Add or Remove Programs window.

5. In the IIS Manager console, examine the RPC Proxy Server extension.

a. On the Start menu, click Administrative Tools, and then click Internet Information Services (IIS) Manager.

The IIS Manager console opens.

b. In the IIS Manager console, expand DENVER (local computer), and then in the left pane, select Web Service Extensions.

A new Web Service Extension is installed (RPC Proxy Server Extension). The status of the extension is Allowed.

Note: In an earlier exercise to configure OWA, you have already requested a Web server certificate named denver.contoso.com, and loaded the certificate in IIS.

6. Configure the /Rpc virtual directory:

Anonymous access: No

Authentication method: Basic authentication only

Require SSL: Yes

a. In the IIS Manager console, expand Web Sites, expand Default Web Site, and then in the left pane, select Rpc.

ISA Server will publish the /Rpc virtual directory to allow RPC over HTTP access to the Exchange Server.

b. Right-click Rpc, and then click Properties.

c. In the Rpc Properties dialog box, on the Directory Security tab, in the Authentication and access control box, click Edit.

d. In the Authentication Methods dialog box, enable Basic authentication.

e. In the IIS Manager warning message box, click Yes to confirm that you want to continue.

Basic authentication results in the password being transmitted over the network without encryption. You will configure the virtual directory to require SSL on the RPC over HTTP connection, to protect the credential information.

f. In the Authentication Methods dialog box, complete the following information:
 - Enable anonymous access: disable
 - Integrated Windows authentication: disable (is default)
 - Basic authentication: enable (done in previous step)
and then click OK.

Basic authentication is now the only enabled authentication method on the /Rpc virtual directory.

g. On the Directory Security tab, in the Secure communications box, click Edit.

h. In the Secure communications box, enable Require secure channel (SSL), and then click OK.

To secure the basic authentication passwords used by RPC over HTTP, SSL is required on the /Rpc virtual directory. Effectively this makes it RPC over HTTPS.

i. On the Directory Security tab, click View Certificate.

The Default Web Site on Denver uses a Web server certificate named denver.contoso.com. ISA Server will publish https://denver.contoso.com/rpc to allow access to the Exchange Server.

j. Click OK to close the Certificate dialog box.

k. Click OK to close the Rpc Properties dialog box.

l. Close the IIS Manager console.

7. Configure the RPC Proxy network service to communicate with the Exchange Server and Global Catalog server (denver.contoso.com) on the following ports:

6001, 6002 and 6004

a. Open a Command Prompt window.

b. At the command prompt, type cd \tools\reskit, and then press Enter.

The Reskit folder contains a configuration tool (rpccfg.exe) from the Windows Server 2003 Resource Kit.

At each of the steps below, press Enter after the command.

c. Type rpccfg /hd.

The output of the command displays which ports on which computer the RPC Proxy service is allowed to create an RPC connection to. The default setting is: Denver 100-5000.

d. Type rpccfg /hr Denver.

This removes the current port range settings for Denver.

The next commands add the required port ranges for both the NetBIOS name, and the fully qualified domain name (FQDN) of the (back-end) Exchange Server and Global Catalog server. The RPC connections to the Exchange Server are done at port 6001 (Store), 6002 (DSReferral) and 6004 (DSProxy).

e. Type rpccfg /ha Denver 6001 6002 6004.

f. Type rpccfg /ha denver.contoso.com 6001 6002 6004.

g. Type rpccfg /hd.

The RPC Proxy service can now create RPC connections to the Exchange Server (6001 and 6004) and Global Catalog server (6002) on the required ports.

Instead of using the rpccfg.exe tool, you can also directly edit the ValidPorts value in the registry. The next command shows the current value of the ValidPorts setting.

h. Type reg.exe query HKLM\Software\Microsoft\Rpc\RpcProxy.

Note: Earlier Exchange Server 2003 documentation described that you must also add port 593. This port is used for DCOM access. However, when unpatched, a vulnerability in the DCOM RPC interface allows an attacker to run code with Local System privileges on the affected system. The W32/Blaster worm exploited this vulnerability. This is described in Microsoft Knowledge Base article 826382, and Microsoft security bulletin MS03-26. Outlook does not require the use of TCP port 593 when connecting to the Exchange Server using RPC over HTTP, so do not include that port number in the configuration of the RPC Proxy service.

i. Close the Command Prompt window.

Note: When you deploy Exchange in a front-end/back-end scenario, and have Exchange Server 2003 SP1 or higher installed on the front-end server, you do not need to configure the ValidPorts setting manually. In that case, the front-end Exchange Server automatically manages the ValidPorts value.
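The ValidPorts value is the whole of the RPC Proxy's reachability policy: every host and port listed there can be reached from the Internet through the published /Rpc directory by anyone holding valid credentials, which is why the note above says to leave the default 100-5000 range and port 593 out. The following added example (written for this manual, not a Microsoft or ISA Server tool) audits a ValidPorts value taken from `reg.exe query` output against the lab's intended configuration. The sample registry output is constructed to resemble what step h prints, and the exact layout of that output is an assumption; the ValidPorts syntax `host:port-port;host:port` and the required ports 6001, 6002 and 6004 are as the manual describes.

```python
"""Audit the RPC Proxy ValidPorts value against the ports the lab requires.
Added example; the registry output below is constructed, not captured."""
import re

# Constructed sample of `reg.exe query HKLM\Software\Microsoft\Rpc\RpcProxy` output.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\RpcProxy
    Enabled    REG_DWORD    0x1
    ValidPorts    REG_SZ    Denver:6001-6002;Denver:6004;denver.contoso.com:6001-6002;denver.contoso.com:6004
"""

REQUIRED_PORTS = {6001, 6002, 6004}   # Store, DSReferral, DSProxy (from the lab)
DCOM_PORT = 593                       # the port the note says must stay excluded
EXPECTED_HOSTS = ["Denver", "denver.contoso.com"]   # NetBIOS name and FQDN, as in step e/f


def extract_valid_ports(reg_output):
    """Pull the REG_SZ data of ValidPorts out of reg.exe query output."""
    match = re.search(r"^\s*ValidPorts\s+REG_SZ\s+(\S+)", reg_output, re.MULTILINE)
    if not match:
        raise ValueError("ValidPorts value not present in output")
    return match.group(1)


def parse_valid_ports(value):
    """'Denver:6001-6002;Denver:6004' -> [('Denver', 6001, 6002), ('Denver', 6004, 6004)]."""
    entries = []
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        host, sep, ports = item.rpartition(":")
        if not sep or not host:
            raise ValueError(f"malformed entry: {item!r}")
        lo, _, hi = ports.partition("-")
        if not lo.isdigit() or (hi and not hi.isdigit()):
            raise ValueError(f"malformed port range: {item!r}")
        lo, hi = int(lo), int(hi) if hi else int(lo)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"port range out of order or out of range: {item!r}")
        entries.append((host, lo, hi))
    return entries


def audit_valid_ports(value, expected_hosts=EXPECTED_HOSTS, required=REQUIRED_PORTS):
    """Return a list of findings; an empty list means the value matches the lab's intent."""
    findings = []
    reachable = {}                                   # host (lower-cased) -> set of ports
    for host, lo, hi in parse_valid_ports(value):
        reachable.setdefault(host.lower(), set()).update(range(lo, hi + 1))
    expected = {h.lower() for h in expected_hosts}
    for host, ports in reachable.items():
        if host not in expected:
            findings.append(f"unexpected target host {host}")
        if DCOM_PORT in ports:
            findings.append(f"{host}: TCP {DCOM_PORT} (DCOM) is reachable through the proxy")
        extra = ports - required
        if extra:
            findings.append(f"{host}: {len(extra)} port(s) beyond the required set "
                            f"({min(extra)}-{max(extra)})")
        missing = required - ports
        if missing:
            findings.append(f"{host}: required port(s) missing: {sorted(missing)}")
    for host in expected:
        if host not in reachable:
            findings.append(f"no entry for {host}")
    return findings


if __name__ == "__main__":
    print(audit_valid_ports(extract_valid_ports(SAMPLE_REG_OUTPUT)))   # lab value: no findings
    print(audit_valid_ports("Denver:100-5000"))                        # the default: several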

8. Configure the Global Catalog server (Denver) to use port 6004 for RPC over HTTP connections.

a. On the Start menu, click Run.

b. In the Run dialog box, type regedit.exe, and then click OK.

c. In the Registry Editor window, select the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters key.

d. Right-click the Parameters key, click New, and then click Multi-String Value.

e. In the New Value #1 text box, replace the text by typing NSPI interface protocol sequences, and then press Enter.

A new REG_MULTI_SZ value named NSPI interface protocol sequences is created.

f. Right-click the NSPI interface protocol sequences value, and then click Modify.

g. In the Edit Multi-String dialog box, type ncacn_http:6004, and then click OK.

The Global Catalog server will listen on TCP port 6004 for RPC connections from the RPC Proxy network service.

The server computer needs to restart, before this setting is active.

h. Close the Registry Editor window.

9. Restart the Denver computer.

a. On the Start menu, click Shut Down.

In the next step, ensure that you RESTART Denver, instead of Shut down Denver.

b. In the Shut Down Windows dialog box, complete the following information:
 - What do you want the computer to do: Restart
 - Option: Other (Planned) (is default)
 - Comment: Changed RPC Proxy settings
and then click OK.

The Denver computer restarts. This will take a few minutes.

10. Log on to the computer:

User name: Administrator

Password: password

Log on to: CONTOSO

a. After the restart, at the Welcome to Windows dialog box, press <right>Alt-Del (instead of Ctrl-Alt-Del).

b. In the Log On to Windows dialog box, complete the following information:
 - User name: Administrator
 - Password: password
 - Domain: CONTOSO
and then click OK to log on.

Perform the following steps on the Paris computer.

11. On the Paris computer, disable the existing rule that publishes the Exchange Server by using RPC.

a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.

b. In the right pane, right-click Publish mail Exchange RPC Server, and then click Disable.

The reason this rule is disabled in the lab, is to clearly demonstrate that Outlook 2003 on Istanbul will connect to the Exchange Server on Denver by using RPC over HTTPS, and not using RPC directly.

12. Create a new Web listener.

Name: External Web 443

SSL: enable

Network: External

Compression: disable

Certificate: mail.contoso.com

Authentication: HTTP Authentication - Basic

a. In the task pane, on the Toolbox tab, in the Network Objects section, expand Web Listeners (if possible).

Note: If a Web Listener named External Web 443 is already created in an earlier exercise, then you can skip the rest of this task.

b. If a Web listener named External Web 443 does not exist, then right-click Web Listeners, and then click New Web Listener.

c. In the New Web Listener Definition Wizard dialog box, in the Web listener name text box, type External Web 443, and then click Next.

d. On the Client Connection Security page, select Require SSL secured connections with clients, and then click Next.

e. On the Web Listener IP Addresses page, complete the following information:
 - Listen on network: External
 - ISA Server will compress content: disable
and then click Next.

f. On the Listener SSL Certificates page, click Select Certificate.

By default, the Select Certificate dialog box only shows the Web server certificates that are installed correctly.

g. In the certificates list, select mail.contoso.com, and then click Select.

h. On the Listener SSL Certificates page, click Next.

i. On the Authentication Settings page, complete the following information:
 - Authentication method: HTTP Authentication (is default)
 - Basic: enable
 - Digest: disable (is default)
 - Integrated: disable (is default)
and then click Next.

j. On the Single Sign On Settings page, click Next.

k. On the Completing the New Web Listener Wizard page, click Finish.

A new Web listener (port 443 on the IP address on the adapter on the External network) with the name External Web 443 is created.

13. Create a new RPC over HTTPS Web publishing rule.

Name: Publish mail (RPC over HTTPS)

Version: Exchange Server 2003

Internal site name: denver.contoso.com

Public name: mail.contoso.com

Web listener: External Web 443

Delegation: Basic Authentication

a. In the right pane, select the first rule, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.

b. In the task pane, on the Tasks tab, click Publish Exchange Web Client Access.

The RPC connection from the Outlook client is inside a secure Web connection (HTTPS) to denver.contoso.com/rpc.

c. In the New Exchange Publishing Rule Wizard dialog box, in the Exchange Publishing rule name text box, type Publish mail (RPC over HTTPS), and then click Next.

d. On the Select Services page, complete the following information:
 - Exchange version: Exchange Server 2003 (is default)
 - Outlook Web Access: disable
 - Outlook RPC/HTTP(s): enable
 - Leave the other check boxes disabled (is default)
and then click Next.

e. On the Publishing Type page, select Publish a single Web site, and then click Next.

f. On the Server Connection Security page, select Use SSL to connect to the published Web server, and then click Next.

g. On the Internal Publishing Details page, in the Internal site name text box, type denver.contoso.com, and then click Next.

The internal site name must match exactly the name in the certificate on the Denver Web server.

h. On the Public Name Details page, complete the following information:
 - Accept requests for: This domain name (type below)
 - Public name: mail.contoso.com
and then click Next.

The public name must match exactly the name in the certificate on Paris.

i. On the Select Web Listener page, in the Web listener drop-down list box, select External Web 443, and then click Next.

j. On the Authentication Delegation page, select Basic Authentication, and then click Next.

k. On the User Sets page, click Next.

l. On the Completing the New Exchange Publishing Rule Wizard page, click Finish.

A new Web publishing rule is created that publishes the Web site at denver.contoso.com (/rpc) as mail.contoso.com (/rpc) on the External network.

14. Examine the new Web publishing rule named Publish mail (RPC over HTTPS).

a. In the right pane, right-click Publish mail (RPC over HTTPS), and then click Properties.

b. In the Publish mail (RPC over HTTPS) Properties dialog box, select the Path tab.

The RPC over HTTPS Web publishing rule only allows access to the /rpc virtual directory.

c. Click Cancel to close the Publish mail (RPC over HTTPS) Properties dialog box.

15. Apply the new rule.

a. Click Apply to apply the new rule, and then click OK.

The new Publish mail (RPC over HTTPS) rule is applied.

Perform the following steps on the Istanbul computer.

16. On the Istanbul computer, use Internet Explorer to verify the configuration of the secure Web publishing rule, by connecting to https://mail.contoso.com/rpc.

The expected error code is 401.3 (Access denied due to an ACL).

a. On the Istanbul computer, open Internet Explorer. In the Address box, type https://mail.contoso.com/rpc, and then press Enter.

b. In the Connect to mail.contoso.com dialog box, complete the following information:
 - User name: Administrator
 - Password: password
 - Remember my password: disable (is default)
and then click OK.

Because the /Rpc virtual directory does not allow direct access, Internet Explorer displays the Connect to mail.contoso.com dialog box two more times.

c. In the Connect to mail.contoso.com dialog box, type Administrator and password for the second time, and then click OK.

d. In the Connect to mail.contoso.com dialog box, type Administrator and password for the third time, and then click OK.

Internet Explorer displays an error Web page (HTTP Error 401.3 - Unauthorized: Access is denied due to an ACL). This is the expected result.

Using Internet Explorer to connect to the /Rpc virtual directory has no functional meaning in the context of the RPC over HTTP protocol. However, this is a quick way to verify that the Web listener, the Secure Web publishing rule and the Web server certificates on both the ISA Server and the RPC Proxy server (Denver) are configured correctly. The expected error message is the 401.3 error Web page.

Note: When running Windows Server 2003 without SP1, the expected error message is HTTP Error 403.2 (Forbidden: Read access is denied).

e. Close Internet Explorer.

Note: If you are running Outlook 2003 on Windows XP SP1, you will need to install the update package described in Microsoft Knowledge Base article 331320, before you can do the tasks below. (In this lab, Outlook 2003 on Istanbul runs on Windows Server 2003.)

17. Configure the e-mail account in the current Outlook profile to use RPC over HTTP:

URL: mail.contoso.com

Use SSL only: Yes

Principal name: msstd:mail.contoso.com

On fast/slow networks, use HTTP first: Yes

Proxy authentication: Basic

a. On the Start menu, click Control Panel, and then click Mail.

b. In the Mail Setup - Outlook dialog box, click E-mail Accounts.

c. In the E-mail Accounts dialog box, select View or change existing e-mail accounts, and then click Next.

The Control Panel applet attempts to connect to the Exchange Server (by using RPC). After a few moments, a message box appears to notify you that the Exchange Server is unavailable.

d. Click Cancel to close the Connecting to Microsoft Exchange Server message box.

e. On the E-mail Accounts page, ensure that Contoso mail is selected, and then click Change.

f. On the Exchange Server Settings page, click More Settings.

g. In the Microsoft Exchange Server dialog box, on the Connection tab, enable Connect to my Exchange mailbox using HTTP, and then click Exchange Proxy Settings.

h. In the Exchange Proxy Settings dialog box, complete the following information:

- Use this URL (https://): mail.contoso.com

- Connect using SSL only: enable (is default)

- Mutually authenticate the session: enable

- Principal name for proxy server: msstd:mail.contoso.com

- On fast networks, connect using HTTP first: enable

- On slow networks, connect using HTTP first: enable (is default)

- Proxy authentication settings: Basic Authentication

and then click OK.

The msstd form is Microsoft's standard to refer to RPC principal names. After connecting, Outlook verifies that it is connected to the correct server, by using the msstd principal name.

The distinction between a fast network and a slow network is determined by the speed that the network adapter reports. If it reports less than 128 Kbps, it is considered a slow network. If this option is enabled, Outlook attempts to connect by using HTTP (RPC over HTTP) first, and then by using TCP/IP (RPC).

Using Basic Authentication (instead of NTLM Authentication) allows Outlook RPC/HTTPS connections, even when ISA Server 2006 is configured to use HTML Form Authentication. Outlook does not support form authentication, but ISA Server 2006 will automatically fall back to Basic Authentication when a non-browser application connects.

i. Click OK to close the Microsoft Exchange Server dialog box.

j. On the Exchange Server Settings page, click Next.

k. In the Connect to Denver.contoso.com dialog box, complete the following information:

- User name: contoso\administrator

- Password: password

and then click OK.

The Control Panel applet should already be able to connect to the Exchange Server (by using RPC over HTTPS).

l. On the E-mail accounts page, click Finish.

m. Click Close to close the Mail Setup - Outlook dialog box.

18. Start Outlook 2003, and then examine the network connections.

Use: netstat -ano

Use: Connection Status

a. Open a Command Prompt window.

b. At the command prompt, type netstat -ano | find "EST", and then press Enter.

The output of the command displays zero or more established TCP/IP network connections from the Istanbul computer, before Outlook is started.

c. On the Start menu, click All Programs, click Microsoft Office, and then click Microsoft Office Outlook 2003.

d. In the Connecting to Denver.contoso.com dialog box, complete the following information:

- User name: contoso\administrator

- Password: password

and then click OK.

Outlook 2003 starts and displays the Inbox of the Administrator.

e. Switch to the Command Prompt window.

f. At the command prompt, type netstat -ano | find "EST", and then press Enter.

The output of the command displays multiple established connections from Istanbul (39.1.1.7) to the ISA Server (39.1.1.1). All the connections are using TCP port 443 on the ISA Server.

g. Close the Command Prompt window.

h. Press the Ctrl key, and then click the Outlook icon in the system tray area.

i. In the context menu of the system tray Outlook icon, click Connection Status.

The Exchange Server Connection Status window lists four connections from Outlook to Denver.contoso.com. The term HTTPS in the Conn column indicates that RPC over HTTPS connections are used.

j. Click Close to close the Exchange Server Connection Status window.
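The netstat check in the steps above can be automated so that the observation (every established connection from Istanbul to the ISA Server uses TCP port 443) becomes a pass/fail result. The following is an added example, not part of the lab manual; the netstat lines are constructed to match the lab's description and were not captured from a real computer.

```python
"""Parse 'netstat -ano' output and verify that every established connection
to the ISA Server (39.1.1.1) is an RPC over HTTPS connection on TCP port 443.
Added example for the lab step above; it is not ISA Server or lab-kit code."""
import re

# Constructed sample of 'netstat -ano' output on Istanbul after Outlook has
# started, including the header lines that 'find "EST"' would have filtered out.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    39.1.1.7:1041          39.1.1.1:443           ESTABLISHED     1584
  TCP    39.1.1.7:1042          39.1.1.1:443           ESTABLISHED     1584
  TCP    39.1.1.7:1043          39.1.1.1:443           ESTABLISHED     1584
  TCP    39.1.1.7:1044          39.1.1.1:443           ESTABLISHED     1584
"""

# Constructed negative sample: one connection to a port other than 443, one
# connection that is not ESTABLISHED, and a UDP line (no state column).
SAMPLE_NETSTAT_MIXED = """\
  TCP    39.1.1.7:1051          39.1.1.1:443           ESTABLISHED     1584
  TCP    39.1.1.7:1052          39.1.1.1:443           ESTABLISHED     1584
  TCP    39.1.1.7:1053          39.1.1.1:135           ESTABLISHED     1584
  TCP    39.1.1.7:1054          39.1.1.1:443           TIME_WAIT       0
  UDP    39.1.1.7:123           *:*                                    1024
"""

# Proto, local ip:port, foreign ip:port, state, PID (TCP lines only).
NETSTAT_RE = re.compile(
    r"^\s*(TCP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)\s+(\d+)\s*$")


def parse_netstat(text):
    """Return (local_ip, local_port, remote_ip, remote_port, state, pid) tuples."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue  # headers, blank lines and UDP lines do not match
        _, lip, lport, rip, rport, state, pid = m.groups()
        conns.append((lip, int(lport), rip, int(rport), state, int(pid)))
    return conns


def established_to(conns, remote_ip):
    """Keep only ESTABLISHED connections whose foreign address is remote_ip."""
    return [c for c in conns if c[4] == "ESTABLISHED" and c[2] == remote_ip]


def all_on_port(conns, port):
    """True when there is at least one connection and all use the given port."""
    return bool(conns) and all(c[3] == port for c in conns)


def check_rpc_over_https(text, isa_ip="39.1.1.1"):
    """Summarise the connections to the ISA Server the way the lab step reads them:
    how many are established, whether all use 443, and any unexpected ports."""
    conns = established_to(parse_netstat(text), isa_ip)
    return {
        "count": len(conns),
        "only_443": all_on_port(conns, 443),
        "other_ports": sorted({c[3] for c in conns if c[3] != 443}),
    }


if __name__ == "__main__":
    print(check_rpc_over_https(SAMPLE_NETSTAT))
    print(check_rpc_over_https(SAMPLE_NETSTAT_MIXED))
```

Any port other than 443 in the result means the client reached the ISA Server with something other than the published RPC over HTTPS listener and is worth investigating.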

19. Send an e-mail to Administrator to test the RPC over HTTP connection to ISA Server.

a. In Outlook, on the toolbar, click New.

b. In the new message window, complete the following information:

- To: Administrator

- Subject: Test mail through RPC over HTTP - 4

- (Message): Publish Exchange using RPC over HTTP

and then click Send.

After a few moments Outlook sends the message from the Outbox. It will then appear in the Inbox. This result shows that Outlook successfully connected to the Exchange Server on Denver, by using secure RPC over HTTP connections to the ISA Server.

c. In the Inbox, select the new message.

d. Close Outlook.

Note: In the tasks below, you will configure ISA Server 2006 to use both Outlook Web Access (OWA) using HTML Form Authentication, and Outlook RPC/HTTPS using HTTP/Basic Authentication on the same Web Listener, and the same IP address (for mail.contoso.com). That is not possible in ISA Server 2004. You can only perform the tasks below if you completed the OWA exercise earlier in this module.

20. Use Internet Explorer to connect to https://mail.contoso.com/exchange

a. Open Internet Explorer. In the Address box, type https://mail.contoso.com/exchange, and then press Enter.

An authentication dialog box for mail.contoso.com appears.

The Web publishing rules Publish mail (OWA) and Publish mail (RPC over HTTPS) both use the same Web listener named External Web 443. The Web listener is currently configured to use HTTP/Basic Authentication.

b. In the Connect to mail.contoso.com dialog box, complete the following information:

- User name: Administrator

- Password: password

- Remember my password: disable (is default)

and then click OK.

Internet Explorer displays the Outlook Web Access Inbox of the Administrator. This result confirms that ISA Server successfully publishes OWA using Basic Authentication.

c. Close Internet Explorer.

Perform the following steps on the Paris computer.

21. On the Paris computer, configure the External Web 443 Web listener to use Form Authentication.

a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.

b. In the task pane, on the Toolbox tab, in the Network Objects section, expand Web Listeners, right-click External Web 443, and then click Properties.

c. In the External Web 443 Properties dialog box, on the Authentication tab, complete the following information:

- Client Authentication Method: HTML Form Authentication

and then click OK to close the External Web 443 Properties dialog box.

The Web listener is now configured to use HTML Form authentication.

d. Click Apply to save the changes, and then click OK.

Perform the following steps on the Istanbul computer.

22. Use Internet Explorer to connect to https://mail.contoso.com/exchange again.

a. Open Internet Explorer. In the Address box, type https://mail.contoso.com/exchange, and then press Enter.

The Office Outlook Web Access authentication Web page appears, because the Web listener is configured to use HTML Form authentication.

b. In the Office Outlook Web Access page, complete the following information:

- Security: This is a private computer

- Use Outlook Web Access Light: disable (is default)

- Domain\user name: contoso\administrator

- Password: password

and then click Log On.

Internet Explorer displays the Outlook Web Access Inbox.

c. Close Internet Explorer.

23. Start Outlook 2003.

a. On the Start menu, click All Programs, click Microsoft Office, and then click Microsoft Office Outlook 2003.

b. In the Connecting to Denver.contoso.com dialog box, complete the following information:

- User name: contoso\administrator

- Password: password

and then click OK.

Outlook 2003 starts and displays the Inbox of the Administrator.

c. Switch to the Command Prompt window.

d. Press the Ctrl key, and then click the Outlook icon in the system tray area.

e. In the context menu of the system tray Outlook icon, click Connection Status.

The Exchange Server Connection Status window lists four RPC over HTTPS connections from Outlook to Denver.contoso.com.

f. Click Close to close the Exchange Server Connection Status window.

The Web listener on ISA Server is configured to use HTML Form authentication. When Outlook sends the connection request, ISA Server 2006 first checks the User-Agent HTTP header in the HTTPS request from Outlook. It recognizes that it should not respond with the form authentication Web page, but instead falls back to requesting HTTP/Basic Authentication.

This is new functionality in ISA Server 2006. It allows you to publish both Outlook Web Access (using HTML Form Authentication), and Outlook RPC/HTTPS (using Basic Authentication) using the same Web listener, and the same IP address.

g. Close Outlook.

h. Close the Internet Explorer Outlook Web Access window.


Module E: Enabling VPN Connections

Exercise 1 Configuring ISA Server to Accept Incoming VPN Connections

In this exercise, you will configure ISA Server to accept incoming VPN connections from client computers on the Internet.

Tasks Detailed steps

Note: This lab exercise uses the following computer: Paris. Refer to the beginning of the manual for instructions on how to start the computer. Log on to the computer.

Perform the following steps on the Paris computer.

1. On the Paris computer, examine the status of the Routing and Remote Access service.

a. On the Paris computer, on the Start menu, click Administrative Tools, and then click Routing and Remote Access.

b. In the Routing and Remote Access console, select PARIS (local).

The Routing and Remote Access service is not started yet, and the service is not configured. ISA Server uses the Routing and Remote Access service to handle VPN connections, after the VPN connection is approved.

Note: All VPN configuration (except Remote Access dial-in permission for users and groups) is done through the ISA Server console.

2. Use the ISA Server console to configure VPN address ranges.

IP address ranges: - 10.3.1.1 - 10.3.1.120

a. On the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.

b. In the ISA Server console, expand Paris, and then select Virtual Private Networks (VPN).

c. In the right pane, ensure that the VPN Clients tab is selected.

ISA Server supports two types of VPN connections:

- Remote access VPN - Client computers on the Internet create a VPN connection to the ISA Server. This is configured on the VPN Clients tab.

- Site-to-site VPN - Two private networks, or branch offices, are connected by a VPN connection. This is configured on the Remote Sites tab.

d. In the task pane, on the Tasks tab, click Define Address Assignments.

e. In the Virtual Private Networks (VPN) Properties dialog box, on the Address Assignment tab, select Static address pool, and then click Add.

f. In the Server IP Address Range Properties dialog box, complete the following information:

- Start address: 10.3.1.1

- End address: 10.3.1.120

and then click OK.

This IP address range allows for a maximum of:

- 1 destination VPN IP address on Paris (10.3.1.1)

- 119 VPN client addresses (10.3.1.2-10.3.1.120).

g. Click OK to close the Virtual Private Networks (VPN) Properties dialog box.

3. Enable and configure VPN client access.

- Maximum clients: 100

- Protocols: PPTP

a. On the Tasks tab, click Enable VPN Client Access.

This step enables VPN access to the ISA server. A system policy rule is enabled, and after the changes are saved the Routing and Remote Access service is configured.

b. On the Tasks tab, click Configure VPN Client Access.

c. In the VPN Client Properties dialog box, on the General tab, in the Maximum number of VPN clients allowed text box, leave the default value 100.

The maximum number of VPN clients that can connect at the same time, depends on the capacity of the ISA Server, and the number of available IP addresses.

d. On the Protocols tab, ensure that only Enable PPTP is selected.

In this exercise, only the PPTP protocol is used.

e. Click OK to close the VPN Clients Properties dialog box.

Note that the VPN configuration is not applied yet.

4. Examine the VPN connection settings.

Access networks: External

Authentication: MS-CHAPv2

a. In the left pane, right-click Virtual Private Networks (VPN), and then click Properties.

You can also access the four tabs of the Virtual Private Networks (VPN) Properties dialog box from the task pane.

b. In the Virtual Private Networks (VPN) Properties dialog box, select the Access Networks tab.

ISA Server is currently configured to only accept incoming VPN connections from the External network.

c. Select the Authentication tab.

ISA Server is currently configured to allow only MS-CHAPv2 authentication for incoming VPN connections.

d. Click OK to close the Virtual Private Networks (VPN) Properties dialog box.

5. Examine the VPN access rule:

System policy rule: Allow VPN client traffic to ISA Server (rule 13).

a. In the left pane, select Firewall Policy.

b. In the task pane, on the Tasks tab, click Show System Policy Rules.

c. In the right pane, select the Allow VPN client traffic to ISA Server system policy rule (rule 13).

This system policy rule allows the PPTP protocol from the External network to the Local Host network (ISA Server).

If the L2TP/IPSec VPN protocol is enabled as well for VPN client access, then this rule is extended with the required L2TP/IPSec protocols (IKE, IPSec, L2TP). If additional networks are enabled on the Access Networks tab of the Virtual Private Networks (VPN) Properties dialog box, then this rule is extended with those networks.

d. In the task pane, on the Tasks tab, click Hide System Policy Rules.

6. Apply the VPN configuration.

a. In the ISA Server console, click Apply to apply the VPN configuration, and then click OK.

This step will configure and enable VPN connections on ISA Server, and configure and start the Routing and Remote Access service on the ISA Server computer.

Wait 30 seconds for ISA Server to configure and start the Routing and Remote Access service, before you do the next tasks.

7. Examine the configuration of the Routing and Remote Access console.

a. In the Routing and Remote Access console, in the left pane, right-click PARIS (local), and then click Refresh.

The user interface is updated to show that Routing and Remote Access is configured and started.

b. Right-click PARIS (local), and then click Properties.

c. In the PARIS (local) Properties dialog box, select the IP tab.

ISA Server has configured the Routing and Remote Access service to use a static address pool of IP addresses.

d. Click Cancel to close the PARIS (local) Properties dialog box.

e. Expand PARIS (local), and then select Remote Access Policies.

f. In the right pane, right-click the ISA Server Default Policy remote access policy, and then click Properties.

ISA Server has added a new remote access policy.

- The policy is first in the list, and applies to all incoming remote access connections (Day-And-Time-Restrictions matches 7x "00:00-24:00").

- The associated profile specifies the authentication methods allowed for the connections.

- Unless individual access permissions are specified in the user profile (which is done in the next task), remote access is denied.

g. Click Cancel to close the ISA Server Default Policy Properties dialog box.

h. Close the Routing and Remote Access console.

8. Configure the user profile of the Administrator account so that it is allowed to dial in.

a. On the Start menu, click Administrative Tools, and then click Computer Management.

b. In the Computer Management console, in the left pane, expand Local Users and Groups, and then select Users.

c. In the right pane, right-click Administrator, and then click Properties.

d. In the Administrator Properties dialog box, on the Dial-in tab, select Allow access, and then click OK.

e. Close the Computer Management console.

For demonstration purposes, in this exercise the local Administrator account is used to create the VPN connection. Normally domain user accounts are used to create the VPN connection.

Note: ISA Server will now accept incoming VPN connections from client computers on the External network. Those client computers will then automatically be placed in the VPN Clients network. In a later exercise, you will create access rules to allow the VPN Clients network access to the Internal network.


Exercise 2 Configuring a Client Computer to Establish a VPN Connection

In this exercise, you will configure a client computer on the Internet to establish a VPN connection to the ISA Server computer.

Tasks Detailed steps

Note: This lab exercise uses the following computers: Denver - Paris - Istanbul. Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.

Perform the following steps on the Istanbul computer.

1. On the Istanbul computer, examine the current IP address configuration, and use the Ping command to test connectivity to the Internal network (10.1.1.5).

a. On the Istanbul computer, open a Command Prompt window.

b. At the command prompt, type ipconfig, and then press Enter.

The output of the ipconfig command shows that Istanbul currently uses only the IP address 39.1.1.7.

c. Type ping 39.1.1.1, and then press Enter.

The ping requests time out, because ISA Server (39.1.1.1) does not allow incoming ping requests from computers on the External network (Internet).

d. Type ping 10.1.1.5, and then press Enter.

The ping requests time out, because Istanbul cannot connect to computers on the Internal network yet.

e. Close the Command Prompt window.

2. Create a new connection in the Network Connections window.

Type: VPN connection

Name: VPN to Contoso

VPN Server: 39.1.1.1

a. On the Start menu, click Control Panel, right-click Network Connections, and then click Open.

The Network Connections window opens.

b. In the Network Connections window, right-click New Connection Wizard, and then click New Connection.

c. In the New Connection Wizard dialog box, click Next.

d. On the Network Connection Type page, select Connect to the network at my workplace, and then click Next.

e. On the Network Connection page, select Virtual Private Network connection, and then click Next.

f. On the Connection Name page, in the Company Name text box, type VPN to Contoso, and then click Next.

g. On the VPN Server Selection page, in the Host name or IP address text box, type 39.1.1.1, and then click Next.

h. On the Connection Availability page, select My use only, and then click Next.

i. On the Completing the New Connection Wizard page, click Finish.

The wizard creates a new connection in the Network Connections window, and displays the Connect VPN to Contoso dialog box, prompting you to establish the connection.

3. Establish the VPN connection named VPN to Contoso.

User name: Administrator

Password: password

a. In the Connect VPN to Contoso dialog box, complete the following information:

- User name: Administrator

- Password: password

and then click Connect.

After creating the VPN connection to the ISA Server computer, an icon appears in the System tray, which represents the established connection.

4. Examine the current IP address configuration, and use the Ping command to test the connection to the Internal network (10.1.1.5), and the VPN tunnel end-point (10.3.1.1).

a. Open a Command Prompt window.

b. At the command prompt, type ipconfig, and then press Enter.

The output of the ipconfig command shows that Istanbul currently uses the IP address 39.1.1.7, and has received a new IP address 10.3.1.2 (or higher) for its VPN connection to the ISA Server computer. Notice that both connections list a default gateway setting.

c. Type route print, and then press Enter.

The output of the route command shows that Istanbul has two default routes (the two Netmask 0.0.0.0 lines). However, the default route for the VPN connection (10.3.1.2) has a lower metric (1) than the metric (21) for the default gateway on the network adapter connection (39.1.1.1). The active default gateway is using the VPN connection (10.3.1.2), as is shown by the Default Gateway line at the end of the output.

d. Type ping 10.1.1.5, and then press Enter.

The ping requests (to Denver) time out. Even though Istanbul has created a VPN connection to the ISA Server computer, it cannot connect to computers on the Internal network yet.

Note: VPN client computers are not considered part of the Internal network, but instead are considered to be in the special VPN Clients network, when they create a VPN connection. They are subject to the firewall policy access rules for the VPN Clients network. Furthermore, all access from the VPN Clients network is logged in the Firewall log.

e. Type ping 10.3.1.1, and then press Enter.

The ping requests time out. The IP address 10.3.1.1 is the destination VPN IP address on the ISA Server computer. Even the end-point of the VPN tunnel cannot be reached without an access rule that allows this.
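The default-route selection described in step 4c can be checked programmatically: among the routes with Netmask 0.0.0.0, Windows uses the one with the lowest metric. The following is an added example, not part of the lab manual; the route tables are constructed to match the lab's description (metric 1 for the VPN route, 21 for the network adapter route) and were not captured from a real computer.

```python
"""Parse 'route print' output and determine which default gateway is active.
Added example for the lab step above; it is not ISA Server or lab-kit code."""
import re

# Constructed IPv4 route table on Istanbul while the VPN connection is up.
SAMPLE_ROUTE_PRINT = """\
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         39.1.1.1        39.1.1.7     21
          0.0.0.0          0.0.0.0         10.3.1.2        10.3.1.2      1
         39.1.1.0    255.255.255.0         39.1.1.7        39.1.1.7     20
         10.3.1.2  255.255.255.255        127.0.0.1       127.0.0.1     50
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1      1
Default Gateway:          10.3.1.2
===========================================================================
"""

# Constructed route table on Istanbul before the VPN connection exists.
SAMPLE_ROUTE_PRINT_NO_VPN = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         39.1.1.1        39.1.1.7     20
         39.1.1.0    255.255.255.0         39.1.1.7        39.1.1.7     20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1      1
Default Gateway:          39.1.1.1
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
# destination, netmask, gateway, interface, metric
ROUTE_RE = re.compile(r"^\s*" + r"\s+".join([IPV4] * 4) + r"\s+(\d+)\s*$")


def parse_routes(text):
    """Return one dict per route line; header, separator and summary lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            dest, mask, gw, iface, metric = m.groups()
            routes.append({"dest": dest, "mask": mask, "gateway": gw,
                           "interface": iface, "metric": int(metric)})
    return routes


def default_routes(routes):
    """All 0.0.0.0/0.0.0.0 routes (the two 'Netmask 0.0.0.0' lines in the lab)."""
    return [r for r in routes if r["dest"] == "0.0.0.0" and r["mask"] == "0.0.0.0"]


def active_default_gateway(routes):
    """The default route Windows actually uses: the one with the lowest metric."""
    defaults = default_routes(routes)
    if not defaults:
        return None
    return min(defaults, key=lambda r: r["metric"])


def vpn_captures_default_route(text, vpn_prefix="10.3.1."):
    """True when the winning default route leaves through the VPN adapter.
    While this holds, all of the client's Internet-bound traffic goes through
    the ISA Server (no split tunneling), which is what the lab observes."""
    best = active_default_gateway(parse_routes(text))
    return best is not None and best["interface"].startswith(vpn_prefix)


if __name__ == "__main__":
    print(active_default_gateway(parse_routes(SAMPLE_ROUTE_PRINT)))
    print(vpn_captures_default_route(SAMPLE_ROUTE_PRINT))
```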

Perform the following steps on the Paris computer.

5. On the Paris computer, use the Ping command to test the connection to the VPN client computer (10.3.1.2 or higher).

a. On the Paris computer, open a Command Prompt window.

b. At the command prompt, type ping 10.3.1.2 (or the higher 10.3.1.x IP address assigned to Istanbul), and then press Enter.

Four ping replies are returned from the Istanbul computer.

c. Close the Command Prompt window.

d. In the ISA Server console, select Firewall Policy.

e. In the task pane, on the Tasks tab, click Show System Policy Rules.

System policy rule 12 allows Ping from Local Host (the ISA Server computer) to All Networks (including the VPN Clients network).

f. In the task pane, on the Tasks tab, click Hide System Policy Rules.

6. Create a new access rule.

Name: Allow Ping from VPN clients

Applies to: PING

From network: VPN Clients

To network: Local Host

a. In the right pane, select the first rule (or select Default rule if no other rule exists), to indicate where the new rule is added to the rule list.

b. In the task pane, on the Tasks tab, click Create Access Rule.

c. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow Ping from VPN clients, and then click Next.

d. On the Rule Action page, select Allow, and then click Next.

e. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.

f. In the Add Protocols dialog box, click Common Protocols, click PING, and click Add, and then click Close to close the Add Protocols dialog box.

g. On the Protocols page, click Next.

h. On the Access Rule Sources page, click Add.

i. In the Add Network Entities dialog box, click Networks, click VPN Clients, and click Add, and then click Close to close the Add Network Entities dialog box.

j. On the Access Rule Sources page, click Next.

k. On the Access Rule Destinations page, click Add.

l. In the Add Network Entities dialog box, click Networks, click Local Host, and click Add, and then click Close to close the Add Network Entities dialog box.

m. On the Access Rule Destinations page, click Next.

n. On the User Sets page, click Next.

o. On the Completing the New Access Rule Wizard page, click Finish.

A new firewall policy rule is created that allows Ping from the VPN Clients network to the Local Host network (ISA Server).

p. Click Apply to apply the new rule, and then click OK.

Perform the following steps on the Istanbul computer.

7. On the Istanbul computer, use the Ping command again to test connectivity to the VPN tunnel end-point at the ISA Server computer (10.3.1.1).

a. On the Istanbul computer, at the command prompt, type ping 10.3.1.1, and then press Enter.

Four (or three) ping replies are returned from the ISA Server computer. The Allow Ping from VPN clients access rule allows access to 10.3.1.1.

This result confirms that the Istanbul computer is on the VPN Clients network, while it has an active VPN connection to the ISA Server computer.

b. Close the Command Prompt window.

In the next exercise, you will configure ISA Server to allow VPN Clients network access to the Internal network.


Exercise 3 Allowing Internal Network Access for VPN Clients

In this exercise, you will configure ISA Server so that client computers on the Internet are allowed access to the Internal network by establishing a VPN connection.

Tasks Detailed steps

Note: This lab exercise uses the following computers: Denver - Paris - Istanbul. Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.

Perform the following steps on the Paris computer.

1. On the Paris computer, examine the network rule for connectivity between the VPN Clients network and the Internal network.

a. On the Paris computer, in the ISA Server console, in the left pane, expand Configuration, and then select Networks.

b. In the right pane, on the Network Rules tab, select the rule that defines the connectivity between the VPN Clients network and the Internal network.

In the default configuration for the 3-Leg Perimeter network template, the network rule named VPN Clients to Internal Network (rule 2) indicates that ISA Server will Route network traffic between the VPN Clients network and the Internal network.

2. Create a new access rule:

Name: Allow access from VPN clients to Internal

Applies to: PING, Microsoft CIFS (TCP)

From network: VPN Clients

To network: Internal

a. In the ISA Server console, in the left pane, select Firewall Policy.

b. In the right pane, select the first rule to indicate where the new rule is added to the rule list.

c. In the task pane, on the Tasks tab, click Create Access Rule.

d. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow access from VPN clients to Internal, and then click Next.

e. On the Rule Action page, select Allow, and then click Next.

f. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.

g. In the Add Protocols dialog box, click Common Protocols, click PING, and click Add; click All protocols, click Microsoft CIFS (TCP), and click Add; and then click Close to close the Add Protocols dialog box.

The Microsoft CIFS (TCP) protocol is also known as Server Message Blocks (SMB) - TCP port 445. It is used to access file shares and printer shares.

h. On the Protocols page, click Next.

i. On the Access Rule Sources page, click Add.

j. In the Add Network Entities dialog box, click Networks, click VPN Clients, and click Add, and then click Close to close the Add Network Entities dialog box.

k. On the Access Rule Sources page, click Next.

l. On the Access Rule Destinations page, click Add.

m. In the Add Network Entities dialog box, click Networks, click Internal, and click Add, and then click Close to close the Add Network Entities dialog box.

n. On the Access Rule Destinations page, click Next.

o. On the User Sets page, click Next.

p. On the Completing the New Access Rule Wizard page, click Finish.

A new firewall policy rule is created that allows the Ping and CIFS protocols from the VPN Clients network to the Internal network.

q. Click Apply to apply the new rule, and then click OK.

Perform the following steps on the Istanbul computer.

3. On the Istanbul computer, reconnect the VPN to Contoso connection, if it was disconnected.

a. On the Istanbul computer, if the VPN to Contoso connection is disconnected, then in the Network Connections window, right-click VPN to Contoso, and then click Connect. In the Connect VPN to Contoso dialog box, complete the following information:

- User name: Administrator

- Password: password

and then click Connect.

The VPN connection to the ISA Server computer is established again.

4. Use the Ping command to test connectivity to the Internal network (10.1.1.5), and use the Run dialog box to connect to \\10.1.1.5.

a. Open a Command Prompt window.

b. At the command prompt, type ping 10.1.1.5, and then press Enter.

Four (or three) ping replies are returned from the Denver computer (10.1.1.5). Istanbul can now access the Internal network.

c. Close the Command Prompt window.

d. On the Start menu, click Run.

e. In the Run dialog box, type \\10.1.1.5, and then click OK.

A Windows Explorer window opens for \\10.1.1.5. This shows that ISA Server allows VPN client computers access to file shares on computers on the Internal network.

f. Close the \\10.1.1.5 window.

5. Disconnect the VPN to Contoso connection, and close the Network Connections window.

a. In the System tray, right-click the connection icon, and click Disconnect.

The VPN to Contoso connection is disconnected.

b. Close the Network Connections window.


Exercise 4 Configuring VPN Quarantine on ISA Server

In this exercise, you will configure ISA Server so that it can allow phased network access to VPN clients. Only client computers whose security configuration meets the security policy are allowed full access to the network.

Tasks Detailed steps

Note: Remote Access Quarantine (or VPN Quarantine) implements 'phased network access' for (VPN) dial-up client computers. This functionality can be provided by the Windows Server 2003 Remote Access service or by ISA Server 2006. In both cases, connect time restrictions and network access restrictions are applied to the VPN client computer, while a script or a custom application verifies the security configuration of the client computer. If the security configuration meets the security policy, the time and access restrictions for the client computer are removed.

- When Windows Server 2003 Remote Access service is used to implement VPN Quarantine, a remote access policy (from the Remote Access server, or from a RADIUS server) applies a connection time-out and restrictive IP filters while the configuration of the client computer is verified.

- When ISA Server 2006 is used to implement VPN Quarantine, the VPN client computer is first placed in the Quarantined VPN Clients network, while the configuration of the client computer is verified. If the configuration meets the requirements, the client computer is then placed in the VPN Clients network. The firewall policy rules for the Quarantined VPN Clients network and the VPN Clients network define the allowed network access for the client computer.

In this exercise, ISA Server 2006 provides the VPN Quarantine functionality.

Note: This lab exercise uses the following computers: Denver - Paris - Istanbul. Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.

Perform the following steps on the Paris computer.

1. On the Paris computer, in the C:\Tools folder, examine the RQScript.vbs script file that is used to check the security configuration of the VPN client computer.

a. On the Paris computer, use Windows Explorer (or My Computer) to open the C:\Tools folder.

The RQScript.vbs script file in the Tools folder is the script that this lab uses to check the security configuration of the VPN client computer.

b. Right-click the RQScript.vbs file, and then click Edit (do not click Open).

c. Maximize the RQScript.vbs - Notepad, if that is not done already.

The RQScript.vbs script file checks whether Internet Connection Firewall (ICF) or Windows Firewall is enabled on the network connections of the VPN client computer. If so, it passes the script identifier (RQScript_ID) RQVersion3 back to the remote access server (ISA Server) through the RQC.exe notifier component, and the server removes the quarantine restrictions. If not, the client stays in quarantine until the connection times out.

Note: The same script can be used for either Windows Server 2003 Remote Access Quarantine, or ISA Server 2006 VPN Quarantine.

d. Close Notepad.

e. Close the Tools folder.

2. Install the Remote Access Quarantine Agent service (RQS.exe).

a. On the Start menu, click Control Panel, and then click Add or Remove Programs.

Note: Since Windows Server 2003 SP1, Remote Access Quarantine Agent service (RQS.exe) is part of the operating system. Before SP1, the service was installed from the Windows Server 2003 Resource Kit tools.

b. In the Add or Remove Programs window, click Add/Remove Windows Components.

c. On the Windows Components page, select the Networking Services component (do NOT select the check box), and then click Details.

d. In the Networking Services dialog box, select the Remote Access Quarantine Service check box, and then click OK.

e. On the Windows Components page, click Next.

Please wait while Setup installs the Remote Access Quarantine Service network service.

f. On the Completing the Windows Components Wizard page, click Finish.

Setup does not completely configure the RQS.exe service for use with ISA Server 2006. You still need to define acceptable script identifiers (version strings) in the registry, configure the service for use with ISA Server, and then start the service.

g. Close the Add or Remove Programs window.

3. Configure the RQS.exe service:

AllowedSet: RQVersion3

Authenticator: vpnplgin.dll

a. On the Start menu, click Run.

b. In the Run dialog box, type regedit.exe, and then click OK.

c. In the Registry Editor window, select the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rqs key.

d. In the right pane, right-click the AllowedSet value, and then click Modify.

e. In the Edit Multi-String dialog box, delete the current value, and then type RQVersion3, and click OK.

RQVersion3 is the identifier of the script (RQScript.vbs) that this lab uses to check the security configuration of the client computer.

f. Right-click the rqs key, click New, and then click String Value.

g. In the New Value #1 text box, replace the text by typing Authenticator, and then press Enter.

A new REG_SZ value named Authenticator is created.

h. Right-click the Authenticator value, and then click Modify.

Note: Ensure that you do not make a typing mistake in the file name below. The RQS.exe service will stop if it cannot find the file specified in the Authenticator registry value.

i. In the Edit String dialog box, type C:\Program Files\Microsoft ISA Server\vpnplgin.dll, and then click OK.

After the RQC.exe application on the client computer notifies the RQS.exe service on the server, by default the RQS.exe service calls %windir%\System32\mprapi.dll (Remote Access service) to remove the quarantine restrictions. When ISA Server provides the quarantine restrictions, the RQS.exe service must call vpnplgin.dll in the ISA Server folder instead.

j. Close the Registry Editor window.

k. On the Start menu, click Administrative Tools, and then click Services.

l. In the Services console, in the right pane, right-click Remote Access Quarantine Agent, and then click Properties.

By default, the Startup type of the RQS.exe service is Manual. You will start the service later in this lab.

m. Click Cancel to close the Remote Access Quarantine Agent Properties dialog box.

n. Close the Services console.
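The registry work in task 3 is easy to get wrong by hand, and a wrong Authenticator path is only noticed later, when the RQS.exe service stops. The following script is an added example for this edit (it is not part of the lab manual, and it is not the ConfigureRQSForISA.vbs tool mentioned later in the exercise). It writes the same two values the task sets, but refuses to write an Authenticator path that does not exist, reads the configuration back, and provides a listener check that becomes meaningful once the service is started in exercise 6. It assumes the default ISA Server installation path and an elevated PowerShell session on the ISA Server computer (Paris).

```powershell
# Added example (not part of the lab manual): configure the Remote Access
# Quarantine Agent (RQS) for ISA Server 2006 as task 3 does by hand.
# Assumptions: default ISA Server install path, run as an administrator
# on the ISA Server computer.

$RqsKey           = 'HKLM:\SYSTEM\CurrentControlSet\Services\rqs'
$IsaAuthenticator = 'C:\Program Files\Microsoft ISA Server\vpnplgin.dll'

function Set-RqsForIsa {
    param(
        [string[]]$AllowedSet    = @('RQVersion3'),   # script identifiers RQS accepts
        [string]  $Authenticator = $IsaAuthenticator  # DLL RQS calls to lift quarantine
    )
    if (-not (Test-Path -LiteralPath $RqsKey)) {
        throw "Key $RqsKey not found. Install the Remote Access Quarantine Service component first."
    }
    # RQS stops at startup if it cannot load the DLL named here, so check before writing.
    if (-not (Test-Path -LiteralPath $Authenticator -PathType Leaf)) {
        throw "Authenticator '$Authenticator' does not exist; the service would stop. Check the path."
    }
    # AllowedSet is REG_MULTI_SZ: one version string per element, nothing else.
    Set-ItemProperty -LiteralPath $RqsKey -Name 'AllowedSet' -Value $AllowedSet -Type MultiString
    # Authenticator is REG_SZ; -Force overwrites an existing value instead of failing.
    New-ItemProperty -LiteralPath $RqsKey -Name 'Authenticator' -Value $Authenticator `
        -PropertyType String -Force | Out-Null
}

function Get-RqsConfig {
    # Read the settings back so they can be compared with what the lab expects.
    $props = Get-ItemProperty -LiteralPath $RqsKey
    $svc   = Get-WmiObject -Class Win32_Service -Filter "Name='rqs'"
    New-Object PSObject -Property @{
        AllowedSet    = @($props.AllowedSet)
        Authenticator = $props.Authenticator
        StartMode     = $svc.StartMode   # 'Manual' by default; the lab starts RQS in exercise 6
        State         = $svc.State
    }
}

function Test-RqsListening {
    # True when something listens on the RQS port. Only meaningful after the
    # service has been started; before that it is expected to return False.
    param([int]$Port = 7250)
    $hits = netstat -an -p tcp | Select-String -Pattern (":$Port\s+\S+\s+LISTENING")
    return [bool]$hits
}

Set-RqsForIsa
$cfg = Get-RqsConfig
if ($cfg.AllowedSet -notcontains 'RQVersion3') { throw 'AllowedSet was not written' }
if ($cfg.Authenticator -ne $IsaAuthenticator)   { throw 'Authenticator was not written' }
$cfg
"RQS listening on TCP 7250: $(Test-RqsListening)"
```

Run it once after installing the Windows component; run Test-RqsListening again after the service is started in exercise 6 to confirm that RQS is bound to TCP 7250 before testing from the client.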

4. Create a new protocol definition:

Name: RQS - Network Quarantine

Direction: Outbound

Port: TCP 7250

a. In the ISA Server console, in the left pane, select Firewall Policy.

When the security configuration of the VPN client computer meets the security policy, the RQC.exe application on the client computer notifies the RQS.exe service on the ISA Server that the quarantine restrictions can be removed. This requires an access rule that allows this communication (TCP port 7250) from the Quarantined VPN Clients network to the Local Host network (ISA Server).

b. In the task pane, on the Toolbox tab, in the Protocols section, on the New menu, click Protocol.

c. In the New Protocol Definition Wizard dialog box, in the Protocol definition name text box, type RQS - Network Quarantine, and then click Next.

d. On the Primary Connection Information page, click New.

e. In the New/Edit Protocol Connection dialog box, complete the following information, and then click OK:

- Protocol type: TCP
- Direction: Outbound
- Port Range From: 7250
- Port Range To: 7250

Note: At first view it may seem unexpected to create an Outbound protocol definition for the communication to the ISA Server. However, you will create an access rule (requiring an Outbound protocol definition) for the RQC.exe application on the Quarantined VPN Clients network, rather than a server publishing rule (requiring an Inbound protocol definition) to publish the RQS.exe service on the ISA Server.

f. On the Primary Connection Information page, click Next.

g. On the Secondary Connections page, select No, and then click Next.

h. On the Completing the New Protocol Definition Wizard page, click Finish.

A new user-defined protocol definition named RQS - Network Quarantine is created.

5. Create a new access rule:

Name: Allow RQS network quarantine notification

Applies to: RQS - Network Quarantine

From network: Quarantined VPN Clients

To network: Local Host

a. In the right pane, select the first rule to indicate where the new rule is added to the rule list.

b. In the task pane, on the Tasks tab, click Create Access Rule.

c. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow RQS network quarantine notification, and then click Next.

d. On the Rule Action page, select Allow, and then click Next.

e. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.

f. In the Add Protocols dialog box, click User-Defined, click RQS - Network Quarantine, click Add, and then click Close to close the Add Protocols dialog box.

g. On the Protocols page, click Next.

h. On the Access Rule Sources page, click Add.

i. In the Add Network Entities dialog box, click Networks, click Quarantined VPN Clients, click Add, and then click Close to close the Add Network Entities dialog box.

Note: You can configure ISA Server (or remote access policies) to exempt certain users from the network access quarantine check. This means that these VPN clients are directly placed in the VPN Clients network when connected. You must include the VPN Clients network in the access rule, if you want to allow RQC.exe communication in that scenario.

j. On the Access Rule Sources page, click Next.

k. On the Access Rule Destinations page, click Add.

l. In the Add Network Entities dialog box, click Networks, click Local Host, click Add, and then click Close to close the Add Network Entities dialog box.

m. On the Access Rule Destinations page, click Next.


n. On the User Sets page, click Next.

o. On the Completing the New Access Rule Wizard page, click Finish.

A new firewall policy rule is created that allows RQS communication from a VPN client computer on the Quarantined VPN Clients network to the ISA Server.

6. In the C:\Tools\ISA folder, examine the ConfigureRQSForISA.vbs script file.

a. Use Windows Explorer (or My Computer) to open the C:\Tools\ISA folder.

b. Right-click the ConfigureRQSForISA.vbs file, and then click Edit (do NOT click Open).

c. Maximize the ConfigureRQSForISA.vbs - Notepad window if that is not done already.

The ConfigureRQSForISA.vbs script file is provided on the Microsoft Web site in the ISA Server downloads section as part of the Remote Access Quarantine Tool (RQSUtils.exe). It does all the tasks done in this exercise so far:

- Installing the RQS.exe service.
- Defining the AllowedSet registry entry.
- Defining the Authenticator registry entry.
- Creating the RQS protocol definition.
- Creating the Allow RQS access rule.
- Starting the RQS.exe service (which this exercise has deliberately not done yet).

For demonstration purposes, these steps were done manually in this exercise.

d. Close Notepad.

e. Close the Windows Explorer window.

7. Configure ISA Server to enable quarantine:

Type: Use ISA Server

Disconnect quarantine: 60 seconds

a. In the ISA Server console, in the left pane, select Networks.

b. In the right pane, on the Networks tab, right-click the Quarantined VPN Clients network, and then click Properties.

c. In the Quarantined VPN Clients Properties dialog box, on the Quarantine tab, select Enable Quarantine Control.

d. In the message box, click OK to acknowledge that enabling quarantine control requires configuration on both the ISA Server and VPN client computers.

The required configuration on the VPN client computers (installing a Connection Manager profile that includes the RQScript.vbs script file, and the RQC.exe notifier component) is done in the next exercise.

e. On the Quarantine tab, complete the following information, and then click OK:

- Enable Quarantine Control: enable (done in previous step)
- Quarantine according to ISA Server policies: enable (is default)
- Disconnect quarantine users after (seconds): 60

The option to use quarantine according to RADIUS server policies requires a remote access policy on the Remote Access server (or on a RADIUS server) that applies the connection time-out. It also requires RQS.exe to call mprapi.dll instead of vpnplgin.dll to remove the quarantine restrictions.

f. Click Apply to save the changes, and then click OK.


Exercise 5 Creating and Distributing a Connection Manager Profile

In this exercise, you will create and distribute a Connection Manager profile, for use with network access quarantine. The profile is made available through an extranet distribution point.


Note: In order to run the script that verifies the security configuration of the VPN client computer, the client computer must use a Connection Manager profile to establish the VPN connection. The profile includes the script (RQScript.vbs) and the notifier component (RQC.exe). The Connection Manager profile is created with the Connection Manager Administration Kit (CMAK).

Note: This lab exercise uses the following computers: Denver - Paris - Istanbul. Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.

Perform the following steps on the Paris computer.

1. On the Paris computer, install the Connection Manager Administration Kit (CMAK).

a. On the Paris computer, on the Start menu, click Control Panel, and then click Add or Remove Programs.

b. In the Add or Remove Programs window, click Add/Remove Windows Components.

c. On the Windows Components page, select the Management and Monitoring Tools component (do NOT clear or select the check box), and then click Details.

d. In the Management and Monitoring Tools dialog box, select the Connection Manager Administration Kit check box, and then click OK.

e. On the Windows Components page, click Next.

Please wait while Setup installs the Connection Manager Administration Kit (CMAK).

f. On the Completing the Windows Components Wizard page, click Finish.

g. Close the Add or Remove Programs window.

2. Use CMAK to create a new Connection Manager profile.

- Service name: VPN to Contoso (CM)

- File name: VPN_RQ

- VPN server: 39.1.1.1

- Custom post-connect action: C:\Tools\RQScript.vbs %TunnelRasEntry% %Domain% %UserName%

- Additional files: C:\Program Files\cmak\support\rqc.exe

a. On the Start menu, click Administrative Tools, and then click Connection Manager Administration Kit.

b. On the Welcome to the Connection Manager Administration Kit Wizard page, click Next.

Note: The CMAK wizard consists of 20 steps. Only two steps (Custom action and Additional files) are related to the use of network access quarantine.

c. On the Service Profile Selection page, select New profile, and then click Next.

d. On the Service and File Names page, complete the following information, and then click Next:

- Service name: VPN to Contoso (CM)
- File name: VPN_RQ

e. On the Realm Name page, select Do not add a realm name to the user name, and then click Next.

f. On the Merging Profile Information page, click Next.

g. On the VPN Support page, complete the following information, and then click Next:

- Phone book from this profile: enable
- Always use the same VPN server: 39.1.1.1

The IP address 39.1.1.1 is the address of the External Connection network adapter on Paris.

h. On the VPN Entries page, select VPN to Contoso (CM) Tunnel, and then click Next.

i. On the Phone Book page, CLEAR the Automatically download phone book updates check box, and then click Next.

j. On the Dial-up Networking Entries page, select VPN to Contoso (CM), and then click Next.

k. On the Routing Table Update page, select Do not change the routing tables, and then click Next.

l. On the Automatic Proxy Configuration page, select Do not configure proxy settings, and then click Next.

The next step in the CMAK wizard is the first step that is related to the use of network access quarantine.

m. On the Custom Actions page, click New.

n. In the New Custom Action dialog box, complete the following information, and then click OK:

- Description: Quarantine policy checking
- Program to run: c:\tools\RQScript.vbs
- Parameters: %TunnelRasEntry% %Domain% %UserName%
- Action type: Post-connect
- Run this custom action for: All connections (is default)
- Include the custom action program: enable
- Program interacts with the user: enable (is default)

The TunnelRasEntry, Domain and UserName parameters passed to the script are CMAK variables that identify the connection. RQC.exe passes them back to the RQS.exe service on the ISA Server so that the server knows which VPN session to release from quarantine.

o. On the Custom Actions page, click Next.

The next 8 wizard steps use the default setting in this lab.

p. On the Logon Bitmap page, select Default graphic, and then click Next.

q. On the Phone Book Bitmap page, select Default graphic, and then click Next.

r. On the Icons page, select Default icons, and then click Next.

s. On the Notification Area Shortcut Menu page, click Next.

t. On the Help File page, select Default Help file, and then click Next.

u. On the Support Information page, click Next.

v. On the Connection Manager Software page, select Install Connection Manager 1.3, and then click Next.

w. On the License Agreement page, click Next.

The next step is the second step that is related to the use of network access quarantine.

x. On the Additional Files page, click Add.

y. In the Browse dialog box, in the C:\Program Files\cmak\support folder, select the rqc.exe file, and then click Open.

RQC.exe is the application that runs on the VPN client computers.

z. On the Additional Files page, click Next.

aa. On the Ready to Build the Service Profile page, do NOT select Advanced customization, and then click Next.

A Command Prompt window opens and closes as the new Connection Manager profile (VPN_RQ.exe) is created in the C:\Program Files\cmak\Profiles\VPN_RQ folder.

bb. On the Completing the Connection Manager Administration Kit Wizard page, click Finish.
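The profile built above runs RQScript.vbs as a post-connect action and ships rqc.exe beside it. The script below is an added example for this edit, not the lab's RQScript.vbs: it is a PowerShell version of the client-side check described in exercise 4 task 1 (firewall enabled, then notify RQS with the RQVersion3 identifier), wired to the same %TunnelRasEntry% %Domain% %UserName% parameters the custom action passes. It assumes that rqc.exe takes its arguments in the order Microsoft documents (connection name, tunnel connection name, TCP port, domain, user name, script version); that rqc.exe was installed into the same folder as the script; that RQS listens on TCP 7250; that a non-zero rqc.exe exit code means the notification was not accepted; and it reads the Windows Firewall state for the current profile as a whole rather than per adapter, which is a simplification of what the lab script does. Verify the rqc.exe syntax against rqc.exe /? before relying on it.

```powershell
# Added example (not the lab's RQScript.vbs): quarantine check plus RQC.exe
# notification, in PowerShell. Assumptions are listed in the lead-in above.
param(
    [string]$TunnelRasEntry = 'VPN to Contoso (CM)',  # %TunnelRasEntry% from CMAK
    [string]$Domain         = '',                      # %Domain%, empty in this lab
    [string]$UserName       = 'Administrator',         # %UserName%
    [string]$ScriptVersion  = 'RQVersion3',            # must be listed in RQS AllowedSet
    [int]   $RqsPort        = 7250                     # port the RQS service listens on
)

function Test-WindowsFirewallEnabled {
    # HNetCfg.FwMgr is the Windows XP SP2 / Server 2003 SP1 firewall COM API.
    # This reads the global state of the current profile (simplification).
    $mgr = New-Object -ComObject 'HNetCfg.FwMgr'
    return [bool]$mgr.LocalPolicy.CurrentProfile.FirewallEnabled
}

function Invoke-RqcNotify {
    param([string]$RqcPath, [string]$ConnName, [string]$TunnelConnName,
          [int]$Port, [string]$Domain, [string]$User, [string]$Version)
    # Assumed syntax: rqc ConnName TunnelConnName TCPPort Domain Username ScriptVersion.
    # Every positional argument is quoted so an empty domain still occupies its slot.
    $argLine = '"{0}" "{1}" {2} "{3}" "{4}" "{5}"' -f $ConnName, $TunnelConnName, $Port, $Domain, $User, $Version
    $proc = Start-Process -FilePath $RqcPath -ArgumentList $argLine -Wait -PassThru -NoNewWindow
    return $proc.ExitCode
}

# rqc.exe is assumed to sit next to this script inside the installed profile.
$scriptDir = if ($MyInvocation.MyCommand.Path) { Split-Path -Parent $MyInvocation.MyCommand.Path } else { (Get-Location).Path }
$rqcPath   = Join-Path $scriptDir 'rqc.exe'
$shell     = New-Object -ComObject 'WScript.Shell'   # Popup() mirrors the VBScript MsgBox

if (-not (Test-WindowsFirewallEnabled)) {
    $shell.Popup('Windows Firewall is not enabled. The connection stays in quarantine and will be dropped.', 0, 'Remote Access Quarantine') | Out-Null
    exit 1
}
if (-not (Test-Path -LiteralPath $rqcPath -PathType Leaf)) {
    $shell.Popup("rqc.exe was not found at $rqcPath; quarantine cannot be released.", 0, 'Remote Access Quarantine') | Out-Null
    exit 2
}

# With a VPN-only profile there is no separate dial-up entry, so the tunnel
# entry name is passed for both connection arguments (assumption).
$rc = Invoke-RqcNotify -RqcPath $rqcPath -ConnName $TunnelRasEntry -TunnelConnName $TunnelRasEntry `
                       -Port $RqsPort -Domain $Domain -User $UserName -Version $ScriptVersion
if ($rc -ne 0) {
    $shell.Popup("RQS on the ISA Server did not accept the notification (rqc.exe exit code $rc). Check that the RQS service is running and that the Allow RQS access rule exists.", 0, 'Remote Access Quarantine') | Out-Null
    exit 3
}
$shell.Popup('Security configuration verified; quarantine restrictions removed.', 0, 'Remote Access Quarantine') | Out-Null
exit 0
```

To use it in place of the VBScript, the CMAK custom action would run powershell.exe with -File and the script path followed by %TunnelRasEntry% %Domain% %UserName% as parameters, and both the script and rqc.exe would be added on the Additional Files page. The check is still self-reported: nothing stops a client from running rqc.exe with a valid version string by hand, which is why the network access granted to the VPN Clients network should be decided independently of this mechanism.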

3. Create a new folder C:\Inetpub\Extranet.

Copy VPN_RQ.exe to the Extranet folder.

a. Use Windows Explorer (or My Computer) to open the C:\Program Files\cmak\Profiles\VPN_RQ folder.

b. Right-click the VPN_RQ.exe file, and then click Copy.

c. In the Windows Explorer window, open the C:\Inetpub folder.

d. Right-click in the empty area of the Inetpub folder, click New, and then click Folder.

e. In the New Folder text box, replace the text by typing Extranet, and then press Enter.

A new folder C:\Inetpub\Extranet is created.

f. Open the Extranet folder.

g. In the empty area of the Extranet folder, click Paste.

The Connection Manager profile VPN_RQ.exe is copied to the C:\Inetpub\Extranet folder. After the Extranet folder is published through ISA Server, client computers can install the profile.

h. Close the Extranet folder.

Note: You may have done the next task in an earlier exercise already.

4. Configure the default Web site to use port 81, and then start the Web site.

(If this is not done already).

a. On the Start menu, click Administrative Tools, and then click Internet Information Services (IIS) Manager.

The IIS Manager console opens.

b. In the IIS Manager console, expand PARIS (local computer), expand Web Sites, right-click Default Web Site, and then click Properties.

c. In the Default Web Site Properties dialog box, on the Web Site tab, ensure that the TCP port text box is set to 81, and then click OK.

The default HTTP TCP port is 80. Because ISA Server uses port 80 for publishing Web sites (and publishing automatic discovery information for Web clients), the Web site on the ISA Server computer must be changed to another port.

d. If the Default Web Site is not started, then right-click Default Web Site (Stopped), and then click Start.

The default Web site is started. The Web site listens on port 81.

5. Create a new virtual directory for the default Web site:

Alias: extranet

Path: C:\Inetpub\Extranet

Permissions: Read and Browse.

a. In the IIS Manager console, in the left pane, expand Default Web Site.

b. Right-click Default Web Site, click New, and then click Virtual Directory.

c. In the Virtual Directory Creation Wizard dialog box, click Next.

d. On the Virtual Directory Alias page, in the Alias text box, type extranet, and then click Next.

e. On the Web Site Content Directory page, in the Path text box, type C:\Inetpub\Extranet, and then click Next.

f. On the Virtual Directory Access Permissions page, complete the following information, and then click Next:

- Read: enable (is default)
- Run scripts: disable (is default)
- Execute: disable (is default)
- Write: disable (is default)
- Browse: ENABLE

The Browse permission is required, because the Extranet folder does not contain an HTML document to display. It only contains the Connection Manager profile VPN_RQ.exe.


g. On the Completing the Virtual Directory Creation Wizard page, click Finish.

A new virtual directory named extranet is created for the default Web site.

Note: By default, the extranet virtual directory allows anonymous access. Normally you would require authentication to access resources on the extranet.

h. Close the IIS Manager console.

Note: You may have done the next task in an earlier exercise already.

6. Create a new Web listener.

Name: External Web 80

SSL: disable

Network: External

Compression: disable

Authentication: none

(If this is not done already)

a. In the ISA Server console, in the left pane, select Firewall Policy.

b. In the task pane, on the Toolbox tab, in the Network Objects section, expand Web Listeners (if possible).

Note: If a Web Listener named External Web 80 is already created in an earlier exercise, then you can skip the rest of this task.

c. If a Web listener named External Web 80 does not exist, then right-click Web Listeners, and then click New Web Listener.

d. In the New Web Listener Definition Wizard dialog box, in the Web listener name text box, type External Web 80, and then click Next.

e. On the Client Connection Security page, select Do not require SSL secured connections with clients, and then click Next.

f. On the Web Listener IP Addresses page, complete the following information, and then click Next:

- Listen on network: External
- ISA Server will compress content: disable

g. On the Authentication Settings page, in the drop-down list box, select No Authentication, and then click Next.

h. On the Single Sign On Settings page, click Next.

i. On the Completing the New Web Listener Wizard page, click Finish.

A new Web listener (port 80 on the IP address on the adapter on the External network) with the name External Web 80 is created.

7. Create a Web publishing rule.

Name: Extranet Web Site

Publishing type: single Web site

Internal site name: Paris

IP address: 10.1.1.1

Path: /extranet

Port: 81

Public name: www.contoso.com/extranet

Web listener:External Web 80

Delegation: none

a. In the left pane, select Firewall Policy.

b. In the right pane, select the first rule to indicate where the new rule is added to the rule list.

c. In the task pane, on the Tasks tab, click Publish Web Sites.

d. In the New Web Publishing Rule Wizard dialog box, in the Web publishing rule name text box, type Extranet Web Site, and then click Next.

e. On the Select Rule Action page, select Allow, and then click Next.

f. On the Publishing Type page, select Publish a single Web site, and then click Next.

g. On the Server Connection Security page, select Use non-secured connections to connect to the published Web server, and then click Next.

h. On the Internal Publishing Details page, complete the following information, and then click Next:

- Internal site name: Paris
- Use a computer name or IP address: enable
- Computer name or IP address: 10.1.1.1

Note: After completing the wizard, the destination TCP port of the rule can be set to 81.

10.1.1.1 is the IP address of Paris on the Internal network.

i. On the next Internal Publishing Details page, complete the following information, and then click Next:

- Path: extranet/*
- Forward the original host header: enable

The option to forward the original host header is enabled because otherwise IIS builds the directory listing with the internal address (10.1.1.1/extranet) that ISA Server redirected the request to, and Internet Explorer displays it. It is usually considered good practice not to reveal the internal addresses of published servers to external clients.

j. On the Public Name Details page, complete the following information, and then click Next:

- Accept requests for: This domain name (type below)
- Public name: www.contoso.com
- Path: /extranet/*

The public name of the Web site is www.contoso.com/extranet.

k. On the Select Web Listener page, in the Web listener drop-down list box, select External Web 80, and then click Next.

l. On the Authentication Delegation page, select No delegation, and client cannot authenticate directly, and then click Next.

m. On the User Sets page, click Next.

n. On the Completing the New Web Publishing Rule Wizard page, click Finish.

A new Web publishing rule is created that publishes the Web site at 10.1.1.1/extranet (Paris) as www.contoso.com/extranet on the External network.

o. In the right pane, select the Extranet Web Site Web publishing rule, and then in the task pane, on the Tasks tab, click Edit Selected Rule.

p. In the Extranet Web Site Properties dialog box, on the Bridging tab, in the Redirect requests to HTTP port text box, type 81.

The Web publishing rule now redirects requests for www.contoso.com/extranet (port 80) to 10.1.1.1/extranet (port 81).

q. Click OK to close the Extranet Web Site Properties dialog box.

r. Click Apply to apply the new rule, and then click OK.

Perform the following steps on the Istanbul computer.

8. On the Istanbul computer, connect to http://www.contoso.com/extranet and install the VPN_RQ.exe Connection Manager profile.

a. On the Istanbul computer, open Internet Explorer. In the Address box, type http://www.contoso.com/extranet, and then press Enter.

The content of the C:\Inetpub\Extranet folder is displayed. The folder only contains the Connection Manager profile VPN_RQ.exe.

If Internet Explorer shows HTTP Error 403 - Forbidden, then the properties of the extranet virtual directory in IIS on Paris are not set to allow Directory browsing, or do not allow anonymous access.

b. In the extranet folder, right-click VPN_RQ.exe, and then click Open.

c. In the File Download - Security Warning message box, click Run.

d. In the Internet Explorer - Security Warning message box, click Run to confirm that you want to run this software (without a valid signature to verify the publisher). Outside the lab, sign the profile package with a code-signing certificate that the clients trust; an extranet that teaches users to run unsigned executables is an easy target for a look-alike download.

e. In the VPN to Contoso (CM) message box, click Yes to confirm that you want to install the Connection Manager profile.

f. In the next VPN to Contoso (CM) dialog box, select My use only, and then click OK.

The Connection Manager profile is installed on the Istanbul computer.

After the installation is completed, the Network Connections window opens, and the VPN to Contoso (CM) connection dialog box is shown.

g. Click Cancel to close the VPN to Contoso (CM) connection dialog box.

h. Close the Network Connections window.

i. Close Internet Explorer.

Note: Besides making the Connection Manager profile available through a published extranet solution, as is done in the scenario in this exercise, you can also allow (portable) client computers to install the Connection Manager profile from a shared folder on the internal network, at a time when the client computers are on the internal network.


Exercise 6 Using VPN Quarantine on the Client Computer

In this exercise, you will test network access quarantine by establishing a VPN connection from the VPN client (Istanbul) to the ISA Server (Paris), first with a non-compliant client and then with a compliant one.


Note: This lab exercise uses the following computers: Denver - Paris - Istanbul. Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.

Perform the following steps on the Istanbul computer.

1. On the Istanbul computer, use the VPN to Contoso (CM) connection, to establish a VPN connection to the ISA Server.

User name: Administrator

Password: password

Domain: (empty)

a. On the Istanbul computer, on the Start menu, click Control Panel, right-click Network Connections, and then click Open.

b. In the Network Connections window, under Connection Manager, right-click VPN to Contoso (CM), and then click Connect.

c. In the VPN to Contoso (CM) connection dialog box, complete the following information, and then click Connect:

- User name: Administrator
- Password: password
- Logon domain: (leave empty)
- Save password: ENABLE
- Connect automatically: disable (is default)

A yellow balloon dialog box in the system tray area shows that the VPN is now connected.

The quarantine script displays a message box to indicate that the security configuration of the client computer does not meet the security policy (ICF is not enabled on the network connections). The connection stays in quarantine mode and is dropped after 60 seconds, the Disconnect quarantine users after value configured in exercise 4.

d. Click OK to close the Remote Access Quarantine message box.

e. Open a Command Prompt window.

f. At the command prompt, type ipconfig, and then press Enter.

The output of the ipconfig command shows that Istanbul currently has a VPN connection to Paris using IP address 10.3.1.2 (or higher).

Note: If the connection drops before you can complete the next ping command, just click Yes in the Reconnect message box, and then click Connect to re-establish the VPN connection.

g. At the command prompt, type ping 10.3.1.1, and then press Enter.

The ping requests time out. The IP address of the end-point of the VPN tunnel on the ISA Server computer (10.3.1.1) cannot be reached without an access rule that allows this from the Quarantined VPN Clients network.

Perform the following steps on the Paris computer.

2. On the Paris computer, create a new access rule.

Name: Allow Ping from Quarantined VPN clients

Applies to: PING

From network: Quarantined VPN Clients

To network: Local Host

a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.

b. In the right pane, select the first rule to indicate where the new rule is added to the rule list.

c. In the task pane, on the Tasks tab, click Create Access Rule.

d. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow Ping from Quarantined VPN clients, and then click Next.

e. On the Rule Action page, select Allow, and then click Next.

f. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.

g. In the Add Protocols dialog box, click Common Protocols, click PING, click Add, and then click Close to close the Add Protocols dialog box.

h. On the Protocols page, click Next.

i. On the Access Rule Sources page, click Add.

j. In the Add Network Entities dialog box, click Networks, click Quarantined VPN Clients, click Add, and then click Close to close the Add Network Entities dialog box.

k. On the Access Rule Sources page, click Next.

l. On the Access Rule Destinations page, click Add.

m. In the Add Network Entities dialog box, click Networks, click Local Host, click Add, and then click Close to close the Add Network Entities dialog box.

n. On the Access Rule Destinations page, click Next.

o. On the User Sets page, click Next.

p. On the Completing the New Access Rule Wizard page, click Finish.

A new firewall policy rule is created that allows Ping from the Quarantined VPN Clients network to the Local Host network (ISA Server).

q. Click Apply to apply the new rule, and then click OK.

Perform the following steps on the Istanbul computer.

3. On the Istanbul computer, use the Ping command to test the connection to the VPN tunnel end-point (10.3.1.1) and the Internal network (10.1.1.5).

a. On the Istanbul computer, in the Reconnect message box, click Yes.

b. In the VPN to Contoso (CM) connection dialog box, ensure that the User name and Password information is still present, and then click Connect.

c. Click OK to close the Remote Access Quarantine message box.

d. At the command prompt, type ping 10.3.1.1, and then press Enter.

Four (or three) ping replies are returned from the ISA Server computer. The Allow Ping from Quarantined VPN clients access rule allows access to 10.3.1.1.

This result confirms that the Istanbul computer is on the Quarantined VPN Clients network, as long as the security configuration of the client computer does not meet the security requirements.

e. At the command prompt, type ping  10.1.1.5, and then press Enter.

The ping requests (to Denver) time out. There is currently no access rule that allows communication from the Quarantined VPN Clients network to the Internal network.

f. If the Reconnect message box appears, click No to close the message box.

4. Enable Windows Firewall.

a. On the Start menu, click Control Panel, and then click Windows Firewall.

b. In the Windows Firewall message box, click Yes to confirm that you want to start the Windows Firewall/ICS service.

The Windows Firewall/ICS service must be running before you can configure Windows Firewall.

c. After the Windows Firewall/ICS service has started, in the Windows Firewall dialog box, on the General tab, select On, and then click OK.

Windows Firewall is enabled on all network connections. This configuration meets the RQScript.vbs script file requirement, which verifies whether Windows Firewall is enabled on all non-VPN connections.


5. Use the VPN to Contoso (CM) connection, to establish a VPN connection to the ISA Server again.

a. In the Network Connections window, under Connection Manager, right-click VPN to Contoso (CM), and then click Connect.

b. In the VPN to Contoso (CM) connection dialog box, ensure that the User name and Password information is still present, and then click Connect.

This time the quarantine script displays a message box to indicate that the security configuration of the client computer does meet the security policy. However, the RQC.exe notifier component on the client computer is not able to contact the RQS.exe service on the ISA Server to remove the quarantine restrictions. The VPN connection is dropped after 60 seconds.

The RQS.exe service cannot be contacted, because the service is not started yet in this exercise.

c. Click OK to close the Remote Access Quarantine message box.

Perform the following steps on the Paris computer.

6. On the Paris computer, start the Remote Access Quarantine Agent (RQS.exe) service.

a. On the Paris computer, on the Start menu, click Administrative Tools, and then click Services.

b. In the Services console, in the right pane, right-click Remote Access Quarantine Agent, and then click Start.

The Remote Access Quarantine Agent (RQS.exe) is now started, and listens on TCP port 7250.

You have already created an access rule (Allow RQS network quarantine notification) that allows RQS traffic from the Quarantined VPN Clients network to the Local Host (ISA Server).

c. Close the Services console.

Perform the following steps on the Istanbul computer.

7. On the Istanbul computer, use the VPN to Contoso (CM) connection, to establish a VPN connection to the ISA Server again.

Test the connection:
- Ping 10.1.1.5
- Run \\10.1.1.5

Disconnect the VPN connection again.

a. On the Istanbul computer, in the Reconnect message box, click Yes.

b. In the VPN to Contoso (CM) connection dialog box, ensure that the User name and Password information is still present, and then click Connect.

The quarantine script successfully notified the RQS.exe service. ISA Server removed the quarantine restrictions by moving the VPN client computer from the Quarantined VPN Clients network to the VPN Clients network.

c. Click OK to close the Remote Access Quarantine message box.

d. At the command prompt, type ping  10.1.1.5, and then press Enter.

Four ping replies are returned from the Denver computer (10.1.1.5) on the Internal network. The access rule (Allow access from VPN clients to Internal) that you created in an earlier exercise, allows the communication.

e. Close the Command Prompt window.

f. On the Start menu, click Run.

g. In the Run dialog box, type \\10.1.1.5, and then click OK.

A Windows Explorer window opens for \\10.1.1.5. These results show that the VPN client computer can now connect to resources on the Internal network.

h. Close the \\10.1.1.5 window.

Now that ISA Server has removed the quarantine restrictions, the VPN connection is no longer disconnected after 60 seconds.

i. Right-click the connection icon in the system tray area, and then click Disconnect.

8. Use the VPN to Contoso connection (not the Connection Manager), to establish a VPN connection to the ISA Server.

Disconnect the VPN connection again.

a. In the Network Connections window, under Virtual Private Network (not under Connection Manager), right-click VPN to Contoso, and then click Connect.

b. In the Connect VPN to Contoso dialog box, complete the following information:
- User name: Administrator
- Password: password
and then click Connect.

Istanbul successfully establishes a VPN connection to the ISA Server. This VPN connection does NOT use the Connection Manager, and does not start the post-connect script to verify the security configuration of the VPN client computer. ISA Server places the client computer in the Quarantined VPN Clients network, awaiting a notification from the RQC.exe notifier component on the client computer. Even though the client computer meets the security requirements (Windows Firewall is enabled), the notification is never sent to the ISA Server, and the connection is dropped after 60 seconds.

c. Wait (60 seconds) until the Reconnect VPN to Contoso dialog box appears, and then click Cancel, or right-click the connection icon in the system tray area, and then click Disconnect.

Note: The communication between the RQC.exe notifier component on the client computer and the RQS.exe service on the ISA Server is not encrypted or authenticated. A malicious client computer can spoof this communication. Remote Access Quarantine is not a security mechanism, but rather a mechanism to help avoid a possibly insecure configuration of the client computers when establishing a VPN connection.

Note: The following tasks are needed to avoid conflicts with other lab exercises.

9. Disable Windows Firewall.

a. On the Start menu, click Control Panel, and then click Windows Firewall.

b. In the Windows Firewall dialog box, on the General tab, select Off, and then click OK.

Windows Firewall is no longer enabled on any network connection.

c. Close the Network Connections window.

Perform the following steps on the Paris computer.

10. On the Paris computer, disable VPN client access.

a. On the Paris computer, in the ISA Server console, in the left pane, select Virtual Private Networks (VPN).

b. In the task pane, on the Tasks tab, click Disable VPN Client Access.

This step disables VPN access to ISA Server:
- System policy rule 13 is disabled
- The Routing and Remote Access configuration is removed
- The Routing and Remote Access service is stopped.

c. Click Apply to save the changes, and then click OK.


Module F: ISA Server 2006 as Branch Office Gateway

Exercise 1 Configuring HTTP Compression to Reduce Bandwidth Usage

In this exercise, you will configure ISA Server to compress HTTP content when responding to requests from client computers, and to request compressed HTTP content when connecting to other servers.

Tasks Detailed steps

Note: This lab exercise uses the following computers: Denver - Paris - Istanbul. Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.

Perform the following steps on the Istanbul computer.

1. On the Istanbul computer, examine the uncompressed file size of content.htm in the Default Web Site.

a. On the Istanbul computer, on the Start menu, click Administrative Tools, and then click Internet Information Services (IIS) Manager.

The IIS Manager console opens.

b. In the IIS Manager console, expand ISTANBUL (local computer), expand Web Sites, and then select Default Web Site.

The Default Web Site contains a file named content.htm.

c. Right-click Default Web Site, and then click Open.

The c:\inetpub\wwwroot folder opens.

Notice that the uncompressed size of the content.htm file is 91 KB. You will request this file in compressed form later in the exercise.

d. Close the c:\inetpub\wwwroot window.

e. Close the IIS Manager console.

2. Open the C:\Tools\Perfmon-sent.msc console.

a. Use Windows Explorer (or My Computer) to open the C:\Tools folder.

b. In the Tools folder, right-click Perfmon-sent.msc, and then click Open.

Perfmon-sent.msc is a saved MMC console containing a preconfigured System Monitor Control. It shows the Bytes Sent/sec counter for the network adapter.

You will use the results in this console later in the exercise.

c. Close the C:\Tools folder.

Perform the following steps on the Paris computer.

3. On the Paris computer, create a new access rule.

Name: Allow Web access (Branch)

Applies to: HTTP

a. On the Paris computer, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.

The ISA Server console opens.

b. In the left pane, expand Paris, and then select Firewall Policy.

c. In the right pane, select the first rule, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.

From network: Internal

To network: External

d. In the task pane, on the Tasks tab, click Create Access Rule.

e. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow Web access (Branch), and then click Next.

f. On the Rule Action page, select Allow, and then click Next.

g. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.

h. In the Add Protocols dialog box, click Common Protocols, click HTTP, click Add, and then click Close to close the Add Protocols dialog box.

i. On the Protocols page, click Next.

j. On the Access Rule Sources page, click Add.

k. In the Add Network Entities dialog box, click Networks, click Internal, click Add, and then click Close to close the Add Network Entities dialog box.

l. On the Access Rule Sources page, click Next.

m. On the Access Rule Destinations page, click Add.

n. In the Add Network Entities dialog box, click Networks, click External, click Add, and then click Close to close the Add Network Entities dialog box.

o. On the Access Rule Destinations page, click Next.

p. On the User Sets page, click Next.

q. On the Completing the New Access Rule Wizard page, click Finish.

A new firewall policy rule is created that allows the HTTP protocol from the Internal network to the External network.

4. Apply the changes.

a. Click Apply to apply the new rule, and then click OK.

Perform the following steps on the Denver computer.

5. On the Denver computer, open the C:\Tools\Perfmon-received.msc console.

a. On the Denver computer, use Windows Explorer (or My Computer) to open the C:\Tools folder.

b. In the Tools folder, right-click Perfmon-received.msc, and then click Open.

Perfmon-received.msc is a saved MMC console containing a preconfigured System Monitor Control. It shows the Bytes Received/sec counter for the network adapter.

c. Close the C:\Tools folder.

6. Use Internet Explorer to connect to http://istanbul.fabrikam.com/content.htm

a. Open Internet Explorer. In the Address box, type http://istanbul.fabrikam.com/content.htm, and then press Enter.

Internet Explorer connects to ISA Server and retrieves the content.htm Web page from Istanbul.

The content.htm Web page contains 90 KB of text.

7. Examine the peak bytes received per second in the Performance console.

a. Switch to the Performance - Bytes Received console.

Notice that the network adapter on Denver has a peak bytes received per second of approximately 90 KB.

This result confirms that the content.htm Web page is currently not compressed when delivered from the ISA Server to Denver.

Perform the following steps on the Istanbul computer.

8. On the Istanbul computer, examine the peak bytes sent per second in the Performance console.

a. On the Istanbul computer, switch to the Performance - Bytes Sent console.

The network adapter on Istanbul has a peak bytes sent per second of approximately 90 KB.

This result confirms that the content.htm Web page is currently not compressed when delivered from the Web server (Istanbul) to the ISA Server.

Perform the following steps on the Paris computer.

9. On the Paris computer, examine the two Web filters for HTTP compression.

a. On the Paris computer, in the ISA Server console, under Paris, expand Configuration, and then select Add-ins.

b. In the right pane, select the Web Filters tab.

ISA Server 2006 installs two Web filters that provide HTTP compression functionality:
- Compression Filter - Compresses and decompresses HTTP responses.
- Caching Compressed Content Filter - Stores and retrieves compressed content in the cache.

Note: Do not move the Compression Filter lower in the list of Web Filters. Decompression must take place before any other Web filter inspects the content. Other Web filters cannot inspect compressed content.

10. Configure HTTP Compression.

Return Compressed Data: Internal

Content types:
- Documents
- HTML Documents
- Macro Documents
- Text

a. In the left pane, under Configuration, select General.

HTTP Compression is a global HTTP Policy setting. This means that it applies to all HTTP traffic that passes through ISA Server to or from a specified network or computer set. HTTP Compression is not a per-rule setting.

b. In the right pane, click Define HTTP Compression Preferences.

c. In the HTTP Compression dialog box, on the Return Compressed Data tab, click the top Add button.

By default, HTTP compression is enabled, but no network elements are configured to use compression.

Note: It is possible that you already added one or more Web Listeners to the Return Compressed Data list, while creating new Web Publishing rules in earlier exercises.

d. In the Add Network Entities dialog box, click Networks, click Internal, click Add, and then click Close to close the Add Network Entities dialog box.

You configured compression of HTTP responses when requested by clients on the Internal network.

Note: Do not confuse the two compression settings per network element:
- Return Compressed Data - ISA Server returns compressed content in HTTP response packets when clients from the specified network request compression.
- Request Compressed Data - ISA Server asks for compressed content in HTTP request packets when sending requests to servers on the specified network.

e. On the Return Compressed Data tab, click Content Types.

The Content Types dialog box lists all defined Content Types on ISA Server. Some content types, for example Audio, Video and Compressed Files, are already compressed at the application level. Do not enable HTTP compression for these content types.

f. In the Content Types dialog box, complete the following information:
- Compress the selected content types only: enable (is default)
- Documents: enable
- HTML Documents: enable (is default)
- Macro Documents: enable
- Text: enable (is default)
- All other check boxes: disable
and then click OK to close the Content Types dialog box.

Branch office functionality: When branch offices connect to ISA Servers at the main office to access HTTP content from the Internet or from Web servers at the main office, you should add the branch office networks to the Return Compressed Data list to reduce bandwidth usage for the response traffic.


g. Click OK to close the HTTP Compression dialog box.

h. Click Apply to apply the changes, and then click OK.

Perform the following steps on the Denver computer.

11. On the Denver computer, configure Internet Explorer to use HTTP 1.1 when connecting through a proxy server.

a. On the Denver computer, in Internet Explorer, on the Tools menu, click Internet Options.

b. In the Internet Options dialog box, on the Connections tab, click LAN Settings.

Notice that Denver is currently configured to use a proxy server at IP address 10.1.1.1.

c. Click Cancel to close the Local Area Network (LAN) Settings dialog box.

d. On the Advanced tab, in the Settings list box, scroll to the HTTP 1.1 settings section.

By default, Internet Explorer uses HTTP 1.1, except when connecting through a proxy server.

HTTP compression requires HTTP 1.1.

e. Enable the Use HTTP 1.1 through proxy connections check box, and then click OK.

12. Refresh the content of the Web page at http://istanbul.fabrikam.com/content.htm, by pressing Ctrl-F5 or Ctrl-Refresh.

a. In Internet Explorer, ensure that the http://istanbul.fabrikam.com/content.htm Web page is opened.

b. Hold the Ctrl-key, and then click the Refresh button on the toolbar, to refresh the content of the Web page.

Internet Explorer connects to the ISA Server and retrieves the content.htm Web page from Istanbul again.

Note: The use of the Ctrl-key to refresh the Web page ensures that Internet Explorer does not use its caching mechanism.

13. Examine the peak bytes received per second in the Performance console.

a. Switch to the Performance - Bytes Received console.

The network adapter on Denver has a peak bytes received per second of approximately 35 KB.

This result confirms that the content.htm Web page, which has a file size of 91 KB, is compressed when delivered from the ISA Server to Denver.

Note: When Internet Explorer uses HTTP 1.1, it always includes the HTTP request header Accept-Encoding: gzip, deflate to request compressed content from a Web server. The response packet will include the HTTP response header Content-Encoding: gzip to indicate that the content is compressed. If you want to examine the network traffic in more detail in the lab environment, you can use Network Monitor. Microsoft Network Monitor 5.2 is installed in each virtual machine.
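The following Python script is an added example, not part of the lab manual: a constructed in-process Web server stands in for Istanbul and returns content.htm gzip-encoded only when the request carries Accept-Encoding: gzip, so you can see the Accept-Encoding / Content-Encoding negotiation described above and the difference in bytes on the wire without Network Monitor. The server, the client and the ~90 KB sample page are all constructed here and run offline on the loopback address.

```python
import gzip
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for content.htm: ~90 KB of numbered HTML lines (repetitive, so it compresses well).
CONTENT = ("<html><body>\n"
           + "".join(f"<p>Line {i}: ISA Server 2006 lab content.</p>\n" for i in range(2000))
           + "</body></html>\n").encode()


class CompressingHandler(BaseHTTPRequestHandler):
    """Serves CONTENT, gzip-encoded only when the client advertises gzip in Accept-Encoding."""

    def do_GET(self):
        accept = self.headers.get("Accept-Encoding", "")
        # Accept-Encoding is a comma-separated list; each token may carry a ";q=" weight.
        offered = {tok.split(";")[0].strip().lower() for tok in accept.split(",") if tok.strip()}
        body = CONTENT
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        if "gzip" in offered:
            body = gzip.compress(CONTENT)
            # Tells the client (or the next proxy) that the body is compressed.
            self.send_header("Content-Encoding", "gzip")
        # Lets caches keep the compressed and uncompressed representations apart.
        self.send_header("Vary", "Accept-Encoding")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo output to the summary printed below


def start_server():
    """Start the stand-in Web server on a free loopback port."""
    server = HTTPServer(("127.0.0.1", 0), CompressingHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch(port, accept_encoding=None):
    """GET /content.htm; return (bytes on the wire, Content-Encoding header, decoded length)."""
    conn = http.client.HTTPConnection("127.0.0.1", port)
    headers = {"Accept-Encoding": accept_encoding} if accept_encoding else {}
    # Without an explicit header http.client sends "Accept-Encoding: identity",
    # i.e. it behaves like a client that does not ask for compression.
    conn.request("GET", "/content.htm", headers=headers)
    resp = conn.getresponse()
    body = resp.read()
    encoding = resp.getheader("Content-Encoding")
    decoded = gzip.decompress(body) if encoding == "gzip" else body
    conn.close()
    return len(body), encoding, len(decoded)


def compare():
    """Fetch once without and once with Accept-Encoding: gzip, deflate; return both results."""
    server = start_server()
    try:
        port = server.server_address[1]
        plain = fetch(port)                        # client that does not advertise gzip
        compressed = fetch(port, "gzip, deflate")  # what IE sends when using HTTP 1.1
    finally:
        server.shutdown()
        server.server_close()
    return {"plain": plain, "compressed": compressed}


if __name__ == "__main__":
    for name, (wire, enc, decoded) in compare().items():
        print(f"{name:10s} Content-Encoding={enc!s:5s} wire={wire:6d} bytes  decoded={decoded:6d} bytes")
```

The decoded length is identical in both cases; only the bytes on the wire, which is what the Bytes Received/sec counter in the Performance console measures, shrink when the response is gzip-encoded.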

Perform the following steps on the Istanbul computer.

14. On the Istanbul computer, examine the peak bytes sent per second in the Performance console.

a. On the Istanbul computer, switch to the Performance - Bytes Sent console.

The network adapter on Istanbul has a peak bytes sent per second of approximately 90 KB.

Currently, ISA Server receives the content.htm Web page uncompressed from Istanbul, and then compresses the content when sending to Denver.

15. Configure IIS to enable HTTP compression.

Application files: yes

Static files: yes

a. On the Start menu, click Administrative Tools, and then click Internet Information Services (IIS) Manager.

The IIS Manager console opens.

b. In the IIS Manager console, expand ISTANBUL (local computer), right-click Web Sites, and then click Properties.

By default, IIS 6.0 does not compress content in HTTP response packets.

c. In the Web Sites Properties dialog box, on the Service tab, complete the following information:
- Compress application files: enable
- Compress static files: enable
and then click OK.

If you enable HTTP compression of application files (.asp, .dll, and .exe) and static files (.htm, .html, and .txt), IIS compresses the content when requested by clients that indicate they can accept gzip-encoded responses.

16. Restart IIS.

a. In the IIS Manager console, in the left pane, right-click ISTANBUL (local computer), click All Tasks, and then click Restart IIS.

After enabling HTTP compression, you must restart IIS.

b. In the Stop/Start/Restart dialog box, in the drop-down list box, select Restart Internet Services on ISTANBUL, and then click OK.

The IIS services restart.

c. Close the IIS Manager console.

17. Examine the IIS Temporary Compressed Files folder.

a. Use Windows Explorer (or My Computer) to open the C:\Windows\IIS Temporary Compressed Files folder.

To reduce processor usage, IIS caches compressed static files in the IIS Temporary Compressed Files folder the first time those files are requested. Application files are compressed every time they are requested.

The folder is currently empty.

b. Do not close the IIS Temporary Compressed Files folder.

Perform the following steps on the Paris computer.

18. On the Paris computer, configure HTTP Compression.

Request Compressed Data: External

a. On the Paris computer, in the ISA Server console, in the left pane, select General.

b. In the right pane, click Define HTTP Compression Preferences.

c. In the HTTP Compression dialog box, on the Request Compressed Data tab, click the top Add button.

d. In the Add Network Entities dialog box, click Networks, click External, click Add, and then click Close to close the Add Network Entities dialog box.

ISA Server will include the HTTP request header Accept-Encoding: gzip when requesting Web content from servers on the External network, to indicate that it can accept compressed traffic.

Branch office functionality: When ISA Servers in branch offices connect to the main office or directly to the Internet to access HTTP content, you should add the main office network or External network to the Request Compressed Data list to reduce bandwidth usage for the response traffic.

e. Click OK to close the HTTP Compression dialog box.

f. Click Apply to apply the changes, and then click OK.

Perform the following steps on the Denver computer.

19. On the Denver computer, refresh the content of the Web page at http://istanbul.fabrikam.com/content.htm, by pressing Ctrl-F5 or Ctrl-Refresh twice.

a. On the Denver computer, in Internet Explorer, ensure that the http://istanbul.fabrikam.com/content.htm Web page is opened.

b. Hold the Ctrl-key, and then click the Refresh button on the toolbar, to refresh the content of the Web page.

c. Wait five seconds, and then hold the Ctrl-key, and click the Refresh button on the toolbar again.

Internet Explorer connects to the ISA Server and retrieves the content.htm Web page from Istanbul twice.


20. Examine the peak bytes received per second in the Performance console.

a. Switch to the Performance - Bytes Received console.

The network adapter on Denver shows two peaks of bytes received per second of approximately 35 KB each.

The content is compressed when delivered from the ISA Server to Denver.

Perform the following steps on the Istanbul computer.

21. On the Istanbul computer, examine the peak bytes sent per second in the Performance console.

a. On the Istanbul computer, switch to the Performance - Bytes Sent console.

The network adapter on Istanbul first has a peak bytes sent per second of approximately 90 KB, followed by a peak of approximately 30 KB.

On the first request for content.htm, IIS sends the uncompressed content immediately, and compresses the file for subsequent requests. On the second request, IIS sends the compressed content.

b. Close the Performance - Bytes Sent console.

22. Examine the IIS Temporary Compressed Files folder.

a. Switch to the IIS Temporary Compressed Files folder.

IIS has stored the compressed version of content.htm in this folder. The file size is 29 KB.

b. Close the IIS Temporary Compressed Files folder.

Note: By default, ISA Server is configured to inspect the content of compressed HTTP response packets. This means that ISA Server performs the following steps when receiving the response from Istanbul:
1) The Compression Filter uncompresses the content.
2) The HTTP Filter and other Web filters inspect the uncompressed HTTP content.
3) The Caching Compressed Content Filter caches the uncompressed content.
and then, when sending the response to Denver:
4) The Compression Filter compresses the content again.
It is possible to disable inspection of compressed content. In that case, ISA Server does not uncompress the HTTP content, and the Caching Compressed Content Filter caches the compressed version of the content.

Note: The following tasks are needed to avoid conflicts with other lab exercises.

23. Configure IIS to disable HTTP compression.

Application files: no

Static files: no

a. On the Start menu, click Administrative Tools, and then click Internet Information Services (IIS) Manager.

The IIS Manager console opens.

b. In the IIS Manager console, expand ISTANBUL (local computer), right-click Web Sites, and then click Properties.

c. In the Web Sites Properties dialog box, on the Service tab, complete the following information:
- Compress application files: disable
- Compress static files: disable
and then click OK.

HTTP compression is disabled.

24. Restart IIS.

a. In the IIS Manager console, in the left pane, right-click ISTANBUL (local computer), click All Tasks, and then click Restart IIS.

b. In the Stop/Start/Restart dialog box, in the drop-down list box, select Restart Internet Services on ISTANBUL, and then click OK.

The IIS services restart.

c. Close the IIS Manager console.

Perform the following steps on the Paris computer.

25. On the Paris computer, disable HTTP Compression.

a. On the Paris computer, in the ISA Server console, in the left pane, select General.

b. In the right pane, click Define HTTP Compression Preferences.

c. In the HTTP Compression dialog box, on the Return Compressed Data tab, select Internal, and then click Remove.

d. On the Request Compressed Data tab, select External, and then click Remove.

HTTP Compression is no longer enabled for responses to the Internal network, or requests to the External network.

e. Click OK to close the HTTP Compression dialog box.

f. Click Apply to apply the changes, and then click OK.

Perform the following steps on the Denver computer.

26. Close the Performance console and close Internet Explorer.

a. Close the Performance - Bytes Received console.

b. Close Internet Explorer.


Exercise 2 Configuring ISA Server to Cache BITS Content

In this exercise, you will configure ISA Server to cache Background Intelligent Transfer Service (BITS) content, and request ranges from cached files.

Tasks Detailed steps

Note: This lab exercise uses the following computers: Denver - Paris - Istanbul. Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.

Perform the following steps on the Paris computer.

1. On the Paris computer, define a cache drive.

Cache size: 10 MB

a. On the Paris computer, in the ISA Server console, under Configuration, select Cache.

By default, caching is disabled on ISA Server.

b. In the right pane, select the Cache Drives tab.

c. In the task pane, on the Tasks tab, click Define Cache Drives (Enable Caching).

d. In the Define Cache Drives dialog box, in the Maximum cache size (MB) text box, type 10, and then click Set.

For demonstration purposes, a very small disk cache file of 10 MB is created. Normally you would configure a much bigger cache file.

e. Click OK to close the Define Cache Drives dialog box.

2. Apply the changes and restart the Firewall service.

a. Click Apply to apply the changes.

b. In the ISA Server Warning dialog box, CHANGE the current selection, and select Save the changes and restart the services, and then click OK.

c. Click OK to close the Saving Configuration Changes dialog box.

3. Open a Command Prompt window to verify the existence of the disk cache file.

File: c:\urlcache\Dir1.cdat

a. Open a Command Prompt window.

b. At the command prompt, type cd  \urlcache, and then press Enter.

c. Type dir, and then press Enter.

The Dir1.cdat file is the disk cache file that ISA Server uses. The file size is 10 MB.

You will use the Dir1.cdat file later in the exercise.

4. Examine the BITS caching setting for the Default rule.

a. In the ISA Server console, in the left pane, select Cache.

b. In the right pane, select the Cache Rules tab.

ISA Server 2006 has two predefined cache rules: the Microsoft Update Cache Rule and the Default rule.

You cannot change or delete the Default rule.

c. Right-click Default rule, and then click Properties.

d. In the Default rule Properties dialog box, select the Advanced tab.

Notice that the built-in Default rule does not enable caching of Background Intelligent Transfer Service (BITS) content.

e. Click Cancel to close the Default rule Properties dialog box.

5. Examine the BITS caching setting for the Microsoft Update Cache Rule.

a. In the right pane, right-click Microsoft Update Cache Rule, and then click Properties.

b. In the Microsoft Update Cache Rule Properties dialog box, select the Advanced tab.

BITS caching is enabled in the Microsoft Update Cache Rule.

The Microsoft Update Cache Rule is predefined, but you can disable or delete the rule if required.

c. On the To tab, select Microsoft Update Domain Name Set, and then click Edit.

The rule applies to requests to the Windows Update and Microsoft Update Web sites. Those are examples of Web sites that use BITS. Client computers that use BITS to download the update files use the HTTP Range request header to download only the parts of the update files that contain the update information they need.

ISA Server 2006 provides BITS Caching. This means that ISA Server can cache the HTTP ranges requested by BITS, without having to download the entire file.

Note: Although this feature is called BITS Caching, it applies to all HTTP range requests, not only to HTTP range requests from BITS.

d. Click Cancel to close the Microsoft Update Domain Name Set Properties dialog box.

e. Click Cancel to close the Microsoft Update Cache Rule Properties dialog box.

Branch office functionality: By using BITS Caching on an ISA Server in a branch office, you can reduce bandwidth usage from the branch office for connections from client computers to Windows Server Update Services (WSUS) in the main office, or to Windows Update and Microsoft Update on the Internet. The responses to HTTP range requests for update files are cached at the ISA Server in the branch office. The same benefit also applies to other applications in the branch office that use HTTP range requests or the BITS protocol.

Note: The computers in the lab environment are not connected to the Internet, and cannot connect to any of the Windows Update or Microsoft Update Web sites. To demonstrate BITS caching, in the next task you will add istanbul.fabrikam.com to the list of Web sites in Microsoft Update Domain Name Set.

6. Add istanbul.fabrikam.com to Microsoft Update Domain Name Set.

a. Right-click Microsoft Update Cache Rule, and then click Properties.

b. On the To tab, select Microsoft Update Domain Name Set, and then click Edit.

c. In the Microsoft Update Domain Name Set Properties dialog box, click Add.

d. Replace the New Domain text by typing istanbul.fabrikam.com, and then press Enter.

e. Click OK to close the Microsoft Update Domain Name Set Properties dialog box.

The destination istanbul.fabrikam.com is included in Microsoft Update Domain Name Set.

f. Click OK to close the Microsoft Update Cache Rule Properties dialog box.

7. Apply the changes.

a. Click Apply to apply the changes, and then click OK.

8. Verify the existence of the Allow Web access (Branch) firewall rule.

a. In the left pane, select Firewall Policy.

In the right pane, notice the Allow Web access (Branch) firewall rule. This rule allows HTTP access from the Internal network to the External network. You created the rule in an earlier exercise.

The BITS service uses the normal HTTP protocol, and adds the HTTP Range request header in order to request parts of the file.

Perform the following steps on the Denver computer.

9. On the Denver computer, examine the BITS service.

a. On the Denver computer, on the Start menu, click Administrative Tools, and then click Services.

The Services console opens.

b. In the Services console, in the right pane, select Background Intelligent Transfer Service.

The BITS service on the client computer transfers data between clients and servers. It has three functions:
- It asynchronously transfers files or file ranges in the background.
- It transfers the data in small chunks, utilizing unused bandwidth as it becomes available.
- It automatically resumes the download later if the computer restarts or if the network disconnects.

Note: The BITS service is automatically started when needed.

c. Close the Services console.

10. Examine the bitsclient.cmd and bitsadmin.exe tools.

Folder: C:\Tools

a. Open a Command Prompt window.

b. At the command prompt, type cd  \tools, and then press Enter.

c. Type dir, and then press Enter.

The Tools folder contains a script file named bitsclient.cmd that you can use to transfer files or file ranges with the BITS protocol.

The bitsclient.cmd script is created for use with this lab. It uses the bitsadmin.exe tool, which you can download from the Microsoft Web site as part of the Windows XP SP2 Support Tools. See http://support.microsoft.com/?kbid=838079 for more information.

Note: If you want to examine the network traffic in more detail in the lab environment, then you can use Network Monitor. The Microsoft Network Monitor 5.2 is installed in each virtual machine.

11. Use the bitsclient tool to download the content2.htm file from Istanbul.

a. At the command prompt, type bitsclient, and then press Enter.

As parameters, the BITS Client tool needs a remote URL, and optionally an offset and length indicating the file range in bytes.

b. Type bitsclient  http://istanbul.fabrikam.com/content2.htm, and then press Enter.

The BITS service connects to the ISA Server, and downloads the content2.htm file from Istanbul.

Perform the following steps on the Paris computer.

12. On the Paris computer, use the find command to verify the presence of the content2.htm content in the disk cache file.

a. On the Paris computer, in the Command Prompt window, in the C:\urlcache folder, type find  /i  "content2.htm"  dir1.cdat, and then press Enter.

You can use the find command to search for text in the disk cache file.

The find command displays multiple entries for content2.htm, indicating the URL of cached content. The entries ending with a semicolon followed by two numbers are 32 KB cached BITS chunks of the content2.htm file.

b. After a few seconds, press Ctrl-C to interrupt the find command, and to avoid searching the entire 10 MB disk cache file.

c. Close the Command Prompt window.

Perform the following steps on the Istanbul computer.

13. On the Istanbul computer, disable the Local Area Connection network adapter.

a. On the Istanbul computer, on the Start menu, click Control Panel, and then right-click Network Connections, and click Open.

The Network Connections window opens.

b. In the Network Connections window, right-click Local Area Connection, and then click Disable.

The network adapter is disabled. This helps demonstrate that ISA Server does not obtain the content2.htm file from Istanbul, but responds to subsequent file range requests from its cache.


Perform the following steps on the Denver computer.

14. On the Denver computer, for demonstrative purposes, request the 11 bytes starting at position 749 in the content2.htm file.

a. On the Denver computer, in the Command Prompt window, in the C:\Tools folder, type bitsclient  http://istanbul.fabrikam.com/content2.htm  749:11, and then press Enter.

Note: You can use the up-arrow key to easily recall the previous command at the command prompt.

For demonstrative purposes, the 11 bytes starting at position 749 in the content2.htm file are requested. The BITS service connects to ISA Server, and requests bytes 749-759 in the content2.htm file. ISA Server obtains this file range from the cache, and sends the 11 bytes to Denver, which saves the data in the bits-job1.txt file.

b. Type type  bits-job1.txt, and then press Enter.

The 11 bytes at that position in the file happen to spell "Lorem ipsum".

This result verifies that ISA Server responded to the BITS file range requests from its cache. ISA Server did not connect to Istanbul, whose network adapter is disabled.

c. Close the Command Prompt window.
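The HTTP Range exchange that the bitsclient tool drives, and the way a cache answers a byte-range request from stored content, as an added example in Python (not part of the lab manual or of bitsadmin.exe). The offset:length syntax mirrors the lab's bitsclient tool, the cached object is a constructed stand-in for content2.htm, and the range handling follows RFC 7233 single byte ranges rather than ISA Server's internal .cdat cache format.

```python
import re

# Constructed stand-in for the cached content2.htm: 749 bytes of markup and
# padding, then the text the lab expects to find at offset 749.
CONTENT2_HTM = b"<html>" + b"." * 743 + b"Lorem ipsum dolor sit amet</html>"

_RANGE_RE = re.compile(r"^bytes=(\d*)-(\d*)$")


def range_header(offset, length):
    """Translate bitsclient's offset:length (e.g. 749:11) into the value BITS
    sends in the HTTP Range request header: bytes=first-last, inclusive."""
    if offset < 0 or length <= 0:
        raise ValueError("offset must be >= 0 and length > 0")
    return "bytes=%d-%d" % (offset, offset + length - 1)


def serve_from_cache(cached, range_value=None):
    """Answer a GET for an object held in the cache without contacting the
    origin server.  Returns (status, headers, body).

    No Range header, or one the cache does not understand: the whole object
    is returned with 200 (RFC 7233 allows a server to ignore Range).
    Satisfiable single range: 206 with a Content-Range header and the slice.
    Unsatisfiable range (past the end, or empty): 416 and an empty body.
    """
    total = len(cached)
    full = (200, {"Content-Length": str(total), "Accept-Ranges": "bytes"}, cached)
    if range_value is None:
        return full
    m = _RANGE_RE.match(range_value.strip())
    if not m or (m.group(1) == "" and m.group(2) == ""):
        return full
    first, last = m.group(1), m.group(2)
    if first == "":
        # Suffix range "bytes=-N": the final N bytes of the object.
        n = int(last)
        if n == 0:
            return 416, {"Content-Range": "bytes */%d" % total}, b""
        start, end = max(total - n, 0), total - 1
    else:
        start = int(first)
        end = total - 1 if last == "" else min(int(last), total - 1)
    if start >= total or start > end:
        return 416, {"Content-Range": "bytes */%d" % total}, b""
    body = cached[start:end + 1]
    headers = {
        "Content-Range": "bytes %d-%d/%d" % (start, end, total),
        "Content-Length": str(len(body)),
        "Accept-Ranges": "bytes",
    }
    return 206, headers, body


def fetch_range(offset, length, cached=CONTENT2_HTM):
    """The lab's `bitsclient <url> 749:11` against the cache: returns the
    status, the Content-Range the client should see, and the bytes saved."""
    status, headers, body = serve_from_cache(cached, range_header(offset, length))
    return status, headers.get("Content-Range"), body


if __name__ == "__main__":
    status, content_range, body = fetch_range(749, 11)
    print(status, content_range, body.decode())  # 206 bytes 749-759/782 Lorem ipsum
```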

Note: The following tasks are needed to avoid conflicts with other lab exercises.

Perform the following steps on the Istanbul computer.

15. On the Istanbul computer, enable the Local Area Connection network adapter.

a. On the Istanbul computer, in the Network Connections window, right-click Local Area Connection, and then click Enable.

The network adapter is enabled.

b. Close the Network Connections window.

Perform the following steps on the Paris computer.

16. On the Paris computer, disable caching.

a. On the Paris computer, in the ISA Server console, in the left pane, select Cache.

b. In the right pane, select the Cache Drives tab.

c. In the task pane, on the Tasks tab, click Disable Caching.

d. Click Yes to confirm that you want to disable caching.

Caching is disabled.

17. Apply the changes and restart the Firewall service.

a. Click Apply to apply the changes.

b. In the ISA Server Warning dialog box, CHANGE the current selection, and select Save the changes and restart the services, and then click OK.

c. Click OK to close the Saving Configuration Changes dialog box.


Exercise 3 Configuring DiffServ Settings to Prioritize Network Traffic

In this exercise, you will configure ISA Server to use Differentiated Services (DiffServ) tagging of HTTP and HTTPS network packets.

Tasks Detailed steps

Note: This lab exercise uses the following computers: Denver - Paris - Istanbul. Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.

Perform the following steps on the Paris computer.

1. On the Paris computer, enable the Web filter for DiffServ tagging.

a. On the Paris computer, in the ISA Server console, under Paris, expand Configuration, and then select Add-ins.

b. In the right pane, select the Web Filters tab.

ISA Server 2006 installs one new Web Filter that provides tagging of network packets, by using the Differentiated Services (DiffServ) model:
- DiffServ Filter - Enables DiffServ tagging of Web traffic.

c. In the right pane, select DiffServ Filter, and then in the task pane, on the Tasks tab, click Enable Selected Filters.

The DiffServ Filter is enabled.

Note: Do not move the DiffServ Filter lower in the list of Web Filters. The filter assigns the packet priority to network packets based on several properties, including the size of the network packet on the network. For an accurate assessment of packet sizes, it has to inspect the traffic as close to the network adapter as possible.

d. Click Apply to apply the changes, and then click OK.

2. Define new DiffServ priorities.

Name: High priority
DiffServ bits: 100110
Size limit: 700 bytes

Name: Medium priority
DiffServ bits: 110110
Size limit: None

a. In the left pane, select General.

DiffServ configuration is a global HTTP Policy setting. This means that it applies to all HTTP and HTTPS traffic that passes through ISA Server to a specified URL, domain or network. DiffServ tagging is not a per-rule setting.

b. In the right pane, click Specify DiffServ Preferences.

c. In the HTTP DiffServ dialog box, on the General tab, select Enable network traffic prioritization.

d. On the Priorities tab, click Add.

ISA Server tags network packets by setting a few bits in the Type of Service (TOS) field of the IP header of the network packet. These are called the DiffServ bits, and form a specific value called DiffServ Codepoint (DS codepoint).

Note: ISA Server does not have any notion of the actual prioritization of certain DS codepoint values over other DS codepoint values. Routers on the network must handle that. ISA Server only assigns the DS codepoint value.

e. In the Add Priority dialog box, complete the following information:
- Priority name: High priority
- DiffServ bits: 100110
- Apply a size limit to this priority: enable
- Size limit: 700
and then click OK.

The size limit specifies a maximum size in bytes of network packets that can use this priority.

f. On the Priorities tab, click Add.


g. In the Add Priority dialog box, complete the following information:
- Priority name: Medium priority
- DiffServ bits: 110110
- Apply a size limit to this priority: disable (is default)
and then click OK.

You have defined two priorities with an associated DiffServ value.

On the other tabs in this dialog box, you will assign specific URLs and domains to the defined priorities. The order of the priorities only matters for network packets that exceed the size limit. Those packets will be assigned to the next priority in the list.

3. Assign priorities to URLs.

URL: istanbul.fabrikam.com/sales
Priority: High priority

URL: istanbul.fabrikam.com
Priority: Medium priority

a. In the HTTP DiffServ dialog box, on the URLs tab, click Add.

The DiffServ filter uses the URL priority assignments for HTTP network traffic, and uses the domain priority assignments for HTTPS network traffic. For outgoing HTTPS network packets, ISA Server does not know the complete URL.

b. In the Add URL Priority dialog box, complete the following information:
- URL: istanbul.fabrikam.com/sales/*
- Priority: High priority
and then click OK.

High priority (DiffServ bits 100110) is assigned to HTTP network packets for URL istanbul.fabrikam.com/sales.

c. On the URLs tab, click Add.

d. In the Add URL Priority dialog box, complete the following information:
- URL: istanbul.fabrikam.com/*
- Priority: Medium priority
and then click OK.

Medium priority (DiffServ bits 110110) is assigned to all other HTTP network packets to the Fabrikam Web site. Notice that the order of the URLs is important.

4. Assign priorities to Domains.

Domain: *.fabrikam.com
Priority: Medium priority

a. In the HTTP DiffServ dialog box, on the Domains tab, click Add.

b. In the Add Domain Priority dialog box, complete the following information:
- Domain: *.fabrikam.com
- Priority: Medium priority
and then click OK.

Medium priority is assigned to all HTTPS network packets to the entire fabrikam.com domain.

5. Enable DiffServ tagging for the External network.

a. In the HTTP DiffServ dialog box, on the Networks tab, select External.

You have enabled DiffServ tagging for network traffic to the External network.

b. Click OK to close the HTTP DiffServ dialog box.
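The tagging decision configured in tasks 2 to 5, as an added Python model (not ISA Server code): ordered priorities with a size limit that makes oversized packets fall through to the next priority, URL assignments for HTTP and domain assignments for HTTPS, tagging only towards networks on which it is enabled, and the six DiffServ bits written into the upper bits of the IPv4 TOS byte. First-match evaluation with a trailing * wildcard is this example's assumption about how ISA Server matches the lists.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# The Priorities tab, in list order: (name, DiffServ bits, size limit or None).
PRIORITIES = [
    ("High priority", "100110", 700),
    ("Medium priority", "110110", None),
]
# The URLs tab (used for HTTP).  Order matters: first match wins.
URL_PRIORITIES = [
    ("istanbul.fabrikam.com/sales/*", "High priority"),
    ("istanbul.fabrikam.com/*", "Medium priority"),
]
# The Domains tab (used for HTTPS, where only the host name is known).
DOMAIN_PRIORITIES = [
    ("*.fabrikam.com", "Medium priority"),
]
# The Networks tab: tagging enabled towards External only, not Internal.
TAGGED_NETWORKS = {"External"}


def dscp_to_tos(bits):
    """Six DiffServ bits -> the IPv4 TOS byte ISA Server writes.  The DS
    codepoint occupies the upper six bits; the low two (ECN) stay clear."""
    if len(bits) != 6 or set(bits) - {"0", "1"}:
        raise ValueError("DiffServ bits must be six binary digits")
    return int(bits, 2) << 2


def tos_to_dscp(tos):
    """Read the DS codepoint back out of a TOS byte as a 6-bit string, e.g.
    when checking a captured packet in Network Monitor."""
    return format((tos >> 2) & 0x3F, "06b")


def _first_match(assignments, subject):
    for pattern, priority in assignments:
        if fnmatchcase(subject, pattern):
            return priority
    return None


def priority_for(url):
    """Which priority name a request is assigned before size limits apply:
    HTTP is matched on host+path against the URLs tab, HTTPS on the host
    against the Domains tab."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        return _first_match(DOMAIN_PRIORITIES, parts.hostname or "")
    return _first_match(URL_PRIORITIES, (parts.hostname or "") + parts.path)


def select_dscp(url, packet_size, dest_network="External"):
    """Return (priority name, DiffServ bits, TOS byte) for one outbound
    packet, or None when the packet goes out untagged."""
    if dest_network not in TAGGED_NETWORKS:
        return None
    name = priority_for(url)
    if name is None:
        return None
    index = [p[0] for p in PRIORITIES].index(name)
    # Size-limit fall-through: a packet larger than its priority's limit is
    # assigned to the next priority in the list, and so on down the list.
    for pname, bits, limit in PRIORITIES[index:]:
        if limit is None or packet_size <= limit:
            return pname, bits, dscp_to_tos(bits)
    return None


if __name__ == "__main__":
    for url, size in [("http://istanbul.fabrikam.com/sales/q3.htm", 500),
                      ("http://istanbul.fabrikam.com/sales/q3.htm", 1400),
                      ("https://istanbul.fabrikam.com/sales/q3.htm", 500)]:
        print(url, size, select_dscp(url, size))
```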

6. Apply the changes.

a. Click Apply to apply the changes, and then click OK.

7. Start the log viewer.

a. In the ISA Server console, in the left pane, select Monitoring.

b. In the right pane, select the Logging tab.

Note: You may (temporarily) need to close the task pane in order to see the Logging tab.

c. In the task pane, on the Tasks tab, click Start Query.

The log viewer will display all current network activity based on the Firewall log file and the Web Proxy log file.

8. Verify the existence of the Allow Web access (Branch) firewall rule.

a. In the left pane, select Firewall Policy.

In the right pane, notice the Allow Web access (Branch) firewall rule. This rule allows HTTP access from the Internal network to the External network. You created the rule in an earlier exercise.

Perform the following steps on the Denver computer.

9. On the Denver computer, use Internet Explorer to connect to http://istanbul.fabrikam.com/default.htm

a. On the Denver computer, open Internet Explorer. In the Address box, type http://istanbul.fabrikam.com/default.htm, and then press Enter.

Internet Explorer displays the home page from Istanbul.

b. Close Internet Explorer.

Perform the following steps on the Paris computer.

10. On the Paris computer, stop the log viewer.

a. On the Paris computer, in the ISA Server console, in the left pane, select Monitoring.

b. In the right pane, select the Logging tab.

c. In the task pane, on the Tasks tab, click Stop Query.

ISA Server displays information about all the network connections since you started the log viewer.

11. Add the Filter Information column to the list of displayed columns.

a. In the right pane, right-click the Log Time column header (or another column header), and then click Add/Remove Columns.

b. In the Add/Remove Columns dialog box, in the Available columns list box, select Filter Information, and then click Add.

The Filter Information log field is moved from the Available columns list to the Displayed columns list.

c. In the Displayed columns list, select Filter Information, and then click Move Up, so that the new column is not last in the list.

d. Click OK to close the Add/Remove Columns dialog box.

12. Examine the contents of the Filter Information log field.

a. In the right pane, scroll the list of log field columns, so that you can see the Filter Information column near the end of the list.

b. In the column headers, double-click the small line between the Filter Information column, and the next column.

The width of the Filter Information column is changed to display the longest value in the Filter Information log field.

c. Scroll the list of log entries until you see text in the Filter Information field.

The log entry represents the connection from 10.1.1.5 (Denver) to 39.1.1.7 (Istanbul) on TCP port 80.

The Filter Information field shows the DiffServ priority used for the request to the server and for the response to the client (Client/Server), for the first packet (First:0/Medium) and for the remaining packets (Last:0/Medium). You did not enable DiffServ on the Internal network, so ISA Server does not use DiffServ tagging in the response to the client (Denver). The rest of the Filter Information field contains HTTP Compression information.


Module G: Enterprise Management of ISA Servers

Exercise 1 Enterprise Policies and Array Policies

In this exercise, you will create an enterprise policy, and apply this policy to multiple ISA Server arrays.

Tasks Detailed steps

Note: This lab exercise uses the following computers: Florence - Firenze. Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.

Perform the following steps on the Florence computer.

1. On the Florence computer, in the ISA Server console, examine the Enterprise nodes, Arrays node and Servers node.

a. On the Florence computer, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.

The ISA Server console opens.

Note: The ISA Server console for ISA Server 2006 Enterprise Edition is not the same as the console for ISA Server 2006 Standard Edition.

b. In the ISA Server console, in the left pane, expand Enterprise.

The ISA Server console for ISA Server 2006 Enterprise Edition has two main areas of configuration:
- Enterprise node - This node allows you to define enterprise policies, enterprise networks, enterprise rule elements and enterprise add-ins.
- Arrays node - This node contains a listing of all the arrays managed within the same enterprise. An array is a group of ISA Server computers that share the same configuration and are managed together.

All configuration that is done at the enterprise level can be applied at the array level.

c. Expand Enterprise Policies, and then select Default Policy.

The ISA enterprise administrator can create one or more enterprise policies. The predefined Default Policy enterprise policy cannot be modified.

d. In the left pane, select Arrays.

An enterprise policy is assigned to each array.

The effective firewall policy is the combination of the firewall policy rules in the enterprise policy and the firewall policy rules at the array-level.

e. Expand Arrays, expand ITALY, expand Configuration, and then select Servers.

The ITALY array contains two ISA Server computers, Firenze and Florence.

When you install ISA Server 2006 Enterprise Edition, ISA Server is always in an array.

2. Examine the Configuration Storage server (CSS) settings.

a. In the left pane, select Arrays.

b. Scroll the right pane, so that you can see the Configuration Server column.

All array configuration information (and enterprise configuration information) is stored in one or more replicating Configuration Storage servers (CSS). A CSS is a computer running Active Directory Application Mode (ADAM). You install ADAM from the ISA Server product CD-ROM.

Compare:
- ISA Server 2006 Enterprise Edition - All configuration information is stored in one or more servers running ADAM. You cannot store the ISA Server 2006 configuration in Active Directory.
- ISA Server 2006 Standard Edition - All configuration information is only stored in the local registry. There is no central database for ISA Server 2006 Standard Edition.

In this lab, the Florence computer is the CSS.

c. Right-click ITALY, and then click Properties.

d. In the ITALY Properties dialog box, select the Configuration Storage tab.

When you make enterprise or array configuration changes in the ISA Server console, and then click Apply, the changes are saved to the CSS. By default every 15 seconds each ISA Server computer checks the CSS for updates and applies those changes.

e. Click Cancel to close the ITALY Properties dialog box.

Note: All domain and workgroup installation combinations are possible:
- ISA Server array members can be installed on servers in a domain, or on servers in a workgroup.
- CSS can be installed on servers in a domain, or on servers in a workgroup.
- CSS can be installed on an ISA Server computer.

In this lab, Florence and Firenze are ISA Server array members in a workgroup. CSS is installed only on Florence.

f. In the left pane, expand PORTUGAL, expand Configuration, and then select Servers.

The PORTUGAL array contains two servers, Lisboa and Lisbon.

Note: The ISA Server 2006 Enterprise Edition console always connects to a particular CSS. It does not connect directly to the ISA Server computers to make changes. This means that you can apply changes to arrays centrally without having to connect to the individual ISA Server array members.

In the right pane, the text in the gray header indicates that currently the Lisboa and Lisbon computers are not available.

3. Examine the four components of the firewall policy rule list:

- System policy rules
- Enterprise rules (before)
- Array-level rules
- Enterprise rules (after)

a. In the left pane, expand Arrays, expand ITALY, and then select Firewall Policy (ITALY).

The firewall policy rules that you create for an array can be in three locations:
- Enterprise Policy Rules (before) - Rules are processed before the array-level firewall policy rules.
- Firewall Policy Rules (array) - Array-level rules.
- Enterprise Policy Rules (after) - Rules are processed after the array-level firewall policy rules.

Only the Firewall Policy Rules (array) are created and managed at the array level. The Enterprise Policy Rules (before and after) are created and managed at the enterprise level in an Enterprise Policy, which is assigned to the array.

b. In the task pane, on the Tasks tab, click Show System Policy Rules.

In the right pane, 34 predefined access rules to or from the Local Host (ISA Server computers) are shown.

Note: ISA Server 2006 Standard Edition only has the first 30 system policy rules. The last four system policy rules (31 to 34) specifically apply to traffic to and from ISA Server arrays.

The effective firewall policy is the combination of the following rules, in order:
- System policy rules
- Enterprise policy rules (before)
- Array-level rules
- Enterprise policy rules (after)
The Default rule (deny all traffic) is always listed last.

c. On the Tasks tab, click Hide System Policy Rules.

4. Create a new enterprise policy:

Name: Company Enterprise Policy

a. In the left pane, expand Enterprise, expand Enterprise Policies, and then select Enterprise Policies.

An ISA enterprise administrator can create one or more enterprise policies, and assign an enterprise policy to one or more arrays. Initially only the Default Policy enterprise policy exists.

b. In the task pane, on the Tasks tab, click Create New Enterprise Policy.

c. In the New Enterprise Policy Wizard dialog box, in the Enterprise policy name text box, type Company Enterprise Policy, and then click Next.

d. On the Completing the New Enterprise Policy Wizard page, click Finish.

A new enterprise policy named Company Enterprise Policy is created.

The enterprise policy is not assigned to an array yet.

e. In the left pane (NOT the right pane), select Company Enterprise Policy.

All enterprise policies (including Default Policy) always contain the Default rule, which is always listed last. The Default rule denies all network traffic.

5. Create an enterprise network:

Name: All Internal Networks

Network addresses:
10.1.1.0 - 10.1.1.255
10.4.1.0 - 10.4.1.255

a. In the left pane, select Enterprise Networks.

ISA Server 2006 Enterprise Edition has four predefined enterprise networks.

These four networks always map to the array-level network with the same name. They do not define any IP address ranges at the enterprise level. Instead the predefined enterprise networks act as placeholders for use in enterprise-level firewall policy rules.

Note: ISA Server does not have a predefined enterprise network for the Internal network. In this task, you will create a new custom enterprise network for the Internal network.

b. In the task pane, on the Tasks tab, click Create a New Network.

c. In the New Network Wizard dialog box, in the Network name text box, type All Internal Networks, and then click Next.

Custom enterprise networks are different from predefined enterprise networks. They do define IP address ranges.

d. On the Network Addresses page, click Add Range.

e. In the IP Address Range Properties dialog box, complete the following information:
- Start address: 10.1.1.0
- End address: 10.1.1.255
and then click OK.

10.1.1.0-10.1.1.255 is the IP address range of the Internal network for the ITALY array.

f. On the Network Addresses page, click Add Range again.

g. In the IP Address Range Properties dialog box, complete the following information:
- Start address: 10.4.1.0
- End address: 10.4.1.255
and then click OK.

10.4.1.0-10.4.1.255 is the IP address range of the Internal network for the PORTUGAL array.

h. On the Network Addresses page, click Next.

i. On the Completing the New Network Wizard page, click Finish.

A new enterprise network named All Internal Networks is created.

Note: For ease of management, when you have a large number of networks, you can create an Enterprise Network Set which groups multiple existing enterprise networks.

6. In Company Enterprise Policy, create a new access rule:

Name: Baseline - Allow HTTP traffic to Internet

Applies to: HTTP

From network: All Internal Networks
To network: External

a. In the left pane, select Company Enterprise Policy, and then in the right pane, select Default rule.

b. In the task pane, on the Tasks tab, click Create Enterprise Access Rule.

Note: You cannot create publishing rules in an enterprise policy. An enterprise policy only contains access rules.

Also note that system policy rules are only defined at the array level.

c. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Baseline - Allow HTTP traffic to Internet, and then click Next.

d. On the Rule Action page, select Allow, and then click Next.

e. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.

f. In the Add Protocols dialog box, click Common Protocols, click HTTP, click Add, and then click Close to close the Add Protocols dialog box.

g. On the Protocols page, click Next.

h. On the Access Rule Sources page, click Add.

i. In the Add Network Entities dialog box, click Enterprise Networks, click All Internal Networks, click Add, and then click Close to close the Add Network Entities dialog box.

All Internal Networks represents the Internal networks of ITALY and PORTUGAL.

j. On the Access Rule Sources page, click Next.

k. On the Access Rule Destinations page, click Add.

l. In the Add Network Entities dialog box, click Enterprise Networks, click External, click Add, and then click Close to close the Add Network Entities dialog box.

The External enterprise network maps to the External network in each array.

m. On the Access Rule Destinations page, click Next.

n. On the User Sets page, click Next.

o. On the Completing the New Access Rule Wizard page, click Finish.

A new enterprise access rule is created that allows the HTTP protocol from All Internal Networks to the External network for all users.

Note: The new access rule is listed in the enterprise policy rules section that is after the Array Firewall Policy section. When this enterprise policy is applied to an array, the array administrators can override this enterprise access rule with an array access rule that is listed earlier.

7. Assign Company Enterprise Policy to the ITALY array.

a. In the left pane, right-click ITALY, and then click Properties.

b. In the ITALY Properties dialog box, select the Policy Settings tab.

Currently the Default Policy enterprise policy is assigned to the ITALY array.

c. In the Enterprise policy list box, select Company Enterprise Policy.

The Company Enterprise Policy is assigned to the ITALY array.

Notice that you can specify what types of rules the array administrator can create for the array firewall policy.

d. Click OK to close the ITALY Properties dialog box.

8. Assign Company Enterprise Policy to the PORTUGAL array.

a. In the left pane, right-click PORTUGAL, and then click Properties.

b. In the PORTUGAL Properties dialog box, select the Policy Settings tab.

Currently the Default Policy enterprise policy is assigned to the PORTUGAL array.

c. In the Enterprise policy list box, select Company Enterprise Policy.

The Company Enterprise Policy is assigned to the PORTUGAL array.

d. Click OK to close the PORTUGAL Properties dialog box.

9. Examine the firewall policy of the PORTUGAL array.

a. In the left pane, select Firewall Policy (PORTUGAL).

b. In the right pane, right-click the Baseline - Allow HTTP traffic to Internet rule, and then click Properties.

c. In the access rule properties dialog box, select the Action tab.

Notice that you cannot modify enterprise firewall policy rules at the array level.

d. Click Cancel to close the access rule properties dialog box.

10. Collapse the PORTUGAL node.

a. In the left pane, collapse the PORTUGAL node.

The PORTUGAL node is not used in later exercises.

11. Create a new enterprise protocol definition:

Name: Attack Ports

Protocols:
- TCP 12345 (outbound)
- TCP 31337 (outbound)

a. In the left pane, select Enterprise Policies.

b. In the task pane, on the Toolbox tab, in the Protocols section, on the New menu, click Protocol.

c. In the New Protocol Definition Wizard dialog box, in the Protocol definition name text box, type Attack Ports, and then click Next.

You will use the Attack Ports protocol definition in a new enterprise access rule.

d. On the Primary Connection Information page, click New.

e. In the New/Edit Protocol Connection dialog box, complete the following information:
- Protocol type: TCP
- Direction: Outbound
- From: 12345
- To: 12345
and then click OK.

TCP port 12345 is used by many Trojan horse applications.

f. On the Primary Connection Information page, click New.

g. In the New/Edit Protocol Connection dialog box, complete the following information:
- Protocol type: TCP
- Direction: Outbound
- From: 31337
- To: 31337
and then click OK.

TCP port 31337 is also used by Trojan horse applications.

h. On the Primary Connection Information page, click Next.

i. On the Secondary Connections page, click Next.

j. On the Completing the New Protocol Definition Wizard page, click Finish.


A new enterprise protocol definition is created which defines ports used by Trojan horse applications.

Note: The new enterprise protocol definition can be used in access rules in all enterprise policies, and in the array firewall policy of all arrays.

12. In Company Enterprise Policy, create a new access rule:

Name: Block - Trojan horse traffic

Applies to: Attack Ports

From network: All Internal Networks
To network: External

a. In the left pane, select Company Enterprise Policy, and then in the right pane, select Baseline - Allow HTTP traffic to Internet.

The new rule will be placed before the selected rule.

b. In the task pane, on the Tasks tab, click Create Enterprise Access Rule.

c. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Block - Trojan horse traffic, and then click Next.

d. On the Rule Action page, select Deny, and then click Next.

e. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.

f. In the Add Protocols dialog box, click User-Defined, click Attack Ports, click Add, and then click Close to close the Add Protocols dialog box.

g. On the Protocols page, click Next.

h. On the Access Rule Sources page, click Add.

i. In the Add Network Entities dialog box, click Enterprise Networks, click All Internal Networks, click Add, and then click Close to close the Add Network Entities dialog box.

j. On the Access Rule Sources page, click Next.

k. On the Access Rule Destinations page, click Add.

l. In the Add Network Entities dialog box, click Enterprise Networks, click External, click Add, and then click Close to close the Add Network Entities dialog box.

m. On the Access Rule Destinations page, click Next.

n. On the User Sets page, click Next.

o. On the Completing the New Access Rule Wizard page, click Finish.

A new enterprise access rule is created that denies certain network traffic from All Internal Networks to the External network for all users.

p. Right-click Block - Trojan horse traffic, and then click Move Up.

The access rule is now listed in the enterprise policy rules section that is before the Array Firewall Policy section. Array administrators cannot override this enterprise access rule in an array access rule.

Note: By default, ISA Server blocks network traffic on all ports on the Internal network. The Block - Trojan horse traffic enterprise access rule prevents unintended access when an array administrator creates an array access rule that allows access to all protocols.
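The rule-ordering described in task 3 and the override behaviour noted for the two enterprise rules, as an added Python model (not ISA Server code): the effective policy is system policy, enterprise rules (before), array rules, enterprise rules (after) and the Default rule, evaluated first match wins. The rule representation, the simplified network mapping (the array's Internal range is also in All Internal Networks, everything else is External) and the sample addresses are this example's constructions; the port numbers are the lab's Attack Ports definition.

```python
import ipaddress
from collections import namedtuple

# A firewall rule: action is "allow" or "deny"; protocols is ANY or a set of
# (protocol, port) tuples; from_net/to_net are network names or ANY.
Rule = namedtuple("Rule", "name action protocols from_net to_net")
ANY = "*"

# Array-level Internal networks of the two arrays in the lab.
INTERNAL_RANGES = {
    "ITALY": ipaddress.ip_network("10.1.1.0/24"),
    "PORTUGAL": ipaddress.ip_network("10.4.1.0/24"),
}


def networks_of(ip, array="ITALY"):
    """Network names an address belongs to, as seen from one array.  The
    array's own Internal network is also part of the enterprise network
    All Internal Networks; addresses outside every internal range fall into
    External (a simplification of ISA's network model for this example)."""
    addr = ipaddress.ip_address(ip)
    if addr in INTERNAL_RANGES[array]:
        return {"Internal", "All Internal Networks"}
    if any(addr in net for net in INTERNAL_RANGES.values()):
        return {"All Internal Networks"}
    return {"External"}


def rule_matches(rule, proto_port, src_nets, dst_nets):
    proto_ok = rule.protocols == ANY or proto_port in rule.protocols
    src_ok = rule.from_net == ANY or rule.from_net in src_nets
    dst_ok = rule.to_net == ANY or rule.to_net in dst_nets
    return proto_ok and src_ok and dst_ok


def effective_policy(system_rules, enterprise_before, array_rules, enterprise_after):
    """The combined rule list in the order ISA Server evaluates it.  The
    Default rule (deny all traffic) is always last."""
    default = Rule("Default rule", "deny", ANY, ANY, ANY)
    return (list(system_rules) + list(enterprise_before) + list(array_rules)
            + list(enterprise_after) + [default])


def evaluate(policy, proto_port, src_ip, dst_ip, array="ITALY"):
    """First matching rule decides.  Returns (action, rule name)."""
    src_nets, dst_nets = networks_of(src_ip, array), networks_of(dst_ip, array)
    for rule in policy:
        if rule_matches(rule, proto_port, src_nets, dst_nets):
            return rule.action, rule.name
    raise AssertionError("unreachable: the Default rule matches everything")


# Company Enterprise Policy as built in this exercise.
ATTACK_PORTS = {("tcp", 12345), ("tcp", 31337)}
HTTP = {("tcp", 80)}
ENTERPRISE_BEFORE = [
    Rule("Block - Trojan horse traffic", "deny", ATTACK_PORTS,
         "All Internal Networks", "External"),
]
ENTERPRISE_AFTER = [
    Rule("Baseline - Allow HTTP traffic to Internet", "allow", HTTP,
         "All Internal Networks", "External"),
]


def italy_policy(array_rules):
    """Firewall Policy (ITALY) with Company Enterprise Policy assigned.
    System policy rules concern the Local Host and are omitted here."""
    return effective_policy([], ENTERPRISE_BEFORE, array_rules, ENTERPRISE_AFTER)


if __name__ == "__main__":
    # An array administrator's over-broad rule: allow everything outbound.
    # The enterprise 'before' deny still wins for the Attack Ports.
    allow_all = Rule("Allow all outbound", "allow", ANY, "Internal", "External")
    policy = italy_policy([allow_all])
    for port in (80, 12345):
        print(port, evaluate(policy, ("tcp", port), "10.1.1.5", "39.1.1.7"))
```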

13. Examine the firewall policy of the ITALY array.

a. In the left pane, select Firewall Policy (ITALY).

The new access rule in the enterprise policy appears in the firewall policy for the ITALY array.

b. In the task pane, on the Toolbox tab, in the Protocols section, expand User-Defined.

The Attack Ports enterprise protocol definition is available for use in array-level firewall policy rules as well.

14. Assign Default Policy to the ITALY array.

a. In the left pane, right-click ITALY, and then click Properties.

b. In the ITALY Properties dialog box, select the Policy Settings tab.

c. In the Enterprise policy text box, select Default Policy, and then click OK.

The Default Policy enterprise policy is assigned to the ITALY array.


d. In the left pane, select Firewall Policy (ITALY).

Notice that the firewall policy no longer contains the two enterprise access rules from the Company Enterprise Policy.

Note: The following task is needed to avoid conflicts with other lab exercises.

15. Discard the changes.

a. In the right pane, click Discard to discard all the changes made in this exercise.

b. Click Yes to confirm that you want to discard the changes.

If you clicked Apply during this exercise, Company Enterprise Policy may be assigned to the ITALY array. To change this, assign Default Policy to the ITALY array, and then click Apply and OK again.


Exercise 2 Remote Management and Role-based Administration

In this exercise, you will configure ISA Server to allow remote management.

You can connect remotely to manage ISA Server using the ISA Server console, or using a Remote Desktop connection.


Note: This lab exercise uses the following computers: Denver - Florence - Firenze. Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.

Perform the following steps on the Florence computer.

1. On the Florence computer, add the Denver computer (10.1.1.5) to the Enterprise Remote Management Computers computer set.

a. On the Florence computer, in the ISA Server console, in the left pane, expand Enterprise, and then select Enterprise Policies.

b. In the task pane, on the Toolbox tab, in the Network Objects section, expand Computer Sets.

The Enterprise Remote Management Computers computer set contains all the computers from which you can manage all the arrays in the enterprise.

c. Right-click Enterprise Remote Management Computers, and then click Properties.

d. In the Enterprise Remote Management Computers Properties dialog box, click Add, and then click Computer.

e. In the New Computer Rule Element dialog box, complete the following information:
- Name: Denver
- Computer IP Address: 10.1.1.5
and then click OK.

Denver (10.1.1.5) is added to the Enterprise Remote Management Computers computer set, so that you can manage the ISA Server array configuration from the Denver computer.

f. Click OK to close the Enterprise Remote Management Computers Properties dialog box.

2. For the ITALY array, examine the Remote Management Computers computer set.

a. In the left pane, select Firewall Policy (ITALY).

b. In the task pane, on the Toolbox tab, in the Network Objects section, expand Computer Sets.

c. Right-click Enterprise Remote Management Computers, and then click Properties.

Notice that you cannot modify the enterprise-level policy elements at the array level. The Add, Edit, and Delete buttons are grayed out.

d. Click Cancel to close the Enterprise Remote Management Computers Properties dialog box.

e. Right-click Remote Management Computers, and then click Properties.

The array-level Remote Management Computers computer set contains all the computers from which you can manage this array (ITALY). Each array has its own Remote Management Computers computer set.

You can manage an array from the computers in the Enterprise Remote Management Computers computer set, and from the computers in the Remote Management Computers computer set.

f. Click Cancel to close the Remote Management Computers Properties dialog box.

3. Examine the system policy rules that are used by the remote management computers:

System policy rules: 2 - 3 - 4 - 11 - 20 - 32

a. In the task pane, on the Tasks tab, click Show System Policy Rules.

The array-level system policy rules are displayed. There are no enterprise-level system policy rules.

b. In the System Policy Rules list, select system policy rule 2.

A total of six system policy rules allow access from the Remote Management Computers and the Enterprise Remote Management Computers to Local Host (ISA Server):
- Rule 2 - Allows access from the ISA Server console (MMC) to the ISA Server. This is NOT the rule that allows you to configure ISA Server, because that is done by connecting to the Configuration Storage Server (CSS). This rule only allows access to the information in the Monitoring node.
- Rule 3 - Allows access to the ISA Server computer with a Remote Desktop (Terminal Services) connection.
- Rule 4 - Allows access to the ISA Server computer from a Web application. This applies to ISA Server 2006 appliances.
- Rule 11 - Allows you to ping the ISA Server computer.
- Rule 20 - Allows access to the Performance Monitor information on the ISA Server computer. The rule is disabled by default.
- Rule 32 - Allows access to the CSS to configure the array. This rule only applies when CSS is installed on ISA Server. In this lab, CSS is installed on Florence.

c. In the task pane, on the Tasks tab, click Hide System Policy Rules.

4. Use System properties to enable remote desktop.

a. On the Start menu, click Control Panel, and then click System.

Before Denver can connect using Remote Desktop (using system policy rule 3), remote desktop must be enabled on Florence.

b. In the System Properties dialog box, on the Remote tab, in the Remote Desktop box, select Enable Remote Desktop on this computer.

c. Click OK to acknowledge that remote connection accounts must have passwords, and that the correct port must be open for remote connections.

d. Click OK to close the System Properties dialog box.

5. Create a new user account.

Name: David

Password: Password2

Change password at next logon: disable

Member of: Remote Desktop Users

a. On the Start menu, click Administrative Tools, and then click Computer Management.

b. In the Computer Management console, in the left pane, expand Local Users and Groups, and then select Users.

Note: The (Enterprise) Remote Management Computers computer sets allow you to specify which computers can connect to ISA Server for remote management. However, whether you connect remotely or administer ISA Server locally, you always need to authenticate with a user account that is assigned a monitoring role or an administration role on ISA Server.

Florence and Firenze are in a workgroup. This means that they do not share user account information. To allow remote monitoring and administration of both Florence and Firenze, you have to create a mirrored user account on Florence and Firenze. A mirrored user account is a local user account with the same user name and password.

For arrays with array members in a domain you can use domain accounts, instead of mirrored local accounts.

c. Right-click Users, and then click New User.

d. In the New User dialog box, complete the following information:
- User name: David
- Password: Password2
- Confirm password: Password2
- User must change password at next logon: disable
and then click Create.

e. Click Close to close the New User dialog box.

f. Right-click David, and then click Properties.

g. In the David Properties dialog box, on the Member Of tab, click Add.

h. In the Select Groups dialog box, type Remote Desktop Users, and then click OK.

The Remote Desktop Users group grants David remote desktop permission, and the necessary user right to log on through Terminal Services.

i. Click OK to close the David Properties dialog box.

You will assign David the Array Administrator role on ITALY. This grants the account full control permission on the array configuration in CSS.

You will also assign David permission to monitor the Florence ISA Server.

j. Close the Computer Management console.

Perform the following steps on the Firenze computer.

6. On the Firenze computer, create a new (mirrored) user account.

Name: David

Password: Password2

Change password at next logon: disable

a. On the Firenze computer, on the Start menu, click Administrative Tools, and then click Computer Management.

b. In the Computer Management console, in the left pane, expand Local Users and Groups, and then select Users.

c. Right-click Users, and then click New User.

d. In the New User dialog box, complete the following information:
- User name: David
- Password: Password2
- Confirm password: Password2
- User must change password at next logon: disable
and then click Create.

e. Click Close to close the New User dialog box.

You will assign David permission to monitor the Firenze ISA Server.

f. Close the Computer Management console.

Note: If you want to connect to Firenze using a remote desktop connection, then you must enable remote desktop on Firenze, and add David to the Remote Desktop Users group.

Perform the following steps on the Florence computer.

7. On the Florence computer, assign array administrative roles:

Array Administrator: FLORENCE\David

Mirrored monitor account: David

a. On the Florence computer, in the ISA Server console, in the left pane, right-click ITALY, and then click Properties.

b. In the ITALY Properties dialog box, on the Assign Roles tab, click the top Add button.

You use role-based administration to organize ISA Server administration into predefined roles. The roles represent functions in an organization that may be assigned to administer ISA Server. When you assign a role to a user or a group, only the permissions needed for the tasks associated with that role are granted.

ISA Server has three array-level administrative roles.

c. In the Administration Delegation dialog box, complete the following information:
- Group or User: FLORENCE\David
- Role: ISA Server Array Administrator
and then click OK.

The David account on Florence is granted full control on the ITALY array configuration in CSS, and read-only permission on the enterprise configuration.

d. Click OK to acknowledge that you must assign this role to the mirrored account.

e. Click the bottom Add button.

f. In the Administration Delegation dialog box, complete the following information:
- Group or User: David
- Role: ISA Server Array Administrator
and then click OK.

The David accounts on Florence and on Firenze are granted permission to monitor the ISA Server.

g. Click OK to close the ITALY Properties dialog box.

8. Examine the enterprise administrative roles.

a. In the left pane, right-click Enterprise, and then click Properties.

b. In the Enterprise Properties dialog box, select the Assign Roles tab.

You can assign administrative roles at three levels in ISA Server:
- Enterprise-level: Allows administrative control over the enterprise configuration and all array configurations.
- Enterprise policy-level: (Per enterprise policy) Allows creation of enterprise policy rules for a single enterprise policy.
- Array-level: (Per array) Allows administrative control over the array configuration of a single array.

c. Click Cancel to close the Enterprise Properties dialog box.

9. Start the Array Status Monitor to quickly see the current CSS status.

File: C:\Tools\Status\ArrayStatus.hta

a. Use Windows Explorer (or My Computer) to open the C:\Tools\Status folder.

b. In the Status folder, right-click ArrayStatus.hta, and then click Open.

Array Status Monitor is an HTML application for use with this lab. It continually displays the CSS synchronization status and the NLB status of the array.

This is the same information that is displayed in the ISA Server console at the Monitoring node on the Configuration tab (CSS Status) and on the Services tab (NLB Status).

c. Close the Status folder.

10. Apply the changes.

a. Click Apply to save the changes, and then click OK. Use the Array Status Monitor to wait until the CSS status is Synced.

Perform the following steps on the Denver computer.

11. On the Denver computer, use ISA Server console to connect to ITALY.

CSS: Florence

CSS credentials: David / Password2

Monitor credentials: David / Password2

a. On the Denver computer, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.

Note: Denver does not run ISA Server. Only the ISA Server console is installed.

b. In the ISA Server console, in the left pane, select Microsoft Internet Security and Acceleration Server 2006, and then in the task pane, on the Tasks tab, click Connect to Configuration Storage Server.

c. In the Configuration Storage Server Connection Wizard dialog box, click Next.

d. On the Configuration Storage Server Location page, in the On remote computer (remote management) text box, type Florence, and then click Next.

e. On the Configuration Storage Server Credentials page, complete the following information:
- Credentials of the following user: enable
- User name: David
- Password: Password2
and then click Next.

These credentials (David) are used to connect to CSS.

f. On the Array Connection Credentials page, select The same credentials used to connect to the Configuration Storage Server, and then click Next.

The same credentials (David) are used to monitor the ISA Server array members.

g. On the Completing the Connection Wizard page, click Finish.

The ISA Server console on Denver connects to the CSS on Florence (using system policy rule 32).

12. Attempt to create a new enterprise policy.

a. In the ISA Server console, in the left pane, expand Enterprise.

b. Right-click Enterprise Policies, click New, and then click Enterprise Policy.

The David account only has read-only permissions at the enterprise-level. You cannot create a new enterprise policy.

c. Click OK to acknowledge that you do not have necessary permissions.

13. Examine the services information for the array members.

a. In the left pane, expand Arrays.

Notice that you only see the ITALY array. As array administrator for ITALY, you cannot see other arrays for which you do not have permissions, such as PORTUGAL.

b. Expand ITALY, and then select Monitoring.

c. In the right pane, select the Services tab.

The ISA Server console on Denver connects to Florence and Firenze to obtain services information (using system policy rule 2).

14. Disconnect from the enterprise, and close the ISA Server console.

a. In the left pane, select Microsoft Internet Security and Acceleration Server 2006.

b. In the task pane, on the Tasks tab, click Disconnect from Enterprise.

c. Click Yes to confirm that you want to disconnect from the enterprise.

The ISA Server console is no longer connected to a CSS.

d. Close the ISA Server console.

15. Create a remote desktop connection to Florence.

Log on:
- User name: David
- Password: Password2

a. On the Start menu, click All Programs, click Accessories, click Communications, and then click Remote Desktop Connection.

b. In the Remote Desktop Connection dialog box, in the Computer text box, type Florence, and then click Connect.

Denver creates a remote desktop connection to Florence (using system policy rule 3).

c. In the Log On to Windows dialog box, complete the following information:
- User name: David
- Password: Password2
and then click OK.

David successfully logs on to Florence.

16. Use the ISA Server console to examine the permissions of David.

a. On the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.

The ISA Server console appears.

b. In the ISA Server console, expand Arrays.

Note: Even though you (David) are logged on to the computer that runs CSS, you have no permissions to see the PORTUGAL array.

c. Expand ITALY, and then select Monitoring.

d. In the right pane, select the Services tab.

Denver creates the remote desktop connection to Florence. However, the connection to Firenze (to obtain the services information) is now created from Florence. System policy rule 2 allows this traffic for members of the Array Servers computer set, which includes Florence.

e. Close the ISA Server console.

17. Log off from the remote desktop connection.

a. On the Start menu, click Log Off.

b. Click Log Off to confirm that you want to log off.

The remote desktop connection is reset. The Denver desktop appears again.

Note: The following task is needed to avoid conflicts with other lab exercises.

Perform the following steps on the Florence computer.

18. On the Florence computer, use System properties to disable remote desktop.

a. On the Florence computer, on the Start menu, click Control Panel, and then click System.

b. In the System Properties dialog box, on the Remote tab, in the Remote Desktop box, CLEAR the Enable Remote Desktop on this computer check box.

c. Click OK to close the System Properties dialog box.


Exercise 3 Working with Configuration Storage Servers (Optional)

In this exercise, you will examine details on how ISA Server uses a Configuration Storage server (CSS) to save configuration data.


Note: This lab exercise uses the following computer: Florence. Refer to the beginning of the manual for instructions on how to start the computer. Log on to the computer.

Perform the following steps on the Florence computer.

1. On the Florence computer, examine the Configuration Storage server (CSS) settings.

a. On the Florence computer, in the ISA Server console, in the left pane, right-click ITALY, and then click Properties.

b. In the ITALY Properties dialog box, select the Configuration Storage tab.

When you make enterprise or array configuration changes in the ISA Server console, and then click Apply, the changes are saved to the Configuration Storage server (CSS).

Periodically each ISA Server computer checks the CSS for updates, and applies those changes. Each ISA Server keeps a local copy of the array configuration, and synchronizes the local copy with the updates from the CSS.

c. Open the Check the Configuration Storage server for updates every list box.

You can change how often the ISA Servers in the array contact the CSS to check for updates. The default is every 15 seconds. The minimum is every 3 seconds.

Note: This poll rate is stored in the array configuration data as well. In the lab environment, do not change this to 10 minutes or 60 minutes and apply the change, because ISA Server will then wait 10 or 60 minutes before it checks the CSS and picks up the setting that changes it back again.

d. Close the Check the Configuration Storage server for updates every list box.

The Configuration Storage server text box shows that the ITALY array uses Florence as (primary) CSS. This means that CSS is installed on an array member. You can also install CSS on a separate server. The server can be in a workgroup, or in a domain.

ISA Server only contacts the Alternate Configuration Storage server, after the primary CSS has been unavailable for more than 30 minutes. After using the alternate CSS for 6 hours, ISA Server switches back to the primary CSS if it is available again.

e. Click Cancel to close the ITALY Properties dialog box.

2. In the ISA Server installation folder, examine the ChangeStorageServer.vbs script.

a. Open a Command Prompt window.

b. At the command prompt, type cd \Program Files\Microsoft ISA Server, and then press Enter.

c. Type cscript.exe ChangeStorageServer.vbs /?, and then press Enter.

ISA Server obtains the address of the primary CSS and alternate CSS from the local copy of the array configuration data. However, when those CSS computers become unavailable, ISA Server is not able to connect to a CSS and update its local copy to use a new CSS.

To solve this problem, you can use the ChangeStorageServer.vbs script in the ISA Server installation folder to change the CSS address in the local copy of the configuration data. The script is available from the ISA Server product CD-ROM.

Note: This is the only scenario where you directly change the local copy of the array configuration data.

d. Do not close the Command Prompt window.

3. In the Services console, examine the ISASTGCTRL service.

a. On the Start menu, click Administrative Tools, and then click Services.

b. In the Services console, right-click ISASTGCTRL, and then click Properties.

CSS is an instance of Active Directory Application Mode (ADAM). ADAM is an LDAP service that runs as a user service. It provides data storage and retrieval for directory-enabled applications. ADAM provides much of the same functionality as Active Directory, but it does not require the deployment of domains or domain controllers.

You install ADAM from the ISA Server product CD-ROM.

c. Click Cancel to close the ISASTGCTRL Properties (Local Computer) dialog box.

d. Close the Services console.

4. In the Event Viewer console, examine the ADAM (ISASTGCTRL) log.

a. On the Start menu, click Administrative Tools, and then click Event Viewer.

b. In the Event Viewer console, in the left pane, select ADAM (ISASTGCTRL).

ADAM uses a separate event log file to record events.

The ADAM event log is especially important when you deploy CSS on multiple computers in the same enterprise and want to troubleshoot CSS replication issues.

c. Close the Event Viewer console.

5. Examine the CSS authentication setting.

a. In the ISA Server console, in the left pane, right-click ITALY, and then click Properties.

b. In the ITALY Properties dialog box, on the Configuration Storage tab, click Select.

To ensure that ISA Server synchronizes with a valid CSS, either Windows authentication or authentication over SSL is used.

When CSS or ISA Server is in a workgroup, you cannot use Windows authentication, and must use authentication over SSL instead.

c. Click Cancel to close the Select Authentication Type dialog box.

d. Click Cancel to close the ITALY Properties dialog box.

6. In the ISA Server installation folder, examine ISACertTool.exe.

e. In a Command Prompt window, in the C:\Program Files\Microsoft ISA Server folder, type isacerttool.exe /?, and then press Enter.

You can use ISACertTool.exe to install a Web server certificate on the CSS computer. Alternatively, you can use the Repair option in Add or Remove Programs.

You can download ISACertTool from www.microsoft.com/isaserver/downloads.

Note: Even though it is common to refer to a server authentication certificate as a Web server certificate, CSS is not a Web server. The certificate on the CSS computer is used for LDAP over SSL (LDAPS), not HTTP over SSL (HTTPS).

f. Do not close the Command Prompt window.

7. Use the Certificates console to examine the Web server certificate for the ISASTGCTRL service account.

a. On the Start menu, click Run.

b. In the Run dialog box, type mmc.exe, and then click OK.

A new empty Microsoft Management Console (MMC) opens.

c. In the Console1 window, on the File menu, click Add/Remove Snap-in.


d. In the Add/Remove Snap-in dialog box, click Add.

e. In the Add Standalone Snap-in dialog box, select Certificates, and then click Add.

f. In the Certificates snap-in dialog box, select Service account, and then click Next.

g. In the Select Computer dialog box, select Local computer, and then click Next.

h. In the Certificates snap-in dialog box, in the Service account list box, select ISASTGCTRL, and then click Finish.

i. Click Close to close the Add Standalone Snap-in dialog box.

j. Click OK to close the Add/Remove Snap-in dialog box.

The Certificates snap-in for the ISASTGCTRL service account is added to the console.

k. Maximize the Console Root window.

l. In the left pane, expand Certificates - Service (ISASTGCTRL), expand ADAM_ISASTGCTRL\Personal, and then select Certificates.

The certificate store for the ISASTGCTRL service account lists the Web server certificates that are used when ISA Server computers connect to the CSS using SSL.

m. In the right pane, right-click the Florence certificate, and then click Open.

The ISA Server computers in the ITALY array (Florence and Firenze) connect to the CSS on Florence to check for updates of the configuration. The name on the certificate (Florence) must match the primary or alternate CSS name used in the array configuration.

You can use ISACertTool.exe or the Repair option in Add or Remove Programs to install a new Web server certificate for the ISASTGCTRL service account.

n. Click OK to close the Certificate dialog box.

o. Close the Console1 window. Click No to confirm that you do not want to save console settings to Console1.

8. Use the dsdbutil tool to examine the LDAP ports used by CSS.

a. On the Start menu, click All Programs, click ADAM, and then click ADAM Tools Command Prompt.

A Command Prompt window opens in the C:\Windows\ADAM folder. The folder contains several tools to use with the ADAM database.

b. At the command prompt, type dsdbutil, and then press Enter.

The dsdbutil.exe tool provides management facilities for the ADAM database file.

c. At the dsdbutil: prompt, type list instances, and then press Enter.

The output of the command shows information about the ADAM instances running on this computer. ISA Server only uses a single instance of ADAM.

The ISASTGCTRL ADAM instance uses LDAP TCP port 2171 and LDAP over SSL TCP port 2172.

Note: If you install CSS on a domain controller these ports do not interfere with the default Active Directory LDAP (389 and 3268) and LDAP over SSL (636 and 3269) TCP ports. ISA Server supports installation of CSS on a domain controller.

d. At the dsdbutil: prompt, type quit, and then press Enter.

9. Use the ldp tool to check the LDAP SSL connection to CSS.

a. At the command prompt, type ldp, and then press Enter.

The ldp.exe tool can be used to run any LDAP query against the ADAM directory service. For use with ISA Server, this is also a convenient tool to check SSL connectivity after you have installed a Web server certificate on CSS.


b. In the Ldp window, on the Connection menu, click Connect.

c. In the Connect dialog box, complete the following information:
- Server: Florence
- Port: 2172
- Connectionless: disable (is default)
- SSL: enable
and then click OK.

When a Web server certificate with the correct name is installed, ldp shows the contents of the ADAM RootDSE information. Otherwise a connection error is shown.

d. Close the Ldp window.
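The same check as a script, added here as an example that is not part of the lab manual: it connects to the CSS on TCP port 2172, requires a server certificate that chains to a CA file and names the configured CSS, and then sends the RootDSE search that ldp issues after Connect. The host name Florence, the CA file path and the sample response are assumptions.

```python
# Added example, not from the lab manual: a scripted version of the ldp check
# against the CSS. Host names, CA file path and sample response are assumptions.
import socket
import ssl

CSS_LDAPS_PORT = 2172  # ISASTGCTRL LDAP over SSL port, as listed by dsdbutil

def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload  # one BER element

def build_rootdse_search(message_id: int = 1, attrs=()) -> bytes:
    """SearchRequest for the RootDSE (base "", scope baseObject, objectClass=*)."""
    search = (
        _tlv(0x04, b"")               # baseObject: empty DN selects the RootDSE
        + _tlv(0x0A, b"\x00")         # scope: baseObject
        + _tlv(0x0A, b"\x00")         # derefAliases: neverDerefAliases
        + _tlv(0x02, b"\x00")         # sizeLimit: 0 (none)
        + _tlv(0x02, b"\x00")         # timeLimit: 0 (none)
        + _tlv(0x01, b"\x00")         # typesOnly: FALSE
        + _tlv(0x87, b"objectClass")  # filter: present(objectClass)
        + _tlv(0x30, b"".join(_tlv(0x04, a.encode()) for a in attrs))
    )
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + _tlv(0x63, search))

def _read_tlv(buf: bytes, pos: int = 0):
    """Decode the BER element at buf[pos]: (tag, value, end), or None if incomplete."""
    if pos + 2 > len(buf):
        return None
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:  # long form: the next (first & 0x7F) octets hold the length
        n = first & 0x7F
        if pos + n > len(buf):
            return None
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    if pos + length > len(buf):
        return None
    return tag, buf[pos:pos + length], pos + length

def _children(value: bytes):
    """Yield (tag, value) for each element inside a constructed value."""
    pos = 0
    while pos < len(value):
        tlv = _read_tlv(value, pos)
        if tlv is None:
            raise ValueError("truncated BER element")
        tag, val, pos = tlv
        yield tag, val

def parse_search_entry(message: bytes) -> "dict | None":
    """{"dn", "attrs"} for a SearchResultEntry (0x64); None for other ops (0x65 = Done)."""
    _, body, _ = _read_tlv(message)
    op_tag, op_val = list(_children(body))[1]  # element [0] is the messageID
    if op_tag != 0x64:
        return None
    (_, dn), (_, attr_seq) = list(_children(op_val))[:2]
    attrs = {}
    for _, attr in _children(attr_seq):
        (_, name), (_, vals) = list(_children(attr))
        attrs[name.decode()] = [v.decode(errors="replace") for _, v in _children(vals)]
    return {"dn": dn.decode(), "attrs": attrs}

def check_css_ldaps(host: str, port: int = CSS_LDAPS_PORT,
                    cafile: "str | None" = None, timeout: float = 5.0) -> dict:
    """TLS-connect, require a cert chaining to cafile that names `host`, read the RootDSE."""
    ctx = ssl.create_default_context(cafile=cafile)  # hostname check stays on
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            subject = dict(rdn[0] for rdn in tls.getpeercert().get("subject", ()))
            tls.sendall(build_rootdse_search(1, ("namingContexts",)))
            buf, entry = b"", None
            while True:
                chunk = tls.recv(4096)
                if not chunk:
                    raise ConnectionError("CSS closed the connection early")
                buf += chunk
                while (tlv := _read_tlv(buf)) is not None:
                    _, body, end = tlv
                    parsed, buf = parse_search_entry(buf[:end]), buf[end:]
                    if parsed is not None:
                        entry = parsed
                    elif list(_children(body))[1][0] == 0x65:  # SearchResultDone
                        return {"certificate_cn": subject.get("commonName"), "rootdse": entry}

def sample_entry() -> bytes:
    """Constructed RootDSE SearchResultEntry (sample data, not captured from a CSS)."""
    attr = _tlv(0x30, _tlv(0x04, b"namingContexts") + _tlv(0x31, _tlv(0x04, b"CN=FPC2")))
    entry = _tlv(0x64, _tlv(0x04, b"") + _tlv(0x30, attr))
    return _tlv(0x30, _tlv(0x02, b"\x01") + entry)
```

Run `check_css_ldaps("Florence", cafile="lab-ca.pem")` from a lab client: a certificate whose name does not match the CSS name fails the TLS handshake with ssl.SSLCertVerificationError, the scripted counterpart of the ldp connection error. A Windows Server 2003-era CSS may offer only TLS 1.0, which current OpenSSL builds refuse by default.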

10. Use the dsmgmt tool to examine the CSS ADAM naming contexts.

a. At the command prompt, type dsmgmt, and then press Enter.

The dsmgmt.exe tool provides management facilities for the ADAM directory service.

b. At the dsmgmt: prompt, type partition management, and then press Enter.

c. At the partition management: prompt, type connections, and then press Enter.

d. At the server connections: prompt, type connect to server Florence:2171, and then press Enter.

The dsmgmt tool creates a connection to the CSS ADAM directory service, using LDAP.

e. At the server connections: prompt, type quit, and then press Enter.

f. At the partition management: prompt, type list, and then press Enter.

The CSS ADAM directory service uses three naming contexts: Configuration, Schema, and FPC2.

The Schema naming context contains the class definitions for all the ISA Server configuration data. The Configuration naming context contains data about ADAM sites and replication. The FPC2 naming context contains all enterprise and array configuration data.

g. At the partition management: prompt, type quit, and then press Enter.

h. At the dsmgmt: prompt, type quit, and then press Enter.

i. Close the ADAM Tools Command Prompt window.

11. Use the ADAM ADSI Edit console to examine the ADAM site replication configuration.

Connections to [Florence:2171]:
- Configuration
- CN=FPC2

a. On the Start menu, click All Programs, click ADAM, and then click ADAM ADSI Edit.

The ADAM ADSI Edit console allows you to view and modify ADAM objects in the directory service database.

b. In the ADAM-adsiedit window, on the Action menu, click Connect to.

c. In the Connection Settings dialog box, complete the following information:
- Connection name: Configuration
- Server name: Florence
- Port: 2171
- Well-known naming context: Configuration
and then click OK.

The Configuration [Florence:2171] connection is added to the console.

Note: ADAM ADSI Edit does not support LDAP over SSL connections. You must use the ldp.exe tool to check LDAP over SSL connectivity to the ADAM directory service.

d. On the Action menu, click Connect to again.

e. In the Connection Settings dialog box, complete the following information:
- Connection name: Enterprise Data
- Server name: Florence
- Port: 2171
- Distinguished name (DN) or naming context: CN=FPC2
and then click OK.

The Enterprise Data [Florence:2171] connection is added to the console.

f. In the left pane, expand Configuration [Florence:2171], expand CN=Configuration, CN={...}, expand CN=Sites, expand CN=Default-First-Site-Name, and then select CN=Servers.

Just like Active Directory, ADAM uses sites to manage multi-master replication between groups of CSS computers in multiple locations.

The Florence CSS is in the Default-First-Site-Name site.

g. In the left pane, select CN=Default-First-Site-Name, and then in the right pane, right-click CN=NTDS Site Settings, and click Schedule.

CSS replication within an ADAM site is based on change notification. When a configuration update occurs at a CSS, the ADAM instance waits 15 seconds and then notifies its closest CSS replication partners within the site to obtain the configuration update.

Note: The replication frequency within an ADAM site (every 15 seconds) is unrelated to the default ISA Server CSS poll rate (also every 15 seconds).

As you can see in the Schedule dialog box, when no updates have occurred, by default the CSS computers within a site still check the other CSS replication partners every hour.

h. Click Cancel to close the Schedule dialog box.

i. In the left pane, expand CN=Inter Site Transports, and then select CN=IP.

j. In the right pane, right-click CN=DEFAULTIPSITELINK, and then click Properties.

k. In the CN=DEFAULTIPSITELINK Properties dialog box, in the Attributes list, select replInterval.

The CSS replication between ADAM sites is not based on notification, but on a replication interval. By default, different sites replicate configuration updates every 180 minutes (3 hours).

l. Click Cancel to close the CN=DEFAULTIPSITELINK Properties dialog box.

m. In the left pane, expand Enterprise Data [Florence:2171], expand CN=FPC2, expand CN=Array-Root, expand CN=Arrays, and then select the first CN={...}.

The FPC2 naming context contains all the enterprise and array configuration data. To avoid configuration mistakes, you should never change this information directly in ADAM ADSI Edit. Instead use the ISA Server console, or use an administrative script.

n. Close the ADAM-adsiedit window.

Note: The ADAM ADSI Edit console saves the current connections Configuration [Florence:2171] and Enterprise Data [Florence:2171] for later use.

12. In the ISA Server installation folder, examine AdamSites.exe.

a. In a Command Prompt window, in the C:\Program Files\Microsoft ISA Server folder, type adamsites.exe /?, and then press Enter.

Instead of configuring replication parameters between ADAM sites in ADAM ADSI Edit directly, you can use the AdamSites.exe tool. The AdamSites tool can also create sites, and move CSS computers to new sites.

You can download AdamSites from www.microsoft.com/isaserver/downloads.

b. At the command prompt, type adamsites.exe sites, and then press Enter.

The enterprise currently has one site named Default-First-Site-Name, containing the CSS computer Florence.

c. At the command prompt, type adamsites.exe sitelinks, and then press Enter.

The site replicates configuration updates to other sites (if present) every 180 minutes.

d. Close the Command Prompt window.

13. Examine the protocol definitions related to CSS:

- MS Firewall Storage
- MS Firewall Storage Replication
- MS Firewall Storage Server

a. In the ISA Server console, in the left pane, select Firewall Policy (ITALY).

b. In the task pane, on the Toolbox tab, in the Protocols section, expand All Protocols.

c. In the list of protocols, right-click MS Firewall Storage, and then click Properties.

d. In the MS Firewall Storage Properties dialog box, select the Parameters tab.

Three protocol definitions are related to CSS network traffic:  MS Firewall Storage - Outbound access to CSS (TCP ports 2171 and 2172)  MS Firewall Storage Replication - Outbound CSS replication (TCP port 2173)  MS Firewall Storage Server - Inbound access to CSS (TCP ports 2171 and 2172)

The first two protocol definitions are used in system policy rules:
- Rule 31 (MS Firewall Storage) - Allows access from ISA Server to the CSS, so that ISA Server can check for updates.
- Rule 32 (MS Firewall Storage) - Allows access from remote management computers to ISA Server. This rule only applies when CSS is installed on ISA Server.
- Rule 33 (MS Firewall Storage Replication) - Allows access to and from ISA Server to replicate CSS. This rule only applies when CSS is installed on ISA Server.

You can use the MS Firewall Storage Server protocol definition to publish CSS. This may be needed in a back-to-back ISA Server configuration, or when installing an ISA Server in a new branch office.

e. Click Cancel to close the MS Firewall Storage Properties dialog box.


Module H: Configuring Load Balancing

Exercise 1 Configuring Network Load Balancing (NLB)

In this exercise, you will configure ISA Server to use NLB for load balanced and fault tolerant outbound and inbound access.

Note: The default background wallpaper on the Denver computer and the Istanbul computer only displays a single ISA Server (Paris). If needed, on those two computers you can select a different background wallpaper which displays the two ISA Servers (Florence and Firenze) that are used in this module.

Tasks Detailed steps

Note: This lab exercise uses the following computers: Denver - Florence - Firenze - Istanbul. Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.

Perform the following steps on the Florence computer.

1. On the Florence computer, examine the current configuration of the Internal Connection network adapter, before NLB is enabled.

a. On the Florence computer, on the Start menu, click Control Panel, click Network Connections, right-click Internal Connection, and then click Properties.

In the Internal Connection Properties dialog box, notice that Network Load Balancing is not enabled yet on this network adapter.

Note: Do not enable Network Load Balancing (NLB) in this dialog box. You enable and configure NLB from the ISA Server console.

b. Click Cancel to close the Internal Connection Properties dialog box.

2. In the ISA Server console, enable NLB integration, and enable NLB on the Internal network.

Primary Virtual IP address: 10.1.1.3
Subnet mask: 255.255.255.0

a. On the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.

b. In the ISA Server console, expand Arrays, expand ITALY, expand Configuration, and then in the left pane, select Networks.

c. In the right pane, select the Networks tab.

d. In the task pane, on the Tasks tab, click Enable Network Load Balancing Integration.

Enabling NLB integration results in the following two actions:
- ISA Server controls the NLB driver and adds additional functionality, such as alerting the NLB driver when any ISA Server service fails and support for handling network traffic when NLB is enabled on multiple networks on the array.
- ISA Server manages the configuration of NLB, and overrides any manual NLB changes you may make outside of ISA Server.

Note: It is possible to use NLB on ISA Server in non-integrated mode. However, in this configuration you don't have the added functionality provided by ISA Server's control of the NLB driver.

e. In the Network Load Balancing Wizard dialog box, click Next.

f. On the Select Load Balanced Networks page, select Internal, and then click Set Virtual IP.


g. In the Set Virtual IP Addresses dialog box, complete the following information:
- Primary VIP: 10.1.1.3
- Subnet mask: 255.255.255.0
and then click OK.

The NLB virtual IP (VIP) address is used on both array members. The address must be in the same IP subnet as the dedicated IP addresses (DIPs) on Florence (10.1.1.1) and Firenze (10.1.1.2).

Later in this exercise, you will also enable NLB on the External network.

h. On the Select Load Balanced Networks page, click Next.

i. On the Completing the Network Load Balancing Integration Wizard page, click Finish.

A message box appears, explaining that the name you specify for the Configuration Storage server (CSS) should resolve to the intra-array IP address. This only applies if CSS is installed on an array member, and NLB is enabled.

j. Click OK to close the message box.

k. In the left pane, right-click ITALY, and then click Properties.

l. In the ITALY Properties dialog box, select the Configuration Storage tab.

The array uses the name Florence to specify the CSS on the Florence computer. Both Florence and Firenze use a hosts file to resolve the name Florence to the intra-array IP address of Florence (23.1.1.1). This means that the array meets the requirement explained in the message box after you enabled NLB integration.

m. Click Cancel to close the ITALY Properties dialog box.

3. Examine the NLB and CARP configuration on the Internal network.

a. In the left pane, select Networks, and in the right pane, on the Networks tab, right-click Internal, and then click Properties.

b. In the Internal Properties dialog box, select the NLB tab.

NLB is enabled on the Internal network. The Primary VIP is 10.1.1.3.

c. Select the CARP tab, and ensure that CARP is NOT enabled on this network.

ISA Server supports the use of both CARP and NLB on the same network, but in this exercise you will use only NLB.

d. Click OK to close the Internal Properties dialog box.

4. Examine the status of the Network Load Balancing service on the Monitoring/Services tab.

a. In the left pane, select Monitoring, and then in the right pane, select the Services tab.

When NLB integration is enabled, ISA Server displays the status of the Network Load Balancing service on the Services tab. This is not a real Windows service, but represents the NLB network driver.

Because you have not applied the configuration changes yet, the current status of the Network Load Balancing service is Unavailable.

b. Do NOT click Apply yet to save the changes.

5. Start the Array Status Monitor to quickly see the current CSS status and NLB status.

File: C:\Tools\Status\ArrayStatus.hta

a. Use Windows Explorer (or My Computer) to open the C:\Tools\Status folder.

b. In the Status folder, right-click ArrayStatus.hta, and then click Open.

Array Status Monitor is an HTML application for use with this lab. It continually displays the CSS synchronization status and the NLB status of the array.

This is the same information that is displayed in the ISA Server console at the Monitoring node on the Configuration tab (CSS Status) and on the Services tab (NLB Status).


c. Close the Status folder.

6. Apply the changes and restart the Firewall service.

a. In the ISA Server console, click Apply to save the changes.

b. In the ISA Server Warning dialog box, CHANGE the current selection, and select Save the changes and restart the services, and then click OK.

c. Click OK to close the Saving Configuration Changes dialog box.

d. Use the Array Status Monitor to wait until the CSS status is Synced, and the NLB status is Running. This may take 5 to 10 minutes.

After Florence and Firenze have received the new configuration, ISA Server enables and configures NLB on both computers. The NLB status Configuring means that the NLB driver is still converging the computers to a consistent state.

Note: Instead of waiting 5 to 10 minutes for NLB to converge and display the status Running, you can continue with the next tasks.

7. Examine the NLB host IDs, and the network used for intra-array communication.

a. In the left pane, select Servers.

b. In the right pane, right-click Florence, and then click Properties.

The Host ID number represents the NLB host identifier, assigned by ISA Server. Florence uses host ID 2, Firenze uses host ID 3.

All hosts in an NLB cluster must use a unique host ID between 1 and 32. ISA Server does not assign host ID 1, so the maximum number of array members in an NLB cluster is 31.

Note: Do not confuse the terminology. NLB uses the terms cluster and hosts, while ISA Server uses the terms array and members. WLBS (Windows NT Load Balancing Service) is an old name for NLB.

c. In the Florence Properties dialog box, select the Communication tab.

Florence (and Firenze) use the IP address on the Perimeter network (23.1.1.x) for communication between array members. This is a configuration change performed during the lab setup. The default setting on ISA Server is to use the first IP address of the network adapter on the Internal Network for intra-array communication.

Note: When you enable NLB on ISA Server, the intra-array communication network must not be load-balanced. This is not needed for the so-called NLB Heartbeat, but to allow normal intra-array communication. (However, this requirement is removed in Windows Server 2003 Service Pack 1.)

In this exercise you will enable NLB on both the Internal network and the External network.

d. Click Cancel to close the Florence Properties dialog box.

8. Delete all existing Web publishing rules and Server publishing rules.

a. In the left pane, select Firewall Policy (ITALY).

As is examined in more detail later, the behavior of NLB is dynamic, and is influenced by the existence of Web publishing rules and Server publishing rules.

In the lab environment, to ensure that the behavior of NLB matches exactly the description and the steps in this exercise, you must delete all existing Web publishing rules and Server publishing rules.

b. In the right pane, in the Firewall Policy Rules list, for each Server publishing rule, right-click the rule, click Delete, and then click OK to confirm that you want to delete the rule.

Note: Server publishing rules are indicated in the Order column by a square icon containing a little gray server symbol.

c. For each Web publishing rule, right-click the rule, click Delete, and then click OK to confirm that you want to delete the rule.

Note: Web publishing rules are indicated in the Order column by a gray server symbol connected to a blue workstation symbol.

9. Create a new access rule.

Name: Allow Web access (NLB)

Applies to: HTTP

From network: Internal
To network: External

a. In the right pane, select the first rule in the Firewall Policy Rules list, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.

b. In the task pane, on the Tasks tab, click Create Access Rule.

c. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow Web access (NLB), and then click Next.

d. On the Rule Action page, select Allow, and then click Next.

e. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.

f. In the Add Protocols dialog box, click Common Protocols, click HTTP, click Add, and then click Close to close the Add Protocols dialog box.

g. On the Protocols page, click Next.

h. On the Access Rule Sources page, click Add.

i. In the Add Network Entities dialog box, click Networks, click Internal, click Add, and then click Close to close the Add Network Entities dialog box.

j. On the Access Rule Sources page, click Next.

k. On the Access Rule Destinations page, click Add.

l. In the Add Network Entities dialog box, click Networks, click External, click Add, and then click Close to close the Add Network Entities dialog box.

m. On the Access Rule Destinations page, click Next.

n. On the User Sets page, click Next.

o. On the Completing the New Access Rule Wizard page, click Finish.

A new firewall policy rule is created that allows the HTTP protocol from the Internal network to the External network.

10. After NLB integration is fully enabled, apply the changes.

a. Before you apply the new rule, ensure that NLB integration is fully enabled on the ISA Server array. Wait until the CSS status is Synced, and the NLB status is Running.

b. Click Apply to apply the new rule, and then click OK. Wait until the CSS status is Synced, and the NLB status is Running.

Perform the following steps on the Denver computer.

11. On the Denver computer, connect to http://istanbul.fabrikam.com/web.asp.

Use proxy server address: 10.1.1.1:8080 and 10.1.1.3:8080

a. On the Denver computer, open Internet Explorer. In the Address box, type http://istanbul.fabrikam.com/web.asp, and then press Enter.

The Web Server Info Demo Page on Istanbul appears. The Web server reports that the Web request was sent through Florence (39.1.1.1).

b. On the Tools menu, click Internet Options.

c. In the Internet Options dialog box, on the Connections tab, click LAN Settings.

Notice that currently Internet Explorer is still using IP address 10.1.1.1 (Florence) as the proxy server address. This means that all Web proxy traffic uses Florence.

After you have enabled NLB, you should ensure that all client computers use the NLB virtual IP address as the proxy server address (for Web Proxy clients and Firewall clients), or as default gateway (for SecureNAT clients).

d. In the Local Area Network (LAN) Settings dialog box, complete the following information:
- Use a proxy server for your LAN: enable
- Address: 10.1.1.3
- Port: 8080
- Bypass proxy server for local addresses: enable
and then click OK.


e. Click OK to close the Internet Options dialog box.

f. On the toolbar, click the Refresh button.

The Web page reports that the Web request was sent through Firenze (39.1.1.2). Apparently the NLB process assigns the Web proxy connection from 10.1.1.5 to Firenze.

g. Close Internet Explorer.

Note: Depending on the timing of the Florence and Firenze servers, there is a very small chance that the Web proxy connection from 10.1.1.5 is still going through the Florence server. In that case, the NLB distribution of the connections through Florence and Firenze is exactly the opposite of the description in this exercise. To ensure that the behavior of NLB matches exactly the steps in this exercise, do the next task.

Note: You only need to do the following task if the Web proxy connection in the previous task continued to go through the Florence server.

Perform the following steps on the Firenze computer.

12. On the Firenze computer, stop, wait 10 seconds, and start the Microsoft Firewall service.

a. On the Firenze computer, in a Command Prompt window, type net  stop  fwsrv, and then press Enter.

The Microsoft Firewall service on Firenze is stopping. After 5 seconds, NLB on Florence will automatically reconfigure to handle all connections through the array.

b. Wait 10 seconds, and then type net  start  fwsrv, and press Enter.

After the Microsoft Firewall service on Firenze is started, all connections through the array are load balanced between Florence and Firenze again.

c. Close the Command Prompt window.

Note: In the following tasks, you will enable NLB on the External network as well. This allows you to load balance incoming connections to published servers on your network.

Perform the following steps on the Florence computer.

13. On the Florence computer, enable NLB on the External network.

Primary Virtual IP address: 39.1.1.3
Subnet mask: 255.255.255.0

a. On the Florence computer, in the ISA Server console, in the left pane, select Networks.

b. In the task pane, on the Tasks tab, click Configure Load Balanced Networks.

c. In the Network Load Balancing Wizard dialog box, click Next.

d. On the Select Load Balanced Networks page, select External, and then click Set Virtual IP.

e. In the Set Virtual IP Addresses dialog box, complete the following information:
- Primary VIP: 39.1.1.3
- Subnet mask: 255.255.255.0
and then click OK.

f. On the Select Load Balanced Networks page, click Next.

g. On the Completing the Load Balanced Networks Wizard page, click Finish.

Currently NLB is enabled on both the Internal network (virtual IP 10.1.1.3) and the External network (virtual IP 39.1.1.3).

Note: When you use NLB on an ISA Server array, it is recommended to enable NLB on all networks, except the network used for intra-array communication (unless you use Windows Server 2003 Service Pack 1).

h. Click Apply to apply the changes, and then click OK. Wait until the CSS status is Synced, and the NLB status is Running.

14. Refresh the ISA Server console, so that the new virtual IP address is shown in the user interface.

a. In the left pane, right-click Firewall Policy (ITALY), and then click Refresh.

This step ensures that the ISA Server console rereads the IP addresses from the network adapters.

15. Create a new Web listener.

Name: External Web 80 NLB

SSL: disable

Network: External - 39.1.1.3

Compression: disable

Authentication: none

a. In the left pane, select Firewall Policy (ITALY).

b. In the task pane, on the Toolbox tab, in the Network Objects section, right-click Web Listeners, and then click New Web Listener.

c. In the New Web Listener Definition Wizard dialog box, in the Web listener name text box, type External Web 80 NLB, and then click Next.

d. On the Client Connection Security page, select Do not require SSL secured connections with clients, and then click Next.

e. On the Web Listener IP Addresses page, select the External check box, and then click Select IP Addresses.

Instead of listening on dedicated IP addresses (39.1.1.1 and 39.1.1.2), it is recommended to only listen on the virtual IP address.

Note: If you did not refresh the ISA Server console in the previous task, it is possible that 39.1.1.3 is not listed as Virtual IP yet.

f. In the External Network Listener IP Selection dialog box, select the Specified IP addresses option, and then in the Available IP Addresses list, select 39.1.1.3, and click Add.

g. Click OK to close the External Network Listener IP Selection dialog box.

The Web listener will only listen on IP address 39.1.1.3, on the External network.

h. On the Web Listener IP Addresses page, clear ISA Server will compress content, and then click Next.

i. On the Authentication Settings page, in the drop-down list box, select No Authentication, and then click Next.

j. On the Single Sign On Settings page, click Next.

k. On the Completing the New Web Listener Wizard page, click Finish.

A new Web listener (port 80 on IP address 39.1.1.3) with the name External Web 80 NLB is created.

16. Create a Web publishing rule.

Name: Web Home Page NLB

Publishing type: single Web site

Internal site name: denver.contoso.com

Public name: shop.contoso.com

Web listener: External Web 80 NLB

Delegation: none

a. In the right pane, select the first rule in the Firewall Policy Rules list to indicate where the new rule is added to the rule list.

b. In the task pane, on the Tasks tab, click Publish Web Sites.

c. In the New Web Publishing Rule Wizard dialog box, in the Web publishing rule name text box, type Web Home Page NLB, and then click Next.

d. On the Select Rule Action page, select Allow, and then click Next.

e. On the Publishing Type page, select Publish a single Web site, and then click Next.

f. On the Server Connection Security page, select Use non-secured connections to connect to the published Web server, and then click Next.

g. On the Internal Publishing Details page, complete the following information:
- Internal site name: denver.contoso.com
- Use a computer name or IP address: disable (is default)
and then click Next.

h. On the next Internal Publishing Details page, complete the following information:
- Path: (leave empty)
- Forward the original host header: disable (is default)
and then click Next.

i. On the Public Name Details page, complete the following information:
- Accept requests for: This domain name (type below)
- Public name: shop.contoso.com
- Path: (leave empty)
and then click Next.

On Istanbul (Internet), the name shop.contoso.com must resolve to 39.1.1.3.

j. On the Select Web Listener page, in the Web listener drop-down list box, select External Web 80 NLB, and then click Next.

k. On the Authentication Delegation page, select No delegation, and client cannot authenticate directly, and then click Next.

l. On the User Sets page, click Next.

m. On the Completing the New Web Publishing Rule Wizard page, click Finish.

A new Web publishing rule is created which publishes the Web site at denver.contoso.com (10.1.1.5) as shop.contoso.com on the External network on virtual IP address 39.1.1.3.

n. Click Apply to apply the new rule, and then click OK. Wait until the CSS status is Synced, and the NLB status is Running.

Perform the following steps on the Istanbul computer.

17. On the Istanbul computer, verify the IP address of shop.contoso.com, and then connect to http://shop.contoso.com/web.asp

a. On the Istanbul computer, open a Command Prompt window.

b. At the command prompt, type ping  shop.contoso.com, and then press Enter.

In the hosts file on Istanbul, shop.contoso.com is already defined as 39.1.1.3.

Note: Depending on the firewall policy rules that you may have created in earlier exercises, you may or may not receive replies to the ping requests to 39.1.1.

c. Open Internet Explorer. In the Address box, type http://shop.contoso.com/web.asp, and then press Enter.

The Web Server Info Demo page on Denver appears. The Web server reports that the Web request was sent through Florence.

Apparently the NLB process assigns the Web connection from Istanbul (39.1.1.7) to Florence.

Note: Because ISA Server blocks unsolicited network traffic on all networks, the request and reply must go through the same ISA Server. When ISA Server sends the Web request to Denver (10.1.1.5), it replaces the client address (39.1.1.7) in the network packet with its own dedicated IP address (10.1.1.1) on the Internal network. When Denver replies, it sends the reply back to the client IP address (10.1.1.1), which is automatically the correct ISA Server.

d. Close Internet Explorer.


Exercise 2 Examining Details on NLB

In this exercise, you will examine details on how ISA Server configures and controls the NLB driver to provide load balancing functionality for array members. You will also perform the steps needed to disable NLB integration on an array.

Tasks Detailed steps

Note: This lab exercise uses the following computers: Denver - Florence - Firenze - Istanbul. Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.

Perform the following steps on the Florence computer.

1. On the Florence computer, use the nlb  query command to see the current convergence state of the NLB cluster.

a. On the Florence computer, in a Command Prompt window, type nlb  query, and then press Enter.

The NLB utility shows which NLB hosts are currently part of the clusters for each network.

Note: Florence is host ID 2, and Firenze is host ID 3. WLBS is an old name for NLB.

2. Use the nlb  queryport command to see the number of accepted and dropped network packets.

a. At the command prompt, type nlb  queryport  8080, and then press Enter.

The NLB utility reports the number of accepted and dropped packets on Florence for the NLB port rule that applies to TCP or UDP port 8080.

Remember the number of accepted and dropped packets through the 10.1.1.3 cluster (Internal network) for comparison in the next task.

Perform the following steps on the Firenze computer.

3. On the Firenze computer, use the nlb  queryport command to see the number of accepted and dropped network packets.

a. On the Firenze computer, open a Command Prompt window.

b. At the command prompt, type nlb  queryport  8080, and then press Enter.

The NLB utility on Firenze reports exactly the opposite numbers of accepted and dropped packets through the 10.1.1.3 cluster (if no additional new network traffic occurred in the meantime).

Note: All TCP and UDP packets are sent to both NLB hosts. Each host makes exactly the same decision about which host will handle a particular network packet. For single affinity, this decision is based on the hash value of the source IP address.

Apparently the hash value of 10.1.1.5 results in NLB host Firenze.

c. Close the Command Prompt window.

Perform the following steps on the Florence computer.

4. On the Florence computer, examine the configuration of the Internal Connection network adapter.

a. On the Florence computer, on the Start menu, click Control Panel, click Network Connections, right-click Internal Connection, and then click Properties.

Notice that ISA Server has enabled Network Load Balancing on the network adapter.

b. In the Internal Connection Properties dialog box, select Network Load Balancing (do NOT clear the check box), and then click Properties.

The NLB cluster IP address is set to 10.1.1.3.


c. Select the Host Parameters tab.

Florence is assigned Priority (or host ID) 2.

d. Select the Port Rules tab.

There is a single port rule that specifies that TCP and UDP traffic directed at any port is load balanced, using Single affinity.

Single affinity means that NLB uses only the IP address of the sender (and not the combination of the IP address and port) to calculate which host handles the traffic. In effect, all network connections from a particular computer use the same ISA Server.

Note: Do not change any of the settings in the Network Load Balancing Properties dialog box. ISA Server will override any changes you make here.

e. Click CANCEL to close the Network Load Balancing Properties dialog box.

f. Click Cancel to close the Internal Connection Properties dialog box.

g. In a Command Prompt window, type ipconfig  /all, and then press Enter.

The Internal Connection network adapter now has two IP addresses (10.1.1.1 and 10.1.1.3), and uses a new physical address (MAC) 02-BF-0A-01-01-03. NLB bases the new MAC address on the hexadecimal representation of the cluster IP address.

Perform the following steps on the Firenze computer.

5. On the Firenze computer, examine the configuration of the Internal Connection network adapter.

a. On the Firenze computer, open a Command Prompt window.

b. At the command prompt, type ipconfig  /all, and then press Enter.

The Internal Connection network adapter on Firenze uses the same cluster IP address (10.1.1.3), and the same MAC address (02-BF-0A-01-01-03).

Florence and Firenze no longer use the original MAC address on the Internal Connection network adapter, but use the same new MAC address. This is called unicast mode in NLB.

Note: When NLB integration is enabled, ISA Server always uses unicast mode and single affinity.

c. Close the Command Prompt window.

Perform the following steps on the Florence computer.

6. On the Florence computer, create a new access rule.

Name: Allow Ping to firewall

Applies to: PING

From network: Internal
To network: Local Host

a. On the Florence computer, in the ISA Server console, in the left pane, select Firewall Policy.

b. In the right pane, select the first rule in the Firewall Policy Rules list, to indicate where the new rule is added to the rule list.

c. In the task pane, on the Tasks tab, click Create Access Rule.

d. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow Ping to firewall, and then click Next.

e. On the Rule Action page, select Allow, and then click Next.

f. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.

g. In the Add Protocols dialog box, click Common Protocols, click PING, click Add, and then click Close to close the Add Protocols dialog box.

h. On the Protocols page, click Next.

i. On the Access Rule Sources page, click Add.

j. In the Add Network Entities dialog box, click Networks, click Internal, click Add, and then click Close to close the Add Network Entities dialog box.

k. On the Access Rule Sources page, click Next.

l. On the Access Rule Destinations page, click Add.

m. In the Add Network Entities dialog box, click Networks, click Local Host, click Add, and then click Close to close the Add Network Entities dialog box.

n. On the Access Rule Destinations page, click Next.

o. On the User Sets page, click Next.

p. On the Completing the New Access Rule Wizard page, click Finish.

A new firewall policy rule is created that allows Ping from the Internal network to the Local Host network (ISA Server).

q. Click Apply to apply the new rule, and then click OK. Wait until the CSS status is Synced, and the NLB status is Running.

Perform the following steps on the Denver computer.

7. On the Denver computer, examine the MAC addresses used by 10.1.1.1, 10.1.1.2, and 10.1.1.3.

a. On the Denver computer, open a Command Prompt window.

b. At the command prompt, type ping  10.1.1.1, and then press Enter.

Florence returns four replies on the ping requests.

c. Type ping  10.1.1.2, and then press Enter.

Firenze returns four replies on the ping requests.

d. Type ping  10.1.1.3, and then press Enter.

NLB does not load balance ICMP requests (ping). This means that both Florence and Firenze return a reply to each ping request. The ping application does not display the double responses.

e. Type arp  -a, and then press Enter.

The command displays the MAC addresses used for each IP address during the last 2 minutes. Because NLB is using unicast mode, all IP addresses return the same MAC address (02-BF-0A-01-01-03).

f. Close the Command Prompt window.
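The MAC address that NLB derives from the cluster IP (seen in ipconfig /all on Florence and Firenze, and in arp -a on Denver) can be reproduced offline, which is a useful sanity check when an ARP table looks odd after NLB is enabled. The following Python is an added example written for this page; it is not part of the lab manual or of ISA Server. The function names and the sample arp -a output for Denver are constructed here, and the 03-BF multicast prefix is taken from the NLB documentation rather than from this lab, which only uses unicast mode.

```python
"""NLB cluster MAC derivation and an arp -a check (added example, not ISA Server code)."""
import ipaddress
import re
from typing import Dict, List

# NLB derives the shared cluster MAC from the cluster (virtual) IP address.
# Unicast mode uses the prefix 02-BF; multicast mode uses 03-BF (the multicast
# prefix is from the NLB documentation, not from this lab, which uses unicast only).
NLB_UNICAST_PREFIX = (0x02, 0xBF)
NLB_MULTICAST_PREFIX = (0x03, 0xBF)


def nlb_cluster_mac(cluster_ip: str, multicast: bool = False) -> str:
    """Return the MAC address NLB assigns for the given cluster IP.

    The last four octets are the hexadecimal form of the IP address, so
    10.1.1.3 becomes 0A-01-01-03 and the unicast MAC is 02-BF-0A-01-01-03.
    """
    octets = ipaddress.IPv4Address(cluster_ip).packed
    prefix = NLB_MULTICAST_PREFIX if multicast else NLB_UNICAST_PREFIX
    return "-".join(f"{b:02X}" for b in prefix + tuple(octets))


# Windows "arp -a" prints one neighbour per line: IP, dash-separated MAC, type.
_ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+(\w+)"
)


def parse_arp_table(arp_output: str) -> Dict[str, str]:
    """Map each IP address in arp -a output to its MAC address (upper case)."""
    table: Dict[str, str] = {}
    for line in arp_output.splitlines():
        m = _ARP_LINE.match(line)
        if m:
            table[m.group(1)] = m.group(2).upper()
    return table


def hosts_using_cluster_mac(arp_output: str, cluster_ip: str) -> List[str]:
    """Return the IP addresses whose ARP entry is the NLB cluster MAC.

    With unicast NLB every array member replaces its adapter MAC with the
    cluster MAC, so the dedicated IPs (DIPs) and the virtual IP (VIP) all
    resolve to the same address, exactly as arp -a on Denver shows.
    """
    cluster_mac = nlb_cluster_mac(cluster_ip)
    table = parse_arp_table(arp_output)
    return sorted(ip for ip, mac in table.items() if mac == cluster_mac)


# Constructed sample of what arp -a on Denver (10.1.1.5) shows in this lab;
# the 10.1.1.254 entry is an invented non-NLB neighbour for contrast.
SAMPLE_ARP_OUTPUT = """\
Interface: 10.1.1.5 --- 0x10003
  Internet Address      Physical Address      Type
  10.1.1.1              02-bf-0a-01-01-03     dynamic
  10.1.1.2              02-bf-0a-01-01-03     dynamic
  10.1.1.3              02-bf-0a-01-01-03     dynamic
  10.1.1.254            00-0c-29-12-34-56     dynamic
"""

if __name__ == "__main__":
    print("cluster MAC for 10.1.1.3:", nlb_cluster_mac("10.1.1.3"))
    print("cluster MAC for 39.1.1.3:", nlb_cluster_mac("39.1.1.3"))
    print("IPs resolving to the cluster MAC:",
          hosts_using_cluster_mac(SAMPLE_ARP_OUTPUT, "10.1.1.3"))
```

Running the block against the constructed table reports 10.1.1.1, 10.1.1.2 and 10.1.1.3, the three addresses the lab expects to share 02-BF-0A-01-01-03; the same function applied to the External network VIP gives 02-BF-27-01-01-03 for 39.1.1.3.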

8. Connect to http://istanbul.fabrikam.com/web.asp.

Use proxy server address: 10.1.1.3:8080 and use default gateway: 10.1.1.1.

a. Open Internet Explorer. In the Address box, type http://istanbul.fabrikam.com/web.asp, and then press Enter.

Denver is using Web proxy address 10.1.1.3. The Web server reports that the Web request was sent through Firenze (39.1.1.2).

b. On the Tools menu, click Internet Options.

c. In the Internet Options dialog box, on the Connections tab, click LAN Settings.

d. In the Local Area Network (LAN) Settings dialog box, complete the following information:
- Use a proxy server for your LAN: disable
and then click OK.

e. Click OK to close the Internet Options dialog box.

Internet Explorer is no longer configured to use a proxy server (Web Proxy client). Instead, the default gateway (10.1.1.1) on Denver is now used to connect to the ISA Server (SecureNAT client).

f. On the toolbar, click the Refresh button.

The Web page reports that the Web request was sent through Firenze (39.1.1.2).

9. Change the default gateway from 10.1.1.1 to 10.1.1.3.

a. In a Command Prompt window, type ipconfig, and then press Enter.

The default gateway is configured to 10.1.1.1.

Note: Unlike a Web Proxy client that uses proxy server 10.1.1.1 (Florence), network traffic from a SecureNAT client that uses default gateway 10.1.1.1 is load balanced correctly and handled by the NLB host (Firenze) based on the hash value of the source IP address.

The reason for this is that a Web Proxy client request is technically from 10.1.1.5 to 10.1.1.1:8080 (with the HTTP headers indicating istanbul.fabrikam.com), while a SecureNAT client request is from 10.1.1.5 to 39.1.1.7:80 (sent to the NLB cluster MAC address provided by 10.1.1.1).

Note: It is still important to change the default gateway setting on SecureNAT client computers to the virtual IP address (10.1.1.3), to ensure that traffic is handled correctly when the computer with IP address 10.1.1.1 is temporarily unavailable.

b. On the Start menu, click Control Panel, click Network Connections, right-click Local Area Connection, and then click Properties.

c. In the Local Area Connection Properties dialog box, select Internet Protocol (TCP/IP) (do NOT clear the check box), and then click Properties.

d. In the Internet Protocol (TCP/IP) Properties dialog box, complete the following information:
- Default gateway: 10.1.1.3
and then click OK.

e. Click Close to close the Local Area Connection Properties dialog box.

f. In the Command Prompt window, type ipconfig, and then press Enter.

The default gateway is changed to the virtual IP address (10.1.1.3).

g. Close the Command Prompt window.

10. Connect to http://istanbul.fabrikam.com/reload.asp.

Use default gateway: 10.1.1.3.

a. In Internet Explorer, in the Address box, type http://istanbul.fabrikam.com/reload.asp, and then press Enter.

The reload.asp page automatically refreshes the Web page every 2 seconds. The Web server reports that each Web request was sent through Firenze (39.1.1.2).

b. Do not close Internet Explorer.

Perform the following steps on the Florence computer.

11. On the Florence computer, use the ISA Server console to stop the Microsoft Firewall service on Firenze.

a. On the Florence computer, in the ISA Server console, in the left pane, select Monitoring.

b. In the right pane, on the Services tab, select the Microsoft Firewall service for Firenze.

Note: Ensure that you select the Microsoft Firewall on Firenze, not on Florence.

c. In the task pane, on the Tasks tab, click Stop Selected Service.

ISA Server stops the Firewall service on Firenze.

Perform the following steps on the Denver computer.

12. On the Denver computer, wait until reload.asp is refreshed through Florence.

a. On the Denver computer, in Internet Explorer, wait until reload.asp is refreshed through Florence (39.1.1.1), instead of Firenze (39.1.1.2).

When the Firewall service stops, the following happens:
- ISA Server on Firenze notifies NLB that it should no longer be joined to the NLB cluster.
- NLB on Firenze stops sending its normal one-per-second heartbeat broadcast messages.
- After 5 missed heartbeat messages, NLB on Florence detects that NLB on Firenze stopped functioning.
- NLB on Florence converges to a NLB cluster with one host. It will now respond to all network packets, and handle the Web request from Denver.

Note: NLB being notified when the Firewall service is not running is functionality that is available only when NLB integration is enabled.


Perform the following steps on the Florence computer.

13. On the Florence computer, use the ISA Server console to start the Microsoft Firewall service on Firenze.

a. On the Florence computer, in the ISA Server console, on the Services tab, select the Microsoft Firewall service for Firenze.

b. In the task pane, on the Tasks tab, click Start Selected Service.

ISA Server starts the Firewall service on Firenze.

c. Wait until the CSS status is Synced, and the NLB status is Running.

Perform the following steps on the Denver computer.

14. On the Denver computer, examine the continuing refresh of reload.asp.

Close and reopen Internet Explorer, and connect to http://istanbul.fabrikam.com/reload.asp.

a. On the Denver computer, in Internet Explorer, notice that reload.asp continues to be refreshed through Florence (39.1.1.1).

NLB actually uses two steps to decide which host handles a network packet:
1) Each NLB host maintains a list of current TCP connections handled by the host. Existing TCP connections are not disconnected when the cluster converges to include more NLB hosts. This also applies to PPTP (GRE) and IPSec connections. However, UDP, ICMP and other IP connections may move to other NLB hosts after a cluster converges.
2) For new connections, NLB uses the hash value of the source IP address (when using single affinity) to determine the NLB host.

b. Close Internet Explorer.

c. Open Internet Explorer again, and in the Address box, type http://istanbul.fabrikam.com/reload.asp.

The new Web request to reload.asp is handled through Firenze (39.1.1.2).

d. Close Internet Explorer.

Note: In the following tasks, you will explore how ISA Server controls the way NLB calculates its hash value, so that network requests to published servers and the related network reply are always going through the same ISA Server in an array. This is called bi-directional affinity (BDA).

Perform the following steps on the Istanbul computer.

15. On the Istanbul computer, connect to http://shop.contoso.com/web.asp.

a. On the Istanbul computer, open Internet Explorer. In the Address box, type http://shop.contoso.com/web.asp, and then press Enter.

The Web server reports that the Web request was sent through Florence.

When ISA Server sends the Web request to the published server (Denver), it replaces the client address in the network packet with its own dedicated IP address (10.1.1.1) on the Internal network. When Denver replies, it sends the reply back to the client IP address (10.1.1.1), which is automatically the correct ISA Server.

b. Do not close Internet Explorer.

Perform the following steps on the Florence computer.

16. On the Florence computer, change the Web Home Page NLB rule.

Requests appear to come from: original client

a. On the Florence computer, in the ISA Server console, in the Firewall Policy Rules list, right-click Web Home Page NLB, and then click Properties.

b. In the Web Home Page NLB Properties dialog box, on the To tab, select Requests appear to come from the original client, and then click OK.

For Web publishing rules, the default is that requests appear to come from the ISA Server computer. For Server publishing rules, the default is that requests appear to come from the original client. You can change this setting for any Web publishing rule or Server publishing rule.

c. Click Apply to apply the new rule, and then click OK. Wait until the CSS status is Synced, and the NLB status is Running.


Perform the following steps on the Istanbul computer.

17. On the Istanbul computer, refresh the connection to http://shop.contoso.com/web.asp.

a. On the Istanbul computer, in Internet Explorer, on the toolbar, click the Refresh button.

The Web server reports that the Web request was sent through Florence. ISA Server did not replace the client address, so the network packet that arrived at Denver contains the original client address (39.1.1.7).

How does Denver know which ISA Server the reply should go to?

Note: Denver does not inspect the Reverse-Via HTTP header in the Web request, and the same question applies to non-HTTP protocols, using Server publishing rules, as well.

The answer is: Denver (the published server) does not know which ISA Server to reply to. Instead, the server just sends a reply to the received client address (39.1.1.7), which is sent to Denver's default gateway (10.1.1.3), and NLB selects the correct ISA Server.

NLB on the Internal network works together with NLB on the External network in a so-called bi-directional affinity (BDA) team. Bi-directional affinity means that the hash value used to determine the NLB host matches in both directions. On the Web request from Istanbul, NLB on the External network uses the hash value of the source IP address (39.1.1.7). On the reply, NLB on the Internal network uses the hash value of the destination IP address (which is the same 39.1.1.7).

b. Close Internet Explorer.

Perform the following steps on the Florence computer.

18. On the Florence computer, use the nlb  params command and the C:\Tools\fwengmon  /N command to examine the NLB bi-directional configuration.

a. On the Florence computer, in a Command Prompt window, type nlb  params  39.1.1.3, and then press Enter.

The NLB utility displays the configuration parameters of the NLB cluster on the External network.

Notice that BDATeaming (6th parameter from the bottom) is enabled.

b. At the command prompt, type nlb  params  10.1.1.3, and then press Enter.

The NLB cluster on the Internal network also has BDA teaming enabled.

However, the setting to automatically use the hash value of the destination IP address instead of the source IP address (ReverseHash, 3rd parameter from the bottom) is NOT enabled.

When NLB integration is enabled, ISA Server specifically tells NLB for which connections reverse hashing needs to be used.

c. Type cd  \tools, and then press Enter.

d. Type fwengmon  /?, and then press Enter.

The Firewall Kernel Mode Tool (fwengmon.exe) is a tool you can use to analyze and troubleshoot firewall connectivity by monitoring the ISA Server kernel-mode firewall engine.

You can download the tool from www.microsoft.com/isaserver/downloads.

e. Type fwengmon  /N, and then press Enter.

The output lists all the NLB hook rules that the ISA Server firewall engine has defined. Each NLB hook rule specifies whether to use the hash value of the source IP address (forward), or the destination IP address (reverse), for particular network connections.

To make it easier to read this list, you can save the output to a text file.

f. Type fwengmon  /N  >  nlbrules.txt, and then press Enter.


g. Type notepad  nlbrules.txt, and then press Enter.

Notepad opens the text file with the list of NLB hook rules.

h. In Notepad, on the Format menu, ensure that Word Wrap is disabled.

i. Maximize the nlbrules.txt - Notepad window, if that is not done already.

The firewall engine has defined a NLB hook rule for every possible combination of IP subnets (except 127.0.0.0/8), related to the current ISA Server networks configuration and publishing rules.

For each publishing rule that is configured so that requests appear to come from the original client, the firewall engine defines reverse NLB hook rules for the published server IP address to all networks. This is called dynamic BDA.

The reverse NLB hook rule used for the http://shop.contoso.com/web.asp reply from Denver is:
10.1.1.5-10.1.1.5  ->  24.0.0.0-126.255.255.255

j. Close Notepad.

Perform the following steps on the Denver computer.

19. On the Denver computer, connect to http://istanbul.fabrikam.com/web.asp.

Use default gateway: 10.1.1.3 (Do not use a proxy server)

a. On the Denver computer, open Internet Explorer.

b. On the Tools menu, click Internet Options.

c. In the Internet Options dialog box, on the Connections tab, click LAN Settings.

d. Ensure that Internet Explorer is not configured to use a proxy server.

Web requests will use the default gateway 10.1.1.3 (SecureNAT client).

e. Click OK to close the Local Area Network (LAN) Settings dialog box.

f. Click OK to close the Internet Options dialog box.

g. In the Address box, type http://istanbul.fabrikam.com/web.asp, and then press Enter.

The Web page reports that the Web request was sent through Florence (39.1.1.1).

Before the publishing rule to Denver was created, NLB used the hash value of the source IP address (10.1.1.5) for connections from Denver, which resulted in the use of NLB host Firenze. However, now that the firewall engine has defined a reverse NLB hook rule for network traffic from 10.1.1.5 to the External network, based on the new Web publishing rule, NLB uses the hash value of the destination IP address (39.1.1.7 for this connection) for all network traffic from Denver to the External network, including network traffic that is not related to the Web publishing rule.

20. Connect again to http://istanbul.fabrikam.com/web.asp.

Use a proxy server: 10.1.1.3:8080

a. On the Tools menu, click Internet Options.

b. In the Internet Options dialog box, on the Connections tab, click LAN Settings.

c. In the Local Area Network (LAN) Settings dialog box, complete the following information:
- Use a proxy server for your LAN: enable
- Address: 10.1.1.3
- Port: 8080
- Bypass proxy server for local addresses: enable
and then click OK.

Web requests will use the proxy server at 10.1.1.3:8080 (Web Proxy client).

d. Click OK to close the Internet Options dialog box.

e. On the toolbar, click the Refresh button.

The Web page reports that the Web request was sent through Firenze (39.1.1.2).


The firewall engine did not define a reverse NLB hook rule that includes network traffic from 10.1.1.5 to the Internal network. For the connection from 10.1.1.5 to 10.1.1.3, NLB uses the hash value of the source IP address (10.1.1.5), which results in the use of NLB host Firenze.
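The forward/reverse hashing behavior described in tasks 17 to 20, as an added Python illustration (not ISA Server or Windows NLB code). The hash function is a stand-in for NLB's single-affinity hash; the reverse hook rule is the one line from nlbrules.txt quoted in task 18, and the host names are the lab's array members.

```python
"""Which NLB host handles a connection once ISA Server's bi-directional
affinity (BDA) hook rules are in effect. Added illustration: the hash is
a stand-in for NLB's real hash, and the array is the lab's two members."""
import hashlib
import ipaddress

HOSTS = ["Florence", "Firenze"]  # constructed array, names from the lab


def nlb_hash(ip: str) -> int:
    """Stand-in for NLB's single-affinity hash of one IP address."""
    packed = ipaddress.ip_address(ip).packed
    return int.from_bytes(hashlib.sha256(packed).digest()[:4], "big")


def parse_hook_rule(line: str):
    """Parse an 'lo-hi  ->  lo-hi' line (fwengmon /N style) into two
    (first, last) address ranges."""
    src_text, dst_text = (part.strip() for part in line.split("->"))

    def address_range(text: str):
        lo, hi = text.split("-")
        return ipaddress.ip_address(lo), ipaddress.ip_address(hi)

    return address_range(src_text), address_range(dst_text)


# Constructed: the one reverse hook rule the lab shows in nlbrules.txt,
# created by the Web publishing rule with "requests appear to come from
# the original client" for published server 10.1.1.5 (Denver).
REVERSE_RULES = [parse_hook_rule("10.1.1.5-10.1.1.5  ->  24.0.0.0-126.255.255.255")]


def hash_direction(src: str, dst: str, reverse_rules=REVERSE_RULES) -> str:
    """'reverse' if a hook rule covers this source/destination pair,
    otherwise NLB's default 'forward' hashing on the source address."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for (slo, shi), (dlo, dhi) in reverse_rules:
        if slo <= s <= shi and dlo <= d <= dhi:
            return "reverse"
    return "forward"


def hashed_address(src: str, dst: str, reverse_rules=REVERSE_RULES) -> str:
    """The address NLB actually hashes for this connection."""
    if hash_direction(src, dst, reverse_rules) == "reverse":
        return dst
    return src


def nlb_host(src: str, dst: str, reverse_rules=REVERSE_RULES, hosts=HOSTS) -> str:
    """Array member selected for a new connection from src to dst."""
    return hosts[nlb_hash(hashed_address(src, dst, reverse_rules)) % len(hosts)]


if __name__ == "__main__":
    # Istanbul's request to the External VIP, and Denver's reply to the
    # original client address: both hash 39.1.1.7, so the same host wins.
    print("request :", nlb_host("39.1.1.7", "39.1.1.3"))
    print("reply   :", nlb_host("10.1.1.5", "39.1.1.7"))
    # Denver to the Internal VIP is not covered by the rule: forward hash.
    print("to 10.1.1.3 hashes", hashed_address("10.1.1.5", "10.1.1.3"))
```

Because the reverse rule matches any destination in 24.0.0.0-126.255.255.255, Denver's own SecureNAT traffic to 39.1.1.7 is also hashed on the destination, which is the effect observed in task 19.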

Note: In the following tasks, you will disable NLB on the ISA Server array. This consists of four steps that need to be done in the correct order.
- Step 1 - Delete rules and rule elements that use any virtual IP address.
- Step 2 - Disable NLB on all networks.
- Step 3 - Apply the changes.
- Step 4 - Disable NLB integration, and apply the changes.

Perform the following steps on the Florence computer.

21. On the Florence computer, examine the warning message when attempting to disable NLB integration.

a. On the Florence computer, in the ISA Server console, in the left pane, select Networks, and in the right pane, select the Networks tab.

b. In the task pane, on the Tasks tab, click Disable Network Load Balancing Integration.

A warning message box appears. It explains that Windows NLB will remain configured on the array computers (in a non-integrated mode), when you disable NLB Integration in the ISA Server console.

To disable NLB completely, you have to perform several steps.

c. Click CANCEL to indicate that you do NOT yet want to disable NLB integration.

22. Delete the firewall policy rules and rule elements that use the virtual IP addresses.

Firewall policy rule: Web Home Page NLB

Web listener: External Web 80 NLB

(Step 1)

a. In the left pane, select Firewall Policy (ITALY).

The first step to disable NLB on an ISA Server array is to reconfigure or delete any rules and rule elements that use the virtual IP addresses.

b. In the right pane, in the Firewall Policy Rules list, right-click Web Home Page NLB, and then click Delete.

c. Click Yes to confirm that you want to delete the Web Home Page NLB rule.

You must delete the Web publishing rule, before you can delete the Web listener that uses the virtual IP address.

d. In the task pane, on the Toolbox tab, in the Network Objects section, under Web Listeners, right-click External Web 80 NLB, and then click Delete.

e. Click Yes to confirm that you want to delete the External Web 80 NLB Web listener.

23. Disable NLB on all networks.

Networks: Internal, External

(Step 2)

a. In the left pane, select Networks, and in the right pane, select the Networks tab.

The second step to disable NLB on an ISA Server array is to disable NLB on every network.

b. In the task pane, on the Tasks tab, click Configure Load Balanced Networks.

c. In the Network Load Balancing Wizard dialog box, click Next.

d. On the Select Load Balanced Networks page, clear the check boxes of all networks, and then click Next.

e. On the Completing the Load Balanced Networks Wizard page, click Finish.

If NLB is still configured on a network, when you disable NLB integration, NLB remains configured on the array in non-integrated mode.

24. Apply the changes.

(Step 3)

a. Click Apply to save the changes, and then click OK. Wait until the CSS status is Synced, and the NLB status is Not configured.

The third step to disable NLB on an ISA Server array is to apply the current changes, so that NLB is disabled on the network adapters before you disable NLB integration in ISA Server.

The Not configured NLB status means that NLB integration is enabled, but that no network is configured to use NLB.

25. Use nlb  query, and ipconfig  /all to examine the network configuration.

a. In a Command Prompt window, type nlb  query, and then press Enter.

The NLB utility reports that NLB (WLBS) is not installed on the computer.

b. At the command prompt, type ipconfig  /all, and then press Enter.

The virtual IP addresses (10.1.1.3 and 39.1.1.3) are no longer assigned to the network adapters, and the original MAC addresses are used again.

c. Close the Command Prompt window.

26. Disable NLB integration.

Apply the changes and restart the Firewall service.

(Step 4)

a. In the ISA Server console, in the left pane, select Networks, and in the right pane, select the Networks tab.

The last step to disable NLB on an ISA Server array is to disable NLB integration, and to apply the change.

b. In the task pane, on the Tasks tab, click Disable Network Load Balancing Integration.

c. Click OK to confirm that you want to disable NLB integration.

d. In the left pane, select Monitoring, and in the right pane, select the Services tab.

When NLB integration is disabled, the Network Load Balancing service is no longer listed on the Services tab.

e. Click Apply to save the changes.

f. In the ISA Server Warning dialog box, CHANGE the current selection, and select Save the changes and restart the services, and then click OK.

g. Click OK to close the Saving Configuration Changes dialog box.

h. Wait until the CSS status is Synced.

Note: The following task is needed to avoid conflicts with other lab exercises.

Perform the following steps on the Denver computer.

27. On the Denver computer, configure Internet Explorer to use proxy server 10.1.1.1:8080, and change the default gateway to 10.1.1.1.

a. On the Denver computer, in Internet Explorer, on the Tools menu, click Internet Options.

b. In the Internet Options dialog box, on the Connections tab, click LAN Settings.

c. In the Local Area Network (LAN) Settings dialog box, complete the following information:
- Use a proxy server for your LAN: enable
- Address: 10.1.1.1
- Port: 8080
- Bypass proxy server for local addresses: enable
and then click OK.

d. Click OK to close the Internet Options dialog box.

Internet Explorer now uses proxy server 10.1.1.1:8080.

e. Close Internet Explorer.

f. On the Start menu, click Control Panel, click Network Connections, right-click Local Area Connection, and then click Properties.

g. In the Local Area Connection Properties dialog box, select Internet Protocol (TCP/IP) (do NOT clear the check box), and then click Properties.

h. In the Internet Protocol (TCP/IP) Properties dialog box, complete the following information:
- Default gateway: 10.1.1.1
and then click OK.

i. Click Close to close the Local Area Connection Properties dialog box.

The default gateway is changed to IP address 10.1.1.1.

Exercise 3 Using CARP to Distribute Cache Content

In this exercise, you will configure ISA Server to use Cache Array Routing Protocol (CARP). When you enable CARP, the cache drives on all servers are treated as a single logical cache drive.

You will also explore the CARP algorithm in the automatic configuration script that is used by Internet Explorer.

Tasks Detailed steps

Note: This lab exercise uses the following computers: Denver - Florence - Firenze - Istanbul

Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.

Perform the following steps on the Florence computer.

1. On the Florence computer, verify that ISA Server listens for Web Proxy client requests on the Internal network.

a. On the Florence computer, in the ISA Server console, in the left pane, select Networks.

b. In the right pane, on the Networks tab, right-click Internal, and then click Properties.

c. In the Internal Properties dialog box, on the Web Proxy tab, ensure that Enable Web Proxy client connections on this network is enabled, and that HTTP port is 8080.

Cache Array Routing Protocol (CARP) does not require the Internal network to listen for Web Proxy client requests; however, in the next tasks Web Proxy client requests are used to connect to ISA Server.

d. Select the CARP tab. (Do NOT enable CARP).

Notice that CARP is not enabled yet. This is the default setting in ISA Server.

e. Click OK to close the Internal Properties dialog box.

2. Create a new access rule.

Name: Allow Web access (CARP)

Applies to: HTTP

From network: Internal

To network: External

a. In the left pane, select Firewall Policy (ITALY).

b. In the right pane, select the first rule in the Firewall Policy Rules list, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.

c. In the task pane, on the Tasks tab, click Create Access Rule.

d. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow Web access (CARP), and then click Next.

e. On the Rule Action page, select Allow, and then click Next.

f. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.

g. In the Add Protocols dialog box, click Common Protocols, click HTTP, click Add, and then click Close to close the Add Protocols dialog box.

h. On the Protocols page, click Next.

i. On the Access Rule Sources page, click Add.

j. In the Add Network Entities dialog box, click Networks, click Internal, click Add, and then click Close to close the Add Network Entities dialog box.

k. On the Access Rule Sources page, click Next.

l. On the Access Rule Destinations page, click Add.

m. In the Add Network Entities dialog box, click Networks, click External, click Add, and then click Close to close the Add Network Entities dialog box.

n. On the Access Rule Destinations page, click Next.

o. On the User Sets page, click Next.

p. On the Completing the New Access Rule Wizard page, click Finish.

A new firewall policy rule is created that allows the HTTP protocol from the Internal network to the External network.

q. Click Apply to apply the new rule, and then click OK. Wait until the CSS status is Synced.

Perform the following steps on the Denver computer.

3. On the Denver computer, connect to http://istanbul.fabrikam.com/web.asp.

Use proxy server address: 10.1.1.1:8080 and 10.1.1.2:8080

a. On the Denver computer, open Internet Explorer. In the Address box, type http://istanbul.fabrikam.com/web.asp, and then press Enter.

The Web Server Info Demo Page on Istanbul appears. The Web server reports that the Web request was sent through Florence (39.1.1.1).

Note: Internet Explorer is currently configured to use proxy server 10.1.1.1:8080.

b. On the Tools menu, click Internet Options.

c. In the Internet Options dialog box, on the Connections tab, click LAN Settings.

d. In the Local Area Network (LAN) Settings dialog box, complete the following information:
- Use a proxy server for your LAN: enable
- Address: 10.1.1.2
- Port: 8080
- Bypass proxy server for local addresses: enable
and then click OK.

e. Click OK to close the Internet Options dialog box.

Internet Explorer now uses proxy server 10.1.1.2:8080.

f. On the toolbar, click the Refresh button.

The Web page reports that the Web request was sent through Firenze (39.1.1.2).

Note: In the following tasks, you will enable CARP on the ISA Server array. This consists of four steps.
- Step 1 - Enable caching and configure cache settings and rules.
- Step 2 - Enable CARP on the Internal network.
- Step 3 - Configure a CARP load factor for each array member.
- Step 4 - Enable Web Proxy client requests on the intra-array communication network.

Perform the following steps on the Florence computer.

4. On the Florence computer, enable caching and configure cache settings and cache rules.

(Step 1)

a. On the Florence computer, in the ISA Server console, in the left pane, select Cache.

In the right pane, on the Cache Drives tab, notice that the cache size for both Florence and Firenze is 0 MB. This means that caching is disabled. That is the default setting in ISA Server.

b. In the right pane, on the Cache Drives tab, select Florence.

c. In the task pane, on the Tasks tab, click Define Cache Drives (Enable Caching).

In the Florence Properties dialog box, you can set the maximum disk cache size, for each physical disk on the Florence computer.

Caching is enabled on Florence if the total cache size is not 0 MB.

d. Click Cancel to close the Florence Properties dialog box.

Note: To avoid possible conflicts with other lab exercises, caching is not enabled in this exercise. In a real environment, CARP only has any function if caching is enabled.

e. Select the Cache Rules tab.

f. In the task pane, on the Tasks tab, click Configure Cache Settings.

g. In the Cache Settings dialog box, select the Advanced tab.

The Cache Settings dialog box allows you to specify general cache settings (independent of the requested URL).

h. Click Cancel to close the Cache Settings dialog box.

i. In the right pane, right-click Default rule, and then click Properties.

Cache rules allow you to define cache settings that are specific to requested URLs, or network destinations.

The Default rule applies to all network destinations, and is used when no custom cache rule applies to the requested URL.

j. Click Cancel to close the Default rule Properties dialog box.

5. Create a new domain name set for CARP exceptions:

Name: CARP Exception Web Sites

Computer: download.contoso.com

a. In the left pane, select Firewall Policy (ITALY).

b. In the task pane, on the Toolbox tab, in the Network Objects section, right-click Domain Name Sets, and then click New Domain Name Set.

c. In the New Domain Name Set Policy Element dialog box, in the Name text box, type CARP Exception Web Sites, and then click Add.

d. In the New Domain text box, replace the text by typing download.contoso.com, and then press Enter.

e. Click OK to close the New Domain Name Set Policy Element dialog box.

A new domain name set named CARP Exception Web Sites is created.

6. Enable CARP on the Internal network.

Add the new domain name set as CARP exceptions.

(Step 2)

a. In the left pane, select Networks.

b. In the right pane, on the Networks tab, right-click Internal, and then click Properties.

c. In the Internal Properties dialog box, on the CARP tab, select Enable CARP on this network.

When CARP is enabled on the Internal network, Web requests coming from client computers on the Internal network will be balanced across the servers in the array.

Note: ISA Server 2006 (and ISA Server 2004 SP2) use a different CARP distribution algorithm than earlier ISA Server versions.

In ISA Server 2006, CARP distributes Web requests to URLs on the same host name (such as www.microsoft.com) to the same array member. This means that the source IP address never changes during a session to that Web site.

In ISA Server 2004 and earlier, CARP distributed Web requests from a client computer to URLs on the same host name equally across the array members.

d. In the CARP Exceptions box, click Add.

e. In the Add Domain Name Sets dialog box, click CARP Exception Web Sites, click Add, and then click Close to close the Add Domain Name Sets dialog box.

In ISA Server 2006, for Web requests to URLs in the CARP Exceptions Web Sites (such as download.microsoft.com), CARP selects the array member based on the client computer IP address. This means that requests from different client computers to the same URL are distributed across the array members.

In ISA Server 2004 and earlier, CARP distributed Web requests on the CARP Exceptions list from all client computers to URLs on the same host name to the same array member.

f. Select the NLB tab.

NLB is currently not enabled. However, you can enable both CARP and NLB on the same network.

g. Click OK to close the Internal Properties dialog box.

Note: You cannot enable CARP for Web requests coming from client computers on the External network. ISA Server does cache content from published Web servers, but does not use CARP to distribute that cache content.

7. Configure a CARP load factor for each array member.

(Step 3)

a. In the left pane, select Servers.

b. In the right pane, right-click Florence, and then click Properties.

c. In the Florence Properties dialog box, select the CARP tab.

The CARP load factor determines the relative number of Web requests processed by this server compared to the other array servers. By default all array servers use the same load factor of 100.

The load factors are relative numbers. This means that the sum of the load factors always represents 100%. For example, if the load factors of Florence and Firenze are changed to 80 and 240, then Florence processes 25% (80 of 320) of the Web requests, and Firenze processes 75% (240 of 320) of the Web requests.

Note: Do not change the load factors in this exercise. This ensures that the behavior of CARP matches exactly the description and the steps in this exercise.
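An added Python illustration of the two CARP points made in tasks 6 and 7 (not the script that ISA Server returns from array.dll, whose hash is not reproduced here): which key ISA Server 2006 hashes (the host name normally, the client IP address for CARP exception sites) and how load factors act as relative weights. Member selection uses a weighted rendezvous hash, an assumption chosen so that the resulting shares come out proportional to the load factors, as in the 80/240 example above.

```python
"""CARP-style distribution of Web requests across array members.
Added illustration, not ISA Server's own CARP script: the hash is a
weighted rendezvous hash, and names/values are the lab's."""
import hashlib
import math
from urllib.parse import urlsplit

# Constructed array with the lab's 80/240 load-factor example.
LOAD_FACTORS = {"Florence": 80, "Firenze": 240}
# Constructed CARP exception list: the lab's domain name set.
CARP_EXCEPTIONS = {"download.contoso.com"}


def carp_key(url: str, client_ip: str, exceptions=CARP_EXCEPTIONS) -> str:
    """ISA Server 2006 keying as described in the lab: hash the host name
    so every URL of one site goes to one member; for sites on the CARP
    exception list, hash the client IP address instead."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError(f"no host name in URL: {url!r}")
    return client_ip if host in exceptions else host


def _unit_hash(text: str) -> float:
    """Map text to a float in (0, 1]; never 0, so log() below is defined."""
    h = int.from_bytes(hashlib.sha256(text.encode()).digest()[:8], "big")
    return (h + 1) / (2**64 + 1)


def select_member(key: str, load_factors=LOAD_FACTORS) -> str:
    """Weighted rendezvous hash: each member draws a score from the key;
    the smallest wins, with probability load_factor / sum(load_factors)."""
    best, best_score = None, math.inf
    for member, weight in sorted(load_factors.items()):
        if weight <= 0:
            continue  # a member with load factor 0 receives no requests
        score = -math.log(_unit_hash(f"{key}|{member}")) / weight
        if score < best_score:
            best, best_score = member, score
    return best


def route(url: str, client_ip: str, load_factors=LOAD_FACTORS,
          exceptions=CARP_EXCEPTIONS) -> str:
    """Array member that handles (and would cache) this request."""
    return select_member(carp_key(url, client_ip, exceptions), load_factors)


def share(load_factors=LOAD_FACTORS, samples=20000) -> dict:
    """Fraction of constructed host names routed to each member; with
    80/240 this lands near 25%/75%, with equal factors near 50%/50%."""
    counts = dict.fromkeys(load_factors, 0)
    for i in range(samples):
        counts[select_member(f"host{i}.example.test", load_factors)] += 1
    return {member: count / samples for member, count in counts.items()}


if __name__ == "__main__":
    print(share())
    print(route("http://istanbul.fabrikam.com/web.asp", "10.1.1.5"))
    # Exception site: two clients may land on different members.
    for ip in ("10.1.1.5", "10.1.1.9"):
        print(ip, "->", route("http://download.contoso.com/setup.exe", ip))
```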

8. Configure the network used for intra-array communication (Perimeter) to listen for Web Proxy client requests.

(Step 4)

a. In the Florence Properties dialog box, select the Communication tab.

Florence (and Firenze) use the IP address on the Perimeter network (23.1.1.x) for communication between array members.

b. Click Cancel to close the Florence Properties dialog box.

When using CARP, array members forward Web requests to each other on the network that is configured for intra-array communication. This requires that this network listens for Web Proxy client requests. Each ISA Server computer is a Web Proxy client of the other ISA Server computer.

c. In the left pane, select Networks.

d. In the right pane, on the Networks tab, right-click Perimeter, and then click Properties.

e. In the Perimeter Properties dialog box, on the Web Proxy tab, complete the following information:
- Enable Web Proxy clients: enable
- Enable HTTP: enable (is default)
- HTTP port: 8080 (is default)
- Enable SSL: disable (is default)
and then click OK.

9. Apply the changes.

a. Click Apply to apply the changes, and then click OK. Wait until the CSS status is Synced.

Perform the following steps on the Denver computer.

10. On the Denver computer, refresh the Web page http://istanbul.fabrikam.com/web.asp.

Use proxy server address: 10.1.1.2:8080

a. On the Denver computer, in Internet Explorer, on the toolbar, click the Refresh button.

The Web page reports that the Web request was sent through Florence (39.1.1.1). However, Internet Explorer is currently configured to use proxy server 10.1.1.2:8080, which is on Firenze.

The following steps happen:
1) Denver sends the Web request to Firenze (10.1.1.2).
2) The CARP algorithm on Firenze determines that the URL "http://istanbul.fabrikam.com/web.asp" must always be handled and cached by Florence.
3) Firenze forwards the Web request to Florence (23.1.1.1).
4) Florence (39.1.1.1) sends the Web request to Istanbul (39.1.1.7).

The reply goes back along the exact same route:
5) Istanbul sends the reply back to Florence.
6) Florence caches the reply (if caching was enabled).
7) Florence forwards the reply to Firenze.
8) Firenze does NOT cache the reply, and sends the reply to Denver.

Note: To avoid forwarding of Web requests between array servers, Internet Explorer on the client computer can be instructed to use the CARP algorithm, and send the Web requests to the correct array server. ISA Server provides Internet Explorer with a CARP calculation script, so that the client computer and the array servers use the exact same calculation to determine which array server handles and caches a particular URL.

Perform the following steps on the Florence computer.

11. On the Florence computer, examine the URL of the CARP calculation script.

a. On the Florence computer, in the ISA Server console, in the left pane, select Networks.

b. In the right pane, on the Networks tab, right-click Internal, and then click Properties.

c. In the Internal Properties dialog box, select the Firewall Client tab.

When you install the Firewall Client software on client computers, the installation process can update the configuration of the Web browser as well. This dialog box displays the URL of the CARP calculation script.

Note: In this lab environment, the name ITALY does not resolve to an IP address, so to obtain the CARP calculation script you have to use the URL http://10.1.1.1:8080/array.dll?Get.Routing.Script

d. Select the Web Browser tab.

The Web Browser tab specifies additional settings in the configuration script. Internet Explorer will not contact ISA Server for Web servers on the Internal network, and if ISA Server is unavailable, Internet Explorer will attempt to connect directly to the Internet.

e. Click Cancel to close the Internal Properties dialog box.

Perform the following steps on the Denver computer.

12. On the Denver computer, configure Internet Explorer to use an automatic configuration script.

Address: http://10.1.1.1:8080/array.dll?Get.Routing.Script

a. On the Denver computer, in Internet Explorer, on the Tools menu, click Internet Options.

b. In the Internet Options dialog box, on the Connections tab, click LAN Settings.

c. In the Local Area Network (LAN) Settings dialog box, in the Automatic configuration box, complete the following information:
- Use automatic configuration script: enable
- Address: http://10.1.1.1:8080/array.dll?Get.Routing.Script
and then click OK.

You do not need to disable the proxy server configuration (10.1.1.2:8080) in this dialog box. Internet Explorer uses the proxy server configuration only if the configuration script cannot be found.

Note: ISA Server generates the script on demand. The script and array.dll do not exist as files on the ISA Server computer. This is just a URL with a special meaning to ISA Server.

Also note that the configuration script URL is case-sensitive!

d. Click OK to close the Internet Options dialog box.

13. Refresh the Web page http://istanbul.fabrikam.com/web.asp

and connect to http://ankara.fabrikam.com/web.asp

a. On the toolbar, click the Refresh button.

Denver sends the Web request for URL "http://istanbul.fabrikam.com/web.asp" to Florence. The CARP algorithm on Florence concludes the same, and forwards the Web request to Istanbul.

b. In the Address box, type http://ankara.fabrikam.com/web.asp, and then press Enter.

Note: ankara.fabrikam.com is a different host name, but resolves to the same IP address as istanbul.fabrikam.com (39.1.1.7).

Use configuration script.

Denver sends the Web request for URL "http://ankara.fabrikam.com/web.asp" to Firenze. The CARP algorithm on Firenze concludes the same, and forwards the Web request to Istanbul (39.1.1.7).

Because the CARP calculation for each URL on the client computer is exactly the same as on the array servers, Florence and Firenze do not have to forward Web requests to each other.

c. Close Internet Explorer.

14. Use Internet Explorer to save a copy of the configuration script to C:\Tools\array.Script.txt

a. Open Internet Explorer. In the Address box, type http://10.1.1.1:8080/array.dll?Get.Routing.Script, and then press Enter.

You can obtain a copy of the configuration script by typing the script URL in the Address box.

The configuration script URL is case-sensitive.

b. In the File Download dialog box, click Save.

c. In the Save As dialog box, browse to the C:\Tools folder, and then in the File name text box, type array.Script.txt, and click Save.

The configuration script is saved as C:\Tools\array.Script.txt.

Note: The .txt extension is added, so that you can easily open the script file in Notepad.

15. Examine the contents of C:\Tools\array.Script.txt in Notepad.

a. Use Windows Explorer (or My Computer) to open the C:\Tools folder.

b. In the Tools folder, right-click array.Script.txt, and then click Open.

Notepad opens the array.Script.txt file.

The configuration script is a JScript file. For each URL, Internet Explorer calls the FindProxyForURL function in the script, which returns the address and port of the proxy server that Internet Explorer should connect to for that particular URL.

In the MakeProxies function, on line 29 and 30 in the script, the IP addresses (10.1.1.1, 10.1.1.2) and the relative load factors (1.000000 for both) of the available proxy servers are specified.

On line 9 in the script, the CARP exception Web site, download.contoso.com, is listed. The other exceptions are from the Microsoft Update Domain Name Set.

On line 3 in the script, the UseDirectForLocal variable indicates that Internet Explorer must bypass the proxy server for local addresses (URLs without dots).

c. Scroll to the end of the script.

The last part of the script contains the actual CARP algorithm.

In summary, for a given URL, the script calculates a score (multiplied by the load factor) for each proxy server. The highest scoring proxy server for this URL is selected. For URLs on a CARP exception Web site, the script includes a hash value of the client IP address to calculate a score for each proxy server.

d. Close Notepad.

e. Close the Tools folder.

Note: In the script, ISA Server always provides the dedicated IP addresses, and never the NLB virtual IP address, of the proxy servers in the array. This allows you to enable both CARP and NLB on the same network.
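The following JavaScript is an added illustration of the selection logic described above; it is not the script that ISA Server generates and not the lab's carpdemo.js. The hash function is a constructed stand-in for the script's own hash, and the model keys the score on the host name rather than the full URL, which is what the lab's results show (all URLs on one host land on the same array member); the proxy addresses, load factors and the exception site are taken from the lab text.

```javascript
// Constructed model of a CARP routing script (not ISA Server's array.dll output).
// Array members as listed in MakeProxies: dedicated IP, port, relative load factor.
const PROXIES = [
  { host: "10.1.1.1", port: 8080, loadFactor: 1.0 },
  { host: "10.1.1.2", port: 8080, loadFactor: 1.0 },
];

// CARP exception sites: requests for these are spread by client IP, not by URL,
// so every request of one client for the site lands on the same member.
const CARP_EXCEPTIONS = ["download.contoso.com"];

// Bypass the proxy for plain host names (no dot), as UseDirectForLocal does.
const USE_DIRECT_FOR_LOCAL = true;

// FNV-1a 32-bit hash: a constructed stand-in for the script's real hash.
function hash32(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h >>> 0;
}

// Score one proxy for a key (host name, or client IP for exception sites).
// Combining the key hash with the proxy hash is what keeps the mapping stable:
// removing one member only moves the keys that member owned.
function carpScore(proxy, key) {
  const combined = hash32(proxy.host) ^ hash32(key);
  const scrambled = hash32(String(combined)); // spread the XOR result
  return (scrambled / 0xffffffff) * proxy.loadFactor; // weight by load factor
}

// Extract the lower-cased host name from a URL (scheme optional).
function hostOf(url) {
  const m = /^(?:[a-z]+:\/\/)?([^\/:]+)/i.exec(url);
  return m ? m[1].toLowerCase() : url.toLowerCase();
}

// Order the proxies by descending score for the key; the first is the owner,
// the rest are the fallbacks Internet Explorer tries if the owner is down.
function rankProxies(key) {
  return PROXIES
    .map((p) => ({ proxy: p, score: carpScore(p, key) }))
    .sort((a, b) => b.score - a.score)
    .map((e) => e.proxy);
}

// Equivalent of the script's FindProxyForURL: returns the PAC string that
// Internet Explorer evaluates left to right until one entry answers.
function FindProxyForURL(url, host, clientIp) {
  if (USE_DIRECT_FOR_LOCAL && host.indexOf(".") === -1) {
    return "DIRECT";
  }
  const key = CARP_EXCEPTIONS.indexOf(host.toLowerCase()) >= 0 ? clientIp : host;
  const ranked = rankProxies(key);
  return ranked.map((p) => "PROXY " + p.host + ":" + p.port).join("; ") + "; DIRECT";
}

// Model of step 10 above: when the client sends to a fixed proxy instead of the
// CARP owner, the request takes one extra hop inside the array.
function requestPath(clientProxyHost, url) {
  const owner = rankProxies(hostOf(url))[0].host;
  return clientProxyHost === owner ? [clientProxyHost] : [clientProxyHost, owner];
}
```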

16. Use C:\Tools\carpdemo.js to calculate the selected proxy server for:

istanbul.fabrikam.com/web.asp

istanbul.fabrikam.com/<yourname>

ankara.fabrikam.com

izmir

a. Open a Command Prompt window.

b. At the command prompt, type cd \tools, and then press Enter.

c. Type dir, and then press Enter.

The Tools folder contains another script file, carpdemo.js, for use with this lab.

Carpdemo uses the saved array.Script.txt file to calculate the selected proxy server for a provided URL.

d. Type carpdemo istanbul.fabrikam.com/web.asp, and then press Enter.

The result of the CARP algorithm for this URL shows that it is handled and cached on proxy server 10.1.1.1. If the proxy server is not available, Internet Explorer will connect to the next proxy server in the list (10.1.1.2), and finally attempt to use its default gateway to connect to the Web server (DIRECT).

e. Click OK. Type carpdemo  istanbul.fabrikam.com/yourname (replace yourname by your own name), and then press Enter.

All URLs on istanbul.fabrikam.com are handled and cached on proxy server 10.1.1.1. During a session to the same Web site, the source IP address of the array member used remains the same.

f. Click OK. Type carpdemo  ankara.fabrikam.com, and then press Enter.

All URLs on ankara.fabrikam.com are handled and cached on proxy server 10.1.1.2.

g. Click OK. Type carpdemo  izmir, and then press Enter.

Izmir does not have a dot in the URL. The Web server is considered to be on the internal network (local). Internet Explorer does not connect to a proxy server.

h. Click OK to close the CARP Routing Script demo message box.

i. Close the Command Prompt window.

Note: The following tasks are needed to avoid conflicts with other lab exercises.

17. Configure Internet Explorer to use a proxy server:

Address: 10.1.1.1:8080

a. In Internet Explorer, on the Tools menu, click Internet Options.

b. In the Internet Options dialog box, on the Connections tab, click LAN Settings.

c. In the Local Area Network (LAN) Settings dialog box, complete the following information:
- Use automatic configuration script: disable
- Use a proxy server for your LAN: enable
- Address: 10.1.1.1
- Port: 8080
- Bypass proxy server for local addresses: enable
and then click OK.

d. Click OK to close the Internet Options dialog box.

Internet Explorer now uses proxy server 10.1.1.1:8080.

e. Close Internet Explorer.

Perform the following steps on the Florence computer.

18. On the Florence computer, disable CARP on the Internal network.

a. On the Florence computer, in the ISA Server console, in the left pane, select Networks.

b. In the right pane, on the Networks tab, right-click Internal, and then click Properties.

c. In the Internal Properties dialog box, on the CARP tab, CLEAR the Enable CARP on this network check box.

d. Click OK to close the Internal Properties dialog box.

CARP is disabled on the Internal network.

e. Click Apply to save the changes, and then click OK. Wait until the CSS status is Synced.

Exercise 4 Using CARP and Scheduled Content Download Jobs

In this exercise, you will configure ISA Server to use CARP and a content download job to update cache content.

Tasks Detailed steps

Note: This lab exercise uses the following computers: Denver - Florence - Firenze - Istanbul

Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.

Note: In the following tasks, you will configure a cache content download job on the ISA Server array. This allows you to update the ISA Server cache with HTTP content that may be requested by Web Proxy clients later.

Perform the following steps on the Florence computer.

1. On the Florence computer, examine the Microsoft ISA Server Job Scheduler service.

a. On the Florence computer, on the Start menu, click Administrative Tools, and then click Services.

b. In the Services console, select the Microsoft ISA Server Job Scheduler service (two services below Microsoft Firewall in the list).

Automatic cache content download jobs are run by the Microsoft ISA Server Job Scheduler service on each array server.

To understand the configuration of content download jobs, it is helpful to understand that conceptually there is no difference between the following two methods to place objects in the ISA Server cache:
- A Web Proxy client user on the Internal network, sending multiple requests to Web sites on the Internet.
- The ISA Server Job Scheduler service (running as Local System), on the Local Host network, sending multiple requests to Web sites on the Internet, based on URL information in a cache content download job.

For configuration on ISA Server, the main difference is that a user connects from the Internal network, while the content download jobs are run from the Local Host network.

c. Close the Services console.

2. Configure the Local Host network to listen for Web Proxy client requests.

a. In the ISA Server console, in the left pane, select Networks.

b. In the right pane, on the Networks tab, right-click Local Host, and then click Properties.

c. In the Local Host Properties dialog box, on the Web Proxy tab, complete the following information:
- Enable Web Proxy clients: enable
- Enable HTTP: enable (is default)
- HTTP port: 8080 (is default)
- Enable SSL: disable (is default)
and then click OK.

The ISA Server Job Scheduler service connects as Web Proxy client from the Local Host network.

Note: Do not enable CARP on the Local Host network yet.

3. Enable system policy rule 29 to allow HTTP from the Local Host network for content download jobs.

a. In the left pane, select Firewall Policy (ITALY).

b. In the task pane, on the Tasks tab, click Show System Policy Rules.

c. In the right pane, right-click system policy rule 29, and then click Properties.

System policy rule 29 is disabled by default. The rule allows HTTP from the Local Host network to All Networks for content download jobs.

d. Select the Users tab.

Note: The system policy rule applies to requests from the built-in System account and the built-in Network Service account. It does not allow unauthenticated access. This means that after this rule is enabled, ISA Server blocks unauthenticated HTTP traffic from the Local Host network (ISA Server computer).

If you do not want to block unauthenticated HTTP traffic from the ISA Server computer, you must not enable system policy rule 29, but instead create an access rule that allows HTTP access for the content download jobs, and place this new access rule last in the Firewall Policy Rules list.

e. Click Cancel to close the system policy rule 29 dialog box.

f. Right-click system policy rule 29, and then click Edit System Policy.

g. In the System Policy Editor dialog box, in the Configuration Groups list, ensure that Scheduled Download Jobs is selected, and then select the Enable check box.

h. Click OK to close the System Policy Editor dialog box.

System policy rule 29 is now enabled.

i. In the task pane, on the Tasks tab, click Hide System Policy Rules.

4. Apply the changes.

a. Click Apply to save the changes, and then click OK. Wait until the CSS status is Synced.

5. Create a new content download job.

Name: Fabrikam News Site

Download frequency: Daily at 7:00 AM

URL: http://istanbul.fabrikam.com/news.htm

a. In the left pane, select Cache, and then in the right pane, select the Content Download Jobs tab.

b. In the task pane, on the Tasks tab, click Schedule a Content Download Job.

c. In the New Content Download Job Wizard dialog box, in the Content Download Job name text box, type Fabrikam News Site, and then click Next.

d. On the Download Frequency page, select Daily, and then click Next.

Note: The Download Frequency page mentions the use of CARP with content download jobs. You will enable CARP for this purpose, later in the exercise.

e. On the Daily Frequency page, complete the following information:
- Job start date: today's date (is default)
- Job start time: 7:00 AM
- Run the job one time every day: enable (is default)
and then click Next.

f. On the Content Download page, in the Download content from this URL text box, type http://istanbul.fabrikam.com/news.htm and then click Next.

The job scheduler will download news.htm, and recursively download Web pages linked in news.htm.

g. On the Content Caching page, click Next.

Note: The content download job allows you to cache content even if the HTTP headers indicate that the content should not be cached. However, the default is to cache content only if the HTTP headers indicate that it is cacheable.

h. On the Completing the Scheduled Content Download Job Wizard page, click Finish.

A new content download job named Fabrikam News Site is created.

6. Examine the configuration status of the array servers.

a. In the left pane, select Monitoring, and then in the right-pane, select the Configuration tab.

b. In the task pane, on the Tasks tab, click Refresh Now.

The configuration status of Florence and Firenze is Not synced.

When you create a content download job, the configuration is updated on the array servers immediately. You do not have to click Apply to save the changes.

c. Wait until the configuration status is Synced.

7. Edit the log viewer filter:

Log Record Type: Web Proxy Filter

Start the log viewer.

a. Select the Logging tab.

Note: You may (temporarily) need to close the task pane, to see the Logging tab.

b. In the task pane, on the Tasks tab, click Edit Filter.

c. In the Edit Filter dialog box, in the conditions list, select the existing Log Record Type condition.

d. In the Value list box, select Web Proxy Filter, and then click Update.

e. Click Start Query to close the Edit Filter dialog box.

The log viewer will display current network activity based on the Web Proxy log file.

8. Start the Fabrikam News Site content download job now.

a. In the left pane, select Cache, and in the right-pane select the Content Download Jobs tab.

b. In the right pane, select the Fabrikam News Site job.

c. Scroll the contents of the right pane to the right, so that you can see the Status column.

The current job status is Idle.

d. In the task pane, on the Tasks tab, click Start Selected Jobs Now.

The job scheduler will run the Fabrikam News Site content download job on both array servers now, instead of waiting until the scheduled time (7:00 AM).

e. After a few seconds, on the Tasks tab, click Refresh Now.

The Fabrikam News Site is a very short job. After the refresh, the job status in the Status column changes back from Running to Idle, and the Stop Running Jobs task link changes back to Start Selected Jobs Now.

9. Stop the log viewer, and examine the Web Proxy log entries.

a. In the left pane, select Monitoring, and in the right pane select the Logging tab.

b. After a few seconds, in the task pane, on the Tasks tab, click Stop Query.

The log viewer displays log entries from the Web Proxy log file. You may need to scroll to the right to see the URL and Server Name columns.

Both Florence and Firenze first attempt an anonymous Web Proxy connection (port 8080) to the Local Host network (127.0.0.1). System policy rule 29 requires authentication. After that both array servers download news.htm and economy.htm from 39.1.1.7. The istanbul.fabrikam.com/news.htm Web page links to the ankara.fabrikam.com/economy.htm Web page. Both host names resolve to 39.1.1.7.

Note: All files in the content download job (news.htm and economy.htm) are downloaded and cached by both array servers. This is because CARP is not enabled for content download jobs yet.

10. Enable CARP on the Local Host network.

a. In the left pane, select Networks.

b. In the right pane, on the Networks tab, right-click Local Host, and then click Properties.

c. In the Local Host Properties dialog box, on the CARP tab, select Enable CARP on this network.

When CARP is enabled on the Local Host network, content download jobs run only on a single array server. The downloaded Web pages are distributed over the array servers, according to the CARP algorithm.

Note: Currently CARP is disabled on the Internal network. When you use a content download job to distribute cache content according to the CARP algorithm, you have to ensure that Web Proxy clients on the Internal network access the content using CARP as well.

d. Click OK to close the Local Host Properties dialog box.

e. Click Apply to save the changes, and then click OK. Wait until the CSS status is Synced.

Perform the following steps on the Denver computer.

11. On the Denver computer, use C:\Tools\carpdemo.js to calculate the selected proxy server for:

istanbul.fabrikam.com/news.htm

and

ankara.fabrikam.com/economy.htm

a. On the Denver computer, in a Command Prompt window, in the C:\Tools folder, type carpdemo  istanbul.fabrikam.com/news.htm, and then press Enter.

The content download job URL is handled on array server 10.1.1.1 (Florence). This means that the job scheduler on Florence will run the Fabrikam News Site job.

b. Click OK. Type carpdemo  ankara.fabrikam.com/economy.htm, and then press Enter.

The economy.htm Web page is downloaded and cached on array server 10.1.1.2 (Firenze).

c. Close the Command Prompt window.

Perform the following steps on the Florence computer.

12. On the Florence computer, start the log viewer.

a. On the Florence computer, in the ISA Server console, in the left pane, select Monitoring, and in the right pane select the Logging tab.

b. In the task pane, on the Tasks tab, click Start Query.

The log viewer will display current network activity based on the Web Proxy log file.

13. Start the Fabrikam News Site content download job now.

a. In the left pane, select Cache, and in the right-pane select the Content Download Jobs tab.

b. In the right pane, select the Fabrikam News Site job.

c. In the task pane, on the Tasks tab, click Start Selected Jobs Now.

The job scheduler will run the Fabrikam News Site content download job now. Because CARP is enabled on the Local Host network, CARP calculates that only the job scheduler on Florence runs the job.

d. After a few seconds, on the Tasks tab, click Refresh Now.

The Stop Running Jobs task link changes back to Start Selected Jobs Now.

14. Stop the log viewer, and examine the Web Proxy log entries.

a. In the left pane, select Monitoring, and in the right pane select the Logging tab.

b. After a few seconds, in the task pane, on the Tasks tab, click Stop Query.

Note: Because the log entries are collected from two array members, and happen within the same second, they may not be in the correct order.

The log entries show that Florence downloads and caches news.htm from Istanbul (39.1.1.7). After that Florence forwards the request for economy.htm to Firenze (23.1.1.2). Firenze downloads and caches economy.htm from ankara.fabrikam.com (39.1.1.7).

Notice that all files in the content download job (news.htm and economy.htm) are downloaded and cached only once, according to the CARP distribution.

Note: The following tasks are needed to avoid conflicts with other lab exercises.

15. Edit the log viewer filter:

Log Record Type: Firewall or Web Proxy Filter

a. In the left pane, select Monitoring, and then in the right-pane, select the Logging tab.

b. In the task pane, on the Tasks tab, click Edit Filter.


c. In the Edit Filter dialog box, in the conditions list, select the existing Log Record Type condition.

d. In the Value list box, select Firewall or Web Proxy Filter, and then click Update.

e. Click Start Query to close the Edit Filter dialog box.

The log viewer will display current network activity based on the Firewall log file and the Web Proxy log file.

f. On the Tasks tab, click Stop Query.

16. Delete the Fabrikam News Site content download job.

a. In the left pane, select Cache.

b. In the right pane, on the Content Download Jobs tab, right-click the Fabrikam News Site job, and then click Delete.

c. Click Yes to confirm that you want to delete the Fabrikam News Site job.

The change is updated on the array servers immediately. You do not have to click Apply to save the changes.

d. Wait until the CSS status is Synced.

Note: You cannot disable Web Proxy clients on the Local Host network, when a content download job exists.

17. Disable Web Proxy clients and CARP on the Local Host network.

a. In the left pane, select Networks.

b. In the right pane, on the Networks tab, right-click Local Host, and then click Properties.

c. In the Local Host Properties dialog box, on the Web Proxy tab, CLEAR the Enable Web Proxy clients check box.

d. On the CARP tab, CLEAR the Enable CARP on this network check box.

e. Click OK to close the Local Host Properties dialog box.

Web Proxy clients and CARP are disabled on the Local Host network.

18. Disable Web Proxy clients on the network used for intra-array communication (Perimeter).

a. On the Networks tab, right-click Perimeter, and then click Properties.

b. In the Perimeter Properties dialog box, on the Web Proxy tab, CLEAR the Enable Web Proxy clients check box.

c. Click OK to close the Perimeter Properties dialog box.

Web Proxy clients are disabled on the Perimeter network.

19. Disable system policy rule 29.

a. In the left pane, select Firewall Policy (ITALY).

b. In the task pane, on the Tasks tab, click Show System Policy Rules.

c. In the right pane, right-click system policy rule 29, and then click Edit System Policy.

d. In the System Policy Editor dialog box, in the Configuration Groups list, ensure that Scheduled Download Jobs is selected, and then CLEAR the Enable check box.

e. Click OK to close the System Policy Editor dialog box.

System policy rule 29 is now disabled.

f. In the task pane, on the Tasks tab, click Hide System Policy Rules.

20. Apply the changes.

a. Click Apply to save the changes, and then click OK. Wait until the CSS status is Synced.

Module I: Using Monitoring, Alerting and Logging

Exercise 1 Monitoring the ISA Server

In this exercise, you will explore the monitoring functions of ISA Server.

Tasks Detailed steps

Note: This lab exercise uses the following computer: Paris

Refer to the beginning of the manual for instructions on how to start this computer. Log on to the computer.

Perform the following steps on the Paris computer.

1. On the Paris computer, examine the alert definition for the Service Shutdown event.

a. On the Paris computer, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.

b. In the ISA Server console, in the left pane, expand Paris, and then select Monitoring.

c. In the right pane, select the Dashboard tab.

The Monitoring node has multiple tabs that allow you to monitor, control, investigate, troubleshoot and plan firewall operations.

On the first tab (Dashboard), five of the other tabs are represented by a summary box providing a quick summary of the detailed information on those other tabs. Whenever you need to investigate a particular event or reported issue in more detail, you switch from the Dashboard to the other tabs.

d. Select the Alerts tab.

The Alerts tab lists events at the ISA Server that are significant enough to alert you.

e. In the task pane, on the Tasks tab, click Configure Alert Definitions.

f. In the Alert Properties dialog box, select the Service Shutdown line (do not clear the check box for Service Shutdown), and then click Edit.

On the General tab, in the Severity drop-down list box, notice that ISA Server considers a Service Shutdown an Information alert.

g. In the Service Shutdown Properties dialog box, select the Events tab.

On the Events tab you specify the threshold to trigger an alert when the event occurs. In this example, the event is a shutdown of any ISA Server service.

h. Select the Actions tab.

On the Actions tab you specify the action, besides listing it on the Alerts tab, that should happen when an alert for this event is triggered. In this example, the only action is to report the alert in the Windows event log (Application log).

i. Click Cancel to close the Service Shutdown Properties dialog box.

j. Click Cancel to close the Alerts Properties dialog box.

Notice that the current status of the ISA Server services is considered so significant that there is also a special tab (Services) that will specifically display the status of the services.

2. Use the Services console to stop the Microsoft ISA Server Job Scheduler service to simulate an unexpected shutdown of the service.

a. On the Start menu, click Administrative Tools, and then click Services.

b. In the Services console, in the right pane, right-click Microsoft ISA Server Job Scheduler service, and then click Stop.

The ISA Server Job Scheduler service is stopped. This simulates an unexpected shutdown of one of the ISA Server services.

c. Close the Services console.

3. Examine how an alert shows up on the Alerts tab, and the Dashboard tab.

a. In the ISA Server console, on the Alerts tab, wait for 30 seconds for the new alert (Service Shutdown) to show up, or in the task pane, on the Tasks tab, click Refresh Now.

A new Information alert (Service Shutdown) appears.

b. Select the Dashboard tab. Wait for 30 seconds, or in the task pane, on the Tasks tab, click Refresh Now.

In the Alerts summary box, the Service Shutdown Information alert is displayed as well. Notice the column that lists the number of New (not acknowledged yet) alerts.

The icon in the top left corner of each summary box indicates the highest severity or status of the information in that summary box. You may click the circle with the two up-arrows to roll up the summary box.

4. Investigate the Service Shutdown alert and resolve the issue by starting the ISA Server Job Scheduler service on the Services tab.

a. On the Dashboard tab, click the heading of the Alerts summary box to return to the Alerts tab.

b. On the Alerts tab, select the Service Shutdown alert, and then expand the Service Shutdown alert.

The Messages area shows a general description of the event. (The service was stopped gracefully.)

c. Select the second Service Shutdown alert line.

The Messages area shows a more specific description of the event. (The ISA Server Job Scheduler service was stopped gracefully.)

When multiple similar alerts occur, they are grouped with a common general description.

d. In the task pane, on the Tasks tab, click Acknowledge Selected Alerts.

The Status of the Service Shutdown alert changes from New to Acknowledged to indicate that you have seen this alert.

Acknowledged alerts are removed from the Alerts summary box on the Dashboard tab as well.

e. Select the Services tab, and then in the task pane, on the Tasks tab, click Refresh Now.

f. In the right pane, select Microsoft ISA Server Job Scheduler, and then in the task pane, on the Tasks tab, click Start Selected Service.

The ISA Server Job Scheduler service is started again.

g. On the Alerts tab, select the second acknowledged Service Shutdown alert line.

h. In the task pane, on the Tasks tab, click Reset Selected Alerts.

i. Click Yes to confirm that you want to reset Service Shutdown.

The Service Shutdown alert is removed from the Alerts tab to indicate that you have resolved this alert. The alert will still be in the Windows Event Application log.

Note: The particular event (Service Shutdown) is used as an example in this exercise. You would normally investigate a Service Shutdown alert on the ISA Server computer more extensively than just starting the service again.

5. Examine the intrusion detection options.

a. In the ISA Server console, in the left pane, expand Configuration, and then select General.

b. In the right pane, click Enable Intrusion Detection and DNS Attack Detection.

In the dialog box, you can enable detection of well-known intrusion attempts. Detected attempts trigger an intrusion detection alert.

Notice that intrusion detection is enabled by default.

c. Click Cancel to close the dialog box.

6. Examine the performance monitoring options.

a. On the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Performance Monitor.

A pre-configured System Monitor console for ISA Server appears.

ISA Server 2006 defines five System Monitor objects and approximately 170 performance counters to monitor the performance of the ISA Server.

b. Close the ISA Server Performance Monitor console.

c. If a message box appears, click No to confirm that you do not want to save console settings to msisaprf.msc.

Exercise 2 Checking Connectivity from the ISA Server

In this exercise, you will explore the connectivity checking functions of ISA Server.

Tasks Detailed steps

Note: This lab exercise uses the following computers: Paris - Istanbul

Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.

Perform the following steps on the Paris computer.

1. On the Paris computer, create two new connectivity verifiers:

Name: Istanbul (ping)
Server: 39.1.1.7
Method: Ping

Name: Istanbul (http)
Server: 39.1.1.7
Method: HTTP "GET"

a. On the Paris computer, in the ISA Server console, in the left pane, select Monitoring.

b. In the right pane, select the Connectivity Verifiers tab.

The Connectivity Verifiers tab allows you to define Connectivity Verifiers. A connectivity verifier periodically connects from the ISA Server to other computers that you specify, to test current connectivity. This helps with troubleshooting server connectivity problems.

ISA Server automatically defines the required System policy rules to allow the network traffic to check the connectivity to the other computers. The connectivity verifiers are not intended to check the ISA Server configuration, or the Firewall policy rules, but instead are intended to check the network connectivity from the ISA Server computer to the specified computers.

c. In the task pane, on the Tasks tab, click Create New Connectivity Verifier.

d. In the New Connectivity Verifier Wizard dialog box, in the Connectivity Verifier name text box, type Istanbul (ping), and then click Next.

e. On the Connectivity Verification Details page, complete the following information:
Monitor connectivity to this server or URL: 39.1.1.7
Group type used to categorize: Web (Internet)
Verification method: Send a Ping request
and then click Next.

f. On the Completing the Connectivity Verifier Wizard page, click Finish.

A new connectivity verifier is added. ISA Server will ping 39.1.1.7 (Istanbul) every 30 seconds and compare the response time with the timeout response threshold of 5000 msec.

g. In the task pane, on the Tasks tab, click Create New Connectivity Verifier.

h. In the New Connectivity Verifier Wizard dialog box, in the Connectivity Verifier name text box, type Istanbul (http), and then click Next.

i. On the Connectivity Verification Details page, complete the following information:
Monitor connectivity to this server or URL: 39.1.1.7
Group type used to categorize: Web (Internet)
Verification method: Send an HTTP "GET" request
and then click Next.

j. On the Completing the Connectivity Verifier Wizard page, click Finish.

k. If the Enable HTTP Connectivity Verification message box appears, click Yes to confirm that a system policy rule is enabled.


A new connectivity verifier is added. ISA Server will establish an HTTP GET request to 39.1.1.7 (Istanbul) every 30 seconds and compare the response time with the timeout response threshold of 5000 msec.

2. Examine the System policy rules used by the connectivity verifiers.

a. In the left pane, select Firewall Policy.

b. In the task pane, on the Tasks tab, click Show System Policy Rules.

In the right pane, System policy rule 12 allows Ping requests from the ISA Server computer (Local Host) to All Networks. Rule 19 allows HTTP requests from the ISA Server computer to All Networks.

Note: Instead of allowing HTTP requests to All Networks, consider restricting rule 19 to a custom Computer Set that contains only the computers for which you have defined an HTTP connectivity verifier. Enabling the HTTP verifier turned on an outbound HTTP allow rule for Local Host; limiting its destinations keeps the ISA Server itself from being able to reach arbitrary Web servers.

c. In the task pane, on the Tasks tab, click Hide System Policy Rules.

3. Apply changes to save and activate the new connectivity verifiers.

a. In the left pane, select Monitoring.

b. In the right pane, click Apply to save the new connectivity verifiers, and then click OK.

The two connectivity verifiers are now active.

4. Wait for the successful check of the two connectivity verifiers for Istanbul.

a. On the Connectivity Verifiers tab, wait one minute, and then in the task pane, on the Tasks tab, click Refresh Now.

Note: Refresh Now updates the information in the ISA Server console, it does not interfere with the connectivity verifiers periodic checking.

Two green checkmark icons appear in the Verifier Name column. A green checkmark icon indicates that the response time from Istanbul is less than the timeout response threshold (5000 ms).

Perform the following steps on the Istanbul computer.

5. On the Istanbul computer, stop the Default Web Site to simulate a failure of the Web server.

a. On the Istanbul computer, on the Start menu, click Administrative Tools, and then click Internet Information Services (IIS) Manager.

b. In the IIS Manager console, expand ISTANBUL (local computer), expand Web Sites, right-click Default Web Site, and then click Stop.

The Web site is stopped. Istanbul will no longer respond to HTTP requests. This simulates a failure of the Web server.

Perform the following steps on the Paris computer.

6. On the Paris computer, wait for the failure state of the Istanbul (http) connectivity verifier.

a. On the Paris computer, on the Connectivity Verifiers tab, wait one minute, and then in the task pane, on the Tasks tab, click Refresh Now.

In the Verifier Name column, a red error icon appears for the Istanbul (http) connectivity verifier. The red error icon indicates that the connectivity verifier did not receive a response from Istanbul to its HTTP request.

Notice that the Istanbul (ping) connectivity verifier does not report an error. A successful ping only shows that the Istanbul host is reachable; it says nothing about whether the Web service on that host is running. Use a verification method that exercises the service itself (HTTP GET, or a TCP connection to the service port) when the service, not the host, is what you need to monitor.

Perform the following steps on the Istanbul computer.

7. On the Istanbul computer, start the Default Web Site again.

a. On the Istanbul computer, in the IIS Manager console, right-click Default Web Site (Stopped), and then click Start.

The Web server is started again.

b. Close the IIS Manager console.

Perform the following steps on the Paris computer.

8. On the Paris computer, wait for the success state of the Istanbul (http) connectivity verifier.

a. On the Paris computer, on the Connectivity Verifiers tab, wait one minute, and then in the task pane, on the Tasks tab, click Refresh Now.

A green checkmark icon appears again for the Istanbul (http) connectivity verifier. ISA Server has successfully received a response to its HTTP request to Istanbul.

9. Delete the two connectivity verifiers for Istanbul.

a. Right-click the Istanbul (http) connectivity verifier, and then click Delete.

b. Click Yes to confirm that you want to delete the connectivity verifier.

c. Right-click the Istanbul (ping) connectivity verifier, and then click Delete.

d. Click Yes to confirm that you want to delete the connectivity verifier.

Both connectivity verifiers are removed.

e. Click Apply to save the changes, and then click OK.

Note: The connectivity verifiers in this exercise check connectivity to the Istanbul computer on the External network (the Internet). Other examples of using connectivity verifiers are checking DNS connectivity (a TCP connection to port 53) to DNS servers on the Internet, and checking service connectivity to published servers in the perimeter network. Each verification method you enable causes the matching System policy rule to be turned on, so review the System policy rules after adding verifiers.
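The following is an added example, not code from ISA Server or from this manual. It models the verifier behaviour this exercise walks through (green when a response arrives within the 5000 ms timeout response threshold, red when none arrives) for two of the verification methods, an HTTP "GET" and a TCP connection to a port, and replays steps 4 to 6 against a local stand-in for Istanbul's Default Web Site. Assumptions: the ICMP ping method is left out because it needs raw sockets; a response that arrives after the threshold is treated the same as no response; the loopback server and its port are constructed for the example.

```python
"""Connectivity verifier in the style of ISA Server's Monitoring > Connectivity
Verifiers tab.  Added example, not ISA Server code.  Assumptions: only the
HTTP GET and TCP-connect methods are implemented (the ICMP ping method needs
raw sockets and is left out), and a response that arrives after the threshold
is treated the same as no response.  The local HTTP server is a constructed
stand-in for Istanbul's Default Web Site."""
import http.client
import socket
import threading
import time
from http.server import BaseHTTPRequestHandler, HTTPServer

THRESHOLD_MS = 5000  # ISA's default timeout response threshold, as in the lab


def http_get_verifier(host, port, path="/", threshold_ms=THRESHOLD_MS):
    """Send one HTTP GET.  Returns ("green", elapsed_ms) when any HTTP response
    (even a 404) arrives within the threshold, ("red", None) otherwise."""
    start = time.monotonic()
    try:
        conn = http.client.HTTPConnection(host, port, timeout=threshold_ms / 1000)
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        conn.close()
    except (OSError, http.client.HTTPException):
        # connection refused, name resolution failure or socket timeout
        return ("red", None)
    return ("green", round((time.monotonic() - start) * 1000))


def tcp_connect_verifier(host, port, threshold_ms=THRESHOLD_MS):
    """Establish a TCP connection only (the "Establish a TCP connection to
    port" method, e.g. port 53 on a DNS server); no payload is sent."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=threshold_ms / 1000):
            pass
    except OSError:
        return ("red", None)
    return ("green", round((time.monotonic() - start) * 1000))


class _StubSite(BaseHTTPRequestHandler):
    """Answers every GET with 200; stands in for Istanbul's Default Web Site."""

    def do_GET(self):
        body = b"Istanbul Web site"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the console quiet
        pass


def start_stub_site():
    """Start the stand-in site on an ephemeral loopback port; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), _StubSite)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def replay_exercise():
    """Replays steps 4 to 6: both verifiers are green while the site is up,
    and the HTTP verifier turns red once the site is stopped."""
    srv, port = start_stub_site()
    site_up_http = http_get_verifier("127.0.0.1", port)[0]
    site_up_tcp = tcp_connect_verifier("127.0.0.1", port)[0]
    srv.shutdown()      # "Stop" the Default Web Site
    srv.server_close()  # release the listening socket so connections are refused
    site_down_http = http_get_verifier("127.0.0.1", port)[0]
    return site_up_http, site_up_tcp, site_down_http


if __name__ == "__main__":
    print(replay_exercise())  # ('green', 'green', 'red')
```

The TCP-connect verifier goes red together with the HTTP one here, because stopping the stand-in site closes its listening socket; a ping verifier would keep reporting green, which is the point made in step 6 of the exercise.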

Page 168: ISA 2006 Lab Manual

168 Lab Summary

Exercise 3: Logging Client Computer Access

In this exercise, you will explore the logging functions of ISA Server.

Tasks Detailed steps

Note: This lab exercise uses the following computers: Denver - Paris - Istanbul. Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.

Perform the following steps on the Paris computer.

1. On the Paris computer, find the location of the ISA Server log files.

a. On the Paris computer, in the ISA Server console, in the left pane, select Monitoring, and then select the Logging tab.

Note: You may (temporarily) need to close the task pane in order to see the Logging tab.

b. In the task pane, on the Tasks tab, click Configure Firewall Logging.

c. In the Firewall Logging Properties dialog box, on the Log tab, click Options.

The Options dialog box shows that ISA Server saves the Firewall service log files in the ISALogs folder in the ISA Server installation folder (C:\Program Files\Microsoft ISA Server).

d. Click Cancel to close the Options dialog box.

The Firewall Logging Properties dialog box shows that the log file names are in the form ISALOG_yyyymmdd_FWS_nnn.mdf.

e. Click Cancel to close the Firewall Logging Properties dialog box.

The Web Proxy log files (ISALOG_yyyymmdd_WEB_nnn.mdf) are also saved in the ISALogs folder.

2. Start a new online log query.

a. On the Logging tab, click Start Query.

Start Query starts a new online log query of the ISA Server log files. Each time a successful or failed connection is made through ISA Server, the corresponding log record is displayed on the screen.

3. Create a new access rule.

Name: Allow Web access (logging test)

Applies to: HTTP

From network: InternalTo network: External

a. In the ISA Server console, in the left pane, select Firewall Policy.

b. In the right pane, select the first rule, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.

c. In the task pane, on the Tasks tab, click Create Access Rule.

d. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow Web access (logging test), and then click Next.

e. On the Rule Action page, select Allow, and then click Next.

f. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.

g. In the Add Protocols dialog box, click Common Protocols, click HTTP, and click Add, and then click Close to close the Add Protocols dialog box.

h. On the Protocols page, click Next.

i. On the Access Rule Sources page, click Add.

j. In the Add Network Entities dialog box, click Networks, click Internal, and click Add, and then click Close to close the Add Network Entities dialog box.

k. On the Access Rule Sources page, click Next.

l. On the Access Rule Destinations page, click Add.

m. In the Add Network Entities dialog box, click Networks, click External, and click Add, and then click Close to close the Add Network Entities dialog box.

n. On the Access Rule Destinations page, click Next.

o. On the User Sets page, click Next.

p. On the Completing the New Access Rule Wizard page, click Finish.

A new firewall policy rule is created that allows the HTTP protocol from the Internal network to the External network.

q. Click Apply to apply the new rule, and then click OK.

Perform the following steps on the Denver computer.

4. On the Denver computer, use Internet Explorer to connect to http://istanbul.fabrikam.com.

a. On the Denver computer, open Internet Explorer. In the Address box, type http://istanbul.fabrikam.com, and then press Enter.

Internet Explorer displays the Istanbul Web site.

Perform the following steps on the Paris computer.

5. On the Paris computer, create a filter definition for online mode logging.

Filter by: Destination IP
Condition: Equals
Value: 39.1.1.7

a. On the Paris computer, in the ISA Server console, in the left pane, select Monitoring, and then select the Logging tab.

ISA Server lists all Firewall service log file and Web Proxy log file records on the screen, since the Start Query command. This may include several of the same denied NetBIOS Name Service and NetBIOS Datagram requests. The HTTP request to Istanbul (39.1.1.7) is also in this list. You can filter the on-screen display, by creating a filter definition.

b. In the task pane, on the Tasks tab, click Edit Filter.

c. In the Edit Filter dialog box, complete the following information:
Filter by: Destination IP
Condition: Equals
Value: 39.1.1.7
and then click Add To List to add the filter definition.

d. Click Start Query to close the Edit Filter dialog box.

The on-screen display is cleared, and the new filter definition (Destination IP equals 39.1.1.7) is in effect.

Perform the following steps on the Denver computer.

6. On the Denver computer, refresh the content of the Web page at http://istanbul.fabrikam.com twice.

- First press Ctrl-F5 (Ctrl-Refresh).
- Then press F5 (Refresh).

a. On the Denver computer, in Internet Explorer, ensure that the http://istanbul.fabrikam.com Web page is opened.

b. Hold the Ctrl key, and click the Refresh button on the toolbar. This forces an unconditional reload: the page is fetched again regardless of what is cached.

c. Wait a few seconds, and then click the Refresh button on the toolbar (without the Ctrl key). This sends a conditional request: the content is transferred again only if it has changed since it was cached.

Internet Explorer displays the same Istanbul Web page after each refresh.

7. Attempt to open the non-existing Web page at http://istanbul.fabrikam.com/test.htm

a. In Internet Explorer, in the Address box, type http://istanbul.fabrikam.com/test.htm, and then press Enter.

Internet Explorer cannot find the test.htm page (HTTP Error 404).

b. Close Internet Explorer.

Perform the following steps on the Paris computer.

8. On the Paris computer, view the online mode logging records for destination IP 39.1.1.7.

a. On the Paris computer, on the Logging tab, wait a few moments for the log file entries for destination IP 39.1.1.7 to appear on the screen.

A total of three or more log file records will appear for Destination IP 39.1.1.7 (Istanbul).

Add column: HTTP Status Code

b. Right-click the Log Time heading, and then click Add/Remove Columns.

You can add additional columns in the display, by moving the columns from the Available columns list to the Displayed columns list.

c. In the Add/Remove Columns dialog box, in the Available columns list box, select HTTP Status Code, and then click Add ->.

HTTP Status Code is moved into the Displayed columns list.

d. In the Displayed columns list, select HTTP Status Code, and then click Move Up, until HTTP Status Code is just after HTTP Method.

e. Click OK to close the Add/Remove Columns dialog box.

Use the horizontal scroll bar to see all the fields of the following log file records on the screen:
Protocol http - HTTP Method GET - HTTP Status Code 200
Protocol http - HTTP Method GET - HTTP Status Code 304
Protocol http - HTTP Method GET - HTTP Status Code 404

Status code 200 (OK) is logged for the unconditional request after Ctrl-F5; 304 (Not Modified) is logged for the conditional request after F5, because the content had not changed; and 404 (Not Found) is logged for the attempt to get test.htm. Note that the 404 is an allowed, successfully proxied connection: the firewall rule permitted it, and only the Web server's status code reveals the request failed. When reviewing logs, filter on the HTTP Status Code as well as on Action.

Note: The following tasks are needed to avoid conflicts with other lab exercises.

9. Remove the online filter definition, and stop the query.

a. In the task pane, on the Tasks tab, click Edit Filter.

b. In the Edit Filter dialog box, select the Destination IP - Equals - 39.1.1.7 expression, and then click Remove.

c. Click Start Query to close the Edit Filter dialog box.

d. In the task pane, on the Tasks tab, click Stop Query.

The online log query of the ISA Server log files is stopped.

e. Click Apply to save the changes, and then click OK.
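The following is an added example, not code from ISA Server or from this manual. It models the Edit Filter dialog used in steps 5 and 8 of this exercise: a filter list applied to online-mode log records, with the displayed columns chosen the way the Add/Remove Columns dialog does, and a summary of the HTTP status codes seen. Assumptions: the records are constructed dictionaries keyed by the console's column names (the real ISALOG_*.mdf files are MSDE databases and are not parsed here), the filter expressions in the list are combined with AND, and only the three conditions shown are modelled; the sample times, client address and NetBIOS entries are made up.

```python
"""Online log query filter in the style of the ISA Server Logging tab's Edit
Filter dialog.  Added example, not ISA Server code.  Assumptions: records are
plain dictionaries keyed by the console's column names (the real
ISALOG_*.mdf files are MSDE databases and are not parsed here), the filter
list is ANDed, and the three conditions below are the ones modelled."""

# Constructed sample of what the online query shows while Denver browses to
# istanbul.fabrikam.com (39.1.1.7) through Paris, plus the denied NetBIOS
# noise the lab mentions.  Times and client address are made up.
SAMPLE_RECORDS = [
    {"Log Time": "2006-08-06 10:00:01", "Client IP": "10.1.1.5",
     "Destination IP": "10.1.1.255", "Destination Port": 137,
     "Protocol": "NetBios Name Service", "Action": "Denied Connection",
     "HTTP Method": "", "HTTP Status Code": None, "URL": ""},
    {"Log Time": "2006-08-06 10:00:04", "Client IP": "10.1.1.5",
     "Destination IP": "39.1.1.7", "Destination Port": 80,
     "Protocol": "http", "Action": "Allowed Connection",
     "HTTP Method": "GET", "HTTP Status Code": 200,
     "URL": "http://istanbul.fabrikam.com/"},          # after Ctrl-F5
    {"Log Time": "2006-08-06 10:00:09", "Client IP": "10.1.1.5",
     "Destination IP": "39.1.1.7", "Destination Port": 80,
     "Protocol": "http", "Action": "Allowed Connection",
     "HTTP Method": "GET", "HTTP Status Code": 304,
     "URL": "http://istanbul.fabrikam.com/"},          # after F5
    {"Log Time": "2006-08-06 10:00:15", "Client IP": "10.1.1.5",
     "Destination IP": "10.1.1.255", "Destination Port": 138,
     "Protocol": "NetBios Datagram", "Action": "Denied Connection",
     "HTTP Method": "", "HTTP Status Code": None, "URL": ""},
    {"Log Time": "2006-08-06 10:00:20", "Client IP": "10.1.1.5",
     "Destination IP": "39.1.1.7", "Destination Port": 80,
     "Protocol": "http", "Action": "Allowed Connection",
     "HTTP Method": "GET", "HTTP Status Code": 404,
     "URL": "http://istanbul.fabrikam.com/test.htm"},  # missing page
]

# Conditions modelled from the Edit Filter dialog (a subset; assumption).
CONDITIONS = {
    "Equals":    lambda field, value: field == value,
    "Not Equal": lambda field, value: field != value,
    "Contains":  lambda field, value: value in str(field or ""),
}


def matches(record, filters):
    """True when every (column, condition, value) expression in the list holds."""
    return all(CONDITIONS[cond](record.get(col), val) for col, cond, val in filters)


def query(records, filters, columns):
    """Rows the console would display: only the chosen columns, in that order."""
    return [tuple(r.get(c) for c in columns) for r in records if matches(r, filters)]


def status_summary(records, filters):
    """Count HTTP status codes among matching records (None for non-HTTP rows)."""
    counts = {}
    for r in records:
        if matches(r, filters):
            code = r.get("HTTP Status Code")
            counts[code] = counts.get(code, 0) + 1
    return counts


if __name__ == "__main__":
    istanbul = [("Destination IP", "Equals", "39.1.1.7")]
    for row in query(SAMPLE_RECORDS, istanbul,
                     ["Protocol", "HTTP Method", "HTTP Status Code"]):
        print(row)
    print(status_summary(SAMPLE_RECORDS, [("Action", "Equals", "Denied Connection")]))
```

Filtering on Destination IP alone reproduces the three records from step 8; adding a second expression such as URL Contains test.htm narrows the display to the 404, which is how you would isolate failed requests that the firewall policy itself allowed.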

