Dr. Tom Shinder's Configuring ISA Server 2004
Dr. Thomas W. Shinder, Debra Littlejohn Shinder
SYNGRESS
Russian edition, 1080 pages, 2006
UDC 681.3.06
BBK 32.973.81-018.2

Shinder T., Shinder D. Dr. Tom Shinder's Configuring ISA Server 2004. Translated from English. St. Petersburg: BHV-St. Petersburg, 2006. 1088 pages.
ISBN 5-7502-0272-0
ISBN 5-94157-746-

Annotation: the book traces Microsoft's proxy and firewall products from Proxy 1.0 to ISA Server 2004 and covers ISA Server 2004 in detail.
Copyright © 2005 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America. Translation Copyright © 2006 by BHV-St. Petersburg. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Printing data: format 70x100/16; print run 3000 copies; order № 4388.

ISBN 1-931836-19-1 (English edition, Syngress)
ISBN 5-7502-0272-0
ISBN 5-94157-746-
Syngress thanks the people at O'Reilly Media, Inc., which distributes Syngress books: Tim O'Reilly, Laura Baldwin, Mark Brokering, Mike Leonard, Donna Selenko, Bonnie Sheehan, Cindy Davis, Grant Kikkert, Opol Matsutaro, Steve Hazelwood, Mark Wilson, Rick Brown, Leslie Becker, Jill Lothrop, Tim Hinton, Kyle Hart, Sara Winge, J. Rayhill, Peter Pardo, Leslie Crandell, Valerie Dow, Regina Aggio, Pascal Honscher, Preston Paull, Susan Thompson, Bruce Stewart, Laura Schmier, Sue Willing, Mark Jacobsen, Betsy Waliszewski, Dawn Mann, Kathryn Barrett, John Chodacki, Rob Bullington and Aileen Berg.

At Elsevier Science: Jonathan Bunkell, Ian Seager, Duncan Enright, David Burton, Rosanna Ramacciotti, Robert Fairbrother, Miguel Sanchez, Klaus Beran, Emma Wyatt, Rosie Moss, Chris Hossack, Krista Leppiko and Mark Hunt.

At STP Distributors: David Buckland, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, Pang Ai Hua and Joseph Chan.

Kwon Sung June at Acorn Publishing.

At Woodslane: David Scott, Tricia Wilden, Marilla Burgess, Annette Scott, Andrew Swaffer, Stephen O'Donoghue, Lowe and Mark Langley.

Winston Lim at Global Publishing.
Thomas W. Shinder, MD, is a Microsoft Certified Systems Engineer (MCSE) and a Microsoft Most Valuable Professional (MVP) for ISA Server. He has worked with Microsoft, Xerox, Lucent Technologies, FINA Oil, Hewlett-Packard and the U.S. Department of Energy. In the 1990s he co-founded TACteam (Trainers, Authors, and Consultants), which produces technical training, courseware and whitepapers. He is the author of Configuring ISA Server 2000 (Syngress, ISBN 1-928994-29-6), Dr. Tom Shinder's ISA Server and Beyond (Syngress, ISBN 1-931836-66-3) and Troubleshooting Windows 2000 TCP/IP (Syngress, ISBN 1-928994-11-3), and has contributed to books on the MCSE exams for Windows 2000 and Windows 2003. He runs the ISAserver.org site (www.isaserver.org).

Debra Littlejohn Shinder is a Microsoft Certified Systems Engineer (MCSE) and MVP, and a former college-level criminal justice instructor. She is the author of Scene of the Cybercrime: Computer Forensics Handbook (Syngress, ISBN 1-931836-65-5) and Computer Networking Essentials (Cisco Press), and co-author of Configuring ISA Server 2000 (Syngress, ISBN 1-928994-29-6), Dr. Tom Shinder's ISA Server and Beyond (Syngress, ISBN 1-931836-66-3) and Troubleshooting Windows 2000 TCP/IP (Syngress, ISBN 1-928994-11-3). She has also contributed to books on the MCSE exams for Windows 2000 and Windows 2003, CompTIA Security+ and TruSecure's ICSA (International Computer Security Association) certification. She writes for Brainbuzz A+ Hardware News, Sunbelt Software's WinXP News (www.winxpnews.com), TechRepublic's TechProGuild, Windowsecurity.com and Windows IT Pro Magazine (formerly Windows & .NET Magazine), and has written whitepapers and courseware for Microsoft, DigitalThink, Sunbelt Software and CNET. She specializes in security and Microsoft products and is affiliated with Eastfield College in the Dallas-Ft Worth area.

Martin Grasdal (MCSE+I, MCT, CNE, CNI) is the book's technical editor. He has been a Microsoft Certified Trainer (MCT) since 1995 and an MCSE since 1996, and has worked with NetWare, Lotus Notes, Windows NT, Windows 2000, Windows 2003, Exchange Server, IIS and ISA Server. He lives in Edmonton, Alberta, Canada with his wife Cathy.
The authors thank the people at Microsoft who supported this book on ISA Server 2004: Mike Nash, Steve Brown, Tony Bailey, Joseph Landes, Josue Fontanez, Marcus Schmidt, Risa Coleman, Mark Mortimer, Red Johnston, Dave Gardner, Joel Sloss, Julia Polk, Steve Riley, Zach Gutt, Mike Chan, Suzanne Kalberer, Kelly Mondloch, Alan Wood, Clint Denham, Ellen Prater, Scott Jiles, Sibylle Haupert, Amy Logan, Ari Fruchter, Ronen Boazi, Barclay Neira, Ben Guterson, Colin Lyth, Eric Rosencrantz, Jan Shanahan, Jim Edwards, Walter Boyd, Joern Wettern and Ronald Beekelaar.

The ISA Server product team: Avi Nathan, Adina Hagege, Keren Master, Ron Mondri, Itai Greenberg, Yossi Siles, Sigalit Bar, Nathan Bigman, Linda Lior, Neta Amit, Amit Finkelstein, Meir Shmouely, Nir Ben Zvi, Opher Dubrovsky, Oren Trutner, Yigal Edery, Ziv Mador, Raz Goren, Mooly Beeri, Nir Caliv, Ziv Caspi, Gregory Bershansky, Ariel Katz, Dan Bar-Lev, Max Uritsky, Ronen Barenboim, Nir Michalowitz and Uri Barash.

Partners at the ISA Server appliance vendors: John Curtis, John Amaral, Mike Druar, Kevin Murphy, Erika Batten, Bonnie Anderson and Mark Roden of Network Engines; Abdul Azhan of RimApp; Marc Semadeni of Hewlett Packard; Yong Thye Lin and Yong Ping Lin of Celestix.

Martin Grasdal, the technical editor, and Edwina Lewis.

Stephen Chetcuti and Sean Buttgieg of ISAserver.org (www.isaserver.org) and Windowsecurity.com (www.windowsecurity.com), the communities around ISA Server; John Sheesley of TechRepublic/TechProGuild (www.techproguild.com) and Amy Eisenberg of Windows IT Pro Magazine (formerly Windows & .NET Magazine) for their support of the ISA Server 2004 work; and Patricia Colby.

The ISA Server MVPs: Chris Gregory, Kai Wilke, Stefaan Pouseele, Jason Ballard, Bud Ratliff, Christian Groebner, Dieter Rauscher, Frederic Esnouf, Jesper Hanno, Philippe Mathon, Phil Windell, Slav Pidgorny and Abraham Martinez Fernandez; and, from the MVP program, Janni Clark, Jerry Bryant and John Eddy.

Emily Freet and the contributors to the ISA Server message boards: John Tolmachoff, Jeffrey Martin, Amy Babinchak, Steve Moffat, Greg Mulholland, Shawn Quillman, Joseph Kravitz, Tiago de Aviz, David Farinic, Aman Bedi, Bill Stewart, Al (AWJ) and Susan Bradley. Special thanks to Jim Harrison of the Microsoft ISA Server QA team, whose tools are published at www.isatools.org.

At Syngress: Jaime Quigley and Andrew Williams.
Foreword from the publisher. Syngress was founded in 1997. The foreword introduces the authors, Thomas Shinder and Debra Littlejohn Shinder, cites a figure of 250,000, and thanks Chris Williams and Amorette Pedersen. Signed Andrew Williams, Syngress Publishing, 2004.
Contents (only the entries whose headings survived extraction; front matter at pages V, VII, IX and XII)

Chapter 1. From Proxy 1.0 to ISA 2004 ... 1
    ISA and MS Proxy Server ... 51
Chapter 2. ISA Server 2004 ... 67
    Application layer filtering (ALF) ... 114
    VPN ... 118
    H.323 ... 121
Chapter 3. ISA Server 2004 ... 133
    ISA Server 2004 ... 152
    ISA Server 2004 and Check Point ... 173
    ISA Server 2004 and Cisco PIX ... 178
    ISA Server 2004 and NetScreen ... 184
    ISA Server 2004 and SonicWall ... 190
    ISA Server 2004 and WatchGuard ... 198
    ISA Server 2004 and Symantec ... 205
    ISA Server 2004 and Blue Coat SG ... 212
Chapter 4. ISA Server 2004 ... 235
    ISALOCAL ... 262
    ISA and VPN ... 337
    ISA and DHCP ... 359
Chapter 5. ISA Server 2004 ... 367
    SecureNAT and ISA Server 2004 ... 370
    SecureNAT ... 379
    Web and ISA Server 2004 ... 409
    DHCP and Web ... 424
    DNS and Web ... 435
    Web and ISA ... 444
Chapter 6. ISA ... 461
    DNS server ... 465
    ISA Server 2004 ... 510
    DHCP ... 538
Chapter 7. ISA Server 2004 ... 547
    Rule Action ... 561
    Protocols ... 561
    Access Rule Sources ... 564
    Access Rule Destinations ... 565
    User Sets ... 565
    RPC ... 576
    FTP ... 577
    HTTP ... 578
    Web and SecureNAT ... 581
    SSL ... 590
    SSL and ISA ... 593
    MSN Messenger ... 595, 598
    DMZ ... 601
Chapter 8. ISA Server 2004 ... 643
    Web ... 644
    Web and SSL ... 655
    Select Rule Action ... 656
    Define Website to Publish ... 657
    Public Name Details ... 659
    Select Web Listener ... 661
    User Sets ... 670
    Properties ... 671
    SSL ... 687, 688, 700
    Web and ISA ... 694
    HTTP ... 722
    Web client access: Outlook Web Access (OWA), Outlook Mobile Access, Exchange Server ActiveSync ... 726
    Client Access: RPC, IMAP, POP3, SMTP Option ... 729
Chapter 9. VPN and ISA Server 2004 ... 737
    SecureNAT and VPN ... 744
    IPSec ... 746, 748
    L2TP/IPSec ... 769, 776, 800, 807, 811, 812, 813
    ISA 2004 VPN ... 769
    IPSec VPN ... 814
    RADIUS and VPN ... 815
    VPN, ISA and RADIUS ... 826
    DHCP and VPN on ISA ... 840, 844
    ISA Server 2000 ... 847, 849, 853
    Local VPN Wizard (ISA Server 2000) ... 849
    Remote Site Wizard ... 855
Chapter 10. ISA Server 2004 ... 871
    SMTP Message Screener ... 873
    DNS ... 887
    SOCKS V4 ... 889
    FTP ... 890
    H.323 ... 891
    MMS ... 892
    PNM ... 893
    RPC ... 893
    RTSP ... 894
    ISA Server ... 921
    SecurID ... 928
    OWA ... 929
    RADIUS ... 930
Chapter 11. Web and ISA Server 2004 ... 947
    Web and ISA Server 2004 ... 954
    ISA Server 2004 ... 961
Chapter 12. ISA Server 2004 ... 995
    ISA Server 2004 ... 997, 1005, 1017, 1031, 1042, 1050
1
: ISA 2004
Proxy 1.0
: : : ISA Server:
-
1
ISA Server «Configuring ISA Server 2000: Building Firewalls for Windows 2000» (Syngress Publishing, 2001, ISBN 1-928994-29-6) Microsoft . , ISA 2000 Microsoft, . Microsoft
ISA 2000
, -
, « », (Intrusion Detection/Intrusion Prevention, IDS/IDP)
Web-
—
, . ISA Server Firewall-1 /VPN-1
,
Checkpoint
PIX
Cisco, ,
guard, SonicWall, Symantec . ISA Server « ,
, , »,
NetScreen, WatchISA -
. ,
«
»
, ,
, ISA 2004
ISA Server 2000, .
-
. .323, , , ISA 2004
-
(«all-port forwarding»), ,
.
,
-
. , .
-
Microsoft
ISA Server, , . Microsoft
ISA Server 2004 ,
, and Acceleration Server» (ISA Server),
, «Internet Security
.
ISA Server 2004 , .
ISA Server 2000
,
,
.
,
,
ISA Server
-
(
).
,
. ISA Server 2004.
, -
,
,
, ,
-
ISA Server 2004.
, , ISA Server 2004
.
,
ISA Server 2004,
ISA Server 2004, , .
, ,
-
. ,
,
,
.
1.
:
Proxy 1.0
1
« .
:
», -
, :
«
Microsoft?»
Computing Initiative. ( :
ISA 2004
Microsoft, , — Trustworthy , ».
)
«
-
«
:
»
-
,
, (
-
, -
).
. «ISA Server:
-
»
— ISA Server.
Microsoft MS Proxy Server — ISA Server 2004. , ,
, ISA Server
. ISA Server
, -
, Microsoft. 2.
ISA Server 2004
ISA Server 2000 ISA Server 2000, ,
ISA Server 2004: ,
,
-
. ISA Server 2000, VPN,
:
-
,
, OWA (Outlook Web Access, WebWeb, FTP (File Transfer Protocol, ), , SMTP (Simple Mail Transfer Protocol, ), , . , Outlook)
2004,
ISA Server VPN-
, VPN,
, , ,
, SecurID
Web-
( Protocol, Sockets Layer,
, ),
), )
VPN-
,
(Point-to-Point Tunneling SSL (Secure
, RPC (Remote Procedure Call, , .
Exchange )
3.
,
ISA Server 2004 2004
,
ISA Server 2004, , , (
■
-
: ,
, ); ■ ■ ■ VPN ■ ■
; IDS/IDP; ; Web.
;
, ,
, VPN
-
,
, ,
-
Exchange, SharePoint, Active Directory, ,
.
ISA Server 2004 / ■ ■ ■ ■ ■ ■ ■
-
: Checkpoint NG
Checkpoint); Cisco PIX / VPN; NetScreen / Juniper Networks / SonicWall / VPN; Symantec / Watchguard / VPN;
Nokia (
VPN; VPN;
Linux; ■ ■ ■
BlueCoat / VPN /
; Novell Volera; Squid.
ISA Server 2004 Server 2004
ISA
, , ,
4.
.
ISA Server 2004
, ISA Server 2000, — . , ISA Server 2004,
ISA
Server 2004 . ,
-
: ■ ■ ■
ISA Server 2004;
ISA Server 2004; DHCP (Dynamic Host Configuration Protocol, ) ISA Server 2004; WINS (Windows Internet Naming Service, Windows) ISA Server 2004; ■ DNS (Domain Name System, ) ISA Server 2004; ■ RADIUS (Remote Authentication Dial-In User Service, ) ISA Server 2004; ■ ISA Server 2004. , ISA Server 2004 ,
ISA Server 2004. , 2004.
,
ISA Server », ISA Server 2004 ,
« . 5.
ISA Server 2004
ISA 2004: ■ ■ ■
SecureNAT; ; Web-
.
, ISA.
-
. ,
«
»
,
,
,
,
(
-
) .
,
. . ,
, ISA
(loopback) DNS.
,
-
,
-
, . Web■
,
:
DHCP ; DNS
Web■
Web-
; ■ ■
WebWeb(Internet Explorer Administration Kit,
; IEAK Internet Explorer).
,
-
,
,
-
. SMS (System Management Server,
) .
6.
ISA
ISA Server
-
: ISA Server
ISA 2004 , ,
-
, ;
■ 2000,
ISA 2004 ISA 2004 ,
ISA -
, ,
ISA Server 2004 Windows 2000 Server
-
Windows Server 2003.
, ,
. LAT (Local Address Table),
2000,
ISA Server , ISA (Demilitarized Zone, DMZ). / , .
, (
Server 2004
),
, .—
.
.).
ISA Server 2004
, ISA Server 2004 ,
. ,
, -
,
, , ISA Server 2004
,
.
ISA Server 2004,
. : ISA Server 2000 Microsoft Proxy Server 2.0, ISA Server 2000 ISA Server 2004.
. , ISA Server 2004, ,
, ,
.
ISA Server
,
ISA Server 2004 ,
,
; ISA Server 2004 . Virtual PC VMWare
, Microsoft,
.
7. Server 2004
ISA ISA Server 2000, , .
ISA Server 2004
-
,
-
,
ISA Server 2000. ,
, . ISA Server 2004 ,
:
,
, ,
,
. , /
. ,
, ISA Server 2004
. ,
(
)
ISA. ISA Server 2004 —
. ; -
ISA Server 2000 ISA Server 2000 ,
,
. ,
ISA Server 2004 .
,
,
, ,
, .
-, Instant Messaging (IM) 2 .
Exchange
(Peer-to-Peer),
8.
ISA Server 2004 .
, , — .
. ISA Server 2004 — ,
WebWeb-
. -
, WebSSL-SSL HTTP
— ,
, .
HTTP,
; ,
Web-
-
. , HTTP (
Web, ), HTTPS (HyperText Transfer Protocol Secure, ), FTP, NNTP (Network News Transfer Protocol, ), SMTP, POP3 (Post Office Protocol v. 3, ), IMAP4 (Internet Message Access Protocol, ), VNC (Voice Numerical Control, ), , . . , ISA Server 2004 VPN . L2TP/IPSec. , TCP/UDP (User Datagram Protocol, ). , Web, -
,
,
-
, .
9. VPN-
«
- -
»
ISA Server 2004 , ISA Server 2004, — . ISA Server 2000 VPNVPN, VPN. ISA Server 2004,
,
VPN-
, VPN, ISA Server 2004.
, ISA Server 2004,
VPN,
,
VPN, . VPN
Exchange,
,
, Exchange RPC
Outlook 2002,
,
-
Exchange , Outlook MAPI (Messaging Application Programming Interface, ).
-
ISA Server 2004
VPNIPSec. ISA Server 2004 VPNISA Server 2004 VPN
, ,
-
. 2004 -
VPN,
,
,
L2TP/IPSec
VPN-
»
ISA Server « -
. ,
, (Remote Access Server, RAS) « - »).
ISA Server 2004 VPN VPN(
VPNVPN-
ISA Server 2004 L2TP/IPSec. , , L2TP/IPSec NAT-T (Network Address Translation, ) IPSec NAT-T . 10. ISA Server 2004
ISA
, .
-
ISA ,
.
, Web-
.
11. ISA Server 2004
ISA Server 2004 —
-
, ,
Web-
.
Web-
-
.
, Web-
ISA Server 2004
.
,
Web-
-
Web.
12.
ISA Server 2004
,
ISA Server 2004 Enterprise Edition ,
. , ISA Server 2004 Enterprise Edition ISA Server .
, 2004
,
. , ,
TCP/IP
, -
OSI (Open Systems Interconnect, DoD (Department of Defense,
)
). .
-
, .
-
«Configuring ISA Server 2000», .
, ISA Server 2000,
,
,
ISA Server 2004, .
. ,
ISA Server 2004, MCSA/
MCSE (Microsoft Certified Systems Administrator, Microsoft/Microsoft Certified Systems Engineer, Microsoft),
,
,
, ,
-
.
70-350
Microsoft
70-350 Microsoft Installing, Configuring and Administering Microsoft Internet Security and Acceleration (ISA) Server 2004 ( , ISA Server 2004 Microsoft) . WebMicrosoft www.microsoft.com/learning/mcpexams/default.asp. , ISA Server 2004, 70-277 Installing, Configuring and Administering Microsoft Internet Security and Acceleration (ISA) Server 2000, Enterprise Edition ( , ISA Server 2000, Enterprise Edition). 70-277 MCSA MCSE, MCSA 70-350
MCSE
.
, -
. Microsoft , , ,
. , , ,
ISA Server 2004 .
( «
!»),
ISA Server 2004. Windows,
,
;
-
,
, ;
,
, Windows Point.
Microsoft Exchange ISA Server 2000,
Share,
,
,
-
. :
-
. ,
, .
,
,
, www.syngress.com. Server 2004 www.msfirewall.org.
.
Web-
WebISA
www.isaserver.org
Web-
: , ,
:
.
-
, ,
.
,
-
Microsoft 2000
, Internet Acceleration and Security Server (ISA, ).
-
,
,
,
. ISA Server,
-
.
:
■ ■ ■ ■ ■
; ; ; ; ( ). :
DoS-
(Denial-of-Service, , .
.
), .
-
( ), ISA Server ,
— (
— )
,
. , . ISA Server
,
ISA Server ,
, ,
,
-
Microsoft
(
)
Windows
.
: Microsoft? (
) Microsoft
.
, Windows,
.
, UNIX, ,
, -
. ,
.
Windows Windows , Macintosh Apple Linux,
, UNIX,
.
X,
, MS-DOS
OS/2
-
Windows Windows. Windows. To, ,
, , UNIX/Linux, Windows.
KDE, 1990-
. NetWare
1990.
. .
.
Windows NT
Novell,
-
UNIX. NetWare
1990-
. -
. ,
-
. (Local Area Network, LAN). , , «Web,
»
-
.
Windows. , .
Microsoft ,
.
,
,
, Windows . .
Microsoft,
-
, . Code Red
2001 .
Windows
Nimda,
. .
Microsoft , , Microsoft,
. Interface, , NLM — NetWare Loadable Module, NetWare Microsoft — API
,
:
)
,
, Microsoft
API (Application Programming .( NetWare — .) , .
-
, . Microsoft
,
-
. Windows . , ),
-
, IIS (Internet Information Server, . , ,
MIIS (Microsoft Microsoft), -
Identity and Integration Server, MBSA (Microsoft Baseline Security Analyser, Microsoft), SUS (Software Update Services, ) , , ISA Server. SUS Services,
WUS (Windows Update Windows),
-
.
(SD* Security Framework),
-
. 1.1. . 1.1. , .
(Secure by Design)
.
-
,
,
(Secure
-
by Default) ,
, ,
(Secure by Deployment) .
-
— , . .
-
: .
Microsoft ,
Web2004 .
.
Microsoft
, ; ,
.
,
, —
— Pack 2
Service
,
. Windows XP,
, -
.
,
, , .
,
Authenticode ( ActiveX. ,
)
-
, «Yes» (
MCSE/MCSA , 70-298 for a Microsoft Windows Server 2003 Network ( Microsoft Windows Server 2003) Server 2003 MCSE.
ISA Server 2004
).
Designing Security
Microsoft ISA Server 2000,
-
, . , ISA Server 2004 COMDEX 2003 .
-
ISA 2004 Microsoft
, Checkpoint
Cisco, -
VPN Guard, SonicWall ,
NetScreen, WatchISA 2000) -
. , ISA 2004 ( Enterprise Edition —
— Standard Edition
, Windows
Microsoft ( Exchange, SharePoint, SQL
,
:
.).
, ,
,
.
,
,
.
,
, ,
,
,
: ,
. , -
( ). , . —
-
.
.
? —
,
(
)
, .
,
.
-
,
.
, ,
.
, ; ,
.
,
-
, Department of Defense Trusted Computer System Evaluation Criteria ( ) ( « ») Trusted Network Interpretation of TCSEC (Trusted Computer System Evaluation Criteria, )( TCSEC) (« » ), . . (International Organization for Standardization, ISO) ISO 17799 — . .
-
,
-
. : ■ ■ ■ ■ ■ ■
; ; ; (
);
; . ,
,
>
; Windows NT/2000/XP
-
Windows Server 2003 . , ,
, . ,
.
-
-
. ,
. —
.
,
-
, . -
, ,
,
,
-
-
. ,
-
. :
■ ■ ■ ■ ■ ■ ■
; ; ; ; ; ; .
-
, .
:
■ ■ ■
,
; ; (
). .
: ALE (Annualized Loss Expectancy) = SLE (Single Loss Exposure) × ARO (Annualized Rate of Occurrence).
, , 60% , , $60 ( 500 . SLE = 500 × $60 × 0,6 = $18 000. ARO = 0,8 (80%). ALE = $18 000 × 0,8 = $14 400.
, /
-
,
. ,
,
,
-
,
.
,
&
, . Systems Security Ltd.
COBRA
,
. , ■
:
-
,
—
,
, ; ■
, , ;
■
-
, ,
, , ; ■
, . , ,
,
, .
-
.
«
{threat)
,
-
-
».
:
■ ■ ■ ■
; ; ; . . (
),
-
,
— , -
, . . ,
.
, ,
,
, 3, ■
:
,
,
,
, ■
;
,
,
; ■
,
,
,
,
,
, , ■
,
;
, ;
, (
, «
»
). «
». ,
: ■ ■ ■ ■ ■ ■
; ; ; ; ,
; ,
,
.
,
,
,
, .
.
, , .
,
-
, ,
, ,
.
, ,
.
, -
,
.
-
. ■
, ?
■
, , ?
■
, , , ? ,
, ,
-
, .
— , . -
. . (
)
,
.
:
■
,
, ,
, ; TCP/UDP,
■
; ■
-
JavaScript, . -
. 24
, 7
, .
,
,
,
-
, ,
. (dial-up)
-
dial-up
, ,
, ,
IP-
, ;
-
. dial-up
, ,
, ,
,
.
dial-up .
—
,
VPN.
, (
.
) , ,
,
,
-
, .
,
—
-
. ,
.
,
: ■ ■ ■
; ; ; /
■ ■ ■ ■ ■
;
; ; ; ; . , ,
,
.
-
,
,
,
-
,
.
. ,
,
,
.
-
. —
,
.
,
(
). , .
, «
».
,
, ,
.
. , ,
-
, : ,
,
,
, -
.
« «
,
» », . ,
(
)
,
, (Management by Objective, MBO) (Total Quality Management, TQM),
,
X
Y( -
).
Y.
,
, -
. , ,
. ,
«
»,
-
X, Y,
-
.
,
, . Y,
,
, , .
, .
-
, ,
, .
,
, ,
-
. , (Health Insurance Portability and Accountability Act, HIPAA) , , -
( ). 2003 . $100 ( )
$250 000
10
, ,
. ;
-
, . (
.
.
.)
.
,
-
Gramm-Leach-Bliley (GLB) ,
. , ,
,
,
.
,
,
( Data Protection Act Copyright Act ,
,
,
Digital Millennium -
) ,
. .
, .
. ,
/ . , ,
,
:
.
, , , .
-
: ,
,
.
, , , ,
,
.
:
______________________ ■ ■
, ,
;
,
-
■
,
■
,
; , ; ,
.
, . , (Group Policy) (Local Security policy object). 30 , .
,
, -
,
, ,
,
, -
. CD-
-
.
:
■ ; ■ ■
; ;
■
, . , :
,
(
-
), ,
.
.
, /
/
, ISA Server .
, Microsoft,
-
: -
,
,
Symantec McAfee, ( -
, , ,
) . ,
. ,
, .
-
.
: (
American Heritage Dictionary): « , ». ,
— ,
,
,
-
,
, . :«
, ,
». —
-
— .
,
;
,
. -
.
,
.
, ,
-
. .
—
, .
«
, -
»
, . .
,
-
,
. ;
,
,
(
,
),
( ,
), ).
(
.
■
:
( , ;
), ■
, , ;
■
, ,
(
■
);
,
, ;
■
, ,
, . , ,
.
-
, .
, , .
«
», . , .
,
. . ( ).
, -
. .
, .
,
(
), .
,
,
,
, ,
,
,
,
. .
.
,
.
,
«
»( ,
.
-
) ,
-
,
,
, ,
,
,
. .
(
,
)
«
, :
».
: Web-
CERT (Computer Emergency Response Team, ») , 50—100%. , , . , ,
«
,
. .
,
-
,
,
,
(
,
).
, . , , dial-up
-
. . ,
_____________________ ,
,
.
,
VPN-
-
-
Web-
.
, ,
-
, VPN-
.
,
.
. , ,
,
,
,
: «
» (firewall)
.
,
.
—
( ), ,
, ,
. , .
(
»
« ,
)
,
. ,
.
,
,
,
-
. ARPANET, . . .
1990-
. ,
.
, ,
. , ,
, .
-
-
, Morris, 1988 . ,
-
. . . ^
-
», .
,
,
,
.
,
, .
,
,
-
. ,
IP,
.
, . IPTCP/UDP.
-
, «
OSI.
-
»—
,
,
.
1990-
.
), 1993 .
-
( DEC (Digital Equipment Corporation) TIS (Trusted Information System) Firewall Toolkit (FWTK), Gauntlet, . Checkpoint 1994 ., Firewall-1 (FW-1). , Nokia -
. ,
-
. .
: : /
,
.
:
_____________________ ■ ■
/
;
/
.
/ ,
,
:
, » »
. ,
. .
,
.« , .« «
», ,
-
, .
: (
-
) . , , Linux
-
BSD. ,
.
,
,
,
«
»
, . —
,
.
, «
»,
-
« VPNWeb- . -
». , .
(
),
,
NetScreen ,
. ,, -
.
(solid-state), -
. ,
.
-
,
,
.
ASIC
, .
,
-
ASIC
.
,
.
.
-
, ,
,
. .
ASIC
, ,
.
. , .
-
, ,
,
.
,
ASIC, . ASIC (
SSL
VPN
)
,
Intel
, . ,
, ,
ASIC.
-
, ,
«
ASIC.
»— ,
,
. ISA Server
2004 —
, Windows 2000 Server
Windows Server 2003.
. Checkpoint NG — Sun
, Windows NT UNIX IBM. Nokia.
AIX
,
2000
Linux,
Solaris
ISA Server 2004, ,
,
. ,
ISA,
-
Microsoft
. -
,
.
, ,
-
. ,
-
. Windows, UNIX/Linux ,
,
,
Solaris, ,
. , ,
.
. ,
-
. ( ). ,
-
( ,
;
,
). . ,
-
, , , .
-
, ,
.
.
—
. , . $100, .
Windows XP Windows Server Internet Connection Firewall (ICF).
2003
, IP-
-
, ,
.
,
(
»
.
«
). , ,
,
-
.
, ,
,
( «
,
«
»
»
-
). ,
, dial-up
-
VPN,
,
,
-
. .
,
,
,
.
— ,
, »,
,
, /
,
« ,
-
. : ■ On box (
) , .
■ Off box (
) , . . (
(
, , ISA Server),
, Checkpoint) ( , Cisco PIX). , .
,
.
-
,
:
, . «
» ,
,
.
: —
—
-
. ■
, IP-
, ,
«
»
( /
, IP). (IDS/IPS)
, DoS-
1 .
•
■ ,
,
,
, / (
)
.
■
«
» ,
— ,
, . . ,
,
,
,
. ,
, .
.
, ■ ■ VPN■ ■ ■ Web■
. -
:
; ; ; ; ; . .
,
,
. ,
. ,
: ■ ■ ■
; ; .
. -
OSI (
.
. 1.1)
-
. OSI
-
. : www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/introint.htm.
-
OSI
J
. 1.1.
OSI
, ,
OSI. ,
IP-
-
. : ■
,
: , ;
■
,
: , ;
,
,
■
: ,
3
. 4388
.
;
(stateful inspection),
, — ,
(
); .
,
, OSI.
TCP,
,
-
. OSI — (
-
DoD).
TCP
( UDP.
),
,
,
,
FTP
. -
TCP
UDP. TCP UDP
, . ,
.
-
, .
-
,
. , ;
. GET
-
PUT,
.
.
(Application-layer filtering, ALF) ,
.
OSI
, HTTP-
,
,
-
URL, FTP-
.
,
, -
. ,
. —
-
.
,
. /
,
.
-
. , FTP FTP ,
.
, -
,
. , ,
.
,
-
,
53 (
DNS). ,
,
DNS-
. ,
. .
-
, ,
, .
,
. , ,
-
. ,
,
, DNS-
SMTP-
. -
.
, .
, ,
,
-3-
,
,
,
.
VPNVPN, «
»
VPN,
-
, , .
VPN - -
« -
VPN-
-
VPN-
-
VPN-
VPN-
».
,
(
) ,
, VPN,
VPN (
L2TP),
, .
,
(
« IPSec),
,
-
»,
. VPN-
«
- -
VPN.
«
- -
»
» -
VPN-
,
»
«
-
. .
,
«
VPN(
«
- -
»
-
). ».
- -
VPN-
VPN
ISA Server
ISA Server 2004 ■ ■ ■
VPN: ); /IPSec (L2TP/IPSec);
( IPSec. L2TP/IPSec VPN-
,
«
- -
».
IPSec VPN«
- VPN
. , » ISA Server 2004 Microsoft (Windows 2000/Windows Server 2003 RRAS ISA Server 2000). VPN
(
ISA Server 2004 VPN-
VPNVPN-
,
VPN) «
: - -
».
, ISA Server 2004
. VPN PPTP
VPNL2TP/IPSec. SecurID, RADIUS, VPN-
EAP/TLS, ISA Server 2004. VPN-
«
- » VPN« ,
. VPN-
ISA Server 2004 - -
» . ISA Server 2004 VPN-
«
- -
-
,
».
, VPN
, VPN.
ISA Server 2004
-
ISA Server 2004 VPNVPN-
. ISA Server 2004,
-
,
-
.
. Windows
-
VPN Windows. VPN Windows: ■ ; ■ VPN Windows; ■ ■ Force,
VPN (Connection Manager Administration Kit); RFC (Requests for Comments, ) IPSec NAT Traversal, IETF (Internet Engineering Task ).
ISA Server 2004 VPN-
VPN ,
(
2.
ISA Server)
IDS,
.
, (Local Area Network Directory, UDP, out-of-band (OOB
, LAND), Ping of Death,
WinNuke)
. . , POP,
POP-
-
,
POP, DNS,
-
DNS
.
ISA Server 2004
, IIS. .
, ISA Server 2004 -
, . ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■
ISA Server 2004 Windows out-of-band (OOB Land; Ping of Death; IP half scan; UDP; ;
: WinNuke);
DNS (host name overflow); DNS (length overflow); DNS (zone transfer); ; SMTP. ISA Server 2004 : ISA Server 2004 ISA Server 2004
■ ■ ■ ■
; ; ;
. ,
,
ISA Server 2004,
, . , -
Real Secure.
IDS
WebISA Server —
( . (Checkpoint),
Web-
— BlueCoat), -
(Cisco) . ,
,
.
Web-
( )
Web.
-
, WebWebWeb-
-
.
,
WebWeb-
, .
,
: ■ ■ ■ ■
(forward caching); (reverse caching); (distributed caching); (hierarchical caching).
.
-
Web-
, ,
Web-
.
,
,
-
, Web-
(
,
,
. .)
, -
100
/ 1,5
, / .
,
Web-
.
Web-
Web-
.
,
Web-
.
, Web-
(
. 1.2).
.
. 1.2.
Web-
.
. . (
. . 1.3).
,
-
. 1.3.
Web-
, . . ( . .
. 1.4.
.
. 1.4),
-
: . ,
-
. , ,
-
.
.
, .
,
: (front-end firewalls) , . ,
■
, , , .
■ (-
(back-end firewalls) , . , ,
)
, (- )
. . ■
-
,
(perimeter networks) , Web, .
, (DMZ). (application-filtering gateway
, ■
within the perimeter network)
, . , . . ■
(department firewalls) .
-
,
. -
. ■
,
(branch office firewalls) , VPN-
«
- -
», . ■
(telecommuter firewalls) ,
, VPN,
.
-
,
. (multiple firewall configu
■ ration) . ,
, ,
. 4.
ISA Server:
-
ISA Server
,
-
. ISA Server
MS Proxy Server. .
ISA: MS Proxy Server -
. ISA Server
-
,
.
« ». » (marriage by proxy), , ( ,
, « , ).
-
, ,
,
» -
«
:«
,
-
»,
-
-
, ). -
(
«
»
.
, ,
,
.
. IPIP-
-
-
;
(
),
. ,
, ,
, ,
, -
.
,
-
.
,
.
: MS Proxy Server Microsoft
1996 .
-
,
,
,
Winsock
, -
.
,
,
1.0
,
,
-
. ,
-
, Microsoft
Netscape,
Microsoft
.
, ,
-
. Microsoft .
Proxy Server, -
Netscape, —
-
,
.
rosoft)
; — CARP (Cache Array Routing Protocol, )
CARP .
( -
.
Microsoft -
.
MicWeb(Internet
: Cache Protocol,
-
) —
, -
, Border Manager ,
Novell.
CARP ICP CARP
. ,
, -
CARP ICP.
,
-
,
CARP .
CARP ISA Server 2004.
,
, .
-
—
FTP
HTTP.
. 2
,
Web-
WebWeb-
. (reverse hosting) ( Web-
.
-
, ,
Proxy Server
), (server binding).
Microsoft
-
. IIS Microsoft (Microsoft Management Console, .
4.0 MMC),
Microsoft: ISA Server 2000 Microsoft Proxy Server
, ,
-
. ISA Server 2000
-
. ,
— .
—
( ,
,
),
-
,
. Institute of Standards and Technology, NIST)
SP-800-10
(National -
, , ,
/
. -
, Microsoft
. Proxy Server 2.0
,
,
,
, ,
-
.
, -
,
,
, .
(
, ),
-
ISA Server 2000
: ■
(VPN) ISA Server VPN,
VPNActive Directory (AD) ISA
■ tory ■ ,
. Windows 2000 Active: Direc . , >
/
, ■
■ ,
. SecureNAT (Secure Network Address Translation, ) NAT, ISA, , , Macintosh UNIX , TCP/IP. , , , , .
■ , .
-
■
ISA, ,
Windows 2000,
Microsoft. ISA ,
,
ISA
. ISA Server
■ ,
. , ISA
. ■
ISA Server ,
e-mail e-mail
. ■
.323 , NetMeeting (
Microsoft NetMeeting,
ILS). ■ , (live stream splitting) Windows Media Server).
Windows Media (
: ISA Server 2004 ISA Server 2000 .
, IDC (Internet Data Center, Microsoft 2002/2003 . » . , , VPN, .
), ISA ISA
« Microsoft
ISA Server 2004 ; ,
,
,
, . ISA 2004.
, . 1.2
, 2.
ISA Server 2004
1.2. .
, . . ISA Server 2000, (local address , ISA
table, LAT), Server 2004
ISA Server 2004 . (
,
DMZ,
), -
. , ISA ,
Server 2004 , .
, ,
(network address translation, NAT).
, ISA Server, .
ISA Server 2000,
VPN
ISA Server 2004 ,
,
(virtual private network, . VPN.
VPN)
-
VPN, ,
: . 1.2. (
) -
,
«
-
- -
>> ISA Server 2000, , . ISA Server
, ,
, 2004
VPN «
- -
»
, VPN-
«
- -
-
».
, . /
ISA Server 2000 VPN,
VPNISA Server 2004
VPN-
-
ISA Server 2004 SecureNAT -
. , VPN-no
VPN,
, ISA Server 2000. VPN —
NAT
/ VPN SecureNAT VPNVPNVPN
Server 2003. .
ISA Server 2004 Windows ,
VPN, , ,
VPN
IPSec «
VPN- -
ISA Server 2000 L2TP/IPSec NAT-T VPN . ISA Server 2004 IP . ISA Server 2004 . , VPN Windows Server 2003 NAT-T L2TP/IPSec ISA Server 2004 ISA Server 2000 L2TP/IPSec VPN « - ». ISA Server 2004 » VPN« - », IPSec VPN ISA Server 2004 ISA Server 2000. , IP. ping tracert VPN. , ISA Server IPSec
(
.
.
.)
. 1.2. (
)
/ , .
-
ISA Server 2000 ,
,
. ISA Server 2004 New Protocol Wizard
-
ISA Server 2004 , (Firewall Rule). ISA Server 2004 ,
-
ISA Server 2000 Active Directory . ISA Server 2004
, , , ,
; Active Directory. ,
-
, . ,
,
, HTTP , Web-
(credential) Web .
ISA Server 2000. ( , ISA Server 2004
Web )
, :
-
WebHTTP RADIUS
Web-
ISA Server 2000, Active Directory
Web-
. ISA Server 2004 Active Directory tory. RADIUS
RADIUS Web-
-
, Active Direc-
: . 1.2. (
)
Web, 2004
WebISA Server 2000 IP-
Web-
IP-
ISA Server Web. -
,
IP-
,
WebWeb-
.
ISA Server 2004
:
-
,
IP-
-
IPWebISA Server 2004
-
SecurID.
Web-
, «
- »
«
-
- », Web,
ISA Server 2004 OWA,
. -
OWA, OWA- Pack 1, -
VPNSSL
Web(Secure Web Publishing Wizard)
,
Windows Server 2003 Service RDP SSL SSL VPNWindows Server 2003. ISA Server 2004 , SSL VPNWebSSL VPN Web. SSL-SSL ISA Server
2004 HTTP-
.
SSL-
-
WebISA Server 2004 RPC,
Outlook MAPI,
Exchange RPC
.
-
Exchange,
(
.
.
.)
. 1.2. (
) HTTP-
ISA Server 2004
HTTP
).
HTTP ( .
HTTPHTTP-
ISA Server 2004
-
, -
Windows HTTP-
HTTP-
ISA Server 2004
HTTP(
-
)
,
ge RPC-
FTP-
HTTP-
ExchanOutlook MAPI
, ISA Server 2004 ; ;
, ,
ISA Server 2000 HTTP- FTPWebMIME (Multipurpose Internet Mail Extensions, )( HTTP) ( FTP). HTTPISA Server 2004 HTTPISA Server 2004 HTTPISA Server 2004 « HTTP», URL , , , . , ISA Server 2004 , HTTP( «HTTP») , . , - POST, WebHTTPPOST Exchange ISA Server 2004 Exchange Outlook MAPI . Outlook RPC . RPCISA Server 2004 Outlook MAPI FTPISA Server 2004 , FTP FTP-
: 1.2. (
)
.
Web. ISA Server 2004 , , ISA Server 2004 ,
. -
, ISA Server 2004 Web-
, SMTP. , . ,
, . . ISA Server 2004,
, URL ISA Server 2004 .
, :
ping, TCP-
HTTP-
GET.
,
,
IP, ISA Server 2004
URL , . ,
-
, Web-
, .
,
,
,
ISA Server 2000 — 12:30.
, . ISA Server 2004 .
(
.
.
.)
. 1.2. (
) ___________
MSDE. MSDE (Microsoft Data Engine,
Microsoft) -
,
-
XML,
(Delegated Permissions Wizard) -
. -
, ISA Server 2004 , ISA Server 2000.
, 2
. ,
. 1.2, Feature Pack 1, ISA Server 2004.
ISA Server 2000 ,
ISA: , ,
,
ISA Server 2004. ,
, :
■ «
, , . Checkpoint» (www.infoworld.com/article/04/05/03/HNisaserver_1.html). ■ « , ISA Server — , . (Gartner) , ,
.
, » (www.infoworld.com/article/04/05/03/HNisaserver_1.html). ■ « : , ISA Server, — Darrow), TCP-IP Inc. — , .— Checkpoint Cisco,
Cisco (Chris
» (http://searchwin2000.techtarget.com/originalContent/0,289142,sid1_gci967964,00.html). ■ « "Strange Setup" (" ") , ISA Microsoft , . , ISA Server , Windows. ( : , .) »(http://sandbox.rulemaker.net/ngps/infosec/rwiz/fwiz-2004-02-28). : ■
. , ISAServer.org (www.isaserver.org/pages/newsletters/march2004.asp). , Cisco Checkpoint ( ) ISA Server 2004 , . , , Windows Microsoft, ( Microsoft Exchange
■
■
SQL, ■
2004
,
, Microsoft Microsoft).
, ( ). , ,
XXI
,
-
1997 . .
,
ISA Server 2004.
, , , , , .
,
-
, (
),
, -
. ISA Server 2004 Microsoft
2000,
Microsoft Proxy Server
ISA Server
, ISA
-
. (
), ,
«
, »
: ,
. Microsoft
, «Trustworthy
. . Computing initiative» ,
— — ISA Server 2004
,
-
. ISA Server 2004
,
, -
; . , ,
,
,
, ,
, , ,
,
. , .
,
-
, ( )
( )
. (
). -
, ,
OSI
,
. ISA Server 2004 , ,
,
-
Web-
-
,
.
ISA Server 2004
,
,
ISA Server 2000,
-
. ,
ISA,
,
, . !
,
ISA Server 2004 : GUI:
,
:
,
2
ISA Server 2004 ISA 2000,
, OWAWeb-
,
. , , (Outlook Web Access publishing), , . .
,
-
, FTP, SMTP,
ISA Server 2004
,
, (Virtual Private Network), , OWA
VPN-
VPN-
: ,
,
-
-
,
. . GUI (Graphical User Interface,
-
) . ISA 2004, ,
, ISA Server.
, ISA Server 2004,
,
ISA Server 2000, . Microsoft
,
, —
-
ISA Server 2004 , ,
.
ISA 2004 ,
.
GUI:
,
,
,
ver —
. ,
ISA Server 2004 ISA Server 2000.
, . , ISA Server 2004 , ,
ISA Server 2000, , Help (
ISA Ser, ).
ISA Server 2004
. 2.1 ISA Server 2004. , (Microsoft Management Console)
ISA Server 2000,
.
. 2.1.
. 2.2.
ISA Server 2000 —
ISA Server 2004 —
,
. 2.2 —
ISA Server 2004
:
, , .
,
-
, .
,
. .
(
-
) -
. ISA Server.
ISA Server, ISA Server ISA, nect to Local or Remote ISA Server ( ISA Server)
ISA Server ,
.
Con-
Tasks.
(Microsoft Internet Security and Acceleration Server 2004), . : ■ The Getting Started Guide ( ISA Server), HTML ( . 2.3) ISA Server 2004 («A Feature Walk-Through»), . ■ Best Practices for Securing your ISA Server ( ISA Server) Security and Administration ( ) Help ISA Server 2004. Web, ISA Server, — http://www.microsoft.com/isaserver/techinfo/howto/. Security Best Practices. ■ Getting Started ( )( Getting Started!) , , ISA Server ( ). ■ WebMicrosoft, ISA Server 2004, (www.microsoft.com/isaserver) , ISA Server. ■ Web, , , ISA Server. , , .
ISA Server 2004
Getting Started Guide
. 2.3.
ISA Server 2004 —
И ,
,
-
, ■ ■ ■ ■ ■
. ISA Server (Name) ( ISA Server, Monitoring ( ); Firewall Policy ( ); Virtual Private Network (VPN) ( Configuration ( ).
■ ■ ■ ■
Networks ( Cache ( ); Add-ins ( General (
: );
, VPN); :
); ); ).
, .
ISA Server (Name) , — ROADBLOCK), Started with ISA Server 2004 ( . 2.4. ,
. 2.4. Getting Started
ISA Server ( Getting ISA Server 2004), Getting Started Guide.
ISA Server —
Getting Started ( ) . , : ■ Defining Your ISA Server Network Configuration ( ISA Server) , , NAT Server. ■ View and Create Firewall Policy Rules ( ) ,
ISA Server -
/
ISA Server . ISA
-
ISA Server 2004
ISA Server , , , e-mail ■ Define How ISA Server Caches Web ( Server Web) , , , Web, ■ Configure VPN Access ( VPN) VPN ,
Web. ISA , .
. ISA Server)
■ Monitor your ISA Server Network ( :
( Web-
). , ,
. Getting Started , . , Define Your ISA Server Network Configuration, , Networks Configuration ; View and Create Firewall Policy Rules, , Firewall Policy , . . ISA Server 2004, , , Getting Started , ISA Server , .
ISA Server ISA Server . ■ Define Administrative Roles (
Tasks ( ,
)
,
: ) Administration Dele
gation Wizard, .
, ISA Server.
■ Disconnect Selected Server from Management Console ( ) ISA Server.
■ Backup this ISA Server Configuration ( ISA Server) XML ■ Restore this ISA Server Configuration ( ISA Server) , Related Tasks ( ISA Server (
ISA Server
XML, .
) XML).
ISA Server / /
?
:« Restore ( )?». . XML, )
Import ( Server ,
Backup ( Export (
) ,
ISA ISA Server.
,
Export ( Backup ( ■ Export user permission settings ( ); ■ Export confidential information ( — ). ,
)
)
, ):
-
/ . Backup/Restore .
,
,
VPN.
, :
«
». /
,
-
.
, ,
Web-
, . .
, :
-
■ ■ ■ ■ ■ ■
; ; ; ; ; ISA Server ,
. , IPSec , -
, RADIUS. . Backup
: . -
. ,
. , ? —
ISA Server ISA Server ,
,
. , . ,
, .
,
ISA Server, .
ISA Server 6.
Monitoring ISA Server 2004
,
-
ISA Server 2000. ■ ■ ■ ■ ■ ■ ■
, . . Dashboard ( Alerts ( ); Sessions ( ); Services ( ); Reports ( ); Connectivity ( Logging (
: );
); ).
Dashboard (
)( (
, ging).
.
. 2.5)
,
Log.
,
,
Dashboard (
. 2.5.
)—
,
; ( 10),
,
. ,
: ■ ■
,
;
; ■
X . , . Alerts (
) ( ,
.
. 2.6.) ,
, ,
. . .
-
. 2.6.
Alerts ( ISA Server
)
,
. 2.6,
, .
-
, .
Windows, Event Viewer (
,
)
. ■
,
«i» .
;
■
. ,
■
-
; ,
X ,
. (
).
Reset. .
Alerts Tasks , , , Yes,
,
( ),
,
,
, -
. Acknowledge ( .
Alerts,
Alerts ,
), .
,
,
-
,
, ,
.
,
(
, ,
Windows, /
). , Alerts.
,
, Sessions (
.
)( . . 2.7) ISA Server
. .
. 2.7.
Sessions ( ISA Server
Services (
)—
) ( . . 2.8) ISA Server Windows 2000
2003. Tasks (
)
, .
,
, Windows Server Services ,
ISA Server 2004
. 2.8.
Services (
)—
Reports (
)(
.
. 2.9,
, .
Report jobs ( ,
New Report Wizard ) .
.
-
,
.
. 2.9.
Reports (
Connectivity (
)—
)(
.
. 2.10)
, .
-
—
, ISA Server
PING,
. 2.10. ISA Server
TCP
Connectivity (
URL HTTP-
)— URL
Monitoring — ) (
.
Logging (
. 2.11),
-
, , Web-
SMTP.
,
,
, ,
. 2.11.
.
Logging ( ISA Server
)—
-
Firewall Policy Firewall Policy (
), ,
(
Toolbox ( . 2.12.
),
. 2.12.
), Tasks (
Firewall Policy (
Help
)—
Firewall Policy (
) ,
Server.
« Web-
.
»
ISA ,
,
,
IP,
New Access Rule Wizard,
)
, . . 2.13-
-
. 2.13.
New Access Rule Wizard —
7
8.
Virtual Private Networks (VPN) ISA Server
, VPN-
Virtual Private Networks ( VPN
. 2.14.
Virtual Private Networks (
« ), .
)
- -
VPN ». . 2.14,
,
-
: ■ ■
VPNWindows,
; VPN-
RADIUS VPN
■ ■ ■
,
; ; VPN-
;
,
VPN. Tasks ( VPN-
)
( , , VPN ( Windows)).
,
VPN -
VPN. 9-
Configuration:
Networks
Configuration ( Networks ( ), Network rules ( . 2.15.
. 2.15.
)
. -
Networks ( ), Network sets ( ) Web-chaining ( Web-
Networks ( Web-
)—
,
),
,
, ),
: Tasks ( Help (
), Templates (
)
). Networks .
-
Network Sets .
,
, (
).
Network Rules , (NAT) Web Chaining
Web, ISA Server
.
12.
Configuration:
Cache
Cache ( ), ISA Server.
. 2.16,
. 2.16. ISA Server
Cache (
)—
,
-
, New Cache Rule Wizard. ,
-
. . ,
ISA Server
-
. ISA Server
-
11.
Configuration:
Add-ins
Add-ins ( ) (application layer filtering, ALF) , ,
ISA Server. Web,
. ISA Server.
. 2.17. Web-
Add-ins
Add-ins (
Configuration:
)—
General
, General ( )( , : ■ Delegation of administration ( ;
. 2.17.
. 2.18) ) -
■ Configuration of firewall chaining ( ) , , SecureNAT ■ Specification of Dial-up preferences ( ) , ■ Specification of certificate revocation ( ISA Server
; dial-up dial-up; )
CRL (Certificate Revocation List); ■ Definition of Firewall client settings ( ) ; ■ Viewing of ISA Server computer details ( , ISA Server). ISA, ID , ; ■ Configuration of link translation ( ) ( ), , . , ■ ■ ■ ■
: RADIUS; DNSIP; .
. 2.18.
General (
)
;
ISA Server 2004
GUI ISA Server 2004.
,
, ISA Server 2004 ISA Server 2000. ,
, -
: ■ ■ ■ ■ Web■
; ; ; Web-
; .
ISA Server: ,
, -
, , ,
.
ISA Server, ,
,
ISA Server
-
. Help
2004 ISA Server, ISA Management , ISA Server. ISA Server ( isa.chm. , Help,
/
ISA Server, ISA Server.
ISA Server 2004
-
. ■ ■ ■ Web-
ISA Server , Microsoft ISA Server Program Files) ,
: ISA Management; Windows 2000
Windows Server 2003; .
ISA Management ISA Server
ISA Server. ,
ISA Server . 2.19-
. 2.19. ISA Server
Connect to Local or Remote ISA Server ( ISA Server) ,
ISA Server, IP-
. 2.20. ,
Computers ( ISA Firewall Policy.
)
Remote Management -
ISA Server 2004
. 2.20.
Connect To (
)
ISA Server -
ISA Server 2004. ISA Server 2000 : «A failure occurred. The task was not activated» (« »).
.
ISA Server ,
. :
1.
ISA Server Firewall Policy ( ) . 2. System Policy ( ) «Allow remote management from selected computers using MMC» (« »), . 3. , Edit System Policy ( ) System Policy Tasks ( ), System Policy Editor ( ). 4. Editor ( ) Configuration Groups ( ) Remote Management ( ) Microsoft Management Console (MMC). 5. From ( ), Remote Mana gement Computers ( ) -
-
This rule applies to traffic from these sources ( ), . 2.21.
-
System Policy Editor (
. 2.21. ,
6.
)
Remote Management Computers ( ).
7. net (
. 2.22.
, Computer ( ).
. 2.22, ), Address Range (
,
Add ( )
) Sub
ISA Server 2004
IPISA Server,
, . ,
-
,
,
ISA Server. ( ,
,
, ,
Computers ( ,
). VPN)
Add ( Add Network Entities ( VPN clients (VPN(
From ( )
, ) Remote Management , , ISA Server.
), Networks (
)
).
) )
Remote Management Computers ( . ,
-
ISA Server
Installing ISA Server 2004 remotely

The ISA Server 2004 setup program (isaautorun.exe) can be started from Windows Server 2003, Windows XP or Windows 2000. Choose Install ISA Server 2004; setup checks that the target computer runs Windows 2000 Server or Windows Server 2003 and, after you click Continue, installs Microsoft ISA Server. (Running setup on an existing ISA Server 2000 computer is an upgrade, which has its own requirements.)

The usual way to install or manage remotely is a Remote Desktop session: the Windows Remote Desktop Connection (RDC) client ships with Windows XP and Windows Server 2003 (Programs/Accessories/Communications) and is available for Windows 2000 and Windows 9x. On a Windows Server 2003 ISA Server, enable Remote Desktop in System Properties, Remote tab, «Allow users to connect remotely to this computer» (Fig. 2.23); on Windows 2000 Server, install Terminal Services in remote administration mode.
Fig. 2.23. Enabling Remote Desktop on the ISA Server computer.

RDC traffic to the ISA Server itself is also controlled by the system policy: open Edit System Policy, Remote Management, Terminal Server, and on the From tab click Add to specify the computers (by name or IP address) allowed to connect.

Web-based management: Microsoft does not provide a Web interface for ISA Server 2004. Browser-based management through Internet Explorer relies on ActiveX controls, so the ISA Server site must be in the Trusted Sites or Local Intranet security zone. A third-party Web front end for ISA Server, RoadBLOCK from RimApp (http://www.rimapp.com), is shown in Fig. 2.24.

Fig. 2.24. RimApp RoadBLOCK Web interface for ISA Server.
What is new compared with ISA Server 2000

The product keeps the name «Internet Security and Acceleration Server», but Microsoft positions ISA Server 2004 against enterprise firewalls such as Checkpoint and Cisco PIX, not only as a proxy. The improvements over ISA Server 2000 covered below are:

■ authentication;
■ Web proxy behaviour;
■ OWA publishing;
■ FTP publishing;
■ network objects and the ordered firewall policy;
■ Web and server publishing;
■ VPN.

ISA Server 2004 handles protocols that are neither TCP nor UDP (layer 4), such as ICMP (Internet Control Message Protocol) and the IPSec protocols used by VPNs, at the IP layer (layer 3), so ping and tracert work through the firewall; ISA Server 2000 could not pass them. ISA Server 2004 also distinguishes FTP downloads from uploads, so a rule can allow «read-only» FTP, whereas ISA Server 2000 allowed either all of FTP or none. New protocol definitions, including custom ports and secondary connections, are created with the New Protocol Wizard (Firewall Policy, Toolbox, Protocols, New, Fig. 2.25).

Fig. 2.25. Creating a protocol definition.
Authentication: ISA Server 2004 authenticates users with Windows (integrated) authentication or RADIUS, and the SDK (Software Development Kit) allows other authentication methods to be plugged in.

Web proxy: the ISA Server 2000 Web proxy interfered with some sites, notably Hotmail; ISA Server 2004 fixes this.

OWA and FTP publishing: the OWA Publishing Wizard in ISA Server 2004 publishes Outlook Web Access over SSL⁸ (Secure Sockets Layer) to Exchange and also publishes Outlook Mobile Access and ActiveSync, which ISA Server 2000 could not. ISA Server 2004 FTP publishing can restrict published FTP servers to downloads only, which ISA Server 2000 could not do.

⁸ SSL was developed by Netscape to secure Web traffic; it is based on RSA public-key cryptography.
Network objects

ISA Server 2000 rules referred to destination sets and client address sets built from IP addresses. ISA Server 2004 replaces them with network objects:

■ Networks — sets of IP addresses that form a network;
■ Network sets — groups of networks;
■ Computers — single IP addresses;
■ Address ranges — ranges of IP addresses;
■ Subnets — IP subnets;
■ Computer sets — groups of computers, address ranges and subnets;
■ URL sets — sets of URLs;
■ Domain name sets — sets of domain names;
■ Web listeners — the IP addresses and ports on which ISA Server accepts Web requests for Web publishing rules.

Fig. 2.26. ISA Server 2004 network objects.

Network objects are covered in Chapter 4. ISA Server 2004 firewall rules are created with the Firewall Rule Wizard, which replaces the separate protocol rules and site and content rules of ISA Server 2000.
ISA Server 2000 evaluated all Deny rules before any Allow rule. ISA Server 2004 processes the firewall policy as an ordered list: rules are evaluated top to bottom and the first rule that matches the request is applied, so the order of rules matters; use Move Up and Move Down to reorder them (Fig. 2.27).

Fig. 2.27. The ordered firewall policy.

Publishing: ISA Server 2000 kept Web publishing and server publishing apart and required separate configuration of the listener; ISA Server 2004 publishes Web servers, including SSL sites, with the Web Publishing Wizard (Fig. 2.28) and mail servers with the Mail Server Publishing Wizard.

Fig. 2.28. The Web Publishing Wizard, including SSL publishing.
The Mail Server Publishing Wizard publishes SMTP, RPC and NNTP (Network News Transfer Protocol) servers as well as Outlook Web Access, Outlook Mobile Access and Exchange ActiveSync. In ISA Server 2000 a Web publishing rule and the HTTP listener it used had to be configured separately; in ISA Server 2004 the Web Publishing Wizard and the rule wizard collect everything the rule needs.

VPN improvements in ISA Server 2004:

■ «site-to-site» VPN with IPSec tunnel mode, for interoperability with third-party gateways such as Cisco PIX and Check Point (ISA Server 2000 offered PPTP and L2TP/IPSec site-to-site links only);
■ firewall policy applied to VPN client and site-to-site traffic (in ISA Server 2000 VPN traffic bypassed the policy), so that, for example, Outlook MAPI access to Exchange over the VPN can be restricted to the right users and servers;
■ VPN clients are treated as SecureNAT clients of ISA Server 2004 and placed in their own VPN Clients network;
■ L2TP/IPSec NAT-T (NAT traversal) for VPN clients and gateways behind NAT devices, using the NAT-T support of Windows Server 2003;
■ Secure Exchange RPC publishing, so that Outlook MAPI clients reach Exchange through the firewall without needing a VPN at all.
, ISA Server 2004 — . WebWeb, : Cache Rule Wizard ( SSL-
■ ■ ■ ■
ISA Server 2004 ); ; Web-
; .
Cache Rule Wizard ISA Server 2000 . . 2000 (
Cache Rule Wizard . ISA Server New Routing Rule Wizard ) ( . 2.29), ( ) Network Configuration ( ) Cache Configuration ( ),
( ).
ISA Server 2004 ,
ISA Server 2004
. 2.29.
105
ISA Server 2000
ISA Server 2004 (
Configuraiton/Cache Cache Rule ( Create a Cache Rule . 2.30.
) Cache (
New ( . 2.30,
)
), (
)
), Tasks,
, ,
. ,
ISA Server 2000
,
, ,
.
ISA Server 2004 , ,
: ,
,
,
, URL
,
-
ISA Server 2004
,
,
,
. , ,
, -
, .
5
. 4388
,
106
2
Welcome to the New Routing Rule Wizard Routing rules determine whether a client's Web request is retrieved directly, touted to upstream ISA Server, to an destination.
Note: Be sureto tie&s new policy elements required by the rule before you use this wizard.
To continue, clickNext.
ISA Server 2004
. 2.30.
Cache Rule Wizard
11.
SSLISA Server 2000
SSL,
.
SSL .
ISA Server 2004 SSL). , Advanced (
. , Cache Advanced Configuration ( , , SSL, Properties ( ) ), , SSLISA Server 2004.
, , -
, . 2.31.
-
107
ISA Server 2004
ISA Server 2004 —
. 2.31.
SSL-
WebWebWeb-
.
ISA Server 2000 , ISA Server 2004 ,
,
, , Web-
,
: -
Web-
.
ISA Server 2004, ISA ,
.
, (
,
, . Paths ( ,
) ,
WebProperties ) /path/*. -
8.
2004.
ISA Server ,
ISA Server 2000 . .
Monitoring

Monitoring in ISA Server 2004 has been extended considerably compared with ISA Server 2000, where it was limited to the performance counters, the event log and the logs on disk. ISA Server 2004 monitoring consists of:

■ dashboard;
■ alerts;
■ sessions;
■ services;
■ connectivity verifiers;
■ reports;
■ logging, to file, SQL or MSDE.

Alerts can be configured with actions (for example e-mail notification or running a program) and are raised by the Web and SMTP filters as well as by the firewall service (Fig. 2.32). ISA Server 2000 alert actions were the same kinds, but far fewer events were available.
Fig. 2.32. Alert configuration.

Sessions: the Sessions tab of the Monitoring node (Fig. 2.33) lists current sessions with the client IP address, the client type (SecureNAT, Firewall client or Web proxy), the user name where known and the application, and can be filtered.

Fig. 2.33. The Sessions tab.

Connectivity verifiers (Fig. 2.34): ISA Server 2004 can watch the reachability of servers specified by name, IP address or URL using ping, a TCP connection to a port, or an HTTP GET request, and raise an alert when a check fails; verifiers are created with the Connectivity Verifier Wizard under Monitoring, Connectivity. ISA Server 2000 had no equivalent.

Fig. 2.34. Creating a connectivity verifier.

Reports: the New Report Wizard creates a one-off report and the New Report Job Wizard schedules recurring reports; reports are HTML and can be published to a Web folder. ISA Server 2000 generated its daily reports at a fixed time (12:30); in ISA Server 2004 the time of the report job, 12:30 by default, can be changed (Fig. 2.35).

Fig. 2.35. Report job schedule.
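The three verifier methods named above (ping, TCP connect, HTTP GET) are simple to reproduce, and reproducing them shows what each method actually proves. The example below is added here and is not code from the book or from ISA Server; the names, ports and URLs are constructed for it, `demo()` spins up a throw-away HTTP server on 127.0.0.1 so the TCP and HTTP checks run offline, and the ping check shells out to the system ping command and is only meaningful with network access.

```python
"""Added example (not code from the book or from ISA Server): a small
connectivity verifier in the style the chapter describes, with ping, TCP
connect and HTTP GET methods, a timeout and an up/down verdict. demo() uses
a throw-away local HTTP server so it works offline. Names, ports and URLs
are constructed for this example."""
import http.server
import platform
import socket
import subprocess
import threading
import time
import urllib.error
import urllib.request
from dataclasses import dataclass


@dataclass
class VerifierResult:
    name: str
    method: str
    up: bool
    latency_ms: float
    detail: str


def _ms(start: float) -> float:
    return round((time.perf_counter() - start) * 1000, 2)


def verify_tcp(name: str, host: str, port: int, timeout: float = 2.0) -> VerifierResult:
    """TCP connect: proves the host is up and the port is listening, nothing more."""
    start = time.perf_counter()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            pass
        return VerifierResult(name, "tcp", True, _ms(start), f"connected to {host}:{port}")
    except OSError as exc:
        return VerifierResult(name, "tcp", False, _ms(start), str(exc))


def verify_http(name: str, url: str, timeout: float = 2.0) -> VerifierResult:
    """HTTP GET: any status below 400 counts as up; the point is that the
    Web server answers, not what it answers with."""
    start = time.perf_counter()
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return VerifierResult(name, "http", resp.status < 400, _ms(start), f"HTTP {resp.status}")
    except urllib.error.HTTPError as exc:  # the server answered with an error status
        return VerifierResult(name, "http", exc.code < 400, _ms(start), f"HTTP {exc.code}")
    except (urllib.error.URLError, OSError) as exc:
        return VerifierResult(name, "http", False, _ms(start), str(exc))


def verify_ping(name: str, host: str, timeout: float = 2.0) -> VerifierResult:
    """ICMP echo through the system ping tool (raw ICMP sockets need privileges)."""
    count_flag = "-n" if platform.system() == "Windows" else "-c"
    start = time.perf_counter()
    try:
        proc = subprocess.run(["ping", count_flag, "1", host], capture_output=True, timeout=timeout + 1)
        return VerifierResult(name, "ping", proc.returncode == 0, _ms(start), f"ping exit code {proc.returncode}")
    except (OSError, subprocess.TimeoutExpired) as exc:
        return VerifierResult(name, "ping", False, _ms(start), str(exc))


class _QuietHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        body = b"connectivity verifier test page"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output clean
        pass


def _free_port() -> int:
    """A port nothing listens on, to show the 'down' verdict."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo() -> dict:
    server = http.server.HTTPServer(("127.0.0.1", 0), _QuietHandler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        results = [
            verify_tcp("published web server (TCP)", "127.0.0.1", port),
            verify_http("published web server (HTTP GET)", f"http://127.0.0.1:{port}/"),
            verify_tcp("closed port", "127.0.0.1", _free_port()),
        ]
    finally:
        server.shutdown()
        server.server_close()
    return {r.name: r.up for r in results}


if __name__ == "__main__":
    for name, up in demo().items():
        print(f"{name}: {'up' if up else 'DOWN'}")
```

A TCP verifier passing while the HTTP verifier fails is the pattern to watch for on a published server: the port is open but the application behind it is not serving.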
SQL logging: ISA Server 2004 can log to a SQL Server database, as ISA Server 2000 could. MSDE logging: ISA Server 2004 can also log to a local MSDE database (the SQL Server desktop engine), which ISA Server 2000 could not; MSDE logs are queried with SQL tools (the ISA Server log viewer, or SQL Server 2000 tools such as Enterprise Manager).
Architecture changes

Microsoft names three main architectural improvements in ISA Server 2004 over ISA Server 2000:

■ multi-network support;
■ application layer filtering (Application Level Filtration, ALF);
■ VPN integration.

Multi-networking: ISA Server 2004 defines these networks by default:

■ Internal network — the protected network;
■ External network — everything not covered by another network, usually the Internet;
■ VPN Clients network — the IP addresses assigned to connected VPN clients;
■ Local host network — the ISA Server computer itself.

ISA Server 2000 used the LAT (Local Address Table): addresses in the LAT were «internal», everything else «external». ISA Server 2004 replaces the LAT with network objects, and every pair of networks has an explicit relationship (route or NAT). The network templates supplied are:

■ Edge firewall;
■ 3-leg perimeter (DMZ);
■ Front firewall;
■ Back firewall;
■ Single network adapter (Web proxy/cache only).

Networks and templates are covered in Chapter 4.
Application layer filtering (ALF)

ISA Server 2004 extends the application filters of ISA Server 2000 with:

■ an HTTP filter that inspects requests and responses on a per-rule basis;
■ blocking of HTTP methods (verbs);
■ blocking by HTTP signatures in headers and bodies;
■ blocking of executable downloads;
■ the Secure Exchange RPC filter;
■ the FTP filter with read-only mode;
■ link translation.

HTTP filter. ISA Server 2004 inspects HTTP on every Web publishing and access rule. In ISA Server 2000 similar URL filtering required Feature Pack 1 (the URLscan filter for ISA Server 2000). The HTTP filter can block Windows executables: a Windows executable (.exe, .com, .dll and similar) begins with the two characters MZ, the initials of Mark Zbikowski, the Microsoft developer of the MS-DOS executable format, and the filter looks for that signature in the response body regardless of the file extension.

The filter also blocks content by MIME type (Multipurpose Internet Mail Extensions); ISA Server 2000 could filter HTTP and FTP content by MIME type only for Web proxy clients. It limits URL and request length, verifies that URLs are normalised (a URL that still decodes after one round of %xx decoding is rejected), blocks high-bit and malformed UTF-8 characters in URLs, which attackers use to disguise paths, and can block POST requests, for example to stop users posting to Web forms.

HTTP verbs (methods) can be allowed or blocked individually: GET (retrieve the resource named by the URI, Uniform Resource Identifier), PUT (store a resource at the URL), POST (submit data to the server), and others.
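The request-side and response-side checks described above are easier to reason about in code. The block below is added here and is not code from the book or from ISA Server's filter; the request and response classes, the policy fields, the signature strings and the sample messages are all constructed for this example. It shows the double-encoding (`%255c`) and overlong UTF-8 (`%C0%AF`) cases that the normalisation and high-bit checks exist for, and an executable delivered with a lying Content-Type.

```python
"""Added example (not code from the book or from ISA Server): a policy filter
modelled on the checks the chapter attributes to the ISA Server 2004 HTTP
filter (method allow-list, URL length, high-bit/UTF-8 check, normalisation
check, header and body signatures, MZ executable blocking). All structures,
signature values and sample messages are constructed for this example."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote, unquote_to_bytes

BLOCK_METHOD = "method not allowed"
BLOCK_URL_LENGTH = "URL exceeds maximum length"
BLOCK_HIGH_BIT = "high-bit characters in URL"
BLOCK_UTF8 = "URL is not valid UTF-8"
BLOCK_NORMALIZATION = "URL is not normalized (double encoding)"
BLOCK_HEADER_SIG = "request header signature"
BLOCK_BODY_SIG = "request body signature"
BLOCK_EXECUTABLE = "response body is a Windows executable (MZ header)"
BLOCK_RESPONSE_SIG = "response body signature"


@dataclass
class HttpRequest:
    method: str
    url: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


@dataclass
class HttpResponse:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


@dataclass
class HttpFilterPolicy:
    allowed_methods: Tuple[str, ...] = ("GET", "HEAD", "POST")
    max_url_length: int = 2048
    block_high_bit: bool = True        # reject any byte > 0x7F in the decoded URL
    verify_normalization: bool = True  # reject URLs that decode twice to something new
    block_executables: bool = True     # reject response bodies that start with "MZ"
    header_signatures: Dict[str, List[str]] = field(default_factory=dict)
    body_signatures: List[bytes] = field(default_factory=list)
    response_signatures: List[bytes] = field(default_factory=list)


def _header(req: HttpRequest, name: str) -> str:
    """Case-insensitive header lookup (header names are not case-sensitive)."""
    return next((v for k, v in req.headers.items() if k.lower() == name.lower()), "")


def check_request(req: HttpRequest, policy: HttpFilterPolicy) -> Optional[str]:
    """Return the reason the request is blocked, or None if it passes."""
    if req.method.upper() not in policy.allowed_methods:
        return BLOCK_METHOD
    if len(req.url) > policy.max_url_length:
        return BLOCK_URL_LENGTH
    decoded = unquote_to_bytes(req.url)  # one round of %xx decoding
    if any(b > 0x7F for b in decoded):
        if policy.block_high_bit:
            return BLOCK_HIGH_BIT
        try:
            decoded.decode("utf-8")  # overlong or truncated sequences fail here
        except UnicodeDecodeError:
            return BLOCK_UTF8
    # A normalised URL is stable under decoding; a second decode that changes
    # it means an encoded '%' was hiding another escape (e.g. %255c -> %5c -> '\').
    if policy.verify_normalization and unquote(unquote(req.url)) != unquote(req.url):
        return BLOCK_NORMALIZATION
    for name, needles in policy.header_signatures.items():
        value = _header(req, name).lower()
        if any(n.lower() in value for n in needles):
            return BLOCK_HEADER_SIG
    if any(sig in req.body for sig in policy.body_signatures):
        return BLOCK_BODY_SIG
    return None


def check_response(resp: HttpResponse, policy: HttpFilterPolicy) -> Optional[str]:
    """Response-side checks: the MZ signature is tested on the bytes, so a
    wrong Content-Type or a renamed file does not help the download through."""
    if policy.block_executables and resp.body[:2] == b"MZ":
        return BLOCK_EXECUTABLE
    if any(sig in resp.body for sig in policy.response_signatures):
        return BLOCK_RESPONSE_SIG
    return None


def run_samples() -> Dict[str, Optional[str]]:
    """Constructed sample traffic and the verdict for each message."""
    policy = HttpFilterPolicy(
        header_signatures={"User-Agent": ["Kazaa", "Gnutella"]},
        body_signatures=[b"<script"],
    )
    return {
        "owa_get": check_request(HttpRequest("GET", "/exchange/inbox"), policy),
        "put": check_request(HttpRequest("PUT", "/upload/shell.asp"), policy),
        "long_url": check_request(HttpRequest("GET", "/search?q=" + "A" * 3000), policy),
        "double_encoded": check_request(
            HttpRequest("GET", "/scripts/..%255c../winnt/system32/cmd.exe"), policy),
        "overlong_utf8": check_request(
            HttpRequest("GET", "/scripts/..%C0%AF../winnt/system32/cmd.exe"), policy),
        "p2p_agent": check_request(HttpRequest("GET", "/", {"user-agent": "KazaaClient/2.0"}), policy),
        "script_post": check_request(
            HttpRequest("POST", "/guestbook", {}, b"name=<script>alert(1)</script>"), policy),
        "exe_download": check_response(
            HttpResponse(200, {"Content-Type": "text/plain"}, b"MZ\x90\x00\x03\x00\x00\x00"), policy),
        "html_page": check_response(HttpResponse(200, {}, b"<html><body>ok</body></html>"), policy),
    }


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name}: {verdict or 'allowed'}")
```

Order matters inside `check_request` as well: the cheap structural checks (method, length, encoding) run before signature matching, so a hostile request is rejected before the filter spends time scanning its body.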
Secure Exchange RPC filter. ISA Server 2004 publishes Exchange servers for Outlook MAPI clients through the RPC filter: the filter admits only the RPC interfaces that Exchange uses and tracks the dynamically assigned ports, so Outlook MAPI works across the firewall without opening the whole RPC port range. ISA Server 2000 had the same capability; ISA Server 2004 adds the option of requiring encrypted RPC.

FTP filter. ISA Server 2004 can make FTP read-only per rule: open the rule, Protocols tab, select FTP and set Read Only. Uploads by internal clients and to published FTP servers are then refused while downloads continue to work.

Link translation. Published Web servers (SharePoint sites in particular) return pages whose links contain internal names (NetBIOS names or private DNS names) that external clients cannot resolve. ISA Server 2004 link translation rewrites those names in the HTML returned to external clients to the public name of the published site. In ISA Server 2000 link translation required Feature Pack 1.
VPN quarantine

ISA Server 2004 supports Network Access Quarantine Control, a feature of Windows Server 2003 RRAS (Routing and Remote Access) that ISA Server 2000 could not use: a connecting VPN client is held in the Quarantined VPN Clients network until a script on the client confirms that it meets policy (for example current antivirus signatures, patches and a personal firewall), after which the client is moved to the VPN Clients network. ISA Server 2004 on Windows 2000 cannot use quarantine. VPN clients can be authenticated against RADIUS as well as Windows.

The three pieces of Windows Server 2003 quarantine are:

■ the Remote Access Quarantine Agent service (Rqs.exe) from the Windows Server 2003 Resource Kit, which listens on the VPN server for the client's notification;
■ a client connection package built with the Connection Manager Administration Kit (CMAK), containing a connectoid (Connection Manager profile) that runs the check script after the connection is made and then runs the quarantine client (Rqc.exe) to notify the server;
■ the script that checks the client configuration.

A client that fails the checks stays quarantined, with access only to the resources needed to fix it (a Web server with the required updates, for instance), and is disconnected when a timeout expires. VPN is covered in Chapter 9.
Features removed from ISA Server 2000

Some ISA Server 2000 features are absent from ISA Server 2004:

■ the Windows Media Technologies (WMT) streaming filter;
■ the H.323 gatekeeper;
■ bandwidth rules.

The WMT¹ filter in ISA Server 2000 could split a live media stream so that one stream from the Internet served many internal clients; Microsoft dropped it from ISA Server 2004 because it was little used and the streaming protocols still pass through ISA Server as ordinary protocol definitions.

The H.323 gatekeeper registered H.323 endpoints and routed Voice over IP (VoIP) calls through ISA Server 2000; it caused a memory leak in the ISA Server service that was fixed in ISA Server 2000 Service Pack 1. VoIP has since moved from H.323 to SIP (Session Initiation Protocol) and to proprietary protocols such as Cisco Skinny, so Microsoft removed the H.323 gatekeeper from ISA Server 2004.

¹ Windows Media Technologies is the collective name for Windows Media Player, Windows Media Services, Windows Media Tools and the Windows Media Audio SDK.
Bandwidth rules. ISA Server 2000 Bandwidth Rules did not cap bandwidth; they set relative priorities that relied on the Windows quality of service packet scheduling service, which most administrators found hard to understand and rarely used, so ISA Server 2004 drops them. Another ISA Server 2000 feature that Microsoft considered underused was removed at the same time; whether its absence matters depends on how the ISA Server 2000 deployment used it.
Summary

ISA Server 2004 is not ISA Server 2000 with a new coat of paint. The management console, the multi-network model, application layer filtering (ALF) and the VPN integration (firewall policy on VPN traffic, VPN quarantine, site-to-site IPSec tunnels) are all new, and Microsoft has re-targeted the product from a proxy with a firewall to a firewall with a proxy. Administrators who know ISA Server 2000 should expect to relearn the console and the policy model; those who dismissed ISA Server 2000 should evaluate ISA Server 2004 on its own merits.
Solutions fast track

The new GUI:

■ The console tree has an ISA Server (Name) node with Monitoring, Firewall Policy, Virtual Private Networks (VPN) and Configuration; Configuration contains Networks, Cache, Add-ins and General.
■ Getting Started guides the initial setup; the Dashboard summarises monitoring (including Logging); Firewall Policy holds the ordered rules; Virtual Private Networks configures remote-access and site-to-site VPN; Networks holds network objects and templates; Cache holds cache rules and drives; Add-ins holds the application filters (ALF) and Web filters; General holds the global settings.
■ ISA Server can be managed remotely with ISA Management on Windows Server 2003, Windows XP or Windows 2000, with Remote Desktop, or with a third-party Web front end; the management computer must be in the Remote Management Computers set.

New features:

■ Windows and RADIUS authentication.
■ OWA is published with the OWA Publishing Wizard.
■ Network objects: Networks, Network sets, Computers, Computer sets, Address ranges, Subnets, URL sets, Domain name sets and Web listeners.
■ The firewall policy is an ordered list evaluated top-down.
■ ISA Server 2000 Server Publishing Rules and Web publishing rules are replaced by the publishing wizards of ISA Server 2004.
■ VPN: site-to-site IPSec tunnels, firewall policy on VPN clients, NAT-T, Secure Exchange RPC publishing instead of VPN for Outlook.
■ Caching: Cache Rule Wizard, SSL caching, Web proxy chaining.
■ Monitoring: dashboard, alerts with e-mail notification, sessions, connectivity verifiers, reports, logging to file, SQL or MSDE.

Architecture:

■ Networks: Internal, External, VPN Clients and Local host; the LAT is gone.
■ ALF: the HTTP filter (signatures, methods, URL normalisation, executable blocking), the Secure Exchange RPC filter for Outlook MAPI, the read-only FTP filter and link translation.
■ VPN quarantine with Windows Server 2003.

Removed: the WMT streaming filter, the H.323 gatekeeper (VoIP) and bandwidth rules.
Frequently asked questions

Questions about this chapter can be sent to the authors through the «Ask the Author» form at www.syngress.com/solutions; answers are also posted at ITFAQnet.com.

Q: What is ISA Server 2004, in one sentence?
A: Microsoft's firewall, VPN server and Web cache, rewritten from ISA Server 2000 rather than patched.

Q: Is ISA Server a «real» firewall?
A: Yes. It filters at the packet level and, through its application filters, at the application level: the HTTP filter inspects Web traffic, including methods, headers and URLs, which a packet filter cannot see.

Q: What is the most important difference from ISA Server 2000?
A: The multi-network model and the ordered firewall policy built on network objects replace the LAT-based model; Web publishing and VPN have also changed considerably.

Q: Does ISA Server 2004 require Active Directory?
A: No. It installs on a stand-alone server or a domain member; Active Directory is needed only when rules refer to Windows users and groups, and ISA Server 2004 Enterprise Edition no longer stores array configuration in Active Directory as ISA Server 2000 did.

Q: Can streaming media pass through ISA Server 2004 now that the WMT filter is gone?
A: Yes. Windows Media, RealAudio and Apple QuickTime pass through protocol definitions; only the stream-splitting filter of ISA Server 2000 was removed.

Q: My ISA Server 2000 rules are based on IP addresses; do they carry over?
A: ISA Server 2000 destination sets and client address sets correspond to ISA Server 2004 computer sets, address ranges and subnets, but the ordered policy means migrated rules must be reviewed for order.

Q: How does ISA Server 2004 work with Microsoft Exchange?
A: It publishes OWA with SSL-to-SSL bridging, Outlook MAPI clients with Secure Exchange RPC publishing (and RPC over HTTPS for Outlook 2003), and POP3/IMAP4/SMTP with server publishing; OWA forms-based authentication runs on ISA Server 2004 itself.

Q: Which VPN protocols does ISA Server 2004 support?
A: PPTP (TCP plus GRE, which ISA Server 2000 could only pass as a VPN server), L2TP/IPSec including NAT-T, and IPSec tunnel mode for site-to-site VPNs; NAT-T requires Windows Server 2003.

Q: Is the LAT still used?
A: No. ISA Server 2004 replaces the LAT of ISA Server 2000 with network objects; the Internal network is defined at installation and each network's relationship to the others (route or NAT) is configured explicitly.

Q: Can ISA Server 2004 have several internal or perimeter networks?
A: Yes; ISA Server 2000 knew only «internal» (the LAT) and «external», while ISA Server 2004 supports any number of networks, each with its own rules.

Q: Can ISA Server 2004 build site-to-site VPNs with non-Microsoft gateways?
A: Yes, with IPSec tunnel mode; for Windows-to-Windows links L2TP/IPSec (with NAT-T where a NAT device is in the path) remains the preferred «site-to-site» protocol.

Q: Can rules be based on IP addresses as well as users?
A: Yes; computers, address ranges, subnets and networks can be the sources and destinations of a rule, with or without user authentication.

Q: How do I monitor ISA Server 2004 performance?
A: With the ISA Server 2004 counters in the Windows Performance console, the Dashboard and alerts, and the reports.

Q: Which reports does ISA Server 2004 produce?
A: Summary, Web Usage, Application Usage, Traffic and Utilization, and Security reports, created with the New Report Wizard and scheduled with the New Report Job Wizard.
Chapter 3

ISA Server 2004 against the competition: how ISA Server 2004 stacks up

Chapter 1 asked what a firewall is and what it should do; this chapter asks how ISA Server 2004 compares with the firewalls it competes against, Checkpoint and Cisco PIX among them, and how to decide. The decision depends on the size of the network, the existing equipment and skills, and what the firewall must do besides packet filtering.

Two scenarios frame the comparison:

■ a small office choosing between a hardware appliance and ISA Server 2004;
■ an enterprise that already runs a Checkpoint or Cisco firewall and is considering ISA Server 2004 alongside or instead of it.

A typical objection from the first group: «We have a SonicWall appliance for 500 users; why would we move to ISA Server 2004?»

■ Appliance vendors such as SonicWall (and NetScreen and WatchGuard) license by node count; the SOHO (Small Office/Home Office) models are cheap because they are limited.
■ A SOHO appliance typically licenses 10–25 nodes, a handful of VPN tunnels (5 or so) and modest throughput, and its licence and hardware cannot be upgraded in place past the vendor's tiers (50, 500, 5 000, 10 000, 20 000 or 30 000 nodes, depending on vendor).
■ The SonicWall SOHO 3, for example, is a small fixed-configuration box; a 500-node appliance licence already costs as much as the server and licence for ISA Server 2004.
■ The question to ask is not «hardware or software?» but what the 500 users need: VPN, Web caching, publishing of internal servers and application-level inspection push the answer towards ISA Server.
A common view in large organisations is that ISA Server is a «software firewall» while Cisco PIX and Check Point are «real» firewalls. Points to weigh:

■ cost, including VPN client licensing and total cost of ownership (Total Cost of Ownership, TCO);
■ integration with the existing network (Windows, Web servers, VPN clients);
■ certification: ICSA Labs (International Computer Security Association) and Checkmark certification, and formal evaluation criteria;
■ vendor stability (NetScreen, for instance, has been absorbed by Juniper Networks).

The products compared with ISA Server 2004 in this chapter:

■ Checkpoint (including on Nokia appliances);
■ Cisco PIX;
■ NetScreen (Juniper Networks);
■ SonicWall;
■ Watchguard;
■ Symantec Enterprise Firewall (Symantec);
■ Blue Coat Systems ProxySG;
■ open-source firewalls (IPchains, Juniper FWTK, IPCop).

These fall into categories: packet-filtering appliances, application-layer firewalls, and proxy/cache products with firewall functions; ISA Server 2004 belongs to the last two. The criteria used below are:

■ hardware platform and performance;
■ licensing and cost (TCO);
■ features;
■ manageability;
■ VPN;
■ certification.
The «hardware firewall» label is largely marketing. Checkpoint is software that runs on general-purpose servers or on appliances such as Nokia's; Cisco PIX runs a proprietary operating system on a dedicated box; Blue Coat, like ISA Server 2004, is a Web proxy and cache at heart with firewall functions added. ISA Server runs on a server that can be dedicated to it and locked down, which is what an appliance is.

Functions vendors bundle with or sell for their firewalls:

■ Web caching and proxy;
■ IDS/IDP (Intrusion-Detection System/Intrusion Detection & Prevention System);
■ antivirus and content screening;
■ content (URL) filtering;
■ strong authentication and PKI (Public Key Infrastructure) integration.
Hardware: «ASIC» (Application Specific Integrated Circuit) firewalls perform packet filtering in custom silicon, which is fast but cannot be updated for new application-layer attacks; the PIX is not ASIC-based, and ISA Server relies on general-purpose CPUs, where application filters are changed in software. Throughput figures for ASIC appliances refer to packet filtering, not to application inspection or VPN.

Licensing. Cisco PIX licences come in Restricted (R), Unrestricted (UR) and Failover (FO) modes, with upgrades sold as «R to UR», «FO to R» and «FO to UR»; failover pairs exchange a heartbeat (ping) over a dedicated link and each unit needs its own IP addresses. Check Point FireWall-1 (FW-1) is licensed by the number of protected IP addresses, so a growing network means a new licence. Symantec, like Check Point, licenses by protected node or by server; ISA Server 2004 is licensed per processor with no per-user or per-node count.

VPN throughput of appliances is limited (figures in the 15–35 range are quoted for 3DES), so a separate VPN concentrator is often added.

Management: Check Point FW-1 4.1 used a Motif GUI on UNIX, since replaced; FW-1 can authenticate users against LDAP (Lightweight Directory Access Protocol) directories. Cisco and Check Point together hold about 50% of the firewall market. Symantec's marketing classes («enterprise», «gateway») are not standard terms and should be checked against the data sheets.

Hardware lifetime: the older Cisco PIX models (PIX Classic, PIX 10000 and PIX 510) are not supported by PIX software 6.0 and later, so a hardware purchase also fixes the software versions available to it.
Upgrading older PIX units was itself a project: PIX 5.0 on early hardware loaded its image from a boothelper diskette over TFTP, and the upgrade path could be expensive.

Total cost of ownership (TCO) covers more than the purchase price:

■ hardware, software and per-node licences;
■ support contracts and software updates;
■ training and the administrator's time;
■ add-on licences (VPN clients, content filtering, Web caching).

Evaluation criteria for a firewall:

■ hardware platform: appliance (with or without ASIC) versus general-purpose server, and whether the hardware can be upgraded;
■ network interfaces: 10/100 Ethernet, higher-speed Ethernet and other media, and how many interfaces are supported;
■ performance and throughput, separately for packet filtering, application inspection and VPN;
■ scalability and failover;
■ features (see below);
■ manageability.
Features to ask about:

■ Windows integration: does the firewall understand RPC, which Windows, Active Directory, Exchange and SharePoint depend on, and can it use Active Directory for authentication?
■ Management: command-line interface (CLI, Command Line Interface) versus GUI or Web interface; remote management; delegated administration; logging and reporting.
■ Application layer filtering (Application Layer Filtering, ALF): which protocols does it understand? DNS, HTTP (URL and header inspection), SMTP (command and recipient filtering), RPC, and does it support «SSL bridging» (Microsoft's term) or «SSL termination and initiation» so that SSL traffic is decrypted, inspected and re-encrypted?
■ Authentication and protocol support: HTTPS, IPSec, ISAKMP (Internet Security Association and Key Management Protocol)/IKE (Internet Key Exchange), LDAP, RADIUS, SecurID, TACACS (Terminal Access Controller Access Control System)/TACACS+, CVP (Content Vectoring Protocol) for content screening, SMTP, instant messaging (IM), NNTP, PCAnywhere, DCOM (Distributed Component Object Model), Citrix ICA (Independent Computing Architecture), Sun NFS (Network File System), Lotus Notes, SQL (Structured Query Language), routing protocols (EGP — Exterior Gateway Protocol, IGRP — Interior Gateway Routing Protocol, GRP — Gateway Routing Protocol, OSPF — Open Shortest Path First, RIP — Routing Information Protocol), TCP/UDP services (Bootp, Finger, Echo, FTP, NetBEUI, NetBIOS over IP, SMB — Server Message Block, RAS), RPC and ICMP.
■ Intrusion detection (IDS/IDP): built-in or integrated with an external IDS? Built-in IDS usually recognises a fixed set of attacks (WinNuke, Ping of Death, Teardrop and similar); a dedicated IDS recognises far more but costs more and needs tuning, and an IDS/IDP can block as well as alert.
VPN questions:

■ Which VPN types: remote access (client-to-gateway) and site-to-site (gateway-to-gateway)?
■ Which protocols: PPTP, L2TP/IPSec, IPSec tunnel mode, SSL VPN? Is NAT-T (NAT-Traversal) supported?
■ Which client: the VPN client built into Windows or a proprietary client with its own licence?
■ Which authentication: passwords, certificates, tokens (ActivCard, Authenex, SecurID)?
■ Which encryption: DES, 3DES, AES?
■ Remote policy enforcement (quarantine) for VPN clients?

Microsoft's PPTP and L2TP/IPSec clients are built into Windows, so no third-party client licences are needed; SSL VPNs work through a Web browser but give access to Web applications rather than to the whole network. AES is stronger and faster than 3DES. NAT-T is an IETF specification that lets IPSec VPN traffic pass through NAT (Network Address Translation) devices, which otherwise break IPSec because NAT rewrites addresses and ports that IPSec protects.
Web caching: a caching firewall reduces Internet bandwidth (ISA Server typically saves 35–50%) and serves Web content to internal clients faster. Ask whether caching is forward (for internal clients), reverse (for published servers) or both, and whether content can be downloaded into the cache on a schedule.

Certification: ICSA Labs (a division of TruSecure Corporation) certifies firewalls against the ICSA Modular Firewall Product Certification Criteria version 4 (http://www.icsalabs.com/html/communities/firewalls/certification/criteria/criteria_4.0.shtml), testing the product as a «black box». NSS Network Testing Laboratories award the Checkmark certification (http://www.nss.co.uk/Certification/Certification.htm). Government schemes include ITSEC (Information Technology Security Evaluation Criteria), the older TCSEC, and the Common Criteria for Security Evaluation, now an ISO standard. ISA Server 2000 on Windows 2000 Server received ICSA certification in 2001 (http://www.icsalabs.com/html/communities/firewalls/certification/rxvendors/microsoftisas2000/labreport_cid303.shtml); ISA Server 2004 has also been submitted to ICSA Labs.
ISA Server 2004 is compared below with:

■ Checkpoint;
■ Cisco PIX;
■ NetScreen;
■ SonicWall;
■ WatchGuard;
■ Symantec Enterprise Firewall;
■ BlueCoat SG.

Microsoft positions ISA Server 2004 as an application layer firewall, VPN and Web cache in one product and as part of Microsoft Windows Server System™, which is both its strength (integration) and the reason competitors call it a «Windows firewall».

Strengths claimed for ISA Server 2004:

■ secure publishing of IIS, Exchange and SharePoint servers with application-level inspection;
■ inspection of Web traffic, including SSL after bridging;
■ integrated remote-access and site-to-site VPN with VPN quarantine;
■ integration with Windows and Active Directory for user-based policy and VPN authentication;
■ Web caching.

Typical deployments therefore include:

■ publishing Exchange (OWA, RPC over HTTP, Outlook MAPI);
■ perimeter or branch-office firewall with application filtering;
■ VPN server;
■ Web proxy and cache.
System requirements

ISA Server 2004 runs on Windows 2000 Server (with SP4) or Windows Server 2003 with a current Internet Explorer. Microsoft's minimum hardware is:

■ a 300 MHz or faster processor;
■ 256 MB of RAM;
■ 150 MB of free disk space on an NTFS (New Technology File System) partition, plus space for the Web cache and the logs;
■ at least two network adapters for a firewall (one suffices for a Web proxy/cache only).

A busy firewall needs more: figures of 800 MHz and 1 GB of RAM are quoted as practical minimums, and the cache should have its own disk. Keep the operating system patched through Windows Update, but test updates before applying them to the ISA Server 2004 computer. For availability use RAID (Redundant Array of Independent Disks) and back up the ISA Server 2004 configuration. ISA Server 2004 Standard Edition on Windows Server 2003 is a single server; the Enterprise Edition adds arrays and load balancing. Third-party products extend ISA Server 2004 through the ISA Server 2004 Software Development Kit (SDK).
Third-party add-ons for ISA Server 2004 include content filtering, antivirus, reporting and strong authentication (RSA SecurID among others); see www.isaserver.org and the article «Improving on ISA Server: Software Add-ons» (Windows & .NET Magazine, 2004).

Network load balancing: ISA Server 2004 Enterprise Edition integrates with Windows Server 2003 Network Load Balancing (NLB); Standard Edition can sit on Windows NLB but does not manage it.

Integration with Microsoft products (Active Directory, Exchange and others):

■ Active Directory. ISA Server 2004 does not require Active Directory. As a domain member it uses Windows authentication for rules based on users and groups and filters the TCP and UDP ports Active Directory needs. Alternatively it authenticates through RADIUS: Windows 2000 and Windows Server 2003 include IAS (Internet Authentication Service), Microsoft's RADIUS server, which checks credentials against Active Directory, so a workgroup ISA Server 2004 can still authenticate VPN and Web proxy users against Active Directory without joining the domain. Unlike ISA Server 2000 Enterprise Edition, whose arrays stored their configuration in Active Directory, ISA Server 2004 Enterprise Edition arrays do not depend on it.
■ Exchange. ISA Server 2004 publishes Exchange in several ways:
  — SSL-to-SSL bridging for OWA: the client's SSL connection terminates on ISA Server 2004, which inspects the decrypted HTTP with the HTTP filter and opens a new SSL connection to Exchange; the same bridging covers RPC over HTTPS (Outlook 2003 with Exchange Server 2003), which tunnels Outlook's RPC inside HTTPS and is inspected after SSL termination (Chapter 5);
  — Secure Exchange RPC publishing for Outlook 2000/2002/2003 MAPI clients: the RPC filter admits only the RPC interfaces Exchange uses, so full MAPI access works through the firewall without a VPN; most firewalls, Checkpoint Firewall-1 included, cannot publish Microsoft RPC safely;
  — OWA publishing for Exchange 5.5, Exchange 2000 and Exchange 2003, with forms-based authentication and cookie handling on ISA Server 2004 itself, so that no request reaches Exchange before the user is authenticated;
  — SMTP publishing with the SMTP filter, which screens SMTP commands and, with the SMTP Message Screener, senders, recipients, keywords and attachments.
■ Web proxy clients. ISA Server 2004 serves Web proxy, Firewall and SecureNAT clients. Web proxy settings are delivered by WPAD (Web Proxy Autodiscovery Protocol) entries in DNS or DHCP, by Windows Group Policy, by the IEAK or by logon scripts; SecureNAT clients need only a default gateway that leads to ISA Server 2004, usually assigned by DHCP.
■ Windows Server 2003 services (NLB, RRAS, IAS, quarantine) and the ISA Server 2004 SDK for extensions, with which many of the third-party products above are built.
Management features of ISA Server 2004:

■ Help: the ISA Server 2004 Help covers concepts and step-by-step procedures.
■ Wizards for access rules, publishing, VPN and caching, which ISA Server 2000 lacked or split across the console, and network templates for the common layouts.
■ SDK with ISAPI (Internet Server API) style interfaces for Web filters and application filters.
■ Remote management from Windows 2000, Windows XP and Windows Server 2003 with ISA Management, or over RDP to Windows Server 2003; ISA Server 2000 was managed in much the same way, with a less capable console.
■ Dashboard: a single view of Connectivity, Report status, Alerts, overall System Performance, Service status and active Sessions.
■ Alerts: definable events viewed in the console, with an Acknowledged state, rather than only in the Event Viewer, each with configurable actions.
■ Sessions: a live list of sessions that can be filtered.
■ Connectivity Monitors (verifiers) that keep tabs on Active Directory, DHCP, DNS, Published Servers, Web (Internet) and Others.
■ Reporting on Web usage, application usage, traffic and security.
■ Logging to file, to MSDE or to SQL Server, with a log viewer in the console that filters and follows the log in real time, so that a rule can be checked against live traffic while it is being written.
Application layer filtering in ISA Server 2004. The HTTP filter can block, per rule:

■ HTTP methods;
■ Java and ActiveX content;
■ executables;
■ content by MIME type;
■ URLs and URL patterns, with length limits and normalisation checks;
■ HTTP signatures in request or response headers and bodies;
■ specific headers.

Application filters shipped with ISA Server 2004:

■ DNS;
■ FTP;
■ H.323;
■ MMS (Microsoft Media Streaming);
■ PNM (Real Networks Streaming);
■ POP intrusion detection;
■ RPC and Exchange RPC;
■ RTSP (Real Time Streaming Protocol);
■ SMTP;
■ SOCKS V4;
■ Web proxy (hosting the Web filters);
■ SecurID and RADIUS authentication;
■ OWA forms-based authentication.

Secure Exchange RPC: ISA Server 2004 (like ISA Server 2000, and unlike Checkpoint NG) publishes Exchange for Outlook 2000, Outlook 2002 and Outlook 2003 MAPI clients and can require encrypted RPC. URL filtering: the HTTP filter blocks URLs by pattern and normalises them first. OWA: ISA Server 2004 performs forms-based authentication for OWA on the firewall itself, so credentials are checked before any request reaches Exchange, and works with OWA on Exchange 5.5, Exchange 2000 and Exchange 2003.

Complex protocols such as MMS, H.323, PNM and FTP, which open secondary connections, pass through NAT because the filters track them. The Firewall client software is deployed with SMS or Active Directory Group Policy Software Distribution. The ISA Server 2004 Software Development Kit (SDK) supports application filters in C++ and other extensions.

VPN: ISA Server 2004 VPN clients are subject to the firewall policy, unlike ISA Server 2000 clients.

Intrusion detection: ISA Server 2004 includes IDS signatures licensed from ISS (Internet Security Systems) for:

■ Windows out-of-band (WinNuke);
■ Land;
■ Ping of Death;
■ IP half scan;
■ UDP bomb;
■ port scan;
■ DNS host name overflow;
■ DNS length overflow;
■ DNS zone transfer;
■ POP buffer overflow;
■ SMTP attacks.

A detection raises an alert whose actions can log, send e-mail, run a program or stop a service. This is not a substitute for a dedicated IDS such as ISS RealSecure; it catches the well-known attacks against the firewall itself.
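Several of the signatures listed above are simple enough to write down, and doing so shows what each one actually looks for on the wire. The block below is added here and is not code from the book or from ISA Server's detection filter; the packet record, the thresholds (10 ports in 2 seconds for a scan) and the sample traffic are constructed for this example, and the real filter works on live packets rather than records.

```python
"""Added example (not code from the book or from ISA Server): detection logic
for five of the intrusion-detection signatures the chapter lists (Land, Ping
of Death, Windows out-of-band, port scan, DNS zone transfer). Packet records,
thresholds and sample traffic are constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

MAX_IP_PAYLOAD = 65535 - 20  # largest payload a legal IP datagram can carry
DNS_QTYPE_AXFR = 252


@dataclass
class Packet:
    ts: float
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: FrozenSet[str] = frozenset()
    ip_id: int = 0
    frag_offset: int = 0            # in 8-byte units, as in the IP header
    payload_len: int = 0            # transport payload bytes in this fragment
    payload: bytes = b""


def dns_qtype(message: bytes) -> int:
    """QTYPE of the first question in a DNS message (0 if malformed)."""
    try:
        pos = 12                                  # skip the fixed header
        while message[pos] != 0:                  # walk the QNAME labels
            pos += 1 + message[pos]
        pos += 1
        return int.from_bytes(message[pos:pos + 2], "big")
    except IndexError:
        return 0


class IntrusionDetector:
    def __init__(self, scan_ports: int = 10, scan_window: float = 2.0):
        self.scan_ports = scan_ports
        self.scan_window = scan_window
        self._syns: Dict[str, List[Tuple[float, int]]] = defaultdict(list)
        self._scan_reported: set = set()
        self._frag_end: Dict[Tuple[str, str, int], int] = defaultdict(int)

    def inspect(self, pkt: Packet) -> List[str]:
        alerts: List[str] = []
        # Land: spoofed packet whose source equals its destination (address and port)
        if pkt.proto == "tcp" and pkt.src == pkt.dst and pkt.sport == pkt.dport:
            alerts.append("land")
        # Windows out-of-band (WinNuke): urgent data to the NetBIOS session port
        if pkt.proto == "tcp" and pkt.dport == 139 and "URG" in pkt.flags:
            alerts.append("windows_oob")
        # Ping of Death: ICMP fragments that reassemble past the IP maximum
        if pkt.proto == "icmp":
            key = (pkt.src, pkt.dst, pkt.ip_id)
            end = pkt.frag_offset * 8 + pkt.payload_len
            self._frag_end[key] = max(self._frag_end[key], end)
            if self._frag_end[key] > MAX_IP_PAYLOAD:
                alerts.append("ping_of_death")
        # Port scan: many distinct destination ports from one source in a short window
        if pkt.proto == "tcp" and pkt.flags == frozenset({"SYN"}):
            recent = [(t, p) for t, p in self._syns[pkt.src] if pkt.ts - t <= self.scan_window]
            recent.append((pkt.ts, pkt.dport))
            self._syns[pkt.src] = recent
            distinct = {p for _, p in recent}
            if len(distinct) >= self.scan_ports and pkt.src not in self._scan_reported:
                self._scan_reported.add(pkt.src)   # report each scanner once
                alerts.append("port_scan")
        # DNS zone transfer: AXFR question on TCP/53 (skip the 2-byte TCP length prefix)
        if pkt.proto == "tcp" and pkt.dport == 53 and len(pkt.payload) > 2:
            if dns_qtype(pkt.payload[2:]) == DNS_QTYPE_AXFR:
                alerts.append("dns_zone_transfer")
        return alerts


def build_sample_traffic() -> List[Packet]:
    """Constructed sample: benign traffic plus one instance of each attack."""
    axfr = (b"\x12\x34\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00"   # header, 1 question
            + b"\x07example\x04test\x00" + b"\x00\xfc\x00\x01")      # example.test AXFR IN
    pkts = [
        Packet(0.0, "10.0.0.9", "203.0.113.5", "tcp", 80, 80, frozenset({"SYN"})),
        Packet(0.1, "203.0.113.5", "203.0.113.5", "tcp", 139, 139, frozenset({"SYN"})),
        Packet(0.2, "198.51.100.7", "203.0.113.5", "tcp", 4000, 139, frozenset({"PSH", "URG"})),
        Packet(0.3, "198.51.100.7", "203.0.113.5", "icmp", ip_id=77, frag_offset=8190, payload_len=400),
        Packet(0.4, "198.51.100.7", "203.0.113.5", "tcp", 4001, 53, frozenset({"PSH", "ACK"}),
               payload=len(axfr).to_bytes(2, "big") + axfr),
    ]
    pkts += [Packet(1.0 + i * 0.01, "198.51.100.8", "203.0.113.5", "tcp", 5000 + i, 1 + i,
                    frozenset({"SYN"})) for i in range(12)]
    return pkts


def run_sample() -> Dict[str, int]:
    """Count of each alert raised over the sample traffic."""
    det = IntrusionDetector()
    counts: Dict[str, int] = defaultdict(int)
    for pkt in build_sample_traffic():
        for alert in det.inspect(pkt):
            counts[alert] += 1
    return dict(counts)


if __name__ == "__main__":
    for name, n in sorted(run_sample().items()):
        print(f"{name}: {n}")
```

The Land packet in the sample is also a SYN to port 139 without the URG flag, so it trips the Land check but not the out-of-band one; each signature matches on the specific combination of fields that defines the attack, which is why signature-based detection misses variants.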
VPN in ISA Server 2004 supports:

■ Point-to-Point Tunneling Protocol (PPTP);
■ Layer 2 Tunneling Protocol/IPSec (L2TP/IPSec);
■ IPSec tunnel mode, for «site-to-site» VPNs with third-party gateways.

IPSec tunnel mode is for site-to-site use only; for Windows-to-Windows site-to-site links Microsoft recommends L2TP/IPSec, which ISA Server 2000 on Windows 2000/2003 RRAS already supported together with PPTP. Remote-access clients authenticate with user name and password, EAP/TLS certificates, SecurID or RADIUS, against Active Directory or the local Windows accounts, and Windows remote-access policies decide who may connect and how. VPN connections in ISA Server 2004 are subject to the firewall policy, and clients can be quarantined. Client packages are built with the Connection Manager Administration Kit from Microsoft, included in Windows Server 2003 (and available for Windows 2000), so that users get a preconfigured connection rather than instructions. NAT-Traversal (NAT-T) is an IETF RFC mechanism that lets IPSec VPN traffic pass through NAT (Network Address Translation) devices; ISA Server 2004 supports it on Windows Server 2003.

Capacity: the number of concurrent VPN connections is set by the Windows edition, not by ISA Server 2004. Windows 2000 Server and Windows Server 2003 Standard Edition allow 1 000 PPTP and 1 000 L2TP connections; Windows Server 2003 Enterprise Edition and Datacenter Edition allow about 16 000 PPTP and 30 000 L2TP connections. ISA Server 2004 Enterprise Edition can spread VPN connections across an array.
Web caching in ISA Server 2004. ISA Server 2004 caches Web content both for internal clients (forward caching) and for published Web servers (reverse caching), which reduces Internet bandwidth and speeds up responses; cache rules decide what is cached and for how long, and cache drives are configured per server. Scheduled content download jobs fetch Web content into the cache ahead of demand, so that clients can be served even when the Internet link is down (offline). Web proxy chaining lets a branch-office ISA Server 2004 forward requests to an upstream ISA Server, which serves them from its own cache where possible.
ISA Server 2004 Check Point Web-
Check Point, «100 businesses»
ISA . International Data Corp. 17 2003 ., TechTarget (h ttp://searchsecurity.tech target.com /originalContent/0,289142,sidl4_gci941717, 00.html), Checkpoint / : 48%. Fortune. Server
97 100 Cisco PIX, Check Point
, (defensein-depth), . Fortune,
, 97% 500 Check Point, , Check Point.
,
Nokia ( Check Point FW-1/VPN-1 Cisco NetScreen. Point Point,
IPSO) Check Check
Nokia. , ,
VPN ISA Server 2004.
Web-
,
Check Point: Check Point NG (Next Generation,
) Firewall-1 VPN-1. Check Point NG, FW-1 Pro, VPN-1 Pro, SmartCenter/SmartCenter Pro, Check Point Express, Smart View Monitor/ Reporter, SmartUpdate, ClusterXL VPNSecuRemote SecureClient. https://www.checkpoint.com/GetSecure/MediaEngine?action=MP_OrderStart. FW-1/VPN-1 /
VPN, ( .
.
.)
-
Nokia, IPSO.
Nokia Point ID
)
Check Check Point ( .
-
174
3
IPSO NG.
,
-
Check Point Fire Wall-1 Check Point VPN-1 IP(25, 50, 100, 250, ). VPN-1 (VPN-1 SecureClient) . , Check Point ( Check Point FW-1/VPN-1).
Nokia, , -
( Hardware Central), FW-1 ,
.
SmartCenter 100 IP, Web-
5 150
5 516
.
Check Point
■ 24 100 ■ 4 995 ■ 399
' (
500 (100-500
); );
1
.
FW-1
VPN-1
,
,
FW-1. VPN-1 Windows
SecuRemote VPN-1 SecureClient
. Macintosh (
25 IP-
) 1 000 IP-
40 000 URL-
)
2 300 . UFP (URL Filtering Protocol, , .
CVP
UFP-
URL,
-
. CVP.
Check Point: Check Point FireWall-1 : VPN-1 Edge
VPN (
/
).
ISA Server 2004
■ ■ ■ ■ ■ ■
Windows NT/2000; Sun Solaris; Linux (RedHat); Check Point SecurePlatform; Nokia IPSO ( IBM AIX.
UNIX); Windows Check Point FW-1 NG , 300
40 128
. . 32
40
GUI.
Check Point FW-1/VPN-1 ,
.
,
-
FW-1. . Solaris 2.7 9 Server 2003.
FW-1; Windows
FW-1, Check Point
ISA Server 2004?
Check Point,
ISA Server 2004 — . UNIX.
Point, ISA Server 2004
Check
. ISA Server 2004
Windows ,
: (Network Load Balancing, NLB); ;
■ ■ VPN■ Active Directory; ■ Windows DHCP, DNS WINS; ■
RADIUS.
Windows Server 2003
.
Server
Windows 2000
Check Point:
«
«NG with Application Intelligence» (NG ) Check Point . Check Point »,
-
, «Application Intelligence».
FireWall-1 SmartDefense Check Point (
4.0). URL Filtering Protocol Server for FW-1 (SurfControl). Web, . CVP (Content Vectoring Protocol,
FW-1
). -
Websense FW-1. ISA Server 2004
. ,
, .
-
FW-1, ISA Server 2004
Websense, SurfControl ,
.
ISA Server 2004 , , , Web-
HTTP. SMTPSMTP, SMTP, . RPCISA Server RPC, Exchange . DNSDNS, . ISA Server SDK .
Check Point:
VPN
Check Point : ■ VPN-1 Edge: ■ VPN-1 Express:
/
;
500
;
■ VPN-1 Pro: ■ VSX:
( ,
FW-1); ,
. , VPN(
« SmartDefense, ),
- -
»
.509.
, URL-
ISA Server 2004
VPN-1 Express, VPN-1 Pro VSX. ■ (one-click VPNs); ■ ■ AES, ■ VPN QoS ■ VPN■ VPNVPN-
VPN VPN-
:
IPSecSecuRemote 56— 168SSL
; 128—256 (FloodGate-1); Web-
; ;
Microsoft L2TP.
Check Point SecureClient ( ) VPNISA Server ( Check Point «client configuration verification»
,
),
, .
ISA Server 2004 VPN-
«
,
VPN-
- -
. VPN,
;
,
,
, IP-
,
.
■ ISA Server
.509
:
IPSecPKI. VPNVPNVPN
, ■ VPN ISA Server
/
ISA Server
,
. , .
VPN, ■ ISA Server
.
.
■ ISA Server 2004 ■ ISA Server 2004
IETF RFC L2TP IPSec Nat Traversal (NAT-T) VPN Server 2003. 3DES. VPN QoS, QoS , QoS,
. ■ ISA Server
», -
SSL-
.
■ ISA Server 2004 ■ ISA Server
Microsoft PPTP VPN-
L2TP.
Windows Server 2003 .
L2TP
Windows PPTP
Check Point: WebWebCheck Point;
, .
ISA Server 2004
Web-
.
ISA Server 2004 , WebISA Server 2004 , , ISA Server 2004. Web, ISA Server 2004, WebWeb, 2004
, .
,
,
ISA Server 2004. ISA Server . , .
, ,
ISA Server 2004 ,
, . ISA Server 2004 ISA Server 2004 Web(
,
,
WebWeb).
ISA Server 2004 Cisco PIX Cisco
PIX
, -
. , ,
PIX 501,
,
-
,
PIX 535,
, . Check Point
(
, ,
Nokia). , , International Data Corp., CNET News (http://news.com.com/2100-7355-5079045.html),
-
ISA Server 2004
2003 .
Cisco.
-
34,3%PIX (DMZ). (
-
),
. PIX. ,
, ,
VPN ISA Server 2004.
,
Web-
Cisco PIX: PIX VPN-
. ,
Cisco ( )
.
30
50
,
, .
PIX
-
Common Criteria EAL4. PIX
500
. PIX:
■ PIX 501 .
10 VPN-
/
/ (
3DES).
10BaseT
-
10/100. ■ PIX 5
/ 20
VPN3DES). ■ PIX 515E
. /
/ ( autosense 10BaseT. /
. 188
2 000 IPSec-
/ ,
.
10/100. ■ PIX 525
. / , 70 / ( 2 000 IPSec. . Gigabit Ethernet.
3DES), 280 000 10/100
■ PIX 535
. 1
VPN3DES),
95 2 000 IPSec-
/
/ (
. . Gigabit Ethernet.
10/100 500
500 000
PIX 501
(795
10
20 000
) PIX,
PIX 535. : ■ ■ ■ ■ ■
PIX 501 PIX 50 515 PIX 525 PIX 535
495-795 959 2 495-2 695 10 920-14 759 20 000-24 000
; ; ; ; .
PIX.
,
,
, .
,
,
. 31
-
. . 3.1.
PIX
RAM -
501
506
515E
525
535
133 16 8 10
300 32 8 20
433 32 , 64 16 188 /
600 256 16 360
1 1 16 1
130 000 2
280 000 6
/
7 500 1
/
25 000 +1
-
/
/
500 000 8
ISA Server
-
. , ,
. 1,59
ISA Server / .
, -
ISA Server 2004
; ISA Server .
,
Cisco PIX: Cisco PIX OS. , .
Cisco IOS,
-
Cisco, . ,
OS,
-
. PIX,
. 3-1.
ISA Server 2004, , Windows Server 2003
Intel, 2000 Server .
,
ISA Server .
,
Windows Server 2003 (profile), Security Configuration Wizard. ,
Windows ,
Server 2003 SP2
-
Microsoft
ISA Server 2004. : http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/securityhardeningguide.mspx.
Cisco PIX: PIX )
,
ASA (Adaptive Security Algorithm, IP-
,
)
( , NAT
. ,
URL-
FTP, H.323. PIX
-
, — WebSense N2H2. WebWebSense
. PIX
URL-
NetPartner
. N2H2
-
WebSense
N2H2, ,
.
ActiveX
Java-
-
.
Cisco
«fixup protocols» (
-
). .
FTP, HTTP, H.323, ils, rsh, rtsp, SMTP, SIP, Skinny , PIX, -
SQL. «
»
. ISA Server 2004, .
, , . ISA Server 2004
-
WebSense .
ISA Server 2004 ISA Server ,
HTTPSMTP-
. SMTP-
, SMTP
,
-
. RPC-
ISA Server
,
RPC,
Exchange
.
DNS-
, DNS-
,
-
. SDK ISA Server
Cisco PIX:
OS X), Cisco 256-
Web-
.
VPN Cisco PIX VPNCisco 800 1700)
VPN. Windows, Linux, Solaris Mac (PIX 501 5 6 , L2TP Microsoft. : 56DES, 1 83DES
Cisco ( VPN-
AES. PIX 3DES/AES
56-
DES
Web-
Cisco.
VPNVPN-
( )
VPN-
ISA Server 2004 Cisco Secure v.3.x.
ISA Server 2004
.
VPN-
.
VPN, , . ISA Server 2004, VPN. , , VPNVPNL2TP/IPSec, Windows XP, Windows NT, 2000 Server 2003. Server VPN, ( , / ), .
, ISA Server . ISA Server Windows 9x/ME, VPNISA , ,
VPN ISA Server
VPN,
,
-
.
Cisco PIX: WebCheck Point, /VPN Cisco. Cisco Content Engine ( ware),
Engines
Web-
).
Cisco ACNS (Application and Content Networking Soft, / Cisco Content Engine, 2 500 18 000 . . Content , Cisco IOS. Cisco Content Engine , (HTTP, FTP, SSL) . ACNS Web-
Flow (
), Web. BlueCoat), NetApp
2004
ISA Server 2004 . ,
WCCP (Web Cache Communication Protocol, Cisco WCCP CacheSquid. Web-
ISA Server
Web-
.
2004
ISA Server ISA Server 2004. Web-
, ,
, ISA Server 2004, Web-
, ,
Web-
,
ISA Server 2004. 2004
ISA Server . . ISA
, , . .
,
Server 2004
, , Web-
2004
. ISA Server 2004 ISA Server Web.
,
Web-
ISA Server 2004 NetScreen NetScreen 2003 .
,
Data Corp. (IDC) news.com.com/2100-7355-5079045html,
International CNET News hup-.// 16%.
Juniper Networks 2004 . Juniper Networks
nologies
NetScreen Tech. NetScreen.
-
, ,
,
VPN
Web-
ISA Server 2004. Juniper Networks Juniper Firewall Tool Kit (FWTK), Linux/UNIX, ISA Server 2004
«
».
NetScreen: NetScreen IPSec. Trend Micro AV.
VPN-
-
. NetScreen (Reduced Instruction Set Computer,
ASIC,
RISC-
ISA Server 2004
)
. ScreenOS,
-
,
. ,
-
-
, .
■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■
NetScreen 5 (5 , 5 Elite, 5GT, 5GN Plus, 5XT, 5 Elite) 200, 500 5 000. NetScreen 25 50. — 500 100 000 NetScreen, : NetScreen 5XP (10 ) 495 ; NetScreen 5GT 495 ; NetScreen 5XT 695 ; NetScreen 5XP Elite ( 995 ; ) NetScreen 5GT Plus 995 ; NetScreen 5XT Elite 1195 ; NetScreen 25 3 495 ; NetScreen 50 5 695 ; NetScreen 204 9 995 ; NetScreen 208 14 245 ; NetScreen 500 22 500 ; NetScreen 5200 99 000 .
.
. , NetScreen IDP (Intrusion Detection and Prevention, ) 7 995 10 34 995 500. VPNNetScreen (v. 8) 95 , 195 100 995 1 000 . VPNNetScreen ( ) 345 10 , 2 495 100 19 995 1 000 . . 3-2 ISA Server 2004
,
NetScreen.
1
. 3.2.
NetScreen 200 Series 128 000
-
VPN 3DES
(
NetScreen NetScreen 50
000 /
NetScreen 25
NetScreen 5XP
4 000
2 000
400-550 / 200 /
100
50 Ml
4 000
1 000
500
100
4 4 000 256
2 1 000
60
2 1 000 60
1 32 16
1 000
100
25
10
/
/
20
/
10
/
10
/
) -
( NAT PAT IP IP IPVPN -
FutureScreen OS
NetScreen
:
■ Manual key, IKE, PKI (X.509), PKCS 7 10; ■ DES, 3DES AES; ■ (SCEP); ■ : VeriSign, Microsoft, Entrust, RSA Keon, iPlanet (Netscape), Baltimore, DOD PKI; ■ RADIUS, RSA SecurID, LDAP. ISA Server
.
,
. ISA Server ,
1,59 ; ISA Server
, -
/ . .
ISA Server 2004
Windows Server 2003 , Server 2003 SP2 Security Configuration Wizard. Microsoft , ISA Server 2004. www.microsoft.com/technet/prodtechnol/isa/2004/plan/securityhardeningguide.mspx.
NetScreen: ScreenOS,
NetScreen , ASIC.
,
NetScreen .
ScreenOS .
NetScreen
,
-
. 3-2. ISA Server 2004, Intel, Windows 2000 Server Windows Server 2003, ISA Server
,
, , . ,
-
.
NetScreen: NetScreen »
« , ,
-
: ■ ■ ■ ■ ■ ■
HTTP; ; ; SMTP; FTP; DNS. NetScreen OneSecure.
NetScreen NetScreen IDP, ,
.
-
NetScreen
Websense (
URL-
). ISA Server 2004 . ,
,
, . ISA Server 2004
Websense
;
,
-
.
ISA Server 2004
HTTP. SMTPSMTP-
, SMTP ISA Server RPC
, . RPC,
,
-
Exchange
. DNS-
-
,
DNSWeb-
NetScreen:
, . SDK ISA Server .
-
VPN NetScreen VPN,
VPN. NetScreen (
).
VPN-
. :5 -
3DES
256-
PKI
DES. 168-
AES. NetScreen .509-
(
, ,
Verisign). ■ NetScreen ■ NetScreen ■
VPNVPNVPN).
Client (
), .
«
IPSec SSL; - »; (
NetScreen Remote Security -
ISA Server 2004
VPN-
.
,
VPN
-
.
, .
ISA Server 2004, , VPN-
«
,
- -
»
VPN,
; ,
,
/ . .509 ,
, ■ ISA Server ■
VPN-
-
, . VPN,
IP: IPSecPKI. VPN. ISA Server VPN, VPN .
ISA Server
, VPN-
. . Nat Traversal (NAT-T) IETF RFC VPN Server 2003. 3DES. VPN QoS, QoS , ,
■ ISA Server L2TP IPSec ■ ISA Server 2004 ■ ISA Server 2004
. ■ ISA Server ■ ISA Server 2004 ■ ISA Server Windows PPTP
SSL-
. Microsoft PPTP VPN-
Windows Server 2003 L2TP
L2TP.
.
NetScreen: Web/
VPN
.
NetScreen NetScreen Web-
Web-
-
/ ISA Server.
Server 2004 . , Web-
.
Web-
ISA Server 2004 ISA Server 2004
,
, , ISA Server 2004, WebWeb, -
ISA Server 2004. Web,
ISA Server 2004. 2004
ISA Server . , . ,
, ,
ISA Server 2004 , Web-
. ISA Server 2004 ISA Server 2004 Web(
,
Web-
-
).
ISA Server 2004 SonicWall International Data Corp., News http://news.com.com/2100-7355-5079045.html, SonicWall Cisco, Netscreen Nokia). 5,4%.
CNET 2003 . (
SonicWall. SonicWall, ,
VPN
Web-
, -
ASIC
-
ISA Server 2004.
SonicWall: /
1 -
SonicWall ,
ICSA. ■ ■ ■ ■
SOHO3: SOHO TZW TELE3: TELE TZ: ( ), ■ TELE TZX: MDIX ■ TELE3 SP/TELE3 SPi: ),
SonicWall: ; ; ; ;
WorkPort ;
, ; POS (Point of Sale, ,
ISA Server 2004
;
-
ISDN-
;
■ PRO 100:
; (DMZ);
; ■ TZ 170:
;
MDIX (security processor) (system on a chip, NAT; ; ; , VPN, ;
); ■ PRO 230: , DHCP■ PRO 330:
, ■ PRO
: SonicOS 2.0;
, ; ,
; ; ,
ISP,
(
) VPN-
;
AES; (dedicated cryptographic accelerator); , NAT. ■ PRO 4060: 3060;
, 8
PRO
/5 .
. 33 SonicWall. .
-
.3.
3
SonicWall -
RAM
-
-
-
SOHO 133 3
16
SOHO TZW
133
16
TELE3
133
2 10/100
6 000
-
-
10/25/50/
baseT
-
VPN-
-
/
-
75
/
- (
C3DES 20 /
10
20
/
10
20
/
5
)
16
2 10/100 baseT
6 000
2 10/100 baseT
000
10/25
5
75 (
/
75 (
/
) )
(
.
.
.)
.
3. (
)
3. -
-
-
-
-
-
-
VPN-
-
/
C3DES
TELET 133
TELETZX
133
133
16
16
16
SP/SPi PRO 100
133
16
TZ 170 SonicWall 64 Security Processor
3 10/100 baseT
6 000
3 10/100 baseT, -
6000
5
5
2 10/100 6 000 baseT, lv.90 1 ISDN 3 10/100 6 000 baseT
10
7 10/100 baseT
10/25/
000
75 ( 75 (
20
/
5
20
/
5
20
/
10
20
/
50
- 30 )
/
/ ) / )
75 (
/
- 75 (
/
90 (
/
) ) 5-50/210
-
• PRO
PRO
PRO 3060
PRO 4060
233
233 StrongARM RISC 2 Intel
2
64
64
256
256
Intel
3 10/100 baseT
30 000
3 10/100 baseT
128 000
6 10/100 baseT
128 000
6 10/100 baseT
500 000
- 190 (
/
- 190 (
/
45
/
- » 1 000
45
/
1000
75 (
/
5001 000
) )
300 (
/
300 (
/
)
-
AES)
5 90 / ( AES) )
SonicWall . : ■ SonicWall SOHO3n
1000/ 3 000
-
445 (25 );
(10 ), 795
), 645 (50
-
ISA Server 2004
SonicWall TZWn
449
(10 ); (10 ), 825 );
(25 SonicWall TZ170n 410 (25 SonicWall Tele3 TZXn 493 SonicWall SPn 534 SonicWall Pro 230n 1 655 SonicWall Pro 2 319 SonicWall Pro 4060m 4 995
), 599 ), 576 (
-
; ; (
); ); ).
( (
,
SonicWall :
■ VPN SonicWall SOHO ■ SonicWall VPN PRO 100n ■ VPNSonicWall
410
;
576
;
451
(10 (50
(100 75 (50
■ ■
), 659 ), 825
); (5 ), 695
), 495 (
);
VPN SOHOn (
495
.
: http://www.tribecaexpress.com/sonicwall_firewalls_price.htm). SonicWall (Content Filtering Service, CFS) ; .
-
695 95 5 PRO 3060 guard.com/ContentFilteringService.asp).
PRO 4060. (
:http://www.somc-
: ■
136 5
19 195
1 000
; ■
Global Management System 10 ;
1 655 ; 12 446 100
■
95
(SOHO 10
20 749 (GMS (
)
).
: www.tribecaexpress.com/sonicwall_firewalls_price.htm).
SonicWall: SonicWall ASIC,
. 33. SonicOS.
-
; ■ SonicOS v.2.0s , ; ■ SonicOS v.2.0e
(PRO
4060)
, , . Intel, Windows 2000 Server .
ISA Server 2004, , Windows Server 2003
,
ISA Server
,
, .
Windows Server 2003 , Server 2003 SP2 Security Configuration Wizard. Microsoft , ISA Server 2004. : http:// www.microsoft.com/technet/prodtechnol/isa/2004/plan/securityhardeningguide.mspx.
SonicWall: SonicWall (Content Filtering Service, CFS), . , Web( )
, . URL-
Web.
: standard ( ).
)
premium (
, -
, .
, ,
.
. -
ISA Server 2004
CFS
Web-
14
-
: ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■
Violence ( ); Hate/racism ( / ); Intimate apparel ( Nudism ( ); Pornography ( ); Weapons ( ); Adult/mature content ( Cult/occult ( / ); Illegal drugs ( Drugs ( ); Criminal skills ( Sex education ( Gambling ( ); Alcohol/tobacco ( /
), Arts/Entertainment ( Trading ( / / ( ); Streaming Media/
)
); ); ); ); ).
Abortion ( / ), Auctions ( ); Brokerage/ ), Humor/Jokes ( / ), News/Media ( ); Personal/Dating ( / ); Religion ( / ), Software Downloads ( ) ( 52 ).
-
SonicWall
SonicWall Content Filter
SonicOS. CFS ,
SonicWall List (CFL)
.
ISA Server 2004, .
ISA Server 2004
-
Websense . Web. , ISA Server 2004
, Websense.
ISA Server 2004 . ,
-
,
.
ISA Server 2004 SMTPSMTPRPC-
HTTP-
. SMTP-
-
,
, ,
ISA Server RPC,
. ,
-
Exchange
. DNS-
, DNS-
, . ISA Server .
SonicWall:
VPN
SonicWall 3 000
VPN. VPNIPSec
. VPN-
VPNIP-
500 VPN-
.
SonicWall ), LMHOST
PRO SonicWall VPN Client 8.0 (
, L2TP DNS, WINS
SonicWall Client Policy Provisioning VPNGlobal VPN Client.
VPN-
.
SonicWall VPN: ■ ■ ■ ■ ■
SOHO TZW — 1 2 170—1 PRO 2040 — 10 PRO 306 — 25 PRO 406 — 1 000
,
; ; ; ; . VPN
,
. VPNTELE3; ■ TELE3TZ; ■ TELE3TZX;
,
:
ISA Server 2004
■ ■ ■ ■ ■
TELE3SP; SOHO3 SOHO3 25 SOHO3 50 TZ 170 10
; ; ; .
ISA Server 2004 30 000 2
-
VPN. ISA Server ISA Server L2TP/IPSec, Server 2003VPN-
VPN1 000 (Standard Edition) 1 000 (Enterprise edition, Datacenter edition) , . , ISA Server IPSec « - », L2TP VPN. VPN. ISA Server VPNWindows 9x/ME, Windows XP, Windows NT, 2000 .
VPN-
ISA Server , ( / , VPNVPN-
,
,
VPN, ),
. Windows Server 2003, -
, ,
.
,
-
, .
SonicWall: WebSonicWall . Service (CFS),
WebWebCFS —
—
Filtering -
. ISA Server 2004, . , Web-
.
WebISA Server 2004
-
ISA Server 2004 ,
,
, 2004,
ISA Server 2004. WebISA Server WebWeb, -
, , ISA Server 2004.
2004
ISA Server . . ISA
, , . .
,
Server 2004
, , Web-
2004
. ISA Server 2004 ISA Server Web.
,
Web-
ISA Server 2004 WatchGuard , CNET News WatchGuard
5079045.html, Nokia SonicWall) 4%.
International Data Corp. http://news.com.com/2100-7355( Cisco, NetScreen, 2003 .
Watchguard: Watchguard : ■ SOHO 6:
; VPN;
■ Firebox X:
; ;
■ Firebox Vclass:
; . WatchGuard
. 34.
WatchGuard
. 3.4.
_____________ Firebox X __________SOHO 6 ____________ Firebox Vclass ________
-
275
/
75
/
2
-
100
/
20
/
1,1
VPN 500 000
7 000
500 000
/ /
ISA Server 2004
. 3.4. (
)
1 :
Firebox X 6 10/100
SOHO6 6 10/100
(3
Firebox Vclass V200, V100: 2 1000BaseSX Fiber Gigabit Ethernet, 2 Dedicated HA V80, V60, V60L4 10/100 2 Dedicated HA V10: 2 10/100 40 000 SMTP, HTTP
)
■
VPN-• ALF
1 000 HTTP, SMTP, FTP, DNS, H.323, DCERPC, RTSP, http
10 HTTP
]^ URLQoS (;
/
BH:I
1 000
10
20
( VP N • ;1 (:
/11 ;tccii
)
-
2004 . 10 50
V60L floV60
25
WatchGuard Firebox, : ■ ■ ■ ■ ■
SOHO 6 / 10 SOHO 6 / 50 Firebox III 700/ 250 Firebox III 2500/ 5 000 Firebox V10 / ;
— 549 — 899
; ; — 2 490 — 5 790
; ; (20/75
/ ) — 799
-
■ Firebox V60 /
(100/200
/ ) — 599
; ■ Firebox V80 /
(150/200
/ ) — 8 490
(300/600
/ ) — 14 490
; ■ Firebox V100 / . SOHO V10 ( 10 VPN Manager VPN■ 4 Fireboxesn — 796 ; ■ 20 Fireboxesn — 2 796 ; ■ Fireboxesn — 6 396
SOHO:
.
VPN■ 5 ■ 50
— 220 — 1 800
■ 100 ■ 1 000
Firebox
).
:
; . VPN;
— 780 — 1 440
Vclass MU
:
. Vclass.
Centralized Policy Manager (CPM) Windows NT/2000
-
: ■ 10 ■ 100
— 2 840 — 12 680
; .
( WatchGuard http://www.securehq.com/group.wml&storeid=1&deptid=76&groupid=222&sessionid=200437249417233).
WatchGuard: WatchGuard (Security Management System), : ; , -
■ InternetGuard: GroupGuard: , ; ■ HostGuard: ISA Server 2004 , Windows Server 2003
. Intel, Windows 2000 Server ,
-
ISA Server 2004
. ISA Server
,
,
-
. Windows Server 2003 , Wizard. Microsoft ,
Security Configuration
Server 2003 SP2
ISA Server 2004. : http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/securityhardeningguide.mspx.
WatchGuard: WatchGuard Firebox (
— SOHO
VI0)
,
. FTP SMTP. Firebox III V60L, V60, V80, V100 V200 ■ SMTP. ,
HTTP, 500, 700, 1000, 2500
4500
Firebox Vclass :
, ,
, ID
(spoofed)
, , ; ■ HTTP. WebMIME, Java, ActiveX,
,
80, ,
cookies,
; ■ FTP.
FTP-
,
, ,
; ■ DNS.
, ,
■
.323.
; .
Vclass
, : Java (Java script blocking);
■ IP source route ( »; ■ ■ ■ Ping of Death ( 65536 S
IP(DoS); DoS (DDOS, Distributed Denial of Service); , );
«
-
■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■
ICMP (ICMP flood); TCP (TCP SYN flood); UDP (UDP flood). ASIC (LAND);
:
Teardrop; NewTear; OpenTear; Overdrop; Jolt2; SSPING; Bonk/Boink; Smurf; Twinge. ISA Server 2004
-
: ■ ■ ■ Ping of death; ■ IP■ UDP; ■ ■ ■ ■ ■ ■
Windows (Windows out-of-band, WinNuke); (LAND); (IP half scan); (port scan); DNS (DNS host name overflow); DNS (DNS length overflow); DNS (DNS zone transfer); ( buffer overflow); SMTP (SMTP buffer overflow).
ISA Server . ISA Server 2004 .
-
, , . ISA Server 2004
WebSense .
ISA Server 2004 ISA Server ,
HTTPSMTPSMTP .
. SMTP-
, ,
-
ISA Server 2004
RPC-
ISA Server
,
RPC,
Exchange
.
DNS-
, DNS-
,
-
.
WatchGuard:
VPN
VPNFirebox Firebox III 700, Firebox V10)
VPN
WatchGuard (SOHO, VPN-
. .
VPN
. 3-5. . 3.5.
VPN
WatchGuard VPN-
VPN
,
VPN-
VPNSOHO6 Firebox III 700 Firebox III 2500 Firebox V10 Firebox V60 Firebox V80 Firebox V100
20 5 75 20 100 150 300
/ / / / / / /
5
0
150 1 000
0 50
0
0 20 20 20
1
400 8 0001 20 000'
Firebox V80, WatchGuard, VPN: ■ IPSec with IKE; ■ L2TP over IPSec 2 ; ■ over IPSec ; ■ IPSec Security Services; ■ (Tunnel and Transport Mode); ■ ESP (Encapsulated Security Payload, ); ■ (Authentication Header, ); ■ + ESP; ■ IPSec; ■ DES 3DES;
1/5 1000 1 000 10 4001 8 0001 20 000'
■ ■ ■ ■ ■ ■
MD5 SHA-1; RSA; DSS (Digital Signature Standard, Certificate Management;
);
(CRL) LDAP.509 v2 and v3, PKCS #10, and PKCS #7.
WatchGuard Firebox User, (security configuration policy),
;
VPN-
Mobile -
, . VPN-
.
VPNVPN .
ISA Server 2004 VPN. ISA Server ,
VPN-
ISA Server -
, VPN-
. .
ISA Server L2TP IPSec ISA Server 2004 ». ISA Server
Nat Traversal (NAT-T) IETF RFC VPN Server 2003VPN-
« VPN-
ISA Server 2004
Microsoft PPTP VPNVPNPPTP L2TP/IPSec, Windows XP, Windows NT, 2000 Server 2003. VPN-
-
L2TP. ISA Server . ISA Server Windows 9x/ME,
ISA Server , ( /
),
VPN, ,
, .
- .
VPN-
Mobile User
Web-
. WebWatchGuard
Guard,
,
Watch-
.
WatchGuard: WebWatchGuard / ,
ISA Server.
-
ISA Server 2004
ISA Server 2004 . , Web. ,
2004 2004
Web-
ISA Server ISA Server ISA Server 2004. Web-
, , ISA Server 2004, Web-
, ,
Web-
,
ISA Server 2004. 2004
ISA Server . . ISA
, , . .
,
Server 2004
, , Web-
2004
. ISA Server 2004 ISA Server Web.
,
Web-
ISA Server 2004 Symantec Symantec Norton . 02
,
-
31% 2004 .
51%
, /www.symantec.com/press/2004/n040121.html.)
: http:/
.(
Symantec
/
VPN
-
SOHO, ,
(
)
,
, .
Symantec ,
Windows
Solaris.
Symantec.
Symantec, ,
, Server 2004.
VPN
Web-
ISA
Symantec: /
VPN
Symantec, ,
,
. 3-6. / /
(
/
. 3.6. Symantec
VPN
VPN
)
/ (
VPN (
)
)____________
Symantec Firewall/VPN 100 Symantec Firewall/VPN 200 Symantec Firewall/VPN 200R
Symantec Enterprise Firewall
SGS 5420 SGS 5440 SGS 5460
. 3-7
/ /
VPN
Symantec .
, /
. 3.7.
VPN
Symantec
/ Firewall/VPN 100
VPNVPN-
«
-
Firewall/VPN 200
Firewall/ VPN 200R
»
VPNVPN-
IPSec DSL/ T-1/ISDN
LAN 10/100
4
WAN
1
8 2
8 2
15-25
30-40
30-40
( )
Web-
Web-
Web-
ISA Server 2004
. 3.7. (
) Firewall/VPN100
Firewall/VPN 200
ARM7 8 /
ARM7 8 /
Firewall/ VPN 200
WAN )
( Web-
ARM7 8 /
DHCPNAT
(
) Symantec 5400 (SGS 5430, SGS 5440, SGS 5460). ( )
. 3-8 .
(
. 3.8.
)
Symantec SGS 5420
WAN
6 6 0 500
10/100 Gigabit (
SGS 5460
2 500
8 0 8 4 500
190 000 1,4 /
200 000 1,8 /
0
) 64 000 200 (Full inspection)
VPN W/3DES VPN w/AES
(signature-based) VPN IPSec We b-
SGS 5440
95 90 30 520 40
/ / / /
680 400 80
/ /
1
730 600 90 2
80
80
/
/ / /
Symantec
, Solaris: Symantec Enterprise Firewall
Windows NT/2000 Symantec Enterprise VPN. 7.0. Symantec Enterprise Firewall
ICSA. -
(
).
Symantec Enterprise Firewall 7.0
■
:
; ;
■ ■ ■
; ; (RADIUS, LDAP, , S/Key, Defender, SecurID, Web-
■ ■ ■ ■ ■ NAT
Windows); ; ;
EAL-4; AES; VPN-
,
; ■ URL■
WebNOT. Symantec Enterprise VPN VPNVPN-
: IPSec; ,
IPSec;
■ ; ■ ■
; . /
VPN
Symantec
:
■ Symantec Firewall/VPN 100 — 499 ■ Symantec Firewall/VPN 200 — 899 ■ Symantec Firewall/VPN 200R — 1 199 ( ( ). ■ Symantec SGS 5420 — 2 999,99 ■ Symantec SGS 5440 - 6 899,98 ■ Symantec SGS 54 - 11 534,98
; ; . )
Symantec . 50
, ; ; .
VPN-
ISA Server 2004
VPN-
50 VPN-
-
Gold Maintenance, LiveUpdate.
,
.
,
URL-
-
, ,
-
,
: ■
Event Manager, , Advanced Manager (
■
; Event Manager),
; ■ ■ ■
; ; (
, );
■
VPN-
.
Symantec: SGS Raptor, Recourse IDS (Intrusion Detection System) Symantec. Symantec Enterprise Firewall Windows NT/2000 Solaris. Windows 400 , 256 RAM 8 . Solaris Solaris 7 8, Sun UltraSPARC I II sbus PCI, 256 RAM 8 . ISA Server 2004 , Windows Server 2003
Intel, Windows 2000 Server ,
.
Windows Server 2003 , Configuration Wizard. Microsoft ,
Server 2003 SP2
Security
ISA Server 2004. : http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/ securityhardeningguide.mspx.
Symantec: Symantec ,
HTTP
Technologies)
SMTP/POP3
FTPManHunt ( ManHunt
IDS. WebNot
). Recourse -
( Symantec . Symantec .
URL-
. ISA Server 2004 HTTP, POP3,
, SMTP, FTP
DNS. ISA Server 2004
, -
. , . ISA Server 2004 ISA Server ,
HTTPSMTP-
. SMTP-
, SMTP
,
-
. DNS,
DNS-
, .
ISA Server , a SDK ISA Server .
Symantec:
Web-
VPN
Symantec Enterprise VPN 7.0 Windows NT/2000 Solaris 7/8 Enterprise Gateway ( ). VPNSymantec Enterprise Windows 9x, ME, 2000, NT 4.0 . Enterprise VPN Enterprise Firewall Symantec. Symantec Enterprise VPN ■ VPNVPN■
: IPSec, ,
IPSec; -
; ■ ■
; .
ISA Server 2004
VPN-
; ,
VPN-
VPN-
.
8 ISA Server 2004
ISA Server « - », VPNISA Server
VPN1 000 (Standard Edition) 16 000 30 000 2 (Enterprise edition, Datacenter edition). VPNIPSec L2TP . ISA Server . VPN. ISA Server VPNWindows 9x/ME, Windows XP, Windows NT, 2000 VPN-
L2TP/IPSec, Server 2003.
ISA Server ,
,
VPN, ),
( /
-
,
. VPNVPN-
2003
Windows Server -
, ,
,
.
,
-
, .
Symantec: WebSymantec
Web-
. Web- -
. ISA Server 2004
Web-
. , -
ISA Server 2004 WebISA Server 2004
, ,
ISA Server 2004. Web, WebISA Server 2004.
,
.
, ISA Server 2004, Web-
, -
2004
ISA Server . .. ISA
, , . .
,
Server 2004
, , Web-
2004
. ISA Server 2004 ISA Server Web.
,
Web-
ISA Server 2004 Blue Coat SG Blue Coat Systems
,
IDC, ,
ISA Server, Web. CacheFlow, 2002 . . Web3 000 14 000 , 70% Dow-Jones Industrial companies. Blue Coat 33% . Blue Coat
ICSA. Blue Coat SG.
Blue Coat: Blue Coat ■ SG 400 250; ■ SG 800 ■ SG 8000 000
:
2 000; 1 000 ,
, ,
. . 39-
. 3.9. SG400-0 SG400-1 SG800-0 SG800-0B
Blue Coat SG IDE 40 IDE 40 18 36 Ultra SCSI 18 36 Ultra SCSI
256 512 512
2 10/100 2 10/100 2 10/100
768
2 10/100
10
i i
. 3.9. (
ISA Server 2004
)
2 10/100, 73
SG800-1
73
SG800-2
Ultra SCSI
Ultra SCSI
73
SG800-3 1
Ultra SCSI
15 000 RPM 73 15 000 RPM 73 15 000RPM 73 15 000 RPM 73
SG8000-1
1
SG8000-2
SG8000-3 1
SG8000-4 1
1
10/100/1000 10/100,
1,5
10/100/1000 2 10/100,
2
10/100/1000 4 10/100/1000 4 10/100/1000 4 10/100/1000 4 10/100/1000
1 2 3 4
SG8000
■ SG400 — 3 495 ■ SG800 — 5 995 ■ SG8000 — 40 000
10/100, SX 2 10/100, SX 10/100, SX
3,2
.
Blue Coat SG ; ;
:
. -
;
500
9 140 .
Blue Coat: Blue Coat SGOS. SGOS (
-
ASIC).
ISA Server 2004 , Windows Server 2003
Intel, Windows 2000 Server ,
.
ISA Server
, ,
Windows Server 2003 (profile), Security Configuration Wizard. ,
, ,
Blue Coat.
Server 2003 SP2 Microsoft
-
ISA Server 2004. : http://www.microsoft.com/technet/prodtechnol/isa/2004/ plan/securityhardeningguide.mspx.
Blue Coat: Blue Coat
, Content Policy Language (CPL) (Access Control Lists, ACL). SG NTLM (NT LAN Manager), LDAP (Lightweight Directory Access Protocol, ) RADIUS. Blue Coat SG (WebSense, SurfControl, SmartFilter). MIME.
, ,
, . AV-
TrendMicro
-
.
SG
Symantec Web-
.
, Web,
-
,
.
IM ,
-
. .
/
,
Blue Coat , ,
,
-
, ,
.
Blue Coat
.
ISA Server,
, , . ISA Server
/
-
-
.
ISA Server 2004 .
-
, , . ISA Server 2004 SMTPSMTP-
HTTP-
. SMTP-
,
,
,
.
ISA Server 2004
RPC-
ISA Server
,
RPC,
Exchange
.
DNS-
, DNS-
,
-
.
Blue Coat:
VPN
VPN Web-
Blue Coat
ISA Server 2004 ■ ■ ■ ■ VPN ■ VPN «
-
. VPN: ;
L2TP/IPSec IPSec; ; - ». «
- -
VPNVPN-
». ISA Server
L2TP,
Windows.
Blue Coat: WebSG
:
■ ■ ■ ■ ■ ■
; ; ; ; ; . (Proxy
Autoconfiguration,
). 4/7 WCCP (Web Cache Communication Protocol, ). Web, .
, ,
, (
,
)
Web,
, «
»
. .
.
,
-
ISA Server 2004
Web-
. , -
ISA Server 2004 Web-
.
ISA Server 2004
, ,
ISA Server 2004. Web, ISA Server 2004, WebWeb,
,
-
,
ISA Server 2004. 2004
ISA Server . . ISA
, , . .
,
Server 2004
, , Web-
2004
. ISA Server 2004 ISA Server Web.
,
Web-
ISA Server 2004 (
)
-
GNU (General Public License) , .
;
-
, .
( ),
,
, .
(
)
:
■ . (
) ,
;
, . ■ ,
,
, . ,
-
ISA Server 2004
, .
■
, -
« »
,
.
,
-
, ,
. , . IPchains, Juniper Firewall Tool Kit (FWTK)
IPCop.
IPChains/IP Tables IPChains «
Linux, ( IP-
» (IP Masquerade) « »
Linux). ,
-
. , «
. .
» IPchains :
OSI. ,
SMTP, POP, NNTP
DNS, . IPTables
IPchains, ,
Squid
. -
IPchains
FWTK
.
VPN
-
,
. ,
ISA Server 2004 — .
,
Web,
; -
. ISA Server . ISA Server VPN-
, L2TP
VPNIPSec.
FWTK/ipfirewall Juniper Firewall ToolKit Obtuse Systems Linux BSD (Berkeley Software Distribution)/FreeBSD. ipfirewall Ipfirewall FreeBSD.
.
, ,
-
( ) . ipfirewall
-
. . «
ipfirewall, » («deny ip from any to any»).
ip
,
,
. ipfw.
-
, ,
, 65 535
. .
. (- )
(
)
.
-
,
. ,
«
»
ISA Server 2004 — .
. ,
Web-
,
,
.
ISA Server . ISA Server VPN-
, L2TP
VPNIPSec.
IPCop IPCop
.
Linux
Web UI, . . IPCop
-
NAT Smoothwall
1
). —
UNIX .
( .
,
-
ISA Server 2004
GNU GPL.
IP,
-
. IPCop
, .
VPN (
-
IPSec)
Snort IDS. ,
/
. Linux,
. IPCop (DMZ).
-
, DMZ). «
(
,
DMZ» (DMZ pinholes). Web-
IPCop,
.
ISA Server 2004
, ,
Web-
-
;
,
.
ISA Server
VPNIPSec.
. ISA Server VPN-
, L2TP
.
ISA Server 2004 .
. 3.10.
ISA Server 2004
ISA Server Checkpoint Cisco PIX Netscreen 50 SonicWall ______________________NG/Nokia 350 515E ____________________Pro 230
WatchGuard Symantec V80 ________ 5420 _______ 1
( - Windows IPSO; PIX OS unoiiius 2000, Windows ( Server 2003 Windows IOS) NT/2000, Solaris, Linux, AIX -
- 350
/ 188 1,59 /
ASIC)
ScreenOS (2 ,
SonicOS
-
-
simple ( ) enhanced ( .) /
170 -
/
190
/ 200
/
200
(
.
/
.
.)
220 . VPN3.
3
10. (
)
ISA Server Checkpoint NG/Nokia350 -
4 10/100
6
12 500 1000 (Standard) 16 000 + , 30 000L2TP (Enterprise) 2 VPN
, L2TP, IPSec, SSL
4 10/100 2
3 10/100
2 000 100
WatchGuard V80
3 10/100
500
, MS L2TP, IKE/IPSec,
IPSec, SSL, L2TP
SonicWall Pro 230
Netscreen 50
Cisco PIX 515E
Symantec o230
4 10/100,
8 000
IPSEC, SSL
IPSec,
IPSec, L2TP IPSec (
L2TP,
) VPN-
,
-
-
-
-
, Windows
,
-
MS L2TP
VPN-
-
-
,
, -
(10)
•
- Windows Server 2003, :
SP,
» (client configuration veri-
,
-
; VPN, Windows
-
VPNIUIH Secure Client ( -
,
, VPN-
-
-
)
.
-
-
VPN-
,
; VPN- NetScreen ReCisco mote Security - Mobile User Secure VPN Client ( - VPN client client v.3x ) Global VPN client
;!; VPNSecured
-
ISS RealSecure IDS,
-
55
- IDS IDP;
; IDS
/
- OneSecure; - IDS
OTIIS
TCPIDS
-:
-
-
DoS-
-: IDS/I DP
(Recourse)
CFS-
10. (
.
)
SMTP, 2004 ISA Server HTTP
3. ISA Server Checkpoint Cisco PIX NG/Nokia350 515E
SonicWall Watch Guard Symantec V80 5420 Pro 230
Netscreen 50
Fixups; ASA; HTTP, POP3, , SMTP, URL, Web- FTP, DNS, sense N2H2; -WebSense -
, NG, ,
; HTTP, FTP SMTP , -
Java/ActiveX UFP Web (HTTP, HTTPS), CLI, Telnet, SSH, Global Pro
-
Web- Java-based , CLI, GUI; CLI; Web SNMP, Global Multi-box (SSL), Mgmt System mgmt (CPM) ( Symantec )
-, HTTP, SMTP, DNS, FTP, POP3, IMAP
-
dows -
CLI (
CLI, SNMP, WinFTP, Telnet, MMC SSH, Web: PIX (PDM), Voyager ( CLI, Telnet, - SSH, console ( , ) port ) - Horizon Mgr -(
CFS
Cisco Content Engine -
-
-
,
-
/
-
-
-
Web-
( -
/ ) Windows 2000/2003 -
),
) /
-
;
, -
;
/
-
-
(
.
.
.)
/ (
-
/ )
/ , / , LB - ( , 8)
222 . 3.10. (
) Cisco PIX 515E Netscreen
ISA Server Checkpoint NG/Nokia 350
-
, , - AV, (Content - engine), IDS, (SurfControl), GSM - AV ,
- IDS,
( -
,
)
-
,
-
50 SonicWall Pro 230
,
WatchGuard V80
- /
,
Symantec 5420
- AV,
-
,
,
1-
, -
-i '
VPN, HA/LB
, ,
(Standard Edition -
;
-
-
,
-
-
50
Edition), - VPNSecureClient
VPN-
;
VPN1 499
-
- 3 695
;
, 1 VPN-
-
VPN-
-
-
-
VPN-
(Standard Edition)
I 699
-12 995
2 999
; R, UR, F, VPN-
5 695 4 989
-
-
1
Symantec, 5400,
, Windows
1
Solaris.
Windows Server 2003 Standard Edition Server 2003 Enterprise DataCenter Edition , 30 000 .
ISA Server 2004, (IPchains, FWTK IPCop),
1000
1000 L2TP
. Windows VPN16 384, a L2TP-
-
Checkpoint, Symantec , . .
-
ASIC. ,
—
«
» -
ISA Server 2004
,
ASIC, — :
, , .
,
.
,
,
-
. ,
, ,
,
. , ISA Server , . ISA Server 2004
-
, , .
ISA Server ,
(Blue Coat) /VPN Web-
: NetScreen
PIX /VPN
.
,
-
. ,
.
,
ISA Server
. Blue Coat,
, ,—
,
VPN.
( ) ,
,
. ,
■ IPchains/FWTK
. ,
,
ISA Server -
. Linux .
UNIX,
-
VPN.
,
■ IPchains/FWTK . UNIX. , .
, ,
,
( )
,
, .
■
,
IPCop,
IPCop
Web-
, . / Snort.
: Squid.
SOHO, . ,
, . , .
2004,
,
ISA Server -
.
,
,
ISA Server 2004
-
, .
. , . ISA Server 2004, .
,
,
-
, , . , «
».
,
,
ISA Server 2004
,
,
,
.
0
, . ,
-
. ,
(
,
-
), .
,
,
-
/
.
0
: ,
,
-
,
,
(
).
0
,
, ,
,
,
-
. 0
, ,
-
, .
0
( )
-
( ),
, /
/
-
. 0
Web,
-
/ ,
.
0
,
, ,
, , ,
-
. 0
, /
,
.
VPN .
VPN-
-
0
VPN VPN-
VPN( VPN, . Web,
VPNVPN-
, «
- -
»),
, VPN,
. Web-
,
, . 0
,
Web-
, ,
, . , ,
, -
. , )
(
(
).
0 ICSA Labs
,
.
ISA Server 2004 0
Microsoft ,
ISA Server 2004 « VPN Web-
,
-
». 0 ISA Server 2004 ,
:
-
, VPN,
,
. 0
ISA Server 2004
: ,
, Windows Active Directory, VPN, Web-
, 0
, : /
,
;
,
. ISA Server 2004,
-
ISA Server 2004
,
;
-
; . 0 ISA Server 2004
,
Service Pack 4
Windows 2000 Server ( Windows Server 2003Internet Explorer
)
0 ISA Server
.
,
-
Windows Server 2003. 0 ISA Server Directory, Exchange
Active Microsoft Server System .
ISA Server 2004
-
, , ISA Server 2000. ISA Server 2004 ISA Server
RDP.
0 ISA Server 2004 ,
,
, -
, . 0
ISA Server 2004 . ISA Server 2004
. ISA Server 2004 : Secure Exchange RPC, . 0 ISA Server 2004 IIS. . ISA Server 2004 IPSec. 0 VPN ISA Server 2004 0
VPNVPN,
-
,
,
OWA , -
VPN-
:
VPNVPN« - ISA Server 2004
, L2TP/IPSec : VPN». VPN-
.
0
VPN ISA Server 2004, Web-
ISA Server 2004 ISA Server Web-
.
2004 Web-
.
0 ISA Server 2004 Server
,
ISA -
. 0
Check Point
, ISA Server
. Check Point
Web-
; .
0
SecureClient
Check Point
, ,
VPN-
VPNISA Server,
-
. Cisco PIX
0
, ISA Server . Cisco PIX WebCisco Content Engine . VPN PIX VPNCisco Secure v.3.x . , ISA Server ( / , NetScreen . NetScreen VPN( ); . VPN NetScreen . , ISA Server ( / , SonicWall . NetScreen VPN, . VPN. ,
0
0 13
0 0
,
-
),
-
),
-
ISA Server 2004
0 0 0
WatchGuard WatchGuard
. HTTP, FTP, DNS. .
Web-
ISA Server. -
WatchGuard VPN-
,
. ,
ISA Server (
/
,
-
),
Symantec . Symantec ISA Server. WatchGuard VPN0 Blue Coat
Web-
.
,
. Web-
0
-
Blue Coat « Blue Coat
- -
ISA Server 2004, . VPN-
». .
0
(
,
),
, .
0
,
, .
0 IPChains , : 0 Juniper Firewall ToolKit Linux
, VPN, IDS . Obtuse Systems. ipfirewall .
BSD/FreeBSD.
0 IPfirewall FreeBSD.
-
, , /
0 IPCop — Linux
.
, Web-
,
NAT
. . GNU GPL.
Smoothwall IP (ipchains).
0 IPCop
SOHO, .
, . www.syngress.com/ .
solutions ( «Ask the Author»). ITFAQnet.com. :
Microsoft «
ISA Server
»?
:
Microsoft
-
ISA Server, , . ISA Server, RimApp ISA Server 2004 « Windows, :
-
, Hewlett-Packard, Network Engines, . Windows Server » ISA Server 2004.
ISA Server (Windows 2000 Server Windows Server 2003)
,
-
? :
.
Microsoft Windows 2000 Server, , , Microsoft. Windows 2000 , Kerberos, , Active Directory, Security Configuration Manager, TLS (Transport Layer Security, ), IPSec, PKI, , L2TP VPN . Windows Server 2003, «secure by design» ( , ) «secure by default» ( ), IIS .
ISA Server 2004
U ISA Server 2004 Security Configuration Wizard ( ISA Server ISA. Bi
Windows Server 2003 -
SP2),
ISA Server Wall,
NetScreen 500
Sonic-
?
: ,
, . . VPN-
SOHO /
, ,
, . ISA Server SOHO
( ).
, , Web- -
. .
, .
:
,
, SonicWall ISA Server ,
. (Standard ISA Server ?
Enterprise)?
,
NetScreen, -
: .
,
-
, ( ). : . .
;
,
, ISA Server,
, ,
. , . ISA Server Standard Edition Enterprise Edition : Standard Edition Enterprise Edition. Enterprise Edition , NLB. Enterprise Edition VPN( 1 000 30 000 L2TP).
:
ISA Server
CARP ,
ICP, HTCP, Cache Digests
:
WCCP?
CARP
. -
ISA Server, CARP
,
,
. ,
WCCP ,
ICP.
,
URL, CARP
. ,
CARP,
ICP,
Web.
, ,
CARP
, :
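The CARP behaviour sketched in the answer above, as an added example that is not code from the book or from ISA Server: every client and every array member hashes the requested URL against the member names and picks the highest score, so no ICP-style query traffic is needed, and removing a member only moves the objects that member owned. The hash loops follow the CARP Internet-Draft; the load-factor handling is simplified to a plain multiplier, and the member names and URLs are constructed.

```python
"""Cache Array Routing Protocol (CARP) member selection.

Added example (not from the book or ISA Server).  A proxy array maps each URL
to exactly one member by hashing, so clients and members agree on where an
object lives without the query/reply traffic of ICP.  The hash loops follow
the CARP Internet-Draft (Valloppillil & Ross); the load factor is applied as a
plain multiplier here, which is a simplification of the draft's formula.
Member names and URLs are constructed for illustration.
"""
from typing import Dict, Iterable, Set

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    """32-bit rotate left."""
    x &= MASK32
    return ((x << n) | (x >> (32 - n))) & MASK32


def url_hash(text: str) -> int:
    """Hash of a URL: the draft's per-character rotate-and-add loop."""
    h = 0
    for byte in text.encode("utf-8"):
        h = (h + _rotl(h, 19) + byte) & MASK32
    return h


def member_hash(name: str) -> int:
    """Hash of an array member's name, with the draft's extra scramble step."""
    h = url_hash(name)
    h = (h + h * 0x62531965) & MASK32
    return _rotl(h, 21)


def combined_hash(uh: int, mh: int) -> int:
    """Combine URL hash and member hash into the member's score for that URL."""
    h = uh ^ mh
    h = (h + h * 0x62531965) & MASK32
    return _rotl(h, 21)


def select_member(url: str, members: Dict[str, float]) -> str:
    """Pick the array member that owns `url`.

    `members` maps member name to a load factor (1.0 everywhere = equal
    shares).  Highest score wins, so every client and every member computes
    the same answer without asking anybody.
    """
    if not members:
        raise ValueError("empty array")
    uh = url_hash(url)
    best_name, best_score = None, -1.0
    for name, load_factor in members.items():
        score = combined_hash(uh, member_hash(name)) * load_factor
        if score > best_score:
            best_name, best_score = name, score
    return best_name


def owners(urls: Iterable[str], members: Dict[str, float]) -> Dict[str, str]:
    """URL -> owning member for a whole list of URLs."""
    return {u: select_member(u, members) for u in urls}


def moved_after_removal(urls: Iterable[str], members: Dict[str, float], gone: str) -> Set[str]:
    """URLs whose owner changes when `gone` leaves the array.

    With CARP this is exactly the set `gone` owned: the surviving members keep
    their objects, which is what makes growing or shrinking the array cheap.
    """
    urls = list(urls)
    before = owners(urls, members)
    after = owners(urls, {n: f for n, f in members.items() if n != gone})
    return {u for u in urls if before[u] != after[u]}


def main() -> None:
    members = {"isa-proxy1": 1.0, "isa-proxy2": 1.0, "isa-proxy3": 1.0}      # constructed names
    urls = ["http://www.example.com/page%d.html" % i for i in range(1000)]  # constructed URLs
    per_member: Dict[str, int] = {}
    for m in owners(urls, members).values():
        per_member[m] = per_member.get(m, 0) + 1
    print("distribution:", per_member)
    print("URLs that move when isa-proxy2 leaves:", len(moved_after_removal(urls, members, "isa-proxy2")))


if __name__ == "__main__":
    main()
```

Run it once with three members and once after deleting one; the count of moved URLs equals the departed member's share, which is the property that lets a CARP array be resized without flushing the other caches.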
VPN-
ISA Server
,
/
:
VPN-
VPN.
Windows Server 2003VPN, , -
Network Access Quarantine , , , .
, , VPN-
.
, VPN-
. , ,
VPN
VPN-
. -
.
VPNVPN.
ISA Server Windows, Windows,
ISA Server 2004
:
ISA Server, Linux,
:
9
IPChains ?
Squid,
(Robert A. Heinlein), TANSTAAFL («There ain't no such thing as a free lunch» — ). , « » : □ , , , ; D , , , ; □ , , , . , IPchains/iptables FWTK — , , VPN, . IPCop , SOHO , . Microsoft Exchange, SharePoint Microsoft, ISA Server.
ISA Server 2004
; ■
ISA
■
ISA Server 2004
■ ISA ■
Web-
■ ■
ISA DHCP-
ISA ISA .
. -
, .
,
-
VMware
. ,
.
ISA «
» , ISA. -
,
-
, . , , ISA.
, .
-
,
,
,
. . server.org.
www.isa-
BOOK , [email protected].
,
ISA , ISA,
.
, «ISA»
«
ISA 2004
«
ISA».
»
, -
. ,
ISA
, , ISA,
. ISA Server ISA
.
,
-
: , , .
ISA ISA ,
.
, ISA
, .
,
-
, DMZ (demilitarized zone,
-
)
, ,
, -
. , ,
ISA .
, «
■ ■ ■ ■
-
»
ISA:
; ,
ISA; ISA
; . ISA
. ,
,
ISA .
,
.
, ISA.
, ISA
-
,
.
,
. ?»
:« :«
,
».
, .
-
. ,
,
. ,
.
,
-
, ,
.
-
, . ,
.
,
, .
-
, . , , . >
.
, ,
,
,
. ,
Web, — HTTP, HTTP .
, Web-
,
Microsoft
Microsoft, 9:00 17:00,
,
, . ,
-
,
, , «
,
. *,
-
—
, .
: ■ ■ ■ ■
1: 2: 3: 4: . 4.1
; ; ; . —
.
1:
. HI
>
, . .
1:
. 4.1.
.
-
, ,
,
.
, . ,
-
, . ,
,
-
, —
. , . , ,
. .
,
,
. —
.
,
,
,
.
,
, ,
,
.
,
, (
,
). ,
,
,
, ,
,
,
, .
, ,
-
,
. ,
,
,
. , ( ).
,
,
, ,
-
.
—
,
. ,
, ,
,
,
, ,
(
,
,
;
, ),
.
-
,
.
,
«
-
»
.
, ,
-
,
. ,
,
.(
, .)
,
. ( ).
-
, ,
. , ,
-
. ,
,
. (
-
, ). —
. ,
,
-
, ,
,
.
,
,
, . ,
,
,
,
.
, .
-
,
,
,
-
. , .
.
. 4.1
,
-
. . 4.1. _____________________________________ . ,
;
, , ,
,
. , , (
.
.
.)
Table 4.1 (continued)
, ,
-
«
» , , ,
:«
,
,
ISA
,
,
ISA
-
». ,
ISA
«
»,
-
, .
, ? , ,
.«
-
» ,
ASIC ( . . X, Y
)
Z.
X
,
,
,
: «Windows
», . 4.2
.
,
Y Z Y Z, ,
. . 4.2. ________________________________________________ _ _ _
X
Windows
Z
, ,
, ,
-
,
-
. ,
. , , , . , ,
, , ( ).
, HTTP, HTTPS
IMAP4,
-
-
80, 143
443.
4 . ,
,
, . :«
, ISA»,
,
-
, ,
.
2 —
, .
-
. 4.2 . , . ,
-
,
. ,
-
, 5
/ ,
10 ,
;
/ . ,
-
, 2,5
/ .
2:
. ,
. . и
.
/ /
. 4.2.
/
.
2:
,
.
, ( «
»),
, ,
HTTP-
.
, ,
,
, HTTP
-
. ISA Server 2004.
-
ISA Server 2004 , , (
, .
,
,
) ISA Server 2004 , .
-
3, . ,
,
,
, .
— . ,
, ,
.
. 43 3-
3:
.
,
. ,
, . /
. ,
,
/
,
. .
,
. 4.3.
.
3:
ISA Server 2004. . , .
-
, ,
,
, /
-
. /
. ,
, /
,
:
■ ,
-
,
' ■
; , -
,
,
,
,
;
■
,
; ;
■
. , . ISA Server 2004 ,
-
. Web-
,
:
■
TCP (
UDP-
, ISA Server 2004);
■
, TCP
UDP-
ISA Server 2004; IP,
■ ; ■
, ;
■ ,
. . -
, .
,
,
ISA Server 2004
1,5 .
/
4 .
4—
-
. .
4:
,
. 4.4
4.
. ,
, ,
, . ,
.
, ',
'
, IPSec
,
,
, .
,
,
.
. 4.4.
4:
,
, .
, -
,
,
,
.
, : ■
,
,
, .
«
-
», ;! ; IPSec ( ,
,
) ,
-
.
,
,
IPSec, ;
■
-
, .
, , (
,
HTML );
■ , ; ■
, ;
■
, , SMTP-
. ,
,
,
,
, ,
;
■ , ,
. ,
(scumware),
-
,
,
,
(rootkit)
, . .
-
. ,
,
,
,
ISA, ,
,
.
, :«
, ,
ISA
,
» «
,
: -
, ». ,
,
,
, ,
,
, -
. ISA ISA ISA
.
ISA /
.
,
ISA ISA
-
,
ISA,
.
,
-
ISA. ■
. .
■
, Windows. ,
Windows.
■
ISA Server
-
, ■
. Intel,
ISA ,
«
»,
. ■ « ■
. ISA Server». , , . .
ISA ■
,
, ISA;
:
■
, Bluecoat) ,
■
-
, CacheFlow (
Squid; , . ,
ISA, .
,
ISA ,
-
, , (
,
, ISA OWA MAPI/RPC,
), Microsoft Exchange,
-
,
. ,
ISA,
,
,
Web-
-
«ISA »(
,
-
,
). ISA
-
, , ,
1990.
., ,
, .
,
( (
ASIC)
ASIC)
«
,
».
-
, Checkpoint .
1990-
.
.
-
, , ,
. ASIC,
. ,
-
, ,
.
, ASIC, : http://www.issadvisor.com/viewtopic.php?t=368.
-
, . ISA
, ,
, -
,
.
, Windows . ,
,
-
ISA
Windows, .
.
,
, Windows:
ISA
■
ISA .
. ISA, ;
■
, , (
RPC ISA
Blaster). , , RPC
. RPC ,
. IIS ,
,
Blaster IIS (
IIS SMTP) ,
.
.
ISA
,
,
, ;
■
. , ,
, ;
■
. .
,
, ISA.
(
)
; ■
,
Windows, Exchange,
SQL, SharePoint
Microsoft? ,
■ ISA. Windows Server 2003 SP1 Configuration Wizard,
SCW (Security ), SCW;
■ .
ISA Server 2004 . ,
ISA. ISA Server 2000, , .
, ,
,
-
Windows Server 2003 Windows 2000,
.
, , ,
-
.
ISA
«
,
»
ISA -
. .
,
, IP, -
: ICMP — IP-
ICMP. . .
ISA .
(
2
« «
OSI) ». ,
»
, .
, ,
,
, .
,
(
)
-
, ( 4
OSI).
TCP
UDP
,
.
UDP
«
», . ,
,
. .
, (
-
). , .
,
ISA,
,
,
,
.
, 1
-
.
, ,
2
3,
. -
.
, .
-
HTTP-
,
,
,
, .
-
One example is a directory traversal attack carried in an ordinary HTTP request, such as

    http://www.iusepixfirewalls.com/scripts/..%5c../winnt/system32/cmd.exe?/c+dir+c:\

which asks the Web server to run «dir c:\». On the wire it is simply HTTP.
«%5c» is the URL encoding of the backslash «\». IIS decodes it and treats it as a path separator, so «..%5c..» walks the Web server out of the /scripts virtual directory and on to cmd.exe. The same trick works with other encodings of «../», for example «%2e%2e/». A packet filter sees a well-formed HTTP request on port 80 and passes it; a firewall that inspects the decoded request, as the ISA firewall's HTTP filter does, can block it.
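The normalisation an application-layer filter has to perform before it can judge a request like the one above, as an added example that is not code from the book or from the ISA Server HTTP filter: repeated percent-decoding (to catch double encoding such as %255c), backslash-to-slash conversion as IIS does it, and resolution of «.» and «..» segments. Overlong UTF-8 sequences are outside its scope. The sample request lines are constructed.

```python
"""Request-path normalisation for an HTTP application-layer filter.

Added example, not code from the book or from ISA Server.  Decodes
percent-encoding repeatedly (double encoding such as %255c), treats an encoded
backslash like a slash (as IIS does), resolves '.' and '..' and reports
traversal attempts.  Sample requests below are constructed.
"""
from urllib.parse import unquote


def decode_path(raw_path: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), then unify separators."""
    path = raw_path.split("?", 1)[0]          # the query string is not part of the path
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded                        # '%255c' -> '%5c' -> '\'
    return path.replace("\\", "/")            # IIS accepts either separator


def canonical_path(raw_path: str) -> str:
    """Resolve '.' and '..' segments.

    Raises ValueError if the path climbs above the Web root, which is what the
    /scripts/..%5c../winnt/... request does once decoded.
    """
    out = []
    for seg in decode_path(raw_path).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not out:
                raise ValueError("path escapes the Web root: %r" % raw_path)
            out.pop()
        else:
            out.append(seg)
    return "/" + "/".join(out)


def is_traversal(raw_path: str) -> bool:
    """True for any request that contains a '..' segment in any encoding.

    A filter that only scans the raw bytes for '../' misses %5c and %255c;
    deciding on the decoded form closes that gap.
    """
    return ".." in decode_path(raw_path).split("/")


def check_request_line(line: str) -> str:
    """Verdict ('allow', 'block' or 'malformed') for an HTTP request line."""
    try:
        _method, target, _version = line.split(" ", 2)
    except ValueError:
        return "malformed"
    return "block" if is_traversal(target) else "allow"


# Constructed sample traffic: one benign request and three traversal variants.
SAMPLE_REQUESTS = [
    "GET /default.asp HTTP/1.0",
    "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0",
    "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0",
    "GET /images/%2e%2e/web.config HTTP/1.0",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(check_request_line(req).ljust(6), req)
```

The decoded comparison is what lets the filter apply a URL set or path rule to the request the server will actually see, rather than to the bytes the attacker chose to send.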
,
,
,
),
-
,
. : SMTP, NNTP, ISA Server 2004,
IMP, POP3, IMAP4
-
.
, , . ,
,
-
,
, ,
-
, ASIC (
).
ISA
Intel, «
» ,
Exchange, SQL, FTP, Web, Intel
-
? :
■
,
, .
, ■
;
,
, ,
. , ;
,
■
ISA Server 2004 ,
, . ,
, , ;
■
■ « » MTBF (Mean Time Between Failures, ) . Electronics, )
. IDE (Integrated Device . ISA Server 2004 XML. 15
, , , . , . ,
,
.
ISA
ISA , .
, 30
!
ISA Server «
,
ISA Server. ISA Server, ,
?» ISA. ISA
,
, , ISA
, ,
ISA, ,
. ,
.
-
, ,
«
ISA Server 2004 ISA »,
ISA Server 2000. ISA , Web-
.
. -
,
ISA
-
. ,
ISA Web.
,
ISA ISA
-
, .
, Web-
,
,
ISA , —
, HTTP/HTTPS.
, ,
ISA Server 2004 ,
,
,
,
. -
, OWA,
,
-
ISA , ActiveSync IIS. ISA Server 2004,
,
-
-
.
ISA ISA ■
.
ISA
, ,
.
■ Microsoft
.
■ , . ■
ISA . -
,
.
, ISA.
ISA ,
.
■
ISA ASIC
,
. ■
ISA
, .
.
, ISA,
, ISA,
,
, , ISA,
,
.
,
,
ISA,
.
ISA
-
,
.
,
, ISA.
,
ISA
,
,
ISA -
, /
-
.
. 4.5 . , ,
-. .
,
,
DMZ ( )
LAN .
DMZ (
.
. 4.6).
ISA
.
,
ISA /
.
ISA Server 2004 (
. 4.5.
. 4.6.
DMZ
, .
-
ISA , .
-
ISA Server 2004
ISA S ,
^
. : .
. Microsoft Virtual PC VMware VMware, Microsoft Virtual PC Virtual Server ISA.
* Workstation.
—
. *.
.
. 4.7
,
.
Exchange . 4.7.
. 43
4.4
, .
[Tables 4.3 and 4.4 (lab virtual machines); only fragments survived extraction. Machines listed: CLIENT, ISALOCAL, EXCHANGE2003BE, EXCHANGE 2003FE, REMOTEISA SERVER, REMOTECLIENT, EXTCLIENT, EXTERNAL WEB, EXTERNAL WEB2, BRANCH WEB SERVER, DSL ROUTER. Addresses that appear: ISALOCAL Int: 10.0.0.1, Ext: 192.168.1.70, Dmz: 172.16.0.1, gateway 192.168.1.60; EXCHANGE 2003FE 172.16.0.2; 10.0.0.2 and 10.0.0.3 on the internal network; EXTCLIENT 192.168.1.90; REMOTEISA Int: 10.0.1.1, Ext: 192.168.1.71; 10.0.1.2; 172.16.1.1 and 172.16.1.2; DSL ROUTER Int: 192.168.1.60, Ext: public. One Windows Server 2003 machine is the domain controller for msfirewall.org and runs DNS, WINS, DHCP, RADIUS and an Enterprise CA. Operating systems: Windows Server 2003, Windows 2000, Windows XP; ISA 2004 on ISALOCAL and REMOTEISA; SMTP, WWW, NNTP and FTP on the Web servers; RAM 64 or 128 MB; VMnet assignments per adapter (Int/Ext/Dmz columns, e.g. VMNet2).]
—
,
. , ;
.
VMNet —
VMware. VMNet
3
-
, Ethernet, .
EXTERNALWEB —
Web-
.
ISA REMOTEISA
"
-
,
DNS-
,
ISA
.
5
Active Directory, DNS-
, — msfirewall.org. ,
Active Directory.
,
, VMware .
. . 4.3
4.4. , ,
Pentium IV (1,5
1
)
-
,
.
,
. Ethernet.
VMnet
, , ISA VMnet.
(ID) ,
.
, ,
, . 4.3
-
4.4
. 4.7. ,
. NALCLIENT , IP-
VMnet .
, Windows XP REMOTECLIENT. VMnet
, .
CLIENT, EXTER,—
-
, ISA. .
-
, ISALOCAL ,
VMware Workstation 4.0. VMware
ISA
VMware ,
-
. ,
VMware
-
-
Virtual PC .
Microsoft
Virtual PC .
PC
Virtual
ISA ,
.
VMware
,
,
. Virtual PC: www.microsoft.com/windows/virtualpc/default.mspx.
:
ISALOCAL VMware Workstation, . http:// ,
www.vmware.com/download/ http://www.vmware.com/support/ws45/doc/ ,
.
,
VMware Workstation. ,
ISALOCAL Windows Server 2003,
ISA
, CD (« iso». MSDN (Microsoft Developer Network,
-
-
soft, Windows Server 2003 ,
-
iso Micro).
-
,
«.iso» -
VMware Workstation,
«iso» , Windows Server 2003.
iso,
«iso».
, -
iso.
,
,
.
WinISO, www.winiso.com/. The Windows Server 2003 Enterprise Edition evaluation version can be downloaded as an iso image from https://microsoft.order-5.com/windowsserver2003evaldl/. iso, . iso-
.
iso,
ISALOCAL VMware. VMware Workstation ( VMware) ( . 4.8) New Virtual Machine ( ).
. 4.8.
2.
VMware Workstation (
Next ( Wizard (
iso-
ISA 2004.
)
. 1.
VMware)
Welcome to the New Virtual Machine ).
3.
Select the Appropriate Configuration ( ) (
4. (
)
. 4.9.
5.
Custom (
).
Next
). Select a Guest Operating System ( ) ( . 4.9) Microsoft Windows. Windows Server 2003 Enterprise Edition.
Select a Guest Operating System ( )
Name the Virtual Machine ( . 410) — ISALOCAL Location ( ). Next ( (
. 4.10.
Version Next ( ).
Name the Virtual Machine (
) -
, ).
)
Memory for the Virtual Machine ( (
. 4.11) . ISALOCAL .
. 4.11.
7
) -
, 128 Next (
ISA .
128
).
Memory for the Virtual Machine (
Network Type ( networking (
)(
)
. 4.1 2)
Use bridged . IP,
).
,
. ISA ISALOCAL.
-
ISALOCAL -
(
DSL-
DMZ).
). , ISALOCAL VMnet2 ( Next ( ). Select I/O Adapter Types (
8.
)
)
VMNet4 (
Next (
9.
Select a Disk ( Virtual Disk (
)
). Create a New
). . .
Next (
).
Network Type (
. 4.12.
)
10.
Select a Disk Type ( (Recommended) (IDE, ) 11. Specify Disk Capacity ( 4.0 Windows Server 2003
) Next (
IDE ).
)( Disk size (GB) (
. 4.13) , ISA
,
). -
,
.
,
-
. , ,
.
. 4.13.
Specify Disk Capacity (
Next (
).
)
12.
Specify Disk File ( ) Finish ( ). 13ISALOCAL VM, Settings ( ). Virtual Machine Control Panel ( ) Hardware ( ). Hardware Add ( ). Next Welcome to the Add Hardware Wizard ( ). Hardware Type ( )( . 4.14) Ethernet Adapter ( Ethernet) Next ( ).
14.
15. 16.
. 4.14.
17.
Hardware Type (
Network Type ( VMNet2 .
18.
)
)
Custom ( . Finish (
). Device (
).
)
NIC 2. 19-
20. ( 21.
Virtual Machine Control Panel ( Hardware ( ). ) Add ( ). ) Welcome to the Add Hardware Wizard ). Hardware Type ( )( . 4.15) Ethernet Adapter ( Ethernet) Next ( ).
) Hardware ( Next (
. 4.15.
22.
Hardware Type (
Network Type ( VMNet4 DMZ.
)
)
Custom (
).
. Finish (
).
23.
Device NIC3.
24. 25.
CD-ROM I (IDE 1:0) Device ( ( . 4.16) iso) Browse ( isoWindows Server 2003.
(
. 4.16.
iso
). Use ISO image )
26.
Device Remove (
USB Controller (
USB).
).
27.
Virtual Machine Control Panel ( ).
Windows Server 2003. Server 2003 . 1. ISALOCAL — VMware Workstation ( Start this virtual machine ( , iso-
, Windows . 4.1 7) )(
. 4.17).
.
. 4.17.
2. 3. 4. 5. 6. system ( 7. iso
Setup Notification ( ), .
Welcome to Setup ( ).
Windows Licensing Agreement ( Windows).
Partition Setup ( ). Format the partition using the NTFS file NTFS) . . Windows Server 2003 . .
8. . 9.
Next ( ).
)
Regional and Language Options (
10.
Personalize Your Soft ware (
).
Next (
).
11.
Your Product Key ( ). Next ( ). 12. Licensing Modes ( ) 500 Per server. Number of concurrent connections ( ). Next ( ). 13Computer Name and Administrator Password ( ) ISALOCAL Computer name ( ). Administrator password ( ) Confirm password ( ). Next ( ). 14. Yes ( ) Windows Setup ( Windows), , . 15. , Date and Time Settings ( ). Next ( ). 16. Networking Settings ( ) Typical settings ( ) Next ( ). 17. Workgroup or Computer Domain ( ) . EXCHANGE2 (VMNet2) ISALOCAL msfirewall.org. Next ( ). 18. , . 19. ISALOCAL . Windows Server 2003 IP-
, -
. ISALOCAL .
1. 2.
3-
ISALOCAL Install VMware Tools ( ISALOCAL
Next ( VMware Tools (
)
Install (
VM VMware). ).
Welcome to the installation wizard for VMware).
4. 5.
Setup Type ( Next ( ). Install ( ).
) )
Complete (
)
Ready to Install the Program (
6.
Hardware Installation ( Continue Anyway ( ). 7. Yes ( ) VMware Tools Installation ( VMware), , . 8. Windows Server 2003, . 9NotePad ( ), HWAccel.txt. 10. Advanced ( ) Settings ( ) Display Properties ( ). 11. Default Monitor and Standard VGA Graphics Adapter Properties ( : VGA) Troubleshoot ( ). 12. Troubleshoot ( ) Full ( ). Apply ( ), . 13Display Properties ( ) . 14. Installation Wizard Completed ( ) Finish ( ). 15. VMware Tools ( VMware) Yes ( ). ISALOCAL Windows Server 2003 . 16. . )
—
.
1. Properties (
2. 3. 4.
5. 6.
). Display Properties ( ) Desktop ( ). Desktop ( ) Customize Desktop ( ). Desktop Items ( ) General ( ). General ( ) My Documents ( ), My Computer ( ), My Network Places ( ) Internet Explorer. . Apply ( ), Display Properties ( ). My Network Places ( ) Properties ( ).
7. ) Rename ( 8. 2) 9. 3)
Local Area Connection ( Network Connections ( ). WAN. Local Area Connection 2 ( Rename. LAN. Local Area Connection 3 ( Rename ( ).
)
DMZ. IPISA. WAN
I
. Properties (
-
). WAN Properties ( net Protocol (TCP/IP) ( ( ). General ( ) Properties ( IP, . 4.18.
. 4.18.
4. 5.
) , TCP/IP)
InterProperties
Internet Protocol (TCP/IP) , TCP/IP)
IP-
Advanced... ( ...). Advanced TCP/IP Settings ( IP) DNS. DNS connection's addresses in DNS ( DNS). .
TCP/ Register this
6. 7.
Close ( ).
Internet Protocol (TCP/IP) Properties ( , TCP/IP). ) WAN Properties ( IP-
LAN
-
. 1. 2.
LAN
LAN Properties ( Internet Protocol (TCP/IP) ( ties ( ). 3. General ( ) Properties ( IP,
. 4.19.
4. 5.
Properties ( ) , TCP/IP)
). Proper
Internet Protocol (TCP/IP) , TCP/IP) ( . 4.19) . 4.19.
IP-
Advanced... ( ...). Advanced TCP/IP Settings ( TCP/IP) DNS. DNS Register this connection's addresses in DNS ( DNS). 6. WINS ( . 420). WINS Add ( ). WINS Server (WINSTCP/IP) IPWINS. ISA WINS. 10.0.0.2 . Add ( ).
. 4.20.
WINS-
7.
Advanced TCP/IP Settings ( TCP/IP).
8.
Properties (
Internet Protocol (TCP/IP) Properties ( , TCP/IP). 9. LAN ). DMZ
IPISA.
-
DMZ
. 1.
DMZ
Properties (
). 2.
3.
4. 5.
6. 7.
DMZ Properties ( ) Internet Protocol (TCP/IP) ( , TCP/IP) Properties ( ). General ( ) Internet Protocol (TCP/IP) Properties ( , TCP/IP) IP, 4.21. Advanced... ( ...). Advanced TCP/IP Settings ( TCP/ IP) DNS. DNS Register this connection's addresses in DNS ( DNS). Internet Protocol (TCP/IP) Properties ( TCP/IP). DMZ Properties ( ).
. 4.21.
IP-
Windows Server 2003 ISA. Snapshot ( ) ISALOCAL-VMware WorkSave Snapshot ( ). , ISA , ISA.
. station . 6 , ISALOCAL,
ISA.
IP-
,
. ping
, .
, ISALOCAL.
10.0.0.2 , ,
, ISALOCAL REMOTEISA EXCHANGE2OO3BE , , , IPVMnet. ,
■ ■ ■ ■ ■
, ISALOCAL; ISAREMOTE; CLIENT; EXCHANGE2003BE; REMOTECLIENT.
ping -
:
, REMOTECLIENT. , VPN-
, REMOTECLIENT, « - -
-
CLIENT VMnet .
IP»
9.
VMware Workstation 4.0 does not offer a fourth network adapter in its hardware wizard; Alessandro Perilli (http://www.virtualization.info) shows how to add one by editing the virtual machine's .vmx file with lines like these:

    ethernet3.present = "TRUE"
    ethernet3.addressType = "generated"
    ethernet3.generatedAddress = "00:0c:29:cb:7d:8f"
    ethernet3.generatedAddressOffset = "30"
    ethernet3.connectionType = "custom"
    ethernet3.vnet = "VMnet3"

The keys are present, addressType, generatedAddress, generatedAddressOffset, connectionType and vnet. VMware assigns the generatedAddress value itself; do not copy one machine's address into another.
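A small helper for the .vmx edit described above, as an added example that is not code from the book or from VMware: it finds the next free ethernetN index in the file, appends the same keys as the hand-written stanza and leaves the MAC address for VMware to generate. The sample .vmx text is constructed.

```python
"""Append a further virtual Ethernet adapter to a VMware Workstation .vmx file.

Added example, not code from the book or from VMware.  Finds the next free
ethernetN index, writes the keys the hand-edited stanza uses and lets VMware
generate the MAC address (addressType = generated).  SAMPLE_VMX is constructed.
"""
import re
from typing import List

_ETH_RE = re.compile(r"^\s*ethernet(\d+)\.", re.IGNORECASE)


def next_adapter_index(vmx_text: str) -> int:
    """0 for a machine with no adapters, otherwise one past the highest index."""
    used = {int(m.group(1)) for m in map(_ETH_RE.match, vmx_text.splitlines()) if m}
    return max(used) + 1 if used else 0


def adapter_stanza(index: int, vnet: str) -> List[str]:
    """Keys for a custom adapter bound to a VMnet; the MAC is left to VMware."""
    if not re.fullmatch(r"VMnet\d+", vnet, re.IGNORECASE):
        raise ValueError("vnet must look like VMnet3, got %r" % vnet)
    prefix = "ethernet%d." % index
    return [
        prefix + 'present = "TRUE"',
        prefix + 'connectionType = "custom"',
        prefix + 'vnet = "%s"' % vnet,
        prefix + 'addressType = "generated"',
    ]


def add_adapter(vmx_text: str, vnet: str) -> str:
    """Return the .vmx text with one more adapter on `vnet` appended."""
    lines = vmx_text.rstrip("\n").splitlines()
    lines.extend(adapter_stanza(next_adapter_index(vmx_text), vnet))
    return "\n".join(lines) + "\n"


# Constructed sample: a three-adapter ISALOCAL like the one built in this chapter.
SAMPLE_VMX = """\
config.version = "7"
displayName = "ISALOCAL"
ethernet0.present = "TRUE"
ethernet0.connectionType = "bridged"
ethernet1.present = "TRUE"
ethernet1.connectionType = "custom"
ethernet1.vnet = "VMnet2"
ethernet2.present = "TRUE"
ethernet2.connectionType = "custom"
ethernet2.vnet = "VMnet4"
"""

if __name__ == "__main__":
    print(add_adapter(SAMPLE_VMX, "VMnet3"), end="")
```

Edit the file only while the virtual machine is powered off; VMware reads the .vmx at power-on and will add the generatedAddress and generatedAddressOffset keys itself.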
ISA ISA Server 2000
, (untrusted). Table,
) LAT,
LAT. ISA Server 2000,
(trusted) LAT (Local Address ISA Server 2000. , . ISA : , LAT ISA Server 2000. :
DMZ ( ISA Server 2000. ISA Server 2000
, ,
DMZ . ISA Server 2000
ISA Server 2000, ), : DMZ -
DMZ ISA Server 2000.
■
LAT NAT (
).
,
, DMZ
■
NAT.
ISA Server 2000 DMZ.
ISA Server
2000
DM2, ; .
■
DMZ Web-
,
DMZ
.
■
DMZ , ,
FTP,
. FTP-
, LAT.
, . ISA Server 2000 DMZ. DMZ, DMZ ISA Server 2004 , DMZ
■ 2000 LAT. LAT,
. RRAS (Routing and Remote Access Service, ) RRAS
ISA Server
DMZ, ,
. Microsoft . ,
ISA Server 2000 LAT. . ISA Server
ISA ISA
2000
LAT, ISA.
-
ISA ISA. ISA . ,
DMZ
:
,
DMZ, DMZ
»
NAT «
-
« DMZ. NAT ,
»
.
-
, NAT
.
. 4.5
-
ISA
ISA Server 2000.
. 4.5.
ISA __________________________________________ , . -
_______________
— . . IRC-
,
-
, , . IRC,
,
ISA,
,
,
ISA,
-
ISA. ISA
.
-
,
, —
-
NAT.
NAT, ,
NAT
, ,
NAT-
-
. ,
ISA Server 2000 NAT
, LAT,
LAT Web.
,
, Web-
, Web,
.
,
, ISA Server 2000
-
Table 4.5 (continued)
ISA
— ISA Server 2000
. -
, , LAT,
LAT. LAT.
, ISA
-
ISA VPN-
ISA Server 2000
VPN-
LAT VPN-
.
ISA ,
VPN-
.
VPN-
ISA
VPN-
VPNISA
VPNVPN-
.
,
, . ,
VPN,
, ,
-
-
.
,
DMZ. ,
, (Network Group).
, . ,
-
,
,
,
URL
.
ISA Server 2000 VPNSecureNAT
,
VPN-
Web-
ISA,
. VPNISA, SecureNAT VPN-
VPN,
ISA SecureNAT . /
VPN-
.
ISA Server 2004: ISA 2004 (
multinetworking
) ISA.
,
,
-
.
,
ISA .
-
ISA . , .
,
DMZ
,
.
stateful ( ,
), . multinetworking,
,
,
ISA. -
, DSL,
,
,
,
1,
. ,
,
. , Rainfinity.
RainConnect
.
RainConnect ISA, -
ISA .
ISA 2004,
. ISA.
. 4.22
. 4.22.
ISA
, ISA. ISA, —
, .
.
:
, DMZ,
. ISA ,-
■
, . VPN-
■ ,
ISA
, DMZ WebRPC DM2
; . Exchange, WebOutlook 2003. ,
SQL. ;
■ . , Exchange.
, DMZ;
■ (
,
Windows Update).
.
,
Exchange
; ■ VPN, VPN-
DMZ, . / .
, ,
ExchangeUsers
Outlook MAPI .
Exchange, , Exchange Exchange. ,
Exchange RPCHTTP
CIFS (Common Internet File System, ),
. -
:
, .
VPN-
, ,
-
,
VPN-
.
ISA: ISA
,
ISA
, ISA.
ISA ■ ■ ■ ■ ■
VPN-
-
: (Local Host Network); (Internal Network); (External Network, default); (VPN Clients Network); VPN(Quarantined VPN Clients Network).
ISA 2004 ■
: ISA
. ; IP-
, ■ ,
;
■ ■
. IP-
, VPNIP,
VPN; ,
.
.
—
,
IP-
ISA. IP,
IP-
,
,
DMZ, ,
ISA -
, IP-
,
13
.
;
.
Properties ( ) Name\Configuration\Networks. ( ), Properties ( ). (
. 4.23.
) . . WebISA,
Networks ( ) Local Host ( Properties ( . 4.23).
ServerDetails ) ),
Web-
Local Host Network Properties ( . General ( ) Web Proxy (Web) . WebEnable Web Proxy clients ( ), , , Web.
Web-
-
ISA
Web-
,
-
. WebISA. Web-
-
.
,
Web,
WebIPWeb-
ISA, ISA
.
IP-
ISA — 192.168.1.1,
IPWeb,
.
Web-
. ,
VPN-
VPN-
,
,
,
,
.
,
,
. ,
ISA
192.168.1.1, ISA
. DMZ, DMZ. ISA -
172.16.0.1, , ,
,
, ,
, . ISA , SMTP-
, ISA. SMTP-
ISA. ISA
-
SMTPIP.
, -
ISA, ISA, .
ISA Server 2004 Server 2000. ISA Server 2000 (Local Address Table, LAT),
ISA , .
LAT (
) ISA Server 2000. , ISA Server 2000.
-
, LAT, ,
ISA Server 2000,
-
ISA ,
ISA. , ISA 2004. 30
-
ISA 2004
,
/
ISA.
,
-
. ISA 2004: ■ ■ ■
; Kerberos
ISA Server ; Microsoft CIFS (Common Internet ) ISA Server
File System, ; ■
NetBIOS ISA Server . . ISA — .
-
, , Active Directory, DNS-, DHCP-, WINS. ISA,
, ISA. . ,
. , DM2
ISA. . ISA,
.
.
ISA,
.
ServerName\ Configuration\Networks. ,
,
-
ISA. , ISA. Networks ( Internal network ( (
)
)
Details ( ).
), Addresses . 4.24.
,
. 4.24.
Addresses ( .
) ,
, . 4.25,
]
192.168.1.0/24, ISA. . Private ( . Add Private (
) . 4.25
, ).
Add
. 4.25. ,
-
, ,
.
,
, . Note that the Add Private ranges are broad: 192.168.0.0–192.168.255.255 covers both 192.168.1.0–192.168.1.255 and 192.168.2.0–192.168.2.255, so if 192.168.2.0/24 already belongs to another network, adding the private range here creates an overlap between networks. Add Private .
( )
-
Add Adapter ( Add Adapter (
. 4.26
). ).
Select Network Adapters ( , Windows , Windows
) ,
-
. ,
ISA. Windows, RIP (Routing Information Protocol,
-
)
OSPF (Open Shortest Path First, ).
-
. 4.26.
Add (
).
. 4.27
Add (
).
. 4.27.
Domains ( .
)(
,
. 4.28).
-
,
,
. ,
, ,
,
ISA.
ISA
, .
Domains (
) Web-
,
, , Domains (
. )
-
Web-
.
. 4.28.
Domains (
), .
,
. 4.29.
. 4.29 .
. : ISA ISA
,
. Active Directory ) Active Directory, .
) (
ISA , -
ISA ( . ,
-
— msfirewall.org. Domains (
). msfirewall.org, ISA msfirewall.org,
-
.
, ,
,
-
.
msfirewall.org
mains (
, DMZ,
)
.
msfirewall.org
DoHTTP, HTTPS -
( 7),
(HyperText Transfer Protocol Secure, ), FTP, SMTP . , ,
, .
,
ISA msfirewall.org
Domains (
).
,
-
, Domains (
, ISA
),
. -
SecureNAT, msfirewall.org ISA. SecureNAT
, ISA.
Domains ( .
,
) Web-
/
SecureNAT,
, -
.
,
.
Web-
. 4.30.
Internal Properties ( Web Browser (Web)( . 4.30).
)
Web-
, -
( 5). . Bypass proxy for Web servers in this network ( ). .
Web-
-
: *Bypass proxy for web servers in this network. Select this option
ifthe Web browser on the Firewall client computer should bypass the ISA Server computer when accessing local Web servers» ( Web. , WebISA Server Web). , Web. ? Web, , . , WebWeb, , WebWebISA Web. : , , ISA , .
■ Directly access computers specified on the Domains tab ( , Web-
).
,
,
, . Web-
Domains (
)
WebWeb-
SecureNAT, .
ISA
, Domains (
, ),
, DMZ ■ Directly access these servers or domains ( ). , WebWeb, , Outlook Express Hotmail. Web, Web-
. . IPISA. ,
,
, SecureNAT . ■ If ISA Server is unavailable, use this backup route to connect to the Internet: Direct access or Alternative ISA Server ( ISA Server , : ISA Server). , , ISA , . ISA , WebISA, . Direct Access ( ) , Web, . SecureNAT, . Alternative ISA Server ( ISA Server) FQDN (Fully Qualified Domain Name, ) IPISA, Web. Browse ( ) . Alternative ISA Server ( ISA Server) FQDN, , ISA FQDN
ISA Server 2004
IP-
,
ISA
Web-
,
, — . , WPAD (Web Web) Web. . (bypass list) , CERN ( , ISA 2004). WebWeb-
.
Proxy Autodiscovery Protocol, , Web, Web-
.
,
Web Proxy (WebWebWeb-
),
Web, Web Proxy clients ( Web). Enable HTTP ( HTTP) Web, . 4.31.
. 4.31.
-
. ,
Web-
Web Proxy (Web-
)
WebEnable
WebISA.
WebWeb-
,
.
Enable SSL ( ISA Server 2000 , WebSSL. WebWeb. Web-
SSL)
Web Proxy (Web,
SSL-
Web, , WebSSLWeb-
,
)
WebWebWeb-
,
,
.
WebWebSSL-
SSLWeb-
-
WebWeb Proxy ,
HTTP, SSL)?
Enable SSL ( WebWeb. Web-
SSLHTTP-SSL
,
HTTP. Web-
(Web-
) -
URL
ISA. -
-
.
,
,
, ,
-
-
, , , Web.
.
. -
Internet Explorer
,
ISA
-
, ISA.
.
,
ISA
-
. ISA .
-
ISA , IPv4
.
-
, ,
. -
. , .
-
.
VPNVPN-
. ISA,
VPNVPN, ISA,
VPNVPNVPN-
, VPN-
, ,
.
VPN-
.
, VPN,
, VPN-
. ISA,
VPNIP-
,
-
. ,
DHCP.
VPN-
DHCP, DHCP,
VPN.
.
, , VPN-
.
ISA
9, VPN-
.
VPNVPN, ISA.
, VPNVPNVPN-
ISA. VPN, ISA,
, ISA.
: Federic Esnouf, MVP VPN-
, . Federic VPN: http://fesnouf.online.fr/programs/QSS/qssinaction/QssInAction.htm.
VPN,
VPN-
,
ISA VPN-
VPNVPNVPN-
.
ISA, , .
,
,
,
, ISA
,
ISA. -
. , ,
ISA. ISA .
ISA , . , ISA.
,
,
ISA DMZ, DMZ, , ,
: .
, ,
DMZ,
— : , DMZ, a ISA. ISA,
DMZ. 192.168.1.0/24
ISA
IP-
DMZ
.
10.0.0.0/24. 172.16.0.1/16,
-
: Microsoft Internet Security and Acceleration Server 2004 , Configuration ( ). Networks ( ). Tasks ( ) . Create a New Network ( ). Welcome to the New Network Wizard ( ) Network name ( ). DMZ. Next ( ). Network Type ( ) Perimeter Network ( )( . 4.32). : Internal Network ( )— , « * ISA. , ISA « », , . « » . Properties ( ) , , ; D Perimeter Network ( )— DMZ. , , . Properties ( ) , . , , , — DMZ; D VPN Site-to-Site Network ( VPN « - ») — VPN« - » . VPN VPN« - »; D External Network ( )— , « » ISA. ISA , : , ISA, , ISA, . , , , Properties ( ) . Next ( ).
Fig. 4.32.
6. □ Add (
.
Network Addressees ( . )— ,
)(
. 4.33) :
. IP-
□ Add Adapter (
;
)— . Windows, Windows .
, , ; □ Add Private (
). ,
. , .
Add Adapter ( )— Select Network Adapters ( )( . . 4.33). DMZ ( Network and Dial-up Connections — dial-up ). , , Network Interfaces Information ( ). .
-
. 4.33.
7. 8.
Next ( Finish (
) )
( 9.
Apply ( .
10.
),
Network Addresses ( ). Completing the New Network Wizard ). Apply New Configuration (
). 11.
Networks (
. 4.34).
. 4.34.
, , . (Network Rules).
: ■ Route ( »
).
ISA «
,
«
»
.
,
,
,
. , «
,
».
,
, «
». —
, , ,
(
, ,
,
ISA
). ,
«
IP,
, «
»
( ,
IP-
IP-
). »
, ,
NAT. ■ NAT.
ISA NAT
.
NAT , .
NAT IP-
, .
,
, DMZ.
,
-
—
NAT —
-
DMZ. DMZ, IP-
,
;
DMZ. , ,
, — DMZ,
DMZ ,
I P,
;
. , Web-
NAT ,
. . ,
, -
ISA
-
, , .
-
ISA. , DMZ. , «
».
-
, DMZ.
IP-
, ,
DMZ, NAT, NAT.
,
-
: 1. Microsoft Internet Security and Acceleration Server 2004 , Configuration ( ). Networks ( ). 2. Networks ( ) Network Rules ( ) Details ( ) . 3. Task ( ) Tasks ( ). Create a New Network Rule ( ). 4Welcome to the New Network Rule Wizard ( ) Network rule name ( ). : Internal aDMZ. Next ( ). 5. Network Traffic Sources ( ) Add ( ). 6. Add Network Entities ( ) Networks ( ). Internal ( ). Close ( ). 7. Next ( ) Network Traffic Sources ( ). 8. Network Traffic Destinations ( ) Add ( ). 9. Add Network Entities ( ) Networks ( ). DMZ. Close ( ). 10. Network Traffic Destinations ( ) Next ( ). 11. Network Relationship ( ) Route ( )( . 4.35). Next ( ).
. 4.35.
12.
Finish (
)
Completing the New Network Rule ).
Wizard ( 13.
Apply ( .
),
14.
Apply New Configuration ( ).
15.
Network Rules ( ) Microsoft Internet Secu
Details ( ) rity and Acceleration Server 2004.
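The network model this section has built up, as one added example that is not code from the book or from ISA Server: networks as sets of address ranges that must not overlap (including the Add Private trap described for the Addresses tab, where 192.168.0.0/16 added to Internal collides with a 192.168.2.0/24 DMZ), the External network as everything not defined elsewhere, and network rules that give each source/destination pair a Route (bidirectional) or NAT (one-way) relationship, first match winning. The lab addresses follow this chapter (10.0.0.0/24 internal, 172.16.0.0/16 DMZ); the rule names are constructed.

```python
"""ISA-style networks and network rules (Route vs NAT).

Added example, not code from the book or from ISA Server.  Networks are sets
of address ranges that must not overlap; an address in no defined network
falls into External; network rules are evaluated in order and give the pair a
Route (bidirectional) or NAT (source -> destination only) relationship.
Lab addresses follow the chapter; rule names are constructed.
"""
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


class Network:
    """An ISA network: a name and the address ranges that belong to it."""

    def __init__(self, name: str, cidrs: List[str]):
        self.name = name
        self.ranges = [ip_network(c, strict=False) for c in cidrs]

    def contains(self, addr) -> bool:
        return any(addr in r for r in self.ranges)


def check_no_overlap(networks: List[Network]) -> List[Tuple[str, str, str]]:
    """ISA refuses overlapping networks; return every offending pair and the
    more specific of the two ranges."""
    problems = []
    for i, a in enumerate(networks):
        for b in networks[i + 1:]:
            for ra in a.ranges:
                for rb in b.ranges:
                    if ra.overlaps(rb):
                        inner = ra if ra.prefixlen >= rb.prefixlen else rb
                        problems.append((a.name, b.name, str(inner)))
    return problems


def lookup_network(networks: List[Network], addr: str) -> str:
    """Name of the network an address belongs to; External is the fallback
    because ISA defines it as everything not defined elsewhere."""
    ip = ip_address(addr)
    for net in networks:
        if net.contains(ip):
            return net.name
    return "External"


class NetworkRule:
    """Route is bidirectional; NAT applies only from sources to destinations."""

    def __init__(self, name: str, sources: Set[str], destinations: Set[str], relationship: str):
        if relationship not in ("Route", "NAT"):
            raise ValueError("relationship must be Route or NAT")
        self.name, self.sources, self.destinations, self.relationship = name, sources, destinations, relationship


def relationship_for(rules: List[NetworkRule], networks: List[Network], src: str, dst: str) -> Optional[str]:
    """First matching network rule wins.  None means no network rule exists
    for the pair, and ISA then passes no traffic between them regardless of
    the access rules."""
    s, d = lookup_network(networks, src), lookup_network(networks, dst)
    for rule in rules:
        if s in rule.sources and d in rule.destinations:
            return rule.relationship
        if rule.relationship == "Route" and d in rule.sources and s in rule.destinations:
            return "Route"
    return None


def lab_networks() -> List[Network]:
    return [Network("Internal", ["10.0.0.0/24"]), Network("DMZ", ["172.16.0.0/16"])]


def lab_rules() -> List[NetworkRule]:
    return [
        NetworkRule("Internal to DMZ", {"Internal"}, {"DMZ"}, "Route"),      # the rule created above
        NetworkRule("Internet Access", {"Internal"}, {"External"}, "NAT"),   # constructed default-style rule
    ]


def overlap_demo() -> List[Tuple[str, str, str]]:
    """The Add Private trap: 192.168.0.0/16 on Internal swallows a 192.168.2.0/24 DMZ."""
    nets = [Network("Internal", ["192.168.1.0/24", "192.168.0.0/16"]),
            Network("DMZ", ["192.168.2.0/24"])]
    return check_no_overlap(nets)


if __name__ == "__main__":
    nets, rules = lab_networks(), lab_rules()
    for src, dst in [("10.0.0.5", "172.16.0.2"), ("172.16.0.2", "10.0.0.5"),
                     ("10.0.0.5", "8.8.8.8"), ("8.8.8.8", "10.0.0.5")]:
        print(src, "->", dst, ":", relationship_for(rules, nets, src, dst))
    print("overlap problems:", overlap_demo())
```

Running it shows the asymmetry that matters for the DMZ design: Internal and DMZ reach each other with real addresses under Route, Internal reaches the Internet only through NAT, and the reverse direction has no network rule at all, so a publishing rule (not an access rule) is what would open it.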
ISA 2004 ISA
-
,
. ISA
,
. ISA
■ ■ ■ ■ ■ ■ ■
Networks ( ); Network Sets ( Computers ( Address Ranges ( Subnets ( ); Computer Sets ( URL Sets (
: );
); ); ); URL);
■ Domain Name Sets ( ■ Web Listeners (Web-
); ).
.
ISA. -
, ,
ISA
,
,
,
,
ISA. Networks ( ,
Internet Security and Acceleration Server 2004
Microsoft ). -
.
. : • All Networks (and local host) ( All Protected Networks (
);
).
All Networks (and local host) ( .
)
,
-
. ISA
-
,
.
All Protected Networks ( ISA, All Protected Networks (
, .
) )
,
,
-
ISA. Network Sets (
, 1. 2004 2.
3.
) . Microsoft Internet Security and Acceleration Server , Firewall Policy (
). Task ( ) Network Objects ( Network Sets ( .
Toolbox ( ). ISA. ).
). ,
4.
Network Sets ( ( . 4.36).
)
. 4.36.
, ,
, -
. ,
VPN-
. , 1. 2004
). Task ( ) Network Objects (
2.
3.
. ( . . 4.37): Microsoft Internet Security and Acceleration Server , Firewall Policy ( Toolbox ( ). ISA. ).
Network Sets ( Network Set ( ). Welcome to the New Network Set Wizard ( ) Network set name ( — VPN and Internal. Next ( ). Network Selection ( ) selected networks ( ). Includes all networks except the selected network ( ),
). , New (
-
),
).
Includes all , -
, (
.
)
VPN Clients (VPN).
Next (
)
Internal (
Name -
).
. 4.37.
6.
Finish (
)
Completing the New Network Set Wizard ).
( 7.
Apply ( .
),
8. 9.
Apply New Configuration ( ). Network Sets (
)
.
,
,
.
,
DNS-
, DNS
-
.
DNS.
DNS,
DNSDNS ISP. DNS-
,
-
, DNSDNS-cep-
ISA
. . (
.
. 4.38):
Microsoft Internet Security and Acceleration Server , Firewall Policy ( -
2004
). Task ( ) Toolbox ( ). Network Objects ( ). New ( ), Computer ( ). New Computer Rule Element ( ) , — DNS Server. IP, Computer IP Address (IP). , , Browse ( ), , ISA . Description (optional) ( , ). .
. 4.38.
5. 6.
Computer Objects. Apply ( .
),
7.
Apply New Configuration ( ).
IP-
-
,
-
, , ,
ISA, »,
« . ,
, . .
( . . 4.39): Microsoft Internet Security and Acceleration Server , Firewall Policy (
1. 2004
). Task ( ) Network Objects ( New (
2. 3.
),
Toolbox ( ). ). Address Range (
). 4.
New Address Range Rule Element ( ) (
). ),
). tion (optional) (
,
).
Name Start Address ( End Address ( Descrip .
. 4.39.
5. 6.
Address Ranges ( Apply ( .
7.
).
), Apply New Configuration (
).
, .
,
-
.
, . ( . . 440). Microsoft Internet Security and Acceleration Server , Firewall Policy ( .
1. 2004 2. 3.
4 )
). Task ( ) Toolbox ( ). Network Objects ( ). New ( ), Subnet ( ). New Subnet Rule Element ( Name ( ) . Network address ( ), Network mask (
)
. Description (optional) (
).
,
.
. 4.40,
5. 6.
Subnets ( Apply ( .
7.
).
), Apply New Configuration (
).
IP,
.
,
. -
, ,
-
,
Windows
, -
. :
■ Anywhere ( ); ■ IPSec Remote Gateways ( ■ Remote Management Computers (
IPSec); ).
Anywhere (
)
-
IPv4.
, .
,
ISA DHCPAnywhere ( ), DHCP. IPSec Remote Gateways ( VPN-
«
,
- -
IPSec. ,
VPN-
»
IPSec) .
Remote Management Computers ( )
ISA ,
ISA. 1. 2004 2. 3. 4. 5.
6. 7.
,
. Microsoft Internet Security and Acceleration Server , Firewall Policy (
). Task ( ) Toolbox ( ), Network Objects ( ). Computer Sets ( ). Remote Management Computers ( ), Edit ( ). Add ( ) Remote Management Computers Properties ( ). Computer ( ), Address Range ( ) Subnet ( ) . New Rule Element ( ) . Apply ( ), .
8.
OK
Apply New Configuration ( ). , .
,
-
, . , ,
SMTP-
Exchange. ,
-
, , , ( . . 4.41). 1. 2004 2. 3. 4. 5.
6.
7.
8. 9-
-
.
Microsoft Internet Security and Acceleration Server , Firewall Policy (
). Task ( ) Toolbox ( ). Network Objects ( ). Computer Sets ( ). New Menu ( ). New Computer Set Rule Element ( ) Name ( ), — Mail Relays ( ). Add ( ). Computer ( ), Address Range ( ) Subnet ( ). Computer ( ). New Computer Rule Element ( ) Name ( ), — BORAX. Computer IP Address (IP) IP, . IP( DNS), Browse ( ). Computer ( ). . Apply ( ), . Apply New Configuration ( ).
. 4.41.
URL -
URL URL
URL WebISA.
, HTTP
URL URL
FTP, .
, ,
URL,
org.com. SMTP-
,
,
-
URL mail.isaserver-
, URL,
mail.isaserverorg.com. , URL
-
, HTTP/FTP.
, URL
. URL
■
URL,
. URL,
FQDN
. ,
. ■ .
Examples of entries in a URL set: http://*.isaserver.org, http://www.isaserver.org/*, http://*.isaserver.org/*. A wildcard in the middle of the path, as in http://*.isaserver.org/*/articles, does not fit this scheme. ■
. URL SSL,
URL
.
,
,
-
. ,
,
for example Hotmail's Web login URL https://loginnet.passport.com; as a URL set entry it is written https://loginnet.passport.com/*. ,
ISA SSL-
.
ISA SSLURL,
ISA ,
SSL-
,
. -
. URL Outlook Express Hotmail
Microsoft Outlook 2003 ISA. ,
URL
,
,
. URL ( 1. 2004 2. 3. 4. 5.
6. 7.
-
. 4.42). Microsoft Internet Security and Acceleration Server , Firewall Policy (
). Task ( ) Toolbox ( ). Network Objects ( ). URL Sets ( URL). New Menu ( ), URL Set ( URL). New URL Set Rule Element ( URL) URL Name ( ), — Hotmail Access. New ( ). New ( ) URL, — http://*.passport.com, . , URL: http://*.passport.net, http://*.msn.com, http://*.hotmail.com. . Apply ( ), . Apply New Configuration ( ).
. 4.42.
URL
URL , FQDN, FQDN,
, FQDN. *.isaserver.org.
URL URL,
URL. : ■ Microsoft Error Reporting Sites ( ■ System Policy Allowed Sites (
Microsoft, ,
); ).
Microsoft Error Reporting Sites ( Microsoft, ) contains *.watson.microsoft.com and watson.microsoft.com. , ISA Microsoft . System Policy Allowed Sites ( , ) contains *.microsoft.com, *.windows.com and *.windowsupdate.com. , , ISA Windows Update WebMicrosoft.
URL,
, Web-
FTP. , URL
, FTP-
HTTP/HTTPS
HTTP/HTTPS/
. (
1. 2004 2. 3. 4. 5.
(
.
. 4.43). Microsoft Internet Security and Acceleration Server , Firewall Policy (
). Task ( ) Toolbox ( ). Network Objects ( ). Domain Name Sets ( ). New Menu ( ), Domain Name Set ( ). New Domain Name Set Policy Element ( ) Name ( ). New ( ). . Description (optional) , ). .
J
-
. 4.43.
6. (
Domain Name Sets . 4.44).
. 4.44.
7.
Apply ( .
),
8.
Apply New Configuration ( ). URL
. -
Web10 000 URL .
URL
URL . http://www.mvps.org/winhelp2002/hosts.htm, URL . «Strong Outbound Access Control using the ISA Firewall (2004): Using Scripts to Populate URL Sets and Domain Name Sets» (« ISA: URL ») http://isaserver.org/articles/2004domainseturlset.html. HOSTS URL , .
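The matching rules for URL sets and domain name sets described above, plus a loader that turns a HOSTS-format blocklist into domain name set entries, as one added example that is not code from the book or from ISA Server and not the script from the isaserver.org article cited. It follows the text: a URL set wildcard stands at the start of the host name or the end of the path, *.domain does not cover the bare domain (the built-in sets list *.watson.microsoft.com and watson.microsoft.com separately), a domain name set applies to any protocol, and for https only the host is matched because the firewall does not see the path inside the tunnel. How an entry with no path at all (http://*.passport.com) is treated is an assumption, noted in the code; the HOSTS lines are constructed in the style of the mvps.org list.

```python
"""URL sets and domain name sets with ISA-style wildcards, and a HOSTS-format
loader for populating a domain name set.

Added example, not code from the book, ISA Server or the cited article.
ASSUMPTION (not stated on the page): a URL set entry without a path, such as
http://*.passport.com, covers every path on matching hosts.
"""
from typing import Iterable, Set
from urllib.parse import urlsplit


def host_matches(pattern: str, host: str) -> bool:
    """'*.passport.com' matches hosts under passport.com but not the bare
    domain; any other pattern must match exactly (case-insensitive)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def url_matches(pattern: str, url: str) -> bool:
    """Match one URL set entry against a request URL."""
    p, u = urlsplit(pattern), urlsplit(url)
    if p.scheme.lower() != u.scheme.lower():
        return False
    if not host_matches(p.hostname or "", u.hostname or ""):
        return False
    if p.scheme.lower() == "https":
        return True                      # only the tunnel's host name is visible
    if p.path in ("", "/*", "*"):
        return True                      # ASSUMPTION: no path means whole site
    upath = u.path or "/"
    if p.path.endswith("*"):
        return upath.startswith(p.path[:-1])   # trailing wildcard = prefix match
    return upath == p.path


def url_set_matches(entries: Iterable[str], url: str) -> bool:
    return any(url_matches(e, url) for e in entries)


def domain_set_matches(entries: Iterable[str], host: str) -> bool:
    """Domain name sets hold host names only and apply to any protocol."""
    return any(host_matches(e, host) for e in entries)


def domain_set_from_hosts(lines: Iterable[str]) -> Set[str]:
    """Turn a HOSTS-format blocklist ('0.0.0.0 ad.example.com') into entries.

    Comments and the loopback names a HOSTS file always carries are dropped;
    the result is what you would feed into a 'blocked sites' domain name set.
    """
    skip = {"localhost", "localhost.localdomain", "broadcasthost", "local"}
    names: Set[str] = set()
    for line in lines:
        parts = line.split("#", 1)[0].split()
        if len(parts) < 2 or parts[0] not in ("0.0.0.0", "127.0.0.1"):
            continue
        for name in parts[1:]:
            name = name.lower().rstrip(".")
            if name not in skip:
                names.add(name)
    return names


# The Hotmail Access URL set built in the procedure above.
HOTMAIL_ACCESS = ["http://*.passport.com", "http://*.passport.net",
                  "http://*.msn.com", "http://*.hotmail.com"]

# Constructed sample in the style of the mvps.org HOSTS file.
SAMPLE_HOSTS = """\
# constructed sample blocklist
127.0.0.1 localhost
0.0.0.0 ad.example-tracker.com
0.0.0.0 banners.example-ads.net  # banner server
0.0.0.0 counter.example-stats.org
"""

if __name__ == "__main__":
    for url in ["http://login.passport.com/login.srf", "http://passport.com/", "http://www.example.com/"]:
        print(url, "->", "allow" if url_set_matches(HOTMAIL_ACCESS, url) else "no match")
    print("blocked domains:", sorted(domain_set_from_hosts(SAMPLE_HOSTS.splitlines())))
```

Keep the apex-domain behaviour in mind when building sets: http://*.passport.com alone would not cover http://passport.com/, which is why the built-in sets carry both the wildcard and the bare name.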
WebWeb-
,
-
Web-
, -
. Web, . WebWebWeb-
,
Web-
. -
HTTP
WebIP-
SSL-
.
WebISA.
WebWeb-
8, .
Web-
-
ISA ISA .
-
ISA Windows Server 2003, ,
ISA.
, , .
ISA ISA
-
,
10 . PIX
, ISA. ISA, ISA.
, ISA
■ ■ ■ ■ ■
:
; ; ; DMZ
; Web-
(
). , .
,
ISA
. ISA
,
,
,
. .
, -
ISA ■
: , VPN-
«
■
»;
; ,
ISA.
. , (
. 4.6), ,
-
. ,
. .
Block all (
). .
ISA,
. ,
. 4.6.
Block all (
ISA Server.
)
, , . , DNS
Block Internet access, allow access to ISP network services ( ,
, DNS. -
. ,
-
)
Allow limited Webaccess ( Web-
)
VPN-
ISA Server,
WebHTTP, HTTPS
FTP.
, ( -
)
-
HTTP, HTTPS FTP(
).
VPN-
(
.
-
.
.)
Table 4.6 (continued)
Allow access for all protocols (
ISA Server. ISA Server
VPN-
)
( ).
VPN-
: 1.
Microsoft Internet Security and Acceleration Server , Configuration ( ). Networks ( ). Networks ( ) Tasks ( ) Templates ( ). Edge Firewall Template ( ), . Next ( ) Welcome to the Network Template Wizard ( ). Export the ISA Server Configuration ( ISA Server) ISA. , . , , . Export ( ). Export Configuration ( ) ISA File name ( ), Pre-Edge Fire wall Template. , XML Export user permission settings ( ) Export confidential infor mation (encryption will be used) ( , ), 2004
2.
3. 4.
5.
ISA . Export (
. ). Exporting (
6. 7.
Next (
)
). , . Export the ISA Server Configuration ( ISA Server).
8.
Internal Network IP Addresses (IP, . , ISA. (
), Add Adapter ( Add ( ) . Add Adapter ( Windows, , Add Private ( , . .
Next (
). )
. 4.45.
9.
)
)
-
Add ).
Add Private ( )
) Internal Network IP Addresses (IP. 445.
IP-
Select a Firewall Policy (
) .
. 4.6. Block All (
), ISA,
, .
, . ). 10. Wizard ( 11.
Block All ( Next ( Finish ( Apply ( .
). )
Completing the Network Template ). ),
-
12.
OK ).
Apply New Configuration ( ISA
-
, .
ISA
-
.
DMZ DMZ
ISA
.
, . DMZ
-
: ■ ■
— ; Perimeter Access (
■
Perimeter Configuration ( NAT
) ;
)
VPN. .
.
,
. DMZ.
DMZ DMZ
NAT,
-
DMZ. , DMZ
,
-
,
NAT. ,
DMZ ,
DMZ . -
VPN-
NAT. ,
,
, «
.
VPNDMZ NAT.
, DMZ
» DMZ -
, «
-
». DMZ ,
. 4.7.
Block all (
),
.
. 4.7.
Block all (
ISA Server.
)
, , .
,
DNS-
Block Internet access, allow access to network services on the perimeter net-
ISA, VPN-
(DNS) .
,
work ( , )
Block Internet access, allow access to ISP network services (
ISA Server,
VPN-
DNS.
, ,
, ) Allow limited Webaccess ( Web)
DNS ,
- (
)
HTTP, HTTPS
WebHTTP, HTTPS
.
-
FTP-
FIT VPN-
-
(
).
-
VPN-
-
(
.
.
.)
. 4.7. (
)
Allow limited Web access, allow access to Webnetwork services on HTTPS FTP perimeter network (
HTTP, .
VPN-
Web-
,
HTTP, HTTPS -
FTP-
.
-
,
-
).
( DNS-
)
VPN. VPN-
Allow limited Web access, allow ISP network services ( Web,
-
HTTP-, HTTPS-, FTP-
,
DNS, -
VPN-
.
(
) (
). DNS ,
VPN-
). VPN-
ISA Ser-
Allow all protocols (
ver. ISA Server )
VPN-
. ,
(
). VPN-
DMZ ,
:]
-
-
-
Microsoft
Internet Security and Acceleration Server 2004 , Configuration ( Networks ( ). 2. Networks ( ) ( ) Templates ( ). 3-Leg Perimeter, .
). Task
Next ( ) Welcome to the Network Template Wizard. Export the ISA Server Configuration ( ISA Server) ISA. , . , . Export ( ). 5. Export Configuration ( ) ISA File name ( ), Pre-3-Leg Perimeter Template. , XML Export user permission settings ( ) Export confidential 3. 4.
information (encryption will be used) ( ,
), ISA
. Export ( 6.
. ). Exporting (
).
, . ) Export the ISA Server Configuration ( ISA Server). Internal Network IP Addresses (IP) , . , ,— , ISA.
, Next (
7. 8.
(
), Add Adapter ( )
)
Add ).
Add Private ( Add Adapter ( Add Private (
Next ( ). 9. Perimeter Network IP Addresses (IP, DMZ. Add ( ), Add Adapter ( Add Private ( ). Adapter ( ). . 10. , DMZ, . . , Network Interfaces Information ( )( . 4.46)
). ) ) Add
.
, DMZ.
.
. 4.46.
11.
Next (
) Perimeter Network IP Addresses (IP). 12. Select a Firewall Policy ( ) , . Block all ( ) . Block all ( ) Next ( ). 13. Finish ( ) Completing the Network Template Wizard ( ). 14. Apply ( ), . 15. Apply New Configuration ( ).
. ,
, ISA .
, , —
ISA ISA.
ISA ,
-
;
,
-
ISA: ■ ISA —
, .
-
«
»
.
,
,
;
■
Perimeter Access ( ). VPN, ISA.
.
ISA
,
. ISA
, «
»
NAT; ■
ISA ,
«
». ISA
« ISA ISA.
», , , . ,
/
. 4.47
-
ISA.
. 4.47.
ISA 10.0.0.0/24, ,
.
-
ISA. .
,
ISA.
ISA »
« ISA
.
,
-
ISA
, .
,
-
, .
,
ISA,
, ISA
192.168.1.0/24.
NAT
-
. , . ISA «
»,
IPISA
.
,
IP-
,
,
, ?
.
,
IP-
ISA -
?
ISA
,
-
, . 10.0.0.0/16,
ISA . ISA,
ISA
,
.
-
ISA. ISA
ISA ISA ISA.
ISA
,
ISA ISA,
,
-
. ,
ISA
-
.
-
,
. . 4.8 .
Block all ( ,
), .
-
. 4.8. Block all ( )
ISA Server. , , . ,
Block Internet access, allow access to ISP network services
DNS ISA Server,
VPN-
DNS.
(
,
)
-
, . ,
-
(
-
)
Block Internet access (network services are on the perimeter network)
DNS ISA,
VPN-
-
DNS -
. ,
( ( ))
Allow limited Webaccess (network services are on the perimeter network) (
Web-
-
.
-
HTTP, HTTPS FTPVPN(
).
-
Web-
-
(
-
)) Allow limited Web access, allow ISP network services ( Web, ,
VPN-
Web-
HTTP, HTTPS FTP-
DNS, -
. -
VPN-
(
). DNS,
VPN-
) (
). VPN-
(
.
.
.)
. 4.8. (
)
Allow unrestricted access (
1.
2.
3. 4.
5.
_______________________ ISA Ser) ver. ISA Server . ,
; VPN-
. Microsoft Internet Security and Acceleration Server 2004 , Configuration ( ). Networks ( ). Networks ( ) Task ( ) Templates ( ). Front Firewall ( ), , Next ( ) Welcome to the Network Template Wizard. Export the ISA Server Configuration ( ISA Server) ISA. , . , , . Export ( ). Export Configuration ( ) ISA File name ( ), Pre-Front Firewall Template. , XML Export user permission settings ( ) Export confidential information (encryption will be used) ( , ), ISA . Export (
. ). Exporting (
6. 7.
Next (
)
). . Export the ISA Server Configuration ( ISA Server).
8.
Perimeter Network IP Addresses (IP) , . , ,— , ISA. Add ( ), Add Adapter ( ) Add Private ( ). Add Adapter ( ) Add Private ( ). Next ( ). Select a Firewall Policy ( ) , . Block all (
9.
)
. ) Next ( ). Completing the Network Template ).
Block all ( Finish ( )
10. Wizard ( 11.
Apply ( .
12.
), Apply New Configuration (
).
Microsoft Internet Security and Acceleration Server 2004. , .
. 4.48.
. 4.48 . 4.49
(
)
. 4.49.
. 4.9
-
.
Block all (
), .
. 4.9. Block all ( )
ISA Server. , , .
-
,
No access: Block Internet access (network services are in the perimeter network) (
ISA Server, .
:
,
(DNS) -
,
DNS VPN-
(
-
)
( ))
Restricted access: Allow limited Web access (network services are on perimeter network) (
-
:
-
HTTP, HTTPS
Web-
FTP.
VPN-
-
(
). DNSVPN.
Web( VPN))
. 4.9. (
)
-
Restricted access: Allow limited Webaccess, allow ISP network services ( : -
HTTP, HTTPS VPN-
FTP-
DNS, -
. (
), DNS
VPN-
,
-
, )
-
(
)
.
VPNISA Ser- VPN-
Unrestricted Internet access: Allow all protocols ( ver. ISA Server . :
-
(
)
,
,
) VPN. 1. 2004 2. ( 3. 4.
( 5. (
Microsoft Internet Security and Acceleration Server , Configuration ( ). Networks ( ). Networks ( ) Task ( ) Templates ). Back Firewall Template ( ). Next ( ) Welcome to the Network Template Wizard. Export the ISA Server Configuration ( ISA Server) ISA. , . , , . Export ). Export Configuration ( ) ISA File name ), Pre-Edge
,
Firewall Template. XML.
information (encryption will be used) ( ,
Export user permission settings ( ) Export confidential ), ISA
. Export ( 6.
. ). Exporting (
, . 7. ) Export the ISA Server Configuration ( ISA Server). 8. Internal Network IP Addresses (IP) , . , ISA. Add ( ), Add Adapter ( ) Add Private ( ). Add ( ) . Add Adapter ( ) Windows, , Add Private ( ) , . . Next ( ). 9. Select a Firewall Policy ( ) ( . . 4.50), ( . 4.9). Block all ( ) , ISA. . Block all ( ) Next ( ). 10. Finish ( ) Completing the Network Template Wizard ( ). 11. Apply ( ), . 12. Apply New Configuration ( ). , Next (
).
. 4.50.
, ISA
.
ISA
-
,
-
, , ISA. . , ISA.
ISA HTTP, HTTPS
-
FTP-
Web-
,
, ,
.
.
,
, ,
-
,
. ISA .
ISA
:■ -
, . . ■
ISA HTTP, HTTPS ISA
■
FTP-
Web-
; ,
. ,
. ;
,
,
,
, ;
■ Web-
. ,
,
-
; ■
ISA .
,
, ■ ■
ISA, ISA VPN-
ISA
; ; ,
Web-
. ISA (
), ISA.
ISA
, SSL-SSL (
ISA
-
8 ). .
1. 2004 2. ( 3. 4.
Microsoft Internet Security and Acceleration Server , Configuration ( ). Networks ( ). Networks ( ) Task ( ) Templates ). Single Network Adapter Template. Next ( ) Welcome to the Network Template Wizard. Export the ISA Server Configuration ( ISA Server) ISA. , . -
,
,
Export
. (
). Export Configuration (
5.
) File name Pre-Edge Export user permission settings ( ) Export confidential ISA
( ), Firewall Template. XML.
,
information (encryption will be used) ( ,
), ISA
. Export ( 6.
. ). Exporting (
).
, 7. On
Next (
(
. 4.51)
. 4.51.
9.
)
, .
Export the ISA Server Configuration ( ISA Server). Internal Network IP Addresses (IPIPv4 . Next ( ).
)
IP-
Select a Firewall Policy ( Single Default NIC ( Next (
) ). ).
10. Wizard (
Finish (
)
Completing the Network Template ).
ISA IPISA.
, ISA
,
.
ISA. ,
1. Server 2004, 2.
3.
4.
5. 6. 7.
8.
ISA, . Microsoft Internet Security and Acceleration Firewall Policy (
). Firewall Policy ( ) Tasks ( ). System Policy Tasks ( ) Show System Policy Rules ( ). System Policy Rules ( ) Firewall Policy ( ). № 8 Allow DHCP replies from DHCP server to ISA Server ( DHCPDHCPISA Server) Edit System Policy ( ). , Configuration Groups ( ) Network Services ( ) DHCP. From ( ). From ( ) Add ( ). Add Network Entities ( ) New ( ). Computer ( ). New Computer Rule Element ( ) DHCPName ( ). — ISP DHCP Server. IPDHCPComputer IP Address (IP). Description (optional) ( , ). . Add Network Entities ( ) Computers ( ), ISP DHCP server. IPDHCP, Networks ( ) External ( ). Close ( ).
910.
Apply ( .
System Policy Editor ( ),
).
11.
-
Apply New Configuration ( ).
12. . ,
. 4.52.
IPipconfig/all.
ISA . 4.52.
,
DHCP-
DHCP-
, IP-
ISA,
DHCP-
-
VPN-
.
-
, VPN-
.
ISA
:
VPNNetwork Connections (
. ) (connectoid) ) .
-
ISA. Network Connections ( ISA
.
ISA ,
ISA
, Microsoft Internet Security and Network Connections.
Acceleration Server 2004,
ISA
-
: ■ ■ ■
. ISA , (
, ISA VPN-
,
. VPN).
VPNISA. DSL
.
-
, . VPN-
-
ISA .
, . VPN-
, .
-
.
, Windows Server 2003
VPN-
,
. Windows 2000. 1. My Network Places ( ) Properties ( ). 2. Network Connections ( ) New Connection Wizard ( ). 3. Next ( ) Welcome to the New Connection Wizard ( ). 4. Network Connection Type ( ) Connection to the network at my workplace ( ) Next ( ). 5. Network Connection ( ) Virtual Private Network connection ( ) Next ( ). 6. Connection Name ( ) VPNCompany Name ( ), — VPN to ISP. Next ( ). 7. VPN Server Selection ( VPN) IPVPNHost name or IP address ( IP). Next ( ). 8. Connection Availability ( ) Anyone's use ( ) Next ( ). 9. Completing the New Connection Wizard ( ) Finish ( ). 10. Connect VPN to ISP ( VPN ISP) Properties ( ). 11. Connect VPN to ISP Options ( ). Redialing ( ) Redial if line is dropped ( ). Redial attempts ( ) 99-
Time between redial attempts ( ) 5 seconds (5 ). Idle time before hanging up ( ) Never ( ). 12. Connect VPN to ISP ( VPN ISP) , . Save this user name and pass word for the following users ( ). Anyone who uses this computer ( ). 13. Connect ( ), , . ISA . 1. Microsoft Internet Security and Acceleration Server 2004 , Configuration ( ). General ( ). 2. General ( ) Specify Dial-Up Preferences ( ). 3. Dialing Configuration ( ) : a I will dial the connection myself ( ). , , . , .
VPN-
-
, ; a Allow automatic dialing to this network ( ). ISA Web-
, SecureNAT ISA. VPN-
.
, I will dial the connection myself ( ); □ Configure this dial-up connection as the default gateway ( ). ISA VPN, , .
; a Use the following dial-up connection ( ). ; □ Use this account ( ,
). . .
,
Apply (
. 4.
),
.
VPNVPN-
VPNISA, L2TP/IPSec. ,
(
, -
IPSec NAT-T),
, -
,
IPSec
. L2TP/
. ,
VPN-
,
. 1. 2004 2.
3.
4. 5.
6.
7.
Microsoft Internet Security and Acceleration Server , Firewall Policy (
). Firewall Policy ( ) Tasks ( ) . Create a New Access Rule ( ). Welcome to the New Access Rule Wizard ( ) Access Rule name ( ), — to ISP. Next ( ). Allow ( ) Rule Action ( ). Next ( ). Protocols ( ) Selected protocols ( ) This rule applies to ( ). Add ( ). Add Protocols ( )( . 453) VPN and IPSec . Close ( ). , VPN. Next ( ) Protocols ( ).
. 4.53.
VPN-
8.
Access Rule Sources ( (
9-
)
Add
).
Add Network Entities ( ) Networks ( ), Local Host ( ). Close ( ). 10. Next ( ) Access Rule Sources ( ). 11. Access Rule Destinations ( ) Add ( ). 12. Add Network Entities ( ) New ( ) Computer ( ). 13 New Computer Rule Element ( ) VPNName ( ), — ISP VPN Server. IPVPN- Computer IP address (IP). . 14. Computers ( ) Add Network Entities ( ) ISP VPN Server. Close ( ). 15. Next ( ) Access Rule Destination ( ). 16. Next ( ) User Sets ( ).
17. Finish ( Wizard ( 18. Apply ( . 19. ).
)
Completing the New Access Rule ).
), Apply New Configuration ( ISA
-
.
, /
ISA.
«
VPN7.
»( ISA) «
»,
,
.
,
-
ISA, ». ISA,
« . ISA
ISA Server 2000 ISA Server 2000 ISA Server 2000 LAT. LAT. ,
. . . LAT,
LAT (
—
, IP-
, . LAT) -
ISA Server 2000. ISA Server 2004 ISA —
LAT
.
,
ISA,
. , LAT
ISA Server 2000. ISA
,
.
,
, ISA, ,
. ISA.
-
■ ■ ■
. . ,
ISA .
■
IP-
,
,
. ■
IP.
■
, IP-
ISA, ,
ISA, .
■
VPN-
VPN,
,
,
VPN-
. ■
,
, . , 10.0.0.0/16, , 10.1.0.0/16, 10.2.0,0/16 . . , 10.0.0.0/8; .
,
ISA , ,
, .
, ISA — 10.0.0.0/16, 172.16.0.0/16.
,
,
, ISA.
,
, . ,
, . 4.54). ,
(
ISA
, -
. . 4.54
.
-
, «
».
— 10.0.0.0/24, Checkpoint
, 10.10.10.0/24.
Checkpoint, .
Checkpoint
, VPNISA.
, . 4.54
«
3 ».
10.10.10.2/24 DG: 10.10.10.1
«
. 4.54.
,
IP-
»
SecureNAT — , ISA. SecureNAT ISA, ISA, SecureNAT ISA, SecureNAT , ISA.
. 4.54
IP-
, ,
SecureNAT SecureNAT. , -
10.0.0.5/24
10.0.0.1, ,
ISA. 10.10.10.1, Checkpoint. 10.0.0.1, , Checkpoint. ISA,
IP-
10.10.10.224 -
-
Checkpoint ISA Checkpoint ISA
-
IPTCP-
.
. ISA. UDP-
,
Winsock, IPISA, . .
,
.
,
. 4.54 , 10.0.0.1
IP-
10.0.0.5/24
-
. 10.10.10.1/24 IP-
10.0.0.1.
ISA.
-
, .
, ,
ISA. ,
, ».
« . 4.55 (
).
SecureNAT
ISA SecureNAT. Checkpoint, Checkpoint Checkpoint Checkpoint
ISA
. .
. 4.55.
SecureNAT
. 4.55
-
SecureNAT SecureNAT , , , . SecureNAT, SecureNAT,
,
.
:
. 4.56
-
:
(
)
.
—
,
,
. , ISA.
,
,
,
,
. ,
. 131.107.1.1. (Reliable Datagram Protocol, . , , , RDP-
ISA RDP-cep) ,
RDP-
, . ,
,
-
ISA,
RDP-
. . IP-
, -
,
. IP-
10.0.0.0/24
,
10.10.10.0/24.
,
.
, ,
ISA
.
—
,
, . , , ,
, SecureNAT
, . SecureNAT. RDP-
, ,
-
,
. ISA
SecureNAT ,
,
.
RDP-
, . , ,
,
SecureNAT .
, /
.
. 4.56
-
. 4.56.
RDPRDPRDP-
.
, ,
ISA.
-
.
Client Username (
-
), .
,
,
RDP,
,
. ,
, SecureNAT. ,
, . .
, SecureNAT ISA,
. ,
, , -
. 4.57 .
. 4.57. SecureNAT
?
, ,
, NAT, ISA
Secure ,
IP-
. . , .
,
SecureNAT
ISA
,
SecureNAT, ,
. TCP
, UDP),
ICMP (
ping
( tracert).
Winsock,
. sock-
,
Win-
,
.
ISA
SecureNAT
-
, ,
ISA
,
.
SecureNAT .
. 4.58
.
. 4.58.
,
,
-
,—
. , /
,
, ,
ISA. ,
ISA . IP-
, , ,
ISA
, ,
. ,
.
-
, .
,
,
.
-
, ASL (Access Control List,
)
.
WebWeb-
— WebWeb-
ISA. (downstream)
, ISA (upstream) ISA
ISA. , . WebWeb-
ISA
ISA ISA
ISA. —
, -
.
Web-
-
. ■
ISA ISA ISA
■
. ,
, ISA,
,
ISA, .
■
WebISA Web-
ISA Web-
ISA.
,
, ISA
. 4.59
Web.
Web-
. -
. 4.59. WebProxyChaining.vsd
1.
ISA ,
2.
WebISA,
Web. .
ISA ,
.
ISA
WebISA
.
ISA
, ,
ISA .
,
3.
,
Web-
, . 4. Web-
ISA .
5.
ISA ISA ,
.
ISA ISA
WebISA
. WebWeb-
ISA
6.
.
ISA
,
.
ISA Web,
,
.
Web-
ISA ,
7.
.
Web-
.
ISA.
Web-
ISA. 8.
ISA
Web-
ISA
,
. ISA
.
ISA Web-
, ,
Web-
. Web-
9.
ISA
,
ISA
,
.
ISA
,
WebWeb,
, 10.
ISA
Web-
.
. , ,
, Web-
-
. ,
.
Web-
ISA
, ISA
. -
. Web-
, ISA
Web. 4.60
,
WebWeb-
. ISA.
.
. 4.60.
Web-
ISA Web-
.
-
WebISA,
,
.
,
ISA
,
.
,
, ,
-
, .
ISA
,
.
ISA ,
(
Web-
)
. WebNetwork (
Web Chaining ). 1.
Microsoft Internet Security and Acceleration Server ,
2004 Networks (
Configuration ( ).
).
2.
Networks ( ) Web Chaining ( WebDetails ( ). Tasks ( ) Create New Web Chaining Rule ( Web). Welcome to the New Web Chaining Rule Wizard ( Web) Web chaining rule name ( Web), — Chain to ISA-1. Next ( ). Web Chaining Rule Destination ( Web) ISA, . URL ISA. . Add, . Add Network Entities ( ) Networks ( ), External ( ). Close ( ). Next ( ) Web Chaining Rule Destination ( Web). Request Action ( ) ISA, , . . )
3. 4.
5.
6.
7. 8.
Retrieve requests directly from the specified location (
-
). ISA
ISA.
,
,
, ISA
, ,
Web-
ISA
, . Web-
,
ISA ,
-
. ISA Web-
,
,
,
-
,
.
Redirect requests to a specified upstream server ( ). Web-
.
Web-
ISA.
Allow delegation of basic authentication credentials ( ) .
?
?
-
? Web-
?
Web?
?
? .
,
, Web-
, Web-
,
,
.
,
,
.
Redirect requests to (
). ,
Web-
.
,
,
-
,
Web, . Use automatic dialup (
HTTP
. FQDN
IPSSL
). -
.
, ,
.
,
ISA . ,
. . 4.61
. 4.61.
.
-
9.
Redirect requests to a specified )
upstream server (
Disable the Allow delegation of basic authentication credentials ( ).
Next ( ). Primary Routing (
10. FQDN
) ISA
IP-
FQDN,
ISA ISA.
,
Port (
SSL)
)
IPSSL Port (
, ISA. SSLWeb. SSL-
ISA
,
ISA
WebISA. Web-
ISA
SSL
SSL port
TCP 8080
-
,
SSL.
,
, www.isaserver.org. . 4.62
, Web-
.
■
. 4.62.
Web-
Web-
.
Web,
Web-
Web-
. Web-
Web-
Use this account ( ). Set Account ( ). Set Account ( )( . 4.63) User ( ) COMPUTERNAME/Username ( / ). ISA. ISA , DOMAINNAME/Username ( / ). Password ( ) Confirm password ( ). Set Account ( ). Authentication ( ) Integrated Windows. WebWeb, . , WebSSL, . Next ( ) Primary Routing ( ). . 4.63 . ,
. 4.63.
11. Backup Action ( D Ignore requests ( Web-
)
.
).
Web,
, ,
,
□ Retrieve requests directly from the specified location ( ).
. -
ISA Web-
Web-
,
,
Web-
.
,
-
ISA D
, WebRoute requests to an upstream server ( ). WebWeb. Web-
. -
ISA ISA
,
ISA, ISA
.
□ Use automatic dial-up (
). ,
ISA ,
,
,
). Next
,
ISA ( . . 12. Ignore requests ( ) ( ) Backup Action ( ). 13. Finish ( ) Completing the New Web Chaining Rule Wizard ( Web). ISA ISA. He
Web-
ISA, WebHTTPS FTP.
-
,
,
HTTP, Web-
ISA ,
,
,
-
ISA, . . ISA
, Web-
.
ISA
, , ,
, ), ,
, ISA SAM (Serial Access Memory, , ISA.
Web-
.
ISA ISA.
Web-
,
WinsockWeb-
(HTTP/HTTPS/FTP). ,
TCP UDP, Web.
,
ISA,
. , -
www.isaserver.org.
ISA DHCPISA ISA DHCP ISA
SOHO, DHCP-
. ,
ISA IP,
-
. DHCP-
. ISA ,
DHCP-
,
,
DHCPIP-
-
. DHCP-
,
-
: 1.
Microsoft Internet Security and Acceleration Server , Firewall Policy ( ). Tasks ( ). Create a New Access Rule ( ). 2. Welcome to the New Access Rule Wizard ( ) Access Rule ( ), — DHCP Request. Next ( ). 3. Allow ( ) Rule Action ( ). Next ( ). 2004
Protocols (
4. (
) )
).
Selected protocols This rule applies to (
Add ( ). 5. Add Network Entities ( ) Infrastructure ( ), DHCP Request. Close ( ). 6. Next ( ) Protocols ( ). 7. Access Rule Sources ( ) Add. 8. Add Network Entities ( ) Networks ( ) Internal ( ). Close ( ). 9. Next ( ) Access Rule Sources ( ). 10. Access Rule Destination ( ) Add ( ). 11. Add Network Entities ( ) Networks ( ) Local Host ( ). Close ( ). 12. Access Rule Destination ( ) Next ( ). 13User Sets ( ) Next ( ). 14. Completing the New Access Rule Wizard ( ) Finish ( ). 15. Apply ( ), . 16. Apply New Configuration ( ). — DHCP. 17. DHCP Request (DHCP) ( ). 18. DHCP Request (DHCP) Paste ( ). 19DHCP Request (1) (DHCP, 1) Properties ( ). 20. General ( ) DHCP Request (1) (DHCP, 1) DHCP Reply (DHCP) Name ( ). 21. Protocols ( ). DHCP (request) (DHCP, ) Remove ( ). Add ( ). Protocols ( ) Infrastructure ( ) DHCP (reply) (DHCP, ). Close ( ).
22.
From ( ). Internal ( ) Remove ( ). Add ( ). Add Network Entities ( ) Networks ( ) Local Host ( ). Close ( ). 23. ( ). Local Host ( ) Remove ( ). Add ( ). Add Network Entities ( ) Networks ( ) Internal ( ). Close ( ). 24. Apply ( ), . 25. Apply ( ), . 26. Apply New Configuration ( ). DHCP-
ISA .
IPDHCPVPN-
IP-
.
ISA
DHCPDHCP.
VPN-
ISA ISA . ,
, . VMware
ISA
. -
. ISA. ISA ISA Server 2000, .
,
ISA
,
«
»
-
. ISA
,
ISA.
, ISA WebDHCP13
,
, ISA
.
-
ISA ,
«
-
». . 0
, , ,
ISA, .
0
, , (
ISA
400
/ ).
ISA,
-
ISA
-
,
. .
.
0
Windows
, ,
,
-
. ISA
, ,
ISA
.
ISA Server 2004 ,
-
, . 0
VMWare Workstation 4.51. VMNet, Ethernet .
,
-
0
VMware 4.51 . (Alessandro Perilli),
, VMware .
ISA 0
ISA ,
LAT, .
—
ISA , VPN. «multi network ing» ( ISA .
-
) ,
ISA, . -
ISA.
,
, .
ISA ,
: ,
,
VPN-
VPN-
. 0 0
,
ISA.
, ,
ISA.
El
, ISA.
0
VPN-
, .
0
VPN-
VPN-
VPN-
,
. ,
0 -
»
-
, VPN-
«
0
,
-
. « 0
-
.
«
» .
» ,
NAT. IP-
-
0
NAT
, IP-
S3
IP-
-
,
.
ISA
:
,
, URL,
,
,
, .
-
). Web-
-
, Web-
,
ISA.
0
ISA ,
, Web-
: ,
(
0 , .
,
,
.
0
ISA
. VPN-
,
-
. 0
ISA .
ISA.
0
«
»
ISA.
,
, ISA,
-
,
ISA , ,
.
Web0
WebISA WebWebWebWeb-
0
Web.. Web-
,
0
WebWeb-
Web-
.
-
,
.
, .
ISA Web-
ISA ISA. ,
-
,
,
-
.
ISA
DHCP-
ISA
DHCP-
0 DHCPDHCP0 DHCP-
. DHCP
ISA . ISA
, . DHCPDHCP-
Ч
,
ISA,
IPVPNDHCP VPNDHCPVPN-
-
.
, . www.syngress. com/solutions ( «Ask the Author»). . ITFAQnet.com. :
Web,
Web-
,
.
? :
, Web-
ISA.
:
-
WebIPDNS
, IP-
:
ISA
.
:
,
. .
-
, ,
.
-
ISA
,
, .
.
? ISA
:
IP-
ISA ISA.
, .
-
, ,
, ISA
ISA, ISA
, , ISA.
, ISA.
:
ISA .
-
, ,
.
:
?
, ISA, IPv4
( ).
,
ISA
,
-
, . :
ISA
DHCPDHCP-
. DHCP VPN:
,
DHCP, .
,
DHCP-
?
ISA, DHCP VPN-
DHCP-
.
-
DHCP-
DHCPVPN-
ISA, DHCP.
:
ISA
,
DHCP. ISA.
. ,
DHCP?
:
ISA DHCPIP-
-
,
DHCP-
-
, , .
,
,
ISA Server 2004 : ISA Server 2004 ISA Server 2004
,
ISA Server
ISA Server 2004, — 2004.
ISA Server:
, .
-
, . ISA Server , ISA Server .
WebWebISA Server 2004 ,
2004
ISA Server -
. ISA Server 2004.
, ISA Server 2004 . ,
ISA Server 2004, Server 2004.
ISA ,
ISA Server 2004, «
ISA Server 2004. « -
»
»
ISA Server 2004.
ISA Server 2004 , ■ ■ ■
ISA Server, ISA Server 2004:
SecureNAT; ; Web-
. ,
ISA Server 2004. SecureNAT,
, SecureNAT
. 5.1
Windows XP WebWeb-
ISA Server 2004
. . ,
,
-
, .
ISA Server 2004 ISA Server 2004
. 5.1. SecureNAT
Web-
. SecureNAT
.
.
Web-
-
-
-
,
?
ISA
-
Server 2004 Web-
ISA Server 2004.
.
. TCP/IP
-
Web-
Server 2004
ISA ( )
-
SecureNAT
-
WebWindows, Windows 98 Windows Server 2003
. Windows, MacOS, Unix, Linux , -
-
,
WebWeb-
. -
, , -
WebTCP/IP SecureNAT
-
. (
WebWinsock,
-
-
-
TCP UDP.
)
HTTP, HTTPS (SSL/TLS) FTP (FTP )
, -
ISA Server 2004
-
TCP UDP,
-
( .
.
.)
.
(
)
5.1. WebSecureNAT
-
. - NAT
Secure-
.
-
ISA Server 2004 ,
.
Web-
/ ,
SOCKS 5,
ISA Server 2004, -
-
. Web-
SOCKS 5
ISA Server 2004 , Win-
Windows, - dows, Secure
,
Web-
-
WebHTTP, - HTTPS, FTP.
NAT, ( dows 95),
HTTP/HTTPS
-
,
Win-
-
FTP. -
Windows, Windows 95, -
, Web,
, Server 2004
.
,
.
-
-
Web-
-
,
ISA
-
Secure NAT -
SecureNAT. cureNAT dows,
,
Se-
-
Win-
ICMP
SecureNAT ISA Server 2004 SecureNAT
,
, ISA Server 2004. .
ISA Server SecureNAT
SecureNAT ; ; VPN-
■ ■ ■
ISA Server. :
. , .
,
: —
. ( .
, 10.0.0.0/8).
. 5.1
ISA Server 2004 ISA Server 2004 , ISA Server 2004 .
. 5.1.
SecureNAT
SecureNAT
IPISA. DHCP, SecureNAT.
DHCPISA Server
2004 . ,
-
, 3. SecureNAT, SecureNAT. ,
, SecureNAT SecureNAT
,
-
. ,
, ISA Server 2004.
SecureNAT
,
, . 5.2
SecureNAT.
. 5.2.
SecureNAT
VPN-
,
VPN-
-
ISA Server 2004. VPN-
ISA Server 2000, ,
VPN-
,
VPN-
.
-
, , ISA Server 2000.
VPNWebISA Server 2000.
VPN-
, ling). ISA Server 2000, VPNVPN-
VPNISA Server 2000 VPNISA Server 2000 (split tunneVPN.
ISA Server 2004
,
WebISA Server SecureISA,
VPN-
2004,
.
WebNAT. VPN-
VPN, VPN
,
.
, VPN-
,
VPN-
Windows
.
, , VPNISA Server 2004/VPN-cepBepoM, ISA Server .
VPN2004,
, , . ISA Server 2004
VPNSecureNAT -
VPNISA Server 2004,
, .
, SecureNAT VPN-
ISA Server 2004
/
VPN-
. ,
SecureNAT VPN8.
SecureNAT SecureNAT ISA Server 2004,
ISA Server 2004.
SecureNAT
-
:
■ /
;
■ ■
; ;
■
ISA Server 2004 . SecureNAT
ISA Server , -
2004, .
TCP/IP .
Web, ,
ISA Server 2004
WebWeb. SecureNAT,
, /
SecureNAT
.
, , , .
-
SecureNAT
( ISA Server 2004) ,
—
ISA Server.
,
-
. FTP
. FTP
FTP-
,
(« TCP 20. FTP
FTP
-
», control channel) FTP-
, (
) .
TCP 21
-
FTP-
, ,
FTP. FTP
FTP, ISA Server 2004
.
ISA Server 2004 FTP(FTP Access Application Filter). FTP FTP-
. 5.3.
-
. 5.3 .
FTP
-
FTP-
, -
-,
/
.
, SecureNAT ,
. ,
.
,
, , . , . , SOCKS 4.
, SecureNAT SecureNAT
-
SOCKS 4
ISA Server 2004.
SOCKS 4 SecureNAT.
SecureNAT, SOCKS 4,
, SOCKS-
, SOCKS/
.
-
SOCKS 4
ISA Server 2004
,
-
/
.
SecureNAT
. Web-
(
-
, ISA Server 2004 -
, ISA Server 2004),
SecureNAT
ISA Server 2004.
, ISA Server 2004, . ,
SecureNAT, ISA Server 2004. , SecureNAT « , ,
, SecureNAT » . , TCP UDP
. -
,
, (
ICMP
-
IP).
-
SecureNAT SecureNAT, :
■ (
,
■ ■
, HTTP/HTTPS FTP). ICMP
,
Web. ,
, ,
WebSecureNAT
. 5.2.
.
. 5.2.
SecureNAT -
SecureNAT ( ISA Server 2004.
)
ISA Server 2004
/ .
-
, IP-
SecureNAT,
-
/ .
-
,
.
-,
-
SecureNAT
-
, ISA Server 2004. , SOCKS 4
— -
SecureNAT, SecureNAT ISA Server 2004.
-
, .
-
SecureNAT 2004
-
ISA Server
, ISA Server 2004.
(
) -
Web, ISA.
-
Web-
, 1-6
,
. Web-
ISA
. IP-
SecureNAT ,
-
SecureNAT SecureNAT ■ ■ ■
: ,
,
Windows; TCP/UDP ( ICMP); .
SecureNAT
,
-
, WebWindows. SecureNAT, Web-
-
. ,
(HTTP/HTTPS
, FTP).
-
SecureNAT Microsoft. TCP- UDP-
Win-
, sock, ISA Server 2004. ICMP (Internet Control Message Protocol, (Generic Routing Encapsulation, ) ( VPN) UDP TCP , . ISA Server 2004 SecureNAT.
)
GRE
-
:
, -
/ ( ,
TCP/UDP).
VPN. GRE, , -
, , .
ISA Server 2004
,
,
.
. -
IP8.
, GRE VPN-
ping, .
tracert, , VPN,
VPN-
SecureNAT. UDP 500 4500 NAT-T L2TP/IPSec.
,
. NAT-T L2TP/IPSec, NAT-T L2TP/IPSec VPN-
SecureNAT
. .
,
,
ISA Server
2004
Web-
-
,
.
,
,
, Web.
-
, , ,
.
. 5.3
SecureNAT.
. 5.3.
SecureNAT -
, , Web( . . HTTP/ HTTPS/FTP), SecureNAT -
, SecureNAT — Server 2004, . Ping, tracert
, TCP/UDP
Linux, UNIX
Macintosh ISA TCP/ , -
, — SecureNAT.
, /
, SecureNAT
TCP/UDP, SecureNAT -
-
. ,
, ISA Server 2004 , —
. SMTP-
, . SMTPSecureNAT
, SMTP-
( IP-
ISA).
-
SMTPSecureNAT
SMTP-
. 10
IP-
SecureNAT , ISA Server 2004, ISA Server 2004 -
2004.
.
,
ISA Server SecureNAT DNS-
SecureNAT.
,
SecureNAT TCP/IP,
-
,
, , .
-
,
, ISA Server 2004, .
SecureNAT SecureNAT
DNS-
,
, .
DNSSecureNAT
. DNS-
,
, ,
DNS .
« ISA Server 2004
»
,
internal.net ISA Server -
, 2004. . ,
IP-
, Web-
Web192.168.1.10.
www.internal.net IPwww.internal.net
DNS222.222.222.1.
. WebServer 2004, Web.
SecureNAT , ,
DNS WebWeb-
ISA . -
SecureNAT
DNS, www.internal.net. ISA Server 2004, Webwww.internal.net ISA Server 2004, Web. WebIP-
,
Web, ISA Server 2004, . 5.4 , ISA Server 2004.
. 5.4.
SecureNAT, ISA Server 2004 SecureNAT. Web-
, ,
«
IPIPSecureNAT.
Web,
SecureNAT IP-
IPSecureNAT
»
SecureNAT -
.
Web«
.
»
-
SecureNAT
DNS.
, ,
, SecureNAT » (roaming clients) (
,
, ).
DNS «
-
DNS ,
DNS-
SecureNAT
,
. ,
IP-
. -
ISA Server 2004, SecureNAT ISA Server 2004 . . 5.5
,
, DNS SecureNAT. . 5.4 DNS SecureNAT. Web-
IP-
,
. , Webhttp://192.168.1.1/info,
-
Web,
Web-
. ,
IP-
Web-
, , .
JavaSharePoint Portal Server, ( ISA Server 2004).
. 5.5.
DNS SecureNAT
Microsoft,
-
DNS
. 5.4.
SecureNAT
DNS SecureNAT
SecureNAT
-
DNS. DNS, DNS, SecureNAT,
. ,
SecureNAT ISA Server 2004
, .
ISA Server 2004
-
, .
SecureNAT
DNS-
IPISA Server 2004.
,
SecureNAT ,
IP.
-
, DNS
DNS-
-
.
DNS-
DNS. DNSDNS-
-
. , , SecureNAT
DNS DNS-
, .
DNS-
, NetBIOS SecureNAT
HOSTS.
WINS,
-
(
,
DNS, . DNS-
-
).
DNS-
-
ISA Server 2004 SecureNAT
SecureNAT
, DNS. SecureNAT
SecureNAT , nslookup,
. -
. 5.4.
(
)
DNS SecureNAT
SecureNAT
SecureNAT DNS ,
. SecureNAT . DNS-
DNS-
SecureNAT ( SecureNAT DNS . SecureNAT
-
, DNS-
,
),
, DNS-
,
-
, SecureNAT
DNS-
-
,
,
DNS-
DNSSecureNAT. ISA Server 2004,
-
DNSISA Server 2004.
DNSISA Server 2004, , DNS, DNS,
-
DNS, , -
. SecureNAT . DNSISA Server 2004 DNS,
.
ISA Server 2004 -
, Windows . Windows: ■
/ Winsock,
TCP UDP; ISA Server 2004
■ ; ■
, ,
;
■ ■
DNS-
; , ;
■
.
/ Winsock, TCP
UDP ISA Server 2004
-
.
, ,
, .
/
. , ,
,
. ,
,
-
,
,
,
. ,
.
Web-
.
.
-
, .
,
,
-
,
.
(
)
ISA Server 2004. ,
Windows Active Directory, 2004.
,
Active Directory, , ISA Server 2004 ISA Server 2004
.
-
NT, ISA Server -
. /
,
Windows
.
, ,
,
-
SAM (Security Account Manager, ) ISA Server 2004. ,
Active Directory, / .
. ISA Server 2004,
, .
ISA Server 2004 , ISA Server 2004, ISA Server 2004. ,
,
,
.
, /
. ,
, ,
,
,
.
, , SecureNAT, , TCP
, Winsock
-
UDP .
ISA Server 2004
-
,
, . , ,
SOCKS
, -
-
.
DNSSecureNAT ,
.
2004 ,
ftp://ftp.microsoft.com, ISA Server 2004. ISA , ISA Server 2004, , FTPftp.microsoft.com. DNS, . . 5.6 .
Server 2004 DNS IPFTPISA Server 2004
IP.
ISA Server
DNSISA Server DNS.
. 5.6.
1. 2. 3. DNS4. ,
ftp.microsoft.com. ISA Server 2004 DNSftp.microsoft.com IPISA Server 2004. ISA Server 2004 IPftp.microsoft.com .
DNS-
.
5.
IP-
ftp.microsoft.com,
. 6,
ISA Server 2004.
, .
-
SecureNAT, , IP-
-
ISA Server 2004. IPISA Server 2004. , . . 5.5
. 5.7.
. 5.7 ISA Server 2004. .
ISA Server 2004
. 5.5.
/
/ Winsock,
Winsock TCP
TCP
-
UDP,
UDP , /
-
,
-
ISA Server 2004 ,
ISA Server 2004
, -
TCP/UDP,
, /
.
,
-
SecureNAT ISA Server 2004
-
.
-
ISA Server 2004 ISA Server 2004 .
DNS-
ISA Server 2004 .
DNSDNS-
, DNSWeb, FTP
, ISA Server 2004, . -
, , -
SecureNAT, ISA Server 2004 , IPISA Server 2004.
-
SecureNAT
Microsoft .
TCP -
,
ISA Server 2004,
,
1745
.
ISA Server 2004 ( , ,
,
FTP
Telnet). , -
.
,
-
, . ISA Server 2004 (Local Address Table, LAT).
ISA Server 2004
LAT, . -
, ISA Server 2004,
, . ,
. ,
,
-
. ISA Server 2004 ,
, .
,
( )
, .
ISA Server 2004, . ISA Server 2004 ISA Server 2004
-
.
. (
, , ).
, (
.
.
.)
. ,
, , ,
ISA Server 2004 LAT (1 , ISA Server 2004 -
. callat.txt)
, 4.
ISA Server 2004 (Winsock Proxy Client 2.0
-
ISA Server 2000) ISA Server 2004.
-
, ISA Server 2004 2004
.
ISA Server
,
, , Microsoft Network Monitor Ethereal). ISA Server 2004 ,
(
-
, , .
ISA Server 2000, (Stefaan Pouseele) «Understanding the Firewall Client Control Channel» ( ) : www.isaserver.org/articles/ Understanding_the_Firewall_Client_Control_Channel.html. IPSec, IPSec ISA Server 2004, .
-
, ) ISA Server 2004. Microsoft Internet Security and Acceleration Server 2004 , Configuration ( ) General ( ). Define IP Preferences ( IP). , IP Routing (IP) Enable IP Routing ( IP). IP routing (IP-
. ISA Server 2004,
. ISA
Server 2004. 2004,
ISA Server ,
( ),
■ ■ ■ ■ ■
. : Microsoft CIFS (Common Internet File System, ) (TCP); Microsoft CIFS (UDP); NetBIOS (NetBIOS Datagram); NetBIOS (NetBIOS Name Service); NetBIOS (NetBIOS Session). , .
Microsoft ,
Microsoft (Client for Microsoft Networks) ISA Server 2004, ISA Server 2004.
-
. . : ISA Server 2004 , Autorun ( ). Install ISA Server 2004 ( ISA Server 2004). 2. Next ( ) Welcome to the Installation Wizard for Microsoft ISA Server 2004 ( Microsoft ISA Server 2004). 3. I accept the terms ( ) Next ( ). 4. , . Next ( ). 1.
-
5.
Setup Type ( ) Custom ( ) Next ( ). 6. Firewall Services ( ) This feature will not be available ( ). ISA Server Management ( ISA Server) This feature will not be available ( ). Firewall Client Installation Share ( ) This feature, and all the subfeatures, will be installed on local hard drive ( )( . 5.8). Next ( ).
. 5.8.
7.
Install (
)
Ready to Install the Program (
). 8.
Finish (
)
Installation Wizard Completed ( ).
9.
Autorun (
).
. : %System%\Program Files\...\Microsoft ISA Server\clients. : mspclnt. Share Permissions ( ) Everyone Read ( ). NTFS: ■ — Full Control ( );
-
■
, ), List Folder Contents ( (
, — Read&Execute ( ) Read
);
■
— Full Control (
).
: ■ ■ ■ ■
SMB/CIFS-
; Active Directory; ; (Systems Management Server,
SMS). ,
.
-
, ,
, .
,
,
,
,
, .
-
, . -
.
,
, ,
,
-
, Active Directory (
, Active Directory). -
,
.
, -
, . , , ,
.
SMS-
. :
Active Directory
■ ISA Server 2004; ■ . ,
, .
, .
;
■ ; ■ Windows 95)
Windows ( Internet Explorer 5.0.
,
: 1. 2. 3.
4. 5.
6. 7. 8.
Start (
), Run ( ). Run ( ) \\FILESERVER\mspclnt\setup ( FILESERVER — ISA Server 2004) . Next ( ) Welcome to the Install Wizard for Microsoft Firewall Client ( Microsoft). Next ( ) Destination Folder ( ). ISA Server Computer Selection ( ISA Server) Connect to this ISA Server computer ( ISA Server) remoteisa.msfirewall.org . Next ( ). Install ( ) Ready to Install the Program ( ). Finish ( ) Install the Wizard Completed ( ). ( 5.9). TCP UDP, , . . 5.9. VPN-
VPN.
ISA Server 2004 ,
, .
,
,
-
,
. ,
-
. , Common.ini Management.ini, Documents and Settings\All Users\ Local Settings\Application Data\Microsoft\Firewall Client 2004. Common.ini (FwcAgent) Windows Server 2003, Windows XP, Windows 2000 Windows NT. Windows 9x. , Management.ini, . Management.ini Common.ini .
Microsoft Internet Security and Acceleration Server 2004, . , Microsoft Internet Security and Acceleration Server 2004, , , , . ISA Server 2004 Microsoft Internet Security and Acceleration Server 2004. , .
-
: ■ ■
; . .
, TCP .
UDP 1745
,
Configuration ( Networks (
)
Microsoft Internet Security and Acceleration Server 2004, , Configuration ( ). ) Networks ( ), Details ( ). Properties ( ).
Firewall Client ( ) Enable Firewall client support for this network ( ), . 5.10. Firewall client configuration ( ) ISA Server 2004 ISA Server name or IP address ( IPISA Server).
otrtlou ton m to Гш Л
Vib
»
. 5.10.
NetBIOS). Qualified Domain Name,
( FQDNISA Server 2004
NetBIOSFQDN-
) ,
(Fully ISA
DNS Server 2004. . DNSISA Server 2004
,
-
. DNS,
DNS-
, ( )
ISA Server 2004.
-
ISA Server 2004
397
ISA Server 2004 DNS2004 ISA Server).
,
,
ISA Server 2004. IPISA Server ISA Server name or IP address ( IP, . .
Webration on the Firewall client computer ( ). WebWeb. , . ) ) , Discovery,
Automatically detect settings ( Web, Internal Properties ( Web-
),
Web browser configuWebWebWebWeb Browser (Web). WPAD(Web Proxy AutoDNS DHCP.
Use automatic configuration script ( ) ) Web.
tion,
-
Web-
ISA Server 2004. , Automatically detect settings ( Use default URL (
URL
(Proxy Autoconfigura. , ). ) ISA Server 2004
.
-
, ISA Server 2004, URL (
URL).
Use custom -
Using Automatic Configuration and Automatic Proxy ( ) www.microsoft.com/ resources/documentation/ie/5/all/reskit/en-us/part5/ch21auto.mspx. Use a Web Proxy server ( Web,
Web) ISA Server 2004
398
5
Web-
,
. Web-
SecureNAT,
,
-
. ,
-
. , ,
Web-
Web-
. Web-
WebWeb(
. , Web-
-
WebJava), .
,
Web, . , /
SecureNAT.
Domains tab

The Domains tab (Figure 5.11) lists the domains the Firewall client treats as local: connections to hosts in these domains are made directly and not through ISA Server 2004. By default the list holds the DNS domain of the ISA Server 2004 computer itself; add the other internal domains here.

Figure 5.11. Domains tab.

Click Add to open Domain Properties (Figure 5.12) and enter a name. The FQDN of a single host matches only that host; a domain prefixed with a wildcard (*) matches every host in the domain, so *.msfirewall.org matches any host in msfirewall.org.

Figure 5.12. Domain Properties.

The Domains list is part of the configuration ISA Server 2004 sends to its Firewall clients, so a change made here reaches every client without touching the clients themselves. Keep it to domains that are actually internal: a host in a listed domain is reached directly, without ISA Server 2004 authentication or logging.

Allowing unencrypted Firewall client connections

The ISA Server 2004 Firewall client encrypts its control channel to ISA Server 2004. Earlier clients (the ISA Server 2000 Firewall client and the Proxy Server 2.0 Winsock Proxy client, which use the Remote Winsock Proxy protocol) do not, and ISA Server 2004 rejects them unless it is told to accept unencrypted connections. Windows versions on which the ISA Server 2004 client cannot run are the usual reason to need this.
To allow ISA Server 2000 and Winsock Proxy 2.0 clients to connect:
1. In the Microsoft Internet Security and Acceleration Server 2004 console expand the server name, then Configuration, and click General.
2. In the Details pane click Define Firewall Client Settings.
3. In Firewall Client Settings click the Connection tab.
4. Select Allow nonencrypted Firewall client connections.
5. Click Apply, then OK.
6. Click Apply in the console to save the change, then OK in the Apply New Configuration dialog.
Leave the option off unless legacy clients exist: with it on, an attacker on the Internal network can read the control channel of any old client, credentials included, and can impersonate ISA Server 2004 to such clients.

Configuring the Firewall client on the client computer

Double-click the Firewall client icon in the notification area, or right-click it and choose Configure, to open Microsoft Firewall Client for ISA Server 2004.
On the General tab (Figure 5.13), Enable Microsoft Firewall Client for ISA Server 2004 turns the client on or off.

Figure 5.13. General tab of the Firewall Client Configuration dialog.

Automatically detect ISA Server makes the client locate ISA Server 2004 through the WPAD entry in DHCP or DNS, the same mechanism the browser uses for the Web proxy. Click Detect Now to try it immediately; the Detecting ISA Server dialog (Figure 5.14) reports the server found. If detection fails, check the WPAD entries in DNS and DHCP described later in this chapter. A network capture of a successful detection (Figure 5.15) shows the request and the reply; the Hex decode pane shows the server name returned.

Figure 5.14. Detecting ISA Server.
Figure 5.15. Capture of an autodetection request and reply.

Manually select ISA Server lets you type the name or IP address of the ISA Server 2004 computer; use the FQDN of the Internal interface or its IP address, as on the server's Firewall Client tab. Click Test Server to check that the client can reach the Firewall service on TCP 1745 at that address; the Detecting ISA Server dialog reports the result.

On the Web Browser tab (Figure 5.16), Enable Web browser automatic configuration applies the browser settings defined on ISA Server 2004 (Web browser configuration on the Firewall client computer, in the Internal network properties) to Internet Explorer; Configure Now applies them at once instead of at the next refresh.

Figure 5.16. Web Browser tab of the Firewall Client Configuration dialog.

Hide icon in notification area when connected to ISA Server hides the icon while the client is connected. The corresponding entry in management.ini, under \Documents and Settings\user_name\Local Settings\Application Data\Microsoft\Firewall Client 2004, is TrayIconVisualState=1 in the [TrayIcon] section, so the behaviour can be preset for users who should not see (or touch) the icon.
Firewall client settings and ini files

When a Firewall client cannot connect, check in this order: that the server name configured for the client resolves to the ISA Server 2004 Internal address; that Test Server succeeds on TCP 1745 (a firewall between client and ISA Server 2004, or the wrong address, is the usual cause when it fails); and that the client has actually downloaded its configuration from the server. If Web browser autoconfiguration does not take effect, check the Web Browser settings of the Internal network properties on the server and whether the client has Enable Web browser automatic configuration selected.

The client's behaviour is controlled by three ini files (Figure 5.17):
■ common.ini, with settings that apply to all applications;
■ management.ini, with the settings of the management applet;
■ application.ini, with per-application settings.

Figure 5.17. Firewall client configuration files.

On Windows XP the files are in:
■ \Documents and Settings\All Users\Local Settings\Application Data\Microsoft\Firewall Client 2004;
■ \Documents and Settings\user_name\Local Settings\Application Data\Microsoft\Firewall Client 2004.
Both folders are hidden by default; use Windows Search (with hidden files included) to find them on a computer with a different profile layout.

Settings are looked up in this order, the first match winning:
1. the application.ini in the user's profile folder;
2. the application.ini in the All Users folder;
3. the application settings downloaded from ISA Server 2004 (defined in Define Firewall Client Settings);
4. the common settings (common.ini locally, then the common settings downloaded from ISA Server 2004), which apply to every application not covered above.
A setting in a local ini file therefore overrides what the ISA Server 2004 administrator configured; keep that in mind when one client behaves differently from the rest, and treat write access to these files as you treat the client's proxy settings. The same keys may appear in common.ini and application.ini; Table 5.6 lists them.
Table 5.6 lists the settings that can appear in the [Common] section of common.ini and in the per-application sections of application.ini; on the server they are the Settings and Application Settings tabs of Define Firewall Client Settings in the Microsoft Internet Security and Acceleration Server 2004 console. A per-application value overrides the [Common] value for that application only.

Table 5.6. Firewall client ini settings

ServerName — name (or IP address) of the ISA Server 2004 computer the client connects to.
Disable — 0 (default): the Firewall client handles this application; 1: it does not, and the application's traffic leaves the computer as SecureNAT traffic.
DisableEx — 0 or 1, same meaning as Disable, but read only by the ISA Server 2004 Firewall client; when present it takes precedence over Disable, so an application can be treated differently by old and new clients.
Autodetection — 0: the server named in ServerName is used; 1: the client locates ISA Server 2004 through WPAD.
NameResolution — L: the client resolves host names locally; R: the client sends the name to ISA Server 2004 over the control channel, and ISA Server 2004 resolves it. R lets clients work without any DNS path to the Internet.
LocalBindTcpPorts, LocalBindUdpPorts — TCP and UDP ports the application binds on the local computer rather than on ISA Server 2004.
RemoteBindTcpPorts, RemoteBindUdpPorts — TCP and UDP ports the application binds on the ISA Server 2004 computer, so that connections arriving there are relayed to the application.
ServerBindTcpPorts — TCP ports on which the application accepts inbound connections through ISA Server 2004 (for Winsock applications that act as servers).
Persistent — 0 (default) or 1; with 1 the client keeps the application's server binding on ISA Server 2004 across a stop and restart of the Firewall service.
ForceCredentials — 0 (default) or 1; with 1 the client authenticates to ISA Server 2004 with the credentials stored by Credtool.exe instead of those of the logged-on user. This is how a Windows service, which runs under an account ISA Server 2004 cannot authenticate, uses the Firewall client; the stored credentials are those of a domain account, so give that account no more rights than the rules require.
NameResolutionForLocalHost — L (default): a gethostbyname("LocalHost") call through the Winsock API returns the computer's own IP address; the other values make it return an address of the ISA Server 2004 computer instead, for applications that must report an address reachable from beyond the firewall.
ControlChannel — Wsp.udp or Wsp.tcp: whether the control channel to ISA Server 2004 uses UDP or TCP (both on port 1745).

Port values are lists of single ports or ranges separated by commas, for example 5000-5010,6000.
wspcfg.ini, the per-application configuration file of ISA Server 2000 and Proxy Server 2.0 Winsock clients, is no longer the place to configure applications. With ISA Server 2004 per-application settings are defined centrally on the server and downloaded by the clients, so they need not be maintained on each computer. Settings that an ISA Server 2000 deployment kept in wspcfg.ini files are moved to Application Settings.

To define application settings on ISA Server 2004:
1. In the Microsoft Internet Security and Acceleration Server 2004 console expand the server name, then Configuration, and click General.
2. In the Details pane click Define Firewall Client Settings (Figure 5.18).
3. In Firewall Client Settings click the Application Settings tab (Figure 5.19). The list already holds entries ISA Server 2004 ships with, for example outlook with Disable = 0, which means Microsoft Outlook is handled by the Firewall client (outlook Disable = 1 would exclude it).

Figure 5.18. Define Firewall Client Settings.
Figure 5.19. Application Settings tab.

To keep the Firewall client from serving a particular executable, add an entry with Disable = 1. For the Kazaa client, kazaa.exe:
1. On the Application Settings tab click New.
2. In Application Entry Settings type kazaa in Application (the executable name without .exe).
3. In Key select Disable.
4. In Value type 1 and click OK (Figure 5.20).
5. Click Apply in Firewall Client Settings, then OK.
6. Click Apply in the console, then OK in Apply New Configuration.

Figure 5.20. Application entry for kazaa.

Firewall clients pick the entry up at their next refresh, after which kazaa.exe no longer gets connections through the Firewall client. This is not a block: Kazaa and similar programs fall back to HTTP, which is allowed through the Web proxy, and a SecureNAT path may exist as well. Stopping such traffic needs an HTTP filter that inspects application-layer content, for example the Akonix L7 filter for ISA Server (www.akonix.com), together with access rules that deny the protocols concerned.
Web proxy clients

A Web proxy client is any application that sends its HTTP, HTTPS and FTP requests to the Web proxy listener of ISA Server 2004 instead of connecting to the destination itself; usually that is a Web browser, but any application that can be configured with a proxy qualifies. No software is installed: the application is pointed at the ISA Server 2004 Internal address and the Web proxy port, TCP 8080 by default. The Web proxy listener can be enabled on any ISA Server 2004 network, and a computer can be a Web proxy client and a SecureNAT or Firewall client at the same time.

Compared with SecureNAT and Firewall clients, Web proxy clients:
■ work on any operating system with a proxy-capable browser, since nothing is installed;
■ need no default gateway pointing at ISA Server 2004;
■ are limited to the protocols the Web proxy understands: HTTP, HTTPS and FTP (download);
■ can be authenticated per user and group at the Web proxy listener with Basic, Digest, Integrated Windows, certificate or RADIUS authentication;
■ benefit from the Web cache and from the HTTP filter;
■ can be configured automatically (WPAD, autoconfiguration script).
A browser becomes a Web proxy client in one of three ways:
■ manually, by entering the ISA Server 2004 address and port 8080 in its proxy settings;
■ automatically, through a WPAD entry in DNS or DHCP that tells the browser where to download the autoconfiguration script;
■ through an autoconfiguration script whose URL is entered in the browser.
Automatic configuration is preferable on any network larger than a handful of computers: the bypass list (Direct Access) stays consistent, the proxy can be moved without touching the clients, and a laptop that leaves the network stops using the proxy. Sites that fail through the proxy, such as some Java applets and Hotmail, are put on the Direct Access list so that the browser connects to them directly; the connection is then handled by the Firewall client or SecureNAT.

Web proxy protocols (HTTP/HTTPS/FTP)

A Web proxy client speaks HTTP to ISA Server 2004 for everything. An HTTP request is forwarded as HTTP. An HTTPS request becomes an HTTP CONNECT to the Web proxy, which tunnels the SSL/TLS session (SSL/TLS over HTTP) to the destination without seeing its content. An ftp:// URL is sent as an HTTP request; ISA Server 2004 runs the FTP session itself and returns the result over HTTP. So whatever protocol the URL names (www.microsoft.com or ftp.microsoft.com), a Web proxy client only ever talks to TCP 8080 on ISA Server 2004, and its FTP is download-only: a browser can fetch files from ftp.microsoft.com but cannot upload. Uploads, and any FTP client that is not a browser, need the Firewall client or SecureNAT, which use the FTP access filter.
Authentication of Web proxy clients

When a rule requires authentication and the request carries no credentials, ISA Server 2004 returns an "access denied" challenge, and the Web proxy client answers with credentials using one of the methods enabled on the Web proxy listener (Figure 5.21):
■ Basic;
■ Digest;
■ Integrated Windows;
■ certificate (client certificates);
■ RADIUS.
Basic sends the password base64-encoded, that is in the clear; use it only on a trusted network or over SSL. Digest and Integrated Windows do not expose the password. RADIUS lets ISA Server 2004 hand the credentials to an external RADIUS server for validation. The listener can offer several methods; the browser picks the strongest it supports.

Figure 5.21. Authentication methods of the Web proxy listener.

RADIUS authentication for Web proxy clients

An ISA Server 2004 computer that is not a domain member can authenticate users only against its own SAM, not against Active Directory or a Windows NT 4.0 domain. RADIUS removes that limitation: ISA Server 2004 passes the user name and password to a RADIUS server (Microsoft's is IAS, Internet Authentication Service), which checks them against the domain and answers accept or reject. ISA Server 2004 need not join the domain and only needs UDP access to the RADIUS server, which is why RADIUS is the usual choice for a firewall kept out of the domain. Two consequences follow. ISA Server 2004 must receive the password from the client in a form it can forward, so the client-facing method is Basic (over an SSL Web listener for published sites). And ISA Server 2004 sends the password to the RADIUS server with PAP, protected only by the RADIUS shared secret.

Requirements:
■ a RADIUS server on which the ISA Server 2004 computer is registered as a RADIUS client;
■ Remote Access Permission (dial-in) granted to the users, or a remote access policy that grants it;
■ PAP (Password Authentication Protocol) enabled in the remote access policy profile, since that is what ISA Server 2004 sends.

To enable RADIUS authentication on the Web proxy listener:
1. In the Microsoft Internet Security and Acceleration Server 2004 console expand the server name, then Configuration, and click Networks.
2. In the Details pane select Internal (or whichever network the Web proxy clients are on) and open its Properties.
3. On the Web Proxy tab click Authentication.
4. In the Authentication dialog (Figure 5.22) select RADIUS and clear the methods you do not want.
5. Click RADIUS Servers.
6. Click Add. In Add RADIUS Server (Figure 5.23) enter the Server name (FQDN or IP address; the ISA Server 2004 computer must be able to resolve a name) and an optional Server description.
7. Leave Port (1812 by default) and Time-out (seconds) alone unless the RADIUS server uses other values.
8. Click Change next to Shared Secret, enter the secret configured for this RADIUS client on the RADIUS server in New secret and Confirm new secret, and click OK. The secret is all that protects the passwords between ISA Server 2004 and the RADIUS server: make it long and random, give every RADIUS client its own, and consider IPSec between the two computers.
9. Select Always use message authenticator: every request then carries an HMAC that the RADIUS server verifies, which stops forged or altered requests from anything that knows the RADIUS client's address but not the secret. Enable the matching option for the client on the RADIUS server, or its requests will be rejected.
10. Click OK in Add RADIUS Server, then OK in RADIUS Servers.
11. Click OK in Authentication.
12. Click OK in Internal Properties.
13. Click Apply in the console.
14. Click OK in Apply New Configuration.

Figure 5.22. Authentication dialog.
Figure 5.23. Add RADIUS Server.
In a Windows 2000 or Windows Server 2003 domain the users still need remote access permission, either on the account or from the policy. To grant it per account:
1. In Active Directory Users and Computers open the account of each user who will authenticate through RADIUS.
2. Click Properties, then the Dial-in tab.
3. Under Remote Access Permission (Dial-in or VPN) select Allow access.
4. Click Apply, then OK.
Without this, the RADIUS server rejects the user even though the password is correct, and the Web proxy client sees an authentication failure that looks like a wrong password.

ISA Server 2004 sends the Web proxy client's credentials to the RADIUS server with PAP. PAP masks the password reversibly with the shared secret rather than hashing it, so anyone who captures the traffic and knows the secret recovers the password; if the link between ISA Server 2004 and the RADIUS server is not trusted, protect it with IPSec. To enable PAP on IAS:
1. Click Start, point to Administrative Tools and click Internet Authentication Service (IAS).
2. Expand Internet Authentication Service and click Remote Access Policies.
3. The right pane lists the existing policies, typically one for RAS/VPN connections; requests from ISA Server 2004 match Connections to other access servers unless you create a dedicated policy for them.
4. Right-click Connections to other access servers, click Properties, then Edit Profile.
5. In Edit Dial-in Profile click the Authentication tab.
6. Select Unencrypted authentication (PAP, SPAP).
7. Click Apply, then OK.
8. Back in Connections to other access servers Properties (Figure 5.24), the condition Windows-Groups matches... restricts the policy to the Windows groups whose members may authenticate through the Web proxy; click Add to add the group. Select Grant remote access permission.
9. Click Apply, then OK in Connections to other access servers Properties.

Figure 5.24. Connections to other Access Servers Properties.
Web proxy listener advanced settings

The Web Proxy tab of a network's properties (Configuration, Networks, Properties in the Microsoft Internet Security and Acceleration Server 2004 console) has an Advanced button. Advanced Settings (Figure 5.25) controls:
■ Number of connections: Unlimited, or Maximum with a number. A limit protects the listener from being exhausted by one misbehaving client or by a flood of connections, but set too low it also starves legitimate users who share one address behind a NAT device.
■ Connection timeout (seconds), 120 by default: how long an idle client connection is kept before ISA Server 2004 closes it. Raise it only for applications known to hold idle proxy connections; lowering it frees resources sooner under load.

Figure 5.25. Advanced Settings.

Web proxy chaining

An ISA Server 2004 computer can itself be a Web proxy client of another Web proxy: the "downstream" ISA Server 2004 forwards its clients' Web requests to an "upstream" Web proxy (another ISA Server 2004 or a different product) instead of sending them to the Internet directly. Chaining is used:
■ in branch offices, where the local ISA Server 2004 caches for the branch and forwards cache misses to the ISA Server 2004 at headquarters;
■ where an ISP's or a central proxy is the only way to the Internet, so ISA Server 2004 must forward to it, with authentication if the upstream proxy requires it;
■ in back-to-back configurations, where the inner ISA Server 2004 forwards to the outer one and only the outer one talks to the Internet.
Web chaining rules, which define the upstream proxy and when it is used, are covered in Chapter 10.
SecureNAT clients

A SecureNAT client is any computer whose route to the Internet passes through the ISA Server 2004 Internal interface: no software is installed; its default gateway, or a router on the path, points at ISA Server 2004. Because ISA Server 2004 sees only IP packets from a SecureNAT client, it cannot tell who the user is, cannot authenticate the request, and can only apply rules that match the source address. It can:
■ forward TCP and UDP connections of any protocol defined in its protocol list, including protocols that need an application filter (FTP, for example) to open their secondary connections;
■ forward non-TCP/UDP protocols such as ICMP (ping, tracert) and GRE (PPTP), which neither the Firewall client nor the Web proxy client can carry, because the Firewall client intercepts only Winsock TCP and UDP calls.

Table 5.7 compares the three client types by protocol.

Table 5.7. Protocols by client type
SecureNAT — TCP, UDP and every other IP protocol (ICMP, GRE, ...); ping and tracert work only from SecureNAT clients.
Firewall client — TCP and UDP, for Winsock applications.
Web proxy client — HTTP, HTTPS and FTP (download), all carried as HTTP to the Web proxy listener.

Tables 5.8 and 5.9 compare the client types by feature:
■ authentication: per-user and per-group rules need the Firewall client or an authenticated Web proxy client; SecureNAT clients can be matched only by IP address;
■ complex protocols: SecureNAT needs an application filter on ISA Server 2004 for protocols with secondary connections, the Firewall client handles them itself;
■ operating system: SecureNAT and Web proxy clients can be anything that speaks TCP/IP, the Firewall client requires 32-bit Windows;
■ name resolution: Web proxy clients leave resolution to ISA Server 2004, the Firewall client can do the same (NameResolution=R), SecureNAT clients must resolve Internet names themselves and therefore need a DNS server that can;
■ configuration effort: SecureNAT needs only a default gateway, which DHCP can supply; the Firewall client must be installed on every computer; Web proxy clients need browser settings, ideally automatic (WPAD).

Table 5.8. Client types by feature.
Table 5.9. Client types by feature, continued.

One computer can be all three at once: a Firewall client whose browser is a Web proxy client and whose default gateway is ISA Server 2004 gets authentication for Winsock and Web traffic and still has SecureNAT for ICMP and GRE. For a Windows computer that is the recommended combination.
Voice over IP clients using SIP are another case for SecureNAT: ISA Server 2004 ships no SIP application filter, so SIP is handled at the IP level only and the protocol definitions must cover the ports the application uses.

Automatic configuration of Web proxy clients

Browsers can be configured for ISA Server 2004 automatically in four ways:
■ DHCP: a WPAD entry (option 252) in the DHCP scope;
■ DNS: a WPAD alias (CNAME wpad) in the clients' DNS domain;
■ Group Policy: Internet Explorer settings applied to users in Active Directory;
■ the Internet Explorer Administration Kit (IEAK), which builds an Internet Explorer package with the proxy settings already in it.
With WPAD (Web Proxy Autodiscovery Protocol) the browser asks DHCP (with a DHCPINFORM request) and then DNS (for wpad.<domain>) where the autoconfiguration script lives and fetches it from ISA Server 2004, which publishes it on the autodiscovery port set in the network's properties (TCP 80 by default). Table 5.10 compares the two WPAD methods.

Table 5.10. DHCP and DNS WPAD entries
DHCP — needs Internet Explorer 5.0 or later; works with any DNS domain name because the DHCP server hands the client the complete URL (http://<ISA Server 2004 FQDN>:<port>/wpad.dat), so any port can be used; the client must be a DHCP client, and on Windows 2000, Windows XP and Windows Server 2003 the logged-on user needs the right to send DHCPINFORM (see below).
DNS — needs Internet Explorer 5.0 or later; the client must have a primary or connection-specific DNS suffix in which a wpad alias exists that resolves to the ISA Server 2004 computer; the port is fixed at TCP 80, because the browser builds http://wpad.<suffix>/wpad.dat itself; works for static and dynamic addresses alike and needs no DHCP server.

ISA Server 2004's own documentation of autodetection is at www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/isa/proddocs/isadocs/CMT_AutoDetect.asp; chapter 26 of the Internet Explorer 6 Resource Kit, "Using Automatic Configuration, Automatic Proxy, and Automatic Detection", is at www.microsoft.com/resources/documentation/ie/6/all/reskit/en-us/part6/c26ie6rk.mspx.
DHCP WPAD entry

To publish the autoconfiguration URL through DHCP you need:
■ a DHCP server (a Windows 2000 or Windows Server 2003 DHCP server here), authorized in Active Directory, with a scope covering the clients;
■ the WPAD entry defined as DHCP option 252 and assigned to the scope (or to the server);
■ Internet Explorer 5.0 or later on the clients, set to Automatically detect settings;
■ the clients configured as DHCP clients;
■ ISA Server 2004 publishing autodiscovery information (below).
The option carries the complete URL, so the ISA Server 2004 name in it must be resolvable by the clients, and the port in it must equal the autodiscovery port on ISA Server 2004. Note also that whoever controls a DHCP server on the clients' subnet controls which proxy script the browsers execute; a rogue DHCP server answering DHCPINFORM is enough.

Installing and authorizing the DHCP server

1. Install the DHCP Server service (a Windows component under Networking Services) and open the DHCP console from Start, Administrative Tools, DHCP.
2. Right-click the server and click Authorize (Figure 5.26); in an Active Directory domain an unauthorized DHCP server does not answer clients.
3. Press Refresh until the server icon shows it as authorized.

Figure 5.26. Authorizing the DHCP server.

Creating the scope

4. Right-click the server and click New Scope.
5. Click Next on the Welcome to the New Scope Wizard page.
6. Enter a Scope Name and optional Description, then Next.
7. On the IP Address Range page enter the Start IP address and End IP address the server may lease, and the Subnet mask. The example network (Figure 5.27) is 10.0.2.0/24; the scope runs from 10.0.2.100 to 10.0.2.150, leaving the lower addresses for servers with static addresses and for the ISA Server 2004 Internal interface. The Length box (24) and the Subnet mask (255.255.255.0) describe the same prefix. Click Next.

Figure 5.27. IP address range of the scope.

8. On Add Exclusions add any addresses inside the range that must not be leased, then Next.
9. Accept or change the Lease Duration, then Next.
10. On Configure DHCP Options select Yes, I want to configure these options now, then Next.
11. On Router (Default Gateway) enter the gateway the clients should use: the ISA Server 2004 Internal address if the clients are to be SecureNAT clients, otherwise the internal router. Web proxy and Firewall clients do not need it, SecureNAT clients do. Click Add, then Next.
12. On Domain Name and DNS Servers enter the Parent domain the clients belong to (msfirewall.org in the example, Figure 5.28) and the DNS server address, 10.0.2.2 here. The domain name becomes the clients' connection-specific DNS suffix, which the DNS WPAD method relies on; the DNS server must resolve the ISA Server 2004 name. Click Add, then Next.

Figure 5.28. Domain name and DNS servers.

13. On WINS Servers enter the WINS servers, if any; they matter for NetBIOS browsing (My Network Places, Network Neighborhood), including by VPN clients, not for WPAD. Click Next.
14. On Activate Scope select Yes, I want to activate this scope now, then Next.
15. Click Finish on Completing the New Scope Wizard (Figure 5.29).

Figure 5.29. Completing the New Scope Wizard.

DHCP option 252

Option 252 holds the WPAD URL. Windows DHCP servers do not define it by default, so it is added to the server's predefined options and then assigned to the scope. Internet Explorer 6.0 requests it with DHCPINFORM, and on Windows 2000 only Power Users and administrators, on Windows XP only members of Network Configuration Operators and administrators, may send that request; see "Automatic Proxy Discovery in Internet Explorer with DHCP Requires Specific Permissions", http://support.microsoft.com/default.aspx?scid=kb;en-us;312864. Ordinary users fall back to DNS WPAD unless they are granted that right.

1. In the DHCP console right-click the server and click Set Predefined Options (Figure 5.30).
2. In Predefined Options and Values (Figure 5.31) click Add.
3. In Option Type (Figure 5.32) enter: Name: wpad; Data type: String; Code: 252; Description: wpad entry. Click OK.
4. In Value enter the URL of the autoconfiguration script as String, in the form http://ISAServerName:AutodiscoveryPortNumber/wpad.dat, where the port is the autodiscovery port configured in ISA Management (TCP 80 by default). In the example (Figure 5.33) the string is http://isa2.msfirewall.org:80/wpad.dat. Keep the file name wpad.dat in lower case; if autodetection still fails, see "Automatically Detect Settings Does Not Work if You Configure DHCP Option 252", http://support.microsoft.com/default.aspx?scid=kb;en-us;307502.
5. Click OK.

Figure 5.30. Set Predefined Options.
Figure 5.31. Predefined Options and Values.
Figure 5.32. Option Type.
Figure 5.33. Value of option 252.

6. Expand the scope, right-click Scope Options and click Configure Options.
7. In Scope Options (Figure 5.34), under Available Options, select 252 wpad, then Apply and OK.
8. Scope Options now lists 252 wpad.
9. Close the DHCP console.

Figure 5.34. Scope Options.

Configuring the client as a DHCP client

The client must obtain its address from DHCP for the option to be delivered. On Windows 2000:
1. Right-click My Network Places and click Properties.
2. In Network and Dial-up Connections right-click Local Area Connection and click Properties.
3. In Local Area Connection Properties select Internet Protocol (TCP/IP) and click Properties.
4. In Internet Protocol (TCP/IP) Properties select Obtain an IP address automatically and Obtain DNS server address automatically.
5. Click OK in Internet Protocol (TCP/IP) Properties, then OK in Local Area Connection Properties.
6. Close Network and Dial-up Connections.

Then tell Internet Explorer 6.0 to use automatic detection:
1. Right-click Internet Explorer on the desktop and click Properties.
2. In Internet Properties click the Connections tab.
3. Click LAN Settings.
4. In Local Area Network (LAN) Settings select Automatically detect settings and click OK.
5. Click OK in Internet Properties.
Publishing autodiscovery information on ISA Server 2004

With either WPAD method the ISA Server 2004 computer must answer requests for wpad.dat on the autodiscovery port of the network the clients are on:
1. In the Microsoft Internet Security and Acceleration Server 2004 console expand the server name, then Configuration, and click Networks.
2. On the Networks tab of the Details pane select the Internal network.
3. Click Properties (Figure 5.35).
4. On the General tab of Internal Properties select Publish automatic discovery information and, in Use this port for automatic discovery requests, leave 80. The value must equal the port in the DHCP option, and DNS WPAD can only use 80. If something else on ISA Server 2004 already listens on port 80 of the Internal interface, change the port and use DHCP WPAD only.
5. Click OK.
6. Click Apply in the console.
7. Click OK in Apply New Configuration.

Figure 5.35. Internal Network Properties.

Testing the DHCP WPAD entry

1. On the client start Internet Explorer and open a site such as www.microsoft.com/isaserver.
2. A network capture on the client (Figure 5.36) shows the DHCPINFORM the browser sends and the DHCP server's reply.
3. Figure 5.37 shows the reply decoded: option 252 with the URL of the autoconfiguration script.
4. The browser then requests the script from ISA Server 2004 (Figure 5.38): an HTTP GET for wpad.dat sent to isa2.msfirewall.org on the autodiscovery port. If the GET is missing, the client could not resolve or reach the name in the option; if it is refused, autodiscovery is not published on that port.

Figure 5.36. DHCPINFORM request.
Figure 5.37. DHCP reply carrying option 252.
Figure 5.38. Request for wpad.dat.
DNS WPAD entry

The DNS method needs no DHCP server and works for statically addressed clients, but every client must have a DNS suffix in which a wpad record exists, and it always uses TCP 80 on ISA Server 2004 because the browser builds http://wpad.<suffix>/wpad.dat itself. It also means that whoever can create the name wpad in any domain the clients use (including a connection-specific suffix received from DHCP) decides which proxy script the browsers execute; that name must be under your control in every zone the clients can end up in.

Requirements:
■ a wpad alias in the DNS zone of the clients' domain, pointing at the ISA Server 2004 computer;
■ a host (A) record for the ISA Server 2004 computer in that zone, resolving to the Internal interface;
■ a primary or connection-specific DNS suffix on each client that matches the zone;
■ Internet Explorer 5.0 or later with Automatically detect settings enabled;
■ ISA Server 2004 publishing autodiscovery information on port 80.

Creating the wpad alias

The ISA Server 2004 computer already has a host record in the zone (isa2.msfirewall.org in the example); the alias makes wpad.msfirewall.org resolve to it. A CNAME is preferable to a second host record because the address is then maintained in one place.
1. Click Start, point to Administrative Tools and click DNS.
2. In the DNS console (Figure 5.39) expand Forward Lookup Zones, right-click the zone (msfirewall.org) and click New Alias (CNAME).
3. In New Resource Record (Figure 5.40) type wpad in Alias name and click Browse.
4. In Browse (Figure 5.41) double-click the server, then Forward Lookup Zones, then the zone, select the host record of the ISA Server 2004 computer (isa2) and click OK.
5. Fully qualified domain name (FQDN) for target host now reads isa2.msfirewall.org. Click OK.
6. The zone now contains the wpad alias (Figure 5.42). Close the DNS console.

Figure 5.39. New Alias (CNAME) in the DNS console.
Figure 5.40. New Resource Record.
Figure 5.41. Browse.
Figure 5.42. The wpad CNAME in the zone.

Configuring the client's DNS suffix

The browser appends the client's primary DNS suffix, and on Windows 2000 and later also the connection-specific suffix, to wpad. Domain members get the primary suffix from the domain; workgroup computers need it set by hand, or a connection-specific suffix from DHCP:
1. Right-click My Computer, click Properties, then the Network Identification tab (Figure 5.43), then Properties.
2. In Identification Changes click More.
3. In DNS Suffix and NetBIOS Computer Name (Figure 5.44) enter the zone name in Primary DNS suffix of this computer. Change primary DNS suffix when domain membership changes, selected by default, makes the suffix follow the domain when the computer joins one. Click OK, or Cancel if nothing changes.
4. Restart if prompted.

Figure 5.43. Network Identification.
Figure 5.44. DNS Suffix and NetBIOS Computer Name.

Alternatively, the DHCP server's DNS Domain Name option gives DHCP clients a connection-specific suffix (Figure 5.45): set it to the zone name, msfirewall.org in the example (it was entered as Parent domain when the scope was created). On the client, ipconfig /all then shows Connection-specific DNS Suffix: msfirewall.org (Figure 5.46), and the browser looks up wpad.msfirewall.org. This covers workgroup computers and members of other Active Directory domains alike, as long as they take the suffix from DHCP.

Figure 5.45. DNS Domain Name scope option.
Figure 5.46. ipconfig /all showing the connection-specific suffix.

In networks with several DNS domains, or sites connected over a WAN, create a wpad CNAME in each zone the clients use; all of them can point at one ISA Server 2004 computer, or each at the local one.

Configuring the browser and ISA Server 2004

On the client:
1. Right-click Internet Explorer and click Properties.
2. On the Connections tab click LAN Settings.
3. In Local Area Network (LAN) Settings select Automatically detect settings and click OK.
4. Click Apply, then OK in Internet Properties.
On ISA Server 2004, publish autodiscovery information on port 80:
1. In the Microsoft Internet Security and Acceleration Server 2004 console expand the server name, then Configuration, and click Networks.
2. On the Networks tab of the Details pane select the Internal network.
3. Click Properties (Figure 5.47).
4. On the General tab select Publish automatic discovery information and set Use this port for automatic discovery requests to 80.
5. Click OK.
6. Click Apply in the console.
7. Click OK in Apply New Configuration.

Figure 5.47. Internal Network Properties.
Testing the DNS WPAD entry

1. On the client open www.microsoft.com/isaserver in Internet Explorer.
2. A capture on the client (Figure 5.48) shows the DNS query for wpad.msfirewall.org (type Host Addr, class INET) and the reply carrying the ISA Server 2004 address.
3. Immediately afterwards (Figure 5.49) the client opens a TCP connection to that address on port 80 and sends GET /wpad.dat HTTP/1.1; ISA Server 2004 returns the autoconfiguration script and the browser starts using the Web proxy.

Figure 5.48. DNS query and reply for wpad.msfirewall.org.
Figure 5.49. GET /wpad.dat request.
Firewall client

The Firewall client is installed on 32-bit Windows computers (Windows 95 excepted) and intercepts the Winsock calls of applications, forwarding their TCP and UDP connections to ISA Server 2004 together with the user's credentials. Compared with SecureNAT it:
■ authenticates the user for every connection, so rules for TCP and UDP protocols can be applied per user and per group;
■ handles protocols with secondary connections, such as FTP, without an application filter on ISA Server 2004;
■ can have ISA Server 2004 resolve the names applications ask for, so the client needs no DNS path to the Internet;
■ supports Winsock applications that act as servers (ServerBindTcpPorts);
■ needs no default gateway pointing at ISA Server 2004.
It does not carry non-Winsock protocols (ICMP, GRE), and it is not used for the HTTP, HTTPS and FTP requests of a browser configured as a Web proxy client, which go to the Web proxy listener directly.

Firewall client settings on ISA Server 2004 are defined per network and downloaded by the clients; the ISA Management console is the only place they need to be changed.

1. In the Microsoft Internet Security and Acceleration Server 2004 console expand the server name, then Configuration, and click Networks.
2. On the Networks tab of the Details pane select the Internal network and click Properties.
3. On the Firewall Client tab select Enable Firewall client support for this network.
4. Under Firewall client configuration, in ISA Server name or IP address, replace the NetBIOS name with the FQDN of the ISA Server 2004 Internal interface (or with its IP address), and check that the clients' DNS resolves the FQDN to the Internal address.
Web browser configuration on the Firewall client computer (Figure 5.50) defines what the Firewall client writes into Internet Explorer when Enable Web browser automatic configuration is selected on the client:
■ Automatically detect settings: the browser uses WPAD (DNS or DHCP) to find the Web proxy, exactly as a browser without the Firewall client would.
■ Use automatic configuration script: the browser loads a proxy autoconfiguration script. Use default URL points at the script ISA Server 2004 generates from the Web Browser tab; Use custom URL points at your own, for cases where the bypass logic must be more elaborate than the Web Browser tab allows. See "Using Automatic Configuration and Automatic Proxy", www.microsoft.com/resources/documentation/ie/5/all/reskit/en-us/part5/ch21auto.mspx.
■ Use a Web Proxy server: a static proxy entry, the ISA Server 2004 computer on port 8080.
Make the browser a Web proxy client in any case: Web requests then get the Web proxy filter, cache and authentication, and the Firewall client and SecureNAT serve everything else. Sites that do not work through the proxy (Java applets opening their own connections, some Hotmail features) go on the Direct Access list and are reached through the Firewall client or SecureNAT.

Figure 5.50. Internal Properties, Web Browser settings.
Web Browser tab

1. On the Web Browser tab of Internal Properties (Figure 5.51) set what the autoconfiguration script tells the browser to bypass:
■ Bypass proxy for Web servers in this network: requests to Web servers on the Internal network (a URL such as http://SERVER1, or any address the script finds to be in the network) go to the server directly, not through ISA Server 2004. Without this a browser on the Internal network sends a request for an internal server to ISA Server 2004, which then has to route it back.
■ Directly access computers specified in the Domains tab: the domains on the Domains tab (the Firewall client's local domains) are also bypassed by the browser, so the two lists stay consistent.
■ Directly access these servers or domains: an additional bypass list for the browser; click Add to extend it.
2. In Add Server (Figure 5.52) enter either an IP address range (IP address within this range, From and To) or a Domain or computer name. Entries such as msn.com, passport.com and hotmail.com are typical: Microsoft Hotmail's Passport authentication breaks behind the proxy, so these domains are reached directly and their traffic is handled by the Firewall client or SecureNAT. Every bypassed destination escapes the Web proxy's rules, logging and cache, so keep the list short and specific, and remember that the browser matches these names against the host in the URL, not against where the name actually resolves.
3. Use this backup route to connect to the Internet determines what the browser does when the Web proxy is unavailable: Direct access (the browser connects itself, through the Firewall client or SecureNAT) or Alternative ISA Server (a second Web proxy). Direct access means the browser quietly falls back to an unauthenticated path; decide whether that is acceptable before enabling it.
4. Click Apply, then OK.
5. Click Apply in the console, then OK in Apply New Configuration. Firewall clients pick the new browser settings up at their next refresh; browsers using WPAD get the new script when they next start.

Figure 5.51. Web Browser tab of Internal Properties.
Figure 5.52. Add Server.
, . . . Active Directory (
).
. WMI (Windows . (
Management Instrumentation, Windows), ,
); ,
-
, .
, ,
.
,
-
, ,
, :
1.
Start (
).
2.
3. 4. .
) Administrative Tools ( Active Directory Users and Computers ( Active Directory). Organizational Unit ( ). New Object — Organizational Unit ( — ) Name ( ). FWCLIENTS. . Computers ( ) . Move ( ). Move ( ) FWCLIENTS,
-
450
5
5.
,
FWCLIENTS. .
6.
FWCLIENTS Properties (
7. CLIENTS. ject ( (
). Group Policy ( New (
)
FW New Group PolicyObNew Group Policy Object Edit ( ). ),
), ).
) Computer Configuration ( Software Settings ( ). Software installation ( ), New ( ) Package ( ). 9Open ( ) Microsoft (msi) File name ( ). : \\isa2\mspclnt\MS_FWC.MSI, isa2 — NetBIOSISA Server 2004 , ; mspclnt — ISA Server 2004, , a MS_FWC.MSI — Microsoft . Open ( )( . 5.53).
8.
. 5.53.
10. )
Deploy Software ( Assigned (
)(
-
. 5-54)
, Computer Configuration ( shed ( ).
) .
Publi,
, -
,
. ,
.
.
ISA Server 2004
. 5.54.
451
Assigned (
)
11.
. . , . 5.55. ,
-
, Installation and Maintenance» (
«Step-by-Step Guide to Software ) : ww w.microsoft.com/windo ws2000/techinfo/planning/management/swinstall.asp.
. 5.55.
12.
13.
Group Policy Object Editor ( Active Directory Users and Computers ( Active Directory). FWCLIENTS ( . 5.56), ,
)
Windows.
. 5.56.
452
5
,
-
Deploying the Firewall client with a silent installation script

Where Group Policy is not available (workgroup computers, or computers in several domains), the Firewall client can be installed by a script that runs msiexec against the package on the share without showing a user interface. The script, fwcinstall.cmd, created in Notepad, is one line:

msiexec /i \\ISA2\mspclnt\MS_FWC.msi /qn /l*v c:\mspclnt_i.log

ISA2 is the ISA Server 2004 computer (or the server holding the share); /qn suppresses the user interface; /l*v writes a verbose log to c:\mspclnt_i.log, which is where to look when an installation fails. The script can run from a logon script, from a scheduled task, or by hand. Like any installation it needs local administrator rights on the computer, so the logon script approach works only where users are administrators of their computers; a scheduled task or a remote execution tool running under an administrative account avoids that.
Deploying the Firewall client with SMS

Systems Management Server 2003 (SMS) suits large networks whose computers are already SMS clients; it does not require Active Directory membership and reports the outcome of every installation. In outline:
1. Create an SMS collection containing the target computers. Collections are built from inventory data: a query can select computers by IP subnet, operating system, installed software, or membership in another collection, so the Firewall client can be targeted, for example, at every Windows XP computer on a given subnet that does not already have it.
2. Create an SMS package from the Windows Installer file (MS_FWC.msi) on the mspclnt share, and within it a program that runs the package silently with the msiexec switches of the script above; set the program to run with administrative rights whether or not a user is logged on.
3. Create an advertisement that targets the program at the collection with a mandatory assignment, so the installation happens without user action, and follow the results in the SMS status reports.
Summary

ISA Server 2004 distinguishes three client types, and one computer can be any combination of them:
■ SecureNAT clients, which need only a route (normally the default gateway) to ISA Server 2004. Any TCP/IP host qualifies: Linux/UNIX, Macintosh, Windows 95 and other Windows versions that cannot run the Firewall client, even MS-DOS. SecureNAT clients can use every protocol ISA Server 2004 defines, ICMP and GRE included, but cannot be authenticated, and protocols with secondary connections need an application filter. Applications that only know how to use a SOCKS proxy are handled the same way: ISA Server 2004 has no SOCKS filter (the SOCKS 4 filter of ISA Server 2000 was not carried over).
■ Web proxy clients, which send HTTP, HTTPS and FTP (download only) to the Web proxy listener on TCP 8080. Any browser on any operating system can be a Web proxy client; ISA Server 2004 can authenticate them with Basic, Digest, Integrated Windows, certificate or RADIUS authentication, and they benefit from the cache and the HTTP filter. Browsers are best configured automatically: with WPAD entries in DHCP (option 252) or DNS (the wpad alias), with Group Policy, or with IEAK.
■ Firewall clients, which run on 32-bit Windows (Windows 98 and later) and intercept Winsock TCP and UDP calls, sending them to ISA Server 2004 with the user's credentials; they give per-user rules for every TCP/UDP protocol, handle complex protocols without filters and can let ISA Server 2004 resolve names. The client is installed from the mspclnt share by hand, by Group Policy, by a silent script or by SMS; its settings are defined centrally in the ISA Management console and downloaded by the clients.
For Windows computers the recommended configuration is Firewall client plus Web proxy client, with the default gateway at ISA Server 2004 for ICMP and GRE; SecureNAT alone covers the rest, and is the only option for non-Windows hosts.
Solutions Fast Track

SecureNAT clients
■ A SecureNAT client is any computer whose default gateway, or a router on its path, sends Internet traffic to the ISA Server 2004 Internal interface; no software is installed.
■ SecureNAT clients can use every protocol in the ISA Server 2004 protocol list, but protocols with secondary connections (FTP, for example) need an application filter on ISA Server 2004.
■ SecureNAT clients cannot be authenticated; rules for them match only the source IP address, so that address must be stable (a reservation or a static address) if a rule is to mean anything.
■ SecureNAT is the only client type for non-TCP/UDP protocols: ICMP (ping, tracert) and GRE (PPTP).
■ SecureNAT clients resolve names themselves: they need a DNS server that can resolve Internet names, either through ISA Server 2004 or an internal DNS server that forwards through it. Most "the Internet is down" calls from SecureNAT clients are DNS problems.
■ Servers that receive their addresses from DHCP can be made SecureNAT clients through the Router option of the scope; Microsoft operating systems without the Firewall client, and all other operating systems, are SecureNAT clients.

Web proxy clients
■ Web proxy clients send HTTP, HTTPS (SSL/TLS) and FTP download requests to the Web proxy listener, TCP 8080 by default, of the ISA Server 2004 network they are on.
■ They can be authenticated (Basic, Digest, Integrated Windows, certificate, RADIUS), so per-user and per-group rules apply to Web traffic; with RADIUS, IAS or another RADIUS server does the checking and ISA Server 2004 need not be a domain member.
■ They use the Web cache, the HTTP filter and Web chaining.
■ Any browser on any operating system qualifies; the browser is configured by hand, by WPAD (DHCP or DNS), by an autoconfiguration script, by Group Policy or by IEAK.
■ Sites that break through the proxy (some Java applets, Web applications that do not follow the HTTP RFCs) go on the Direct Access list; the browser bypasses the proxy for them and the connection is handled by the Firewall client or SecureNAT.
■ HTTPS through the Web proxy is a tunnel: ISA Server 2004 opens the TCP connection on the client's behalf and does not see the SSL content; the Web proxy only tunnels to the ports in its SSL tunnel port range.

Firewall clients
■ The Firewall client intercepts Winsock TCP and UDP calls and forwards them, with the user's credentials, over a control channel (TCP and UDP 1745) to the Firewall service; the ISA Server 2004 client encrypts that channel, earlier clients do not.
■ It gives authentication for every TCP/UDP protocol, handles complex protocols without application filters, supports server applications and lets ISA Server 2004 resolve names.
■ It runs on 32-bit Windows except Windows 95.
■ It is installed from the mspclnt share by hand, by Group Policy software installation (Active Directory), by a silent msiexec script, or by SMS.
■ It is configured centrally on ISA Server 2004: in the network properties (Firewall Client and Web Browser tabs) and in Define Firewall Client Settings (Settings and Application Settings). Clients download the configuration; local ini files (common.ini, management.ini, application.ini) can override it.
■ It can locate ISA Server 2004 through the same WPAD entries in DHCP and DNS that browsers use.

Automatic configuration
■ Web proxy clients and Firewall clients are auto-configured through WPAD entries: DHCP option 252 (a complete URL, any port) or a DNS CNAME wpad (TCP 80 only).
■ ISA Server 2004 must publish autodiscovery information on the network, on the port the entries reference.
■ DNS WPAD requires a matching primary or connection-specific DNS suffix on the client; DHCP WPAD requires DHCP clients and, for DHCPINFORM on Windows 2000 and Windows XP, the user rights of KB 312864.
Frequently Asked Questions

The author answers questions about this chapter at www.syngress.com/solutions ("Ask the Author") and at ITFAQnet.com.

Q: My SecureNAT clients can browse the Web but cannot use FTP. Does ISA Server 2004 support FTP for SecureNAT clients?
A: Yes. FTP from SecureNAT clients is handled by the FTP access filter, which tracks the secondary (data) connections the protocol opens. The clients still need an access rule that allows the FTP protocol, and the filter decides whether uploads are permitted; check both when only part of FTP fails.

Q: Should I disable the Firewall client for Microsoft Outlook?
A: No. ISA Server 2004 ships with the application setting outlook Disable = 0, so Outlook is handled by the Firewall client; its traffic can instead be sent as SecureNAT traffic if you prefer. The setting lives in Define Firewall Client Settings in the Microsoft Internet Security and Acceleration Server 2004 console.

Q: Some sites with Java applets do not work for my Web proxy clients. What can I do?
A: Java applets and some Web applications open connections in ways that do not follow the HTTP RFCs, and the Web proxy rejects them. Put those sites on the Direct Access list (Web Browser tab and Domains tab): the browser then bypasses the Web proxy for them and the connection is handled by the Firewall client or, failing that, SecureNAT.

Q: I configured the DHCP WPAD entry, but some clients do not find ISA Server 2004. Why?
A: Every DHCP server that answers those clients must carry option 252, the clients must be able to resolve the name in the URL, and on Windows 2000 and Windows XP the user must have the right to send DHCPINFORM (KB 312864). Clients that cannot use DHCP WPAD fall back to DNS WPAD, so creating the wpad alias in DNS as well covers the gaps.

Q: Yahoo's applications work from SecureNAT clients only partly. Why?
A: Features that need secondary connections cannot be handled by SecureNAT without an application filter, and ISA Server 2004 has none for them. Run such applications on Firewall clients, which handle secondary connections themselves, or define the protocols they use if they can be made to use fixed ports.

Q: ISA Server 2000 had a SOCKS 4 filter. Can ISA Server 2004 act as a SOCKS 4 proxy?
A: No; ISA Server 2004 has no SOCKS filter. Configure SOCKS-only applications as SecureNAT clients (or install the Firewall client, which intercepts Winsock calls whether or not the application supports SOCKS) and define the protocols they use.

Q: A Web site uses SSL on TCP 8081 and our Web proxy clients cannot reach it. Why, and what can I do?
A: The Web proxy tunnels SSL connections only to the ports in its SSL tunnel port range. Jim Harrison's isa2k4_ssl_tpr.zip at www.isatools.org adds ports to that range; alternatively reach the site through the Firewall client or SecureNAT, or put it on the Direct Access list. Extend the range only for ports you actually need: every port added is a port through which arbitrary encrypted traffic can leave.

Q: My SecureNAT clients cannot reach any Web site, while Web proxy clients on the same network can. What is wrong?
A: Almost always name resolution. Web proxy clients never resolve Internet names; ISA Server 2004 does it for them. SecureNAT clients resolve names themselves, so they need a DNS server that can resolve Internet names, for example an internal DNS server that forwards to Internet DNS servers through ISA Server 2004 (allowed by a DNS access rule). Check the clients' DNS settings and the DNS rule.
Chapter 6. Installing ISA Server 2004

This chapter covers the tasks that precede the installation of ISA Server 2004, the installation itself (interactive and unattended), and the configuration that follows it.

Pre-installation tasks and considerations

Before installing ISA Server 2004, settle:
■ the hardware and the operating system;
■ the network topology: which networks ISA Server 2004 connects and their address ranges;
■ DNS: how the ISA Server 2004 computer and the clients behind it resolve names;
■ the configuration of each network interface of the ISA Server 2004 computer;
■ interactive or unattended installation;
■ what the installation changes on the computer (services, system policy).

System requirements

■ an Intel or AMD processor of 550 MHz or faster;
■ Windows 2000 Server or Advanced Server with Service Pack 4, or Windows Server 2003;
■ 256 MB of RAM (512 MB recommended; 1 GB for a Web caching server under load);
■ a network adapter for each network ISA Server 2004 connects (two for the usual Internal/External layout; one is enough for a Web proxy and caching server that is not a firewall);
■ an NTFS partition with at least 150 MB free for the program and logs, more for the Web cache, which is best placed on its own partition;
■ a CD-ROM drive, or network access to the installation files;
■ a monitor and keyboard for the installation (or a Remote Desktop session, with the caveat described later in this chapter).

On Windows 2000 the following must be in place before setup runs:
■ Windows 2000 Service Pack 4 (SP4);
■ Internet Explorer 6 or later;
■ the Windows 2000 SP4 SplitStream hotfix 821887, "Events for Authorization Roles Are Not Logged in the Security Log When You Configure Auditing for Windows 2000 Authorization Manager Runtime" (http://support.microsoft.com/default.aspx?scid=kb;en-us;821887), which installs the Authorization Manager runtime ISA Server 2004 uses for its administrative roles (a SplitStream hotfix is one Microsoft distributes separately rather than in a service pack);
■ the L2TP/IPSec components, if L2TP/IPSec VPN connections are to be supported;
■ the RADIUS client components, if RADIUS authentication is to be used for VPN connections;
■ the network adapters installed and working, with the configuration described below.
Table 6.1 gives Microsoft's sizing guidance by Internet link bandwidth.

Table 6.1. Hardware sizing by throughput
Internet link: up to 7.5 Mbps | up to 25 Mbps | up to 45 Mbps
Processor: Pentium III 550 MHz, one processor | Pentium IV 2.0-3.0 GHz, one processor | Pentium IV 2.0-3.0 GHz, two processors (or hyper-threading)
Memory: 256 MB | 512 MB | 1 GB; add 256-512 MB on a Web caching server
Disk space (program, logs and cache): 150 MB | 2.5 GB | 5 GB
Network adapters: 10/100 Mbps | 10/100 Mbps | 100/1000 Mbps
Concurrent VPN connections: 150 | 700 | 850

Standard Edition supports up to 1000 concurrent VPN connections; beyond that, or for arrays of ISA Server 2004 computers, Enterprise Edition is required. Microsoft's detailed guidance is "Microsoft ISA Server 2004 Performance Best Practices", www.microsoft.com/technet/prodtechnol/isa/2004/plan/bestpractices.mspx.
The "network within a network" topology

ISA Server 2004 must know which addresses belong to its Internal network, and it must have a route to every one of them. The common mistake is the "network within a network" of Figure 6.1: the ISA Server 2004 Internal interface is on 192.168.1.0/24, and behind an internal router there is a second subnet, 192.168.2.0/24, whose hosts are also meant to be Internal clients.

Figure 6.1. Network within a network: 192.168.1.0/24 in front of the ISA Server 2004 Internal interface, 192.168.2.0/24 behind an internal router.

Two things are needed for the hosts on 192.168.2.0/24 to be treated as Internal:
■ the Internal network definition on ISA Server 2004 must include both 192.168.1.0/24 and 192.168.2.0/24; a packet from an address that is in no network definition is treated as spoofed and dropped, so hosts on an unlisted subnet are silently cut off;
■ the ISA Server 2004 computer needs a route to 192.168.2.0/24 through the internal router (192.168.2.1 in Figure 6.1), added with the ROUTE command, with netsh, or as a static route in RRAS (Routing and Remote Access Service) so that it survives restarts. Without the route, packets for 192.168.2.0/24 leave through the default gateway on the External interface.
The hosts on 192.168.2.0/24 in turn need a path to the Internet that ends at ISA Server 2004: their default gateway is the internal router, and the router's default gateway is the ISA Server 2004 Internal interface. The Internal interface of ISA Server 2004 itself has no default gateway; only the External interface does.

Getting the network definitions and the routing table right before installation saves a good deal of troubleshooting afterwards: spoofed-packet entries in the log are the symptom of a network that ISA Server 2004 does not know about.

DNS

Name resolution decides whether ISA Server 2004 works at all. The ISA Server 2004 computer itself must resolve Internet names (for Web proxy clients, for Firewall client name resolution and for its own rules) and internal names; the clients behind it must resolve the names of published servers to the right address depending on where they are.
The second DNS problem is the one of Figure 6.2. A Web server published through ISA Server 2004 is known to the Internet by an FQDN (Fully Qualified Domain Name), www.msfirewall.org, which public DNS resolves to the External address of ISA Server 2004; internal clients should reach the same server, by the same name, directly at its Internal address. If the internal clients use the public DNS, they get the External address and send their requests to the External interface of ISA Server 2004, which either fails or loops the request through the firewall needlessly; with SSL it also breaks certificate name matching if a different internal name is used instead.

Figure 6.2. Name resolution for www.msfirewall.org from the Internet and from the Internal network.

Figure 6.2 follows a request for www.msfirewall.org step by step (steps 1 to 6 in the figure): the DNS query the client sends, the address the DNS server returns, and the path the connection takes depending on whether the address was the ISA Server 2004 External interface or the Web server's Internal address. Only when the internal DNS server answers with the Internal address does the connection go straight to the Web server.

A split DNS infrastructure, in which the same zone exists on an internal DNS server with internal addresses and on a public DNS server with public addresses, solves this with no client configuration, because both sets of clients use the same names. Requirements:
■ an internal DNS server authoritative for the same zone name as the public one, holding internal addresses, used by all internal clients (typically assigned through DHCP);
■ a public DNS server authoritative for the zone on the Internet, holding only the names and public addresses that are actually published;
■ the internal DNS server able to resolve Internet names, by forwarding or recursion through ISA Server 2004 (a DNS access rule from the internal DNS server to the External network);
■ the ISA Server 2004 computer configured to use the internal DNS server only.
Never put the ISP's DNS server on the ISA Server 2004 computer alongside the internal one: Windows uses whichever answers first, and internal names then fail intermittently. Jim Harrison's article "Designing An ISA Server Solution on a Complex Network", http://isaserver.org/tutorials/Designing_An_ISA_Server_Solution_on_a_Complex_Network.html, covers the routing and DNS design of larger networks.
ISA ,
ISA, IP-
ISA, -
, DNS
NetBIOS-
,
,
. :
■ ISA; ■ ISA. . 6.2
IP-
6.3 ISA
.
. 6.2. _____________
___________
Microsoft Networks -
, ISA
-
Microsoft
Networks ,
, -
ISA (
)
(
ISA )
469
ISA . 6.2.
(
)
(TCP/IP) IP-
IP-
IP-
,
, ,
-
,
,
IP-
.
(
,
DMZ
-
),
-
-
ISA DNS-
DNS-
.
,
-
DNSISA .
DNS,
DNS-
-
-
DNSISA
. DNS-
DNS
, ISA IP-
WINS
DNS. VPN-
, -
NetBIOSWINS NetBIOS
/ NetBIOS TCP/IP
470
6 . 6.3. _____
Microsoft Networks -
, ISA
-
Microsoft Networks , , ISA (
) ISA ( )
(TCP/IP) IP-
IP, IP-
,
, .
-
,
DHCP, -
, . DHCP
. -
-
IPDMZ
(
,
ISA
-
-
), DNS-
DNS-
, .
DNS-
.
.
: -
IPDHCP, DNSISA
. DHCP
-
-
-
DHCP
471
ISA . 6.3. (
) ____ -
DNSDNS-
, .
. DNSISA ,
:
IP-
DHCP
-
DHCP, DNS-
-
ISA DNS WINS WINS NetBIOS
NetBIOS TCP/IP . :
IP-
DHCP-
-
DNSDHCP,
-
IPWindows,
-
,
.
,
, .
, , Network and dial-up connections ( ). (
), WAN (
). Rename ( .
)
DMZ (
LAN
, ).
: 1. My Network Places ( Properties (
) ).
472
2.
Network and Dial-up Connections ( Advanced ( ), Settings ( ). 3 Advanced Settings (
) Advanced ) (
Adapters and Bindings ( ,
, .
. 6. .
-
Advanced Settings (
4.
. 6.3) )
Connections ( ).
)
Advanced Settings (
OK ).
ISA ISA. msisaund.ini,
, ISA
. 6.4, ISA
,
-
. ISA
ISA
.
.
ISA
\FPC.
msisaund.ini . 6.4 msisaund.ini.
-
473
ISA Server 2004 , -
msisaund.ini
. 6.4. ______________________ PIDKEY INTERNALNETRANGES
____________________________________ . Msisaund.ini IP. . : N From1-To1,From2-To2,...,FromN-ToN, N — , and From1 To1
InstallDir « {Install_directory}
ISA Server. , . : . %Program Files%\Microsoft ISA Server , -
COMPANYNAME = Company_Name DONOTDELLOGS = {0|1}
1
,
-
.
-
0 DONOTDELCACHE = {0|1}
1
, .
ADDLOCAL = {MSFirewall_Management},{MSFirewall_Services},{Message_Screener},{Publish_Share_Directory},{MSDE}
ADDLOCAL = ALL
REMOVE = {MSFirewall_Management},{MSFirewall_Services},{Message_Screener},{Publish_Share_Directory},{MSDE}
IMPORT_CONFIG_FILE = Importfile.xml
0 (
-
(
. REMOVE = ALL
ISA : 1.
Msisaund.ini.
2.
: PathToISASetup\Setup.exe [/[X|R]] /V" /q[b|n] FULLPATHANSWERFILE=\"PathToINIFile\MSISAUND.INI\""
474
■
PathToISASetup (
ISA Server
ISA Server 2004 ,
ISA Server). /q[b|n] b
■
■
,
. -
.
,
.
/R /X PathToINIFile
.
. , . -
. ■ . ■ ISA Server 2000. INTERNALNETRANGES IP,
■
Msisaund.ini IP.
Server. ■
ISA
(Msisaund.ini)
FPC. ■ , UND.INI\"" Msisaund.ini, ■ , MSDE
-
CD\FPC\setup.exe /v" /qn FULLPATHANSWERFILE=\"G\ MSISAISA Server :\. MSDE Advanced logging ISA . .
ISA
RDP (Remote
. , Desktop Protocol, IP-
) , ISA. ISA
,
RDPISA.
-
ISA
ISA «
475
»
, ISA Server 2004 Ethernet) ,
(
Windows Server 2003.
Server 2003
«
» Windows
IP.
. ISA
1.
-
, ISA Server 2004
:
,
ISA Server 2004. ,
2.
isaautorun.exe . Microsoft Internet Security and Acceleration Server 2004 Review Release Notes ( ) . .
, . Read Setup and Feature Guide ( ). , . Install ISA Server 2004 ( ISA Server 2004). 3. Next ( ) Welcome to the Installation Wizard for Microsoft ISA Server 2004 ( Microsoft ISA Server 2004). 4. I accept the terms in the license agreement ( ) License Agreement ( ). Next ( ). 5. Customer Information ( ) User Name ( ) Organization ( ). Product Serial Num ber ( ). ISA, , ISA . . Next ( ).
476
6.
(
Setup
)(
. 6.4)
Custom ( ISA Server
). 2004
:,
Change ( .
), Typical (
-
) SMTP.
Complete ( ISA,
soft Internet Security and Acceleration Server 2004, SMTP .
. 6.4.
7.
Setup Type (
Custom Setup ( , Custom ( Firewall Services, ging —
)
Next (
Micro).
)
) (
. 6.5)
. ) ISA Server Management Advanced Logging. Advanced LogMSDE, . SMTP Message Screener,
,
SMTP-
. IIS 6.0
SMTP-
IIS 5.0
IIS, ISA. Next (
).
, Message Screener, ISA. SMTP ISA -
477
ISA
. 6.5.
Custom Setup (
8.
)
Internal Network ( (
)(
).
Add
, ISA Server 2004
LAT ISA Server 2000. , ISA. Active Directory, DNS.
. 6.6)
, DHCP-
, .
. 9.
,
, .
,
, Add (
,
From ( ). Select Network Adapter ( ISA ,
)
(
) , ).
. Adapter ( 10.
ISA. )( . 6.6). Configure Internal Network ( Add the following private ranges... ( ...). , ,
ISA.
, Select Network )
478
Add address ranges based on the Windows Routing Table ( Windows), . 6.7.
, . ,
.
-
OR You « (
. 6.6.
Internal Network Address (
)
. 6.7.
11.
Select Network Adapter (
OK ( . 6.8), routing table ( Windows).
,
)
Setup Message ( ) The Internal network was defined, based on the Windows -
ISA
. 6.8.
Setup Message (
12. ),
. 6.9. (
13. 14.
479
)
Internal network address ranges ( . 6.9-
-
Internal network address ranges )
Next (
) Internal Network ( ). Allow computers running earlier versions of Fire wall Client software to connect ( )( . 6.10), , Winsock Proxy (Proxy Server 2.0) ISA Server 2000. ISA Server 2000 ISA Server 2004. ISA 2004 ISA . ISA Server 2004 , ISA . Next ( ).
480
. 6.10. (
15.
Firewall Client Connection Settings )
Services (
)
ce ISA net Connection Sharing (ICF) / RRAS NAT), 16. ( 17. ) 18.
ISA
,
SNMP IIS Admin Servi . Internet Connection Firewall (ICF) / Inter IP Network Address Translation ( , . . ISA. ) Ready to Install the Program
Install ( ). Installation Wizard Completed ( Finish ( ). Yes ( ) Microsoft ISA Server ( . 6.11). , . , TCP/IP , TCP/IP 65 535, , .
You must restart your system for the configuration changes made to Microsoft ISA Server to take effect. Click Yes to restart now or No if you plan to restart later.
. 6.11.
,
ISA
481
19 . 20.
Start ( ). ISA Server Management (
)
All Programs ( Microsoft ISA Server ISA Server). Microsoft
Internet Security and Acceleration Server 2004, to Microsoft Internet Security and Acceleration Server 2004.
Welcome
ISA Windows XP ,
Windows Server 2003. , , Remote Management Computers (
).
ISA
:
■ ISAWRAP_*.log MSDE; ■ ISAMSDE_*.log
MSDE, Advanced Logging;
■ ISAFWSV_*.log ISA. , Advanced Logging ( , )
MSDE), Add/Remove Programs (
/
-
, . -
IAS, IAS.
,
IAS
ISA
Windows 2000.
ISA ISA
,
-
. missions), .
. 6.5 .
(Network Settings), ,
(User Per(Firewall Policy) :
482
■ ■
/
ISA;
ISA, ; VPN/VPN-Q
■ «
»;
■ NAT; ■
ISA. ISA
. 6.5.
.
ISA
, (Network Rules): . -
ISA «
»(
,
NAT, ). NAT VPN-
VPNNAT
.
.
-
,
.
VPN»
«
-
VPN-
.
,
VPN«
(
»
(Default Rule)) ISA
. ,
-
. , Web-
(Default Rule)
,
-
Web-
. Web-
. Web0.
. .
,
WebISA Server 2000 ,
ISA . 6.5. (
483
)
_______
____________________________
Web. Web-
-
. , Web-
ISA ISA —
,
.
/ ,
/ .
-
, ISA, — . . 6.6 ISA.
/ .
. 6.6.
ISA
/
/ __________________________________________
1.
,
ISA ? -
-
2,
ISA ,
-
LDAP, (UDP), GC (Global Catalog), LDAPS, LDAPS GC (Global Catalog) Microsoft Firewall Control, NetBIOS, NetBIOS, NetBIOS, ( )
___________________
-
-
-
-
-
(
.
.
.)
484
. 6.6.
(
)
/
/ _________________________________________
3.
,
RDP (
-
,
-
-
)
-
ISA. ISA RDP,
4. (
-
NetBIOS,
). ,
NetBIOS,
SQL-
NetBIOS RADIUS RADIUS Accounting
NetBIOS 5. -
-
RADIUS ISA Server -
RADIUS,
RADIUS -
6. ISA
Kerberos-Sec (TCP), Kerberos-Sec (UDP)
beros ISA Server -
,
-
DNS
7. DNSISA Server
, ISA DNS-
DHCP (
8. ISA DHCP,
DHCPISA Server
)
-
485
ISA . 6.6. (
)
/
/ _________________________________________
9. ISA
DHCP ( )
DHCPDHCPDHCP- DHCPISA , Server
-
Ping 10.
1
,
-
-
(PING)
-
ISA Server -
IP11.
ICMPISA Server
( ICMP,
-
-
ICMP, Ping
, ISA
)
ICMP 12. (
VPNISA Server
).
VPNISA VPN-
13- (
-
). «
-
- » ISA Server
IPSec
VPN« - » ISA VPN«
14. ( ).
- ISA Server
- -
-
»
-
IPSec
VPN« - >> ISA
(
.
.
.)
486 (
.
)
6.6. /
/
15.
ISA
-
CIFS ISA Server
, 16. (
). SQL ISA Server
,
-
Microsoft CIFS (TCP), Microsoft CIFS (UDP)
-
Microsoft SQL (TCP) Microsoft SQL (UDP)
-
SQL 17. HTTP/HTTPS ISA Server -
, ISA
HTTP, HTTPS
, -
-
-
Windows Update. , , ISA 18. (
).
HTTP/ HTTPS ISA Ser- ver -
HTTP, HTTPS
( )
HTTP/HTTPS 19. (
-
). , ISA
-
ISA Server
Microsoft CIFS (TCP), Microsoft CIFS (UDP), MaNetBIOS, NetBIOS, NetBIOS
-
487
ISA
. 6.6. (
)
/
/ ________________________________________
20. (
-
). ,
NetBIOS,
-
-
NetISA Server
-
ISA
BIOS,
NetBIOS
NetBIOS,
21. ,
NetBIOS ISA Server -
-
NetBIOS, NetBIOS RPC ( )
ISA 22.
-
RPC-
-
, ISA Server RPC
HTTP, HTTPS
23. ISA
Microsoft -
-
HTTP/HTTPS Microsoft ISA Server -
SecurID
-
-
Microsoft 24. ( -
).
SecurID ISA Server -
,
Microsoft Operations Manager Agent
SecurID
-
-
25. ( -
). ISA
, Server MOM (Micro soft Operations Ma nager, Microsoft) ISA
MOM
(
.
.
.)
488
(
)
6.6. /
/
26. (
HTTP ).
-
ISA
,
(
)
-
-Server ( ISA CRL CRL) ( , ISA SSL) NTP (UDP)
27. ,
NTP-
ISA Server
-
NTP-
NTP-
28.
SMTP
, ec-SMTPISA Server -
-
SMTP .
(Internal Destination) , SMTPISA 29. (
HTTP-
HTTP
). - ISA Server -
-
30.
-
, -
(
)
-
-
-
-
ISA
489
ISA
,
. 6.6. Firewall Policy ( Tasks ( System Policy Rules ( Hide System Policy Rules (
).
ISA ) Tasks (
,
,
)
Show ). ),
-
. ISA. , ISA
System Policy Editor.
ISA Edit System Policy ( ). ) ( . 6.12). General ( ) From ( ) Configuration Group ( ( ), From ( ) ( ) ISA.
. 6.12.
System Policy Editor (
, ) Tasks ( System Policy Editor ( ( ).
)
General ( ) /
)
490
ISA
. 6.7.
. ISA
-
,
IP-
, ISA
«
»(
NAT) . NAT VPN-
, VPN. NAT.
, .
VPN«
»
. VPN(Default Rule)
-
,
ISA Server
,
, . , Web-
,
(Default Rule)
,
-
Web0.
, .
Web. Web-
-
ISA
491
ISA ISA Server 2000 : ■ ■
; ISA Server 2000
«
» ISA Ser
ver 2004. ISA Server 2000 — ,
; ,
. -
: ■
ISA Server 2004
ISA Ser
ver 2000; ■
ISA ; ISA
■ ■ ■ ■
; ISA; ; ,
ISA ■ ■
;
WebISA; ISA Server 2000 ISA Server 2004
ISA Server 2000
. . ISA Server 2004, . ISA Server 2004 , ISA Server 2000,
-
ISA Server 2000.
, , ISA
,
ISA Server 2000. ISA Server 2000 Standard Edition ISA Server 2004 Standard Edition. ISA Server 2000 Enterprise Edition , ISA Server 2004 Standard Edition. B ISA Server 2004 Enterprise Edition , ISA Server 2000 Enterprise Edition ISA Server 2004 Enterprise Edition.
-
492
ISA (
ISA )
ISA . Proxy Server 2.0 . ISA Server 2004
,
ISA Server 2000
. ISA
, :
■ ■ ■ ■
; SecureNAT; ; , (Web-
■ VPN■ VPN■ IPv4 ■
HTTP, HTTPS
FTP,
-
-
); ; «
- -
»; (
); ,
HTTP.
ISA ,
, .
ISA , .
,
ISA ,
IP-
ISA . ISA
. ,
Web-
,
ISA . ISA :
-
ISA
1.
-
493
ISA Server 2004 ,
-
ISA Server 2004.
, isaautorun.exe
. 2.
Microsoft Internet Security and Acceleration Server 2004 Review Release Notes ( ) . .
, . Read Setup and Feature Guide ( ). , . Install ISA Server
2004 (
ISA Server 2004). Next ( ) Welcome to the Installation Wizard for Microsoft ISA Server 2004 ( Microsoft ISA Server 2004). 4. I accept the terms in the license agreement ( ) License Agreement ( ). Next ( ). 5. Customer Information ( ) User Name ( ) Organization ( ). Product Serial Num ber ( ). , , 3.
ISA
. ISA.
Next ( ). Setup Type ( ) ( ). 7. Custom Setup ( Services, Advanced Logging ISA Server Management 6.
WebISA,
Custom )
Firewall
,
,
.
ISA SecureNAT. .
—
ISA
. SMTP-
ISA
494
8.
9-
10.
11.
, . Next ( ). Internal Network ( ) Add ( ). Address Ranges for Internal Network ( ) Select Network Adapter ( )( . 6.13). Select Network Adapter ( ) Add the following private ranges ( ) Add address ranges based on the Windows Routing Table ( Windows) Add the following private ranges ( ) , ISA . . Setup Message ( ), , . ISA , IPIPv4 ( ) . , . ( . 6.13) IP, . .
. 6.13.
12.
ISA
Next (
)
Internal Network (
).
ISA
13-
Next (
)
Firewall Client Connection Settings ). -
( ,
495
ISA .
14. 15.
Next ( Install ( ).
( 16.
)
Services ( ). Ready to Install the Program
)
Invoke ISA Server Management when the wizard ISA Server Management Finish ( ).
closes ( ) ISA ,
-
, , .
ISA 7.
ISA ISA ISA. ,
, ISA
, , .
ISA
,
,
-
ISA. , .
-
, : ■ DNS-
Windows. DNS DHCP DHCP,
ISA. ISA
; ■ ■ ■
ISA Server 2004 Windows Server 2003 ; Windows Server 2003
Windows Server 2003;
,
. -
496
>; DSL
NAT-
»; DHCP-
■
ISA Server 2004 Windows Server 2003, ISA Server 2004,
■ Windows. ,
DHCP-
ISA
;
, ISA,
. , Windows ( ).
, Linux, Netware
. 6.14
ISA
.
,
, .
ISA ,
. 6.14.
, .
ISA Server 2004,
ISA : ■ ■
ISA; DNSDHCP-
■
ISA Server 2004; ISA Server 2004; ISA Server 2004;
SecureNAT
■
DHCP-
.
ISA
497
ISA ISA . ISA, IP-
■ ■ ■
: ; ISA; .
DNS-
IP-
DNSISA.
, ISA
DHCPIP-
IPISA . , ,
DNS-
-
,
. DHCP
,
DSL
. , (Point-to-Point Protocol over Ethernet, VPN,
«
-
»
Ethernet)
. :
■ ■
; .
IP-
, . .
ISA DNS-
.
ISA .
IP, Windows Server 2003
-
: 1.
My Network Places (
) Properties (
2.
Network Connections ( Properties (
).
)
).
498
3.
Properties ( ) Internet Protocol (TCP/IP) ( , TCP/IP) Properties ( ). 4. Internet Protocol (TCP/IP) Properties ( : , TCP/IP) Use the following IP address ( IP). IPIP address (IP). Subnet mask ( ). . 5. Use the following DNS server addresses ( DNS). IPISA Preferred DNS server ( DNS). , IP-address (IP) . 4. Internet Protocol (TCP/IP) Properties ( : , TCP/IP). 6. Properties ( ) . DNSISA IP-
DNS-
, -
.
DNS-
, . DNS, .
s DNS
Microsoft , ,
DNS-
DNS.
.
ISA .
17
ISA , . Windows.
-
ISA
499
IPISA,
:
1.
My Network Places (
) Properties (
2.
Network Connections ( Properties (
).
)
).
3.
Properties ( ) Internet Protocol (TCP/IP) ( , TCP/IP) Properties ( ). 4. Internet Protocol (TCP/IP) Properties ( , TCP/IP) Use the following IP address ( IP). IPIP address (IP). Subnet mask ( ). Default gateway ( — . 5. Properties ( ) .
:
).
DNSDNS-
. .
ISA Server 2004 , .
, Windows Server 2003: 1. My Network Places ( ) Properties ( ). 2. Network and Dial-up Connections ( ) Advanced ( ), Advanced Settings... ( ...). 3. Advanced Settings ( )( . 6.15) Connections ( ) Adapters and Bindings ( ). , , .
-
500
. 6.15.
Advanced Settings (
4.
OK
)
Advanced Settings (
).
DNSISA ISA
DNSISA .
,
,
. ISA
DNSDNSDNS-
. ,
, ,
ISA Server 2004 , DNSISA
DNS,
DNSDNS.
DNS DNSWindows . Windows Server 2003, DNS-
ISA.
Windows Server 2003 ,
Windows Server 2003:
DNS-
DNS
ISA
1.
Start (
),
Control Panel ( Add or Remove Programs (
) 2. 3.
4. 5. 6.
7. 8.
501
). Add or Remove Programs ( ) Add/Remove Windows Components ( Windows). Windows Components Wizard ( Win dows) Networking Services ( ) Components ( Windows). He ! Networking Services ( ), Details ( ). Networking Services ( ) Domain Name System (DNS) . Next ( ) Windows Components ( Windows). Insert Disk ( ). Files Needed ( ) i386 Windows Server 2003 Copy files from ( ) . Finish ( ) Completing the Windows Compo nents Wizard ( Windows). Add or Remove Programs ( ).
DNS DNS-
ISA ISA
ISA
DNS. DNS-
-
. DNSDNS; DNS-
DNSDNS — DNS DNS-
,
. DNS-
, .
. -
.
DNSDirectory,
, ISA DNS-
, DNSDNS-
. DNSISA Server 2004 .
Active
502
DNS Windows Server 2003 DNS
Windows Server 2003
-
: 1.
Start ( ).
(
)
Administrative Tools DNS.
2.
, View (
)
Advanced (
3. 4.
).
DNS. DNS
Properties ( ). ) Interfaces ( Only the following IP addresses ( IP, . IP, Remove ( ). Apply ( ). 6. Forwarders ( )( . 6.16). IPDNSSelected domain's forwarder IP address list ( IP), Add ( ). Do not use recursion for this domain (He ). DNSISA . , , . Apply ( ). 5.
Properties ( ). IP).
. 6.16.
Forwarders (
)
ISA
,
Forwarders (
503
DNS-
).
,
DNSISA . DNS-
,
,
7. 8.
, DNSISA.
Properties ( , (
)
Restart ( ,
All Tasks
Active Directory. DNS-
DNS-
). ).
, ,
-
,
DNS-cep-
. DNS-
Server
, Windows Server 2003.
. Active Directory
,
Windows 2000
9.
, DNS-
.
Reverse Lookup Zones ( ) New Zone ( ). 10. Next ( ) Welcome to the New Zone Wizard ( ). 11. Zone Type ( ) Stub zone ( ) Next ( ). 12. Network ID ( ID). Reverse Lookup Zone Name ( ) Network ID ( ID) , DNS( . 6.17). Next ( ). 13Zone File ( ) Next ( ). 14. Master DNS Servers ( DNS) IPDNSAdd ( ). Next ( ). 15. Finish ( ) Completing the New Zone Wizard ( ).
504
. 6.17.
] 6.
Reverse Lookup Zone Name (
)
. Forward Lookup Zones ( ) New Zone... ( ...). Next ( ) Welcome to the New Zone Wizard ). Zone Type ( ) Stub zone ( ) Next ( ). Zone name ( ) Zone name ( ). Next ( ). Zone File ( )( . 6.18) Next ( ).
17. ( 18. 19. 20.
. 6.18.
Zone File (
)
ISA
21.
Master DNS Servers ( Next (
DNSAdd (
)
505
IP-
DNS-
).
).
22.
Finish (
)
Completing the New Zone Wizard
(
).
23.
; All Tasks ( (
)
Restart
).
DNS
DNSDNS,
DNS-cepISA Server 2004 -
DNSDNS. ,
DNS
DNSDNS-
DNSISA Server 2004,
. DNS-
DNSISA Server 2004 IPDNS-
DNS,
,
. DNS-
, DNS-
,
ISA .
DNS-
,
.
DNS-
,
DNS-
-
ISA
: 1. ( 2.
Start ( ) ) DNS Management (
Properties ( ). 3. Properties ( ) ( )( . 6.19). 4. Forwarders ( ) ISA Server 2004 address list ( IPAdd ( ). 5. IP( . 6.19).
Administrative tools DNS. DNS-
)
Forwarders IPSelected domain's forwarder IP ). ISA Server 2004
506
. 6.19.
Forwarders (
6.
)
Do not use recursion for this domain (He )( . 6.20). , ISA .
DNS-
. 6.20.
,
DNS-
. DNS-
DNS-
, ISA.
,
.
DHCPISA IP-
, . ISA, .
IPISA ,
DHCP-
, .
.
DHCPDHCP-
507
ISA
, DHCP , DHCP-
2004
DHCPDHCP-
. , ISA Server
.
DHCP DHCPServer 2003. Windows 2000 Server
Windows 2000 Server
Windows
DHCPWindows Server 2003.
DHCP-
Windows Server 2003
DNS-
Windows Server 2003,
: 1.
Start ( ), Control Panel ( ) Add or Remove Programs ( ). 2. Add or Remove Programs ( ) Add/Remove Windows Components ( / Windows). 3. Windows Components Wizard ( Win dows) Networking Services ( ) Components ( Windows). He ! Networking Services ( ) Details... ( ...). 4. Networking Services ( )( . 6.21) Dynamic Host Configuration Protocol (DHCP) OK
. 6.21.
Networking Services (
)
-
508
5.
Next ( ) Windows). 6. Finish ( ) nents Wizard ( 7. Add or Remove Programs (
Windows Components ( Completing the Windows Compo Windows). ).
DHCP DHCP-
IP-
,
. DHCP,
IP,
DNS-cep-
. DNS-
,
,
IP-
ISA. DHCPDHCP,
. DHCP, IP-
.
DHCP.
, IP-
,
,
,
Web-
. ,
, IP, ,
,
,
(bad address group). , IP-
.
, ,
IP-
.
DHCP-
Windows Server 2003 IP-
,
DHCPISA. DHCP-
Start ( ).
.
)
Administrative Tools DHCP. DHCP. New Scope (
).
, -
ISA, DHCP-
2.
-
: DHCP-
(
-
,
,
1.
.
DHCP-
ISA
3.
Next (
( 4. ( 5.
6.
7. 8.
)
Welcome to the New Scope Wizard ). SecureNAT Client Scope ( SecureNAT) Name ( ) Scope Name ( ). Next ). IP Address Range ( ) IPIPStart IP address ( IP) End IP address ( IP). , 192.168.1.0 255.255.255.0 IP192.168.1.1, IP192.168.1.254. Next ( ). Add Exclusions ( ) IPISA Start IP address ( IP) Add ( ). IP, , . Next ( ), , DHCP. Lease Duration ( ) Next ( ). Configuring DHCP Options ( DHCP)
Yes, I want to configure these options now ( ) 9.
509
Router (
Next ( , ISA
,
). ) Add (
IP-
). Next ( ). 10. Domain Name and DNS Servers ( DNS) IPISA IP address (IP) Add ( ). Active Directory, Parent domain ( ). Parent domain ( ), Active Directory. Next ( ). 11. WINS Servers (WINS), WINS. WINS, IPIP address (IP). Next ( ). 12. Yes, I want to activate this scope now ( , ) Activate Scope ( ) Yes ( ). 13Finish ( ) Completing the New Scope Wizard ( ).
510
ISA Server 2004 ISA. ISA Windows Server 2003 : 1.
, -
-
ISA Server 2004
,
ISA Server 2004. ,
2.
3. 4.
5.
6.
7.
isaautorun.exe . Microsoft Internet Security and Acceleration Server 2004 Review Release Notes ( ) . . Read Setup and Feature Guide ( ). , . Install ISA Server 2004 ( ISA Server 2004). Next ( ) Welcome to the Installation Wizard for Microsoft ISA Server 2004 ( Microsoft ISA Server 2004). I accept the terms in the license agreement ( ) License Agreement ( ). Next ( ). Customer Information ( ) User Name ( ) Organization ( ). Product Serial Number ( ). Next ( ). Setup Type ( ) Custom ( ). ISA :, Change ( ), . Next ( ). Custom Setup ( ) . Firewall Services, Advanced Logging ISA Server Management. SMTP(Message Screener), , , , . Message Screener, SMTPIIS 6.0 ISA Server 2004. -
ISA
511
Firewall Client Installation Share, . Firewall Client Installation Share
This feature, and all subfeatures, will be installed on the local hard drive ( )(
. 6.22).
-
, . 5.
. 6.22.
8.
Next (
Custom Setup (
).
)
Internal Network ( ). Address Table),
)
Add ( (LAT, Local ISA Server 2000. ,
ISA. Active Directory, DNS, DHCP,
.
. 9.
Internal Network ( ) Select Net work Adapter ( ). 10. Configure Internal Network ( ) Add the following private ranges... ( ...). Add address ranges based on the Windows Routing Table ( Windows) ( . 6.23). , . -
512
, .
-
.
. 6.23.
Select Network Adapter (
11.
)
OK
, Windows. Internal network address ranges (
12. ). 13. 14.
Next (
)
Internal Network ( ). Allow computers running earlier versions of Firewall Client software to connect ( ). ISA. ISA Server 2000)
(
Proxy 2.0
. ISA
ISA 15.
. Services (
)
Next ( ). , SNMP IIS Admin Service . ISA Internet Connection Firewall (ICF)/Internet IP Network Address Translation,
Server 2004 Connection Sharing (ICF) / , . . ISA Server 2004. 16. Install ( ) ( ). 17. Installation Wizard Completed ( ) Finish ( ).
Ready to Install the Program
_____________________ 18.
Yes (
ISA
)
513
Microsoft ISA Server,
,
.
19. 20.
Start ( ).
. All Programs ( ISA Server
) Microsoft ISA Server
Management. Acceleration Server 2004, Security and Acceleration Server 2004.
Microsoft Internet Security and Welcome to Microsoft Internet
ISA ISA. : ,
DHCPISA;
■
,
ISA
DHCP-
; ■
,
DNSDNSDNS-
ISA ■
.
, ;
,
DNSISA.
,
DNSISA , «
■
DNS-
;
», .
. 6.8-6.12 . 6.8.
. DHCP-
D
HCP Request to Server (
DHCP (
-
) _________ _
)
DHCP-
DHCP,
DHCPISA
51 4
____________________________ . 6.9.
DHCP________________ DHCP Reply from Server (DHCP-
DHCP (
)____________
)
DHCP-
DHCPDHCP-
. 6.10.
ISA DNS-
________________ Internal DNS Server to Forwarder ( _________________________ DNS-
DNS DNS-
(DNS))
'
DNS(DNS) ISA Server 2004. , '
DNS-
. . 6.11. ________________________
DNSInternal Network to DNS Server ( DNS-
DNS
) _______________________
515
ISA . 6.11. (
) Internal Network to DNS Server ( DNS-
) ____________
DNSISA.
, DNS-
DNS-
, DNS. 6.12.
«All Open» Open («
»)
,« ,
»,
-
. ISA
, , .
ISA , /
,
, ISA
-
.
, DHCP-
, DHCP-
.
«DHCP Request to Server»
«DHCP Request to Server» (DHCP-
),
:
1.
Microsoft Internet Security and Acceleration Server Firewall Policy (
2004 ).
-
516
Firewall Policy (
) Tasks ( Create a New Access Rule (
).
-
). Welcome to the New Access Rule Wizard ( ) DHCP Request to Server (DHCP) Access Rule name ( ). Next ( ). 4. Rule Action ( ) Allow ( ) Next ( ). 5. Protocols ( ) Selected protocols ( ) This rule applies to ( ) Add ( ). 6. Add Protocols ( )( . 6.24) Infrastructure ( ). DHCP (request) (DHCP, ) Close ( ).
3.
. 6.24.
7. 8. 9-
10.
Add Protocols (
)
Next ( ) Protocols ( ). Access Rule Sources ( ) Add ( ). Add Network Entities ( ) Computer Sets ( ). Anywhere ( ) Close ( ). Next ( ) Access Rule Sources ( ).
ISA
11.
Access Rule Destinations ( ) ). Add Network Entities ( ) Networks ( ) Local Host ( ). Close ( ). Next ( ) Access Rule Destinations ( ). User Sets ( ) All Users ( ) , Next ( ). Completing the New Access Rule Wizard ( ) Finish ( ).
517
Add (
12.
1314. 15.
-
«DHCP Reply from Server»
1. 2004 2. ( Rule ( 3.
4. 5.
6.
7. 8. 9.
«DHCP Reply from Server» (DHCP) : Microsoft Internet Security and Acceleration Server Firewall Policy ( ). Firewall Policy ( ) .
)
Tasks Create a New Access
). Welcome to the New Access Rule Wizard ( ) DHCP Reply from Server (DHCP) Access Rule name ( ). Next ( ). Rule Action ( ) Allow ( ) Next ( ). Protocols ( ) Selected protocols ( ) This rule applies to ( ) Add ( )( . 6.25). Add Protocols ( ) Infrastructure ( ). DHCP (reply) (DHCP, ) Close ( ). Next ( ) Protocols ( ). Access Rule Sources ( ) Add ( ). Add Network Entities ( ) Networks ( ). Local Host ( ) Close ( ).
518
. 6.25.
Protocols (
)
10.
Next ( ) Access Rule Sources ( ). 11. Access Rule Destinations ( Add ( ). 12. Add Network Entities ( ) Networks ( ) ( ). Close ( ). 13. Next ( ) Access Rule Destinations ). 14. User Sets ( ) (All Users ( )) Next ( 15. Completing the New Access Rule Wizard ( ) Finish ( ).
)
Internal (
).
«Internal DNS Server to DNS Forwarder»
DNS1. 2004 2.
«Internal DNS Server to DNS Forwarder» ( DNS) : Microsoft Internet Security and Acceleration Server Firewall Policy (
). Firewall Policy ( ( ) . Access Rule (
) ).
Tasks Create a New
ISA
519
3.
Welcome to the New Access Rule Wizard ( ) Internal DNS Server to DNS Forwarder ( DNSDNS) Access Rule name ( ). Next ( ). 4. Rule Action ( ) Allow ( ) Next ( ). 5. Protocols ( ) Selected protocols ( ) This rule applies to ( ) Add ( ). 6. Add Protocols ( ) Infrastructure ( ). DNS Close ( ). Next ( ) ). Protocols ( ). 8. Access Rule Sources ( ) Add ( ). 9. Add Network Entities ( ) ( . 6.26) New ( ), Computer ( ).
. 6.26.
10.
(IP-
( 12. 1314.
)
New Computer Rule Element ( Internal DNS Server ( DNS) ). 10.0.0.2 Computer IP Address ). . Add Network Entities ( ) ( . 6.27) Computers ( ) Internal DNS Server ( DNS). Close ). Next ( ) Access Rule Sources ( ). Add ( ) Access Rule Destinations ( ). Add Network Entities ( ) Networks ( ) Local Host ( ). Close ( ). ) Name (
11.
Computer (
520
. 6.27.
15.
Computer (
)
Next ( ) Access Rule Destinations ( ). User Sets ( ) All Users ( ) Next ( ). Completing the New Access Rule Wizard ( ) Finish ( ).
16. 17.
-
«Internal Network to DNS Server»
DNS1. 2004 2. ( Rule ( 3.
). 4.
)
«Internal Network to DNS Server» ( : Microsoft Internet Security and Acceleration Server Firewall Policy (
). Firewall Policy ( ) .
)
Tasks Create a New Access
). Welcome to the New Access Rule Wizard ( ) Internal Network to DNS Server ( DNS) Access Rule name ( Next ( ). Rule Action ( ) Allow ( Next ( ).
)
ISA
5.
Protocols (
) )
( )
521
Selected protocols This rule applies to ( ). ) ). DNS
Add ( Add Protocols ( Common Protocols ( Close ( ). 7. Next ( ) Protocols ( ). 8. Access Rule Sources ( ) Add ( ). 9Add Network Entities ( ) Networks ( ). Internal ( ) Close ( ). 10. Next ( ) Access Rule Sources ( ). 11. Add ( ) Access Rule Destinations ( ). 12. Add Network Entities ( ) Networks ( ) Local Host ( ). Close ( ). 13. Next ( ) Access Rule Destinations ( ). 14. User Sets ( ) All Users ( ) Next ( ). 15. Completing the New Access Rule Wizard ( ) Finish ( ). 6.
»
1. 2004 2. ( Rule (
-
Open»
«All Open» ( ) : Microsoft Internet Security and Acceleration Server Firewall Policy ( ). Firewall Policy ( ) .
)
). Welcome to the New Access Rule Wizard ( ) All Open ( Access Rule name ( ). 4. Rule Action ( ) Next ( ).
Tasks Create a New Access
3.
) Next ( Allow (
). )
522
5.
Protocols (
)
All outbound traffic ( This rule applies to ( ). Protocols ( ). )
) )
Next ( Next ( ) Access Rule Sources ( Add ( ). Add Network Entities ( ) Networks ( ). Internal ( Close ( ). Next ( ) Access Rule Sources ( ). Add ( ) Access Rule Destinations ( ). Add Network Entities ( ) Networks ( ) External ( Close ( ). Next ( ) Access Rule Destinations ( ). User Sets ( ) All Users ( ) Next ( ). Completing the New Access Rule Wizard ( ) Finish ( ).
6. 7. 8. ) 9. 10. U.
12. 13. 14.
,
).
. 6.28.
. ,
,
,
-
.
. 6.28.
SecureNAT ISA Server. SecureNAT —
,
ISA
IP-
523
, IP-
ISA Server 2004. ,
DHCP
ISA, IPDHCP-
ISA. ISA.
,
, , ISA Server 2004,
,
. , .
« SOHO
»
IP-
.
-
. ISA
,
-
.
DHCPDHCP, DHCP-
.
IPDHCP. Windows 2000 (Server Professional) Windows. DHCP,
: 1. 2. 3.
4.
5.
My Network Places ( ) Properties ( ). Network Connections ( ) Properties ( ). Properties ( ) Internet Protocol (TCP/IP) ( , TCP/IP) Properties ( ). Internet Protocol (TCP/IP) Properties ( TCP/IP) ( . 6.29) Obtain an IP-address automatically ( IP). Use the following DNS server addresses ( DNS). IPPreferred DNS server ( DNS). Internet Protocol (TCP/IP) Properties ( TCP/IP).
524
526
__________________________________________________________
■ ISA.
ISA . ;
■
ISA.
ISA . ,
ISA
,
;
■
ISA. He ISA
. ISA
, ISA;
■
ISA.
ISA
, ISA.
ISA.
ISA ISA Server 2000 ,
-
ISA.
ISA
,
,
Hardening Templates
. , ISA Server 2000
System .
ISA
. ISA
.
. 6.13 ISA Server,
-
, . -
,
Windows, ISA. ISA,
-
. . 6.13.
,
____________ + Event System ( +) Cryptographic Services ( ) (
ISA ______________________
)
ISA . 6.13. (
Event Log ( IPSec Services (
527
)
) IPSec) (
)
Logical Disk Manager ( ) Logical Disk ( Manager Administrative Service ( ( ) Microsoft Firewall ( Microsoft) Microsoft ISA Server Control ( ISA Server Microsoft) Microsoft ISA Server Job Scheduler ( ISA Server Microsoft) Microsoft ISA Server Storage ( ISA Server Microsoft) MSSQL$MSFW
) )
ISA Server ISA Server ISA Server
ISA Server ,
Network Connections ( ) NTLM Security Support Provider ( NTLM) Plug and Play Protected Storage ( ) Remote Access Connection Manager ( ) Remote Procedure Call ( (RPC)) Secondary Logon ( ) Security Accounts Manager ( )
ISA Server MSDE
(
)
(
)
(
) ISA Server
(
)
(
.
.
.)
528
. 6.13. (
Server (
)
) ISA Server ( )'
Smart Card (
-
) (
)
SQLAgent$MSFW
,
ISA Server MSDE ( Advanced Logging
)
System Event Notification (
)
Telephony (
) ISA Server
Virtual Disk Service ( ( ) Windows Management Instrumentation ( WMI Performance Adapter ( WMI)
) (WMI) Windows (WMI)) (WMI)
"
: ■
ISA ;
■
(VPN) ISA Server.
,
, (Extensible
Authentication Protocol,
)
VPN;
■ •
; , , ( VPN-
—« ,
». ISA Server Microsoft Internet Security and Acceleration Server 2004) « - ». VPN.
ISA , . .
. 6.14
,
ISA one-
529
ISA
ISA. ISA,
,
-
,
.
,
. 6.14. ISA
_____
Windows Installer Win-
- Microsoft .
,
dows Installer
-
ISA
-
MS Software Shadow Copy Provider
-
Volume Shadow ( )
-
Removable Storage Service ( -
NTBackup ISA NTBackup ISA NTBackup ISA
) Error - Reporting Service (
, Windows,
-
)
Microsoft ABTD
Help and Support , ,
-( ) Microsoft Server (
,
) ISA
SMB/CIFS
(
.
.
.)
530
. 6.14. (
) ____
______
- MSSQL$MSFW MSDE. ,
MSDE SQL
.
(Event Viewer).
Advanced logging ISA ,
-
ISA Server (
Performance Logs and Alerts ( )
ISA) -
Workstation (
)
Windows ( ISA)
Windows
- Server (
)
Windows ( Windows
Remote Registry (
ISA)
)
ISA NTP. Windows Time ( Windows) ( ISA)
Remote Desktop Help Session Manager ( ) Terminal Services (
)
ISA
531
ISA ,
,
ISA
-
, . ISA,
. 6.15 ,
,
,
-
. WUS
SUS
. . 6.15.
,
ISA
,
-
-
Microsoft Windows ,
Background Intelligent Transfer Service ( Microsoft
Windows DHCP
DNS
, ISA Server IP-
_____ Automatic Updates ( )
) DHCP Client (DHCP-
)
DHCP, ISA Server
, ISA Server
,
DNS Client (DNS)
Network location awareness (NLA) ( ) Net logon ( )
ISA Server , ISA Server
Windows Time ( Windows)
(
.
.
.)
532
. 6.15. (
)
_____________________________________________ ________________ , TCP/IP NetBIOS DNS ISA Server Helper ( NetBIOS Windows. TCP/IP) , ISA Server ;
Microsoft
, ISA Server
Workstation (
)
Windows. , ISA Server ;
WINS
, ISA Server
TCP/IP NetBIOS - Helper ( WINS NetBIOS TCP/IP)
ISA, Windows (.inf).
-
www.isaserver.org ,
.
ISA ISA. ,
-
ISA
. ISA:
■ ISA Server Basic Monitoring ( ■ ISA Server Extended Monitoring ( ■ ISA Server Full Administrator ( . 6.16
ISA Server); ISA Server); ISA Server). .
ISA . 6.16.
533
ISA
_______________
____________________________________________________
ISA Server Basic Monitoring
,
ISA Server Extended Monitoring
,
, ISA Server
-
,
,
-
, ,
,
ISA Server Full Administrator
,
, ISA Server,
-
, , , SAM (Security Account Manager, ISA, Active Directory . ISA . , ISA Server ISA Server; Performance Monitors User Windows Server 2003. ISA Server
) ISA
, ,
-
(PerfMon)
.
. 6.17
, .
,
. 6.17. ISA
_____________________ ______________________________ Basic Monitoring Extended Monitoring Full Administrator
XX ,
X
, X
VPN
X X
X X
X
X
X X
X X
X
X X X X
534
Extended Monitoring (
) ,
.
,
-
. , 1.
Start ( ), Management.
2.
3.
4. 5.
6. 7.
8. 9.
), Microsoft ISA Server
: All Programs ( ISA Server
Microsoft Internet Security and Acceleration Server 2004. Define Administrative Roles ( ) Tasks ( ). Welcome to the ISA Server Administration Delegation Wizard ( ISA Server) Next ( ). Delegate Control ( ) Add ( ). Group (recommended) or User ( ( ) ) , . Role ( ) . . Next ( ) Delegate Control ( ). Finish ( ) Completing the Administration Delegation Wizard ( ). Apply ( ), . Apply New Configuration ( ).
ISA , ISA
, , . :
■ ,
-
-
, ,
ISA
535
, ; ■
. ,
-
ISA
.
ISA (Packet Filter Engine)
1.
: ISA (fweng) .
2. (
).
, .
, DNS.
DNS,
.
, .
3.
ISA ,
, .
. DHCP, DHCP-
DHCP( (
,
UDP 67) UDP 68)
.
4. VPNISA. VPN-
«
- -
»
.
5. ISA. 6. ISA Server
.
ISA
, . ISA
,
, ISA. Blaster.
Web, Web-
.
-
536
,
Web-
,
. UDP, ICMP
Raw IP
-
, .
TCP-
.
,
-
,
. . ISA
ISA
Server. TCP-
1000
160
.
TCP-
160
.
,
,
.
,
,
,
. ,
IP-
. , : Start ( ), Microsoft ISA Server
1.
All Programs (
), ISA Server
Management. 2.
Microsoft Internet Security and Acceleration Server 2004 Configuration ( ). General ( ). 3. Define Connection Limits ( ) Details ( ). 4. Connection Limit ( )( . 6.32) Limit the number of connections ( !) ). Connections created per second ( , ), ( TCP) Connections created per rule (non-TCP) ( TCP, ) ( TCP) Connections limit per client (TCP and non-TCP) ( TCP ). , . Add ( ) Computer Set ( -
537
ISA . 6.32.
Connection Limits (
),
)
Customer connection limit ( ).
-
,
-
. .
1000 .
■ ■
,
.
, : Connection Denied ( : FWX_E_RULE_QUOTA_EXCEEDED_DROPPED.
:
,
UDP ,
);
. (spoofed)
-
IP
. ,
:
■
,
ISA,
, .
;
■
IP,
, ,
IP-
■
; IP-
,
. ,
ISA
.
538
,
-
. ISA IP-
,
ISA
, ,
. UDP
IP,
-
,
. UDP, ICMP
Raw IP
.
IP-
.
-
, ,
.
TCP-
-
. TCP,
SMTP,
SMTP.
(Raw IP
-
UDP) ,
.
DHCP DHCPISA, IP-
DHCP-
DSL-
.
DHCP IP-
,
-
IP. (spoofing attack)
DHCP.
, .
,
ISA -
DHCP, . DHCP:
HKLM\SYSTEM\CurrentControlSet\Services\Fweng\Parameters\DhcpAdapters\
( 1. 2. 3.
. ISA. -
.
6.33)
:
539
ISA
4. 5.
ISA Server. .
. 6.33.
DHCP
ISA
-
DHCP, (Fig. 6.34):
1. «Hardware» ( ).
2.
3.
4.

Fig. 6.34.
In the DHCP frame, «Client Ethernet Address» (the Ethernet address) identifies the ISA firewall, and «Your IP-Address» (the IP address) is the address assigned to it. The DHCP client and the DHCP server ( ISA).
,
,
Fig. 6.35.
DHCP: the «Renew DHCP addresses» option on the ISA firewall (Fig. 6.36). Click Renew DHCP Addresses, then Yes in the Renew DHCP Addresses dialog (DHCP). This corresponds to ipconfig /renew.

Fig. 6.36. Renew DHCP Addresses (DHCP)
-
, (
).
,
, . DHCP-
DHCP :
-
ISA
1.
DHCP-
,
.
,
,
,
,
. 2. DHCP-
.
,
ISA
, -
(
), ISA
-
.
Renew DHCP Addresses ( DHCP. DHCP-
DHCP), . ,
ISA.
, ISA. . , ISA.
-
,
ISA 0
, ISA,
-
.
ISA . 0
DNS
,
. 0
DNS
ISA
,
-
. 0 ISA
-
,
. 0
MSDE ISA.
.
ISA « 0
» ISA
SMTP-
,
ISA IIS SMTP.
0
, ISA,
Active Directory, DNS, DHCP
. , ISA 2004. 0
ISA, ISA
.
ISA (
)
, -
ISA, ,
.
0
(
)
-
NAT. 0
Web-
.
,
-
.
0
.
ISA 0
,
0 ISA Server 2000 Standard Edition upgrades to ISA Server 2004 Standard Edition, and ISA Server 2000 Enterprise Edition upgrades to ISA Server 2004 Enterprise Edition.
ISA 0
ISA
0
. ISA
Proxy
Server 2.0. 0
ISA HTTP, HTTPS FTP.
0 SecureNAT.
ISA 0 ISA
.
0 ISA.
,
-
,
ISA.
ISA , ,
-
ISA. ,
-
ISA. ISA,
, .
, . www.syngress.com/solutions («Ask the Author»). ITFAQnet.com. :
, ISA
:
.
?
ISA ,
IP-
. -
IPv4 ( )
. , .
ISA
-
, . :
DNSISA
DHCPDNS-
ISA? DHCP,
: .
.
ISA
DNS-
DHCP-
.
-
ISA ,
. DNSISA.
:
DHCP-
,
ISA Server 2000 .
-
ISA Server 2004
?
:
,
-
. .
ISA Server 2000, ISA. ! ISA,
, ISA Server 2004,
ISA Server 2000 ISA Server 2004.
:
, ?
-
, ?
:
, .
-
ISA .
.
ISA .
, ,
ISA
:
. DNS? (
-
.local). :
DNS ,
, .
DNS ,
, .
,
domain.local, domain.com.
,
domain.com,
-
, WebISA. , com, ISA, owa.domain.com
-
, ,
owa.domain,
DNS , OWA.
ISA
:
. ?
:
.
,
IP-
,
,
, -
ISA. ISA
,
ISA .
-
,
, ISA
.
ISA Server 2004 : ISA ISA
DMZ
ISA
ISA: Web Publishing Rules, Server Publishing Rules and Access Rules. Web Publishing Rules and Server Publishing Rules control inbound access; Access Rules control outbound access.
) -
-
ISA ISA Server 2000. , ISA Server 2000 Address Table, LAT) . , LAT. «
, ) ISA Server 2000,
(
ISA ,
»
(Local
. Web,
, ISA,
,
-
, ,
ISA. .
— , (Network Address Translation, NAT), ,
NAT.
, (internal network)
.
, ,
-
, . -
,
-
,
NAT. -
,
.
DMZ
,
, ,
,
-
. DMZ
, .
-
ISA — .
(Access Policy)
ISA
ISA Server 2004
-
-
-
, -
. .
— ISA
.
ISA. ISA».
back)
«
ISA
(looping
. ISA
, ,
,
,
.
. (NAT)
, -
-
-
,
.
,
,
. .
IP-
(
,
) .
ISA
-
,
-
,
,
.
ISA
,
,
,
, ,
-
.
,
-
-
.
,
,
ISA -
ISA
. ,
ISA
-
,
.
-
ISA (
, rule),
).
ISA
. , ,
.
(Allow -
, : ■ ■ ■
; (
, ;
);
■
(
,
,
, URL-
); ■ ■
; (content groups). ,
. ,
-
ISA . ,
(Last Default rule). ISA.
,
, ,
,
NAT-
.
- -
ISA
(
Web(
Web (Web chaining rules) )
) SecureNAT ( ).
Web ISA.
Web-
Web-
,
(upstream) Web-
. SecureNAT (upstream)
Web-
, ISA
ISA. Web-
. , card, NIC):
-
ISA , «All Open» (
.
—
(network interface . ), -
ISA Server 2004
■
, )
(
■
ISA: (
-
-
);
, . (NAT)
,
-
,
. (
) — public addresses —
( ).
-
ISA (Policy Elements). ISA Server ». ,
ISA «
2000 — (New Access Rule Wizard). ISA Server 2000, , , .
,
ISA ■ ■ ■ ■ ■
:
; ; ; ; .
ISA
, Web-
,
-
. , (New Protocol Wizard) , .
. ,
, ,
.
.
Web-
ISA. -
SecureNAT
, Web-npo-
,
HTTP
Web-
.
. .
■ TCP (Transmission Control Protocol), UDP (User Datagram Protocol), ICMP (Internet Control Message Protocol) and IP (Internet Protocol). For ICMP, the ICMP type and ICMP code are also specified; ICMP and IP are handled by the same kind of filter.
■ Direction: for UDP, Send, Receive, Send Receive or Receive Send; for TCP, Inbound or Outbound; for ICMP and IP, Send or Receive.
■ Port (TCP and UDP): 1 to 65535. For ICMP and IP the protocol number is used instead; for example, GRE (Generic Routing Encapsulation) is IP protocol 47. For ICMP, the ICMP type and code.
■ Primary connections (inbound or outbound) and secondary connections.
(primary)
IP-
IP-
.
(Internet Protocol addresses) .
-
, (authentication protocol). — .
(credentials).
Web-
ISA Server 2004
ISA (User Set),
,
,
». ISA. Windows, RADIUS (Remote Authentication Dial-In User Service) and SecurID («RADIUS» and «SecurID»).
, . ISA .
■
(All Authenticated Users) ,
.
,
, . . VPN-
SecureNAT , SecureNAT (Virtual Private Network, VPNISA, VPNSecureNAT. ISA, VPN .
). SecureNAT VPN■
(
,
Users) ,
,
, ,
. ISA, .
Microsoft
Internet Security and Acceleration Server 2004 ( )—
Sessions ( . (System and Network Service)
■
ISA. .
MIME (Multipurpose Internet Mail Extensions, ) . ,
HTTP ,
. -
, ,
. HTTP-
(tunneled) FTPFTP,
Web-
, FTP-
ISA.
. ,
,
ISA, .
ISA
,
-
,
-
,
. , .
, ISA
,
ISA, Web-
).
Web-
ISA
MIME-
- (
WebWeb-
(
HTTP)
(
,
Web-
).
ISA
-
,
, .
,
-
ISA , ,
. MIME-
,
.
, ,
Director :
-
( *) application/*.
.
MIME-
■ .dir;
■ .dxr;
■ ;
■ application/x-director.
MIME, -
MIME-
. .
MIME-
(/).
ISA :
■ Application ( );
■ Application data files ( );
■ Audio ( );
■ Compressed files ( );
■ Documents ( );
■ HTML documents (HTML);
■ Images ( );
■ Macro documents ( );
■ Text ( );
■ Video ( );
■ VRML (Virtual Reality Modeling Language, ).
MIME-
,
.
MIME, Web-
Web-
MIME-
,
. MIMEMIMEWeb-
.
. 7.1.
,
, .
, MIME-
Network Monitor ( WebMIME-
, , Web, ,
-
,
-
, Web,
,
). HTTPWeb-
,
.
, (Internet Information Services, IIS).
Table 7.1. MIME types registered in IIS (extension, MIME type)

.hta        application/hta
.isp        application/x-internet-signup
.crd        application/x-mscardfile
.pmc        application/x-perfmon
.spc        application/x-pkcs7-certificates
.sv4crc     application/x-sv4crc
.bin        application/octet-stream
.clp        application/x-msclip
.mny        application/x-msmoney
.p7r        application/x-pkcs7-certreqresp
.evy        application/envoy
.p7s        application/pkcs7-signature
.eps        application/postscript
.setreg     application/set-registration-initiation
.xlm        application/vnd.ms-excel
.cpio       application/x-cpio
.dvi        application/x-dvi
.p7b        application/x-pkcs7-certificates
.doc        application/msword
.dot        application/msword
.p7c        application/pkcs7-mime
.ps         application/postscript
.wps        application/vnd.ms-works
.csh        application/x-csh
.iii        application/x-iphone
.pmw        application/x-perfmon
.man        application/x-troff-man
.hdf        application/x-hdf
.mvb        application/x-msmediaview
.texi       application/x-texinfo
.setpay     application/set-payment-initiation
.stl        application/vnd.ms-pkistl
.mdb        application/x-msaccess
.oda        application/oda
.hlp        application/winhlp
.nc         application/x-netcdf
.sh         application/x-sh
.shar       application/x-shar
.tcl        application/x-tcl
.ms         application/x-troff-ms
.ods        application/oleobject
.axs        application/olescript
.xla        application/vnd.ms-excel
.mpp        application/vnd.ms-project
.dir        application/x-director
.sit        application/x-stuffit
*           application/octet-stream
.crl        application/pkix-crl
.ai         application/postscript
.xls        application/vnd.ms-excel
.wks        application/vnd.ms-works
.ins        application/x-internet-signup
.pub        application/x-mspublisher
.wri        application/x-mswrite
.spl        application/futuresplash
.hqx        application/mac-binhex40
.p10        application/pkcs10
.xlc        application/vnd.ms-excel
.xlt        application/vnd.ms-excel
.dxr        application/x-director
.js         application/x-javascript
.m13        application/x-msmediaview
.trm        application/x-msterminal
.pml        application/x-perfmon
.me         application/x-troff-me
.wcm        application/vnd.ms-works
.latex      application/x-latex
.m14        application/x-msmediaview
.wmf        application/x-msmetafile
.cer        application/x-x509-ca-cert
.zip        application/x-zip-compressed
.p12        application/x-pkcs12
.pfx        application/x-pkcs12
.der        application/x-x509-ca-cert
.pdf        application/pdf
.xlw        application/vnd.ms-excel
.texinfo    application/x-texinfo
.p7m        application/pkcs7-mime
.pps        application/vnd.ms-powerpoint
.dcr        application/x-director
.gtar       application/x-gtar
.sct        text/scriptlet
.fif        application/fractals
            application/octet-stream
            application/vnd.ms-powerpoint
            application/vnd.ms-pkicertstore
            application/vnd.ms-pkipko
.scd        application/x-msschedule
.tar        application/x-tar
.roff       application/x-troff
.t          application/x-troff
.prf        application/pics-rules
.rtf        application/rtf
.pot        application/vnd.ms-powerpoint
.wdb        application/vnd.ms-works
.bcpio      application/x-bcpio
.dll        application/x-msdownload
.pma        application/x-perfmon
.pmr        application/x-perfmon
            application/x-troff
.src        application/x-wais-source
.acx        application/internet-property-stream
.cat        application/vnd.ms-pkiseccat
            application/x-cdf
.tgz        application/x-compressed
.sv4cpio    application/x-sv4cpio
.tex        application/x-tex
.ustar      application/x-ustar
.crt        application/x-x509-ca-cert
            audio/x-pn-realaudio
.mid        audio/mid
.au         audio/basic
.snd        audio/basic
.wav        audio/wav
.aifc       audio/aiff
.m3u        audio/x-mpegurl
.ram        audio/x-pn-realaudio
            audio/aiff
.rmi        audio/mid
.aif        audio/x-aiff
            audio/mpeg
.gz         application/x-gzip
.z          application/x-compress
.tsv        text/tab-separated-values
.xml        text/xml
.323        text/h323
.htt        text/webviewhtml
.stm        text/html
.html       text/html
.xsl        text/xml
.htm        text/html
.cod        image/cis-cod
.ief        image/ief
.pbm        image/x-portable-bitmap
.tiff       image/tiff
.ppm        image/x-portable-pixmap
.rgb        image/x-rgb
.dib        image/bmp
.jpeg       image/jpeg
.cmx        image/x-cmx
.pnm        image/x-portable-anymap
.jpe        image/jpeg
.jfif       image/pjpeg
.tif        image/tiff
.jpg        image/jpeg
.xbm        image/x-xbitmap
.ras        image/x-cmu-raster
.gif        image/gif
(Schedule),
. :
■ Work Hours ( ): 09:00 to 17:00 ( );
■ Weekends ( );
■ Always ( ).
, .
-
, . -
,
. .
Hours (
,
)
Work -
,
17:00. .
,
ISA. 4.
ISA . . ,
,
Web(receive). -
. , Access Rule Wizard), Properties,
(New .
Acceleration Server 2004, , Firewall Policy ( Tasks ( ) ( ). come to the New Access Rule Wizard ( ). ( ). )»,
Microsoft Internet Security and , ). Create New Access Rule WelAccess Rule name «All Open ( (Internal Network),
,
(External
Network).
Next (
). «All Open» (
)
, .
ISA «All Open
, ,
(
)»
, . ,
, /
-
. ,
, — ISA
, ,
.
Rule Action Rule Action ( Deny ( ). Deny ( ) Allow ( ) . 7.1.
. 7.1.
) ISA Server 2000 .
: Allow ( ISA Next (
Rule Action (
) -
),
)
Protocols Protocols ( applies to (
)
, )
This rule
. .
■ All outbound traffic (
) . ,
.
,
,
, SecureNAT ,
, ISA Protocols ( ,
, ■ Selected protocols ( ,
, Definition) « ». . ■ All outbound traffic except selected ( ) (
), .
, , Microsoft)
( , tocols ( Defined (
, SecureNAT ,
).
(Protocol Definition) SecureNAT. FTP, (application filter), SecureNAT. ) . , ISA (Protocol
ISA
Add (
(secondary), .
ISA,
,
AOL Instant Messenger ( ), MSN Messenger ( ) and IRC (Internet Relay Chat, ) (see Fig. 7.2).
Selected Protocols ( ). ).
)
Common Protocols ( )
, ISA ) ISA.
Add Protocols , . ) , , Mail Pro, , . User, All Protocols ( -
)
,
, ISA.
,
. 7.2.
Protocols (
-
)
All Protocols ( ISA.
,
) ISA
, ,
-
. 7.3.
. 7. .
Add Protocols (
)
,
, New ( ). ) RPC Protocol ). -
, Protocol ( (Remote Procedure Call Protocol, , . ,
,
. (
,
, Add Protocols (
)
-
( ).
-
, Add Protocols ( Protocols ( )
(
).
) All outbound traffic This rule applies to ( Next ( ).
)
Access Rule Sources Access Rule Sources (
)
, Add (
.
-
),
,
. Add Network Entities (
) . , New (
, , .
,
). -
. Networks ( ), Internal ( ). Add Network Entities
, Close ( (
) ),
. 7.4. Next (
).
)
Access Rule Sources (
-
. 7.4.
Add Network Entities (
)
Access Rule Destinations Access Rule Destinations ( , Add ( ), Add Network Entities (
)
-
. . ), ,
. , New (
Close ( Entities (
,
)
. Networks ( ), External ( ). Add Network Next ( ) ).
),
). Access Rule Destinations (
User Sets User Sets (
) .
(
, All Users -
—
). ,
, Remove (
).
, Edit (
,
). , Add Users (
Add (
).
,
,
) (Firewall Group),
. New ( Edit (
), ). All Users (
). Add Users ( (
)
. 7.5.
Close ( ).
),
User Sets (
User Sets (
Next . 7.5.
),
)
Completing the New Access Rule Wizard ( ). Finish ( ).
, , SecureNAT
, All Users ( ISA, All Users ( SecureNAT. SecureNAT
-
), . ), , .
-
, ,
)
Properties ( .
Properties ( ) :
■ General ( );
■ Action ( );
■ Protocols ( );
■ From ( );
■ To ( );
■ Users ( );
■ Schedule ( );
■ Content Types ( ).
). Proper-
ties (
).
General —
General (
).
,
Name (
).
, Enable (
-
).
Action Action (
)
,
-
. . ■ Allow (
)
, ISA, .
■ Deny (
)
, ISA,
. ш Redirect HTTP requests to this Web page ( Web) , Web. (Deny). ,
HTTP,
,
Web-
,
-
-
, URL, matching this rule ( )
,
. , , http://corp.domain.com/accesspolicy.htm. Log requests , , , . , , , NetBIOS.
, , (Network Basic Input Output System, NetBIOS broadcast protocols). . 7.6
. 7.6.
Action (
Action (
NetBIOS —
).
)
Protocols Protocols (
)
, This rule applies to ( ) : Allow all outbound traffic ( ), Selected protocols ( ) All outbound traffic except selected ( ). Add ( ) .
.
Remove (
,
Protocols (
Edit ( (
)
-
), ,
)
Protocols
). , . , , ).
Protocols ( , ), ,
Protocols ( , .
Filters (
,
, ,
. 7.7.
Protocols (
. 7.7.
)
ISA. Source Ports Allow traffic from any allowed ). , , , -
, Ports ( ( source port (
),
). ,
, (
,
,
SMTP),
Limit access to traffic from this range of source
ports (
), From (
(
.
-
)
. 7.8).
)
( ,
),
-
. 7.8.
Source Ports (
)
From From (
)
, .
,
,—
. , Add ( ), applies to traffic from these sources ( ). , Remove ( ). , Edit (
. 7.9.
From (
)
,
This rule
, ).
,
This rule applies to traffic from these sources ( ) , Exceptions (
).
, (Point-to-Point Tunneling Protocol, VPN (Virtual Private Network, , Remote Management Computers (
) ). ). tions ( Remove (
), )
Add ( )
Edit (
). Exceptions (
,
,
Excep) -
. 7.9-
( ) Access Rule Destination ( .
,
, sent to these destinations ( ).
. 7.10.
(
)
This rule applies to traffic , )
, External (
, ). Web-
(Domain Name Set)
Hotmail.
, Add (
Hotmail, )
Exceptions (
)
-
Hotmail. HTTP
Hotmail (
.
. 7.10).
Users Users (
)
, ,
. 7.11.
, ,
,
( ,
, . All Authenticated Users ), System and Network Service ( -
).
. 7.11.
Users (
)
Schedule Schedule (
)
,
. Access Rule Wizard) : Always (
(New . ), Weekends
(
)
Work hours ( New (
,
. 7.12.
Schedule (
), ),
. 7.12.
)
, ,
,
. )
Active Directory.
Internet Security and Acceleration Server 2004
Logon Hours ( ,
. -
, Microsoft .
Content Types , (New Access Rule Wizard), — . Content Types ( ) , . HTTP, , Content Types ( ). — All content types ( ). , , Selected content types (with this option selected, the rule is applicable only HTTP traffic) ( (
,
-
)
,
-
, (
. 7.13). Web-
HTTPSecureNAT
, -
, ,
Web-
. 7.13.
Content Types (
.
)
Properties (
)
-
.
Properties ( ) . , Content Types ( ), Properties ( ), Content Types Properties (
). -
. »,
1
« 1
.
,
, « .—
» .
.
-
,
■ Properties ( ) opens the Properties ( ) dialog.
■ Delete ( ) .
■ Copy ( ) , .
■ Paste ( ) , .
■ Export Selected ( ) xml. ISA .
■ Import to Selected ( ) xml- (Access Policy).
■ Move Up ( ) .
■ Move Down ( ) .
■ Disable ( ) , .
■ Enable ( ) , Disable ( ).
■ Configure HTTP ( HTTP) (HTTP Security Filter) HTTP, HTTP.
■ Configure FTP ( FTP) FTP, ISA. , , .
■ Configure RPC Protocol ( RPC) RPC (Remote Procedure Call Protocol, ), RPC.
RPC-
(strict RPC compliance), DCOM (Distributed Component Object Model, ). (
)
, (New Access Rule Wizard) ( ).
.
Paste (
-
).
,
-
(1),
,
. Properties ( .
)
-
,
, .
-
, .
RPC, All IP Traffic ( IPRPCConfigure RPC Protocol (
. 7.14. RPC-
RPCRPC),
. RPCRPC-
Configure RPC protocol policy ( )
, ,
).
.
-
), RPC compliance ( .
Configure RPC protocol policy ( . 7.14, RPC). , RPC, DCOM.
,
RPCEnforce strict RPC, ,
,
ISA,
.
RPC-
.
,
RPCISA.
FTP,
FTPFTP-
FTP). policy (
FTPRead Only (
), FTP
FTP-
. 7.15. FTP-
Configure FTP ( Configures FTP protocol . 7.15. ). . FTP, . .
Configures FTP protocol policy ( )
,
.
HTTP, HTTPHTTP-
HTTPHTTP-
.
, ,
. HTTP-
,
10.
. . ■
Web(Web Publishing Rules) (Server Publishing Rules) .
■
(Deny) Web-
. (
,
■
). (Allow) .
(
,
■
). (Deny) (
, ),
. ■
(Allow) ,
,
,
,
,
,
,
,
, .
,
-
, (
, ,
EXECS , ,
SecureNAT)
.
: HTTP, HTTP, HTTPS, FTP, IRC EXECS,
MSN Messenger.
-
HTTP,
, ,
, .
,
-
NNTP (Network News Transfer Protocol, , EXECS HTTP, HTTPS, FTP, IRC MSN Messenger, NNTP , , , EXECS. ),
,
. ISA,
,
,
,
, (credentials) ,
ISA, ,
.
.
. )
«Anonymous Users ( , «Anonymous Users» ( , , ,
,
ISA ,
Name Service (
NetBIOS)
ISA
,
NetBIOS Datagram (
)», -
, .
. NetBIOS: NetBIOS NetBIOS). -
ISA. , ,
, NetBIOS:
1. In the Microsoft Internet Security and Acceleration Server 2004 console expand the server name and click Firewall Policy.
2. In the Tasks tab click Create New Access Rule.
3. On the Welcome to the New Access Rule Wizard page enter Block NetBIOS logging in Access Rule name. Click Next.
4. On the Rule Action page select Deny and click Next.
5. On the Protocols page select Selected protocols in This rule applies to. Click Add.
6. In the Add Protocols dialog open Infrastructure. Double-click NetBIOS Datagram and NetBIOS Name Service. Click Close.
7. Click Next on the Protocols page.
8. On the Access Rule Sources page click Add.
9. In the Add Network Entities dialog open Computer Sets and double-click Anywhere. Click Close.
10. Click Next on the Access Rule Sources page.
11. On the Access Rule Destinations page click Add.
12. In the Add Network Entities dialog open Computer Sets and double-click Anywhere. Click Close.
13. Click Next on the Access Rule Destinations page.
14. Click Next on the User Sets page.
15. Click Finish on the Completing the New Access Rule Wizard page.
16. Right-click the Block NetBIOS Logging rule and click Properties.
17. In the Block NetBIOS Logging Properties dialog clear Log requests matching this rule.
18. Click Apply.
19. Click Apply to save the changes.
20. Confirm in the Apply New Configuration dialog.
( ,
),
. )
, NetBIOS, ( ,
).
!
WebSecureNAT ,
SecureNAT ( )
.
HTTPWebSecureNAT, WebISA). ,
CERNWeb-
.
WebSecureNAT -
ISA (
Web(CERN compliant) Web. (Direct Access), HTTP. ,
,
Web SecureNAT.
1. In the Microsoft Internet Security and Acceleration Server 2004 console expand the server name and click Firewall Policy.
2. In the Toolbox tab open Common Protocols and double-click HTTP.
3. In the HTTP Properties dialog click the Parameters tab.
4. On the Parameters tab clear Web Proxy Filter. Click Apply.
5. Click Apply to save the changes.
6. Confirm in the Apply New Configuration dialog.
WebSecureNAT
,
HTTPWeb,
.
, , SecureNAT ,
,
-
Web.
,
HTTP Access (
HTTP),
HTTP.
, HTTPwww.spyware.com. www.spyware.com, HTTP Access ( HTTP). SecureNAT HTTP Access — ),
HTTP — (
Web-
, www.spyware.com WebSecureNAT
. , WebHTTP ( Configure HTTP policy for rule — HTTP) HTTPMicrosoft Internet Security and Acceleration Server 2004 ( ). , HTTP, Web. HTTP, HTTPWeb. HTTPWebHTTP. ,
Web.
!) Web, Web-
( HTTP-
HTTP.
ISA — , (stateful application layer inspection). —
( «
ISA
»
)—
-
. ISA —
, ,
. «
.
«
, 1990-
, -
», »
,
.,
,
,
ISA . ,
-
XXI ,
,
«
»
—
.
, ISA. ,
/
,
-
. , ),
,
URL-
«Web Users» (Web1 500
.
,
1 500 ISA. :
5 000
,
(Domain Name Set) .
. ,
URLURL-
.
, ISA,
, . (
, ,
).
,
-
, URL-
. .
, URL- ImportURLs.vbs (Listing 7.1).

Listing 7.1. ImportURLs.vbs, URL-

Set Isa = CreateObject("FPC.Root")
Set CurArray = Isa.GetContainingArray
Set RuleElements = CurArray.RuleElements
Set URLSets = RuleElements.URLSets
Set URLSet = URLSets.Item("Urls")
Set FileSys = CreateObject("Scripting.FileSystemObject")
Set UrlsFile = FileSys.OpenTextFile("urls.txt", 1)
' Remove every existing entry from the URL set
For i = 1 to URLSet.Count
    URLSet.Remove 1
Next
' Read urls.txt line by line and add each URL to the set
Do While UrlsFile.AtEndOfStream <> True
    URLSet.Add UrlsFile.ReadLine
Loop
WScript.Echo "Saving..."
CurArray.Save
WScript.Echo "Done"
,
: Set URLSet = URLSets.Item("Urls")
Urls
URL-
,
ISA. : Set UrlsFile = FileSys.OpenTextFile("urls.txt", 1)
,
urls.txt
URLISA.
,
,
. ImportDomains.vbs (Listing 7.2).

Listing 7.2. ImportDomains.vbs

Set Isa = CreateObject("FPC.Root")
Set CurArray = Isa.GetContainingArray
Set RuleElements = CurArray.RuleElements
Set DomainNameSets = RuleElements.DomainNameSets
Set DomainNameSet = DomainNameSets.Item("Domains")
Set FileSys = CreateObject("Scripting.FileSystemObject")
Set DomainsFile = FileSys.OpenTextFile("domains.txt", 1)
' Remove every existing entry from the domain name set
For i = 1 to DomainNameSet.Count
    DomainNameSet.Remove 1
Next
' Read domains.txt line by line and add each domain to the set
Do While DomainsFile.AtEndOfStream <> True
    DomainNameSet.Add DomainsFile.ReadLine
Loop
WScript.Echo "Saving..."
CurArray.Save
WScript.Echo "Done"
,
,
-
. In
: Set DomainNameSet = DomainNameSets.Item("Domains")
Domains ISA.
,
-
: Set DomainsFile = FileSys.OpenTextFile("domains.txt", 1)
domains.txt
,
,
-
ISA.
, . , ,— URLMicrosoft Internet Security and Acceleration Server 2004 ( ). , . URL, URL-
. ;
Acceleration Server 2004 ( ■ 2004 ( ( 20
. 4388
,
-
URLs, , URLMicrosoft Internet Security and ).
URL URLs .
1. In the Microsoft Internet Security and Acceleration Server 2004 console expand the server name and click Firewall Policy.
2. In the Firewall Policy pane click the Toolbox tab, then Network Objects.
3. In Network Objects click New, then URL Set.
4. In the New URL Set Rule Element dialog (Fig. 7.16) enter URLs in Name. .
. 7.16.
New URL Set Rule Element ( URL-
)
URL-
URL-
. 7.17.
. 7.17.
).
URL-
,
— , ,
Domains, ImportDomains. ; ,
,
. Domains
.
1. In the Microsoft Internet Security and Acceleration Server 2004 console expand the server name and click Firewall Policy.
2. In the Firewall Policy pane click the Toolbox tab, then Network Objects.
3. In Network Objects click New, then Domain Name Set.
4. In the New Domain Name Set Policy Element dialog (Fig. 7.18) enter Domains in Name. .
. 7.18.
New Domain Set Policy Element ( )
Domain Name Sets ( . 7.19.
),
. 7.19.
Domain Name Sets (
)
Apply ( .
)
■
Apply New Configuration (
). : urls.txt
domains.txt. , .
.
, ,
, :
domains.txt:
■ stuff.com;
■ blah.com;
■ scumware.com.
URL- urls.txt:
■ http://www.cisco.com;
■ http://www.checkpoint.com;
■ http://www.sonicwall.com.
:
ImportURLs.vbs. : Saving
. :. . 7.20 (
-
).
.
. 7.20.
URL,
Fig. 7.21.
. 7.21 .
,
,
-
.
.
ImportDomains.vbs. Saving (
).
. Done (
).
.
Microsoft Internet Security and Acceleration Server 2004 ( ), . Microsoft Internet Security and Acceleration Server 2004 ( ) Firewall Policy ( ) . -
Microsoft Internet Security and Acceleration Server 2004 ( ), Refresh ( ). Toolbox ( Network Objects ( URL Sets ( URL). URLs. , ,
. 7.22.
URL-
)
-
). URLURL. 7.22.
Domains.
Domain Name Sets ( ,
).
,
,
-
. . 7.23
,
.
. 7.23.
URL-
,
-
. URL-
,
URL-
.
SSLSSL-
Web, SSL (Secure Sockets Layer,
Web-
,
SSL-
.
) ,
, 4433
SecureNAT
Web, .
HTTP.
-
SSL- 443. ,
SecureNAT ISA —
Web-
-
, SSLSSL-
443,
, .
SSL. (Jim Harrison) , , ISA.
Web-
-
443, Web-
http://www.isatools.org , ISA
SSL. www.isatools.org
■
isa_tpr.js, ISA. Not
. . ■ , ■ ■ ■
, , ,
, , , isa_tpr.js. : This is your current Tunnel Port Range list ( ). NNTP (Network News Transfer Protocol, ). SSL (Secure Sockets Layer, ). isa_tpr.js :
isa_tpr.js /?
, (Fig. 7.24). 8848:
cscript isa_tpr.js /add Ext8848 8848
■
, . 7.25.
. . , .
).
. 7.24.
isa_tpr.js
Fig. 7.25. SSL-
ISATpre.zip (Steven Soekrasno), www.isatools.org: .NET, SSL, GUI (graphical user interface, ).
.
ISA (Fig. 7.26).
. 7.26.
.NET
(Steven Soekrasno)
ISA ISA — (loop back)
ISA,
, -
,
. ISA
,
.
,
ISA
,
, Web-
. , . Web-
SecureNAT
Web. WebURL-
URLhttp://www.msfirewall.org.
http://webl
, Web-
,
WebISA)
URLhttp://www.msfirewall.org? DNS (Domain Name Server, www.msfirewall.org ISA, ( www.msfirewall. org. ISA, . SecureNAT, (
), IP)
ISA, .
-
-
ISA ,
,
-
. Web(
SecureNAT, (Direct Access) ,
ISA
,
-
,
). . ■
DNS, ,
.
DNS.
, .
,
,
—
.
,
,
. ■
,
WebIP-
, , Web-
. .
■
, ,
. ISA
ISA
5
4.
,
Web-
(HTTP-
,
)
,
ISA,
-
WebWeb-
ISA.
,
. —
.
Web-
WebWeb(
)
.
,
,
-
. ,
Web-
.
Web(
407)
-
.
Web-
ISA
. . 7.27
HTTP-
407,
. (frame),
Web ASCII- Network Monitor ( ). HTTP/1.1 407 Proxy Authentication Required (HTTP/1.1 407 ). 407, ISA.
Web Web-
. 7.27.
,
407,
Web-
MSN Messenger —
ISA.
,
.
■
HTTP (HTTP Security Filter) Web ( )URL-
, ■
. , .
■
, , (custom)
.
■ Web-
, URLWeb-
■
, (Principle of Least Privilege). , . ,
. ,
.
,
,
. , ,
,
-
, ( MSN Messenger 6.2, Microsoft):
■ (Deny) MSN Messenger;
■ MSN Messenger HTTP.
«all open» ( ), HTTP (signature) MSN Messenger. Tables 7.2 and 7.3 MSN Messenger.

Table 7.2. All Open rule with an HTTP signature blocking MSN Messenger 6.2

Name: All Open -1
Action: Allow
Protocols: HTTP and HTTPS
From/Listener: Internal
To: External
Condition: All Users
Purpose: ISA ; the HTTP signature blocks MSN Messenger 6.2 over HTTP

Table 7.3. Rule denying the MSN Messenger protocol

Name: Deny Messenger Protocol
Action: Deny
Protocols: MSN Messenger
From/Listener: Internal
To: External
Condition: All Users
Purpose: MSN Messenger
The Deny Messenger Protocol rule (Table 7.3) uses the MSN Messenger protocol definition (TCP 1863) and precedes the All Open rule ( ) (Fig. 7.28).
MSN Messenger
. 7.28.
Right-click the All Open -1 rule and click Configure HTTP ( HTTP). In the Configure HTTP policy for rule dialog open the Signature tab and click Add. In the Signature dialog (Fig. 7.29) enter:
Name: ( ) a name for the signature, for example MSN Messenger;
Description (optional): ( );
Search in: ( ) Request headers ( );
HTTP Header: (HTTP) User-Agent:;
Signature: ( ) MSN Messenger.
Click Apply in Properties ( ). Click Apply to save the changes and confirm in the Apply New Configuration dialog.

Fig. 7.29. The Signature dialog
. 7.30
MSN Messenger.
,
,
MSN Messenger, MSN Messenger (HTTP Security Filter) All Open ( ).

Fig. 7.30.
, HTTP
MSN Messenger , HTTP Status (
HTTP
HTTP) ISA.
MSN Messenger
Web-
MSN Messenger
-
HTTP.
, Web,
, ,
MSN Messenger, MSN Messenger,
MSN Messenger MSN Messenger, , MSN Messenger, , ,
,
Hotmail. (credentials)
. MSN Messenger,
, ,
ISA. ISA, -
. ,
HTTPS (Hypertext ) MSN messenger. -
Web, Transmission Protocol, Secure, ,
HTTP
, , /
MSN Messenger. .
, ,
, ,
MSN (Microsoft Network,
Microsoft)
-
(Direct Access).
■ HTTP;
■ Config.messenger.msn.com;
■ Gateway.messenger.hotmail.com;
■ Loginnet.passport.net;
■ Loginnet.passport.com;
■ 207.46.110.0/24 (this is a Subnet Network Object).
,
viewer) ,
(real time log MSN Messenger.
ISA. ,
, ,
. 7.4
, MSN Messenger.
, Table 7.4.

Table 7.4. Web proxy rule for MSN Messenger

Name: MSN Messenger Web Proxy Access
Action: Allow
Protocols: HTTP and HTTPS
From/Listener: Internal
To: Messenger Subnet, Messenger Sites ( , MSN Messenger)
Condition: All Users
Purpose: Web, MSN Messenger, HTTP HTTPS
ISA ISA (firewall state table), . .
ISA
-
, (
1-2
).
,
.
■ ISA, ping «ping -n IP address».
. +.
ping ,
,
ping ■
ISA
ISA. (Deny)
Ping
, ping ■
ISA.
ping
,
,
.
, ping
.
■
, .
ping , ping
ISA.
-
. ■
ping, . , Apply ( .
),
-
,
■ Sessions ( ) Monitoring ( ): in the Microsoft Internet Security and Acceleration Server 2004 console click Monitoring, open the Sessions tab, select the session and click Disconnect Session ( ) in the Tasks tab.
■ Microsoft Firewall: in the Microsoft Internet Security and Acceleration Server 2004 console click Monitoring, open the Services tab, select Microsoft Firewall and click Stop Selected Service ( ), then Start Selected Service ( ), in the Tasks tab.
DMZ ISA Server 2004 ISA Server 2000 — (multinetworking). 4, , ISA Server 2004 « », ISA Server 2000, « » « » ( (LAT) LAT (not-LAT)), ISA Server 2004 ,
-
ISA Server 2004, VPN (Virtual Private Network, VPN.
, )
-
ISA Server 2004 (
-
(
) VLAN (virtual LAN, ,
)) ISA Server 2004. ISA Server 2000,
-
« RRAS (Routing and Remote Access Service, ).
»,
, .
DMZ , ISA Server 2000 DMZ.
DMZ
Server 2000 ; ISA Server 2000
, ( , NAT)
, (stateful packet filters) ( ISA Server 2004
ISA -
DMZ , ,
).
-
, ,
NAT. ,
DMZ
, -
, , ,
(
(DNS). ,
DNS-
IPDMZ, ),
-
.
ISA Server 2004, DMZ,
,
«
»
-
.
,
«
»
.
.
ISA ,
, :
. ,
NAT.
, -
, -
-
. ,
ISA Server 2000 ( . .
, NAT) . ,
-
ISA. . 7.31
, .
«
DMZ. »
-«
» PC-
, ) ,
172.16.0.2. DNS,
. 7.31.
DMZISA Server 2004
DMZ,
DMZ-
PDA (Personal Digital Assistant, DMZ, , IPDMZ, IP. .
DMZ, . IP-
, PC. 7.32.
PDA, ISA DMZ-
,
, DMZ-
-
,
-
,
. -
, (NAT),
.
-
IP-
ISA (NAT hiding) —
IP-
DMZ-
.
NAT.
PC-
PDA IP ISA Server 2004
DMZWeb-
NAT-
. 7.32.
, DNS.
(Fig. 7.31-7.32) IP 172.16.0.1 is the IP address of the DMZ host in the DMZ. DNS, the DNS server
IP DNS (
. ) IP-
DMZ-
. .
,
IPWeb-
WebISA Server 2000 .
ISA Server 2000
-
, Web-
.
, ISA Server 2004 , IP-
, WebISA.
-
DMZ,
-
,
:
Web-
Table 7.5 DMZ
ISA,
,
.
. 7.5. ,
.
NAT
DMZ,
— — _______ DMZ -
DMZ,
,
. IP-
-
. HTTP.
IP. Web-
DMZ-
DMZISA Server 2004 ,
DMZ-
IP, ISA Server 2004. IPDMZ, DNS, , . IPISA Server 2004
"
-
IP,
-
WebIPIPDMZ NAT
( IPISA Server 2004)
, -
DMZ-
IP, ISA Server 2004. IPDMZDNS, , . IPISA Server 2004
-
IP, Web-
IPIP-
( IPISA Server 2004).
-
ISA Server 2004 . 7.5. (
) — — ______________________________________________________________________
DMZ-
-
,
DMZ-
NAT
IP, ISA Server 2004. IPDMZDNS, , . IPISA Server 2004
"
, IP-
, Web-
IP-
( IP-
IP-
Server 2004).
?
DMZ, NAT
DMZCOM
IP, ISA Server 2004. IPDMZDNS, , . IPISA Server 2004
"
, IP-
, Web-
IP-
( IPISA Server 2004).
IP'
,
-
NAT.
,
,
Web,
. ,
Web-
-
.
. , ,
DMZ,
ISA
,
. .■
WebIPName, FQDN) (worms)
DMZ,
. IP-
(Fully Qualified Domain , .
■
We b(Web listeners),
Web,
Exchange, (delegation of basic authentication)
SecurID (RSA).
■
Web(Secure Sockets Layer,
SSL
SSL
), SSL.
SSL
ISA Server 2004 «
SSL » SSL-
,
,
, ,
.
,
■
, WebISA Server 2004
SSL-
, Web-
.
Web, .
SMTP, DNS-
, DNS, (Post Office Protocol v. 3,
,
,
). DMZ-
,
, .
■
Web-
DMZ,
HTTP. HTTPHTTP
,
ISA Server 2004. , HTTP
ISA Server URLScan
2004. HTTP-
, HTTP-
ISA Server 2000
. -
DMZ-
. ,
, , ISA Server 2004.
,
,
-
ISA ,
-
;
,
. :
■
, ;
■ ■ ■
; ISA Server 2004; DMZ IIS (Internet Information Services, ) WWW SMTP (Simple Mail Transfer Protocol, );
■ ■
DMZ; ,
DMZ
DMZ
,
;
■
, DMZ
DNS ;
■
,
DNS ;
■
,
HTTP-
,
SMTP-
DMZ; ■ DMZ; ■ ■
DMZ; DMZ, Web-
.
,
ISA, DMZ
, DMZ
.
, DMZ.
DMZ,
. -
. DMZ.
IPISA Server 2004
(ID)
DMZ.
DMZ
, , ,
. -
, 192.168.1.0/24. The internal IP address of the ISA firewall is 192.168.1.70, and the DMZ network ID is 172.16.0.0/16. DMZ Windows XP, ISA Server 2004 172.16.0.0/16 (network ID). The route to the DMZ network ID through the internal IP address of the ISA firewall:
route add 172.16.0.0 MASK 255.255.0.0 192.168.1.70
, (public address block). , DMZ
,
,
-
ISA Server 2004.
, ,
DMZ
,
-
ISP (Internet Service Provider, DMZ
ISA Server 2000 ,
). ISP.
,
,
.
,
DNS
DNS —
.
ISA,
-
Web.
ISA DNS-
DNS.
DNS,
, , ISA
«
». DNS ■
ISA . DNS-
, .
,
-
■
DNS,
ISA
DMZ
DNS-
■ DNS-
DMZ DNS, ,
.
. , DNS-
, . ■
DNSDNS-
, DNS.
ISA ,
DNS,
,
Web. SOHO (Small Office/Home Office,
, ),
. DNS-
DNS-
ISA — .
■
DNS,
■
DNS-
! DNSNetwork and Dial-up Connections ( ISA , IPDNS-
, ).
. DNS-
DMZ
DNS-
,
DMZ,
,
, DNSDNS-
. ,
. DNS-
:
DNS-
,
, ,
ISA. DNSDMZ,
.
ISA Server 2004 , Server 2004 «
DNS
ISA
— ISA Server 2004. -
, ,
: » (
,
-
),
5, ISA.
IIS WWW
SMTP
DMZ-
Windows Server 2003 DMZ . IIS 6.0 WWW (W3SVC) IIS 6.0 SMTP. . , ; : Exchange Server publishing OWA (Outlook Web Access, WebOutlook), (Object Management Architecture, ), ActiveSync ( ), RPC over HTTP ( HTTP) . DMZ
IP-
,
DMZ. DMZ. DMZ,
, DMZ-
ISA Server 2004 IP-
-
, ,
.
DNS-
DMZ-
IP,
ISA. NAT , DMZDNS-
IP-
DMZ DNS-
,
DMZ IP-
. , SMTP-
DMZ
SMTP(SMTP relay). SMTPMX (mail exchange,
) ,
DNS-
.
. -
-
DMZ DMZ-
.
ISA Server 2004 DMZ. , ,
, ISA
IP-
DMZ
— ,
. ,
IP-
DMZ (network ID). ,
IP,
, (Network Templates), DMZ. ,
DMZ. ISA
-
, ISA Server 2004. , ,
. . ,
, , ,
DMZ:
■ In the Microsoft Internet Security and Acceleration Server 2004 console expand the server name and click Configuration, then Networks.
■ In the Networks pane click the Networks tab in the Details pane, then Create a New Network in the Tasks tab.
■ On the Welcome to the New Network Wizard page (Fig. 7.33) enter DMZ in Network name. Click Next.
■ On the Network Type page select Perimeter Network. Click Next.
■ On the Network Addresses page click Add Adapter.
Fig. 7.33. New Network Wizard
■ In the Select Network Adapters dialog (Fig. 7.34) select the DMZ adapter. Network Interface Information ( ) .
■ Click Next on the Network Addresses page.
■ Click Finish on the Completing the New Network Wizard page.

Fig. 7.34. Select Network Adapters ( )
DMZ DMZ ,
DMZ
,
DMZ,
(
,
,
). DMZ
NAT (network address translation, DMZ .
)
DMZ IP. , DMZ , (Server Publishing Rule) . , DNS-
DNS-
DMZ-
DNS-
DNS-
.
, DMZ 1.
Networks (
), Network Rules (
( ( 2.
3. 4.
5. 6.
).
. , ) Details Create a New Network Rule Tasks ( ),
) . Welcome to the New Network Rule Wizard ( ) Network rule name ( ). DMZOExternal. Next ( ). Network Traffic Sources ( ) Add ( ). Add Network Entities ( ) Networks ( ) DMZ. Close ( ). Next ( ) Network Traffic Sources ( ). Network Traffic Destinations ( ) Add ( ).
-
7. ). tions ( ( ( (
Add Network Entities ( ) Networks ( ) External ( Close ( ). Next ( ) Network Traffic Destina), Network Relationship ) Route ) Next ( ). Completing the New Network Wizard ) Finish ( ). —
DMZ
. DMZ
. NAT
DMZ Networks (
1.
. ), Network Rules (
( ( 2.
3. 4.
5. 6. 7.
8.
).
, ) Details Create a New Network Rule Tasks ( ),
) . Welcome to the New Network Rule Wizard ( ) Network rule name ( ). DMZOInternal. Next ( ). Network Traffic Sources ( ) Add ( ). Add Network Entities ( ) Networks ( ) Internal. Close ( ). Next ( ) Network Traffic Sources ( ). Network Traffic Destinations ( ) Add ( ). Add Network Entities ( ) Networks ( ) DMZ. Close ( ). Next ( ) Network Traffic Destina tions ( ).
9-
Network Relationship ( (
)
( Finish (
Next (
) ).
Route
Completing the New Network Wizard ) ).
, DNS
DMZ
DMZ-
,
.
- DMZ,
DMZ,
.
SMTP-
(SMTP relay) .
DNS. 1.
2.
3.
4. 5.
DMZ-
, DNS-
-
. Microsoft Internet Security and Acceleration Server 2004 ( 2004) Firewall Policy ( ). Tasks ( ) Create a New Server Publishing Rule ( ). Welcome to the New Server Publishing Rule Wizard ( ), . 7.35, Server publishing rule name ( ). Publish Internal DNS Server. Next ( ). Select Server ( ) IPDNS, . IPDNS10.0.0.2. Next ( ). Select Server ( ) DNS Server . Next ( ). IP Addresses (IP) DMZ. , DNS-
.
Next ( ). Completing the New Server Pub )
6. lishing Rule ( Finish (
).
. 7.35.
New Server Publishing Rule Wizard
,
DNS
DNS-
DNS,
DNSDNS-
1.
2. 3.
4. 5.
.
DNSDNS-
.
DNSDNS. Microsoft Internet Security and Acceleration Server 2004 ( 2004) Firewall Policy ( ), . Tasks ( ) Create a New Access Rule ( ). Welcome to the New Access Rule Wizard ( ) Access Rule name ( ). Outbound DNS Internal DNS Server. Next ( ). Rule Action ( ) Allow ( ) Next ( ). Protocols ( ) Selected protocols ( ) This rule applies to ( ). Add ( ).
-
6.
Add Protocols ( ) Common Protocols ( ) DNS. Close ( ). 7. Next ( ) Protocols ( ). 8. Access Rule Sources ( ) Add ( ). 9. Add Network Entities ( ) New ( ), Computer ( ). 10. New Computer Rule Element ( , ) Name ( ). Internal DNS Server. Computer IP Address (IP) IPDNS, 10.0.0.2. . 11. Computers ( ) Internal DNS Server ( DNS). Close ( ). 12. Access Rule Sources ( ) Next ( ). 13. Access Rule Destinations ( ) Add ( ). 14. Add Network Entities ( ) Networks ( ). External ( ), Close ( ). 15. Next ( ) Access Rule Destinations ( ). 16. User Sets ( ) All Users ( ) Next ( ). 17. Completing the New Access Rule Wizard ( ) Finish ( ).
,
HTTP-
DMZ — DMZ-
, .
HTTP-
-
, ,
Web-
-
,
IP-
WebHTTP,
HTTP
,
-
HTTP, Web-
,
.
WebDMZ . 1. Microsoft Internet Security and Acceleration Server 2004 ( 2004) Firewall Policy ( ), , Create a New Access Rule ( ) Tasks ( ) . 2. Welcome to the New Access Rule Wizard ( ) Access Rule name ( ). Inbound to DMZ Web Server. Next ( ). 3. Rule Action ( ) Allow ( ) Next ( ). 4. Protocols ( ) Selected protocols ( ) This rule applies to ( ). Add ( ). 5. Add Protocols ( ) Common Protocols ( ) HTTP. Close ( ). 6. Next ( ) Protocols ( ). 7. Access Rule Sources ( ) Add ( ). 8. Add Network Entities ( ) Networks ( ), External ( ). Close ( ). 9. Access Rule Sources ( ) Next ( ). 10. Access Rule Destinations ( ) Add ( ). 11. Add Network Entities ( ) New ( ). Computer ( ). 12. New Computer Rule Element ( , ), . 7.36, Name ( ). DMZ Web Server. Computer IP Address (IP) IPWebDMZ, 172.16.0.2. .
New Computer Rule Element )
. 7.36. (
,
13-
Add Network Entities ( ) Computers ( ) DMZ Web Server (WebDMZ). Close ( ). 14. Next ( ) Access Rule Destinations ( ). 15. User Sets ( ) All Users ( ) Next ( ). 16. Completing the New Access Rule Wizard ( ) Finish ( ).
,
SMTP-
DMZ ,
WebSMTP-
.
,
, DMZ.
-
, ,
, SMTP-
1. 2004 (
SMTP,
.
. Microsoft Internet Security and Acceleration Server 2004) Firewall Policy ( ),
,
Create a New Access Rule ) Tasks ( ) . Welcome to the New Access Rule Wizard ( ) Access Rule name ( ). Inbound to DMZ SMTP Server. Next ( ). Rule Action ( ) Allow ( ) Next ( ). Protocols ( ) Selected protocols ( ) This rule applies to ( ), . 7.37, Add ( ). Add Protocols ( ) Common Protocols ( ) SMTP. Close ( ). (
2.
3. 4.
5.
. 7.37.
6. 7.
New Access Rule Wizard
Next ( ) Access Rule Sources ( Add ( ). 8. Add Network Entities ( Networks ( ) ( ). Close ( 9. Access Rule Sources ( Next ( ). 10. Access Rule Destinations ( Add ( ). 11. Add Network Entities ( Computers ( ) Server (WebDMZ).
Protocols (
). ) ) External
). ) )
Close (
) DMZ Web ).
12.
Next ( ).
( 13
)
User Sets ( All Users (
Access Rule Destinations )
)
Next (
-
). 14.
Completing the New Access Rule Wizard )
( Finish ( 15.
). Apply ( .
)
16.
Apply New Configuration (
). , . 7.38.
. 7.38.
DMZ . 1.
WebDMZ.
IP http://172.16.0.2
Web-
. IPWebDMZ — 172.16.0.2,
. 2.
WebServices, WebConstruction (
). Web-
Web). , , DMZ,
IIS (Internet Information Under , .
3.
, . Windows Explorer ( Web C:\WINDOWS\system32\LogFiles\W3SVC1 ) .
,
. .
IP-
.
,
,
IP-
—
, ,
Web-
IPDMZISA Server 2004.
.
Web-
HTTP. .
,
, ,
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2004-06-18 05:47:14
2004-06-18 05:56:21 172.16.0.2 GET /iisstart.htm - 80 - 172.16.0.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) 200 0 0
2004-06-18 05:56:25 172.16.0.2 GET /pagerror.gif - 80 - 172.16.0.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) 200 0 0
4.
WebDMZ Internet Information Services (IIS) Manager ( ) Administrative Tools ( ) Start ( ). 5. Internet Information Services (IIS) Manager ( ) Default Virtual SMTP Server ( SMTP) Properties ( ). General ( ) Enable Logging ( ). Apply ( ), . 6. . telnet 172.16.0.2 25 . 7. SMTP. help . , SMTP, . 7.39. quit SMTP.
. 7.39.
,
SMTP-
8.
C:\WINDOWS\system32\LogFiles\SMTPSVC1 DMZ. , . IP. , WebDMZ. , , IPIP-
,
. IPISA.
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2004-06-18 06:07:22
#Fields: time c-ip cs-method cs-uri-stem sc-status
06:07:22 192.168.1.187 QUIT - 240
DNS
DMZ
, ,
,
DMZ-
, ,
. , ,
—
,
DMZ.
DNS-
DNS-
1.
DMZnslookup www.hotmail.com
. nslookup,
2. . 7.40. Publish Internal DNS Server, Outbound DNS Internal DNS Server. DNSDNSDNS-
. 7.40.
.
.
, . 7.41
nslookup
, DMZDNS.
,
. 7.41.
3.
(real time log monitor) . 7.41.
,
Web-
,
, DMZ
IPISA Server 2004 . , HTTP, 1.
2. 3. 4.
5. 6. 7.
WebWeb-
IP-
.
Web. Microsoft Internet Security and Acceleration Server 2004 ( 2004) Inbound to Web Server Properties ( ). Inbound to Web Server Properties ( Inbound to Web Server) Protocols ( ). Protocols ( ) HTTP Protocols ( ) Edit ( ). HTTP Properties ( HTTP) Parameters ( ). Parameters Web Proxy Filter ( Web) Application Filters ( ). Apply ( ) . Inbound to Web Server Properties ( Inbound to Web Server). Apply ( ) . Apply New Configuration ( ). , , Web. 1. Web, http://172.16.0.2 .
2.
Under Construction (
).
,
Refresh (
)
. 3.
WebWWW Web. IP-
DMZ .
-
, IP-
.
.
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2004-06-18 07:42:37
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2004-06-18 07:42:37 172.16.0.2 GET /iisstart.htm - 80 - 192.168.1.187 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) 200 0 0
2004-06-18 07:42:37 172.16.0.2 GET /pagerror.gif - 80 - 192.168.1.187 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) 200 0 0
,
Web-
HTTP
IPWeb, ,
Web.
-
,
WebSecureNAT WebWebWeb-
,
.
,
,
Web-
Web-
HTTP-
Web-
.
, ,
, . ,
TCP 80 Outbound. HTTP-
-
DMZ
.
, HTTP.
Web-
!
ISA ISA
-
DMZ
, ISA
.
-
. ,
,
,
,
-
,
DMZ
,
, . ,
Exchange Server . Active Active Directory
SMTPDirectory, . ,
ISA,
ISA
,
. ,
ISA.
«
«
»
-
» .
ISA
~
, , . .
,
,
. 7.42.
DMZ
. 7.42.
. 7.6
,
,
, . ,
. 7.6. Action ( Protocols (
) )
,
Allow ADLogon/DirRep* Direct Host (TCP 445)" DNS
Kerberos-Adm (UDP) Kerberos-Sec (TCP)
ISA Server 2004 . 7.6. (
)
From (
)
Users ( Schedule ( Content Types (
Kerberos-Sec (UDP) (TCP) LDAP (UDP) LDAP GC (Global Catalog) RPC Endpoint Mapper (TCP 135)*** NTP Ping DMZ Member Server Internal Network DC ( Internal Network DC DMZ Member Server ( DMZ) All Always All content types
( ) ) )
)
)
ADLogon/DirRep: RPC "
: 50000 TCP
(
Exchange Server).
Direct Host: ,
: 445 TCP ).
"• RPC Endpoint Mapper: ,
(
: 135 TCP ).
(
-
RPC (Remote Procedure Call,
)
(universally unique identifier, UUID), (globally unique identifier, GUID). UUID ( , RPC) . RPC ,
RPC (high) 1024)
( RPC.
UUID , ,
-
, .
-
. RPC, ,
,
, (
135)
. RPC,
-
RPC
UUID. RPC-pac-
. , ,
. ,
RPC,
. ,
RPC,
.
,
-
. DMZ .
,
-
.
:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\ , RPC-
ISA RPC-
. RPC-
(RPC negotiations) .
, RPCDMZ
. -
, . RPC-
,
RPC,
,
ISA
«
»—
.
DWORD, IP)
,
TCP/IP Port ( .
TCP/
. , RPC-
50000. )
Start (
1. ).
Open (
)
Run ( Regedit
. 2.
: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\ 3. Edit ( ) New ( ). DWORD Value ( DWORD).
4.
New Value #1 . Edit DWORD Value ( Decimal ( ).
5. data (
TCP/IP Port DWORD) Value
50000
).
.
6.
. ISA ,
ROUTE ( DMZ (Network Template)
.
-
NAT ( NAT
,
)
, , DMZ, ).
,
. -
, ,
ROUTE (
,
,
DMZ . 7.43.
),
,
. 7.43.
, -
-
DMZ
.
, .
,
-
DMZ
. ,
, ,
-
DMZ .
-
.
(Protocol Definitions),
, -
. ,
.
, 1.
2.
3.
4. 5.
6.
DMZ
. Microsoft Internet Security and Acceleration Server 2004 ( 2004) , , Firewall Policy ( ). Firewall Policy ( ) Tasks ( ) . Create a New Access Rule ( ). Welcome to the New Access Rule Wizard ( ) Access Rule name ( ). Member Serveralnternal DC. Next ( ). Rule Action ( ) Allow ( ) Next ( ). This rule applies to ( ) Selected protocols ( ). Add ( ). Add Protocols ( ) All Protocols ( ) : DNS Kerberos-Adm (UDP) Kerberos-Sec
(TCP)
Kerberos-Sec
(UDP)
LDAP LDAP (UDP)
LDAP GC (Global Catalog) NTP (UDP) Ping 7. 8.
New ( ) Protocol ( ). Welcome to the New Protocol Definition Wizard ( ) AD Logon /DirRep Protocol Definition name ( ). Next ( ).
9-
Primary Connection Information ( New ( ). 10. New/Edit Protocol Connection ( / ) TCP Protocol type ( Outbound ( ) Direction ( ). Port Range ( ) 50000 From ( ( ), . 7.44. . )
).
-
)
. 7.44.
11.
Next ( mation (
12.
No (
)
)
Primary Connection Infor ). Secondary Connections (
). 13Finish ( ) Completing the New Protocol Definition Wizard ( ). 14. New ( ) Protocol ( ). 15. Welcome to the New Protocol Definition Wizard ( ) Direct Host Protocol Definition name ( ). Next ( ). 16. Primary Connection Information ( ) New ( ). 17. New/Edit Protocol Connection ( / ) TCP Protocol type ( ). Outbound ( ) Direction ( ). Port Range ( ) 445 From ( ) ( ). .
. 7.45.
18.
Next (
)
mation (
),
19.
No (
)
Primary Connection Infor.
Secondary Connections (
). 20.
Finish (
)
Completing the New Protocol Definition Wizard ( ). 21. New ( ) Protocol ( ). 22. Welcome to the New Protocol Definition Wizard ( ) RPC Endpoint Mapper (TCP 135) Protocol Definition name ( ). Next ( ). 23. Primary Connection Information ( ) New ( ). 24. New/Edit Protocol Connection ( / ) TCP Protocol type ( ). Outbound ( ) Direction ( ). Port Range ( ) 135 From ( ) ( ). . 25. Next ( ) Primary Connection Infor mation ( ). 26. No ( ) Secondary Connections ( ). 27. Finish ( ) Completing the New Protocol Definition Wizard ( ). 28. Add Protocols ( ) User-Defined ( ). : ADLogon/DirRep, Direct Access RPC Endpoint Mapper (TCP 135). Close ( ).
29. 30.
Next ( ) Access Rule Sources ( Add ( ). Add Network Entities ( New ( ).
31. ( 32.
Protocols (
). ) ) Computer
).
New Computer Rule Element ( , ) DMZ Member Server Name ( ). 172.16.0.2 Computer IP Address (IP). . 33. Add Network Entities ( ) New ( ) Computer ( ). 34. New Computer Rule Element ( , ) Internal DC Name ( ). 10.0.0.2 Computer IP Address (IP). . 3 5. Add Network Entities ( ) Computers ( ). DMZ Member Server. Close ( ). 36. Next ( ) Access Rule Sources ( ). 37. Access Rule Destinations ( ) Add ( ). 38. Add Network Entities ( ) Computers ( ). Internal DC. Close ( ). 39Next ( ) Access Rule Destinations ( ). 40. User Sets ( ) All Users ( ) Next ( ). 41. Completing the New Access Rule Wizard ( ) Finish ( ). 42. Apply ( ) . 43 Apply New Configuration ( ), Firewall Policy ( ) , . 7.46.
Firewall Policy (
. 7.46.
)
,
DMZ
Active Directory
.
, -
. .
. 7.47 -
.
,
, ISA
.
. 7.47.
, -
File System,
TCP 445. Microsoft CIFS (TCP) (Common Internet ), Direct Host,
,
.
, ,
,
-
. Protocol (
135. RPC (all interfaces) (RPC, RPC Endpoint Mapper, . RPC (all interfaces), . , RPCISA, RPC.
) ) —
,
-
ADLo-
. RPC-
gon/DirRep
,
.
,
-
ISA.
ISA,
. ,
,
ISA, ,
,
.
ISA Server. ), ISA Server: all authenticated users ( ), all users ( ) system and network service ). , HTTPFTP, , .
(
(
. ,
.
-
, ,
. RPC-, FTP-
,
HTTP-
. , URL-
.
, MSN Messenger MSN
, Messenger
Web-
. DMZ (
)
. DMZDMZ
,
-
. , ISA Server. ,
, , ,
RPC-
-
,
,
.
ISA 0
,
send , ,
.
Web-
, receive,
,
-
. .
0
Rule Action ( Deny ( ). Deny ( ISA
) ISA 0
) ISA Server 2000 )
: Allow (
-
. -
,
.
0
,
, New Access Rule Wizard (
). (
Properties
)
.
0
, ,
-
.
,
,
. 0
( Rule Wizard (
)
,
New Access )
. ( (
).
Paste
).
0
ISA —
,
ISA, ,
.
ISA . 0
ISA ,
,
. SecureNAT,
Web-
(Direct Access) ( ISA,
—
0
-
, ).
—
ISA.
-
, . MSN Messenger
0 Messenger,
ISA. ,
MSN MSN Messenger,
, , 0
.
,
,
ISA
,
. . (
0
1-2
).
— (
-
ISA
, «
ISA .
»
-
),
,
0 ISA »,
« ,
.
-
,
,— Microsoft
URL-
Internet Security and Acceleration Server 2004 (
-
2004). URL-
.
URL-
,
URL-
.
DMZ ISA Server 2000, ( (LAT)
),
ISA Server 2004
,
ISA Server
2004, , VPN (Virtual Private Network, .
)
VPN- -
ISA Server 2004 ( VLAN (virtual LAN, , ISA Server 2004. , , , -
)) , 0 DMZ , (DNS). ISA Server 2004
0
, ,
-
, -
:
. ,
, NAT, -
,
NAT (network address translation, ). . WebISA Server 2000 ISA Server 2000 ISA Server 2004
,
IPWeb-
.
-
IP-
Web-
IP-
,
-
ISA Server 2004. DMZ
0
,
-
DMZ. DMZ
.
0
,
IP-
DMZ. ISA Server 2004 DMZ.
(ID)
-
, DMZ ( ) DNS (Domain Name System, ISA Server 2004, WebDNSDNS. DNS-
. ) .
-
ISA Server 2004 ,
, 0
,
-
DMZ
. ,
—
DMZ,
(
-
.
-
, ). 0 DMZ-
,
DMZ,
DNS-
DNSDNS, DNS-
Web-
.
DNS-
DNSWebIPISA Server 2004.
0
.
. IP-
-
,
.
ISA 0 .
,
,
DMZ
, (dedicated network services),
-
. Exchange Server .
SMTPActive Directory, Active Directory
.
RPC(UUID), (GUID). RPC(
,
-
UUID — )
RPC-
. ISA
0 RPCRPC-
.
(
) RPC-
(RPC negotiations) (high port). (Network Template) — NAT.
0 DMZ,
, . www.syngress.com/ .
solutions ( «Ask the Author»), ITFAQnet.com. :
FTP-
FTP-
-
. FTP-
,
. ,
FTP-
.
-
? :
, FTP- Configure FTP (
, FTP).
FTP.
:
, ISA.
:
? ,
ISA.
-
, (Windows Sockets, Web-
ISA ).
Winsock -
, : HTTP, HTTPS
HTTP
FTP. .
:
ISA FTPFTP, , ?
ISA
:
, FTP-
.
. ,
.
,
.
,
FTP-
, ,
, ,
.
-
, . ,
.
-
,
.
:
,
. TCP-
-
44 7
5587-5600.
, , (Default Access Rule). Web.
SecureNAT
,
? :
,
,
,
SecureNAT -
. . — . ,
-
ISA .
:
,
SecureNAT
Web-
, Web-
.
-
WebWeb- ? ,
SecureNAT , , ISA ,
. SecureNAT ISA,
Web,
ISA.
, . :
, ISA.
,
SecureNAT
IP-
ISA. DNS,
Web-
IP-
ISA,
Web-
,
IPIP-
Web-
(
:
SecureNAT Web). Web-
. -
, , MSN Messenger ( , Web,
HTTP HTTPS. , Microsoft) Web? , MSN Messenger MSN ISA, MSN Messenger. MSN Messenger
: Web-
HTTP. MSN Messenger .
, -
, Web-
)
. (
-
, ISA.
), MSN Messenger SecureNAT. , .
HTTP 407, — MSN Messenger Properties ( MSN. , Web-
, -
( ISA.
)
8
ISA Server 2004 : WebWeb,
Web-
SSL
SSL
WebWeb,
ISA, ,
-
. ,
SMTP (Simple Mail Transfer Protocol, ), NNTP (Network News Transfer Protocol, ), POP3 (Post Office Protocol v. 3, ), IMAP4 (Internet Message Access Protocol v. 4, ), Web (« »), OWA (Outlook Web Access, Outlook), Terminal Services ( ) ,
Web-
(Perimeter Networks). Web-
-
. Web-
Web-
, -Web.
,
. Web-
. Web-
.
,
-
Web-
.
WebWeb. Webproxy).
Web« Web-
,
WebWeb-
Web-
» (reverse ISA
,
.
Web:
■ ■
Web-
,
ISA; ,
■ ■ Web-
Web; (Path redirection); , (Forward basic authentication credentials, );
■ ■
(Reverse Caching) Web-
Web-
; IP-
; ■ URL■ IP■ ■ ■
Link Translator ( , WebIP; SecurID;
)
ISA
WebISA,
;
RADIUS; , Web-
■
;
(redirection)
. .
Web-
,
ISA Web,
,
WebISA.
, ,
, ISA.
-
, NAT (network address translation, ), ISA. WebWeb-
Web-
Web-
ISA ,
-
.
ISA
WebWeb. HTTP, . , . ,
, WebWebISA,
-
WebWeb-
.
, WebWebWeb-
—
ISA -
Web-
.
.
Web-
ISA Web-
.
Web-
-
ISA. HTTPHTTP-
, HTTP-
-
. Web-
: (payload length); (high-bit characters); (verifying normalization); , Windows; , , ; ; (request) (response);
■
(signatures), ,
URL-
,
,
,
.
HTTP (HTTP Security Filter)
HTTPHTTP
-
10 ISA.
, ,
/deployment_kits. Web-
( , /deployment_kits.
Web. ; ■ www.msfirewall.org/scripts; ■ www.msfirewall.org/deploymentkits.
www.msfirewall.org/kits. WEBSERVER1 Web/kits)
,
Webwww. msfirewall.org/scripts
—
: www.msfirewall.org/
deployment_kits. WEBSERVER1,
www.msfirewall.org/script — Web-
WebWEBSERVER2. Web-
. -
.
, WebWeb(credentials) ( , basic delegation).
, ISA. Web-
. Web-
-
Web-
-
. OWA.
, Web-
0WA,
Web-
ISA
. ISA, WebISA,
0WA. Web-
,
Web-
.
.
Web-
-
Web.
,
, Web-
. Web-
(
-
ISA )
Web-
.
ISA Web. . ,
,
-
Web,
Web.
WebISA
WebWebWebISA.
)
,
. ,
( Web-
WebWeb-
-
,
ISA
-
. Web-
WebISA
-
, Web-
Web-
.
ISA,
Web-
-
, Web-
WebISA
.
, .
-
. , Web-
,
Web-
ISA . ISA
, -
.
WebIPWebIP-
,
ISA.
Web-
ISA ,
. ISA
-
. , ISA. ISA. www.msfirewall.org www.tacteam.net. Web. i www.msfirewall.org
IPWebWeb-
-
, URL-
,
,— (
)
msfirewall.org
,
ISA, www.tacteam.net ISA,
Web-
WebWebwww.tacteam.net.
,
( )
,
DNS( (fully-qualified domain names) ISA. DNSWeb,
) IP, Web-
.
Link Translator URL, Web-
ISA
ISA
,
WebWebURL,
.
,
,
. Web-
,
,
URL(private names) http://server l /documents
. URL/webserver2/users. , WebSharePoint Portal Server ( ).
webserver2/users www. tacteam.net/users,
) WebHTTP-
SSLSSL (Secure Sockets Layer, ISA Web, ISA, , Web, . Web. 10
http:/ , -
. -
, , . http://serverl /documents http://www.msfirewall.org/documents .
Web-
22
-
,
.
http:// http:// ,
SSL SSL-
, -
.
Web-
IP-
ISA,
IP, , IPWeb-
2000,
Web-
IP-
ISA Server WebISA Server Web, ISA Server. ISA Server — , ,
IP, Web. , Web-
.
,
ISA ISA Web-
IPIP-
WebWeb-
Web-
IP,
IPIPIP.
. ,
. ,
Web-
,
-
, Web-
.
SecurID SecurID
RSA Security Inc. — ,
SecurID)
, -
-
(
(
). ISA SecurID WebWeb.
,
-
RADIUS ISA , ISA —
, (back-to-back) (front-end) .
, . ,
-
, ,
RADIUS (Remote Authentication Dial-In User Service,
-
(
)
WebISA
RADIUS RADIUS
. , RADIUS-
Directory
)
.
.
RADIUS, Active
(RADIUS-compliant) RADIUS
,
ISA. -
WebWebRADIUS
ISA —
(
ISA (back-to-back firewall), .
)
, WebWebWeb,
,
ISA, Web.
-
, Web-
-
,
,
. Web-
,
, Web-
Web,
.
ISA , (Web listener) 8888
.
, Web-
ISA TCP-
.
-
Web80, Web-
,
ISA.
Web. , . WebFTP-
-
,
HTTP, ,
ISA FTPGET,
WebWeb-
WebFTP GET ISA. HTTP-
FTP-
.
Web-
, ,
-
ISA. . ■
,
NAT
«
-
» (Port Mapping), . ■
IP-
TCP/UDP
,
. ■ ■
. .
■ (
)
. , .
■
IP.
■
IP-
IPISA.
■ ■
. » (Port address translation, PAT,
« ), . .
, ,
«
»
.
.
NAT
, » (Port Mapping),
«
, ,
NAT (
NAT
), ISA
(
) ,
,
ISA.
, . -
WebWebIP.
,
-
,
,
ISA -
.
IP-
TCP/UDP
, WebHTTP-, HTTPS,
HTTP.
FTP-
HTTPS-
, TCP-
IPUDP-
.
-
,
.
Web-
, ISA. ,
-
.
HTTP-
ISA
, , Web-
■ ■ ■ ■ • ■ ■
(Application Filters). ISA : DNS (security filter, FTP Access Filter; .323 Filter; MMS Filter; PNM Filter; POP Intrusion Detection Filter ( Filter; RPC Filter ( );
. );
,
);
RTSP Filter; SMTP Filter ( SOCKS v4 Filter; Web Proxy Filter (
); ).
,
NAT NAT. .323, MMS(Microsoft Windows Media, ) RTSP(Real Time Streaming Protocol, ). , — ISA (compliance testing) . DNS, POP Intrusion Detection ( ) RPC(Remote Procedure Call, ). .
-
SecureNAT ( )
,
, SecureNAT-
,
-
. .
RPC-
10.
. ,
,
,
,
,
, . (
)
,
.
IP-
ISA, IP-
, .
IP-
,
, ,
-
,
(Terminal Server) ,
,
-
.
IPIPIP-
ISA
ISA Server 2000 ,
, .
ISA
IPISA.
IP-
,
Web-
,
,
-
. .
,
PAT
(Port Address Translation) Web-
,
-
,
. -
26
-
27
.
ISA
, SMTPSMTP-
(PAT).
Web-
, WebWebWeb-
SSL , ISA (Web Publishing Rule Wizard), Web, , -
ISA. Web-
. Web-
SSL-
.
SSL-
, ,
, SSL-
),
WebMicrosoft Internet Security and Acceleration Server 2004 ( 2004) , . Firewall policy ( — Tasks ( ). Tasks ( ) Publish a Web Server ( Web-
Web-
).
Welcome to the New Web Publishing Rule Web- Web publishing rule name ( .
Wizard ( ). Next (
Web.
)
).
Select Rule Action Select Rule Action ( Deny ( ) ,
(
)
(
)
) WebDeny (
.
) Web-
Web-
Web-
. . Next ( Action (
. 8.1.
Allow ( ).
Allow . Allow
WebWeb)
-
, ,
. 8.1
Select Kule ).
Select Rule Action (
)
Define Website to Publish Define Website to Publish ( Web) Web, ISA. . 8.2, : ■ Computer name or IP address ( IP); ■ Forward the original host header instead of the actual one (specified above) ( , ); ■ Path ( ); ■ Site (
).
Computer name or IP address ( IPFQDN) Web-
IP) (fully-qualified domain name, ISA. ISA , IP- -
, , IP-
, WebISA.
ISA. Web-
, ,
DNS-
HOSTS
name or IP address ( IP-
IPURL ,
ISA.
FQDN ) WebIP-
Computer WebISA. -
,
. DNS .
. 8.2.
Define Website to Publish (
Web-
)
Forward the original host header instead of the actual one (specified above) ( )— . name or IP address ( , ,
,
-
, , IP-
Computer Web-
), ,
WebWeb-
. Web-
,
. . 8.3-8.5.
. 8.3
, ISA HTTP: Host =www.msfirewall.org .
msfirewall.org.
. 8. .
HTTP-
www.
,
ISA
Web-
( . HTTP: Host Computer name 1 -
Computer name or IP address ( IP. 8.4), =10.0.0.2, . or IP address ( ,
)
IP-
, Web,
,
, IP-
).
. 8.4 Web-
,
.
. 8.4.
HTTP-
,
Web-
,
. 8.5
, Web, Forward the original host header instead of the actual one (spe, , HTTP: Host =www. msfirewall.org.
cified above) ( ). Web-
. 8.5.
HTTP-
,
Web-
Path (
)
,
, Web-
-
. , Properties
/*. . , )
(
, Web.
Site (
) URL-
, , 10.0.0.2
IP-
. Web-
)
/*.
.
Computer name or IP address ( . Next ( ).
Public Name Details Public Name Details (
)
,
-
IPWeb-
Web. ■ Accept requests for ( ■ Path (optional) ( , ■ Site ( ).
(type below) (
: ); );
Accept requests for ( Any domain name ( , ).
)
) This domain name Any domain
name (
),
IP-
Web-
.
-
, (worm attacks)
, . , 80
(
, name (
Web), Web. IPISA.
,
www.worm.com) IP- . Any domain , , WebWeb-
This domain name (type below) ( , Web. www.msfirewall.org, , . ), , (
-
,
http://1.1.1.1 ,
This domain name (type below) ( Public name ( . www.msfirewall.org. ) .
). http://www.worm.com ,
Public Name Details , Web-
. 8.6.
Public Name Details (
-
)
)
.
Path (optional) ( (
), Web-
) -
.
, Web, Public Name Details ( ( . 8.6), ,
, ) (
,
)
Web-
. Properties
.
Select Web Listener HTTP WebWeb Listener ( ) IP-
ISA, msfirewall.org.
Web). Web— Web. Web-
Web-
. HTTPWeb-
Web-
,
Select , ( , -
Webwww.msfirewall.org,
, IP-
www.
, , ISA
.
, ISA
NAT
-
ISA. www.msfirewall.org
, IP-
Web-
ISA.
ISA WebSelect Web Listener ( Web) ■ Edit ( ); ■ New ( ). Edit ( ) , New ( )— Web. ISA Web, New ( ). Welcome to the New Web Listener Wizard ( Web) WebWeb listener name ( Web).
, :
Web-
-
Web-
-
HTTP Listener ( ;
IP-
,
,
).
Next ( IP Addresses (IP-
).
)
. IP-
ISA
IP,
,
,
. WebISA.
,
, -
,
External (
).
Web-
-
, IP-
ISA. ,
,
Web-
.
-
,
. ,
-
. ),
. 8.7.
IP Addresses (IP. 8.7.
IP Addresses (IP-
)
Addresses (
)
Network Listener IP Selection ( IP ) ( . 8.8) : ■ All IP addresses on the ISA Server computer that are in the selected network (All IPISA Server, ); ■ The default IP address on the ISA Server computer in the selected network (IPISA Server, );
-
■ Specified IP addresses on the ISA Server computer in the selected network ( IPISA Server,
).
IP addresses on the ISA Server computer that are in the selected network (All IPISA Server, ) , . , , ( ), . , WebIP, . The default IP address on the ISA Server computer in the selected ISA Server, ) , , IP (primary IP address), . — , , , , ( ).
network (IP-
Specified IP addresses on the ISA Server computer in the selected IPISA Server, ) IP, . IPAvailable IP addresses ( IP). IP, Web, Add ( ), Selected IP Addresses ( IP).
network (
(
External Network Listener IP Selection )
. 8.8. IP
. 8.8 .
,
, Available IP Addresses (
ISA , 172.16.0.1 192.168.1.70, IP). . 192.168.1.70 -
( 172.16.0.1 ,
), ISA.
DMZ (
,
IP.
DMZ-
, DMZ,
,
. 8.8 ISA. IP Addresses (IP-
) , , .
IP-
,
Next (
)
).
Port Specification ( TCP,
),
.
. 8.9,
Web80. ,
-
,
-
ISA. WebSSL-
(SSL listening port). . SSL-
SSL-
ISA 2004. . SSL(machine certificate), ISA. .
, ,
,
-
. 8.9, Next (
-
). —
(TCP
UDP), IP-
. . ,
,
Web,
, , . ISA, -
WebWeb-
,
ISA.
, ISA
ISA,
, ,
ISA,
,
-
ISA.
Finish ( Listener Wizard ( Web-
)
Completing the New Web Web). Listener properties ( -
).
Edit ( Web-
. 8.9.
)
)( . 8.10). ) Advanced (
)
Edit ( )( . 8.10). Advanced (
. 8.10.
Authentication ( ,
Aut .
) ),
Preferences ( Authen .
)
Preferences (
Web-
)
.
Port Specification (
tication (
Authentication ( ) ( . 8.11) .
)
) -
Integrated ( ,
).
. 8.1
Web.
Web-
. 8.1. Basic (
-
,
Web(Base64),
) .
SSL (one-way) Web-
Digest ( )
HTTP 1.1. (reversible encryption) (
WDigest Windows Server 2003)
(case sensitive) ISA Windows Server 2003,
WDigest
Windows NT 4.0
-
Digest NTLM, Kerberos Integrated ( )
Negotiate
-
ISA ,
. ,
CANCEL ( RADIUS RADIUS (Remote Authentication Dial-In User Service, (
) )
) ,
(
) RADIUS DOMAIN\User ISA (shared secret) RADIUS,
MD5 ,
-
. 8.1. (
)
IPSec (
-
IP)
ISA
RADIUS RADIUS,
ISA, ,
RADIUS. RADIUS (Virtual Private Network, . RADIUS
VPN Web-
) Web-
VPN-
RADIUS
-
WebWebSecurID ISA
(PIN, personal ID number) RSA ACE/Agent RSA ACE/Agent RSA/ (Cookie) , . SecurID Web-
,
SSLISA Help
ISA Server 2004
Outlook Web Access OWA Forms-based (OWA, Outlook Web Access, WebOutlook, )
(OWA, Web-
Outlook) ISA
cookie ,
, OWA (session
Web-
time-out limits) SSL-
-
ISA ,
(
.
.
.)
. 8.1.
(
)
RADIUS (hotfix). http://support.microsoft.com/default.aspx?scid=kb;en-us;884560 ,
SSL Certificate ( SSL)
. 8.11.
Authentication (
. 8.11.
)
, Web(
. Web-
Users) . ,
ISA, Web.
, , ISA
,
RADIUS
,
-
.
, (front-end)
, , ISA (
—
,
,
ISA).
ISA , RADIUS.
(back-end), Directory,
-
, ISA
Active
,
.
,
ISA
, RADIUS.
Require all users to authenticate ( ), Web, ( Web-
, WebISA
.
Require all users to authenticate ) Web, , Web. 5.
RADIUS Servers ( RADIUS. Select Domain (
RADIUS), )
,
.
Configure ( ), Configure OWA forms-based authentication ( OWA), , cookie OWA. . , Authentication ( ). HTTP Listener Properties ( HTTP) Advanced ( ). Advanced Settings ( ), . 8.12. Number of connections ( ), , . , Advanced Settings ( ). RADIUS
.
-
(hotfix), RADIUS. You cannot use the RADIUS authentication protocol when you use the Outlook Web Access (OWA) Forms-Based Authentication on a Web publishing rule to publish an internal Web site such as OWA in ISA Server 2004 ( RADIUS, OWA, , Web, Web, OWA, ISA Server 2004) http://support.microsoft. com/default.aspx?scid=kb;en-us;884560.
Advanced Settings (
. 8.12.
Properties (
, HTTPSelect Web Listener (
)
HTTP Listener Next ( )
), Web-
).
User Sets User Sets (
), ,
Web,
. 8.13)
,
, — All Users ( Web-
Add (
. 8.13.
)( Web.
), Add Users ( (User Set), .
User Sets (
), ,
)
Web. . -
, ,
All Users ( Web-
)
,
.
Web, All Users (
).
, 10.
Next (
)
User Sets ( )
) Finish ( Completing the New Web Publishing Rule Wizard ( Web).
Properties
Firewall Policy ( Web Publishing Rule ( Properties ( Web-
. Web-
Web-
Web). Web) ). Properties ( ) : General ( ); Action ( ); From ( ); ( ); Traffic ( ); Listener ( ); Public Name ( ); Paths ( ); Bridging ( ); Users ( ); Schedule ( ); Link Translation ( ).
■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■
, -
-
,
, .
General WebName ( ). Description (optional) ( ,
Enable (
, ),
, ). Web. 8.14.
General (
. 8.14.
)
Action Action ( ) , Log requests matching this rule ( ). ,
(Allow)
(Deny) Web-
-
. ,
,
, ,
-
,
. , . (
. 8.15.
Action (
Apply ( . 8.15).
)
)
,
-
From From (
) Web-
,
. , Web-
,
Anywhere ( , Web-
IP-
,
From (
.
Web, Remove ( Add ( )
Anywhere ( ), Anywhere ( ), Add Network Entities ( , Web.
).
-
),
). -
,
) Exceptions ( Web,
, ,
, . ISA
). -
, ,
,
-
. Apply ( .
. 8.16.
From (
)
)
From (
)(
. 8.16)
( )— ). Server ( ) WebServer ( , ISA ( ), tual one (specified above) ( , (
,
URLWeb)
, . ,
-
ISA.
,
Server Forward the original host header instead of the ac). , ISA
,
Properties -
,
(
), — -
,
Server ( ). ■ Requests appear to come from the ISA Server computer ( ISA Server). ■ Requests appear to come from the original client ( ).
.
Requests appear to come from the ISA Server computer ( ISA Server) SecureNAT.
WebSecureNAT ,
,
. ,
ISA
ISA .
,
IP-
-
, ISA —
. , ISA.
-
, ISA
.
Requests appear to come from the original client ( ) IPWeb-
ISA
-
, .
, IP-
,
Web.
Web-
ISA.
,
Web,
-
: WebISA, ISA
, IP-
.
ISA. ISA .
-
,
,
-
ISA Web-
-
ISA Web(
Web.
-
,
-
)
WebISA
Web.
Web,
, ,
-
Web-
ISA
. (
)
. 8.17. -
(FQDN)
Server (
) Web-
( .
FQDN
. 8.17.
.
(
)
). ,
Traffic Traffic ( Web-
)
,
.
.
, Web-
,
.
Notify HTTP users to use HTTPS instead ( HTTPSHTTP) SSL. ISA , Web, , HTTP HTTPS(HyperText Transmission Protocol, Secure, ). HTTPHTTPS —
,
-
Web-
. ,
«s» . «
-
».
Require 128-bit encryption for HTTPS traffic ( HTTPS) , SSL. SSLWindows 128Windows -Windows, ;
128Web. ,
,
. Apply ( ,
. 8.18.
Traffic (
)
)
, . 8.18.
-
Listener Listener (
)
, Web-
,
Properties ( New ( Web-
,
). ) .
Web-
Web,
Web-
,
,
,
ISA, , This rule applies
to requests received on the following listener ( ,
-
). Listener (
. 8.19.
)(
Apply ( . 8.19).
Listener (
)
)
Public Name Public Name ( ,
) WebWeb-
,
.
,
, Web-
msfirewall.org, Web-
.
,
,
, .
,
Web-
www. Web,
Web, Public Name (
)
. , ,
Web-
(Host header) . , Web-
.
, IP-
— ) . -
( ,
Web-
, Web: www.msfirewall.org www.tacteam.net ,
, IPwww.tacteam.net. Public Name ( , ,
,
). -
, ,
Web-
www.tacteam.net.
, Web-
. , Add (
),
-
,
Edit (
)
Apply ( ) Public Name (
,
Public Name (
)
). -
),
. 8.20.
. 8.20.
Remove (
Paths Paths (
)
, ,
Web: External Path (
, Internal Path (
)
.
, -
).
External Path ( Web-
)—
,
, Web. , http://www.msfirewall.org/docs, URLhttp:// — /graphics.
URL— /docs. www.tacteam.net/graphics, Internal Path ( ,
) — ISA /docs, URL-
Web,
ISA /publicdocuments. ISA
, (
. , — /publicdocuments. http://www.msfirewall.org/docs ISA ( ) ) 10.0.0.2, Webhttp://10.0.0.2/
publicdocuments. Web, , Web-
-
. : /path/*.
, ,
names.htm.
: /path. documents
names.htm Paths ( Add (
/documents/*. documents, ) ),
, Web, /documents/
. 8.21.
. Path mapping ( ) Specify the folder on the Web site that you want to publish. To publish the entire Web site, leave this field blank ( Web, . Web). : Same as published folder ( , ) The following folder ( ), . 8.22. , Same as published folder ( , ).
,
The following folder ( .
)
. 8.21.
Paths (
)
Path Mapping (
. 8.22.
) ISA
Web-
, URL-
/ (
, . 8.23).
(
),
10.0.0.2. —
. , http://www.msfirewall.org/firewalldocs, Web/firewalldocs/*, a
firewalldocs
, 10.0.0.2.
. 8.23.
Web-
Access (OWA, WebPaths ( /Exchange\. ,
ISA — /Exchange Web-
WebOutlook). ).
Outlook Web
— /*,
— , Mail -
(\) /Exchange/
Server Publishing Wizard ( . OWA
, ,
Web-
). Paths ( ) . 8.24. OWA
, Naming Convention, OWA . /exchange/*
)
Paths (
), , , OWA
UNC (Universal ) HTTP. Web« » : /Exchange\ ,
ISA ( . 8.24.
-
. 8.24.
Web-
, , URL■ www.msfirewall.org/scripts; ■ www.msf irewall.org/articles; ■ www.msfirewall.org/ids-ips.
OWA
Exchange
.
-
:
URL.
Web(Public URL), Paths ( )
, Name), (
).
,
,
,
, (
Public Name ( ).
Bridging Bridging (
),
. 8.25, Web-
.
: Web Server (Web); Redirect requests to HTTP port ( Redirect requests to SSL port ( Use a certificate to authenticate to the SSL Web server ( SSLWeb■ FTP server (FTP); ■ ■ ■ ■
HTTPSSL); );
);
-
■ Use this port when redirecting FTP requests ( FTP).
-
Web Server (Web) HTTPHTTPS. . Redirect requests to HTTP port ( HTTP) HTTPWebWeb, . . WebHTTP, ( HTTP, Web).
Web-
-
80. ,
Redirect requests to SSL port ( ) :
SSLSSL-
HTTP-,
SSL, , SSL-
. . .
HTTP, ,
, SSL-
HTTPSSLSSL,
. ,
WebWeb-
, ,
. ISA — ( ).
ISA,
Use a certificate to authenticate to the SSL Web server SSLWebISA SSL, Web. ISA Web, . Firewall ISA Web.
FTP server (FTP-
)
Web.
HTTP,
HTTPS; FTP.
FTPSSL-B-FTP FTP-
,
FTPISA.
SSL)
.
, , Bridging (
GET ,
. 8.25.
. 8.25.
Bridging (
)
Users Users (
) Web-
.
WebWeb).
All Users (
Web-
ISA, , ISA . Web-
,
, -
. ISA, (
All Users Add ( : All Users ( ), All Authenticated Users ( ), System and Network Service ( ) ( . 7). ISA ),
. 8.26
). , Users (
,
ISA . ISA Web-
.
,
-
.
,
,
.
Table 10.5.

Application                              Location          HTTP header         Signature
MSN Messenger                            Request headers   User-Agent:         MSMSGS
Netscape 7                               Request headers   User-Agent:         Netscape/7
Netscape 6                               Request headers   User-Agent:         Netscape/6
AOL Messenger (and all Gecko browsers)   Request headers   User-Agent:         Gecko/
Yahoo Messenger                          Request headers   Host:               msg.yahoo.com
Kazaa                                    Request headers   P2P-Agent:          Kazaa
Kazaa                                    Request headers   User-Agent:         KazaaClient
Kazaa                                    Request headers   X-Kazaa-Network:    KaZaA
Gnutella                                 Request headers   User-Agent:         Gnutella, Gnucleus
eDonkey                                  Request headers   User-Agent:         e2dk
Internet Explorer 6.0                    Request headers   User-Agent:         MSIE 6.0
Morpheus                                 Response header   Server:             Morpheus
BearShare                                Response header   Server:             BearShare
BitTorrent                               Request headers   User-Agent:         BitTorrent
SOAP over HTTP                           Request headers   SOAPAction

. 10.6
HTTP-
, .
HTTP. 10.6, . HTTPHTTP. 10.6. HTTP-
,
, Headers (
, ) HTTP-
-
,
.
,
X-Kazaa-Username: X-Kazaa-IP: X-Kazaa-SupernodeIP:
(Request Header)
BitTorrent
.torrent P2P-Agent
(Request Header) (peer-to-peer clients)
SSLISA — ,
-
, , .
-
, ,
,
,
-
,
(
),
,
-
. ,
VPNWebInstant Messenger
, Web).
(
, ,
-
, OWA (Outlook Web Access, Web( PIX TCP443-
Sonic— .
ISA. , .
, Web-
SSLOutlook).
wall) (Access Control List, ACL)
OWA OWA-
«
SSL-
OWA. , » SSL.
,
, ,
SSL-
-
.
ACL
:« OWA.
SSL, .
SSL-
, ».
,
-
, ,
,
,
, . .
-
.
,
», HTTP- / HTTPSHTTPHTTP/HTTPS-
,
.
« «
, ,
» -
, .
, WebHTTP(S), GoToMyPC , (http://www.google.com/search?hl=en&ie=UTF-8&q=HTTP+tunnel). RPC
«SSL VPNs» (VPN. VPN-
SSL)
-
SSL ,
SSL-
.
-
, (
RPC
HTTP),
,
:
SSL«SSL VPNs» —
. VPN«SSL VPN», IP.
VPN-
. -
, ,
SSL (HTTPS). VPNs» Microsoft
. RPC HTTP, «SSL VPNs». SSL, ( over SSL).
OWA VPN-
-
SSL,
«SSL , .
SSL-
, ,
ISA
,
.
, ; SSL-
, ISA
,
-
, , .
,
ISA
-
, .
,
,
, SSL-
ISA — ISA, SSL, ,
. . SSL-
, -
.
ISA
SSL-
,
SSL-
,
, SSL-
.
SSL-
-
,
SSL-
—
.
VPN-
SSL
, SSL-
.
,
ISA Web-
,
. . ,
SSL-
.
,
, SSL-
SSL-
.
,
. , ISA,
, ,
-
).
-
( ,
SSL,
.
, SSLSSL-
. ,
, .
ISA,
ISA Server , ,
ISA (Link Translator)
Web-
ISA
.
Web-
ISA.
, -
, Web-
,
,
.
Web-
,
URL- -
, ,
URLWeb-
http://, a https://. .
Web-
,
, ,
URL-
-
http://www.msfirewall.org:8181, ,
. ,
Web,
-
. . .
■
Web-
, Web-
,
( ) Web( http://www. 192.168.1.1), ,
IP). , microsoft.com SERVER1 ( http://SERVER1 , http://www.microsoft.com. ■ Web, . , . , Web88, , , 88. ■ HTTPS (HyperText Transmission Protocol, Secure, ) ISA, HTTPHTTPS. , ISA , SERVER1. ISA , www.msfirewall.org/docs. Web
GET /docs HTTP/1.1
Host: www.msfirewall.org
),
, Internet Information Services (IIS, , http://SERVER1/docs/, .
(/).
, 302
-
http://www.msfirewall.org/docs/.
:
■ http://SERVER1 → http://www.msfirewall.org;
■ http://SERVER1:80 → http://www.msfirewall.org;
■ https://SERVER1 → https://www.msfirewall.org;
■ https://SERVER1:443 → https://www.msfirewall.org.
, Web-
, ■ ■ ■ ■ (
http://SERVER1 http://SERVER1:80 https://SERVER1 https://SERVER1:443 ,
HTTP, ■ http://SERVER1:88 ■ https://SERVER1:488
SSL-
https://www.msfirewall.org; https://www.msfirewall.org; https://www.msfirewall.org; https://www.msfirewall.org. WebHTTP- SSL88, SSL488), , . , http://www.msfirewall.org; https://www.msfirewall.org.
,
ISA
, , 85 ( 885 SSL). HTTP:
■ http://SERVER1 → http://www.msfirewall.org:85;
■ http://SERVER1:80 → http://www.msfirewall.org:85;
■ https://SERVER1 → https://www.msfirewall.org:885;
■ https://SERVER1:443 → https://www.msfirewall.org:885.
Web- .
,
http://SERVER1,
http://SERVER1/. , .
-
, http://SERVER1, http://, https://.
http://SERVER1:80. , .
,
Web-
,
, ISA Server.
, WebWeb-
, Web,
, . ASP (Active Server pages, SharePoint — -
, )
,
,
Web-
.
Content-type ( ,
)
. -
,
(
), HTMLContent-type , )
(
.
ISA . Content-location . .
,
,
. ■
,
,
,
. ■
, ,
,
.
:
\t V \ +
,
; -
" /
< >
! =
" ?
& [
' \
]
)
$
)
*
"
>
JavaScript:
f.action='http:\/\/extranet.external.net\/Search.aspx', http:\\\/\\\/extranet.external.net\\\/Search.aspx
. «https»
(:)
and
.
«http»
. , .
-
Web,
,
.
.
, WebWeb-
, Web-
,
: . . 1. 2.
WebProperties ( ). Properties ( ) Link Translation (
Web).
3.
Link Translation ( ) absolute links in Web pages ( Add ( ). 4. Add/Edit Dictionary Item ( / ) Replace this text ( , With this text ( ( . 10.35).
Web-
) -
. ).
Add/Edit Dictionary Item (
. 10.35.
Replace ).
/
)
5.
. Content Types (
)(
. 10.36. Rule Properties (
. 10.36).
Link Translation (
) Web-
Link Translation (
6.
,
Web Publishing )
)
-
. HTML Documents (HTML, . .
). Web-
.
, Web-
FQDN)
.
,
IP-
Web(fully qualified domain name, . Web, Public ( ) WebIP.
,
,
, Properties (
) ,
WebWebWeb. ,
WebWebISA, ( Web-
ISA ,
, WebWeb-
,
Web Proxy Filter
). ,
— HTTPWeb,
HTTP,
.
-
, , HTTPWeb-
HTTP-
.
, www.isaserver.org,
. 10.37.
-
,
(
HTTP Properties
. 10.37).
SecurlD SecurlD
SecurlD ( )
.
SecurlD . 10.38
. 10.38.
Web.
10.39
HTTP Properties
. 10.39.
ISA.
RSA SecurlD
Manage Domain Configuration
-
OWA-
,
OWA-
,
, WebOWA (Outlook Outlook), ISA. . 10.40 , , Web.
Web Access, WebWebOWA-
OWA,
,
8.
RADIUS. , . «You cannot use the RADIUS authentication protocol when you use the Outlook Web Access (OWA) Forms-Based Authentication on a Web publishing rule to publish an internal Web site such as OWA in ISA Server 2004» ( RADIUSWebOutlook, WebWeb, OWA ISA Server 2004), http://support.microsoft.com/default.aspx?scid=kb;en-us;884560. ISA,
. 10.40. (OWA
,
,
OWA Forms-Based Authentication )
RADIUSRADIUS-
(Remote Authentication Dial-In User Service, ( ) RADIUSWebWeb, .
) , WebRADIUS RADIUS(
Web-
-
, .
,
Active Directory), ,
RADIUS RADIUSRADIUS-
-
. ,
, Web-
. RADIUS -
Web6
8.
IP-
/ ISA
.
:
■ ■ ■ IP-
(Common Attacks); DNSIP-
) , tion Server 2004 ( , ( ). General ( ) tion and DNS Attack Detection ( DNS). Common Attacks ( sion detection ( ,
; .
Intrusion Detection ( Microsoft Internet Security and Accelera2004), , Configuration General ( ). Enable Intrusion DetecCommon Attacks ( ) ).
). Enable intru, . -
.
Port scan ( after attacks ... well-known ports ( ) Detect after attacks on ... ports ( ( . 10.41).
\
),
Detect ... ...
)
, Log dropped packets (
,
. 10.41.
).
Common Attacks (
)
(Denial-of-service, DoS-
)
,
. ,
,
,
DoS, .
,
Web(warez news-
groups),
, , Warez —
» (crackers) ,
DoS-
.
,
«
-
(bootlegged) « ,
», . . , -
.
2000 . Yahoo.com
,
DoS-
DoSBuy.com.
-
—
,
,
. ,
CPU (
)
.
/ «
DoS-
»
,
. DoS«nuke» (
).
(DDoS) , , -
-
, .
,
( )
. ,
-
,
.
FloodNet), TFN2K, Trinoo »). UNIX Solaris, Windows.
Stacheldraht (German for «barbed wire» — « TFN2K DoS-
,
TFN (Tribe UNIX,
,
-
, ,
. Infrastructure Protection Center)
(National DoS-
. www.fbi.gov/nipc/trinoo.htm.
, TFN, TFN2K, Trinoo Stacheldraht «Distributed Denial of Service Attacks» ( ) Web NetworkMagazine.com, www.networkmagazine.com/article/NMG20000512S0041.
, .
DoS-
,
, » (innocent middlemen) .
« DoS-
,
-
SYN-aTaKa/LAND-
SYNTCP-
« —
» («three-way handshake») no ,
.
TCP-
(
UDP- -
, ,
. (
,
). . SYN ( (acknowledge, , .
1. 2.
). ), 1, .
3.
, . , . . 10.42
. 10.42.
) -
.
TC P-
SYN,
. SYN,
IP-
, ,
-
SYN/ACK. ,
, SYN/ACK,
SYN/ACK
.
,
.
, .
SYN ,
SYN/ACK . IP-
,
SYN, ,
, , ,
.
, .
, LANDLAND-
, .
(
)—
SYN-
. IP- -
IP(spoof IP address), LAND,
. IP-
.
LAND-
ISA Server , (Alerts),
. Ping of Death DoS«Ping «Ping , .
,
ISA Server, — »(
«
»
IPIP-
,
65 536
(
»).
,
ISA Teardrop Teardrop .
»). , « -
«Ping
, Teardrop
, (offset fields)
«Ping ,
IP. ,
», IP-
».
, ,
(
),
,
. ,
:
Fragment 1: (offset) 100 - 300
Fragment 2: (offset) 301 - 600
, - ,
100-
— 301-
600- . ,
-
:
Fragment 1: (offset) 100 - 300
Fragment 2: (offset) 200 - 400
-
,
.
, :
■ NewTear;
■ Teardrop2;
■ SynDrop;
■ Boink.
.
Ping-
(
PingProtocol, »
(ping flood),
pingIP-
-
.
-
) -
(ICMP flood) (Internet Control Message ), — « . ping(ICMP) Winsock . ping. Ping, . ping storm (ping). fr'aggie(« (spoofed IP address), ping, ,
»). -
, -
fraggle-
-
.
,
NetXray,
ping-
IP. . Smurf-
Smurf-
—
«brute force» ( ,
ping-
),
,
-
ICMP-
.
ping, .
,
-
,
,
. .
,
192.168.1.0 1111111 —
, , 192.168.1.255 (255 ), z.
,
-
, .
— ping,
Smurf-
, .
IP-
. IP-
,
, ping,
-
,
, -
, .
Smurf-
, DoS-
,
SYN-
-
. TCP-
-
, Smurf)
50,
40 . ,
ISP ( ,
. 50 ping-
40 , . .
.
,
-
-1.
Smurf-
-
— .
. , IP-
, pingUDP-
.
UDP-
,
Datagram Protocol, UDP) , UDP-
,
. ,
(chargen) UDP, , -
-
(User , ,
UDP .
, UDPof the day (quotd)
. (UDP packet storm).
7
17 13
daytime. ,
.
UDP-
quote ,
19UDP-
(
/
135 ( —
-
) . UDP-
Snork
Snork-
UDP7( ) 19 ( (location service) , .
.
UDP) Microsoft).
Windows Out-of-Band)
WinNuke (
(out-of-band, OOB), bug, WinNuke (
,
Sinnerz
, ,
,
: 139 (
NetBIOS).
Windows Microsoft. Muerte) . TCP/IP IP-
,
MSG_OOB ( Win sock (out-of-band data, OOB). , . WinNuke, ,
Urgent).
, Windows-
-
,
,
,
-
,
.
Windows ,
,
.
Windows 95
NT 3.5 1 4.0 , Windows 98/ME Windows 2000/2003 ISA Server .
WinNuke
.
WinNuke, Microsoft. WinNuke,
-
Mall Bomb
«
» (mail bomb) —
, -
.
, -
. ,
, . , -
-
, . {list linking). extreme Mail, Avalanche
Unabomber, Kaboom. ,
. ,
,
/
, -
,
-
.
{scanner)
,
,
,
TCP/UDP-
,
. Security Administrator's Tool -
, for Analyzing Networks (SATAN, ), UNIX, . -
(
IP-
.
),
TCP/
,
, . :« ».
. , www.ladysharrow.ndirect.co.uk/Maximum%20Security/scanners.htm.
—
« . TCP-
» TCP-
UDP-
UDP.
(well-known ports),
. ,
Telnet
23,
, , ,
, (brute-force). ,
Telnet. ,
DNSDNS-
ISA
DNS-
, (Server Publishing Rules).
ISA
,
DNSIntrusion Detection ( Configuration ( General ( ). Details (
Intrusion Detection and DNS Attack Detection (
)
-
). ).
Enable
-
DNS) DNS Attacks (DNS) DNS attacks ( . 10.43, ■ ■
).
Intrusion Detection ( DNS Attacks (DNS). Enable detection and filtering of DNS). ,
DNS; DNS;
■
DNS.
DNS Attacks (DNS-
. 10.43.
)
DNS DNSDNS-
DoS, . «
. DoS-
DNS DNS-
DNS DNS-
-
DNS-
-
». DNS-
,
IP,
, ,
(DoS-
).
DNS«
». ,
,
-
, DNS-
,
DNS-
(refused response),
,
. DNS-
,
-
, Energy Computer Incident Advisory Capability ( ) J, http://www.ciac.org/ciac/bulletins/j-063.shtml.
IP,
IP-
IPIP-
,
10.45 IP, L2TP/IPSec
.
. 10.46
, . .
. 10.44.
ISA, . 10.44
. IP-
IP Options (IP-
)
-
. 10.45.
IP Fragments (IP-
)
. 10.46.
IP-
TCP/IP
(source routing),
. ■ Strict source routing (
-
. )
( ■ Loose source record route (LSRR) ( ) ), — ,
). ( . IP-
,
. , .
, . .
,
-
,
-
, (LAN),
,
-
,
,
. .
ISA
.
ISA. ISA:
, .
-
,
,
,
.
,
,
. ISA, . ,
-
ISA, .
, Web. ■
, ,
-
.
WebWebHTTPS-
FTPWeb-
. ■ .
ISA no HTTP-, Web-
ISA
, .
-
ISA .
. ISA
, .
DNS
Web-
-
DNSISA ,
. IP- , -
, .
, . www.syngress.com/solutions ( «Ask the Author»). ITFAQnet.com. :
, Authentication, FBA),
OWAFBA Web. ,
:
(Forms-based
? ,
-
, OWA: Os
. SMTP Message Screener ISA
.
SMTPSMTP Message Screener SMTP Message Screener
ISA? .
,
-
Exchange. Exchange.
:
WebURL-
, ,
.
-
SharePoint. , ,
?
:
, SharePoint,
Web-
. ISA ,
.
-
ISA, SharePoint :
.
,
, ISA
-
, ISA
.
,
. , RADIUS:
-
, .
OWA, ?
.
.
,
ISA. «You cannot use the RADIUS authentication protocol when you use the Outlook Web Access (OWA) Forms-Based Authentication on a Web publishing rule to publish an internal Web site such as OWA in ISA Server 2004» ( RADIUS, WebOutlook, , WebWeb, OWA ISA Server 2004), http://support.microsoft.com/default.aspx?scid=kb;en-us;884560. :
SecurlD .
-
,
SecurlD? :
SecurlD, ,
RSA
. lD Bi
,
-
RSA , www.isaserver.org. MMS
Windows Server 2003 . MMS? : MMS . . , ,
Secur-
, Microsoft Media Server
? MMS-
, -
, ,
,
, RTSP, .
MMSRTSP-
11
ISA Server 2004 : WebISA Server 2004
ISA Server 2004
" ,
ISA Server 2004 —
-
Web,
—
. «
» (Web) —
-
.
Web, . .
, Web-
(
) -
. ,
, Web-
-
.
, .
,
-
, . . (screenshots), ISA Server 2004 Enterprise Edition. (Enterprise Edition) SE (Standard Edition) ( , , SE). , SE , .
. -1
,
-
-3
,
. , . (reverse) —
, .
, ,
.
(forward)
—
-
,
,
,
: 2, ISA Server 2004
, , .
Web-
, -
, , .
Web, ■ ■
Web-
:
; . ISA Server 2004
,
-
.
— Web-
-
, .
,
, (
Web-
, , ,
-
100 ,
) ,
/ 1,5
/
.
WebWeb-
. -
. , . .
-
. ,
,
ISA Server 2004,
WebWeb-
). . ISA Server 2004, ,
( , Web-
(Web, ) Web.
,
-
. ,
-
Web-
.
-
. ,
ISA Server
2004, — -
.
. Web-
,
,
,
Web-
« » (surrogate caches).
.
» (gateway caches)
«
, Web-
,
-
.
-
, (Internal)
. Web-
, . , Web-
Web, ISA Server 2004
, Web-
.
Web-
,
,
-
.
ISA Server 2004 .
Web, Web-
,
ISA ISA,
. -
: ■ ■
; WebWeb-
.
ISA Server 2004. ,
.
,
, . Web:
Web-
Web. Web-
.
Web,
, .
-
Web-
, ,
-
,
. Server 2004 — Web-
ISA
,
Web,
-
-
ISA.
WebWeb-
.
, :
■ (distributed caching);
■ (hierarchical caching).
, ,
,
-
Web,
.
. 11.1
. : , -
.
-
,
. .
, ,
.
. 11.2. , .
—
. 11.1.
ISA
, Web-
ISA
, Web-npoi
. 11.2.
,
,
.
,
.
-
. 11.3.
ISA
,
ISA
Web-
, Web-
. 11.3.
WebWeb, Web-
, .
, Web.
■ Cache Array Routing Protocol (CARP) ( ) — , . , . Web.
■ Internet Cache Protocol (ICP) ( ) — RFC 2186 (Requests for Comments, ), UDP/IP (Harvest). Web
■ HyperText Caching Protocol (HTCP) ( ) — , .
■ Web Cache Coordination Protocol (WCCP) ( ) — Squid, . Web, , .
■ Cache digests ( ) — Squid . , , , Bloom filter ( , ), .
ISA Server 2004 Enterprise Edition Web.
CARP-
-
WebISA Server 2004 ISA Server 2004 WebISA Server 2004 . ISA
Web-
. -
Web-
. ISA Server 2004
,
.
ISA Server 2004 (
( )
), ISA Server
.
-
. Web(WebISA Server.
ISA Server . ,
Web-
), ,
, ISA Server
, ( Web, ISA Server .
-
WebWeb, -
). ISA Server
,
Web-
-
,
. .
ISA, ISA
,
Web,
,
,
-
. ISA Server
-
Web-
.
Web-
, , ISA Server ,
. Web.
Web-
-
. —
ISA, Web-
,
-
. (
). , . (RAM)
. . . ISA Server 2004
, ,
(
ISA Server 2004 ).
,
10% RAM, 1
100%.
. ,
-
. ,
,
,
ISA. ISA
Server 2004. .
,
(cache drive) ISA Server 2004. .
,
-
,
,
. ■
. .
■
NTFS. FAT
■
(
FAT32 , ISA Server. .
) /
. , ,
, , ISA Server, MSDE (Microsoft Data Engine,
/ ( . . (slaved with) ISA). , ,
,
Microsoft) ,
. MSDE, MSDE.
, , -
FAT
FAT32 convert.exe.
, urlcache а
NTFS
,
dirl.cdat.
,
. (cache content file).
,
,
-
. 64
(
,
). 64
-
, . .
ISA Server 2004
,
, ,
-
. , (
,
-
) . ISA .
.
, , . ■ Dynamic content (
)
, . ,
, ■ Content for offline browsing ( ) ( ), . , , « ■ Content requiring user authentication for retrieval ( )
.
, ISA Server 2004 » ,
.
. , ISA Server 2004 .
,
Maximum object size ( Web.
).
,
,
ISA
. (object's validity) , (Time to Live, TTL). HTTPFTP. . ■ Setting ISA Server 2004 to retrieve only valid objects from cache (those that have not expired) ( ISA Server 2004 ( , ) .
, ISA Web, , .
■ Setting ISA Server 2004 to retrieve requested objects from the cache even if they aren't valid ( ISA Server 2004 , ) , , ISA , . , ISA Web.
■ Setting ISA Server to never route the request ( ISA Server ) ISA . . , ISA . Web.
■ Setting ISA Server to never save the object to cache ( ISA Server ) , . FTP.
HTTP-
(
)
.
,
HTTP-
, FTP-
.
SSL-
.
SSL(
SSL-
),
.
, ;
,
,
,
,
. ISA Server 2004,
,
. ,
.
ISA
-
, Web-
,
,
. .
-
(
.
12),
,
-
,
,
. . (URL-
),
.
, ISA Server 2004 control headers). , Web-
. ,
,
(cache -
,
. , . .
,
, -
Schedule Content Download Jobs ( ) ISA ( ISA),
, .
,
,
. All Networks (
HTTP-
-
),
,
HTTP-
. Web-
HTTP-
, —
.
HTTP (Web), Web, .
-
—
HTML-
, ,
HTML-
, HTML-
-
,
HTTP, . HTTP.
Web.
-
Web(
.
.
.)
HTTP 1.1
, (cache control response headers).
, Web-
-
: ■
(
, ,
); ■ ■
; . Etags
■ ■ ■ ■ ■ ■ ■
Last-Modified ( Web« » Microsoft Internet Information Services (IIS, Microsoft) HTTP Headers (HTTP) Web. ISA Server 2004 , HTTP, : cache-control1: no-cache response header; cache-control: private response header; pragma: no-cache response header; www-authenticate response header; set-cookie response header; cache-control: no-store request header; authorization request header ( , Webcache-control: public response header). , WebHTTP, www.mnot.net/cache_docs/#IMP-SERVER.
Cache-control —
-
.
) . Web-
,
ISA Server 2004 , ISA Server 2004
,
.
/ :
■ ■ ■ ■
; ,
;
; .
,
,
.
-
ISA Server 2004 .
— ISA Server 2004 Enterprise Edition
-
.
-
. , , Standard Edition.
-
Enterprise Edition ISA ( 1.
)
Configuration (
) / Cache
. (
) ISA Server 2004 Arrays ( Configuration ( Cache Drives (
( Enterprise Edition), 2.
, ), ). )
. 3.
Tasks ( ,
)
, Define Cache Drives (
,
). 4.
Cache Drives ( NTFS mum cache size ( Set ( ). 5. Apply (
)
(
. 11.4) Maxi
), ),
.
. 11.4.
Standard Edition ISA ( 1.
)
Configuration (
) / Cache
. ( ( Enterprise Edition),
2.
) ISA Server 2004 Arrays ( Configuration ( Cache ( )
, ),
Define Cache Drives ( ) Cache Rules ( ) Define Cache Drives (enable caching) ( ,( )) Tasks ( 3. Define Cache Drives ( NTFS Maximum cache size ( ), Set ( ). 4. Apply ( ), .
).
). )
Enterprise Edition , ) Disable Caching (
, Tasks (
Cache Drive Tasks ( ) ).
-
Disable Caching (
),
, , . Yes (
. ,
),
.
Standard Edition ISA Server 2004 Standard Edition .
,
1.
ISA Server 2004 Arrays ( ), Configuration (
( Enterprise Edition),
,
). 2.
Cache ( Caching ( Rules ( (
)
Disable Cache Disable Caching
) ) )
Tasks (
). — Cache Drives Define Cache
Reset ( ) ( Enterprise Edition) Drives ( Standard Edition). ,
-
,
.
, : ■ ■ ■ ■ ■
; ; (negative caching), ; ; . .
, 1. ( Enterprise Edition). 2.
, ISA Server 2004 Arrays (
. , ),
Cache Rules (
)
. 3. 4.
Tasks ( Configure Cache Settings ( ) Related Tasks ( Advanced (
5.
) ). )
Cache Settings ( 6.
). (
. 11.5)
,
,
, ,
.
200 (
,
. ,
HTTP-
), ( ).
. 11.5. ISA Server 2004 Standard Edition Cache Settings ( ( ), Advanced ( ) and Active Caching ( ). Active Caching ( ) Edition, Standard Edition , , , , 2004, .
): General Enterprise . ISA Server
HTTP,
, 200,
,
200, .
«
», . . ,
«
».
Cache Settings ( ), 1. ( Enterprise Edition). 2.
-
. ISA Server 2004 Arrays (
-
, ),
Cache Rules (
)
. 3. 4.
Tasks ( Configure Cache Settings ( ) Related Tasks ( Advanced (
5. Cache Settings ( 6. .
. ). )
). Maximum size of URL cached in memory (bytes) ( URL, , ) , , .
1. ( Enterprise Edition). 2.
)
Cache Settings ( ISA Server 2004 Arrays ( Cache Rules (
). , ), )
. 3. 4.
Tasks ( ) . Configure Cache Settings ( ) Related Tasks ( ). 5. Advanced ( ) Cache Settings ( ). 6. , , Web, Do not return the expired object (He ). .
7.
, (TTL), . -
, . ISA Server 2004 , 50%
60
.
Cache Settings ( ). 1.
ISA Server 2004 Arrays (
( Enterprise Edition). 2.
, ),
Cache Rules (
)
. 3. 4.
Tasks ( ) . Configure Cache Settings ( ) Related Tasks ( ). 5. Advanced ( ) Cache Settings ( ). 6. , Percentage of free memory to use for caching ( , ), . 10%
.
(
).
,
-
, , . , .
, ,
, . 1. ( Enterprise Edition). 2.
ISA Server 2004, . ISA Server 2004 Arrays (
, ),
Cache Rules (
)
. 3. 4.
Tasks ( Cache Rule Tasks ( Create a Cache Rule ( Cache Rule Wizard ( . 11.6.
)
. ) ).
New ),
. 11.6.
5.
Next (
).
6.
-
.
, Add ( ) Add Network Entities (
. )(
. 11.7).
. 11.7.
,
7. . Add ( 8. 9-
, , ).
. Close (
Cache Rule Destination ( ) Next ( ). 10. Content Retrieval ( ) . .
□ Only if a valid version of the object exists in the cache ( ) ( Web, );
□ If any version of the object exists in the cache ( ) ( . , Web);
□ If any version of the object exists in cache ( ) ( , Web).
Next ( ). Cache Content ( ) , , . , .
-
). 11.
-
-
, :
□ Never, no objects will ever be cached ( );
□ If source and request headers indicate to cache ( ).
. , , , , :
□ Dynamic content ( );
□ Content for offline browsing ( );
□ Content requiring user authentication for retrieval ( ).
,
-
.
-
, (
. 11.8).
. 11.8.
12. 13-
Next ( Cache Advanced Configuration (
). )
, Do not cache objects larger than: (He :) ,
, (
14. .
SSL-
, ,
SSL-
,
-
. 3 5.
Next (
. 11.9). SSL-
).
SSL-
. 11.9.
, .
HTTP-
. 11.10.
TTL T
16. HTTP-
HTTP Caching (H TP( )
, , (expiration) (
. 11.10).
) )
TTL (
.
20%
15 . («created») HTTP,
modified») . 17. 18.
,
, FTP Caching (FTP( (TTL) FTP-
. 11.11.
(«last WebNext (
).
) (
FTP). . 11.11).
—
.
FTP-
19. 20.
Next (
). .
,
Back (
.
),
Finish (
)
.
, Cache Rules ( ISA Server 2004 Edit Selected Rule ( ( )
^,
) ) ,
Properties ( Properties ( . 11.12.
Tasks ,
).