7/27/2019 Installing and Maintaining Isa Server
Installing and Maintaining ISA Server
Planning an ISA Server Deployment
Understand the current network infrastructure
Review company security policies
Plan the required network infrastructure
Plan for branch office installations
Plan for availability and fault tolerance
Plan for access to the Internet
Plan the ISA Server client implementation and deployment
Plan for server publishing
Plan for VPN deployment
Plan the implementation
Network Infrastructure Requirements
DNS
Domain controllers
DHCP
Domain Name System Requirements
To connect to resources on the Internet, client computers must be able to resolve the DNS names for servers on the Internet to IP addresses
To enable access to Internet resources, ensure that all client computers can resolve Internet DNS names
You can use:
Internal DNS Server
External DNS Server
Domain Controller Requirements
restrict access to Internet resources based on user accounts
require authentication before users can access published servers
ISA Server provides several options for authenticating the users
Dynamic Host Configuration Protocol Requirements
DHCP is not required to support an ISA Server infrastructure, but it is highly recommended to simplify network management.
The advantage of using DHCP is that it can provide the IP configuration for all the client computers on your network automatically. This can make your ISA Server deployment much more efficient.
Operating System Requirements
System and Hardware Requirements for ISA Server 2006:
ISA Server can be installed on standard, Intel/AMD-based server hardware.
Component | Requirement
OS | Windows Server 2003 with SP1 or higher
Processor | Single 733MHz Pentium III equivalent
Memory | 512MB of memory
Disk Space | 150MB available (for installation of ISA software)
Network Cards / ISDN Adapter / Modem | One OS-compatible card per connected network
Guidelines for Installing ISA Server, Standard Edition
To Configure the ISA Server Network Interfaces
The Internal Interface
Perimeter Network Interfaces
Choosing an ISA Server Client
ISA Server Client Options
Firewall clients
SecureNAT clients
Web Proxy clients
What Is a Firewall Client
The Firewall client computer uses the Firewall Client application when initiating connections to the ISA Server computer
What Is a Firewall Client
The advantages of using Firewall clients:
Firewall clients enable user- or group-based access control and logging
When a Firewall client connects to ISA Server, the Firewall service automatically authenticates the user.
The Firewall Client software can configure the Web Proxy browser automatically.
What Is a Firewall Client
Must install the Firewall Client software on the client computers
If you have a large number of client computers in your organization and have no means of automating the client installation, it will require a significant effort to deploy the client
The Firewall client can only be installed on Windows computers
What Is a SecureNAT Client
Do not have Firewall Client software.
The clients must be able to route requests for Internet resources through the ISA Server computer
Configure the default gateway on the SecureNAT clients and configure network routing, so that all traffic destined to the Internet is sent through the ISA Server computer.
What Is a SecureNAT Client
When a SecureNAT client connects to the ISA Server computer, the request is directed first to the NAT driver, which substitutes the external IP address of the ISA Server computer for the internal IP address of the SecureNAT client.
The client request is then directed to the Firewall service to determine whether access is allowed.
Finally, the request may be filtered by application filters and other extensions.
What Is a SecureNAT Client
SecureNAT clients have other advantages:
SecureNAT clients also provide almost as much functionality as Firewall clients
Requests from SecureNAT clients can be passed to application filters, which can modify the requests to enable handling of complex protocols.
SecureNAT can use the Web Proxy service for Web access filtering and caching
Any operating system that supports Transmission Control Protocol/Internet Protocol (TCP/IP) can be configured as a SecureNAT client
What Is a SecureNAT Client
SecureNAT clients have two primary limitations:
You cannot control access to Internet resources based on users and groups
SecureNAT clients may not be able to use all protocols
Example
Located on the Branch Office Network:
The client computers must be configured with Router3 as the default gateway.
Router3 must be configured with Router2 as the default gateway.
Router2 must be configured to route Internet requests to Router1.
Router1 must be configured to route Internet requests to the ISA Server computer.
Located on Main Office Network2 or Main Office Network1:
The client computers must be configured to route all Internet requests to Router1.
Router1 must be configured to route Internet requests to the ISA Server computer.
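The routing chain in the example above can be checked mechanically: every SecureNAT client's Internet-bound path must end at the ISA Server computer, with no dead end or loop on the way. The following Python check is an added example, not part of the original slides; the next-hop table layout and the client labels are assumptions built from the router names on the slide.

```python
# Constructed next-hop table for Internet-bound traffic, built from the
# slide's example. Client labels and the dict layout are assumptions.
EGRESS = "ISA Server"
NEXT_HOP = {
    "Branch Office client": "Router3",
    "Router3": "Router2",
    "Router2": "Router1",
    "Main Office Network1 client": "Router1",
    "Main Office Network2 client": "Router1",
    "Router1": EGRESS,
}


def internet_path(start, next_hop, egress=EGRESS):
    """Follow Internet-bound next hops from start and return the hop list.

    Raises ValueError if the chain dead-ends before reaching the egress
    (the traffic would never be evaluated by firewall policy) or loops.
    """
    path = [start]
    node = start
    while node != egress:
        if node not in next_hop:
            raise ValueError("no Internet route at %s: %s" % (node, " -> ".join(path)))
        node = next_hop[node]
        if node in path:
            raise ValueError("routing loop: %s" % " -> ".join(path + [node]))
        path.append(node)
    return path


def audit(clients, next_hop, egress=EGRESS):
    """Return {client: hop list, or 'FAIL: ...' string} for every client."""
    report = {}
    for client in clients:
        try:
            report[client] = internet_path(client, next_hop, egress)
        except ValueError as err:
            report[client] = "FAIL: %s" % err
    return report


if __name__ == "__main__":
    clients = [name for name in NEXT_HOP if name.endswith("client")]
    for client, result in audit(clients, NEXT_HOP).items():
        print(client, "=>", result)
```

Removing the Router2 entry or pointing Router2 back at Router3 makes the branch office client fail the audit, which is the misconfiguration the slide's four routing requirements are meant to prevent.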
What Is a Web Proxy Client?
A Web Proxy client is a client computer that has an HTTP 1.1-compliant Web browser application and is configured to use the ISA Server computer as a Web Proxy server.
You do not have to install any software to configure Web Proxy clients.
You must configure the Web applications on the client computers to use the ISA Server computer as a proxy server
How to Configure ISA Server for Web Proxy Clients
The first step in enabling Web Proxy clients is to configure the ISA Server computer to allow connections from these clients.
Configuring Web Proxy Clients Manually
How to Configure Web Proxy Clients
Guidelines for Choosing ISA Server Clients
If You Need To | Then Use
Avoid deploying or configuring client software | SecureNAT clients
Use ISA Server only for accessing Web resources using HTTP or HTTPS | SecureNAT or Web Proxy clients
Allow access only for authenticated clients | Firewall clients or Web Proxy clients
Publish servers that are located on your Internal network | SecureNAT clients
Improve Web performance in an environment with non-Windows operating systems | Web Proxy or SecureNAT clients
Configuring the SecureNAT and Web Proxy Clients
Configuring SecureNAT Clients to Route Internet Requests
Installing and Configuring the Firewall Client
How to Install Firewall Client
Use the client folder in ISA Server. Run the file setup.exe.
To enable Automatic Discovery of the ISA Server computer, select Automatically Detect The Appropriate ISA Server Computer.
Installing and Configuring the Firewall Client
You can enable or disable the Firewall Client and configure it to detect the ISA Server computer automatically or configure the ISA Server computer manually.
Installing and Configuring the Firewall Client
To deploy the Firewall Client to a large number of clients, choose to automate the Firewall Client installation.
Using Active Directory Group Policy to Distribute the Firewall Client
Securing ISA Server 2006
Defense-in-depth:
A defense-in-depth security strategy means that you use multiple levels of defense to secure your network
Securing ISA Server 2006
Policies, procedures, and awareness
Physical security: Ensure that only authorized personnel can gain physical access to the resources.
Perimeter: Ensure that the connecting point between the Internet and the internal network is as secure as possible. Options for providing this security include firewalls or multiple firewalls.
Internal networks: Even if the perimeter is secure, you must still ensure that the internal networks are secure for cases in which the perimeter is compromised or when the attacker is within the organization.
Operating systems
Applications
Data
How to Secure the Network Interfaces
To secure ISA Server, begin by securing the network interfaces connected to the server.
Securing the External Network Interface
Securing the Internal Network Interface
Using Security Templates to Manage Services
Implementing Security Templates
Maintaining ISA Server 2006
How to Export and Import the ISA Server Configuration
Exporting the ISA Server Configuration:
How to Export and Import the ISA Server Configuration
Cloning a server: export a configuration from one ISA Server computer and then import the settings on another computer
Saving a partial configuration: export and import any part of the ISA Server configuration: a single rule, an entire policy, or an entire configuration
Sending a configuration for troubleshooting
Rolling back a configuration change
Exporting the ISA Server Configuration
The entire ISA Server configuration
All the connectivity verifiers, or one selected connectivity verifier
All the networks, or one selected network
All the network sets, or one selected network set
All the network rules, or one selected network rule
All the Web chaining rules, or one selected Web chaining rule
Cache configuration
All the content-download jobs, or one or more selected content-download jobs
The entire firewall policy, or one selected rule
Importing the ISA Server Configuration
Open ISA Server Management.
Select the object whose settings you want to import. You must select the correct type of object for the configuration file that you are using.
On the Tasks tab, click the import task. The exact name for the task will vary, depending on the type of object that you selected.
Select the exported .xml file and click Import.
Click Apply to apply the changes and click OK when the changes have been applied.
How to Back Up and Restore the ISA Server Configuration
Open ISA Server Management and click the server name. The option to back up and restore the ISA Server configuration is available only when you select the server name.
On the Tasks tab, click Backup This ISA Server Configuration.
Enter a file name for the backup file and click Backup. You must provide a password for the ISA Server backup.
To restore the backup, click the server name in ISA Server Management. Then click Restore this ISA Server Configuration and select the appropriate ISA Server backup file.
Click Apply to apply the changes and click OK when the changes have been applied.