English Pages 704 Year 2000
Exam 70-227
MCSE ISA Server 2000
TRAINING GUIDE
Roberta Bragg
MCSE TRAINING GUIDE (70-227) ISA SERVER 2000
MCSE TRAINING GUIDE (70-227): INSTALLING, CONFIGURING, AND ADMINISTERING MICROSOFT INTERNET SECURITY AND ACCELERATION SERVER 2000, ENTERPRISE EDITION

Copyright 2002 by New Riders Publishing

First Printing: July 2002

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.

International Standard Book Number: 0-7357-1092-9

Library of Congress Catalog Card Number: 00110877

05 04 03 02 01   7 6 5 4 3 2 1

Interpretation of the printing code: The rightmost double-digit number is the year of the book’s printing; the rightmost single-digit number is the number of the book’s printing. For example, the printing code 01-1 shows that the first printing of the book occurred in 2001.

Composed in Garamond and MCPdigital by New Riders Publishing
Printed in the United States of America

Trademarks

All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. New Riders Publishing cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Warning and Disclaimer

This book is designed to provide information about the ISA Server exam. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information is provided on an as-is basis. The authors and New Riders Publishing shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it.

PUBLISHER: David Dwyer
ASSOCIATE PUBLISHER: Al Valvano
EXECUTIVE EDITOR: Stephanie Wall
MANAGING EDITOR: Gina Brown
PRODUCT MARKETING MANAGER: Stephanie Layton
PUBLICITY MANAGER: Susan Nixon
ACQUISITIONS EDITORS: Jeff Riley, Deborah Hittel-Shoaf
DEVELOPMENT EDITOR: Christopher Morris
MEDIA DEVELOPER: Jay Payne
TECHNICAL REVIEWERS: Emmett Dulaney, Richard D. Coile
PROJECT EDITOR: Linda Seifert
INDEXER: Brad Herriman
MANUFACTURING COORDINATOR: Jim Conway
BOOK DESIGNER: Louisa Klucznik
COVER DESIGNER: Aren Howell
PROOFREADER: Sheri Replin
COMPOSITION: Gina Rexrode
Contents at a Glance

1 Introduction: What Is ISA Server?  9

Part I  Installation and Upgrade
2 Plan Before Acting: Preinstallation Activities  45
3 Installing ISA Server  71
4 Upgrading Microsoft Proxy 2.0  109

Part II  Configuring and Troubleshooting ISA Server Services
5 Outbound Internet Access  133
6 ISA Server Hosting Roles  181
7 H.323 Gatekeeper  205
8 Dial-Up Connections and RRAS  235
9 ISA Virtual Private Networks  265

Part III  Configuring, Managing, and Troubleshooting Policies and Rules
10 Firewall Configuration  309
11 Manage ISA Server in the Enterprise  337
12 Access Control in the Enterprise  361

Part IV  Deploying, Configuring, and Troubleshooting the Client Computer
13 Planning and Deploying Clients  383
14 Installing and Configuring Client Options  399
Part V  Monitoring, Analyzing, and Optimizing ISA Server
15 Monitoring Network Security and Usage  421
16 Performance Analysis and Optimization  449

Part VI  Final Review
Fast Facts  477
Study and Exam Prep Tips  497
Practice Exam  503

Part VII  Appendixes
A Microsoft Proxy Server 2.0 Configuration Backup  531
B ISA Setup Log  539
C ISA Upgrade Log  599
D Glossary  611
E Overview of the Certification Process  619
F What’s on the CD-ROM  625
G Using the ExamGear, Training Guide Edition Software  627

Index  653
Table of Contents

Introduction  1
  Notes on This Book’s Organization  1
  How This Book Helps You  2
  What the Installing, Configuring, and Administrating Microsoft Internet Security and Acceleration (ISA) Server Exam (70-227) Covers  4
    Installing ISA Server  4
    Configuring and Troubleshooting ISA Server Services  4
    Configuring, Managing, and Troubleshooting Policies and Rules  5
    Deploying, Configuring, and Troubleshooting the Client Computer  5
    Monitoring, Managing, and Analyzing ISA Server Use  5
  Hardware and Software You’ll Need  6
  Advice on Taking the Exam  7
  New Riders Publishing  7

1 Introduction: What Is ISA Server?  9
  Introduction  11
  Architecture Overview  12
  ISA Server Clients  15
    Web Proxy Clients  15
    Firewall Clients  15
    SecureNAT Clients  15
  ISA Server Is a Multilayered Enterprise Firewall  16
    Packet Filtering  17
    Circuit-Level Filtering  17
    Application-Level Filtering  17
    Stateful Inspection  18
    Built-In Intrusion Detection  18
    System Hardening Templates  19
    Virtual Private Networking  19
  ISA Server Is a High-Performance Web Caching Server  19
    Reverse Caching  20
    Forward Caching  21
    Scheduled Caching  22
    Distributed Caching  23
    Hierarchical Caching or Chaining  24
  ISA Server Hosting Services  27
  ISA Server Provides Integrated, Centralized Management and Control  28
    Enterprise or Standard Editions  29
    Firewall, Caching, or Integrated Modes  30
    Policy-Based Rules  31
    Tiered Policies: Both Enterprise and Array Level  35
    Bandwidth Control  36
    Logging and Reporting  37
  Review Questions  39
  Exam Questions  39
  Answers to Review Questions  40
  Answers to Exam Questions  40

Part I: Installation and Upgrade

2 Plan Before Acting: Preinstallation Activities  45
  Introduction  47
  Network Design and Planning  47
    Network Size  48
    User Needs  48
    Installation Options  48
    ISA Server Mode and Array Considerations  49
    Active Directory Integration Needs  50
    Interoperation with and Requirements for Other Services  51
    Making Hardware Choices  53
    Client Considerations  56
  Windows 2000 Installation and Configuration  57
  Preinstallation Network Configuration  58
    Server Placement  58
    Verify Network Connectivity  58
    Verify Internet Connectivity  62
    Verify Name Resolution  63
  Exercises  65
  Review Questions  65
  Exam Questions  65
  Answers to Review Questions  67
  Answers to Exam Questions  68
3 Installing ISA Server  71
  Introduction  74
  Installation Processes Common to Several Configurations  74
    Constructing and Modifying the Local Address Table (LAT)  75
    Configuring the Cache  77
  ISA Server Installation  79
    Installation Defaults  80
    Standard Edition Generic Instructions  81
    Enterprise Edition  83
    Installing the ISA Server Schema in the Active Directory  83
    Install ISA Server Enterprise Edition  85
    Unattended Setup  91
    Installing Additional ISA Servers in an Array  93
  Troubleshooting the Installation  95
    Failed Installation  95
    Was Installation Successful?  97
  Uninstalling ISA Server  99
  Exercises  101
  Review Questions  103
  Exam Questions  104
  Answers to Review Questions  107
  Answers to Exam Questions  108

4 Upgrading Microsoft Proxy 2.0  109
  Introduction  111
  Reasons for Upgrading  111
  The Migration Process  112
    Back Up the Proxy Server Configuration  114
    Stop and Disable Proxy Server Services  115
    Upgrade to Windows 2000 and Install ISA Server  116
    Review the Setup Logs  117
    Array Migration  118
  Proxy Configuration Migration Results  120
    Predetermined Migration Effects  120
    Impact of Proxy 2.0 Array Membership and ISA Installation Selections on Migration  121
    Post Migration Necessities  122
  Migrating the Mindset  123
  Exercises  126
  Review Questions  126
  Exam Questions  126
  Answers to Review Questions  128
  Answers to Exam Questions  129

Part II: Configuring and Troubleshooting ISA Server Services

5 Outbound Internet Access  133
  Introduction  136
  Post Installation Default Settings  136
    ISA Server Object Permissions  137
    Service Permissions  141
    Local Access Table (LAT)  142
    Policy Settings  142
    Packet Filtering  143
    Routing  144
    Caching  145
    Publishing  145
    Alerts  146
  Configuring Access Rules and Tools  146
    Understanding and Configuring Outgoing Web Request Properties  147
    How Are Rules Evaluated?  149
    Creating Policy Elements  149
    Configuring Site and Content Rules  153
    Configuring Protocol Rules  154
    Authentication and Rules  158
    Custom HTML Error Messages  158
  Configuring a Single System Versus an Array  160
  Configuring Caching  161
    Standalone Cache  161
    Configuring Hierarchical Access  161
    Configuring CARP  163
  Configuring Network Settings  163
    Bandwidth Rules  164
    LAT and Local Domain Tables  166
    Configuring Routing Rules  167
    Configuring ISA Server Chains  168
  Troubleshooting Client Access Problems  169
    A Protocol Rule Exists for a Protocol Definition, but Clients Cannot Use It  169
    Clients Can’t Use a Specific Protocol  170
    Clients Cannot Browse External Web Sites  170
    Clients Receive a 502 Error Every Time They Attempt to Browse the Web  171
    Clients Can Still Use a Protocol After the Rule for This Protocol Has Been Disabled  171
    All Other Errors Including Intermittent Issues  172
  Exercises  174
  Answers to Exercises  175
  Review Questions  175
  Exam Questions  177
  Answers to Review Questions  179
  Answers to Exam Questions  179

6 ISA Server Hosting Roles  181
  Introduction  183
  Configuring ISA Server for Web Publishing  184
    Configuring Destination Sets  186
    Configuring Listeners  186
    Creating Web Publishing Rules  187
    Enabling CARP  188
    Configuring Server Certificates and Authentication Methods  189
    Redirecting HTTP and SSL Requests  190
  Configuring ISA Server for Server Proxy  193
    DNS and Mail Proxy  194
    The Mail Server Security Wizard  194
    Content Filtering  195
  Configuring ISA Server for Server Publishing  197
    Creating Server Publishing Rules  197
    Publishing Servers on a Perimeter Network  199
  Exercises  201
  Review Questions  201
  Exam Questions  201
  Answers to Review Questions  203
  Answers to Exam Questions  203
7 H.323 Gatekeeper  205
  Introduction  208
  What Is an H.323 Gatekeeper?  208
    What Is the H.323 Protocol?  209
    Where Does T-120 Fit In?  210
    What’s the Difference Between a Gatekeeper and a Gateway?  211
    How Does the Gatekeeper Work?  211
    H.323 Gatekeeper Limitations and Other Considerations  216
  How to Add an H.323 Gatekeeper to ISA  217
    Enabling and Configuring H.323 Protocol Access  218
    Configuring DNS  220
    Adding the H.323 Gatekeepers  221
    Enabling Fast Kernel Mode and Data Pumping  222
    Gatekeeper Administration  222
  Configuring Gatekeeper Call Routing Rules  223
    Configuring Destinations  224
    Configuring Phone Number Rules  224
    Configuring Email Address Rules  225
    Configure IP Address Rules  226
  H.323 Gatekeeper Scenarios  227
  Exercises  231
  Review Questions  231
  Exam Questions  232
  Answers to Review Questions  233
  Answers to Exam Questions  233

8 Dial-Up Connections and RRAS  235
  Introduction  238
  Dial-on-Demand Connections  238
    Configure Network and Dial-Up Connections  239
    Create a Dial-Up Entry  240
    Create a Dial-Up Routing Rule  240
    Enable Dial-Up Entry in Firewall Chaining Configuration  242
    Managing and Limiting ISA Dial-Up Connections  243
  Troubleshooting ISA Server Dial-Up Connections  243
  Routing and Remote Access Service Versus ISA Server  245
    Routing  246
    Connecting Remote Clients  246
    Static Routes  247
  Using RRAS for Dial-on-Demand Connections  249
    Troubleshooting Common RRAS Problems  250
  Remote Administration  253
    Using ISA Management Console from a Remote Computer  253
    Using Terminal Services to Manage ISA Server  254
  Exercises  256
  Review Questions  256
  Exam Questions  258
  Answers to Review Questions  261
  Answers to Exam Questions  262

9 ISA Virtual Private Networks  265
  Introduction  269
  Configuring VPN Endpoint for VPN Clients  269
    Using the VPN Allow Wizard  270
    Examining Wizard Results  270
    Making Additional Configurations  272
    Creating Client Connections and Testing the VPN  272
  Configuring VPN Pass-Through  274
  Configuring ISA Server as a VPN Endpoint  275
    Using the Wizard  275
    Without the VPN Wizard  284
  Configuring Microsoft Certificate Services  289
    Install and Configure Root CA  290
    Configure Enterprise Root CA  291
  Configuring the L2TP over IPSec Tunnel  292
    Requesting Certificates from a Standalone CA  292
    Verifying Server Certificates  296
    The L2TP/IPSec VPN  297
  Exercises  299
  Review Questions  300
  Exam Questions  301
  Answers to Review Questions  303
  Answers to Exam Questions  304
Part III: Configuring, Managing, and Troubleshooting Policies and Rules

10 Firewall Configuration 309
Introduction 311
Understanding Packet Filters 312
Configuring Packet Filter Rules 312
  Examining Default Packet Filters 313
  Configuring New Packet Filters 314
  Configuring/Enabling IP Packet Filter Properties 316
Configuring and Using Application Filters/Extensions 318
  FTP Access Filter 318
  HTTP Redirector Filter 319
  RPC Filter 320
  SOCKS V4 Filter 321
Configuring for System Hardening 321
  Pre-Installation Considerations, Lifetime Chores 321
  Authentication Rules 322
  The ISA Server Security Configuration Wizard 325
Special Considerations for Perimeter Networks 328
  Configuring the LAT 329
  Publishing Perimeter Network Servers 330
Troubleshooting Access 330
  Exercises 332
  Review Questions 332
  Exam Questions 332
  Answers to Review Questions 334
  Answers to Exam Questions 334
11 Manage ISA Server in the Enterprise 337
Introduction 339
Managing and Configuring Arrays 339
  Understanding Hierarchical and Distributed Arrays 340
  Understanding Enterprise Policy Scope 340
  Managing ISA Server Arrays 342
Configuring for Scalability 350
  Configuring Cache Array Routing Protocol (CARP) 350
  Configuring Network Load Balancing (NLB) 352
  Exercises 356
  Review Questions 356
  Exam Questions 357
  Answers to Review Questions 359
  Answers to Exam Questions 359

12 Access Control in the Enterprise 361
Introduction 364
Determining Where to Do It: An Access Policy Functional Framework 364
Determining Who Can Do It: An Access Policy Permissions Framework 368
Applying Access Policy: An Access Policy Strategy for the Enterprise 369
  Creating Policy Elements 369
  Creating Rules 370
  Putting Together an Implementation Plan 371
Troubleshooting Access Problems 372
  Investigation Via Rule Processing Order 372
  Identifying the Problem as Being User- or Packet-Based 373
  Exercises 377
  Answers to Exercise Questions 377
  Review Questions 377
  Exam Questions 378
  Answers to Review Questions 379
  Answers to Exam Questions 379

Part IV: Deploying, Configuring, and Troubleshooting the Client Computer

13 Planning and Deploying Clients 383
Introduction 385
Considering Current Infrastructure Issues 385
  Introducing ISA Server Client Types 386
  Using Multiple Clients on a Single Computer 389
  Migrating Proxy 2.0 Clients 389
Considering Cost and Complexity 390
  Considering Authentication Issues 390
  Assessing General Client Needs 392
  Evaluating Network Infrastructure Changes 393
  Exercises 395
  Review Questions 395
  Exam Questions 395
  Answers to Review Questions 396
  Answers to Exam Questions 397

14 Installing and Configuring Client Options 399
Introduction 401
Configuring ISA Server and the Network to Support Clients 401
  Modifying Routing 401
  Adding DHCP and/or DNS Settings 402
  Configuring ISA Server Properties 403
  Configuring ISA Server Client Settings 404
Installing and Configuring Clients 407
  Configuring the SecureNAT Client 407
  Configuring Web Proxy Clients 408
  Installing and Configuring Firewall Clients 409
  Using Multiple Clients on Single Computers 411
Troubleshooting Client Trouble Spots 411
  Troubleshooting Client Installation 412
  Troubleshooting Autodetection 412
  Troubleshooting Authentication 413
  Exercises 415
  Review Questions 415
  Exam Questions 416
  Answers to Review Questions 417
  Answers to Exam Questions 417

Part V: Monitoring, Analyzing, and Optimizing ISA Server

15 Monitoring Network Security and Usage 421
Introduction 423
Monitoring Security and Network Usage with Logging and Alerting 423
  Configuring Logs 424
  Configuring Intrusion Detection 429
  Configuring Alerts 433
  Automating Alert Configuration 435
  Monitoring Alert Status 435
Troubleshooting Problems with Security and Network Usage 436
  Confirming Configuration with Security Configuration and Analysis 436
  Detecting Connections with Netstat 438
  Testing External Port Status with Telnet and Network Monitor 440
  Exercises 444
  Review Questions 444
  Exam Questions 444
  Answers to Review Questions 446
  Answers to Exam Questions 446

16 Performance Analysis and Optimization 449
Introduction 451
Analyzing ISA Server Performance Using Reports 451
  Summary Reports 455
  Web Usage 455
  Application Usage 456
  Traffic and Utilization 457
  Security 458
Optimizing Performance 459
  Using the Registry to Optimize Performance 459
  Analyzing Performance Using Performance Monitor 460
  Analyzing Performance Using Reporting and Logging 468
  Controlling RAM Used by Caching 469
  Exercises 471
  Review Questions 471
  Exam Questions 471
  Answers to Review Questions 472
  Answers to Exam Questions 473

Part VI: Final Review

Fast Facts 477
Install 477
  PreInstallation Process 478
  Minimum System Requirements 478
  Post Installation 479
Firewall Mode 480
  Intrusion Detection 481
  Application Filters 482
  Packet Filters 482
Caching Mode 483
ISA Server Editions 483
Policy 483
  Default Rules 484
  Policy Elements 484
Logs and Reports 485
  Logs 485
  Reports 485
  Cache Adjustments 485
Authentication 486
  Remote Access Authentication 486
  Chained Authentication 487
Interoperability 487
Enterprise Edition 488
  Enterprise Policies 488
  Array Types 488
  Promotion 489
  Understanding CARP 489
  Network Load Balancing 489
Clients 490
  Client Types 490
  Infrastructure Changes for Client Types 490
Migration from Proxy 2.0 491
Publishing 492
  Web Publishing 492
  SSL Bridging 493
  Publishing Servers on a Perimeter Network 493
H.323 493
Routing 494
VPNs 495
  Client to Server VPN Wizard 495
  Gateway to Gateway VPN 495
3-Homed ISA Server 495
Testing Tools 495

Study and Exam Prep Tips 497
Learning as a Process 497
Study Tips 498
  Study Strategies 498
  Pre-Testing Yourself 499
Exam Prep Tips 499
  Putting It All Together 500

Practice Exam 503
Exam Questions 504
Answers to Exam Questions 521

Part VII: Appendixes

A Microsoft Proxy Server 2.0 Configuration Backup 531
B ISA Setup Log 539
C ISA Upgrade Log 599
D Glossary 611
E Overview of the Certification Process 619
F What's on the CD-ROM 625
G Using the ExamGear, Training Guide Edition Software 627

Index
About the Author

Roberta Bragg, CISSP, MCSE, MCT, is a veteran of more than 20 years of information system experience, and currently specializes in Windows NT and Windows 2000 security issues. She is a columnist (Security Advisor) and contributing editor for Microsoft Certified Professional Magazine and a frequent contributor of security-related articles for popular industry magazines and e-zines. She can be found consulting, teaching, and speaking at conferences, training centers, and private companies.

About the Technical Reviewers

Emmett Dulaney, MCT, MCSE, LPIC, Network+, A+, is the director of training for Mercury Technical Solutions in Anderson, Indiana. The StudyGuides Editor for Certification Magazine, he is also a monthly contributor to UnixReview and the author of over 30 books. He can be reached at [email protected].

Richard D. Coile works for New Horizons Training Center of Tampa Bay as a Microsoft Certified Trainer. His certifications include Microsoft Certified Systems Engineer + Internet, Microsoft Certified Trainer, CompTIA's A+, iNet+ and Network+, and Prosoft's Certified Internet Webmaster, Certified Instructor. He also has a master's degree in Education Technology from the University of Central Florida. He has been working with computers since 1986. While in college he worked for Tandy Computers as a Computer Sales Specialist and provided computer support for his customers. His networking experience includes three years of network administration of a 350-node network that he built from the ground up as well as three years of network training as a Microsoft Certified Trainer. You can reach him at [email protected].
Dedication This one’s for women in technology. You go girl!
Acknowledgments Once again the New Riders crew came through. Without you…well, you know the answer. Thanks again to Chris Morris—I didn’t have to sweat the small stuff. And to Jeff Riley and Deborah Hittel-Shoaf—for being good sounding boards even if neither one of you can find Chicago-style pizza in Chicago.
Tell Us What You Think!

As the reader of this book, you are the most important critic and commentator. We value your opinion and want to know what we're doing right, what we could do better, what areas you'd like to see us publish in, and any other words of wisdom you're willing to pass our way.

As the Executive Editor for the Certification team at New Riders Publishing, I welcome your comments. You can fax, email, or write me directly to let me know what you did or didn't like about this book—as well as what we can do to make our books stronger.

When you write, please be sure to include this book's title and author as well as your name and phone or fax number. I will carefully review your comments and share them with the author and editors who worked on the book.

Fax: 317-581-4663
Email: [email protected]
Mail: Stephanie Wall, Executive Editor, New Riders Publishing, 201 West 103rd Street, Indianapolis, IN 46290 USA

Please note that I cannot help you with technical problems related to the topic of this book, and that due to the high volume of mail I receive, I might not be able to reply to every message.
How to Use This Book New Riders Publishing has made an effort in the its Training Guide series to make the information as accessible as possible for the purposes of learning the certification material. Here, you have an opportunity to view the many instructional features that have been incorporated into the books to achieve that goal.
CHAPTER OPENER Each chapter begins with a set of features designed to allow you to maximize study time for that material. List of Objectives: Each chapter begins with a list of the objectives as stated by Microsoft.
OBJECTIVES This chapter covers the following Microsoft-specified objectives for the Installing ISA Server section of the Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server 2000 exam: Install ISA Server. Installation modes include integrated, firewall, and cache.
. Construct and modify the Local Address Table (LAT). . Calculate the size of and configure the cache. There are two versions of ISA Server:
Objective Explanations: Immediately following each objective is an explanation of it, providing context that defines it more meaningfully in relation to the exam. Because Microsoft can sometimes be vague in its objectives list, the objective explanations are designed to clarify any vagueness by relying on the authors’ test-taking experience.
. Standard. This version can only be installed on a standalone or member server. It cannot be part of an array. . Enterprise. The Enterprise edition can be part of an array and take advantage of the Active Directory to share policies. Each version can be installed in one of three modes: . Firewall. ISA Server will be a dedicated firewall. . Caching Server. ISA Server will be a caching server. Requests from the private network for access to public network services are filtered through ISA server’s rules and policies. Approved requests (unless they are SSL or HTTPS or otherwise configured will be cached on the ISA Server. Subsequent approved requests for this material are served from the ISA Server. Additional access to the Internet is not necessary. In caching mode, the ISA server can also be configured to forward requests from the public network to Web servers on the private network. The requested pages can be cached on ISA Server and served to the public network.
C H A P T E R
3
Installing ISA Server
HOW
TO
USE THIS BOOK
xxiii
OUTLINE Introduction Dial-on-Demand Connections
3 3
Configure Network and Dial-Up Connections 5
Using RRAS for Dial-on-Demand Connections Troubleshooting Common RRAS Problems
Remote Administration
17 20
24
Create Dial-up Entry
5
Create a Dial-up Routing Rule
6
Enable Dial-up Entry in Firewall Chaining Configuration
Using ISA Management Console from a Remote Computer
25
8
Using Terminal Services to Manage ISA Server
26
Managing and Limiting ISA Dial-Up Connections
9
Chapter Summary Exercises
Troubleshooting ISA Server Dial-Up Connections Routing and Remote Access Service Versus ISA Server
10
Chapter Outline: Learning always gets a boost when you can see both the forest and the trees. To give you a visual image of how the topics in a chapter fit together, you will find a chapter outline at the beginning of each chapter. You will also be able to use this for easy reference when looking for a particular topic.
27 27
Review Questions
29
Exam Questions
31
Answers to Review Questions
35
Answers to Exam Questions
37
13
Connecting Remote Clients
14
Static Routes
15
S T U DY S T R AT E G I E S . If you do not understand the principals of a VPN, you need to start there first. Use some of the resources at the end of this chapter to gain more knowledge. . Many first attempts at creating a VPN in the test lab fail, not because of a misunderstanding of VPNs, but because the tester does not understand IP routing. Be sure that you understand why static routes may be necessary, and how data is routed (or not) between three subnetworks where no routers are present. . Read RFCs, Microsoft documentation, and other references for specific information about the protocols (PPTP and L2TP/IPSec) used by the
ISA Server to create the VPN. Understanding the protocol’s intimate details is not necessary for setting up the VPN to work, but it does become helpful when troubleshooting why your implementation is not working.
. Read through this entire chapter before following the exercises. . Complete the exercises. Make it work! Many people report large leaps in their understanding when they first can successfully retrieve data from the internal network on the opposite side of the tunnel.
Study Strategies: Each topic presents its own learning challenge. To support you through this, New Riders has included strategies for how to best approach studying in order to retain the material in the chapter, particularly as it is addressed on the exam.
USE THIS BOOK
Warning: In using sophisticated information technology, there is always potential for mistakes or even catastrophes that can occur through improper application of the technology. Warnings appear in the margins to alert you to such potential problems.
Exam Tip: Exam Tips appear in the margins to provide specific examrelated advice. Such tips may address what material is covered (or not covered) on the exam, how it is covered, mnemonic devices, or particular quirks of that exam.
What’s In a Name? In order for demand-dial routing to work, the username created must match exactly the demand dial interface name on the opposing router. Examine Figure 8.11 to see how this might be configured correctly. This issue, the matching of username to demand-dial interface is critical.
Chapter 16
PERFORMANCE ANALYSIS AND OPTIMIZATION
It is the last usage in the preceding list that can assist you in moving from the status of “fighting fires” to one of orderly management and growth over time. You will, over time, use gathered performance data and reports to:
More Hardware or More Policy One way to respond to growth in usage is to purchase more hardware. Another is to manage policy. Recently I was asked to advise a company as to how much additional capacity they needed to handle their growth in Web usage. An analysis of Web usage revealed that most growth resulted from users using streaming media. Web browsers were being used to listen to favorite radio stations! A change in policy, and blocking this type of traffic reduced the demand on the current systems and relieved the company of having to make immediate hardware purchases—purchases that would have not gained them anything business wise.
Cache Adjustments What if your efforts to justify more powerful hardware or another server in the array fail? What then? There are several areas of cache configuration that can aide performance. The Cache Configuration pages can be used to make some adjustments (refer to Figure 16.10).
á Understand server workload á Understand impact of workload on responses á Track trends á Follow results of changes á Tune configuration For example, as you begin to review reports, logs, and Performance Monitor charts gathered over time, you can begin to spot trends in usage, or in growth of demand for certain services. You can analyze these trends (trend analysis) to determine if they will mean changes necessary to ISA Server configuration, addition of more powerful hardware, ISA Server added to the array, or a change in policy which reduces the availability of Web services to users and thus the need to expand the size of the array or purchase more hardware.
Objective Coverage Text: In the text before an exam objective is specifically addressed, you will notice the objective is listed to help call your attention to that particular material.
Controlling RAM Used by Caching Control the total RAM used by ISA Server for caching
If the ISA Server computer is only used as a caching server then it will use RAM as primary cache storage for more efficient service. However, if the ISA Server computer is used for other services, then this characteristic, is not beneficial. You can, however, throttle down the amount of RAM used by ISA Server for caching; to do so follow Step-by-Step 16.6.
• Do not cache objects larger than
Note: Notes appear in the margins and contain various kinds of useful information, such as tips on the technology or administrative practices, historical background on terms and technologies, or side commentary on industry issues.
469
NOTE
These books include a large amount and different kinds of information. The many different elements are designed to help you identify information by its purpose and importance to the exam and also to provide you with varied ways to learn the material. You will be able to determine how much attention to devote to certain elements, depending on what your goals are. By becoming familiar with the different presentations of information, you will know what information will be important to you as a test-taker and which information will be important to you as a practitioner.
Don’t Do This! If you enable RRAS and set up static routes without enabling packet filtering in ISA Server, you have made ISA Server just another router. You compromise your firewall. IP traffic from the untrusted network, that is, the Internet, flows freely into your private network.
NOTE
INSTRUCTIONAL FEATURES WITHIN THE CHAPTER
WA R N I N G
TO
TIP
HOW
EXAM
xxiv
• Do not cache dynamic content • Reduce the size of the maximum URL cached in memory • Use scheduled downloads instead of active caching
HOW TO USE THIS BOOK

Step by Step: Step by Steps are hands-on tutorial instructions that walk you through a particular task or function relevant to the exam objectives.

STEP BY STEP 14.1 WPAD Entries in DHCP

1. Click Start, Programs, Administrative Tools, DHCP.
2. Right-click the DHCP server and select Set Predefined Options.
3. Click Add.
4. In the name box, type WPAD.
5. Type 252 for code.
6. In data type, select String. Click OK.
7. Enter http://computername:autodiscoveryport#/Wpad.dat (see Figure 14.1). Click OK.
8. Right-click Server Options and select Configure Options.
9. On the General Page, scroll down until you find 252 WPAD and check the box. Click OK.

FIGURE 14.1 Configuring DHCP for automatic discovery.
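The value typed in step 7 reaches clients as DHCP option 252, an ASCII string carried in the standard option type-length-value layout. The Python below is an added example, not code from the book or from ISA Server: it encodes such an option, decodes an options field back into a dictionary, and accepts the WPAD URL only when it has the http://host:port/Wpad.dat shape the step-by-step prescribes. The host name isa1.example.local and port 8080 are constructed placeholders.

```python
import re
import struct

# Constructed placeholders, not values from the book: a real server carries
# whatever URL was typed in step 7 of Step by Step 14.1.
WPAD_OPTION_CODE = 252                      # the option code typed in step 5
WPAD_URL = "http://isa1.example.local:8080/Wpad.dat"
DHCP_END = 0xFF                             # end-of-options marker
DHCP_PAD = 0x00                             # single-byte padding, no length field

# Only this shape is accepted: http, a host name, an optional port, and /Wpad.dat.
_WPAD_URL_RE = re.compile(r"^http://[A-Za-z0-9.-]+(?::(\d{1,5}))?/[Ww]pad\.dat$")


def encode_wpad_option(url: str) -> bytes:
    """Encode the WPAD URL as one DHCP option: code byte, length byte, ASCII value.

    This is the wire form of the String data type chosen in step 6."""
    value = url.encode("ascii")
    if not 0 < len(value) <= 255:
        raise ValueError("a DHCP option value must be 1..255 bytes")
    return struct.pack("BB", WPAD_OPTION_CODE, len(value)) + value


def decode_options(blob: bytes) -> dict:
    """Parse a DHCP options field (type, length, value triples ending in 0xFF).

    Returns {option_code: raw_value}; pads are skipped and a truncated option
    is rejected rather than silently shortened."""
    options = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == DHCP_PAD:
            i += 1
            continue
        if code == DHCP_END:
            break
        if i + 1 >= len(blob):
            raise ValueError("option %d has no length byte" % code)
        length = blob[i + 1]
        value = blob[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d is truncated" % code)
        options[code] = value
        i += 2 + length
    return options


def wpad_url_from_options(blob: bytes):
    """Return the WPAD URL carried in option 252 if it is well formed, else None.

    A trailing NUL is tolerated because some DHCP servers terminate string options."""
    raw = decode_options(blob).get(WPAD_OPTION_CODE)
    if raw is None:
        return None
    url = raw.rstrip(b"\x00").decode("ascii", errors="replace")
    match = _WPAD_URL_RE.match(url)
    if match is None:
        return None
    port = match.group(1)
    if port is not None and not 1 <= int(port) <= 65535:
        return None
    return url


if __name__ == "__main__":
    # Constructed options field: message type (53) = DHCPACK (5), option 252, end marker.
    options_field = b"\x35\x01\x05" + encode_wpad_option(WPAD_URL) + bytes([DHCP_END])
    print(wpad_url_from_options(options_field))
```

The shape check matters on the client side of this procedure: a browser that trusts option 252 will fetch whatever URL it is handed, so rejecting anything other than an http URL ending in Wpad.dat is the minimum sanity check before a proxy script is loaded.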
Figure: To improve readability, the figures have been placed in the margins wherever possible so they do not interrupt the main flow of text.

IN THE FIELD

Even a simple tool can lead to interesting results. I was recently asked to audit the setup of an ISA Server. Figure 15.13, which is a snapshot of a portion of a window after running netstat -na on an ISA Server with a published Web server, clearly shows the Web proxy port 8080 open and listening on the internal interface and the port 80 open and listening on the external interface. Note that also open and listening on the external interface is the NetBIOS session port TCP 139. This is not a good thing. NetBIOS ports are often used by attackers to obtain information on, and access to, shared Windows systems. This company was aware of that and had disabled “Client for Microsoft Networks” and “File and Printer Sharing for Microsoft Networks” on the external network interface (see Figure 15.14). However, as noted, the external interface is still listening on port 139. My advice to them, and to you, is to also disable this port by disabling NetBIOS over TCP/IP on the external interface. (Be sure you only do this on the external interface!) This can be done on the WINS tab of the advanced property pages of TCP/IP properties (see Figure 15.15). Figure 15.16 shows another netstat capture after disabling NetBIOS over TCP/IP on the external interface.
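An audit like the one in the sidebar can be scripted so that it is repeatable: capture netstat -na on the ISA Server, declare which listeners belong on the external interface (here only TCP 80 for the published Web server), and report everything else. The script below is an added example, not code from the book; its netstat text is a constructed sample, the external address 203.0.113.10 and internal address 192.168.0.1 are placeholders from documentation ranges, and a socket bound to 0.0.0.0 is reported as external because Windows accepts connections to it on every interface.

```python
# Constructed sample of `netstat -na` output from a two-interface Windows host.
# Addresses are documentation ranges (RFC 5737), not captures from the book.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.0.1:8080       0.0.0.0:0              LISTENING
  TCP    192.168.0.1:139        0.0.0.0:0              LISTENING
  TCP    203.0.113.10:80        0.0.0.0:0              LISTENING
  TCP    203.0.113.10:139       0.0.0.0:0              LISTENING
  TCP    203.0.113.10:80        198.51.100.7:40512     ESTABLISHED
  UDP    192.168.0.1:137        *:*
  UDP    203.0.113.10:137       *:*
"""

ANY_ADDRESS = "0.0.0.0"   # a bind to this address is reachable on every interface


def parse_listeners(text):
    """Yield (proto, ip, port) for every TCP socket in LISTENING state and every UDP socket.

    Header lines and established connections are skipped; the local address is
    split on its last colon so the port is always the final field."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local = parts[0], parts[1]
        state = parts[3] if len(parts) > 3 else None
        if proto == "TCP" and state != "LISTENING":
            continue
        ip, _, port = local.rpartition(":")
        yield proto, ip, int(port)


def external_exposure(text, external_ip, allowed):
    """Return listeners reachable from the external side that are not in `allowed`.

    `allowed` is a set of (proto, port) pairs that are expected on the external
    interface, for example {("TCP", 80)} for a published Web server."""
    findings = []
    for proto, ip, port in parse_listeners(text):
        if ip in (external_ip, ANY_ADDRESS) and (proto, port) not in allowed:
            findings.append((proto, ip, port))
    return findings


if __name__ == "__main__":
    for proto, ip, port in external_exposure(SAMPLE_NETSTAT, "203.0.113.10", {("TCP", 80)}):
        print("unexpected external listener: %s %s:%d" % (proto, ip, port))
```

Run against the sample, the check flags TCP 139 and UDP 137 on the external address, which is exactly what disabling NetBIOS over TCP/IP on that interface removes, and the RPC endpoint mapper on 0.0.0.0:135. The latter cannot be switched off per interface from the adapter properties, so it is a case for ISA Server packet filtering rather than interface settings; rerunning the script after each change gives the before-and-after comparison that Figures 15.13 and 15.16 show by hand.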
REVIEW BREAK
In the Field Sidebar: These more extensive discussions cover material that perhaps is not as directly relevant to the exam, but which is useful as reference material or in everyday practice. In the Field may also provide useful background or contextual information necessary for understanding the larger topic under consideration.
• Two versions of ISA Server are available: Standard (standalone) and Enterprise.
• Three modes of installation are available for either version: Caching, Firewall, and Integrated.
• By default, all clients are allowed access to all content on all sites at all times; however, there is no default protocol rule so no traffic can occur.
• Packet filtering is only available for Firewall or Integrated mode installation.
• Before the first Enterprise Edition ISA server can be installed in the forest, modifications must be made to the AD Schema.
• An Enterprise Edition ISA Server must be installed into an array or it is installed as a standalone server.
• The default Enterprise policy is configured to use an Enterprise policy and not to allow array policies to restrict Enterprise policy.
Review Break: Crucial information is summarized at various points in the book in lists or tables. At the end of a particularly long section, you might come across a Review Break that is there just to wrap up one long objective and reinforce the key points before you shift your focus to the next section.
CHAPTER SUMMARY

One of the first security lessons to learn is that being proactive is not just setting up a firewall and then calling your network secured. Setting up a firewall is only step one. Next you must test the firewall defenses to see that it is really doing what you believe you have configured it to do. Remember, a firewall is only defending your network from external attack if you unplug its external interface from the network. As long as it allows some access in or out, you are vulnerable to two types of successful attacks: first, a configuration flaw that allows an attack you thought you were blocking and preventing; second, a new attack or vulnerability that is discovered after you configured the firewall. The only recourse is to remain vigilant, test the configuration, set up intrusion detection, and review logs.
Key Terms: A list of key terms appears at the end of each chapter. These are terms that you should be sure you know and are comfortable defining and understanding when you go in to take the exam.
KEY TERMS

• ODBC Data Source Name (DSN)
• Internet Assigned Numbers Authority (IANA)
• Well-known ports
• Security Configuration and Analysis
1. You are required to provide a firewall solution for a non-Windows shop. Can ISA Server fit this bill? If so, what version would you install?
2. A Fortune 500 company requires an Internet access control solution. They are looking for load balancing, fault tolerance, performance, and the capability to control hours of access, users, and systems. What selections would you make during installation of ISA Server?
3. This same company realizes it must use more than one server. Which version of ISA Server must they use?
4. What action must be taken prior to installing the first ISA Server in the forest? Why is this necessary?
5. Which clients can benefit from an installation of ISA Server in caching mode?
6. Installation proceeds smoothly and indicates that it was successfully accomplished. It’s late in the day. In the morning, you attempt to verify the installation and get an error message stating that a service cannot start. What is wrong? What should you do?
7. You would like to provide forward caching services for a company with 10,545 employees. What configuration would you recommend? (How many servers? Mode? RAM? Other specs?)
At the end of each chapter, along with some summary elements, you will find a section called “Apply Your Knowledge” that gives you several different methods with which to test your understanding of the material and review what you have learned.
Chapter Summary: Before the Apply Your Knowledge section, you will find a chapter summary that wraps up the chapter and reviews what you should have learned.
APPLY YOUR KNOWLEDGE

Review Questions

EXTENSIVE REVIEW AND SELF-TEST OPTIONS
Exam Questions

1. The first ISA server in an array has been successfully installed and verified. You attempt to install the second array member but during installation get an error message that the Windows 2000 server is not a member of a site and will be installed as a standalone server. What could be wrong? (Select all that apply.)
Exercises: These activities provide an opportunity for you to master specific hands-on tasks. Our goal is to increase your proficiency with the product or technology. You must be able to conduct these tasks in order to pass the exam.
A. The Windows 2000 server is not a domain member server.
B. The Windows 2000 server is not a member of the original array server’s domain.
C. You have used the Standard edition ISA Server CD-ROM.
D. The Windows 2000 server is not a member of the same site as the server which is the first member of the ISA server array.
Exam Questions: These questions reflect the kinds of multiple-choice questions that appear on the Microsoft exams. Use them to become familiar with the exam question formats and to help you determine what you know and what you need to review or study more.
E. The Windows 2000 server is not a member of the same subnet as the server, which is the first member of the ISA server array. It is a member of the same site.
F. The Windows 2000 Server has not been configured as a member of the same site, or the information has not been updated in the Active Directory.

2. The ISA Server will be used when first installed as a firewall. It may be required to provide forward caching in the future. You should:

A. Install the server in Firewall mode. If it is required to also provide forward caching, the caching service can be added at a later date.
Review Questions: These open-ended, shortanswer questions allow you to quickly assess your comprehension of what you just read in the chapter. Instead of asking you to choose from a list of options, these questions require you to state the correct answers in your own words. Although you will not experience these kinds of questions on the exam, these questions will indeed test your level of comprehension of key concepts.
Answers to Review Questions
Answers to Exam Questions 1. A. If the server is not a member of a domain it cannot be installed as an Enterprise server in an array. B is incorrect. Although the server must be a member of the other server’s domain it can be a member of another domain and still be installed in an array, just not in this one. C is incorrect. If you use the standard edition CD-ROM, you will not be given any opportunity to install in an array, but this error message will not occur. D is incorrect. If the server is a member of any site, you will not get this error. E is incorrect. The server can be in another subnet. F is correct. Even if the server is a member server, if the information of its membership in some site is not in the Active Directory, the installation program will give this answer. See the section, “Failed Installation.”
1. Yes. The ISA server must be installed on a Windows 2000 system, but clients can be of any type. See the section, “Introduction.”
2. Install Enterprise edition, caching mode, array. Use multiple servers in the array to provide the necessary load balancing and fault tolerance. See the sections, “Introduction,” and “Install ISA Server Enterprise Edition.”
3. Enterprise edition. See the section, “Install ISA Server Enterprise Edition.”
4. Modify the Active Directory Schema. This must be done to provide the objects and attributes necessary. Active Directory is necessary to provide centralized management of multiple ISA Servers. No Active Directory, no arrays, no centralized management. See the section, “Installing the ISA Server in the Active Directory.”
2. A. You can run the install program and add modules. B is therefore incorrect. You could go ahead and install the server in Integrated mode but the reason for doing so is incorrect. C is incorrect. You cannot export and import configurations. You can backup a configuration, but restoring it would overwrite what is currently there. D is incorrect. Caching mode installation will not include the ability to configure the firewall. See the section, “Installation Procedures Common to All Server Configurations.”
5. All types of clients can benefit. See the section “Introduction.” 6. One possibility for the service not starting is that there is not adequate cache space. A minimum of 5MB on an NTFS partition must be provided. Although you would have to have configured adequate caching space during installation, if the drive on which it was configured becomes corrupt, or crashes, adequate space is not available, and the service will stop and not start. You need to check the Event log for messages to determine if this might be the case and then prepare another drive. See the section, “Failed Installation.”
3. C, D. A and B are incorrect. Continuing the installation will install the server as a standalone server. You can promote a standalone server to array membership, but in this case, you will still have the same problem so that will not be possible. C and D are correct, after canceling, solve the problem then run the installation program again. See the section, “Failed Installation,” “Install ISA Server: Enterprise Edition.”
7. Enterprise edition, caching mode. At least six servers in array(s). At least 256MB RAM per server. Pentium III. See the section, “Configure the Cache.”
Suggested Readings and Resources

1. “Network Intrusion Detection,” Stephen Northcutt, September 2000, New Riders Publishing; ISBN: 0735710082.
Answers and Explanations: For each of the Review and Exam questions, you will find thorough explanations located at the end of the section.
2. www.iana.org: Internet Assigned Numbers Authority.
3. www.grc.com: The Shields Up program.
Suggested Readings and Resources: The very last element in every chapter is a list of additional resources you can use if you want to go above and beyond certification-level material or if you need to spend more time on a particular subject that you are having trouble understanding.
Introduction MCSE Training Guide: Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server is designed for advanced users, technicians, or system administrators who want to understand, install, configure, and administer ISA Server. They might also have the goal of certification as a Microsoft Certified Systems Engineer (MCSE). It covers the Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server exam (70-227). This exam measures your ability to install, configure, manage, and troubleshoot ISA Server services, policies, and rules. Passing this exam counts as an elective towards certification as an MCSE. This book is your one-stop shop. Everything you need to know to pass the exam is in here. You do not have to take a class in addition to buying this book to pass the exam. However, depending on your personal study habits or learning style, you might benefit from buying this book and taking a class. Microsoft assumes that the typical candidate for this exam will have a minimum of one year of experience implementing and administering network operating systems in medium to very large network environments. These environments consist of between 200 and 26,000+ supported users and multiple physical locations. In addition, typical requirements are for outbound access to services such as Web, email, telnet, FTP, Virtual Private Networking, desktop management, and access control policies. External access requirements consist of hosting network services such as internal and external Web hosting and messaging. There is a recognized need for firewalls. Other connectivity needs include connecting individual offices and users from remote locations to corporate networks and connecting the network to the Internet.
NOTES ON THIS BOOK’S ORGANIZATION

This book is organized to help you become comfortable with the multifaceted capabilities of the ISA Server. First, a general introduction provides you with an overview of the product and its numerous features. This discussion helps you identify the exciting possibilities of the product as well as the areas you need to study. Next, an installation and upgrade section presents the requirements, options, and issues that you will face. A chapter on upgrading from Proxy 2.0 will help you prepare for the post-installation configuration that is necessary. The products share some feature sets, but the ISA Server goes way beyond the capabilities of Proxy. Part II, “Configuring and Troubleshooting ISA Server Services,” introduces each service: firewall, Web proxy, control, and H.323 gateway. Standalone server access policies and rules are detailed, as are the policy elements that can be used to create them. Included here are instructions on remote access, internal server publishing, routing, and the construction of Virtual Private Networking using ISA Server as endpoints. When you have finished this section, you have toured most of the operations available to standalone ISA Servers. Part III, “Configuring, Managing, and Troubleshooting Policies and Rules,” continues the discussion of controlling access by defining packet filters, and then describes operations that involve the Enterprise edition of ISA Server. Enterprise edition ISA Servers can be configured in distributed arrays, use tiered policies to control access centrally while allowing for tighter policies on different arrays within the enterprise, and integrate with the Active Directory for increased security and management possibilities.
MCSE TRAINING GUIDE (70-227): ISA SERVER
While simple Web-proxy configuration allows internal clients outbound access to the Internet dependent on the ISA Server policies, additional client options exist. SecureNAT, Web proxy, and firewall client types are discussed in Part IV, “Deploying, Configuring, and Troubleshooting the Client Computer.” Finally, Part V, “Monitoring, Analyzing, and Optimizing ISA Server” concludes your study. Reports, monitoring tools, and productivity techniques are presented.
HOW THIS BOOK HELPS YOU This book takes you on a self-guided tour of all the areas covered by the Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server exam and teaches you the specific skills you need to achieve your certification. You also find helpful hints, tips, real-world examples, and exercises, as well as references to additional study materials. Specifically, this book is set up to help you in the following ways:
• Organization. The book is organized by individual exam objectives. Every objective you need to know for the Designing Security for a Microsoft Windows 2000 Network exam is covered in this book. We present the objectives in an order that is as close as possible to that listed by Microsoft. However, we have not hesitated to reorganize the objectives where needed to make the material as easy as possible for you to learn. We make the information accessible in the following ways:
  • The full list of exam topics and objectives is included in this introduction.
  • Each chapter begins with a list of objectives to be covered.
  • Each chapter also begins with an outline that provides you with an overview of the material and the page numbers where particular topics can be found.
  • The objectives are repeated where the material most directly relevant to it is covered (unless the entire chapter addresses a single objective).
  • The CD-ROM included with this book contains, in PDF format, a complete listing of the test objectives and where they are covered within this book.

• Instructional features. This book is designed to provide you with multiple ways to learn and reinforce the exam material. The following are some of the helpful methods:
  • Objective explanations. As mentioned previously, each chapter begins with a list of the objectives covered in the chapter. In addition, immediately following each objective is an explanation in a context that defines it more meaningfully.
  • Study strategies. The beginning of the chapter also includes strategies for studying and retaining the material in the chapter, particularly as it is addressed on the exam.
  • Exam tips. Exam tips appear in the margin to provide specific exam-related advice. Such tips might address what material is covered (or not covered) on the exam and how it is covered, and might discuss mnemonic devices or particular quirks of that exam.
  • Review breaks and summaries. Crucial information is summarized at various points in this book in lists or tables. Each chapter ends with a detailed summary.
INTRODUCTION
  • Key terms. A list of key terms appears at the end of most chapters.
  • Notes. These appear in the margin and contain various kinds of useful information, such as tips on technology or administrative practices, historical background on terms and technologies, or side commentary on industry issues.
  • Warnings. When using sophisticated information technology, there is always the potential for mistakes or even catastrophes that can occur because of improper application of the technology. Warnings appear in the margin to alert you to these potential problems.
  • In the field. These more extensive discussions cover material that might not be directly relevant to the exam but that is useful as reference material or in everyday practice. These tips might also provide useful background or contextual information necessary for understanding the larger topic under consideration.
  • Exercises. Found at the end of the chapters in the “Apply Your Knowledge” section, exercises are performance-based opportunities for you to learn and assess your knowledge. Solutions to the exercises, when applicable, are provided later in a separate section titled “Answers to Exercises.”

• Extensive practice test options. This book provides numerous opportunities for you to assess your knowledge and to practice for the exam. The practice options include the following:
  • Review Questions. These open-ended questions appear in the “Apply Your Knowledge” section at the end of each chapter. They allow you to quickly assess your comprehension of what you just read in each chapter. Answers to the questions are provided later in a separate section titled “Answers to Review Questions.”
  • Exam Questions. These questions also appear in the “Apply Your Knowledge” section. Use them to help you determine what you know and what you need to review or study further. Answers and explanations for exam questions are provided in a separate section titled “Answers to Exam Questions.”
  • Practice Exam. A practice exam is included in the “Final Review” section. The “Final Review” section and the practice exam are discussed later in this list.
  • ExamGear. The special Training Guide version of the ExamGear software included on the CD-ROM provides further opportunities for you to assess how well you understand the material in this book.

• Final Review. This part provides you with three valuable tools for preparing for the exam:
  • Fast Facts. This condensed version of the information contained in this book will prove extremely useful for a last-minute review.
  • Study and Exam Prep Tips. Read this section early on to help you develop study strategies. This section also provides you with valuable exam-day tips and information on exam/question formats, such as adaptive tests and case study-based questions.
  • Practice Exam. A practice exam is included in this section. Questions are written in styles similar to those used on the actual exam. Use this to assess your understanding of the material in this book.

This book contains several other features, including a section titled “Suggested Readings and Resources” at the end of each chapter that directs you toward further information that could aid you in your exam preparation or your actual work. Valuable appendixes are also included, as well as a glossary (Appendix D), an overview of the Microsoft certification process (Appendix E), and a description of what is on the CD-ROM (Appendix F).

For more information about the exam or the certification process, contact Microsoft:

Microsoft Education: 1-800-636-7544
Internet: ftp://ftp.microsoft.com/Services/MSEdCert
World Wide Web: http://www.microsoft.com/train_cert
CompuServe Forum: GO MSEDCERT
WHAT THE INSTALLING, CONFIGURING, AND ADMINISTERING MICROSOFT INTERNET SECURITY AND ACCELERATION (ISA) SERVER EXAM (70-227) COVERS

Before taking the exam, you should be proficient in the job skills represented by the following units, objectives, and subobjectives.

• Installing ISA Server
• Configuring and Troubleshooting ISA Server Services
• Configuring, Managing, and Troubleshooting Policies and Rules
• Deploying, Configuring, and Troubleshooting the Client Computer
• Monitoring, Managing, and Analyzing ISA Server Use

Installing ISA Server

Preconfigure network interfaces.
  • Verify Internet connectivity before installing ISA Server.
  • Verify DNS name resolution.

Install ISA Server.
  • Construct and modify the local address table (LAT).
  • Calculate the size of and configure the cache.
  • Install an ISA Server computer as a member of an array.

Upgrade a Microsoft Proxy 2.0 Server computer to ISA Server.
  • Back up the Proxy 2.0 Server configuration.

Troubleshoot problems that occur during setup.

Configuring and Troubleshooting ISA Server Services

Configure and troubleshoot outbound Internet access.

Configure ISA Server hosting roles.
  • Configure ISA Server for Web publishing.
  • Configure ISA Server for server publishing.
  • Configure ISA Server for server proxy.

Configure H.323 Gatekeeper for audio and video conferencing.
  • Configure gatekeeper rules. Rules include telephone, email, and Internet Protocol.
  • Configure gatekeeper destinations by using the Add Destination Wizard.

Set up and troubleshoot dial-up connections and Routing and Remote Access dial-on-demand connections.
  • Set up and verify routing rules for static IP routes in Routing and Remote Access.

Configure Virtual Private Network (VPN) access.
  • Configure the ISA Server computer as a VPN endpoint without using the VPN Wizard.
  • Configure the ISA Server computer for VPN pass-through.
  • Configure multiple ISA Servers for scalability. Configurations include Network Load Balancing (NLB) and Cache Array Routing Protocol (CARP).

Troubleshoot access problems.
  • Troubleshoot user-based access problems.
  • Troubleshoot packet-based access problems.

Configuring, Managing, and Troubleshooting Policies and Rules

Create new policy elements. Elements include schedules, bandwidth priorities, destination sets, client address sets, protocol definitions, and content groups.

Manage ISA Server arrays in an enterprise.
  • Create an array of proxy servers.
  • Assign an enterprise policy to an array.

Configure and secure the firewall in accordance with corporate policies.
  • Configure the packet filter rules for different levels of security, including system hardening.
  • Create and configure access control and bandwidth policies.
  • Create and configure site and content rules to restrict Internet access.
  • Create and configure protocol rules to restrict Internet access.
  • Create and configure routing rules to restrict Internet access.
  • Create and configure bandwidth rules to control bandwidth usage.

Deploying, Configuring, and Troubleshooting the Client Computer

Plan the deployment of client computers to use ISA Server services. Considerations include client authentication, client operating system, network topology, cost, complexity, and client function.

Configure and troubleshoot the client computer for secure network address translation (SecureNAT).

Install the Firewall client software. Considerations include the cost and complexity of deployment.
  • Troubleshoot autodetection.

Configure the client computer’s Web browser to use ISA Server as an HTTP proxy.

Monitoring, Managing, and Analyzing ISA Server Use

Monitor security and network usage by using logging and alerting.
  • Configure intrusion detection.
  • Configure an alert to send an email message to an administrator.
  • Automate alert configuration.
  • Monitor alert status.
  • Troubleshoot problems with security and network usage.
  • Detect connections by using Netstat.
  • Test the status of external ports by using Telnet or Network Monitor.

Analyze the performance of ISA Server by using reports. Report types include summary, Web usage, application usage, traffic and utilization, and security.

Optimize the performance of the ISA Server computer. Considerations include capacity planning, allocation priorities, and trend analysis.
  • Analyze the performance of the ISA Server computer by using Performance Monitor.
  • Analyze the performance of the ISA Server computer by using reporting and logging.
  • Control the total RAM used by ISA Server for caching.
HARDWARE AND SOFTWARE YOU’LL NEED

As a self-paced study guide, MCSE Training Guide: Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server is meant to help you understand concepts that must be refined through hands-on experience. To make the most of your studies, you must have as much background on and experience with all versions of Windows 2000 (Professional, Server, and Advanced Server) as possible, and with running ISA Server in standalone and array-based scenarios. The best way to do this is to combine studying with work on ISA Server installations. This section gives you a description of the minimum computer requirements that you need to enjoy a solid practice environment.

• At least two Windows 2000 Servers and at least two client machines. More server computers and more clients allow you a richer set of study systems with which to deploy typical scenarios.
• All computers running Windows 2000 should be, or their components should be, on the Microsoft Hardware Compatibility List.
• Pentium II (or better) processor.
• 2GB (or larger) hard disk.
• VGA (or Super VGA) video adapter and monitor.
• Mouse or equivalent pointing device.
• CD-ROM drive.
• All clients should have a Network Interface Card (NIC).
• Ideally, both servers should have two Network Interface Cards, and one should have a modem.
• Alternatively, the modem on one server can serve as the second interface, but both servers should have two networking interfaces.
• Presence on a test network. This can be created using multiple small hubs. Exercises for VPN are best experienced with the creation of three physical subnets within the test network. It is not advisable to perform ISA Server exercises on a production network.
• Internet access is not required, but can be advantageous in many exercises. Otherwise you can simulate access to Web sites by placing a test Web server on the external side of the ISA Server in the test network.
• 128MB of RAM on each server (256MB recommended).
• Windows 2000 SP 1 or latest service pack.
• Hotfix rollup for ISA Server is required prior to the release of SP 2.

It is fairly easy to obtain access to the necessary computer hardware and software in a corporate business environment. It can be difficult, however, to allocate computers to a test network and to allocate enough time within the busy work day to complete a self-study program. Most of your study time will occur after normal working hours, away from the everyday interruptions and pressures of your regular job.
ADVICE ON TAKING THE EXAM

More extensive tips are found in the “Final Review” section titled “Study and Exam Prep Tips,” but keep this advice in mind as you study:

• Read all the material. Microsoft has been known to include material not expressly specified in the objectives. This book has included additional information not reflected in the objectives in an effort to give you the best possible preparation for the examination—and for the real-world experiences to come.
• Do the Step by Step tutorials and complete the Exercises in each chapter. They help you gain experience using the specified methodology or approach. All Microsoft exams are task- and experienced-based and require you to have experience actually performing the tasks on which you will be tested.
• Use the questions to assess your knowledge. Don’t just read the chapter content; use the questions to find out what you know and what you don’t. You also need the experience of analyzing case studies. If you are struggling at all, study some more, review, and then assess your knowledge again.
• Review the exam objectives. Develop your own questions and examples for each topic listed. If you can develop and answer several questions for each topic, you should not find it difficult to pass the exam.

Remember, the primary object is not to pass the exam—it is to understand the material. After you understand the material, passing the exam should be simple. Knowledge is a pyramid; to build upward, you need a solid foundation. This book and the Microsoft Certified Professional programs are designed to ensure that you have that solid foundation. Good luck!
NEW RIDERS PUBLISHING

The staff of New Riders Publishing is committed to bringing you the very best in computer reference material. Each New Riders book is the result of months of work by authors and staff who research and refine the information contained within its covers. As part of this commitment to you, the NRP reader, New Riders invites your input. Please let us know if you enjoy this book, if you have trouble with the information or examples presented, or if you have a suggestion for the next edition. Please note, however, that New Riders staff cannot serve as a technical resource during your preparation for the Microsoft certification exams or for questions about software- or hardware-related problems. Please refer instead to the documentation that accompanies the Microsoft products or to the applications’ Help systems. If you have a question or comment about any New Riders book, there are several ways to contact New Riders Publishing. We respond to as many readers as we can. Your name, address, or phone number will never become part of a mailing list or be used for any purpose other than to help us continue to bring you the best books possible.

You can write to us at the following address:

New Riders Publishing
Attn: Al Valvano
201 W. 103rd Street
Indianapolis, IN 46290

If you prefer, you can fax New Riders Publishing at 317-581-4663.
You also can send email to New Riders at the following Internet address: [email protected]
NRP is an imprint of Pearson Education. To obtain a catalog or information, contact us at [email protected]. To purchase a New Riders book, call 1-800428-5331. Thank you for selecting MCSE Training Guide: Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server.
CHAPTER 1
Introduction: What Is ISA Server?
OBJECTIVES
This chapter does not fulfill a specific Microsoft-specified objective for the Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server 2000 exam; however, it does lay a solid foundation on which to approach the objectives and other chapters in this book.
OUTLINE
Introduction  11
Architecture Overview  12
ISA Server Clients  15
  Web Proxy Clients  15
  Firewall Clients  15
  SecureNAT Clients  15
ISA Server Is a Multilayered Enterprise Firewall  16
  Packet Filtering  17
  Circuit-Level Filtering  17
  Application-Level Filtering  17
  Stateful Inspection  18
  Built-In Intrusion Detection  18
  System Hardening Templates  19
  Virtual Private Networking  19
ISA Server Is a High-Performance Web Caching Server  19
  Reverse Caching  20
  Forward Caching  21
  Scheduled Caching  22
  Distributed Caching  23
  Hierarchical Caching or Chaining  24
ISA Server Hosting Services  27
ISA Server Provides Integrated, Centralized Management and Control  28
  Enterprise or Standard Editions  29
  Firewall, Caching, or Integrated Modes  30
  Policy-Based Rules  31
  Bandwidth Rules  33
  Protocol Rules  33
  Site and Content Rules  33
  Application Filters  33
  How Rules and Filters Combine to Implement Policy  34
  Tiered Policies: Both Enterprise and Array Level  35
  Bandwidth Control  36
  Logging and Reporting  37
Chapter Summary  38
Apply Your Knowledge  39
  Review Questions  39
  Exam Questions  39
  Answers to Review Questions  40
  Answers to Exam Questions  40
STUDY STRATEGIES
• Use this section as an introduction to ISA Server concepts, vocabulary, and features.
• As you review the material, focus on where you might use an ISA Server.
• If you have knowledge of how Proxy Server 2.0 works, see if you can identify key differences in the two products. You should realize that ISA Server is not Proxy 3.0.
• If you have knowledge of competing firewalls and caching servers, identify advantages and disadvantages of these systems versus ISA Server.
Chapter 1
INTRODUCTION: WHAT IS ISA SERVER?
INTRODUCTION This chapter, while it does not speak directly to a particular exam objective, helps you identify exactly what ISA Server is by presenting a broad overview of its features and capabilities. Microsoft Internet Security and Acceleration Server is an engaging combination of a firewall and caching server. It can be used to protect the enterprise from external access while allowing internal users access to the Internet. It can be used to improve Web access performance by caching downloaded Web information. These modes—firewall and caching—can be implemented separately or integrated. Either way, a rich collection of features awaits the curious administrator or engineer. But even more exciting, the Enterprise edition can provide centralized administration and enterprise policy implementation. No longer must a panoply of firewalls be uniquely configured one at a time and laboriously checked for the maintenance of correct settings. Enterprisewide imperatives can be configured once, and their implementation and maintenance ensured on all servers. It is important, before you delve into the study of this product, to briefly explore the range and extent of features available, and to explore the concepts that will form the basis of your understanding. This chapter will fulfill these goals. In short it covers:
• Architecture overview
• ISA Server clients
• ISA Server as a multilayered enterprise firewall
• ISA Server as a high-performance Web-caching server
• ISA hosting services
• ISA Server’s integrated, centralized management and control
• ISA Server versions
Part I
INSTALLATION AND UPGRADE
ARCHITECTURE OVERVIEW Despite being multifaceted, all ISA Server services have a common goal: Protecting an internal, private network from an external network while allowing efficient access of the external network from the internal one. In English: Web surfing allowed and network penetration prevented. The architecture that enables this is composed of four parts:
• Core services. The Web Proxy service for outbound access, and the Firewall service for inbound protection and the management of protocol-specific filters.
• Clients and servers on the private network that need access to the public network, such as
  • Web proxy clients
  • SecureNAT clients
  • Firewall clients
  • Web servers, and other servers such as mail servers and databases
• Clients and servers on the private network that want no access, either inbound or outbound, with the public network.
• The rest of the world, represented by the Internet in most examples.
Figure 1.1 illustrates this overview. This is the world as we would like to see it, with the firewall protecting the internal network. Figure 1.2 is more representative, indicating that the ISA Server can only afford protection for and from those communications that must pass through it.
[Figure 1.1 The world as we would like it: the Internal Network sits behind the firewall, with the “Big Bad Internet” outside.]
[Figure 1.2 The real world: the firewall still separates the Internal Network from the Internet, but telecommuters, desktop modems, unauthorized dial-up connections, war dialers and other unknown paths reach the internal network without passing through it.]
Internally, as pictured in Figure 1.3, the two services act in concert with each other and with protocol-specific filters to provide connections between the private and public network. Think of the two services and the filters as the “meat and cheese” of a sandwich, with packet filtering as the wrapper or bread. External to this, like a loose wrapping of waxed paper, is an Intrusion Detection (ID) and alerting mechanism. If all traffic into and out of the network must pass through the ISA Server, then all traffic must penetrate the packet filter. If attacks are defined in the ID engine, then alerts are generated when they are used against the system. (Like the loosely wrapped sandwich, the ID-protected network cannot prevent all intrusions and leakages from occurring.)
[Figure 1.3 Architectural viewpoint. Labels in the figure: Web proxy client, Web proxy service, HTTP redirector, Firewall client, Firewall service, NAT driver, SecureNAT client, Filters, Packet filters, Public Network.]
Outbound HTTP requests may be satisfied by the Web Proxy cache, or passed through a Web filter and then to the public network. The Web proxy service manages this traffic. Protocol-specific filters manage other types of outbound requests; the firewall service in turn manages these filters. Inbound requests for hosted services (Web servers, mail servers, other types of hosted servers) are regulated by the firewall service. All other inbound requests can be blocked by protection mechanisms (packet filters, stateful inspection, and so on) and can potentially trigger alerts or other intrusion detection responses. ISA Server can be installed to handle all these functions, or can be dedicated to being either a firewall or a caching server. These choices are defined during installation by selecting one of three installation modes:
• Firewall. Control inbound access and outbound access via filters, rules and settings.
• Caching. Manage outbound access via rules and by caching downloaded data for repeated access.
• Integrated. A combination of firewall and caching modes.
ISA SERVER CLIENTS
Three types of clients on the private network can use the ISA Server services:
• Web proxy clients
• Firewall clients
• SecureNAT clients
Only one of these clients, the firewall client, requires the installation of a specific, ISA-provided client application.
Web Proxy Clients Clients whose Web browsers can be pointed at a proxy server can use the Web proxy service to access the Internet. No additional software is required. In addition, requests for Web pages are cached for efficient servicing of subsequent requests.
Firewall Clients
Firewall clients have the ISA Server “Firewall Client” application installed. The Firewall Client software intercepts Winsock calls from applications on the client, so Winsock applications can use the ISA firewall service without themselves being proxy-aware. A local address table (LAT) on the client specifies which address ranges exist on the local network. If a requested destination is not in the LAT, that is, it lies on the external network, the Firewall Client forwards the request to the ISA Server; local destinations are reached directly. The Firewall Client can only be installed on Windows ME, Windows 9x, Windows NT 4.0, and Windows 2000.
SecureNAT Clients
All other clients that make requests for external (public) network services through the ISA Server are SecureNAT clients. No “SecureNAT” software is added to the client system; the client simply routes Internet-bound traffic to the ISA Server (typically through its default gateway). Their requests are handled through the firewall service. Processing can include:
• HTTP requests are handed to the Web proxy service.
• Other requests may use firewall service managed application filters.
• Servers may be published as SecureNAT clients.
• SecureNAT enforces ISA Server policies as an extension of Windows 2000 NAT.
ISA SERVER IS A MULTILAYERED ENTERPRISE FIREWALL
Every network that allows access to the Internet should have a firewall protecting the avenue of access. In the simplest of scenarios, an ISA Server is outfitted with two network interfaces: one to connect it to the public network and one to the private network. In most cases these two networks are the Internet (the public network) and the internal company network (the private network), but this is not always the case. Either way, the ISA Server is in a position to screen all communication between the two networks. A business’s security policy is implemented by putting ISA Server Enterprise and/or array policies into place. These policies consist of rules and filters that limit inbound and outbound access. Several technologies are used to prevent unauthorized access to the network and the delivery of malicious content to it, while allowing granular outbound access controls that specify schedules, destinations, type of traffic, and application. The best defense is defense in depth. Rather than rely on one technology, ISA Server’s firewall strategy combines the best of modern firewall techniques. These include:
• Packet filtering
• Circuit-level filtering
• Application-level filtering
• Stateful inspection
• Built-in intrusion detection
• System hardening templates
• Virtual Private Networking
Packet Filtering The header of each packet is inspected by ISA Server. Because the protocol, port, destination, and source address can be determined by this inspection, packets can be passed to their destination, or dropped before they enter the network.
Circuit-Level Filtering
Each application request is redirected by the firewall service to the ISA Server—no application-specific gateway is necessary. Applications that do not support a proxy can be accessed this way. Access for Windows applications (using Winsock for communications over the Internet) is supported on client machines that have the Firewall Client software installed. These requests can be inspected per session, rather than only at the time of connection or by mere packet-level filtering. Circuit-level filtering supplies built-in support for protocols with secondary connections. SOCKS connections can be filtered at the circuit level via a SOCKS filter, which forwards requests to the ISA firewall service. SOCKS supports client platforms such as Unix and Macintosh.
Application-Level Filtering Application-level filtering analyzes a data stream for an application and can inspect, screen, block, redirect, or modify data as it passes through the firewall. ISA Server uses application-level filtering to protect against unsafe SMTP commands or DNS server attacks. In addition, third-party tools for content screening, virus detection, lexical analysis, and site categorization can apply application and Web filters.
Stateful Inspection
Stateful inspection examines both protocol and connection state, so a packet is judged in the context of the session it belongs to rather than on its header alone. Dynamic packet filters open a port only in response to a client’s request, and the port stays open only while that request is being filled. This reduces the exposure that statically opened ports would create.
Built-In Intrusion Detection
Besides ISA application filters that protect against attacks on known vulnerabilities in DNS and POP, ISA detects and protects the network from several common attacks against the network. A set of configured alerts is issued in response to these detected attacks. This system of intrusion detection in ISA Server is based on licensed technology from Internet Security Systems, Inc. (www.iss.net). Attacks detected are
• All ports scan attack. An attempt to access more than the configured number of ports (settable threshold).
• IP half scan attack. Many connection attempts (SYN packets) to a computer without the corresponding ACK packets that would complete the TCP handshake.
• Land attack. A TCP SYN packet sent with a spoofed source IP address and port number matching the destination IP address and port, which can hang a vulnerable TCP/IP stack.
• UDP bomb attack. UDP packets constructed with illegal values in some header fields (for example, a length field that does not fit the datagram).
• Enumerated port scan attack. An attempt to count the services running by probing each port in turn.
• Windows out-of-band attack. A denial-of-service attempt against an internal computer using TCP out-of-band (urgent) data that an unpatched Windows system cannot handle (commonly known as WinNuke).
• Ping of death attack. A large amount of data is appended to an Internet Control Message Protocol (ICMP) echo request (ping) packet so that the reassembled packet exceeds the maximum legal IP packet size.
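The checks listed above, as an added illustration that is not part of this book or of ISA Server: simplified detectors for each named attack, run over constructed packets. The packet layout (plain dictionaries holding only the header fields each check needs), the scan thresholds and the addresses are assumptions; the real engine is licensed ISS code and is not reproduced here.

```python
"""Simplified versions of the intrusion-detection checks listed above.

Constructed example; not ISA Server code and not the licensed ISS engine.
Packets are plain dicts carrying only the header fields each check needs, and
the scan thresholds are assumptions (ISA Server lets the administrator set its
port-scan thresholds).
"""
from collections import defaultdict

MAX_IP_DATAGRAM = 65535          # largest legal IPv4 datagram, RFC 791
WELL_KNOWN_PORTS = 1024          # ports below this are "well known"
ENUMERATED_SCAN_THRESHOLD = 10   # assumed: distinct well-known ports probed by one source
ALL_PORTS_SCAN_THRESHOLD = 20    # assumed: distinct ports of any kind probed by one source
HALF_SCAN_THRESHOLD = 5          # assumed: SYNs from one source that never sends an ACK


def is_land_attack(pkt):
    """Land: a TCP SYN whose spoofed source address and port equal the destination."""
    return (pkt["proto"] == "tcp" and pkt["flags"] == {"SYN"}
            and pkt["src"] == pkt["dst"] and pkt["sport"] == pkt["dport"])


def is_ping_of_death(pkt):
    """Ping of death: ICMP echo request (type 8) whose reassembled size exceeds the IP maximum."""
    return pkt["proto"] == "icmp" and pkt["type"] == 8 and pkt["ip_len"] > MAX_IP_DATAGRAM


def is_udp_bomb(pkt):
    """UDP bomb: a UDP length field that is illegal for the datagram carrying it
    (shorter than the 8-byte UDP header, or longer than the IP payload)."""
    return pkt["proto"] == "udp" and not 8 <= pkt["udp_len"] <= pkt["payload_len"]


def is_windows_oob(pkt):
    """Windows out-of-band (WinNuke): TCP urgent data aimed at the NetBIOS session port 139."""
    return pkt["proto"] == "tcp" and "URG" in pkt["flags"] and pkt["dport"] == 139


PER_PACKET_CHECKS = [
    ("Land attack", is_land_attack),
    ("Ping of death", is_ping_of_death),
    ("UDP bomb", is_udp_bomb),
    ("Windows out-of-band attack", is_windows_oob),
]


def detect_scans(packets):
    """Scan checks that need state across packets: ports probed and SYNs/ACKs seen per source."""
    ports_by_src = defaultdict(set)
    syns_by_src = defaultdict(int)
    acks_by_src = defaultdict(int)
    for p in packets:
        if p["proto"] not in ("tcp", "udp"):
            continue
        ports_by_src[p["src"]].add(p["dport"])
        if p["proto"] == "tcp":
            if p["flags"] == {"SYN"}:
                syns_by_src[p["src"]] += 1
            elif "ACK" in p["flags"]:
                acks_by_src[p["src"]] += 1
    alerts = []
    for src, ports in sorted(ports_by_src.items()):
        well_known = [port for port in ports if port < WELL_KNOWN_PORTS]
        if len(ports) > ALL_PORTS_SCAN_THRESHOLD:
            alerts.append(("All ports scan", src))
        elif len(well_known) > ENUMERATED_SCAN_THRESHOLD:
            alerts.append(("Enumerated port scan", src))
        if syns_by_src[src] > HALF_SCAN_THRESHOLD and acks_by_src[src] == 0:
            alerts.append(("IP half scan", src))
    return alerts


def inspect(packets):
    """Return (attack name, source address) for every detection, per-packet checks first."""
    alerts = [(name, p["src"]) for p in packets for name, check in PER_PACKET_CHECKS if check(p)]
    return alerts + detect_scans(packets)


def tcp(src, dst, sport, dport, *flags):
    return {"proto": "tcp", "src": src, "dst": dst, "sport": sport, "dport": dport,
            "flags": set(flags), "ip_len": 40}


# Constructed traffic aimed at the external address 208.67.89.5 used in Figure 1.12.
SAMPLE_TRAFFIC = [
    tcp("10.1.1.5", "208.67.89.5", 3001, 80, "SYN"),            # benign client: handshake completes
    tcp("10.1.1.5", "208.67.89.5", 3001, 80, "ACK"),
    tcp("208.67.89.5", "208.67.89.5", 80, 80, "SYN"),           # Land attack
    {"proto": "icmp", "type": 8, "src": "10.9.9.9", "dst": "208.67.89.5", "ip_len": 65600},
    {"proto": "udp", "src": "10.9.9.8", "dst": "208.67.89.5", "dport": 53,
     "payload_len": 40, "udp_len": 4},                           # UDP bomb: length < UDP header
    tcp("10.9.9.7", "208.67.89.5", 4000, 139, "URG", "ACK"),    # Windows out-of-band
] + [tcp("10.9.9.6", "208.67.89.5", 5000 + i, 20 + i, "SYN") for i in range(12)]  # SYNs, never ACKed


if __name__ == "__main__":
    for alert in inspect(SAMPLE_TRAFFIC):
        print("%-28s from %s" % alert)
```

The twelve un-acknowledged SYNs from 10.9.9.6 trigger two alerts at once, the half-scan count and the enumerated well-known-port count, which is the behaviour a SYN scan of the low ports produces in practice.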
System Hardening Templates
An ISA Server Security Configuration Wizard can be used to apply system security settings to all servers in an array. Three security levels exist:
• Secure. For ISA Servers combined with other servers such as IIS, SMTP, or database servers.
• Limited Services. ISA Server is in integrated mode and may be protected by another ISA Server.
• Dedicated. ISA Server is acting only as a dedicated firewall.
Virtual Private Networking ISA Server can function as the end-point for a Virtual Private Network (VPN). A VPN extends a private network by creating a secure link between two separate networks over a third. Two wizards assist in configuring endpoints for both sides of the VPN tunnel. ISA Server can also be configured to allow VPN traffic from external VPN clients to pass through the firewall to a VPN server on the internal network, or from internal VPN clients to a VPN server on the external network.
ISA SERVER IS A HIGH-PERFORMANCE WEB CACHING SERVER
When configured to do so, ISA Server implements a cache to store frequently used objects (Web pages, downloaded documents, and so on). Because future requests do not have to retrieve these objects from distant servers but can now find them on the local network, time and bandwidth savings result. Objects remain in the cache until replaced by more up-to-date versions or until space for more recently requested objects is needed. Caching can be implemented in the following ways:
• Reverse caching
• Forward caching
• Scheduled caching
• Distributed caching
• Hierarchical caching or chaining
Reverse Caching
Reverse caching allows objects such as Web pages requested from internal servers by external clients to be stored on the ISA Server. The internal server is “published” or advertised to the public network through an option on the ISA Server. All requests for Web pages from the server come to the ISA Server and are forwarded to the internal Web server. Reverse caching is illustrated in Figure 1.4 and by the listing that follows:
1. Alice, who is surfing the Web today from Toronto (she could be located anywhere with Internet access), enters the URL for the Web site Peachweaver.com in her browser.
2. DNS resolves the URL to the IP address of the ISA Server on the Peachweaver.com network in Grain Valley, MO.
3. The request is sent to the ISA Server.
4. The ISA Server forwards the request to the actual Web server within the Peachweaver.com network. (Web publishing settings on the ISA Server are established to forward port 80 requests to this server.)
5. The home page is returned to the ISA Server and placed in its cache.
6. The home page is forwarded to Alice.
7. Bill is also surfing the Web, but he is sitting in a hotel in Paris. He also enters the URL for Peachweaver.com in his browser.
8. Again, DNS resolves the URL to the IP address of the ISA Server on the Peachweaver.com network in Grain Valley, MO.
9. The request is sent to the ISA Server.
10. The ISA Server finds the Web page in its cache and returns it to Bill. The internal server is not contacted at all.
[Figure 1.4 Reverse caching: Alice, Bill, DNS, the ISA Server and the Peachweaver.com Web server, labelled with the step numbers from the listing above.]
The ability to cache internal Web pages on the ISA Server reduces traffic on the internal network and improves performance and availability.
Forward Caching
Like reverse caching, forward caching stores requested content. Figure 1.5 illustrates the concept and is further described in the listing that follows:
1. John and Mary are clients on the internal Peachweaver.com network. Mary enters the URL for The New York Times in her browser.
2. Her request is forwarded to the ISA Server on her network.
3. The ISA Server issues a request for The New York Times home page.
4. DNS resolves the request and The New York Times home page is retrieved and returned to the ISA Server.
5. The ISA Server places the content in its cache.
6. The ISA Server forwards the content to Mary.
7. John also wants to read The New York Times and enters the URL in his browser.
8. His request is forwarded to the ISA Server.
[Figure 1.5 Forward caching: Mary, John, the ISA Server and its cache, and The New York Times, labelled with the step numbers from the listing.]
9. The ISA Server finds this content in its cache and returns the content to John. (No request is made to The New York Times Web server.)
By storing frequently requested Web content in a local cache, ISA Server can improve the response time on Web requests. Mary might have had to wait a short time while her request was routed on the Internet, the busy New York Times server responded, and content was downloaded across a potentially overburdened link to the Internet. John probably retrieved the same page instantaneously.
NOTE
Quick Thoughts These results are usually not noticed by the participants but can sometimes be dramatic. I still remember my first experience with Proxy 1.0. I needed to set up 25 client machines with some free software that could be downloaded from the Internet. The access was slow, using a normal phone line and a dial-up connection. Normally, I would have downloaded the software, then distributed it to all the clients locally and installed. Because we had just installed Proxy, I pointed all client Web browsers to it, and began the download from all clients. The first client took the normally expected time to download the software and then started the install. Almost immediately all other 25 clients began their install process. They were accessing the first client’s download now stored in the Proxy cache! The total time to install all 25 clients was roughly equal to the time taken to install one.
Scheduled Caching The amount of content that can be retained on the ISA Server cache is a function of the size of the cache. Normally, an algorithm determines which content to replace with new requests by analyzing preset retention settings, frequency of requests, and recency of requests. However, the updating of content with changes can be scheduled. In addition, content can be chosen for download at regular intervals, regardless of the frequency and recency of request. Thus, if content is considered important, it can always be available and always current. Figures 1.6 and 1.7 show the parameters for a scheduled download of content.
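The reverse caching, forward caching and scheduled caching behaviour described in the three sections above, as an added worked example that is not from this book or from ISA Server: a small Web object cache with a freshness lifetime, least-recently-used replacement when space runs out, and a scheduled prefetch, with the origin server simulated so the code runs offline. Capacity, lifetimes, URLs and page contents are made up; the same cache class stands in for both reverse caching (origin = the published internal Web server) and forward caching (origin = a remote site), since only the direction of the request differs.

```python
"""A Web object cache behaving as the reverse, forward and scheduled caching
listings above describe.

Constructed example, not ISA Server code. The origin server is a callable so
the example runs offline; capacity, TTL, URLs and object contents are made up.
"""
from collections import OrderedDict


class WebCache:
    def __init__(self, fetch, capacity_bytes, default_ttl):
        self.fetch = fetch          # callable(url) -> bytes, stands in for the origin server
        self.capacity = capacity_bytes
        self.ttl = default_ttl      # seconds an object is served before it is refreshed
        self.store = OrderedDict()  # url -> (body, expires_at); least recently used first
        self.used = 0
        self.hits = 0
        self.misses = 0

    def get(self, url, now):
        """Serve url from the cache if present and fresh, otherwise from the origin."""
        entry = self.store.get(url)
        if entry is not None and entry[1] > now:
            self.store.move_to_end(url)     # most recently used objects are evicted last
            self.hits += 1
            return entry[0]
        self.misses += 1
        body = self.fetch(url)
        self._put(url, body, now + self.ttl)
        return body

    def _put(self, url, body, expires_at):
        if url in self.store:
            self.used -= len(self.store.pop(url)[0])
        if len(body) > self.capacity:       # can never fit: pass it through uncached
            return
        while self.used + len(body) > self.capacity:
            _, (old_body, _) = self.store.popitem(last=False)   # least recently used goes first
            self.used -= len(old_body)
        self.store[url] = (body, expires_at)
        self.used += len(body)

    def scheduled_download(self, urls, now):
        """Scheduled caching: fetch the listed objects regardless of demand, so
        important content is always present and current."""
        for url in urls:
            self._put(url, self.fetch(url), now + self.ttl)


class Origin:
    """Counts how often the origin is contacted; stands in for the internal
    Peachweaver.com Web server or for a remote site such as The New York Times."""
    def __init__(self):
        self.requests = 0

    def fetch(self, url):
        self.requests += 1
        return ("<html>%s</html>" % url).encode()


def reverse_caching_demo():
    """Alice then Bill request the published home page; the origin answers once."""
    origin = Origin()
    cache = WebCache(origin.fetch, capacity_bytes=200, default_ttl=60)
    cache.get("http://peachweaver.com/", now=1000.0)    # Alice: miss, internal server contacted
    cache.get("http://peachweaver.com/", now=1001.0)    # Bill: hit, internal server not contacted
    after_two = origin.requests
    cache.get("http://peachweaver.com/", now=1061.0)    # past the TTL: refreshed from the origin
    return after_two, origin.requests, cache.hits, cache.misses


def eviction_demo():
    """Three 37-byte objects into a 100-byte cache: the least recently used one is replaced."""
    origin = Origin()
    cache = WebCache(origin.fetch, capacity_bytes=100, default_ttl=60)
    for path in ("a", "b", "c"):
        cache.get("http://peachweaver.com/" + path, now=1000.0)
    return sorted(cache.store)


def scheduled_demo():
    """Content downloaded on a schedule is a hit on its first user request."""
    origin = Origin()
    cache = WebCache(origin.fetch, capacity_bytes=1000, default_ttl=60)
    cache.scheduled_download(["http://peachweaver.com/news"], now=1000.0)
    cache.get("http://peachweaver.com/news", now=1001.0)
    return origin.requests, cache.hits


if __name__ == "__main__":
    print(reverse_caching_demo())   # (1, 2, 1, 2)
    print(eviction_demo())
    print(scheduled_demo())         # (1, 1)
```

The third request in `reverse_caching_demo` shows the "replaced by a more up-to-date version" case: once the lifetime has passed the object is fetched again from the origin, which is what keeps a published page from being served stale indefinitely.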
Distributed Caching
ISA Servers are automatically installed in arrays, or collections of ISA Servers. Arrays can be composed of a single ISA Server or of multiple ISA Servers. Multiple servers in a single array use the Cache Array Routing Protocol (CARP) to achieve scaling and efficiency. When content is to be stored in the array, a hashing algorithm determines the storage location. Hash-based routing, not querying, locates the stored object when future requests are made. Content is not duplicated on multiple servers; instead it is distributed across all of the servers in the array. The array of ISA Servers becomes, in essence, a single logical cache. The benefits of using CARP include:
• Automatic adjustment to changes in the number of servers in the array. When servers are added to or removed from the array, CARP automatically adjusts, and only the content whose hash now points at a different server is affected.
• Efficient management of content volume. A load factor can be set for each server, or content can be evenly distributed across the array.
• Efficient, hash-based routing. It is not necessary for multiple queries to be made to locate cached content.
• No duplication of content. CARP can quickly locate previously stored content and thus avoid duplication.
• Scalability. As more servers are added to the array, CARP becomes faster and more efficient.
[Figure 1.6 Frequency of scheduled content.]
[Figure 1.7 Parameters of scheduled content.]
[Figure 1.8 An array of one.]
EXAM TIP
When Can You Have an Array? Although the interface may seem to imply so, an ISA Server Standard edition server cannot be a member of an array (see Figure 1.8). To reap the benefits of CARP by implementing multiple servers in an array, you must purchase and use the Enterprise edition.
Figure 1.9 illustrates CARP.
1. Johanna requests a Web page from www.amazon.com.
2. CARP computes which ISA Server in the array should hold the page and finds that the content is not yet cached.
3. The page is retrieved from www.amazon.com and CARP determines that it should be stored on ISA Server Bilbo in the Middle Earth array.
4. Miriam requests a Web page from Barnes and Noble (www.bn.com).
5. CARP computes which ISA Server in the array should hold the page and finds that the content is not yet cached.
6. The page is retrieved and CARP determines that it should be stored on ISA Server Gandalf in the Middle Earth array.
7. John requests the same Web page (from amazon.com) as Johanna.
8. CARP hashes the URL to ISA Server Bilbo in the Middle Earth array and finds the content already cached there.
9. The content is forwarded to John.
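CARP's hash-based routing as described in the Distributed Caching section, as an added worked example (not this book's or Microsoft's code). The structure follows the Cache Array Routing Protocol: the URL is hashed once, combined with each member's name hash, and the member with the highest score owns the object, so no member is queried and adding a server moves only the objects whose winner changes. Three details are substitutions for the draft's own arithmetic and are assumptions: the string hash is SHA-256 truncated to 32 bits, the mixing step is MurmurHash3's fmix32 finalizer, and the load factor is applied as a plain multiplier. The server names and URLs are made up.

```python
"""CARP-style hash routing for an array such as Middle Earth above.

Constructed example, not ISA Server code. The shape is CARP's: hash the URL
once, combine it with each member's hash, route to the highest score. The
string hash (SHA-256 truncated to 32 bits), the mixing step (MurmurHash3 fmix32)
and the load factor as a plain multiplier are stand-ins for the draft's own
arithmetic. Server names and URLs are made up.
"""
import hashlib

MASK32 = 0xFFFFFFFF


def hash32(text):
    """32-bit hash of a string (stand-in for the CARP draft's hash function)."""
    return int.from_bytes(hashlib.sha256(text.encode()).digest()[:4], "big")


def combine(url_hash, member_hash):
    """Mix the URL hash with one member's hash; fmix32 gives a 32-bit bijection with
    good avalanche, so the winner is effectively independent across members."""
    h = (url_hash ^ member_hash) & MASK32
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & MASK32
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & MASK32
    h ^= h >> 16
    return h


class CarpArray:
    def __init__(self, members):
        """members: {server name: load factor}; 1.0 everywhere means an even split."""
        self.members = {name: (hash32(name), load) for name, load in members.items()}

    def route(self, url):
        """Name the member that owns url, from hashes alone: nothing is asked of the array."""
        url_hash = hash32(url)
        return max(self.members,
                   key=lambda name: combine(url_hash, self.members[name][0]) * self.members[name][1])


def distribution(array, urls):
    counts = {name: 0 for name in array.members}
    for url in urls:
        counts[array.route(url)] += 1
    return counts


def remapped_fraction(before, after, urls):
    """Share of objects whose owner changes between two array configurations."""
    moved = sum(1 for url in urls if before.route(url) != after.route(url))
    return moved / len(urls)


SAMPLE_URLS = ["http://www.amazon.com/book/%d" % i for i in range(1000)]   # constructed


def chapter_walkthrough():
    """Steps 1-9 above: Johanna and John are routed to the same member for the same URL."""
    middle_earth = CarpArray({"Bilbo": 1.0, "Gandalf": 1.0})
    johanna = middle_earth.route("http://www.amazon.com/")
    miriam = middle_earth.route("http://www.bn.com/")
    john = middle_earth.route("http://www.amazon.com/")
    return johanna, miriam, john


if __name__ == "__main__":
    three = CarpArray({"Bilbo": 1.0, "Gandalf": 1.0, "Frodo": 1.0})
    four = CarpArray({"Bilbo": 1.0, "Gandalf": 1.0, "Frodo": 1.0, "Samwise": 1.0})
    print(distribution(three, SAMPLE_URLS))
    print("moved after adding Samwise: %.2f" % remapped_fraction(three, four, SAMPLE_URLS))
    print(distribution(CarpArray({"Bilbo": 2.0, "Gandalf": 1.0}), SAMPLE_URLS))
    print(chapter_walkthrough())
```

Growing the array from three members to four remaps only about a quarter of the objects, against roughly three quarters for a naive "hash modulo server count" scheme; that is the property behind the "automatic adjustment" bullet above. Doubling Bilbo's load factor hands it about three quarters of the objects rather than half.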
Hierarchical Caching or Chaining Arrays of ISA Servers can be arranged hierarchically, that is an array can route its Web requests to another ISA Server array. This process is also known as chaining. Retrieved objects are stored in each intermediary array between the requesting client and the ISA Server array that has a direct connection to the external or public network. Future requests for the object are resolved at the array that is closest to the client. Figure 1.10 shows this arrangement and the process is described here.
[Figure 1.9 CARP: the Middle Earth array (Bilbo, Gandalf), Johanna, Miriam and John, labelled with the step numbers from the listing above.]
[Figure 1.10 Hierarchical caching or chaining: the Independence ISA Server (Stu, Mark) routes requests to the Grain Valley array (Fred), which retrieves the Microsoft home page from the Internet; labelled with the step numbers from the listing that follows.]
1. Mark, Fred, and Stu are clients on the internal peachweaver.com network. However, Fred is located at the Grain Valley, MO office and Mark and Stu are located in Independence, MO. The ISA Server array in Grain Valley has a direct connection to the Internet. The ISA Server in Independence routes its requests to the ISA Server array in Grain Valley. Stu enters the URL for Microsoft in his browser.
2. Stu’s request is forwarded to the ISA Server on his network.
3. The ISA Server routes the request to the array in Grain Valley.
4. An ISA Server in Grain Valley makes a request on the Internet.
5. DNS resolves the request and the Microsoft home page is retrieved and returned to the ISA Server in Grain Valley.
6. The ISA Server in Grain Valley places the content in its cache.
7. The ISA Server in Grain Valley forwards the content to the ISA Server in Independence.
8. The ISA Server in Independence stores the content in its cache.
9. The ISA Server in Independence forwards the content to Stu.
10. Fred also needs to visit the Microsoft home page and enters the URL in his browser.
11. His request is forwarded to the ISA Server in Grain Valley.
12. The ISA Server in Grain Valley finds this content in its cache and returns the content to Fred. (No Internet request is made.)
13. Mark needs to visit the Microsoft home page and enters the URL in his browser.
14. His request is forwarded to the ISA Server in Independence.
15. The ISA Server in Independence finds this content in its cache and returns the content to Mark. (No request is forwarded to Grain Valley.)
By chaining ISA Server arrays, content can be distributed to multiple locations without making repeated requests on the Internet. In our example, chaining takes place between multiple geographic locations. However, chaining could also be achieved at a single geographic location by simply routing requests from ISA Servers located close to workgroups to ISA Servers that exist on the perimeter of the network. Caching Web content closer to users makes it more readily and quickly available, as requests do not have to traverse a lengthy, circuitous path through multiple internal routers. Figure 1.11 illustrates this concept. In this figure, three ISA Servers are located close to three workgroups. None of the workgroup ISA Servers has access to the Internet; they refer their requests to the perimeter ISA Server.
[Figure 1.11 Workgroup ISA Server chaining: the workgroup ISA Servers forward their requests to the Perimeter ISA Server, which connects to the Public Network.]
ISA SERVER HOSTING SERVICES Internal (private network) servers can be published to the Internet and yet protected. Access can be restricted to these servers while preventing access to other parts of the network. Server publishing and Web publishing rules decide which requests are passed on to the internal servers. To the external world, the ISA Server appears to be the actual server. For example: if an internal Web server is hosted, the external browser believes it is communicating with the ISA Server; to the browser, the ISA Server is the Web server. Ditto for Exchange. Any external client who attempts to access Exchange believes that the ISA Server is the Exchange server. This additional layer of obfuscation helps to protect the actual servers. (If your address is a post office box, I’m going to have a harder time showing up at your front door.) Figure 1.12 shows the relationship between the hosted, internal server, the ISA Server and the external Web client.
[Figure 1.12 Server publishing relationships: the External Client on the Public Network sends to destination address 208.67.89.5, the Perimeter ISA Server; the ISA Server forwards the request to Exchange at 192.168.7.6 on the Private Network.]
Web publishing rules can allow or deny access to a set of computers or group of users. In addition, you can
• Configure authentication methods (basic, Windows integrated, anonymous)
• Require Secure Sockets Layer (SSL) connections between published servers and the ISA Server
• Specify server certificates to be used in communications with clients requesting an SSL session
ISA SERVER PROVIDES INTEGRATED, CENTRALIZED MANAGEMENT AND CONTROL
ISA Server can be installed in an Active Directory environment or on standalone Windows 2000 Servers. Although installation in an Active Directory environment can provide additional centralized management and control, all ISA Server installations offer a number of features to manage the inbound and outbound access requirements of the associated internal network. These features include:
• Enterprise or Standard Editions
• Firewall, caching, or integrated modes
• Policy-based access rules
• Tiered policies: both Enterprise and Array level
• Bandwidth control
• Logging and reporting
Enterprise or Standard Editions
ISA Server can be purchased in either a Standard or an Enterprise edition. The Enterprise edition enables integration with the Active Directory and provides additional benefits for centralized control, policy management, and the increased efficiencies of hierarchical and distributed caching. The Standard edition can be installed on a Windows 2000 computer that is not joined to an Active Directory domain. (The Enterprise edition can also be installed as a standalone server not integrated with the Active Directory, but the Standard edition cannot achieve integration with the Active Directory.) Table 1.1 lists ISA Server features and identifies which features are available in each edition.
TABLE 1.1 DIFFERENCES BETWEEN ISA SERVER EDITIONS
Feature                                   Enterprise Edition   Standard Edition
Distributed Caching                       Yes                  No
Hierarchical Caching                      Yes                  Yes
Array Based Policy                        Yes                  Yes
Enterprise Policy                         Yes                  No
H.323 gatekeeper                          Yes                  Yes
Intrusion detection                       Yes                  Yes
Message Screener                          Yes                  Yes
Web publishing                            Yes                  Yes
Server publishing                         Yes                  Yes
Active Directory Integration              Yes                  No
Firewall, caching, or integrated modes    Yes                  Yes
Bandwidth control                         Yes                  Yes
Logging and reporting                     Yes                  Yes
Packet filtering                          Yes                  Yes
Firewall, Caching, or Integrated Modes
Either edition of ISA Server can be installed in one of three modes:
• Firewall. ISA Server is installed as a firewall.
• Caching. ISA Server is installed as a caching server.
• Integrated. ISA Server is both a firewall and a caching server.
Table 1.2 lists the features of ISA Server and identifies which features are available with each mode.
TABLE 1.2 FEATURES AVAILABLE PER INSTALLATION MODE
Feature                        Firewall   Caching                        Integrated
Cache Configuration            No         Yes                            Yes
Distributed Caching            No         Yes                            Yes
Hierarchical Caching           No         Yes                            Yes
Array Based Policy             Yes        Yes                            Yes
Enterprise Policy              Yes        Yes                            Yes
Access Policy                  Yes        Only for HTTP, HTTPS, FTP      Yes
H.323 Gatekeeper               Yes        Yes                            Yes
Intrusion detection            Yes        No                             Yes
Message Screener               Yes        Yes                            Yes
Web publishing                 Yes        Yes                            Yes
Server publishing              Yes        No                             Yes
Active Directory Integration   Yes        Yes                            Yes
Bandwidth control              Yes        Yes                            Yes
Logging and reporting          Yes        Yes                            Yes
Packet filtering               Yes        No                             Yes
Local Address Table            Yes        No                             Yes
Application filtering          Yes        No                             Yes
Web filters                    Yes        Yes                            Yes
Real time monitoring           Yes        Yes                            Yes
Alerts                         Yes        Yes                            Yes
Reports                        Yes        Yes                            Yes
VPN                            Yes        No                             Yes
SecureNAT client support       Yes        No                             Yes
Firewall client support        Yes        No                             Yes
Web Proxy client support       Yes        Yes                            Yes
Policy-Based Rules
Three types of rules can be configured:
• Bandwidth rules
• Protocol rules
• Site and content rules
Access policies are composed of protocol rules and site and content rules. In addition, application filters may impact the behavior of protocol definitions, and bandwidth rules set priorities for requests. A policy can be configured for an ISA Server array (consisting of one or more ISA Servers) or an ISA Server enterprise (consisting of one or more ISA Server arrays—requires Enterprise edition).
EXAM TIP
Need Access To allow access to the Internet, a protocol rule and a site and content rule must both exist and match the client, site, and protocol.
Rules are further defined and impacted by policy elements. Policy elements represent parts of the policy, such as the time of day it is effective, or the users to whom it applies. Rather than explicitly defining each of these rule components for each rule, you create policy elements and use them over and over. Definable policy elements are
• Destination sets. IP addresses of specific computers or computer names (including a particular path on the computer)
• Users or groups. Windows 2000 users and groups (see Figure 1.13)
• Client address sets. IP addresses of specific client computers
• Schedules. When a rule is in effect
• Bandwidth priorities. Determine the priority level of a connection
• Protocol definitions. Port number, TCP or UDP, direction
• Content groups. MIME types or filename extensions
FIGURE 1.13 The new bandwidth rule applies to Administrators.
Bandwidth Rules Bandwidth rules can set priorities for requests according to protocol definitions, destination sets, schedule, client address set, content group, and required priority.
Protocol Rules

Protocol rules identify which protocols clients can use to access the Internet. These rules are processed at the application level. Protocol definitions are preconfigured, but can also be added. Additional protocols can be made available by installing application filters.
Site and Content Rules Site and content rules define which sites, and what types of content, can be accessed. They are further distinguished by definitions of destination sets, schedules, and users.
Application Filters

Application filters extend the firewall client access capabilities and restrictions. They can perform additional tasks such as authentication or virus checking. Third-party application filters can be added. The following application filters (extensions) are installed with ISA Server:

• File Transfer Protocol (FTP) access filter. Dynamically opens ports, and performs address translation for SecureNAT clients.
• H.323 protocol filter. Uses H.323 protocol definitions (added when the H.323 gatekeeper is installed) to allow incoming and outgoing H.323 calls, audio, video, and application sharing.
• HyperText Transfer Protocol (HTTP) redirector filter. Forwards HTTP requests from SecureNAT and firewall clients to the Web Proxy service.
• Intrusion detection filters. DNS and POP intrusion detection filters.
• Remote Procedure Call (RPC) filter. Enables publishing of RPC servers.
• SOCKS filter. Forwards requests from SOCKS applications to the firewall service.
• Simple Mail Transfer Protocol (SMTP) filter. Accepts and inspects SMTP traffic arriving on port 25.
• Streaming media filter. Allows client access and server publishing of Microsoft Windows Media (MMS), Progressive Networks protocol (PNM or RealPlayer), and Real Time Streaming Protocol (RTSP or RealPlayer G2 and QuickTime 4).
How Rules and Filters Combine to Implement Policy

Protocol rules, site and content rules, and application filters determine whether a given request is allowed or denied. The following list describes the interaction of protocol rules and site and content rules. Figure 1.14 presents the information in a flowchart.

1. A client requests an object using a specific protocol.
2. If a protocol rule specifically denies the use of the protocol, the request is denied.
3. If a protocol rule and a site and content rule allow access to the object, the request is allowed.
4. If no protocol rule exists for the protocol, the request is denied.
5. If a site and content rule exists that specifically denies the request, the request is denied.
6. If a site and content rule denies an HTTP request, the request can be redirected to another location.
7. If no site and content rule exists matching the request, the request is denied.
[Figure 1.14 flowchart: client request using protocol A → does a protocol rule deny protocol A? (yes: request denied) → does a site and content rule deny protocol A? (yes, and the request is for HTTP: can be redirected to another location, process begins again; yes otherwise: request denied) → does a protocol rule allow protocol A? (no: request denied) → does a site and content rule allow protocol A? (no: request denied) → request allowed.]
FIGURE 1.14 Finding the backup and restore utilities.
Tiered Policies: Both Enterprise and Array Level

Policies can be configured at both the Enterprise (Enterprise edition) and Array level. When the Enterprise edition is installed and integrated with the Active Directory, Enterprise policy configuration determines the effectiveness of Array policy. Where allowed, array level policies can further restrict Enterprise policies. Thus, a tiered policy can be implemented. Figure 1.15 presents a logical view of just such a tiered policy. In the Middle Earth Enterprise Policy, access to all Web sites is allowed. In the Baggins array, site access is restricted by site and content rules. In the Wizards array, rules are used heavily to determine who can use which protocol to access what content at what time of day.

WARNING: Watch What You Delete! An application filter may add protocol definitions. If it is later disabled, these definitions are disabled, thus any requests that use these definitions will be denied. For example, if the streaming media application filter is disabled, Windows Media and Real Networks protocols are blocked.
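The decision procedure in "How Rules and Filters Combine to Implement Policy" (steps 1 through 7, including the HTTP redirect) and the Enterprise/Array layering described just above can be modelled in a few lines. The following Python is an added example written for this chapter, not ISA Server code; the Middle Earth, Baggins and Wizards policies, host names and client addresses are constructed samples, and the array tier is modelled as only ever able to deny or redirect what the Enterprise policy has allowed.

```python
# Added example (not ISA Server code) modelling the access-policy decision described
# under "How Rules and Filters Combine" and "Tiered Policies"; names are constructed samples.
from dataclasses import dataclass
from typing import Optional

ANY = None  # a rule element left as ANY matches every client or destination

@dataclass(frozen=True)
class Request:
    client_ip: str
    protocol: str      # name of a protocol definition, e.g. "HTTP"
    destination: str   # host name, matched against destination sets

@dataclass(frozen=True)
class ProtocolRule:
    name: str
    protocols: frozenset
    action: str        # "allow" or "deny"
    client_set: Optional[frozenset] = ANY

@dataclass(frozen=True)
class SiteContentRule:
    name: str
    destinations: Optional[frozenset]
    action: str        # "allow" or "deny"
    client_set: Optional[frozenset] = ANY
    redirect_to: Optional[str] = None   # a denied HTTP request may be redirected

@dataclass(frozen=True)
class Decision:
    outcome: str       # "allowed", "denied" or "redirected"
    reason: str
    redirect_to: Optional[str] = None

@dataclass(frozen=True)
class Policy:
    protocol_rules: tuple
    site_rules: tuple

def _matching_rules(policy, req):
    """Rules whose client address set (and destination set) cover the request."""
    proto = [r for r in policy.protocol_rules
             if (r.client_set is ANY or req.client_ip in r.client_set)
             and req.protocol in r.protocols]
    site = [r for r in policy.site_rules
            if (r.client_set is ANY or req.client_ip in r.client_set)
            and (r.destinations is ANY or req.destination in r.destinations)]
    return proto, site

def explicit_denial(policy, req):
    """Steps 2, 5 and 6: the first explicit deny (or HTTP redirect), else None."""
    proto, site = _matching_rules(policy, req)
    for r in proto:
        if r.action == "deny":
            return Decision("denied", f"protocol rule '{r.name}' denies {req.protocol}")
    for r in site:
        if r.action == "deny":
            if req.protocol == "HTTP" and r.redirect_to:
                return Decision("redirected", f"rule '{r.name}' redirects", r.redirect_to)
            return Decision("denied", f"site and content rule '{r.name}' denies {req.destination}")
    return None

def evaluate_policy(policy, req):
    """Steps 1-7 of 'How Rules and Filters Combine to Implement Policy'."""
    denial = explicit_denial(policy, req)
    if denial:
        return denial
    proto, site = _matching_rules(policy, req)
    if not any(r.action == "allow" for r in proto):   # step 4: no protocol rule
        return Decision("denied", f"no protocol rule allows {req.protocol}")
    if not any(r.action == "allow" for r in site):    # step 7: no site and content rule
        return Decision("denied", f"no site and content rule allows {req.destination}")
    return Decision("allowed", "a protocol rule and a site and content rule both allow")

def evaluate_tiered(enterprise, array, req, array_may_restrict=True):
    """Enterprise policy decides first; where it lets array policies restrict it,
    array rules may further deny or redirect but never widen access."""
    decision = evaluate_policy(enterprise, req)
    if decision.outcome != "allowed" or not array_may_restrict:
        return decision
    return explicit_denial(array, req) or decision

# Constructed sample policies, named after Figure 1.15.
MIDDLE_EARTH = Policy(   # Enterprise policy: access to all allowed
    protocol_rules=(ProtocolRule("Web protocols", frozenset({"HTTP", "HTTPS", "FTP"}), "allow"),),
    site_rules=(SiteContentRule("All sites", ANY, "allow"),))
BAGGINS = Policy(        # array: site and content rules restrict access
    protocol_rules=(),
    site_rules=(SiteContentRule("No games", frozenset({"games.example"}), "deny",
                                redirect_to="http://intranet.example/policy.html"),))
WIZARDS = Policy(        # array: protocol rules restrict who may use FTP
    protocol_rules=(ProtocolRule("No FTP for 10.1.2.3", frozenset({"FTP"}), "deny",
                                 client_set=frozenset({"10.1.2.3"})),),
    site_rules=())

if __name__ == "__main__":
    for req in (Request("10.1.2.3", "HTTP", "www.example"),
                Request("10.1.2.3", "HTTP", "games.example"),
                Request("10.1.2.3", "FTP", "ftp.example")):
        for label, array in (("Baggins", BAGGINS), ("Wizards", WIZARDS)):
            d = evaluate_tiered(MIDDLE_EARTH, array, req)
            print(f"{label:8}{req.protocol:6}{req.destination:14} -> {d.outcome}: {d.reason}")
```

Passing `array_may_restrict=False` models an Enterprise policy that does not allow Array policies to restrict it, in which case the array rules are ignored entirely.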
[Figure 1.15 diagram: Middle Earth Enterprise Policy (access to all allowed); Baggins Array (site and content rules restrict access); Wizard Array (protocol rules; site and content rules).]
FIGURE 1.15 Tiered policy: a logical view of the Middle Earth Enterprise.
Bandwidth Control

Bandwidth rules set priorities for all communications that pass through the ISA Server. Bandwidth priorities (see Figure 1.16) define the priority for outbound/inbound communications by setting a number from 1 to 200 (where 200 allows the maximum bandwidth). Bandwidth rules are applied depending on matches between a combination of users, groups, destinations, protocols, schedules, and content groups. If a communication fits the rule, the bandwidth priority assigned to the rule is assigned to the communication. All requests are evaluated and bandwidth apportioned accordingly. (If no bandwidth rule fits, the default bandwidth rule applies.)
Logging and Reporting

Logging can be configured to store data in a file (W3C extended log file format, or ISA Server file format), an Access database, or a SQL Server database. New logs are created daily, weekly, monthly, or yearly as configured. Logging can be configured separately for

• Packet filters
• Firewall service
• Caching service

The fields that are logged depend on the service that is being logged and the selection from a list of log fields displayed in the service property pages. Figure 1.17 shows the default fields selected for the Packet filter log.
FIGURE 1.16 A bandwidth rule can be applied to specific users, groups, destinations, protocols, bandwidth priorities, schedules, and content groups.
Besides the logs, ISA Server can be configured to produce a number of predefined reports. Reports include:

• Summary report. Illustrates traffic usage.
• Web usage reports. Top users, common responses, and browsers.
• Application usage reports. Application usage by top users, incoming and outgoing traffic, client applications, and destinations.
• Traffic and utilization reports. Total Internet usage by application, protocol, and direction.
• Security reports. Attempts to breach network security.
FIGURE 1.17 Default log fields for packet filters.
CHAPTER SUMMARY

KEY TERMS
• Internal network
• External network
• Private network
• Public network
• Web Proxy service
• Firewall service
• Web Proxy clients
• SecureNAT clients
• Firewall clients
• Firewall mode
• Caching mode
• Integrated mode
• Winsock applications
• SOCKS applications
• Local Address Table (LAT)
• Packet filtering
• Circuit-level filtering
• System hardening
• Virtual Private Networking
• Intrusion detection
• All ports scan attack
• IP half scan attack
• Land attack
• UDP bomb attack
• Enumerated port scan attack
• Windows out-of-band attack
• Ping of death attack
• Web caching server
• Reverse caching
• Forward caching
• Hierarchical caching
• Chaining
• Distributed caching
• Cache Array Routing Protocol (CARP)
• H.323 gatekeeper
• Tiered policy
• Enterprise policy
• Array policy
• Secure Sockets Layer (SSL)
By now you should have a fair picture of the services and features offered by ISA Server. At this point, it is easy to be overwhelmed with the dizzying array of features and configuration options. However, it is not necessary to have every potential usage and arrangement figured out. If you complete the exercises and questions throughout this book you will have ample time and exposure to solidify your understanding. What is appropriate now is that you are aware of ISA’s many facets and can therefore consider them as you approach the next chapters on preinstallation configuration, installation, and migration.
APPLY YOUR KNOWLEDGE
Review Questions

1. The firewall service, firewall client and application filters work together to handle requests for connections with non-HTTP applications over the Internet. There is no firewall client software for Unix and Macintosh systems, yet they need to use SOCKS applications. How can SOCKS connections be handled through ISA Server?
2. The XYZ company does not want to add additional client software to their systems, yet they would like the benefits of Web caching on their network. Can ISA Server perform this function?
3. Chalmers Expediation Corp. would like to increase availability, efficiency, and protection for their Web site. How can this be accomplished with ISA Server?
4. How can ISA Server be tuned to assure that updated information from commonly used Web pages is readily available from the cache?
Exam Questions

1. Access to the Internet is provided to a large number of people in your company. IT is centralized and all caching servers are required to be located in the same location at your single geographical site. Which type of caching is best for you?
   A. Scheduled caching
   B. Reverse caching
   C. Chaining
   D. Forward caching
   E. Distributed caching

2. In your large company, users are arranged in convenient workgroups. The company mandate requires that resources be as close to user communities as is possible. What type of caching will be best for you?
   A. Scheduled caching
   B. Reverse caching
   C. Chaining
   D. Forward caching
   E. Distributed caching

3. The following servers would be good candidates for ISA Server Hosting Services.
   A. A public Web server
   B. An intranet server only used by employees at the office
   C. An intranet server available to all employees
   D. Exchange Server

4. In a highly distributed environment where departments manage their own IT resources, some departments require stricter control of inbound and outbound access to network resources. The best solution in this case is
   A. An Enterprise policy that does not allow Array policies to further restrict it.
   B. An Enterprise policy that does allow Array policies to further restrict it.
   C. An Array policy that does not allow Enterprise policies to further restrict it.
   D. An Array policy that does allow Enterprise policies to further restrict it.
5. You need to provide server publishing. In what mode should you install ISA Server?
   A. Caching
   B. Firewall
   C. Integrated
   D. Mixed

6. Policies can be written that restrict access to Web resources by
   A. Protocol
   B. User group
   C. Bandwidth request
   D. Client IP address
   E. Time of day

Answers to Review Questions

1. SOCKS connections are filtered via a SOCKS filter. The filter forwards requests to the ISA firewall service. No additional client software is needed. See the sections “ISA Server Clients” and “ISA Server Is a Multilayered Enterprise Firewall.”
2. Client software does not have to be installed to support the caching of HTTP, FTP, and HTTPS resources. Clients must “point” their browser to the ISA Server. These clients are called Web Proxy Clients. See the section, “ISA Server Clients.”
3. Installing ISA Server in integrated mode and configuring it for reverse caching, Web server publishing, and firewall protection. See the sections “ISA Server Is a Multilayered Enterprise Firewall,” and “Reverse Caching.”
4. Use scheduled caching. See the section, “Scheduled Caching.”
Answers to Exam Questions

1. D, E, A. Distributed caching places a number of ISA Servers in an array and Web requests are cached in a distributed fashion amongst the servers. Forward caching caches Web requests. B is for caching Web pages from a published internal Web server. C allows caching of resources at multiple geographical or workgroup locations. See the section, “ISA Server as a High-Performance Web Caching Server.”
2. C, D, A. Chaining allows the location of multiple arrays of ISA Servers in a workgroup setting. Each array can forward its request to another in the hierarchy and eventually requests reach the perimeter array. Each ISA Server in the chain will store the content in its cache. See the section, “ISA Server as a High-Performance Web Caching Server.”
3. A, C, D. Public Web sites are perfect candidates. They can be protected and yet external guests can access their resource. Mail servers and intranet servers that need to be available to traveling employees or those that telecommute will also work well as hosted services. B is incorrect; you should not unnecessarily expose any server to the Internet. See the section, “ISA Server Hosting Services.”
4. B. Array policies can restrict Enterprise policies if the Enterprise policy is written to allow this. C and D are incorrect. Enterprise policies restrict array policies, but this is not done with the array policy’s special consent. A is also incorrect. See the section, “ISA Server Provides Integrated, Centralized Management and Control.”
5. B, C. Firewall mode provides server publishing capabilities. Integrated mode would also provide this. (Web publishing is available in either firewall or caching mode.) A is incorrect. Caching mode alone will not provide server publishing. D is incorrect; there is no such thing. See the section, “Firewall, Caching or Integrated Modes.”
6. A, B, D, E. Protocol, user group, IP address, and time of day (schedule) can all be used to restrict access. C is incorrect. Users cannot “request” an amount of bandwidth. See the section, “Policy-Based Access Rules.”
Suggested Readings and Resources

1. “Features Overview,” a white paper at http://www.microsoft.com/isaserver/productinfo/features.htm.
2. “Microsoft’s New Firewall: Just Where Do You Think You’re Going Today?” a GIGA Information Group document by Steve Hunt available at http://www.microsoft.com/isaserver/productinfo/ISAGiga.pdf.
PART I

INSTALLATION AND UPGRADE

2 Plan Before Acting: Preinstallation Activities
3 Installing ISA Server
4 Upgrading Microsoft Proxy 2.0
OBJECTIVES

This chapter covers the following Microsoft-specified objectives for the “Installing ISA Server” section of the Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server 2000 exam.

Preconfigure network interfaces.
• Verify Internet connectivity before installing ISA Server.
• Verify DNS Name resolution.

If the ISA Server installation is to succeed, preinstallation issues must be resolved. If this server is to control access between the Internet and the private network, it makes sense to configure Internet connectivity prior to installing ISA Server. Not only will this allow easier post-installation configuration, but it will also eliminate the potential problem of non-Internet connectivity from consuming your post-installation troubleshooting time. If you cannot access the Internet through the ISA Server after installation, you do not want to be concerned that the related issues of network connectivity and name resolution are the problem. By verifying these items prior to installation, much time and trouble can be saved.
CHAPTER 2

Plan Before Acting: Preinstallation Activities
OUTLINE

Introduction                                                       47
Network Design and Planning                                        47
  Network Size                                                     48
  User Needs                                                       48
  Installation Options                                             48
  ISA Server Mode and Array Considerations                         49
  Active Directory Integration Needs                               50
  Interoperation with and Requirements for Other Services          51
  Making Hardware Choices                                          53
    Minimum System Requirements                                    53
    Estimating Cache Requirements                                  54
    Estimating Publishing Requirements                             54
    Network Card Requirements                                      55
    Hard Disk Requirements                                         55
    Additional Hardware Requirements for VPNs                      56
    Microsoft Deployment Example                                   56
  Remote Administration Needs                                      56
  Client Considerations                                            56
Windows 2000 Installation and Configuration                        57
Preinstallation Network Configuration                              58
  Server Placement                                                 58
  Verify Network Connectivity                                      58
    TCP/IP Network Card Configuration                              61
    Testing Connectivity                                           62
  Verify Internet Connectivity                                     62
    Connectivity Requirements                                      62
    Establishing a Connection                                      63
  Verify Name Resolution                                           63
Chapter Summary                                                    64
Apply Your Knowledge                                               65
  Exercises                                                        65
  Review Questions                                                 65
  Exam Questions                                                   65
  Answers to Review Questions                                      67
  Answers to Exam Questions                                        68

STUDY STRATEGIES

• If you are not comfortable with Windows 2000 DNS dependencies, this is a good time to assure your understanding. If the Windows 2000 system selected for the ISA Server installation cannot access Web sites on the Internet, what makes you feel that it will be able to after installation?
• The ISA Server has multiple Windows 2000 requirements and suggested setup guidelines. This is the time to make sure you are familiar with them.
• Approach preinstallation guidelines with an eye to creating your own checklist. Include network, client, and server preparation steps.
• Think about the differences that a large installation would create. In a large enterprise, much more planning will go into such a major network connectivity change. Do you understand why?
INTRODUCTION

There is a lot more to installing any software product than just the installation. The wise administrator plans thoroughly so the actual installation process goes smoothly. Then, like a pilot before take-off, she performs a preflight check. Assured that all the necessary steps have been taken, she will find installation to be effortless, results, in most cases, excellent, and any troubleshooting made easier by firm knowledge of the system and network. Finally, post-installation configuration and client setup will be swifter if planning has been precise. This chapter documents the network and system requirements to be met before installing ISA Server. Client concerns are discussed, but a full discussion of client configuration and/or the configuration of auto-discovery appears in Chapter 13, “Planning and Deploying Clients.”
NETWORK DESIGN AND PLANNING

ISA Server can be used in multiple ways. Prior to installation you should have determined the role(s) it will play, and mapped a strategy for its installation and implementation. Your planning should encompass not just the installation of the product, but also consider:

• Network size
• User needs
• Installation options
• ISA Server mode and array considerations
• Active Directory integration needs
• Interoperation with, and requirements for, other services
• Hardware choices
• Changes that must take place for clients
Network Size You must have a good idea of the size of the network to determine client needs, and the anticipated usage of publishing servers. This helps you determine how many ISA Servers you will need to deploy. If you have Web-caching servers, firewalls or hosting servers in place, collect usage information from them. If not, while it is difficult to anticipate needs, you must make estimates.
User Needs

What types of software do users use? If a current firewall or caching server is in place, what ports are open, what rules are in place? Are there current issues or problems that need to be resolved? In the absence of current products to evaluate, what types of communication are now being used? In a typical environment perhaps up to 97 percent of all required Internet communications (notations on Microsoft Web site, experience) will be HTTP. However, the other 3 percent may represent critical functions on which the business is dependent for survival and/or incidental communications that can be eliminated or can be lived without for a short period of time. If you insert a firewall into an environment where users are used to free and rampant access to any and all Internet connectivity, you can expect some issues to surface. By evaluating actual business needs and planning for their continuance before implementation, you can avoid many problems.
Installation Options

During installation there are choices to be made. Specifically, you can install:

• ISA Management only. Can be installed on Windows 2000 Professional.
• ISA Server Services. Firewall service, H.323 Gatekeeper service, Web Proxy service.
• ISA Server Extensions. Message screener and H.323 administration tool.

After installation, the installation program can be run again to modify these options. If the Identd simulation service is required, a special post-installation procedure must be performed. Information on this procedure is included in Chapter 14, “Installing and Configuring Client Options.”
ISA Server Mode and Array Considerations

What will be the role of the ISA Server? Will it act as a firewall, Web caching server, publishing server, H.323 Gateway, or a combination of these features? When you consider the role of the ISA Server, go beyond the three basic role choices of firewall, caching, and integrated and explore the features that each will allow. Will several ISA Servers be installed into an array? Into multiple arrays? Are ISA Server or Microsoft Proxy Server 2.0 systems or arrays already in place? Will Proxy Server 2.0 be replaced? Expected to coexist? Will multiple arrays need to be arranged into hierarchical or distributed caching arrays? Who will be responsible for determining the access policy that will be implemented? And who will implement and maintain it? What is the anticipated load on the ISA Server? These types of questions need to be asked long before installation. The preceding chapter and ISA Server review guidelines can help you explore the possibilities and make selections for the ISA Server role. Table 2.1 lists role options that impact hardware choices and preinstallation processes.
NOTE: Identd. When a client operates behind a firewall it cannot respond to some types of requests for identification from Internet servers. The Identd simulation service, when installed on an ISA Server, can respond to the Internet server on behalf of the client.
TABLE 2.1
ISA SERVER ROLE AND PREINSTALLATION ACTIVITY

Web-proxy
  Client issues: Client browsers will need configuration
  Network issues: Internal network name resolution?/name resolution on Internet
  System/hardware issues: Cache size

Firewall
  Client issues: Firewall client installation?
  Network issues: Connectivity/name resolution on Internet
  System/hardware issues: Minimum of two interfaces

Application proxy
  Client issues: Firewall client/SOCKS filter
  Network issues: Name resolution on Internet
  System/hardware issues: Cache size

Enterprise edition
  Client issues: Same
  Network issues: Same
  System/hardware issues: Requires Enterprise Admin, Schema Admin to modify AD schema for ISA Server.

Web hosting
  Client issues: None
  Network issues: Same
  System/hardware issues: Cache size (for reverse caching needs)

Server hosting
  Client issues: None
  Network issues: Same
  System/hardware issues: None
Active Directory Integration Needs If multiple ISA Servers will be installed, is Active Directory integration part of the plan? The dual benefits of centralized administration and using distributed and/or hierarchical caching provide ample reason to do so. However, it is not necessary to integrate ISA Server in an Active Directory domain to benefit from its use. ISA Server can be installed as a standalone server without AD integration. Domain membership of the Windows 2000 server on which ISA Server will reside is not necessary if ISA Server will be installed as a standalone server. However, if the Windows 2000 server is a domain member, this will not prevent the installation of ISA Server in a standalone mode.
If Active Directory integration is desired, two factors affect your planning and preinstallation activity:

• First, you must have Schema Admin and Enterprise Admin membership before you can use the ISA Server Active Directory Initialization utility.
• Second, you must wait until the schema modifications replicate to all domain controllers. It is only necessary to apply the utility once in the enterprise, but it may take some time before changes are replicated throughout the forest.

A good practice to follow is to initialize the Active Directory well before beginning installation of ISA Server. This allows the schema modifications to replicate to all domain controllers in all domains in the forest well before your installation of ISA Server. The modification to the schema has no impact on your current ability to access the Internet. If you do not currently have a Windows 2000 domain installed in your network, but want to take advantage of the features that are only available with Active Directory integration, you can install a Windows 2000 domain in order to do so. You should be aware, however, that client usage of ISA Server features may be limited where Active Directory domain based authentication is not instituted.
Interoperation with and Requirements for Other Services

Part of the planning process must be to investigate ISA Server interoperability with services that may already be employed in the network. The following services, applications, servers and so on should be considered.

• Windows NT 4.0 domains. ISA can be installed on a standalone Windows 2000 server in a Windows NT 4.0 domain.
• ISA Server arrays in a Windows NT 4.0 domain. An ISA Server array requires a Windows 2000 domain. However, this domain can be joined in a trust relationship with a Windows NT 4.0 domain in order to provide services to Windows NT 4.0 clients.
• Routing and Remote Access. ISA Server provides remote connectivity and extends RRAS. ISA can use the dial-up entries configured for RRAS (RRAS can run on the ISA Server). You should allow ISA packet filtering to replace RRAS packet filtering and allow the ISA Server to provide remote connectivity for internal clients.
• IIS Server. IIS Server is not required on an ISA Server. It can run on one. However, you should configure Web-publishing rules if you want to allow public users to access the Web server. Set the IIS Server to listen on a port different from port 80, as ISA Server listens for inbound Web requests on that port.
• Internet Connection Sharing (ICS). ISA Server replaces the need to run Internet Connection Sharing.
• IPSec. ISA Server can be configured as an IPSec/L2TP VPN server.
• Terminal services may be installed on the ISA Server for remote administration purposes.
• SNMP may be installed if required to support network management devices.
• Other applications and services. Running other applications on the ISA Server can be done by creating packet filters that allow their services access. However, if the ISA Server is acting as a firewall, you should avoid statically opening ports (that is, by creating packet filters). In most cases it is not a good idea to enable additional applications on the ISA Server. According to a Microsoft publication, “Deployment of ISA Server at Microsoft: Planning, Deploying and Lessons Learned,” available at http://www.microsoft.com/isaserver/techinfo/itgdeploy.htm, the following services should be disabled on the ISA Server because they are not necessary. Disabling unnecessary services is a good security practice.
  • Computer browser
  • Fax service
  • License logging
  • Distributed file system
  • Distributed link tracking

WARNING: Un-un-ah!! Incidentally, the article also suggests disabling the telephony service. Do not do this! The ISA Server services are dependent on the telephony service. The Microsoft roll-out was done with beta ISA Server and perhaps the telephony service dependency was not there.

To disable services, follow Step by Step 2.1.

STEP BY STEP 2.1 Disabling Services
1. Open Start\Programs\Administrative Tools\Services.
2. Select the service you want to disable.
3. Right-click the service you selected and click Stop.
4. After the service stops, right-click the service and select Properties.
5. In the Startup Type drop-down box, select Disable.
6. Click OK.
Making Hardware Choices

Choosing the correct hardware for your ISA Server will depend on the server mode and features that you intend to use and the anticipated usage of the system. You should be aware of minimum system requirements, estimating guidelines, and potential specialized hardware that will improve performance. The following sections help you determine your system’s needs.

Minimum System Requirements

Use the following minimum system requirements as the starting point in determining the actual hardware specifications for your ISA Servers:

• 256MB RAM (ISA Server will install at much less)
• 20MB of hard disk space (does not include space for cache)
• 300MHz Pentium II compatible CPU
• Windows 2000-compatible network adapter for communication with the internal network
• Modem, or other type of adapter for communications with the Internet
• Hard disk volume formatted with NTFS (required for Web cache—more secure)

EXAM TIP: IE on ISA. If you must run IE on the ISA Server, configure the browser to use the IP address of the internal network adapter. Should you use the computer name or DNS name, they will resolve to the external adapter name and access will be denied.
Estimating Cache Requirements

For Web-caching servers additional hard drive space is required. To estimate space, use Table 2.2 and see the section, “Configuring the Cache” in Chapter 3. It is preferable to have a separate disk for cache from the system drive.

TABLE 2.2
ESTIMATING CACHE DISK REQUIREMENTS

# of Users   Disk Space for Caching   # ISA Servers
1,000        10GB per 1,000 users     1 per 1,000, or add additional processors/larger processors/more RAM
Estimating Publishing Requirements

You should estimate publishing requirements by using the expected requests per second from external users. For a single ISA Server computer the recommended system configuration is included in Table 2.3.

TABLE 2.3
ESTIMATING PUBLISHING REQUIREMENTS

Hits/Second   Server Configuration                                                     RAM*
250           Add another processor or another computer for each 250 hits per second   256

* RAM is based on the amount of cacheable content. The best scenario is to enable the entire cached content to be available in memory.
Network Card Requirements

It is not necessary to have two network cards installed in the Windows 2000 computer prior to installing ISA Server. However, if you want to use the ISA Server as a firewall, you must provide two network cards. One network card becomes the interface on the external (Internet) network and the other becomes the interface on the internal (private) network.
Hard Disk Requirements In addition to estimating hard disk size, consideration should be given to the number of drives and the ability to locate different items on separate drives. Specifically, consider the following:
• Acquiring RAID arrays for performance and redundancy.
• Separation of ISA Server logs and Web cache to improve fault tolerance.
• Mirroring the operating system (RAID level 1).
• Providing a RAID level 5 (striping with parity) array for the logs.
• Providing Web cache space on multiple drives provided strictly for their use will allow the ultimate in fault tolerance. Should one of the drives holding the cache crash, the only loss is that drive’s cached data. Other cache drives can continue to function and support the Web-caching service.
Additional Hardware Requirements for VPNs Encryption of data tunneled through a Virtual Private Network requires substantial processing power. While the tunnel endpoint should have sufficient processing power, you may be able to offload some of the processing to special network cards which have onboard processors suited to perform the encryption. 3COM and Intel, for example, both have such cards which can perform IPSec encryption.

NOTE
Keep Your Cake and Eat It, Too Purchase special NIC cards to offload IPSec encryption, thus reducing the demand on the CPU and avoiding the purchase of more expensive dual-processor systems to increase throughput. Find information on the 3COM 10/100 NIC with 3XP processor at http://buydirect.3com.com/iom_dcms/b2c/catalog/detail.html?SKU=3CR990SVR97&SM=. Information on Intel’s card is at http://www.intel.com/network/products/pro100s_srvr_adapter.htm. More importantly, the results of testing the throughput of these cards can be found at http://www.intel.com/network/documents/pdf/intel_ipsec_final.pdf.

Microsoft Deployment Example The results of deploying ISA Server during beta testing used the following servers and hardware configuration (see Table 2.4). These results are published on the Microsoft Web site.

TABLE 2.4
DEFAULT SECURITY GROUP FILE PERMISSIONS
CPUs/Server | Memory | Disk Space/Cache | Concurrent Users/Array | Servers/Array
2 | 128MB | 36G | 1,500 | 2
2 | 128MB | 54G | 5,000 | 4
4 | 256MB | 63G | 40,000 | 9
Remote Administration Needs Remote administration can be accomplished by installing the administration program on Windows 2000 Professional. It is not necessary to provide a high-end system for this purpose.
Client Considerations Installing ISA Server might require changes to other computers on your internal network. While you cannot reconfigure clients to point to the ISA server until the server has been installed and configured, you should have a plan in place for doing so. The following questions should be asked:
• Which clients will become Web proxy clients? Their browsers will need to be configured to point to the ISA Server.
• Will the ISA server be configured to allow automatic discovery? Client systems configuration should reflect this.
• Which clients will need the firewall client installed? Preparations and a schedule for implementation should be made.

WINDOWS 2000 INSTALLATION AND CONFIGURATION
Microsoft ISA Server can only be installed on a Windows 2000 computer running Service Pack 1 or above. Server, Advanced Server, or Datacenter Server is acceptable. Prior to installing ISA Server, you should install Windows 2000 Server on the appropriate hardware. You need to consider the following additional Windows 2000 options:
• Service Packs and hotfixes. Service Pack 1 is the current requirement. You should check the Microsoft Web site for recommendations on additional hotfixes that may be useful, recommended, or required.
• SMTP service. In order to install the ISA Server Message Screener option, you need to install the Windows 2000 SMTP service.
• IIS. Generally, you should not install IIS on the Windows computer on which you will be installing ISA Server. IIS is not required for ISA Server.
• Domain membership/server role. It is recommended that ISA Server not be installed on a Windows 2000 domain controller. The issue is not with functionality, but with the need to protect the domain controller. If you take advantage of array membership and enterprise policies, you should install ISA Server on a Windows 2000 server that is a domain member. ISA Server can be installed as a standalone server on a Windows 2000 standalone server or domain member.

NOTE
Release Time Hotfix Rollup At the time of product release, a hotfix rollup was recommended. The rollup is known as “Windows 2000 Post Service Pack 1 Update for Internet Security and Acceleration Server” (Q275286_W2K_SP2.exe); more information is available in Knowledge Base article Q275286. The hotfix includes three fixes described in these articles:
• Q270921 Windows 2000 Quality of Service Packet Scheduler Service Does Not Filter and Flow Forwarded Traffic
• Q270923 Windows 2000 QoS Packet Scheduler Sends Packets with Wrong Checksum on Network Adapters that Enable Hardware Checksum
• Q271067 Client Computer with High Connect Rate Opens Many Sockets
You should review these hotfixes and apply them if the need to do so has not been replaced by Service Pack 2 for Windows 2000, or some other documentation which indicates otherwise. Visit www.microsoft.com and search on the Q numbers listed previously to read the most current articles.
PREINSTALLATION NETWORK CONFIGURATION Preconfigure network interfaces.
Prior to installation, decisions on server placement and preinstallation network configuration should be accomplished. Particular attention should be paid to the Windows 2000 server’s network configuration and the testing of connectivity between this server, the internal network and the Internet.
Server Placement Two major site placement areas should be considered. First, for firewall placement, the ISA server should be placed at Internet access points to assure traffic is routed through the firewall prior to entering the private network (see Figure 2.1). Second, if the ISA Server is to be used in Web-caching mode, two alternatives are possible:
• Perimeter arrays. Collections of several ISA servers arranged for distributed caching (see Figure 2.2).
• Hierarchical caching, or chains of ISA servers, so that caches are located close to the workgroups that use them (see Figure 2.3).
Of course, some combination of distributed caching and hierarchical caching can be used (see Figure 2.4). The placement of multiple ISA Servers or arrays in a large distributed network will ultimately be affected by the placement of datacenters and Internet portals.
Verify Network Connectivity Prior to installing ISA Server, you should verify that the network interface to both networks is working.
FIGURE 2.1 Firewall placement (Internet, ISA Server, private network).
FIGURE 2.2 Perimeter array for distributed caching (Internet, ISA Server Array).
FIGURE 2.3 Hierarchical caching (Internet, ISA Server, chained ISA Servers).
FIGURE 2.4 Combination hierarchical and distributed caching (Internet, multiple ISA Server Arrays).
TCP/IP Network Card Configuration Only the external adapter should be configured with the IP address of the default gateway. The internal network adapter requires a permanent, reserved IP address and appropriate subnet mask for the local network. DHCP should not be used as it attempts to reset the default gateway configured for the ISA Server adapter. Microsoft recommends that the following be disabled on the external network card:
• Client for Microsoft Networks
• File and Printer Sharing
• Register this connection in DNS
• NetBIOS
The steps for this are listed in Step by Step 2.2.
STEP BY STEP 2.2 Modifying External Network Card Properties
1. Open the Properties page of the external network card connection.
2. In the Components Checked Are Used By This Connection window, uncheck File and Printer Sharing for Microsoft Networks and Client for Microsoft Networks.
3. In the same window, select Internet Protocol (TCP/IP) and click the Properties button.
4. On the Internet Protocol (TCP/IP) Properties page, click the Advanced button.
5. Click the DNS tab.
6. Uncheck the box for Register This Connection’s Addresses in DNS.
7. Click the WINS tab.
8. Click the radio button Disable NetBIOS over TCP/IP.
9. Click OK twice.
Testing Connectivity Use ping or another tool to verify that the ISA Server computer can be reached from the internal network. Do this from another computer on the same internal segment, and do so before installing ISA Server software. If you will be publishing internal Web servers or other servers, verify connectivity between these servers and the ISA Server computer prior to installing ISA Server. These servers should also have static IP addresses.
Verify Internet Connectivity Verify Internet connectivity before installing ISA Server.
ISA Server does not create a connection to the Internet; it modifies what happens when that connection is in use. You must establish and test Internet connectivity prior to installing and configuring ISA Server.
Connectivity Requirements ISA Server can be connected to the Internet through a direct link, xDSL, cable modem, T1, ISDN, or regular dial-up modem to your Internet service provider. You must provide the appropriate external network adapter or modem, router, and so on. An Internet accessible IP address is required for the ISA Server. This can be obtained from the ISP along with the ISP’s default gateway and other necessary configuration information such as ISP DNS server IP addresses and specific hardware configuration settings. Web servers, mail servers, and other Internet accessible servers must have associated Internet addressable IP addresses. However, you may decide to use that address in different ways. Either the computer may be located on a protected perimeter network (demilitarized zone or DMZ) and use the address, or the address may actually reside on your ISA Server. (The ISA Server can be used in a reverse caching scenario.)
You need to know or arrange for name resolution for these servers, either by hosting your own DNS servers or by outsourcing name resolution to your ISP. If you will be managing your own DNS servers for purposes of Internet name resolution, be sure that you have taken the appropriate steps to establish those DNS servers’ connectivity with the Internet.
Establishing a Connection After you have configured the Windows 2000 server on which you will be installing ISA Server, test Internet connectivity. You may be able to ping your ISP’s router from the server, or request that the ISP provide you with other tools or evidence of connectivity.
Verify Name Resolution Verify DNS name resolution.
Finally, use a browser to test name resolution to the Internet. From a browser on the Windows 2000 server, enter a Web site URL. If the home page is loaded, you are successfully reaching the Internet and DNS is providing name resolution. Routing rules on the ISA Server will configure and secure routing between the external network and servers on the internal network. If the ISA Server IP address is registered in an external DNS server, you should test name resolution from the Internet to the ISA server. Although the ISA server is not yet installed and configured to forward requests to internally published servers, you can verify that the server URL is resolving to the address of the ISA Server.
CHAPTER SUMMARY
KEY TERMS
• Identd
• Schema Admin
• Enterprise Admin
• Internet Connection Sharing
• IPSec
• L2TP
• SNMP
• Computer browser service
• Fax service
• License logging service
• Distributed file system service
• Distributed link tracking service
• SMTP service
Computer spec’d, configured, and installed? Internet connectivity established and tested? Preparations for a smooth transfer locked and loaded? This chapter detailed the steps to do so. Head on to the next Chapter to install ISA.
APPLY YOUR KNOWLEDGE

Exercises

2.1 Install and Configure Windows 2000

As this chapter emphasized, there are several steps to take prior to installing ISA Server. You will want to follow the recommendations detailed in this chapter to set up Windows 2000 to serve as the ISA Server host. Don’t forget to verify network and Internet connectivity. You might want to scan ahead to the exercises in Chapter 3 and prepare more than one server in order to be ready for those tasks.

Estimated Time: 60 minutes
1. Install Windows 2000 Server or Advanced Server and apply Service Pack 1 (or the current service pack).
2. Apply any recommended hotfixes.
3. Configure networking using recommendations from this chapter.
4. Verify network connectivity.
5. Verify Internet name resolution.

Review Questions
1. Why should you disable unnecessary services?
2. What will the impact of disabling File Sharing on the external network card be?
3. Should RRAS be configured on the ISA Server computer?
4. You can select RAID for the ISA Server. How will you use it?
5. You want to provide an IPSec/L2TP VPN tunnel on the ISA Server. Management speculates that this will produce a bottleneck. What will you say?

Exam Questions
1. The following services should be enabled on the Windows 2000 server which will host the ISA Server. (The message screener option is required.) Choose two correct answers.
A. World Wide Web
B. SMTP
C. Telephony
D. Computer browser
2. The following steps should be taken prior to installing ISA Server. Choose two correct answers.
A. Install Windows 2000/SP1.
B. Join the Windows 2000 server to a Windows 2000 domain.
C. Test network connectivity.
D. Configure the network cards via either DHCP or static IP addresses.
3. The ABCD Company is preparing a Windows 2000 computer for the installation of ISA Server on its network.
Required Result: The ISA Server computer will provide firewall and server hosting services.
Optional Desired Results: The ISA Server will be part of a centrally managed array of ISA Servers. The ISA Server will provide Web caching services.
Proposed Solution: Service Pack 1 for Windows 2000 is applied to the Windows 2000 standalone server. The external network card is configured with an Internet addressable static IP address. Connectivity with the Internet and the internal network is tested. Hard drives are formatted with the FAT file system. Recommended services are disabled or available and working as prescribed.
Evaluation of Proposed Solution: Which result(s) does the proposed solution produce?
A. The proposed solution produces the required result but neither of the optional results.
B. The proposed solution produces the required result and one of the optional results.
C. The proposed solution produces the required result and both of the optional results.
D. The proposed solution does not produce the required result.
4. The ABCD Company is preparing a Windows 2000 computer for the installation of ISA Server on its network.
Required Result: The ISA Server computer will provide firewall and server hosting services.
Optional Desired Results: The ISA Server will be part of a centrally managed array of ISA Servers. The ISA Server will provide Web caching services.
Proposed Solution: Service Pack 1 for Windows 2000 is applied to the Windows 2000 standalone server. The server is joined to a Windows 2000 domain. The external network card is configured with an Internet addressable static IP address. Connectivity with the Internet and the internal network is tested. Hard drives are formatted with the FAT file system. Recommended services are disabled or available and working as prescribed.
Evaluation of Proposed Solution: Which result(s) does the proposed solution produce?
A. The proposed solution produces the required result but neither of the optional results.
B. The proposed solution produces the required result and one of the optional results.
C. The proposed solution produces the required result and both of the optional results.
D. The proposed solution does not produce the required result.
5. The ABCD Company is preparing a Windows 2000 computer for the installation of ISA Server on its network.
Required Result: The ISA Server computer will provide firewall and server hosting services.
Optional Desired Results: The ISA Server will be part of a centrally managed array of ISA Servers. The ISA Server will provide Web caching services.
Proposed Solution: Service Pack 1 for Windows 2000 is applied to the Windows 2000 standalone server. The server is joined in a Windows 2000 domain. The external network card is configured with an Internet addressable static IP address. Connectivity with the Internet and the internal network is tested. Hard drives are formatted with the NTFS file system. Recommended services are disabled or available and working as prescribed.
Evaluation of Proposed Solution: Which result(s) does the proposed solution produce?
A. The proposed solution produces the required result but neither of the optional results.
B. The proposed solution produces the required result and one of the optional results.
C. The proposed solution produces the required result and both of the optional results.
D. The proposed solution does not produce the required result.
6. Figure 2.5 represents the disk arrangement on computer A. Which of the following hard disk arrangements would be preferable for an ISA Server computer?
A. Operating System on C, ISA on D, Logs on E.
B. Operating System on C, ISA on F, Cache on G, Logs on D.
C. Operating System on C, ISA on C, Cache on F, Logs on G.
D. Operating System on D, ISA on C, Cache on E, Logs on G.

FIGURE 2.5 Disk drive selection (Disk 0, Disk 1, Disk 2; partitions C:, D:, E:, F:, G:, all NTFS).
Answers to Review Questions
1. Removing unnecessary services improves efficiency and reduces the possibility of successful attack. Every additional service has its own vulnerabilities. See the section, “Interoperation with and Requirements for Other Services.”
2. Disabling File Sharing on an external network card will prevent external connection to the file system of the ISA server. If an external client can connect directly to the ISA Server file system, there is a possibility that damage could be done to the server or the network it protects. See the section “TCP/IP Network Card Configuration.”
3. The RRAS service is compatible with ISA; in fact, ISA extends this service. However, the ISA Server services should be used to create Virtual Private Networks, provide remote connectivity, and provide packet filtering features. Network address translation should be configured in ISA. The Internet Connection Sharing service should not be configured on the ISA Server. See the section, “Interoperation with and Requirements for Other Services.”
4. Configure RAID level 1 (mirror) for the operating system partition to provide redundancy. Configure RAID level 5 (striping with parity) for the logs to provide increased read performance. See the section, “Hard Disk Requirements.”
5. Special network cards are available which can offload the IPSec encryption to their onboard processors. Card manufacturers’ test results show excellent throughput when these cards are used. IPSec/L2TP VPNs are more secure. See the section, “Additional Hardware Requirements for VPNs.”

Answers to Exam Questions
1. B, C. SMTP is necessary prior to the installation of the message screener service. The firewall and Web proxy services are dependent on the Telephony service. A is incorrect. While you can install IIS on the ISA Server computer, it is not necessary. D is incorrect. This service is not necessary. See the sections, “Windows 2000 Installation and Configuration,” and “Interoperation with and Requirements for Other Services.”
2. A, C. Service Pack 1 is required. Network connectivity should be tested. B is wrong. Although you may want to join the Windows 2000 server to a Windows 2000 domain, it is not necessary unless you require Active Directory integration. D is wrong. You should not configure the network cards via DHCP. See the sections, “Windows 2000 Installation and Configuration” and “TCP/IP Network Card Configuration.”
3. A. Although the server may require additional steps to make it a more secure firewall, there is nothing in the initial configuration that will prevent ISA Server from installing and being configured to provide firewall services. However, the two optional results cannot be met. First, because the ISA server is not a member server in a Windows 2000 domain, centralized management of an array of ISA servers cannot be accomplished. Second, because the file system is FAT, Web caching services cannot be configured. See the sections, “Making Hardware Choices,” and “Windows 2000 Installation and Configuration.”
4. B. Now the computer is joined in a domain, Active Directory Schema modification and the installation of ISA Server in an array can be accomplished. However, Web caching services cannot be provided until NTFS formatted disk space is available. See the sections, “Making Hardware Choices,” and “Windows 2000 Installation and Configuration.”
5. C. Now all requirements are met. See the sections, “Making Hardware Choices,” and “Windows 2000 Installation and Configuration.”
6. C. Placing the operating system on a drive separate from the cache or logs provides a greater chance of recovery. No other configuration here does that. See the section, “Hard Disks.”
Suggested Readings and Resources
1. Information on licensing and pricing at http://www.microsoft.com/isaserver/productinfo/pricing.htm.
2. Deployment of ISA Server at Microsoft: Planning, Deploying and Lessons Learned at http://www.microsoft.com/isaserver/techinfo/itgdeploy.htm.
3. Lee, Thomas. Microsoft Windows 2000 TCP/IP Protocols and Services Technical Services. Microsoft Press, 2000.
4. Liu, Cricket, et al. DNS and BIND. O’Reilly & Associates, Third Edition, 1998, ISBN: 1565925122.
CHAPTER 3
Installing ISA Server

OBJECTIVES
This chapter covers the following Microsoft-specified objectives for the Installing ISA Server section of the Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server 2000 exam:

Install ISA Server. Installation modes include integrated, firewall, and cache.
• Construct and modify the Local Address Table (LAT).
• Calculate the size of and configure the cache.

There are two versions of ISA Server:
• Standard. This version can only be installed on a standalone or member server. It cannot be part of an array.
• Enterprise. The Enterprise edition can be part of an array and take advantage of the Active Directory to share policies.

Each version can be installed in one of three modes:
• Firewall. ISA Server will be a dedicated firewall.
• Caching Server. ISA Server will be a caching server. Requests from the private network for access to public network services are filtered through ISA Server’s rules and policies. Approved requests (unless they are SSL or HTTPS, or are otherwise configured) will be cached on the ISA Server. Subsequent approved requests for this material are served from the ISA Server. Additional access to the Internet is not necessary. In caching mode, the ISA server can also be configured to forward requests from the public network to Web servers on the private network. The requested pages can be cached on ISA Server and served to the public network.
• Integrated. In integrated mode, ISA Server is both a firewall and a caching server.

In addition to the preinstallation determinations, you must understand how the ISA Server is to be used, and configure two major parameters during installation. These parameters are the Local Address Table (LAT) and the cache. When ISA Server is used as a caching server, the size of the cache will have important implications for performance and operation. In firewall mode, the LAT defines for ISA Server which TCP/IP addresses are considered to be on its local or private network, and which subnets are considered to be on the public network. Improper LAT configuration can prevent access to the private network from the local network. More importantly, it can be a severe security liability, allowing penetration of the private network from the public network.

Troubleshoot problems that occur during setup.
• No installation process is without possibility for failure. While the ISA Server installation process is relatively smooth and easy, there are areas where possible problems can occur. Many of the problems can be avoided if the installer is aware of the problem areas. Many of the installation failures can be corrected with the proper application of knowledge.

OUTLINE
Introduction
Installation Processes Common to Several Configurations
Constructing and Modifying the Local Address Table (LAT)
LAT Problems
Configuring the LAT
Configuring the Cache
Cache Placement
Calculating Cache Size
Allocation of Memory for Caching
Installing ISA Server
Installation Defaults
Standard Edition Generic Instructions
Enterprise Edition
Installing the ISA Server Schema in the Active Directory
Install ISA Server Enterprise Edition
Firewall/Integrated Mode: Configuring the LAT
Integrated/Caching Mode: Configuring the Cache
Unattended Setup
Installing Additional ISA Servers in an Array
Troubleshooting the Installation
Failed Installation
Can’t Install in Existing Array
Installation Fails to Complete: You Cannot Run the Uninstall Program
Was Installation Successful?
Verification Process
Event ID 14111 The ISA Server Cache Could Not Start
Event ID 14176, 14164, 14172 The Disk Cache Failed to Initialize and Is Disabled
Event ID 14010, 14063 The Firewall Service Did Not Start Due to Corrupt Data
A Generated LAT Is Not Correct
You Are Unable to Access Internet Resources
Users Can Access Sites on the Internet
Uninstalling ISA Server
Chapter Summary
Exercises
Review Questions
Exam Questions
Answers to Review Questions
Answers to Exam Questions

STUDY STRATEGIES
• Recognize that there are two important parts to installing ISA Server: placement of the server, and choices made during installation.
• Install ISA multiple times. Before you decide that, in your case, this is not necessary, consider the possible choices that must be made during installation. You have to choose whether to install in Caching mode, Firewall mode, or both. You must make decisions about the Local Address Table and the cache. In addition, if this ISA Server is to participate in an array, you must select the appropriate hierarchical or lateral array.
• During your installations, vary the options that you select. You will, of course, need multiple systems for this exercise. If you have limited practice systems, a good approach is to make your systems dual boots of Windows 2000 and install a different configuration of ISA Server on each boot so that you can return to them to compare differences on future exercises.
• Be especially sure to make two of your installation exercises (one for caching and one for firewall) involve the Enterprise edition and install an array. If you leave these two servers installed at the finish of this chapter, you will be set to configure enterprise policies. The chapter review questions will test your knowledge of installation issues.
• Understand which choices made during installation will impact the configuration choices you can make after installation, as well as determine if the server will meet the needs it was purchased to meet.
• Realize a haphazard installation can leave the network more vulnerable to attack than before. (Additional risks can be added; the company thinks it is secure when it is not and thus does not follow previous good security practices.)
INTRODUCTION If you understand the design principles behind determining where to place the server, this will lead to the proper preconfiguration of the server. The previous chapter presented various alternatives for firewall and caching server placement and the network configuration process that follows that choice. This chapter concentrates on the actual ISA Server installation steps. Because there are two versions of ISA Server, and three modes, six possible scenarios exist. You should know how all of them work. Although client issues are covered in another chapter, you should be aware that none of the six scenarios impact whether non-Microsoft clients can benefit from the introduction of an ISA Server. The ISA Server must be installed on a Windows 2000 Server, but clients of all operating system types can benefit from the firewall.
INSTALLATION PROCESSES COMMON TO SEVERAL CONFIGURATIONS
Install ISA Server. Installation modes include integrated, firewall, and cache.
• Construct and modify the local address table (LAT).
• Calculate the size of the cache and configure it.
• Install ISA Server as a member of an array.
Although there are many ways that ISA Server can be installed, each installation has processes in common with the others. Table 3.1 lists these common installation processes that all, or some, installations may require.
TABLE 3.1
WHICH INSTALLATION REQUIRES WHAT?
Process | Firewall | Caching | Integrated
Configure the LAT | Yes | No | Yes
Configure the initial cache | No | Yes | Yes
Update Active Directory Schema prior to installation | Enterprise version | Enterprise version | Enterprise version
Configure an Enterprise Policy | Enterprise version | Enterprise version | Enterprise version
Constructing and Modifying the Local Address Table (LAT)
ISA Server firewall uses the Local Address Table (LAT) to determine which addresses are in the internal or private network and which addresses are outside, in the public network. The LAT should contain all IP address ranges that exist in the private network. It might also contain the private IP address ranges assigned by the Internet Assigned Numbers Authority (IANA) and detailed in RFC 1918. This information is important for these reasons:
• The firewall uses this list to determine which IP addresses are within its private network, and which IP addresses are public, and thus how to interpret its access rules.
• The firewall client periodically downloads and always uses a copy of the LAT to determine which addresses to forward to the firewall, and which to request directly.
• SecureNAT clients do not have a copy of the LAT. Their requests are forwarded to the ISA Server, which makes external requests for them.
If you install ISA Server in either firewall mode or integrated mode, you must configure the LAT.

NOTE
IANA Private Address Ranges The three private address ranges identified by IANA are specified in RFC 1918. (RFCs, or Requests for Comments, are collaborative documents that attempt to define rules and standards to be used on the Internet. For more information, or to look up RFC 1918, visit www.ietf.org.) The private address ranges listed in this RFC are never used on the public Internet. They are:
• 10.0.0.0 to 10.255.255.255 (a single Class A network)
• 192.168.0.0 to 192.168.255.255 (16 contiguous Class B networks)
• 172.16.0.0 to 172.31.255.255 (256 contiguous Class C networks)
76
Par t I
INSTALLATION AND UPGRADE
Addresses are added to the LAT in several ways:
• ISA Server constructs the LAT based on the Windows 2000 routing table of the network card you identify during setup as being on the private network.
• Adding the private address ranges from RFC 1918.
• Manually adding the private address ranges from your network that are not present in the routing table.
LAT Problems
If the routing table is not constructed correctly, the LAT will be wrong. If the LAT is incorrect, requests for internal objects may be routed to the Internet and vice versa. This is annoying at the least, and can provide a security vulnerability.
Configuring the LAT
To configure the LAT, perform the steps outlined in Step by Step 3.1.
STEP BY STEP 3.1 Configuring the LAT
1. During installation, click the Configure the LAT button. After installation, right-click the Local Address Table object in the ISA Management console (Servers and Arrays\name\network configuration\Local Address Table).
2. To add the IANA private address ranges, select the Add the Following Private Ranges check box.
3. To add addresses using the computer's routing table, select the Add Address Ranges Based on the Selected Computer's Windows 2000 Routing Table check box.
4. In Select Computer, click the desired computer.
5. Select the check boxes for the NICs whose address ranges are needed, then skip step 6.
6. To add entries manually, click New, and then click LAT Entry. Enter from and to addresses to specify a range.
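The LAT logic described above (construction from the selected NIC's routing table, the RFC 1918 ranges and manual entries, and the firewall client's forward-or-direct decision), as an added Python example that is not code from the book or from ISA Server. The routing-table rows, the 192.168.10.0/24 subnet, the 203.0.113.0/24 range (standing in for a registered range that is routed internally but absent from the routing table) and the host addresses are constructed sample data; skipping default, loopback and host routes is this example's own choice, standing in for ISA Server's selection of the internal NIC's routes.

```python
import ipaddress
from typing import Iterable, List, Tuple

# A LAT entry is a (from, to) address pair, the same form the LAT Entry dialog uses.
Range = Tuple[str, str]

# The three RFC 1918 private ranges listed in the chapter.
RFC1918_RANGES: List[Range] = [
    ("10.0.0.0", "10.255.255.255"),
    ("172.16.0.0", "172.31.255.255"),
    ("192.168.0.0", "192.168.255.255"),
]


def ranges_from_routing_table(routes: Iterable[Tuple[str, str]]) -> List[Range]:
    """Turn (destination, netmask) rows of the internal NIC's routing table into LAT ranges.

    The default route (0.0.0.0/0), loopback, multicast and host (/32) routes are skipped.
    Letting the default route through would mark every address as local, which is the
    wrong-LAT failure the "LAT Problems" paragraph warns about.
    """
    ranges: List[Range] = []
    for destination, netmask in routes:
        net = ipaddress.IPv4Network(f"{destination}/{netmask}", strict=False)
        if net.prefixlen in (0, 32) or net.is_loopback or net.is_multicast:
            continue
        ranges.append((str(net.network_address), str(net.broadcast_address)))
    return ranges


def build_lat(routes: Iterable[Tuple[str, str]], include_private: bool = True,
              manual: Iterable[Range] = ()) -> List[Range]:
    """Assemble the LAT the way the chapter describes: routing-table ranges, optionally the
    RFC 1918 ranges, plus manually added ranges. Duplicate entries are dropped."""
    entries = ranges_from_routing_table(routes)
    if include_private:
        entries += RFC1918_RANGES
    entries += list(manual)
    return list(dict.fromkeys(entries))


def is_local(lat: List[Range], ip: str) -> bool:
    """True if the address falls inside any LAT range (inclusive on both ends)."""
    addr = ipaddress.IPv4Address(ip)
    return any(ipaddress.IPv4Address(lo) <= addr <= ipaddress.IPv4Address(hi) for lo, hi in lat)


def firewall_client_decision(lat: List[Range], destination: str) -> str:
    """What a firewall client does with a request, using its downloaded copy of the LAT."""
    return "direct" if is_local(lat, destination) else "forward to ISA Server"


def lat_gaps(lat: List[Range], known_internal_hosts: Iterable[str]) -> List[str]:
    """Internal hosts the LAT does not cover; requests to them would be sent to the
    firewall and handled as external traffic."""
    return [ip for ip in known_internal_hosts if not is_local(lat, ip)]


# Constructed sample data: the internal NIC's routing table and hosts known to be internal.
INTERNAL_NIC_ROUTES = [
    ("0.0.0.0", "0.0.0.0"),               # default route (must be ignored)
    ("127.0.0.0", "255.0.0.0"),           # loopback (ignored)
    ("192.168.10.0", "255.255.255.0"),    # the subnet on the internal NIC
    ("192.168.10.1", "255.255.255.255"),  # host route for the NIC itself (ignored)
]
# 203.0.113.7 sits in a routed internal range that is not in this computer's routing table.
KNOWN_INTERNAL_HOSTS = ["192.168.10.25", "203.0.113.7"]

if __name__ == "__main__":
    lat = build_lat(INTERNAL_NIC_ROUTES)
    print("gaps before manual entry:", lat_gaps(lat, KNOWN_INTERNAL_HOSTS))
    lat = build_lat(INTERNAL_NIC_ROUTES, manual=[("203.0.113.0", "203.0.113.255")])
    print("gaps after manual entry:", lat_gaps(lat, KNOWN_INTERNAL_HOSTS))
    for dest in ("192.168.10.25", "203.0.113.7", "198.51.100.9"):
        print(dest, "->", firewall_client_decision(lat, dest))
```

Running it shows the "LAT Problems" case: with only the routing table and the RFC 1918 ranges, 203.0.113.7 is treated as external until its range is added manually, which is the kind of gap a post-installation review of the LAT should look for.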
Chapter 3
Configuring the Cache
If the ISA Server is to be used as a caching server (Caching or Integrated mode), adequate disk space must be reserved to hold data acquired by the server and held for use by internal clients. Space may also be needed if the ISA Server is to be used for reverse proxy (caching of internal Web pages for the use of external clients). Three considerations are important:
• Cache placement
• Cache size
• Allocation of memory to be used for caching
Although there are general suggestions from Microsoft on calculating cache size, the ISA Server documentation provides specific requirements for forward caching, as listed in Table 3.2. This information will help you plan ISA Server arrays by recognizing the appropriate requirements for computer hardware, RAM, and cache size. The best information will be information collected by monitoring your current configuration over time and applying it to tune your ISA Servers.
TABLE 3.2
FORWARD CACHING REQUIREMENTS
                        Less than 500 Users   500–2,000 Users       More than 2,000 Users
Computer configuration  Pentium II, 300 MHz   Pentium III, 550 MHz  Pentium III, 550 MHz computer for each 2,000 users
RAM                     256MB                 256MB                 256MB for each computer (for each 2,000 users)
Cache disk space        2–4GB                 10GB                  10GB for each computer (for each 2,000 users)
INSTALLING ISA SERVICE
77
Cache Placement
The initial drive location for the cache and its minimum size are determined by the following:
• Volume must be NTFS.
• Drive must be a local drive, not a network drive.
• A minimum of 5MB must be set aside for the cache or installation will fail.
• If a minimum of 150MB is free during installation, a minimum cache of 100MB will be suggested.
• Best performance will be gained if the cache drive is different from the ISA Server installation drive.
• Drives are selected during installation, but can be modified afterward.
• Multiple drives can be configured to hold part of the cache.
NOTE
Convert to NTFS
If you do not have a drive formatted with NTFS and need one, but do not want to lose data already on the drive, you can convert the drive from FAT to NTFS. The command is
CONVERT volume /FS:NTFS
Volume represents the drive letter of the volume you want to convert. The /V switch can be added at the end to provide verbose comments on drive conversion.
Calculating Cache Size
A minimum of 5MB must be available for the cache, but what is the best size to set aside for superior performance? The current recommendation is to start with a minimum of 100MB plus a minimum of 0.5MB per Web proxy client, then round this up to the nearest MB. Of course, if more space is available, that can also be allocated. Thus, a user community of 1,005 using one ISA Server configured in caching mode would require a minimum of:
1,005 × 0.5MB + 100MB = 502.5MB + 100MB = 602.5MB, rounded up to 603MB
Allocation of Memory for Caching
You can configure the amount of memory used for caching on the Advanced tab of the Cache Configuration Properties dialog box. Allocating memory for caching is important because it affects the performance of the system.
INSTALLING ISA SERVER
Prior to installing a new product, it is helpful to view step-by-step instructions. The sections that follow detail installation defaults and list steps for installing ISA Server. The instructions are divided into three parts:
• First, information on installation defaults and a general set of instructions, one that does not go into detail where there are diverging paths, is listed.
• Next, individual instructions are listed for each of these options.
• Finally, additional steps are provided for installation issues such as installing additional array members, uninstalling ISA Server, and unattended setup.
Table 3.3 displays the important installation choices allowed by the various versions and modes of ISA Server.
TABLE 3.3
ISA SERVER INSTALLATION CHOICES
Mode                Standard                            Enterprise
Caching, Firewall,  Single server, no Active Directory  Must have Active Directory in order to place servers in an array and utilize Enterprise Policies.
or Integrated
Installation Defaults
After installation the following settings are in place:
• Access Control. A default site rule (Allow Rule) allows all clients access to all content on all sites at all times. However, there is no protocol rule, so no traffic can pass through the server.
• Alerts. The "All port scan attack," "Dropped packets," "Protocol violation," and "UDP bomb attack" alerts are not active. All others are.
• Caching (Caching or Integrated mode). Cache size is set to the size specified during setup. Active caching is disabled. HTTP and FTP caching are enabled.
• Local Address Table (Firewall or Integrated mode). Consists of those entries made during installation.
• Packet filtering. In Firewall mode and Integrated mode, this is enabled. In Caching mode, this is disabled.
• Publishing. No publishing. Requests are discarded.
• Policy (Enterprise Edition; arrays). Default policy installed. Enterprise policy sets the policy. Arrays do not restrict the policy.
Standard Edition Generic Instructions
The installation of a Standard Edition ISA Server is reasonably straightforward (see Step by Step 3.2). Two areas of configuration might be necessary: cache size (Integrated and Caching modes) and LAT (Integrated and Firewall modes). Detailed information on these modes is provided in the Enterprise Edition installation instructions later in this chapter.
STEP BY STEP 3.2 Standard Edition Generic Setup
1. If you have not updated your installation to Windows 2000 Service Pack 1 (or the current service pack and/or appropriate hotfixes), do so before continuing.
2. Insert the Standard Edition CD-ROM.
3. From the Autostart menu that appears, select Install.
4. From the Welcome screen, click Continue.
5. At the Enter Product Key screen, enter the product key.
6. Read the EULA and select I Agree if you agree to the EULA, or I Decline if you do not accept the terms and conditions outlined there. (If you select I Decline, the installation process stops.)
7. Select the type of installation (Table 3.4 defines the installation options):
• Typical
• Full
• Custom
TABLE 3.4
INSTALLATION CHOICE TABLE
                      Typical  Full                                                    Custom (defaults) (Figure 3.2 displays the choices.)
ISA                   Yes      Yes                                                     Yes, by default, but your choice
Add-ins               No       Yes                                                     Yes, by default, but your choice
H.323 Add-ins         No       Yes                                                     Your choice
Message Screening     No       Yes, if SMTP service installed prior to installing ISA  Your choice
Administration Tools  Yes      Yes                                                     Yes, by default, but your choice
FIGURE 3.1 Installation choices.
8. If Custom was selected, select the choices required.
9. From the Setup window, select Firewall Mode, Cache Mode, or Integrated Mode and proceed to the section later in this chapter on the specific mode. Figure 3.3 displays the choices.
10. Services are stopped.
11. If Integrated or Cache Mode was chosen, select the NTFS drive for the cache and configure the cache size.
12. If Integrated or Firewall Mode was chosen, set up the LAT.
13. Files are added, services are stopped, and then restarted.
14. Clear the option to start the Getting Started Wizard.
FIGURE 3.2 Custom choices.
Enterprise Edition
Installing the Enterprise Edition consists of two parts:
• ISA Server Enterprise Initialization
• Installing the ISA Server
In order to install the Enterprise Edition and incorporate the ISA Server in arrays, the ISA Server classes and attributes must be added to the Active Directory. A separate process, the ISA Server Enterprise Initialization, is used for this.
FIGURE 3.3 ISA Server mode setup screen.
After successful completion of this schema modification, the ISA installation process can be started.
Installing the ISA Server Schema in the Active Directory
The installation program is contained on the Enterprise Edition ISA installation CD-ROM. To run the program, you must be a member of the Enterprise Administrators and Schema Administrators groups in the forest. Step by Step 3.3 details the process.
EXAM TIP
SMS 1.0 Based Questions
The location of the SMS.INI file was the root of the C:\ drive in SMS version 1.0, which has been changed in version 1.2.
After the Active Directory schema has been modified, the additional objects and attributes cannot be removed. However, no additional modifications are necessary to install additional ISA Servers or arrays in this forest.
STEP BY STEP 3.3 Adding ISA Modifications to the Active Directory Schema
1. Update Windows 2000 to the current service pack (currently at least Service Pack 1).
2. From the Microsoft ISA Server Setup screen, select Run ISA Server Enterprise Installation.
or
From the command line, type Path\isa\i386\msisaent.exe, where Path is the path to the ISA Server installation files (either the CD-ROM or a network location).
or
From the CD-ROM, run the ISAautorun.exe file and follow the instructions.
3. If this is the first ISA Server in the forest, the message "The ISA Server schema will be installed to the Active Directory. This action is not reversible. Do you want to continue?" appears (see Figure 3.4). Click Yes.
FIGURE 3.4 Confirm that you are installing the schema.
4. The ISA Enterprise Initialization window appears and presents enterprise-level policy choices (many of which can be modified after installation):
• Selection for applying enterprise policy. This choice allows you to select whether to use an array policy (only effective within the particular array) or an enterprise policy (effective across the enterprise in several arrays). The default in your first installation is "Use this enterprise policy" and the title "Enterprise Policy 1" is supplied in the text box. You can enter a name of your choice. If "Use this enterprise policy" is selected, the option "Allow array-level access rules that restrict enterprise policy" is an optional check box. It is not selected by default. Figure 3.5 displays the choices.
5. Click OK.
6. The message "Please wait while Setup installs ISA Server classes and properties in Active Directory. This may take several minutes." appears until the process is complete (see Figure 3.6). The Cancel button allows exiting the installation process.
7. The message "The ISA Enterprise Initialization Tool successfully imported the ISA Server schema into Active Directory …" appears (see Figure 3.7). Click OK.
FIGURE 3.5 Enterprise policy choices.
FIGURE 3.6 Enterprise initialization.
Install ISA Server Enterprise Edition
After the Active Directory schema has been updated, you can install ISA Server arrays and servers within them. Step by Step 3.4 provides the details.
STEP BY STEP 3.4 Installing ISA Server Enterprise Edition, Generic Instructions
1. Select Install ISA Server.
2. The Microsoft ISA Server (Enterprise Edition) Setup Welcome window appears. Click Continue.
3. In the Microsoft ISA Server (Enterprise Edition) window, enter the 10-digit CD key and click OK. The number should be on a sticker on the back of the CD case. (The ISA Server license allows installation on a single server. For each additional ISA Server, you will need an additional license.)
4. Record the product identification number that appears on your registration card.
5. Setup indicates it is searching for installed components and then displays the Microsoft ISA Server Setup window with the ISA Server EULA. Read the EULA and, if you agree, click the I Agree button. If not, click I Decline. (Clicking the I Decline button ends the setup.)
6. The setup window displays setup choices and the opportunity to change the installation folder. To change the installation folder, click the Change Folder button and browse to the desired folder. The default folder is \Program Files\Microsoft ISA Server. Setup choices are
• Typical Installation
• Full Installation
• Custom Installation
Table 3.5 defines the operations that will occur for each choice. Select the Custom Installation to select the options you require for this installation.
TABLE 3.5
ISA SERVER INSTALLATION CHOICES
Installation Choice   Description
Typical Installation  Most commonly used options.
Full Installation     All components are installed.
Custom Installation   You select the options.
FIGURE 3.7 Completion window and warning.
7. The Custom Installation window displays the options defined in Table 3.6.
TABLE 3.6
CUSTOM INSTALLATION CHOICES
Options: ISA Services
Description: Control access of network services for traffic between networks. This is checked by default.
Options: Add-in services
Description: Components can be installed as part of ISA Server or separately. Possible options presented at installation are: Install H.323 Gatekeeper Service and Message Screener. The H.323 Gatekeeper Service allows NetMeeting calls from private (Internet or other network) to reach hosts within the public network. The Message Screener is a content filter for SMTP traffic that reaches the ISA Server. Neither choice is checked by default.
Options: Administration tools
Description: Two choices are available. The default choice is to install the ISA Server administration tools. Installing these tools allows the central management of ISA Servers in the enterprise. The management of add-ins may or may not be possible with these tools. A separate administration tool is necessary for the H.323 Gatekeeper service, and this may be installed during the installation process. It is not checked by default.
FIGURE 3.8 Establishing the array that identifies this as an Enterprise installation.
8. When all choices are made, the total disk space necessary is indicated, as well as the available space. Click OK.
9. The setup window gives you the choice to install the ISA Server as an array member (see Figure 3.8). Click Yes.
NOTE
Critical Installation Point
If you do not choose Yes, the server is installed as a standalone server. While you can promote the standalone server to array membership, this is an extra step that must be done post-installation.
10. If this is the first server in the array, the New Array window appears and has the name of the computer as the name of the array (see Figure 3.9). You can change the default name.
11. Select the enterprise policy. This window (see Figure 3.10) is similar to the window in step 4 of Step by Step 3.3 (refer to Figure 3.6) in which the choice for the initial Enterprise policy is made during modification of the AD Schema. The default here is Use Default Enterprise Policy Settings. Table 3.7 describes the choices you can make here. Basically, you can select an enterprise policy other than the default and make some array configuration choices.
FIGURE 3.9 Naming the first array.
TABLE 3.7
CUSTOM POLICY SETTINGS
1. Use array policy only
   The enterprise policy is not used. Each array has its own policy.
   If this is selected, you can also select: 4 and 5
2. Use this enterprise policy
   Select a created enterprise policy.
   If this is selected, you can also select: 3, 4, and 5
3. Allow array-level access rules that restrict enterprise policy
   The enterprise policy is applied to all arrays; however, array policies may contain and enforce more restrictive settings.
   Can be combined with: 2
4. Force packet filtering on this array
   Packet filtering will be used to restrict entry. By default, no access is allowed until rules and policies are configured.
   Can be combined with: 1 and 2
5. Allow publishing rules
   Publishing rules can be created to allow access to internal Web servers from the public network.
   Can be combined with: 1 and 2
FIGURE 3.10 Use of enterprise policy.
12. Click Continue.
13. Select the ISA Server mode. Possible modes are
• Firewall mode
• Cache mode
• Integrated mode
Table 3.8 defines the modes.
TABLE 3.8
INSTALLATION MODES
Mode        Description
Firewall    Secure network communications with rules. Publish internal servers.
Cache       Improve network performance and save bandwidth by storing (caching) common objects close to the user. Multiple Internet requests for objects can obtain them from the network-based caching server.
Integrated  Both firewall and cache mode abilities are available.
EXAM TIP
ISA Listens at Port 8080
ISA Server listens for client requests on port 8080. (It listens for Web server requests on port 80.) If an IIS server is present on the same machine and has not been configured to use different ports, there will be possible conflicts. In addition, Web Proxy clients will either need to do auto discovery or be configured to use port 8080. (Proxy Server 2.0 listened on port 80 for client requests.) This is also why, during installation, if IIS is installed on the same machine, its WWW publishing service is stopped. After installation, IIS should be removed or its listening port changed before the service is restarted. (IIS on the ISA Server can be published via the Web publishing rules or by using IP packet filters.)
14. If the IIS server is present on this system, services are stopped. The IIS publishing service (W3SVC) will be stopped, and the message "After setup is completed, uninstall IIS or reconfigure all IIS sites to not capture port 80 or 8080" will be displayed.
15. If Integrated or Cache mode is chosen, follow the steps in Step by Step 3.6 to configure the cache.
16. If Integrated or Firewall mode is chosen, follow the steps in Step by Step 3.5 to configure the LAT.
17. Services are stopped, ISA COM objects are registered, files are copied, and services are restarted.
18. The Launch ISA Admin Tool window appears, informing you about the Getting Started Wizard that can be used to configure array and enterprise policies. You have the choice to ignore this message.
19. The successful installation message box appears. Click OK.
Firewall/Integrated Mode: Configuring the LAT
Installing in Firewall or Integrated mode requires configuration of the LAT. Step by Step 3.5 details the process. You can modify the LAT post-installation by using the folder for the LAT underneath the Network Configuration node. This folder is not present when the server is installed in Cache mode, as no LAT configuration is necessary.
STEP BY STEP 3.5 Configure the LAT
1. On the LAT configuration screen, enter the IP address ranges for the internal network address space, or click the Construct Table button to create a LAT based on the routing table of the computer (see Figure 3.11).
2. If the Construct Table button is clicked, the Local Address Table window appears and indicates the addition of the IANA private ranges and the NIC IP addresses (see Figure 3.12). Either check box can be cleared. You must check the box associated with the network interface of the card on the internal network.
3. Click OK after reading the warning message. The message is displayed in Figure 3.13.
4. Examine the LAT for accuracy and click OK.
FIGURE 3.11 LAT configuration.
FIGURE 3.12 LAT window.
FIGURE 3.13 Warning.
Integrated/Caching Mode: Configuring the Cache
If the ISA Server is to be used as a caching server, you must configure the cache. You can change this later, but you must identify, at a minimum, 5MB of an NTFS volume. Step by Step 3.6 lists the details.
STEP BY STEP 3.6 Configuring the Cache
1. Select the drive in the Drive window (see Figure 3.14).
2. Enter the maximum cache size in MB on that drive in the Cache size (MB) text box.
3. If you want to specify other cache locations on other drives, repeat steps 1 and 2.
4. Click the Set button.
FIGURE 3.14 Cache configuration.
EXAM TIP
NTFS—YES!
Cache drives must be placed on NTFS volumes. Volumes should be formatted prior to installation of ISA Server. The cache must be located on the hard drive or drives of the server running ISA Server. (Network drives cannot be used.) The cache can be modified after setup. This is critical: if you do not click the Set button, the information is not saved.
NOTE
A Minimum Cache Is Required
If caching is enabled, a minimum of 5MB must be set aside for caching on at least one drive.
Unattended Setup
Follow the steps in Step by Step 3.7 to configure and run an unattended setup of ISA Server. The msisaund.ini file contains the configuration information and may be modified to customize the unattended setup process. Information on this file is found later in this chapter.
STEP BY STEP 3.7 Unattended Setup
1. Create the msisaund.ini file (see Table 3.9) and place it in the root directory of the first fixed drive of the setup computer.
2. From the command prompt, run:
path\ISA\setup /qt /k"PID_number"
where path is the path to the ISA Server installation files and PID_number is the product number, without the dashes. The setup switches, and others that are available, are defined in Table 3.10.
TABLE 3.9
THE MSISAUND.INI FILE
Section: [Install]
Possible Entry: Install Dir
Default: First disk drive with enough space; \Program Files\Microsoft ISA Server
Information: Where should the ISA Server be installed? Use the format: Drive:\folder

Section: [Install]
Possible Entry: Override Existing Configuration
Default: 0
Information: 0—Retains existing configuration (set in a past installation) and ignores data in the rest of the file. If set to 1, overrides the existing configuration.

Section: [Install]
Possible Entry: Don't Migrate Proxy 2 Settings
Default: 0
Information: 0—Try to migrate Proxy configuration. 1—Don't attempt.

Section: [Array Membership]
Possible Entry: Join existing array
Default: If this or Create New Array and Join is not specified, then installs as a standalone server.
Information: Does not initialize the schema. That must be done prior to running unattended setup.

Section: [Array Membership]
Possible Entry: Create new array and join
Default: If this or Join Existing Array is not specified, then installs as a standalone server.
Information: Name of array to create and join.

Section: [Features]
Possible Entry: Installation Option
Default: No default.
Information: Mode of installation. The three options are Firewall_And_Cache, Firewall, and Cache.

Section: [Firewall LAT Config]
Possible Entry: Includes Ranges From All Cards
Default: No default. If no value is given for one of these three LAT entries, installation will fail.
Information: 0—No. 1—Yes; all ranges are on the internal network. Assumes a dial-up modem connection to the Internet.

Section: [Firewall LAT Config]
Possible Entry: Include Private Ranges
Default: No default.
Information: 0—No. 1—Yes; all private address ranges are included.

Section: [Firewall LAT Config]
Possible Entry: Range1, Range2…
Default: No default.
Information: Defines local table IP ranges explicitly. Syntax is Range1=x.x.x.x y.y.y.y, Range2=

Section: [Proxy Setup Cache Config]*
Possible Entry: Drive=drive size_min size_max
Default: First NTFS partition with enough space for caching. (Min/max sizes default to 100MB.)
Information: Lists disk drives used for caching and size.

* If Firewall only mode, omit the [Proxy Setup Cache Config] section.
TABLE 3.10
INSTALLATION SWITCHES
Switch  Definition
/Q      Unattended setup
/Q0     The exit dialog box displays when setup is done
/Q1     The exit dialog box is not displayed
/QT     No dialog boxes are displayed
/R      Unattended reinstall
/U      Unattended uninstall
The following issues may arise when attempting to perform an unattended setup:
• If the LAT section of the msisaund.ini file does not specify the IP address of at least one of the internal NIC cards of the setup computer, the installation will fail.
• If there is no NTFS partition large enough to support the minimum cache size (100MB), installation will fail.
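A pre-flight check for an msisaund.ini file, as an added Python example that is not code from the book or from ISA Server. It applies the two failure conditions just listed together with the section rules from Table 3.9: the [Features] mode must be one of the three listed values, a firewall-mode file needs the [Firewall LAT Config] entries and a LAT that covers at least one internal NIC, a cache-mode file needs a Drive entry on an NTFS volume with at least 100MB free, and a firewall-only file should not carry the cache section. The sample INI text, the NIC address and the volume table are constructed inputs; the finding codes and the check_unattended function are this example's own.

```python
import configparser
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample msisaund.ini, using the sections and keys from Table 3.9.
SAMPLE_INI = r"""
[Install]
Install Dir=D:\Program Files\Microsoft ISA Server
Override Existing Configuration=0
Don't Migrate Proxy 2 Settings=0

[Features]
Installation Option=Firewall_And_Cache

[Firewall LAT Config]
Includes Ranges From All Cards=0
Include Private Ranges=1
Range1=192.168.10.0 192.168.10.255

[Proxy Setup Cache Config]
Drive=D 100 500
"""

VALID_MODES = ("Firewall_And_Cache", "Firewall", "Cache")
REQUIRED_LAT_KEYS = ("Includes Ranges From All Cards", "Include Private Ranges")
RFC1918 = [("10.0.0.0", "10.255.255.255"), ("172.16.0.0", "172.31.255.255"),
           ("192.168.0.0", "192.168.255.255")]
MIN_CACHE_MB = 100  # minimum cache the chapter says an unattended setup needs on NTFS


def load_ini(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the mixed-case key names used in Table 3.9
    cp.read_string(text)
    return cp


def lat_ranges(cp: configparser.ConfigParser) -> List[Tuple[str, str]]:
    """LAT ranges the file would produce: RFC 1918 if requested, plus Range1, Range2, ..."""
    if not cp.has_section("Firewall LAT Config"):
        return []
    sect = cp["Firewall LAT Config"]
    ranges = list(RFC1918) if sect.get("Include Private Ranges", "0").strip() == "1" else []
    for key in sorted(k for k in sect if k.startswith("Range")):
        low, high = sect[key].split()  # table syntax: Range1=x.x.x.x y.y.y.y
        ranges.append((low, high))
    return ranges


def covered(ip: str, ranges: List[Tuple[str, str]]) -> bool:
    addr = ipaddress.IPv4Address(ip)
    return any(ipaddress.IPv4Address(lo) <= addr <= ipaddress.IPv4Address(hi) for lo, hi in ranges)


def check_unattended(cp: configparser.ConfigParser, internal_nic_ips: List[str],
                     volumes: Dict[str, Tuple[str, int]]) -> List[str]:
    """Return finding codes; an empty list means the file passes the chapter's stated checks.

    internal_nic_ips: addresses of the setup computer's internal NICs.
    volumes: drive letter -> (file system, free MB). Both come from the target machine and
    are passed in by the caller, since this runs before setup does.
    """
    findings: List[str] = []
    mode = cp.get("Features", "Installation Option", fallback=None)
    if mode is None:
        return ["installation-option-missing"]
    if mode not in VALID_MODES:
        return ["installation-option-invalid"]
    wants_firewall = mode in ("Firewall", "Firewall_And_Cache")
    wants_cache = mode in ("Cache", "Firewall_And_Cache")

    if wants_firewall:
        if not cp.has_section("Firewall LAT Config"):
            findings.append("lat-section-missing")
        else:
            sect = cp["Firewall LAT Config"]
            for key in REQUIRED_LAT_KEYS:
                if key not in sect:
                    findings.append(f"lat-key-missing:{key}")
            if not any(k.startswith("Range") for k in sect):
                findings.append("lat-key-missing:Range1")
            all_cards = sect.get("Includes Ranges From All Cards", "0").strip() == "1"
            if not all_cards and not any(covered(ip, lat_ranges(cp)) for ip in internal_nic_ips):
                findings.append("lat-covers-no-internal-nic")  # the first failure listed above

    if wants_cache:
        drive_entry = cp.get("Proxy Setup Cache Config", "Drive", fallback=None)
        if drive_entry is None:
            findings.append("cache-drive-missing")
        else:
            parts = drive_entry.split()  # Drive=drive size_min size_max
            letter = parts[0].rstrip(":").upper()
            size_min = int(parts[1]) if len(parts) > 1 else MIN_CACHE_MB
            fs, free_mb = volumes.get(letter, ("none", 0))
            if fs.upper() != "NTFS":
                findings.append("cache-drive-not-ntfs")
            elif free_mb < max(size_min, MIN_CACHE_MB):
                findings.append("cache-drive-too-small")  # the second failure listed above
    elif cp.has_section("Proxy Setup Cache Config"):
        findings.append("cache-section-present-in-firewall-only-mode")
    return findings


# Constructed volume table for the setup computer: letter -> (file system, free MB).
VOLUMES = {"C": ("FAT", 900), "D": ("NTFS", 2048)}

if __name__ == "__main__":
    print("sample file:", check_unattended(load_ini(SAMPLE_INI), ["192.168.10.1"], VOLUMES))
    broken = SAMPLE_INI.replace("Drive=D 100 500", "Drive=C 100 500")
    print("cache on FAT:", check_unattended(load_ini(broken), ["192.168.10.1"], VOLUMES))
```

Because the file is checked against the machine's own NIC addresses and volumes, the two conditions that make an unattended install fail are caught before setup runs rather than after it aborts.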
Installing Additional ISA Servers in an Array
One of the benefits of ISA Server is the ability to create arrays of caching servers or firewalls. Arrays of caching servers can assist in load balancing and provide redundancy. Arrays of firewalls and caching servers reap the benefits of enterprisewide access policies. Policies can be created once and utilized in a consistent manner across the enterprise. More information on this process can be found in Chapter 11, "Manage ISA Servers in the Enterprise." The Microsoft ISA Server Enterprise Edition must be used to install ISA Server arrays. The first server installed creates an array if the decision is made to integrate the server with the Active Directory and the Active Directory schema modifications have been made. (The Enterprise Edition of ISA Server can also be installed as a standalone server.) Subsequent servers can join this array, or create additional arrays.
The process is simple and is detailed in Step by Step 3.8.
NOTE
Don't Confuse It!
You should not attempt to install more than one server in an array at a time; that is, complete the installation of a server in an array before starting the installation of another server into the same array.
STEP BY STEP 3.8 Installing Additional ISA Servers in the ISA Server Array
1. If the Windows 2000 Server is not joined to the domain, join it.
2. Start the ISA setup program.
3. Click Continue at the Welcome screen.
4. Enter the CD key and click OK.
5. Setup searches for installed components and then presents the EULA screen. Select I Agree.
6. Select Custom.
7. Verify that the options required have been selected or deselected; for example, you might not want the administration program to be installed on every server in the array.
8. Select Continue.
9. The message box "Do you want to install ISA Server as an array member?" appears. If you do not, select No and the ISA Server will be installed as a standalone server. Otherwise, select Yes.
10. The installation program searches for arrays and displays the names of the arrays it finds.
11. Select the array to join and click OK (see Figure 3.15).
12. Select the drive and size of the cache and click OK.
13. A progress window indicates that setup is registering COM objects and then starting the services. Files are copied and a final window indicating successful setup is presented. Click OK.
FIGURE 3.15 Selecting the array.
REVIEW BREAK
• Two versions of ISA Server are available: Standard (standalone) and Enterprise.
• Three modes of installation are available for either version: Caching, Firewall, and Integrated.
• By default, all clients are allowed access to all content on all sites at all times; however, there is no default protocol rule, so no traffic can occur.
• Packet filtering is only available for Firewall or Integrated mode installations.
• Before the first Enterprise Edition ISA Server can be installed in the forest, modifications must be made to the AD schema.
• An Enterprise Edition ISA Server must be installed into an array or it is installed as a standalone server.
• The default Enterprise policy is configured to use an Enterprise policy and not to allow array policies to restrict Enterprise policy.
• ISA listens at port 8080 for client requests.
• A minimum cache of 5MB on an NTFS volume must be configured during setup for Caching or Integrated mode servers.
• Unattended setups always do a full installation.
TROUBLESHOOTING THE INSTALLATION
Troubleshoot problems that occur during setup.
Like most modern installations, ISA Server installation usually succeeds. However, it is possible to have a failed installation, one that does not complete successfully, or one that appears to complete successfully and yet does not work. These issues are categorized in the sections that follow.
Failed Installation
Most installations of ISA Server will proceed normally and without error. Most installation problems will be due to minor operator errors, typos, and so on. However, even the most careful administrator can have an aborted installation. Here are some issues that may be the cause.
Can't Install in Existing Array
When installing multiple ISA Servers in an array, you receive the error "This computer is not a member of a site and cannot be installed in an array." Windows 2000 computers joined to a domain may be found in multiple physical locations. As you know, the Windows 2000 site can be used to model the physical network. The default site is created when the first domain controller in the forest is installed. This domain controller automatically becomes a member of this site. Additional sites can be created, and the original site can be renamed. Within each site, the appropriate subnets that represent the subnets at that physical location are entered. This maps the physical network to the Active Directory site object. Domain controllers are added to sites as they are installed on the system. Their site location can be changed to indicate their true physical location. Member servers are automatically part of an Active Directory site if the appropriate subnets have been entered and assigned to the site. You might need, however, to add the member server computer object to the appropriate site within Active Directory Sites and Services. If the previous error is received, check to see that the subnet has been added to the site and that the server does have an IP address within the same subnet as the first array member.
Installation Fails to Complete: You Cannot Run the Uninstall Program
If your attempted installation fails, it might be because some MMC with related ISA administration or help information has not finished closing, even though it has disappeared from the screen. If this is the case, simply ending the attempt at uninstallation, clearing all windows, and waiting a couple of minutes before trying again will usually resolve the issue. If this fails, you can uninstall the program by using the Control Panel/Add Remove Programs applet. If this also fails, use the Rmisa.exe program provided on the ISA Server CD-ROM.
Was Installation Successful?
Immediately after the ISA Server is installed, you should verify the installation. To do so, follow the steps of the Verification Process section. If they show your installation to be less than perfect, review the section on known issues.
Verification Process
If the installation process ends successfully, how do you know it actually is working correctly? Before you spend hours configuring the system and then find it not to be working, it makes sense to do a little testing. This way, if there are problems after configuration, you can limit your troubleshooting to the configuration process and not wonder if something went wrong during installation. To verify the installation:
1. Examine the Event log for errors. If there are no error messages, or they can be resolved, continue the verification process. Likely installation error messages are detailed below.
2. Set up one local client as a Web proxy client; that is, configure the Web browser application to use the ISA Server.
3. In the client's Web browser, navigate to any page on the Internet.
4. The default installation will not allow access, and the 502 proxy error should be the result.
5. Create a protocol rule that allows use of all protocols by all clients.
6. Create a routing rule that routes the request to the Internet (if directly connected) or to an upstream proxy server or ISA Server.
7. On the client, navigate to the same site. You should be able to access the page.
You might then want to remove these routing and protocol rules if you require more restrictive rules. Remember, the goal here is merely to test the installation before making major configurations. In this manner you know that the installation is good.
Event ID 14111—The ISA Server Cache Could Not Start The ISA Server Cache can’t start because it’s configured incorrectly. Stop the Web Proxy Service, and then use the ISA Management console (Arrays\<array name>\Cache Configuration, HTTP tab, select Restore Defaults) or the Registry to correct the problem, and then attempt to restart the service. The problem might be incorrect configuration (the cache does not meet the minimum size, or the drive is too small) or a conflict with other settings. If the condition cannot be resolved in this manner, run Setup again and select Reinstall.
Event ID 14176, 14164, 14172—The Disk Cache Failed to Initialize and Is Disabled Check other events (improper configuration, disk cannot be used for cache, disk configuration is wrong) and correct the problem, then restart Web Proxy service.
Event ID 14010, 14063—The Firewall Service Did Not Start Due to Corrupt Data Corrupt data in the Registry (14063) or in the Active Directory prevents the service from starting. Waiting a short while before attempting to start the service may work. Otherwise, you must uninstall and reinstall ISA. The ISA Server configuration will be lost.
A Generated LAT Is Not Correct Manually adjust the LAT from the ISA Management console.
You Are Unable to Access Internet Resources This is expected. The default installation blocks all traffic through the ISA Server to the Internet.
Users Can Access Sites on the Internet The LAT is incorrectly configured.
UNINSTALLING ISA SERVER The uninstallation process is simple and automated. To do so, follow the steps in Step by Step 3.10. Changes made to the Active Directory Schema cannot be removed.
STEP BY STEP 3.10 Uninstall ISA Server
1. If the Event Viewer is open, close it. Otherwise some ISA files may not be removed.
2. From the ISA Server Setup Window, run Install ISA Server.
3. Setup searches for installed components and then displays the setup window choices (see Figure 3.16):
FIGURE 3.16 Uninstallation choices.
• Add/Remove—Additional components can be added, such as adding Firewall mode to a caching-only ISA Server.
• Reinstall—The last installation will be repeated; missing files and settings will be restored.
• Remove ALL—Uninstall ISA Server.
4. To remove the ISA installation, select Remove All.
5. On the Are you sure you want to remove Microsoft ISA Server? message box, click Yes. The program reports that it is stopping services.
6. On the Do you want Uninstall to remove the logs and configuration backup files generated by Microsoft ISA Server? message box (see Figure 3.17), click Yes to remove all information.
FIGURE 3.17 Remove the logs.
7. The program will report that it is removing ISA COM objects, stopping relevant services, deleting files, and updating the system, and will then restart or start the relevant services.
8. At the Microsoft Internet Security and Acceleration Server Setup was completed successfully message box, click OK.
NOTE rmisa.exe If you cannot uninstall ISA Server by this method, you might be able to uninstall it by using Control Panel/Add Remove Programs. An uninstall program, rmisa.exe, is also supplied in the \ISA\I386 folder on the Installation CD-ROM. This program completely removes ISA Server.
CASE STUDY: SECURITY SYNDICATE
ESSENCE OF THE CASE
Here are the essential elements in this case study:
• Perimeter protection required
• Load balancing for large amounts of Web access
• Control and protection of NetMeeting sessions
• Public Web server
• Multiple client OSs
• Control, cost, and performance issues
SCENARIO
Midwest-based security consultant Security Syndicate has two new customers with firewall/caching server needs. One customer, Davison & Davison, is an accounting firm with traditional small network protection needs. A public Web server and minimal Web browsing needs require perimeter protection. The other customer, Fujedenchee, is a leading supplier of innovative communications solutions. Web access and usage are considered to be out of control, and they are seeking reduced cost, improved performance, and security. Fujedenchee currently has a mixed client environment. A Windows 2000 migration project is in the implementation stages. Not all clients or servers will be moved to W2k.
ANALYSIS
Two seemingly different customers’ needs can be met by one product, ISA Server. Implementation, configuration, and usage patterns will be different. Security Syndicate has decided that ISA Server in Firewall mode should be installed and configured to protect Davison & Davison’s network. An array of ISA Server Enterprise edition servers in Integrated mode will be deployed for Fujedenchee. Because both projects will use the same product but operate in different areas and at different scale, an ISA team is assembled. You are part of that team.
CHAPTER SUMMARY Installing ISA Server is not a difficult process. Although there are multiple possibilities, there are few choices that, once made, cannot be changed. An option can be installed (changing Firewall mode to Integrated mode) or a configuration updated after the original installation. The biggest issue of installation, for all versions and uses, is the planning decision on how the product is to be used and where in the network it needs to be placed. This chapter has outlined the installation process and elaborated on three installation processes:
• Making the Active Directory schema modifications.
• Determining the size of the initial cache.
• Configuring the Local Address Table (LAT).
If you spend some time with the review questions and key terms, and complete the hands-on exercises, you will be ready to proceed with the next chapter on upgrading Microsoft Proxy Server 2.0 to ISA Server.
KEY TERMS
• Local Address Table
• Caching mode
• Firewall mode
• Integrated mode
• Internet Assigned Numbers Authority (IANA)
• Request for Comments (RFC)
• Private address ranges
• Active Directory Schema
• H.323 Gateway Service
• Enterprise policy
• ISA COM objects
• ISA management
• msisaund.ini file
• Site
APPLY YOUR KNOWLEDGE
Exercises
3.1 Installation of a Standard Edition ISA Firewall
This exercise lets you see the operation of the standalone server install and gives you your first insight into the differences in the install process and the resulting ISA administration interface. If at all possible, save this installation (perhaps by making your practice installations dual-boot). You will need to complete further exercises using a standalone ISA Server.
Estimated Time: 20 minutes
1. If you have not configured a Windows 2000 standalone server as specified in Exercise 2.1, please do so before continuing. This server requires two network cards: one on the public network and one on the private network. The system should be a clean install of Windows 2000 (current Service Pack) standalone server.
2. Verify connectivity to both networks. If you are using the Internet as your public network, verify connectivity by accessing any Internet site via the browser. If you are using an internal subnet as your public network, verify access to systems on that network.
3. Install ISA Server Standard edition. Install using the Custom option and be sure the administration and server modules are chosen. Do not select any add-ins. (For detailed instructions see Step by Step 3.2.)
3.2
Modification of the Active Directory Schema
Before you can install an Enterprise ISA Server in an array, you must modify the Active Directory schema. The process is simple and need only be done once for the forest. The program you will need to run is provided only on the ISA Server Enterprise edition disk.
Estimated Time: 20 minutes
1. If you have not installed your test-domain domain controller, two member servers, and Windows 2000 Professional system as per the instructions in Exercise 2.1, please do so. The test-domain systems should all be updated to the current Service Pack. At least one of the member servers should have two network cards configured, with one on the public network and one on the private network. DO NOT PERFORM THESE LABS IN A PRODUCTION SYSTEM.
2. Verify your test network. You should be able to log on from all systems. You need to be a member of the Enterprise Admins group.
3. Verify connectivity with the public network.
4. Modify the Active Directory Schema for ISA by running the ISA Server Enterprise Installation program from the ISA Server CD-ROM. Detailed instructions are in Step by Step 3.3.
3.3 Installation of an Enterprise Edition ISA Server—Integrated Mode
After you update the AD Schema, you are ready to install ISA Server, Enterprise edition. There are differences in the interface and the features of this edition from the standalone edition. This exercise is your first exposure to them. In your test lab scenario, you can immediately follow the schema modification exercise with this one. In the real world, however, you may need to wait until the changes to the schema have replicated to all domain DCs in the forest. Although in your test you may want to install the first ISA server on the DC (to reduce the number of computers you need to use), never do this on a production DC. Please note that the first server installed creates the first array. It is an array of one server. You must retain, and have available on the network, this first installation in order to complete Exercise 3.4.
Estimated Time: 20 minutes
1. Log on to the two-NIC Windows 2000 member server.
2. Install ISA Server Enterprise edition in Integrated mode. (Detailed instructions are in Step by Step 3.4.) The following installation configuration choices should be made:
• Do not select any add-ins.
• Select the default Enterprise policy.
• Use the Create the LAT button and be sure to select the appropriate NIC to include the private network subnet in the LAT along with the default private address ranges.
• Do not install the ISA Management console.
3. Log on to the Windows 2000 Professional system and install the ISA Server Management console on it.
4. Review the installation via the ISA Server Management console.
3.4 Installation of a Second Array Member Enterprise Edition ISA Server—Integrated Mode
This exercise helps you understand the different processes followed when adding ISA Servers to an array. You will need to be sure the system on which you are doing the install can connect to the AD and locate the schema. If it cannot, you will not be able to install this server into the array. Retain both of these servers in their array configuration; you will need them for further exercises.
Estimated Time: 20 minutes
1. Log on to the second member server.
2. Install ISA Server Enterprise edition in Integrated mode as a member of the array created in Exercise 3.3.
3. The following installation configuration choices should be made:
• Do not select any add-ins.
• Create the server as a member in the same array as the previous installation.
• Use the Create the LAT button and make sure to select the appropriate NIC to include the private network subnet in the LAT along with the default private address ranges.
• Do not install the ISA Management console.
4. Log on to the Windows 2000 Professional system and install the ISA Server Management console on it.
5. Review the installation via the ISA Server Management console.
Review Questions
1. You are required to provide a firewall solution for a non-Windows shop. Can ISA Server fit this bill? If so, what version would you install?
2. A Fortune 500 company requires an Internet access control solution. They are looking for load balancing, fault tolerance, performance, and the capability to control hours of access, users, and systems. What selections would you make during installation of ISA Server?
3. This same company realizes it must use more than one server. Which version of ISA Server must they use?
4. What action must be taken prior to installing the first ISA Server in the forest? Why is this necessary?
5. Which clients can benefit from an installation of ISA Server in caching mode?
6. Installation proceeds smoothly and indicates that it was successfully accomplished. It’s late in the day. In the morning, you attempt to verify the installation and get an error message stating that a service cannot start. What is wrong? What should you do?
7. You would like to provide forward caching services for a company with 10,545 employees. What configuration would you recommend? (How many servers? Mode? RAM? Other specs?)
Exam Questions
1. The first ISA server in an array has been successfully installed and verified. You attempt to install the second array member but during installation get an error message that the Windows 2000 server is not a member of a site and will be installed as a standalone server. What could be wrong? (Select all that apply.)
A. The Windows 2000 server is not a domain member server.
B. The Windows 2000 server is not a member of the original array server’s domain.
C. You have used the Standard edition ISA Server CD-ROM.
D. The Windows 2000 server is not a member of the same site as the server which is the first member of the ISA server array.
E. The Windows 2000 server is not a member of the same subnet as the server which is the first member of the ISA server array. It is a member of the same site.
F. The Windows 2000 Server has not been configured as a member of the same site, or the information has not been updated in the Active Directory.
2. The ISA Server will be used when first installed as a firewall. It may be required to provide forward caching in the future. You should:
A. Install the server in Firewall mode. If it is required to also provide forward caching, the caching service can be added at a later date.
B. Install the server in Integrated mode. You cannot add a service without uninstalling and reinstalling at a later date because you would lose configuration information.
C. Install in Firewall mode. When you need to add forward caching services later, you can export the configuration information and then uninstall, reinstall in Integrated mode, and import the configuration information.
D. Install in Caching mode. Caching mode also allows configuring the firewall service. If caching is not configured, no caching will occur.
3. The first ISA server in an array has been successfully installed and verified. You attempt to install the second array member but during installation get an error message that the Windows 2000 Server is not a member of a site and will be installed as a standalone server. Which two steps should you take?
A. Continue the installation.
B. Configure the standalone ISA server to be an array member after installation.
C. Cancel the installation.
D. Solve the problem and then begin the installation again.
4. During installation of ISA Server in Caching mode, you must configure the cache. You have determined that you will require 500MB of space for the cache. At the cache configuration point during installation, you are presented with the display in Figure 3.18. Which steps should you take? (Select as many steps as apply.)
FIGURE 3.18 Where to put the cache?
A. Select 500MB on the D: drive.
B. Select 5MB on the C: drive.
C. Cancel the install.
D. Convert the D: drive to NTFS.
E. Reconfigure the cache using ISA Management.
5. Figure 3.19 is a network diagram for the Johnson Cake Candle Company. It will be using ISA Server to protect access to their internal network while allowing employees to access the Internet. The diagram shows subnets on both sides of the proposed ISA server and the network card addresses of both NICs in the server. Use the table that follows to indicate how you would configure the LAT.
FIGURE 3.19 Johnson Cake Candle Company network information. (Diagram labels: Internal Network 192.168.4.0; Internet.)
LAT Contents
6. Figure 3.20 is a network diagram for ABC Company. The ABC Company will be using ISA Server to protect access to several subnets that require additional security. These subnets include computers in the finance, marketing, and administration departments. The diagram shows subnets on both sides of the proposed ISA server and the network card addresses of both NICs in the server. Use the table that follows to indicate how you would configure the LAT.
FIGURE 3.20 ABC Company network information. (Diagram labels: Private (accounting and other financial) subnets 208.56.5.0, 208.56.4.0, 208.56.3.0; other subnets in company: 208.56.6.0, 208.56.7.0, 208.56.8.0, 208.56.9.0.)
LAT Contents
7. An analysis has determined that five ISA servers will be arranged in a single array to handle forward caching. This array will serve 9,465 users. What size should the cache be on each server?
A. 10GB per server.
B. 100GB per server.
C. 9GB per server.
D. 2GB per server.
8. A single ISA server will provide forward caching for 328 users. What is the minimum cache size for the array?
A. 2GB
B. 264MB
C. 164MB
D. 2.6GB
9. You mistakenly installed your test Enterprise edition ISA Server in an array in a production domain. There are no other ISA Servers in the entire forest. You must remove your test system. Your goal is to totally remove any indication that the ISA Server was ever there. The following steps should be taken. (Select all that apply.)
A. Run the uninstall ISA Server program.
B. Verify that all Registry entries for ISA Server and all files that were added are gone.
C. Run the Remove ISA Enterprise Installation program to clean the Active Directory schema.
D. Remove the test server from the domain.
10. John has installed ISA Server but the verification process fails to allow him to access a Web site. He asks for your help. You think that perhaps the LAT is not configured correctly. You open the ISA Management console to verify the LAT and navigate to the Network Configuration node and expand it. Your screen looks like Figure 3.21. What’s the next step you take?
FIGURE 3.21 Where to configure the LAT?
A. You’re in the wrong place; move to the Computer node, expand it, and open the Local Address Table (LAT) folder.
B. Expand the Routing folder and open the Local Address Table (LAT) folder.
C. You must have installed the ISA Server in caching mode. Caching mode does not require configuration of the LAT; therefore the Local Address Table (LAT) does not exist. Tell John to run the installation program and add the firewall module.
D. Right-click the Routing node and select Configure LAT. The LAT will automatically be correctly configured from the routing table on the system.
Answers to Review Questions
1. Yes. The ISA server must be installed on a Windows 2000 system, but clients can be of any type. See the section, “Introduction.”
2. Install Enterprise edition, caching mode, array. Use multiple servers in the array to provide the necessary load balancing and fault tolerance. See the sections, “Introduction,” and “Install ISA Server Enterprise Edition.”
3. Enterprise edition. See the section, “Install ISA Server Enterprise Edition.”
4. Modify the Active Directory Schema. This must be done to provide the objects and attributes necessary. Active Directory is necessary to provide centralized management of multiple ISA Servers. No Active Directory, no arrays, no centralized management. See the section, “Installing the ISA Server in the Active Directory.”
5. All types of clients can benefit. See the section, “Introduction.”
6. One possibility for the service not starting is that there is not adequate cache space. A minimum of 5MB on an NTFS partition must be provided. Although you would have to have configured adequate caching space during installation, if the drive on which it was configured becomes corrupt or crashes, adequate space is not available, and the service will stop and not start. You need to check the Event log for messages to determine whether this might be the case and then prepare another drive. See the section, “Failed Installation.”
7. Enterprise edition, caching mode. At least six servers in array(s). At least 256MB RAM per server. Pentium III. See the section, “Configure the Cache.”
Answers to Exam Questions
1. A. If the server is not a member of a domain, it cannot be installed as an Enterprise server in an array. B is incorrect. Although the server must be a domain member, it can be a member of another domain and still be installed in an array, just not in this one. C is incorrect. If you use the Standard edition CD-ROM, you will not be given any opportunity to install in an array, but this error message will not occur. D is incorrect. If the server is a member of any site, you will not get this error. E is incorrect. The server can be in another subnet. F is correct. Even if the server is a member server, if the information about its membership in some site is not in the Active Directory, the installation program will give this error. See the section, “Failed Installation.”
2. A. You can run the install program and add modules. B is therefore incorrect. You could go ahead and install the server in Integrated mode, but the reason given for doing so is incorrect. C is incorrect. You cannot export and import configurations. You can back up a configuration, but restoring it would overwrite what is currently there. D is incorrect. Caching mode installation will not include the ability to configure the firewall. See the section, “Installation Procedures Common to All Server Configurations.”
3. C, D. A and B are incorrect. Continuing the installation will install the server as a standalone server. You can promote a standalone server to array membership, but in this case you will still have the same problem, so that will not be possible. C and D are correct: after canceling, solve the problem, then run the installation program again. See the sections, “Failed Installation” and “Install ISA Server: Enterprise Edition.”
4. B, D, E. During installation you must configure a cache. 5MB is the minimum and is available on drive C. After installation you can provide more space on an NTFS-formatted or converted drive and then reconfigure the cache. A is incorrect. The D: drive is FAT. The cache requires an NTFS volume. C is incorrect. You could do this but it is not necessary. In addition, the necessary steps to complete the assignment are not listed. F is incorrect. You cannot place the cache on a network share. See the section, “Configuring the Cache.”
5. LAT Contents: the private ranges 10.0.0.0 to 10.255.255.255, 192.168.0.0 to 192.168.255.255, and 172.16.0.0 to 172.31.255.255. See the section, “Constructing and Configuring the Local Address Table (LAT).”
6. LAT Contents: 208.56.5.0 to 208.56.5.255, 208.56.4.0 to 208.56.4.255, and 208.56.3.0 to 208.56.3.255. See the section, “Constructing and Configuring the Local Address Table (LAT).”
7. A. B would be okay, but probably overkill. C and D would not provide adequate caching space. See the section, “Configure the Cache.”
8. B. While recommendations for this number are 2GB, the request was for the minimum. C is too small, B is thus correct (see the following calculation), and all others are too large. See the sections, “Configuring the Cache” and “Calculating Cache Size.”
328 × 0.5MB + 100MB = 164MB + 100MB = 264MB
9. A, B, D. C is incorrect. Once the Active Directory schema has been modified, the added classes and attributes cannot be removed. See the section, “Uninstalling the ISA Server.”
10. C. The Local Address Table (LAT) folder is present when the server has been installed in Firewall or Integrated mode. It is one level under the Network Configuration node. It is not present when the ISA server is installed in Caching mode. A, B, and D are incorrect. See the section, “Constructing and Configuring the Local Address Table (LAT).”
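The LAT answers to questions 5 and 6 can be checked mechanically. What follows is an added example, not code from the book or from ISA Server: it builds LAT entries the way the chapter describes (the selected internal subnets plus, optionally, the default private address ranges), drops any subnet already covered by a larger entry, and flags the two misconfigurations the troubleshooting list points at, an internal interface missing from the LAT and an external interface wrongly included (the "A Generated LAT Is Not Correct" and "Users Can Access Sites on the Internet" items). The /24 masks follow from the .0 to .255 ranges in the answers; the NIC addresses 208.56.3.1 and 208.56.6.1 and the function names are constructed for the example.

```python
"""Build and sanity-check an ISA Server Local Address Table (LAT).

Added example for this chapter; not ISA Server code. LAT entries are
modelled as (first address, last address) pairs, which is how the ISA
Management console displays them. Network numbers come from the chapter's
exam questions; masks and NIC addresses are constructed for the example.
"""
import ipaddress
from typing import Iterable, List, Tuple

# Default private address ranges that the "Create the LAT" button can add
# (the IANA / RFC 1918 blocks named in the chapter's key terms).
DEFAULT_PRIVATE_RANGES = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

LatEntry = Tuple[str, str]  # (first address, last address)


def build_lat(internal_subnets: Iterable[str], include_defaults: bool = True) -> List[LatEntry]:
    """Return LAT entries for the given internal subnets (CIDR strings).

    A subnet that lies entirely inside another selected entry, such as
    192.168.4.0/24 inside the default 192.168.0.0/16, adds nothing and is
    dropped, so the result is the minimal table an administrator would keep.
    """
    nets = {ipaddress.ip_network(s) for s in internal_subnets}
    if include_defaults:
        nets.update(ipaddress.ip_network(r) for r in DEFAULT_PRIVATE_RANGES)
    kept = sorted(n for n in nets if not any(n != o and n.subnet_of(o) for o in nets))
    return [(str(n.network_address), str(n.broadcast_address)) for n in kept]


def lat_covers(lat: List[LatEntry], address: str) -> bool:
    """True if the address falls inside any LAT entry (ISA treats it as local)."""
    ip = ipaddress.ip_address(address)
    return any(ipaddress.ip_address(lo) <= ip <= ipaddress.ip_address(hi) for lo, hi in lat)


def validate_lat(lat: List[LatEntry], internal_nic: str, external_nic: str) -> List[str]:
    """Report the two LAT mistakes the chapter's troubleshooting list describes.

    - internal NIC not in the LAT: internal clients are not recognised as local.
    - external NIC in the LAT: Internet-side addresses are treated as local,
      the situation behind "Users Can Access Sites on the Internet".
    """
    problems = []
    if not lat_covers(lat, internal_nic):
        problems.append(f"internal NIC {internal_nic} is not covered by the LAT")
    if lat_covers(lat, external_nic):
        problems.append(f"external NIC {external_nic} is covered by the LAT; adjust the LAT manually")
    return problems


if __name__ == "__main__":
    # Exam question 5: one internal /24 plus the default private ranges.
    johnson = build_lat(["192.168.4.0/24"])
    # Exam question 6: only the three protected subnets, no default ranges.
    abc = build_lat(["208.56.5.0/24", "208.56.4.0/24", "208.56.3.0/24"], include_defaults=False)
    for name, lat in (("Johnson Cake Candle", johnson), ("ABC Company", abc)):
        print(name)
        for lo, hi in lat:
            print(f"  {lo} to {hi}")
    # Constructed NIC addresses: internal on 208.56.3.0, external on 208.56.6.0.
    print(validate_lat(abc, "208.56.3.1", "208.56.6.1"))   # []
    bad = abc + [("208.56.6.0", "208.56.6.255")]            # external subnet added by mistake
    print(validate_lat(bad, "208.56.3.1", "208.56.6.1"))   # one problem reported
```

Running the module prints the two tables from the answers above and then shows the difference between a correct ABC Company LAT and one into which the external 208.56.6.0 subnet was added by mistake, which is the condition the chapter tells you to fix by adjusting the LAT manually from the ISA Management console.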
Suggested Readings and Resources
1. Sections in ISA Server Help.
2. ISA Server Installation Guide.
3. The sample msisaund.ini file from the ISA folder on the ISA Server CD-ROM.
4. ISA Server release notes.
CHAPTER 4
Upgrading Microsoft Proxy 2.0
OBJECTIVES This chapter covers the following Microsoft-specified objectives for the Installing ISA Server section of the Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server 2000 exam:
Upgrade a Microsoft Proxy 2.0 Server computer to ISA Server.
• Back up the Proxy 2.0 Server configuration.
Microsoft Proxy Server is ISA Server’s predecessor. Although Proxy Server does not have the extensive firewall services of ISA, Proxy Server has extensive caching services and packet filtering capability. Like ISA Server, Proxy Server 2.0 can be installed and arranged in hierarchical chains as well as load-balancing arrays. The Cache Array Routing Protocol (CARP) made its first appearance in Proxy Server 2.0. A Proxy Server 2.0 installation can be upgraded to ISA Server. The Windows NT 4.0 system on which the Proxy Server is installed must be upgraded to Windows 2000 first. There is no upgrade path from Proxy Server 1.0.
OUTLINE
Introduction 111
Reasons for Upgrading 111
The Migration Process 112
Back Up the Proxy Server Configuration 114
Stop and Disable Proxy Server Services 115
Upgrade to Windows 2000 and Install ISA Server 116
Review the Setup Logs 117
Array Migration 118
Proxy Configuration Migration Results 120
Predetermined Migration Effects 120
Impact of Proxy 2.0 Array Membership and ISA Installation Selections on Migration 121
Post Migration Necessities 122
Migrating the Mindset 123
Chapter Summary 125
Apply Your Knowledge 126
Exercises 126
Review Questions 126
Exam Questions 126
Answers to Review Questions 128
Answers to Exam Questions 129
STUDY STRATEGIES
• Do an upgrade! By now you know the mantra: “The best way to study what happens and how to proceed is to actually do the procedures.” You should upgrade a Proxy 2.0 Server to ISA. If you can, do it at least twice: once with the upgrade moving from a Proxy 2.0 array to an ISA Server array, and once moving Proxy 2.0 standalone to ISA Server standalone.
• Prior to performing the upgrade, be sure there are extensive configuration changes on the Proxy 2.0 installation so that you can see what migrates.
• The section “Proxy Configuration Migration Results” lists for you the items which migrate, and when. Study this list and also understand that the migration outcome depends on these issues as well as the role you play during the install. (Are you an Enterprise admin? Domain admin?)
• Be sure that you understand how to back up the Proxy 2.0 configuration and what to do with it if the upgrade fails!
• Finally, be prepared to consider the steps to take to determine if the upgrade netted you the result you wanted. It would not be a good idea to risk network security because of an upgrade problem or misunderstanding. Take the time to learn what can go wrong and what to do to set it right.
Chapter 4
UPGRADING MICROSOFT PROXY 2.0 SERVER
INTRODUCTION ISA Server is, in many ways, a totally new product. In other ways, it’s hard, on the conceptual side, to distinguish it from its predecessor, Proxy Server. ISA Server is a full-featured firewall but, like Proxy, offers distributed and hierarchical caching. Although Proxy Server can be retained in a Windows 2000 network (indeed, mixed arrays of Proxy Server and ISA Server are possible), many will want to upgrade their current Proxy 2.0 installations to ISA Server. This process, while simple, must be studied and planned, and the results tested for compliance with security policy. Considerations are
• Reasons for upgrading
• The migration process
• Proxy configuration migration results
• Migrating the mindset
REASONS FOR UPGRADING
Occasionally, you get to move to the latest and greatest just because you can, but that is rarely the case. It is important to understand the why behind the upgrade; it helps smooth out the bumps, prevents us from re-creating problems we had with the original installation, and gives us an opportunity to create an environment in which the migration will have difficulty failing. The following reasons for upgrade may or may not be the reason that a particular upgrade is taking place:
• Need an H.323 Filter (Microsoft NetMeeting) Gatekeeper
• Want email-content screening
• Want a firewall client
• SSL traffic inspection
• Improved, more-secure publishing
• Advanced authentication
• SecureNAT (client transparency)
• Smart application filters
• Integrated Intrusion Detection (licensed ID from ISS)
• Integrated VPN
• System hardening templates
• Like the idea of stateful inspection
• ISA is a multilayered firewall
• Improved performance on existing Proxy features such as
  • RAM caching
  • Optimized cache
  • Improved SMP support
  • Improved distributed and hierarchical caching
  • Services independent from IIS services
• Require centralized, integrated management available with Enterprise edition
  • Policy-based access control
  • Tiered policy (can establish Array policies that restrict Enterprise policy)
  • Integrated with Windows 2000 Active Directory
THE MIGRATION PROCESS Upgrade a Microsoft Proxy 2.0 Server computer to ISA Server.
You may migrate Proxy Server 2.0 to ISA Server. The Proxy Server installation may be on Windows NT 4.0 or Windows 2000. There is no direct migration path from Proxy Server 1.0, Small Business Server, or BackOffice. The migration path you follow depends on several variables. Table 4.1 identifies these variables and discusses the extra steps that may need to be taken.
TABLE 4.1
MIGRATION PATH VARIABLES
Variable: Is the Proxy Server a member of an array?
Steps to Take: Remove the Proxy Server from the array prior to the migration.
Variable: Is the Proxy Server on a standalone system?
Steps to Take: No additional steps necessary.
Variable: Will you be installing the server into an array?
Steps to Take: You must have appropriate permissions to install into the array.
Variable: What is your role in Windows 2000 administration? (Are you a Domain Admin or Enterprise Admin?)
Steps to Take: Membership in the Enterprise Admins and Schema Admins groups is necessary to modify the AD Schema.
Variable: Will the ISA Server system be a domain member?
Steps to Take: Join the Windows 2000 system to the proper domain.
Variable: Does the Proxy 2.0 NT 4.0 computer meet the minimal and appropriate specification for Windows 2000?
Steps to Take: If the Proxy 2.0 system does not meet the minimum requirements for Windows 2000, you will need to upgrade the hardware prior to continuing the migration.
These details will be discussed during the migration instructions. The general process is outlined in Step by Step 4.1.
STEP BY STEP 4.1 Upgrading Proxy 2.0 to ISA Server
1. Disconnect the computer from the Internet.
2. Back up the Proxy 2.0 Server configuration.
3. If hardware upgrades are necessary, perform them.
4. If migrating an array of Proxy Servers, remove the servers from the array prior to beginning the migration process. The array rules and network and monitoring configurations will be retained by each Proxy Server and can be migrated to the new array if required and allowed by policy.
5. Stop and disable Proxy Server Services.
6. If Proxy 2.0 is installed on Windows NT 4.0, upgrade to Windows 2000/SP1 (or current service pack).
7. Begin ISA Server Setup.
8. If migrating to an existing array, choose the array during setup.
9. If migrating a Proxy Server array, create the array with the first installation, then join each succeeding installation/migration to the new array.
10. Review the isasupgrade.log (placed in the installation directory).
NOTE Windows 2000 Error Message If, during the upgrade process, you receive an error message that Proxy Server 2.0 won’t work in Windows 2000 (see Figure 4.1), you can ignore the message. You will be installing ISA Server shortly and do not want Proxy Server to work under Windows 2000. (For Proxy Server 2.0 to run on Windows 2000, the Proxy Server 2.0 Update Wizard for Microsoft Windows 2000 must be applied.) Visit the Proxy Server home page at www.microsoft.com/proxy.
During the ISA Server installation process, you will have the opportunity to install the new server as an array member or as a standalone server. Most rules and configuration settings will be retained when migrating to a standalone server. However, when migrating to an array, the ISA Enterprise policy settings will determine what is migrated from Proxy Server 2.0.
FIGURE 4.1 Windows 2000 install error message.

Back Up the Proxy Server Configuration
Back up the Proxy 2.0 Server configuration.
Migrating from Proxy Server 2.0 to ISA Server is really more a migration of Proxy Server configuration information than a simple upgrade. You back up the configuration, however, so that you can return to Proxy Server functionality if migration fails and cannot be repaired. You can even use the Proxy configuration file to configure a fresh Proxy installation on Windows 2000 Server. To back up the configuration, follow Step by Step 4.2.
STEP BY STEP 4.2 Backing Up Proxy Server Configuration
1. Open Internet Services Manager.
2. Double-click the computer name next to any of the Proxy Server services.
3. Open Server properties.
4. On the Service tab, click Server Backup (see Figure 4.2).
5. Type a valid path (or use the default c:\msp\config) in the Directory field (see Figure 4.3).
6. Click OK. The configuration information is stored in the MSPyyyymmdd.mpc file. (A copy of a Proxy 2.0 backup is located in Appendix A, “Microsoft Proxy Server 2.0 Configuration Backup.”)
FIGURE 4.2 Finding the backup and restore utilities.
A restore can be made from the same interface by choosing the Server Restore button.
Stop and Disable Proxy Server Services

Proxy Server Services must be stopped in order for the upgrade to Windows 2000 to proceed smoothly. You can stop them by using the net stop servicename command. The names of the Proxy Server Services are listed in Table 4.2. If you are migrating from Proxy Server 2.0 on Windows NT 4.0, you should also disable these services. When the system completes its upgrade to Windows 2000, the services will attempt to restart, but will not be able to do so. They will continue to attempt to start, causing a potential consumption of resources, which can prohibit, or at least slow, the rest of your migration process.
FIGURE 4.3 Choosing a backup folder.
Par t I
INSTALLATION AND UPGRADE
TABLE 4.2 PROXY SERVER SERVICES

Service                                   Service Name
World Wide Web Publishing                 W3svc
Microsoft Winsock Proxy Service           Wspsrv
Microsoft Proxy Server Administration     Mspadmin
Proxy Alert Notification Service          Mailalrt
Upgrade to Windows 2000 and Install ISA Server
FIGURE 4.4 Viewing the Proxy Services.
If your migration path is from Windows NT 4.0, after upgrading to Windows 2000, you will find (as forecast by the error message in Figure 4.1) that Proxy Server 2.0 does not work. Immediately after installation, World Wide Web Publishing service, Proxy Alert Notification Service, Microsoft Proxy Server Administration Service, and Microsoft Winsock Proxy Service are present, but fail to start (see Figure 4.4). (If you followed instructions and disabled these services before upgrading to Windows 2000, you will find that you cannot start them.) Don’t forget to apply Service Pack 1 for Windows 2000 before installing ISA Server. Starting the installation of ISA Server locates configuration information from the Proxy Server (see Figure 4.5), although it identifies it as an older version of ISA. Be sure not to change the folder at this screen, or you will lose Proxy 2.0 configuration settings. You can change the folder location later during setup. You will be asked if you want to migrate existing policies and settings to an ISA Server policy (see Figure 4.6), and an upgrade log file (isasupgrade.log) will be created.
FIGURE 4.5 Proceeding with the migration.
The LAT is configured as it was for the Proxy Server installation and will appear onscreen for modification during setup (see Figure 4.7). However, if you did not check network card addressing after the Windows 2000 upgrade, you might find that you are prevented from continuing. The problem may be that the upgrade process detected a different driver for your network card and configured it with automatic IP address assignment. The range 169.254.0.0 to 169.254.255.255 (see Figure 4.8) would automatically be put in the LAT by a default ISA Server installation, but not by the upgrade. The solution, of course, is to construct the table and, if necessary, reconfigure the LAT after installation.
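The check a practitioner would run at this point, as an added example that is not from the book or from ISA Server: compare the LAT carried over from Proxy 2.0 with the adapter addresses found after the Windows 2000 upgrade, flagging adapters that fell back to automatic (APIPA) addressing, internal adapters the LAT does not cover, and an external adapter the LAT wrongly includes. The LAT entries, adapter names and addresses are constructed sample data; on a real server they would come from the ISA LAT and from ipconfig output.

```python
"""Sanity-check a migrated LAT against post-upgrade adapter addresses.

Added example (not from the book or ISA Server). Sample data is constructed.
"""
import ipaddress

# The automatic (APIPA) range Windows falls back to when DHCP fails: the
# 169.254.0.0-169.254.255.255 range discussed in the text. A default ISA
# installation adds it to the LAT; an upgrade does not.
APIPA = ipaddress.ip_network("169.254.0.0/16")

# RFC 1918 private space; a LAT entry outside it deserves a second look,
# because anything in the LAT is trusted as internal by ISA Server.
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def lat_ranges(entries):
    """Convert ('start', 'end') string pairs into sorted IPv4Address pairs."""
    ranges = []
    for start, end in entries:
        s, e = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
        if e < s:
            raise ValueError(f"LAT entry {start}-{end} ends before it starts")
        ranges.append((s, e))
    return sorted(ranges)


def in_lat(address, ranges):
    """True if the address falls inside any LAT range."""
    a = ipaddress.IPv4Address(address)
    return any(s <= a <= e for s, e in ranges)


def overlaps(rng, network):
    """True if the (start, end) range shares any address with the network."""
    s, e = rng
    return s <= network.broadcast_address and e >= network.network_address


def lat_entry_for(address, netmask):
    """Build the LAT entry (first, last) that covers an adapter's subnet.

    This is what 'constructing the table' by hand amounts to for one adapter.
    """
    net = ipaddress.ip_network(f"{address}/{netmask}", strict=False)
    return str(net.network_address), str(net.broadcast_address)


def check_lat(lat_entries, adapters):
    """Return a list of findings (an empty list means the LAT fits the adapters).

    adapters maps adapter name -> (ip, is_external). Only the external
    adapter may fall outside the LAT; every internal adapter must be inside.
    """
    ranges = lat_ranges(lat_entries)
    findings = []
    for name, (ip, external) in adapters.items():
        if ipaddress.IPv4Address(ip) in APIPA:
            findings.append(f"{name}: {ip} is an automatic (APIPA) address; "
                            "adapter addressing was lost in the upgrade")
        inside = in_lat(ip, ranges)
        if external and inside:
            findings.append(f"{name}: external address {ip} is inside the LAT; "
                            "ISA would treat the Internet side as internal")
        if not external and not inside:
            findings.append(f"{name}: internal address {ip} is not in the LAT; "
                            "clients behind it would be treated as external")
    for s, e in ranges:
        if not overlaps((s, e), APIPA) and not any(s in n and e in n for n in PRIVATE):
            findings.append(f"LAT {s}-{e} is outside RFC 1918 space; "
                            "confirm it really is an internal range")
    return findings


# Constructed sample: a LAT copied from Proxy 2.0 and three adapters after
# the upgrade. The second internal adapter lost its address to APIPA.
SAMPLE_LAT = [("10.0.0.0", "10.255.255.255")]
SAMPLE_ADAPTERS = {
    "Internal": ("10.1.1.10", False),
    "Internal-2": ("169.254.10.20", False),
    "External": ("203.0.113.5", True),
}

if __name__ == "__main__":
    for finding in check_lat(SAMPLE_LAT, SAMPLE_ADAPTERS):
        print("WARNING:", finding)
```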
FIGURE 4.6 Do you want to migrate settings?
Setup will proceed. Place the installation files in either the original proxy folder or the new one chosen during setup.
Review the Setup Logs

Two logs are created during ISA setup:
• isas.log
• isasupgrade.log
Both can be found in the ISA installation directory. The isas.log contains information on ISA setup and a listing of what Proxy 2.0 definitions are evaluated. A copy of a log from a Proxy 2.0 migration can be found in Appendix B, “ISA Setup Log.” Examine this log to note that the existence of the Proxy Server is recorded early in the log. A clean installation (not a migration) would, of course, not show this. This information may be useful in troubleshooting an ISA Server installation done by someone else. The log also lists in great detail the steps taken during setup. An easier log to read, however, is the isasupgrade.log.
FIGURE 4.7 The Proxy 2.0 LAT is copied to the ISA LAT.
The isasupgrade.log lists specific steps taken (and their success or failure). This log is the more readable. Items listed include:
• Warnings about items that are never migrated (Web Proxy filters, for example).
• Lists of upgraded cache drives (migration retains the location and size of cache, but not the contents).
• Client configuration information (including proxy port 8080 and auto configuration).
• Protocols upgraded and their ports (including those protocols defined on Proxy, but not present by default on ISA).
• Proxy domain filters upgraded to Rules.
• Upgraded packet filters.
• Log configuration.
• Cache configuration.

FIGURE 4.8 Observing automatically assigned addresses.

NOTE: Migration Footprints. The files in Appendixes A (isas.log), B (isasupgrade.log), and C (MSP20010102.MPC) were created during the same migration process.

A sample isasupgrade.log is available in Appendix C, “ISA Upgrade Log.” Be sure to examine the log and note how discovery and success of configuration migration are recorded in the file, along with warnings about items that are not migrated by design. This log can answer many questions about the migration process. Instead of complaining that migration was faulty, an administrator should examine the log for information on what the settings were and what was migrated, as well as what is not migrated by design. Keeping a copy of the backup configuration made just prior to the migration will also allow easy verification of what was set on the Proxy before migration.
Array Migration

Proxy Server 2.0 servers in an array can be migrated to a standalone ISA Server configuration, to an existing ISA Server array, or to a new ISA Server array. The preparation process is the same for any of these choices: Remove the Proxy 2.0 server from its array. The array settings are saved to the individual Proxy Server and are thus available for migration. How they will be migrated depends on the choices made during ISA Server installation. See Table 4.4 in the next section, “Proxy Configuration Migration Results” for more help.
The migration process depends on the intended result as well.
• Array member to standalone ISA Server. Because the Proxy Server has been removed from its array, this situation is the same as if it were a standalone server to begin with. Proceed with the normal migration path.
• Array member to existing ISA Server array. The Proxy Server has been removed from its array and configuration settings are saved. First, determine if these settings need to be migrated. The policy of the existing ISA Server array will determine whether they will be migrated. If settings are important, examine the policy settings of the existing ISA Server array and make modifications as necessary.
• Array member to new ISA Server array. If a new array will be created, it is possible to migrate all settings that would normally be migrated. If this is the first ISA Server in the enterprise, and thus no other arrays exist, all migratable settings will migrate from the Proxy array to the new ISA Server array. However, if other ISA servers, and thus other ISA Server arrays exist, then the Enterprise policy of the ISA Server enterprise will determine whether array settings can be different. If they can be different, then Proxy Server array settings will migrate. If not, then they won’t. The Active Directory Schema must be modified for ISA and then the installation can proceed. The first array policy becomes the settings for the Enterprise policy and the array. You will have to decide if you want to allow other arrays to have more restrictive settings, or if this will be your only array. For more information on Enterprise and array settings see Chapter 3, “Installing ISA Server” and Chapter 11, “Manage ISA Server in the Enterprise.”
PROXY CONFIGURATION MIGRATION RESULTS

Migration results are impacted by three things:
• Proxy 2.0 array membership
• ISA Server installation process array and policy choices
• Predetermined migration paths
Predetermined Migration Effects

Each piece of documentation on Proxy Server to ISA migration uses the words “most Proxy Server 2.0 configuration/array settings migrate.” What does that mean? It means that, due to differences between the products and how they operate, not all Proxy Server 2.0 items are compatible with, or would even make sense to migrate to ISA Server. For example, the arrangement of the ISA caching environment is radically different from that of Proxy Server 2.0. In addition, it wouldn’t make sense to migrate cached data that will go out of date and can and must be refreshed from its source anyway. Other differences between Proxy 2.0 and ISA Server mean configuration changes as well:
• Proxy 2.0 listens for HTTP on port 80 while ISA Server listens on port 8080.
• Web Proxy Service Permissions are not migrated.
• Proxy Server 2.0 integrated and anonymous authentication is enabled by default. ISA Server defaults to integrated Windows authentication.
• Proxy Server style intra-array authentication between array members does not have to be configured on ISA Server arrays. Kerberos is used.
What can migrate is further impacted by array and enterprise policy setting considerations. However, presuming that effect to be negligible for a moment, the possible setting migrations are listed in Table 4.3.
TABLE 4.3 PROXY 2.0 MIGRATION CONFIGURATIONS

Category                   Proxy Setting                                      Migrated to ISA Setting
Proxy Rules/Properties     Domain filters                                     Site and content rules
                           Publishing properties                              Web publishing rules
                           Winsock permission settings                        Protocol rules
                           Web proxy routing rules                            Routing rules
                           Static packet filters                              Allow or block IP packet filters
Network settings           LAT                                                LAT
                           Automatic dial
Monitoring Configuration   Rejected packets, Protocol violations, Disk full
                           Log settings
Authentication             Basic and integrated Windows default               Only retains integrated Windows
Impact of Proxy 2.0 Array Membership and ISA Installation Selections on Migration

Premigration variables and ISA installation options determine which Proxy Server 2.0 settings will migrate. Premigration variables have the effect indicated in Table 4.4.
TABLE 4.4 PREMIGRATION VARIABLE EFFECT ON PROXY CONFIGURATION MIGRATION

Proxy Server 2.0 standalone
    Install to existing ISA array: ISA Enterprise configuration determines final configuration.
    Install to new ISA array: ISA Enterprise configuration set during installation determines final configuration.
    Install ISA standalone server: Retains most Proxy Server 2.0 configuration.

Proxy Server 2.0 array member
    Install to existing ISA array: ISA Enterprise configuration determines final configuration.
    Install to new ISA array: Can use array settings from Proxy Server 2.0 array.
    Install ISA standalone server: Because the Proxy Server was removed from the array before installation, most settings from the array are retained.
FIGURE 4.9 Proxy packet filter.
To learn more about the impact of Enterprise configuration on array-based policies, see Chapter 11.
Post Migration Necessities

Keep in mind that migration is not an upgrade. You will have postmigration work to do on the ISA Server and in your network before you can bring the ISA Server online and make it a useful member of your security team. In addition, you can expect reduced performance at start up due to the necessity of rebuilding the cache. Specifically,
• Because ISA Server and Proxy Server listen on different ports for HTTP requests, downstream browsers will have to be reconfigured.
• All network configurations on the ISA Server should be checked for correctness.
• Web publishing under ISA Server doesn’t require changes to the published server; however, the server may have had changes configured that now need to be removed.
• SOCKS rules from Proxy Server 2.0 are not migrated; ISA Server uses SOCKS application filters. You may need to configure or adjust these. ISA Server listens on port 1080 for SOCKS requests. This can be changed.
• ISA Server installs with only Windows integrated authentication. This means that previously supported requests from non-IE browsers are rejected. You need to configure basic authentication for Web requests.

FIGURE 4.10 Proxy packet filter 2.

Information on how to do many of these post-installation configuration items is located in Chapter 5, “Outbound Internet Access,” and Chapter 6, “ISA Server Hosting Roles.” You will find that between the isasupgrade.log file and an examination of the interface, you can quickly establish the status of migrated configurations. Many of these settings are even labeled as Proxy 2.0 related settings. Figures 4.9–4.13 show examples of migrated settings displayed in the ISA Server interface.
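One way to verify the authentication point in the list above (migration leaves only integrated Windows authentication, so non-IE browsers are rejected until Basic is added), as an added example that is not from the book or from ISA Server: parse the 407 challenge a Web listener returns and report which schemes it offers. The two sample responses are constructed; probe_listener() is for use against your own server and assumes the ISA default Web proxy port 8080.

```python
"""Report the proxy authentication schemes a migrated Web listener offers.

Added example (not from the book or ISA Server). Sample responses are constructed.
"""
import socket


def parse_proxy_auth(raw_response):
    """Return {'status': int, 'schemes': set} from a raw HTTP response head.

    ISA sends one Proxy-Authenticate header per scheme, so the scheme is the
    first token of each header value (parameters such as realm= follow it).
    """
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    schemes = set()
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "proxy-authenticate":
            token = value.strip().split(" ", 1)[0].rstrip(",")
            if token:
                schemes.add(token.lower())
    return {"status": status, "schemes": schemes}


def assess(parsed, non_windows_clients=True):
    """Turn the parsed challenge into post-migration findings.

    non_windows_clients: True when Netscape/Unix-style browsers must still
    be served, which is the situation the text describes.
    """
    findings = []
    if parsed["status"] != 407:
        findings.append("no proxy authentication challenge returned; check "
                        "that a rule actually requires authentication")
        return findings
    if non_windows_clients and "basic" not in parsed["schemes"]:
        offered = ", ".join(sorted(parsed["schemes"])) or "none"
        findings.append(f"only integrated schemes offered ({offered}); non-IE "
                        "and non-Windows browsers are rejected until Basic is enabled")
    if "basic" in parsed["schemes"]:
        findings.append("Basic is offered: credentials cross the wire base64-"
                        "encoded, so limit it to trusted segments or SSL listeners")
    return findings


def probe_listener(proxy_host, proxy_port=8080, timeout=5.0):
    """Send one unauthenticated request through the proxy; return the raw head.

    Run it against your own ISA Server; 8080 is the ISA default (Proxy 2.0
    listened on 80, which is why migrated browsers must be reconfigured).
    """
    request = (b"GET http://www.example.com/ HTTP/1.1\r\n"
               b"Host: www.example.com\r\n"
               b"Proxy-Connection: close\r\n\r\n")
    data = b""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as sock:
        sock.sendall(request)
        while b"\r\n\r\n" not in data:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return data


# Constructed responses: what a listener returns right after migration
# (integrated only) and after Basic has been added.
SAMPLE_INTEGRATED_ONLY = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
                          b"Proxy-Authenticate: Negotiate\r\n"
                          b"Proxy-Authenticate: NTLM\r\n"
                          b"Content-Length: 0\r\n\r\n")
SAMPLE_WITH_BASIC = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
                     b"Proxy-Authenticate: Negotiate\r\n"
                     b"Proxy-Authenticate: NTLM\r\n"
                     b"Proxy-Authenticate: Basic realm=\"isa.example.invalid\"\r\n"
                     b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for label, raw in (("after migration", SAMPLE_INTEGRATED_ONLY),
                       ("with Basic added", SAMPLE_WITH_BASIC)):
        parsed = parse_proxy_auth(raw)
        print(label, sorted(parsed["schemes"]), assess(parsed))
```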
FIGURE 4.11 Proxy DomainFilter.

MIGRATING THE MINDSET
Proxy Server 2.0 and ISA Server use slightly different names for similar processes. Part of the migration process is that it is necessary for the administrators to get used to the new system. Two items need to be contended with:
• Different names and locations for similar concepts
• New features and configuration processes
New features and their configuration processes can be learned by using this book and practicing with the interface on a test network. The hardest thing about migrating to a new system is learning how to do what you already know how to do. Like most major product evolutions, ISA Server requires you to learn a new vocabulary and interface to just do what Microsoft Proxy Server 2.0 allowed you to do with a less fancy toolset. ISA Server, however, also adds an incredible array of new features and a granularity of effect that was not possible with Microsoft Proxy Server 2.0. Of course you can’t expect the same dashboard on an F-111 fighter as you find on your SUV. With a little bit of help and a little bit of patience, you can learn to maneuver in either and the new interface will soon feel like home. Table 4.5 can assist with vocabulary translation.

FIGURE 4.12 Proxy DenySitesSet.
TABLE 4.5 PROXY-TO-ISA DICTIONARY

Each entry gives the Proxy Server 2.0 term, the ISA Server term, and a comment on where to find it in ISA Server.

Proxy Server 2.0: Domain filter
ISA Server: Site and content rules
Comment/Where: Restrict domain-site access by clients.
    For array policies: /Servers and Arrays/name/access policy/site and content Rules
    For enterprise policies: /enterprise/policies/enterprise policy/site and content rules

Proxy Server 2.0: Publish HTTP sites
ISA Server: Create Web publishing rules
Comment/Where: /Servers and Arrays/Name/Publishing/Web Publishing Rules

Proxy Server 2.0: Restrict protocols
ISA Server: Create protocol rule
Comment/Where:
    For array policies: /servers and arrays/name/access policy/protocol rules
    For enterprise policies: /enterprise/policies/enterprise policy/protocol rules

Proxy Server 2.0: Create packet filters
ISA Server: Create IP packet filter
Comment/Where: Servers and arrays/name/access policies/IP Packet filters

Proxy Server 2.0: Create alerts
ISA Server: Create an alert
Comment/Where: Servers and arrays/name/monitoring configuration/alerts

Proxy Server 2.0: Configure routing
ISA Server: Configure Web Proxy Service routing
Comment/Where: Servers and arrays/name/network configuration/routing

Proxy Server 2.0: Configure LAT
ISA Server: Configure LAT
Comment/Where: Servers and arrays/name/network configuration/Local Address Table

Proxy Server 2.0: Configure cache
ISA Server: Configure cache
Comment/Where: Servers and arrays/name/cache configuration

FIGURE 4.13 Proxy site rules.
CHAPTER SUMMARY

Understanding the migration process from Proxy Server 2.0 has been the goal of this chapter. Although the actual process is straightforward, numerous variables can combine to alter the expected result. It is always wise to understand the possibilities and plan for the operation rather than subject users to longer periods of downtime. Specifically, the following items were addressed:
• The migration process
• What’s migrated and what’s not
• Post-migration activities
• Helping Proxy administrators adjust to ISA Server
This completes Part I, “Installation and Upgrade.” Part II, “Configuring and Troubleshooting ISA Server Services” covers the implementation, configuration, and troubleshooting of the following:
• Outbound Web access
• Hosting roles
• The H.323 gatekeeper
• Remote access
• Virtual Private Network integration

KEY TERMS
• Stateful inspection
• Migration
• Upgrade
• Domain filter
APPLY YOUR KNOWLEDGE

Exercises

4.1 Migrate a Windows NT 4.0/Proxy Server 2.0 to ISA Server

This exercise will help you understand the upgrade path from Proxy Server 2.0 to ISA Server. By completing it, you will be better prepared to plan and complete a migration from Proxy Server 2.0 to ISA Server. By configuring the Proxy 2.0 Server with domain filters, packet filters, and other settings, you will be able to see the transfer of configuration information from Proxy 2.0 to ISA Server.

Estimated Time: 30 minutes
1. Remove the Proxy Server from the Internet and back up its configuration.
2. Disable and stop the Proxy services.
3. Install Windows 2000, SP 1 (or relevant SP) and any hotfixes.
4. Install ISA Server. Note progress reports and error messages.
Review Questions
1. You currently have five Microsoft Proxy Server 2.0 systems in an array and need to upgrade them to ISA Server. Can you migrate this array while still maintaining caching services for Internet Access? How?
2. The ABC Carpet Company has a single Proxy Server 2.0 system running on Windows NT 4.0. They would like to know the preliminary steps they can do to get ready for migration. They want to minimize downtime when the actual migration takes place. What would you suggest?
3. Windows 2000 and the Active Directory have been deployed. The Proxy 2.0 system has been upgraded to Windows 2000 and the Proxy 2.0 upgrade has been installed so that Proxy 2.0 is now running correctly on a Windows 2000 server in a workgroup. What steps should be taken to upgrade the Proxy 2.0 Server to ISA Server?
4. Proxy 2.0 has been successfully upgraded to ISA Server. Where would you look to determine which configuration settings migrated?
5. Why is it important to back up the Proxy 2.0 configuration prior to beginning the migration process?
6. Why do you need to be a member of the Enterprise Admins group in order to migrate an array of Proxy 2.0 Servers to ISA Servers?
7. In the appendixes of this book are backup files and log files created during the migration of a Microsoft Proxy Server 2.0 system to ISA Server. Examine the logs and determine at least one specific setting that did not migrate.

Exam Questions
1. Three reasons to carefully check the newly migrated ISA Server before placing it back into service are
    A. Packet filters do not migrate; you will need to re-create them.
    B. Domain filters will need to be re-created as site and content rules.
    C. Network configuration might have changed during the upgrade to Windows 2000.
    D. SOCKS rules from Proxy Server 2.0 are not migrated.
    E. Some alerts that are part of Proxy Server 2.0 are not part of ISA Server.
2. Your policy is to require all users to authenticate before accessing the Internet. Prior to migrating from Proxy 2.0 to ISA Server, users running Netscape Navigator on Unix systems could access the Internet. After migration, they cannot. How should this problem be resolved?
    A. Upgrade the Unix users to Windows 98.
    B. Modify ISA Server authentication to include “basic authentication.”
    C. Install the firewall client on the Unix systems.
    D. Modify ISA Server authentication to include “Digest Authentication.”
3. John is migrating six Proxy Server 2.0 systems to ISA Server. All Proxy Servers are in an array. These servers will be the first ISA Servers installed on his network. John will be creating a new array. He has initialized the Active Directory Schema with the ISA elements. He removes a Proxy Server 2.0 system from the Proxy Server array, upgrades the system to Windows 2000, and installs ISA Server into a new array. The process completes successfully. John checks the new ISA Server to find out how its settings compare to those he configured for the Proxy Server 2.0 array. He finds the following:
    A. None of the Proxy Server 2.0 array settings have migrated to the new ISA Server array.
    B. The Proxy Server array settings have migrated to the ISA Server array (with the usual exceptions).
    C. Only packet filter configuration migrates to the new array.
    D. Only packet filters and domain filters migrate to the new array.
4. Sally is getting ready to migrate the standalone Proxy Server 2.0 to ISA Server. Her first step is to back up the Proxy Server configuration. To do so, she
    A. Uses msbackup to back up the entire Proxy Server 2.0 system.
    B. Uses RDISK to back up the Registry because the configuration settings are in the Windows NT 4.0 Registry.
    C. Uses her third-party back-up system to do a backup.
    D. Uses the Proxy 2.0 back-up program from the Web Proxy service properties page.
5. Select the answer that lists (in the correct order) the steps to be taken to migrate from Proxy Server 2.0 to ISA Server.
    A. Back up Proxy Server configuration, upgrade server to Windows 2000, apply Service Pack 1, stop Proxy services, install ISA Server.
    B. Back up Proxy Server configuration, stop Proxy services, upgrade server to Windows 2000, install ISA Server.
    C. Back up Proxy Server configuration, stop Proxy services, upgrade server to Windows 2000, apply Service Pack 1, install ISA Server.
    D. Stop Proxy services, back up Proxy Server configuration, upgrade server to Windows 2000, install ISA Server, apply Service Pack 1.
6. Nancy migrates Proxy Server 2.0 to ISA Server. She examines the newly migrated ISA Server and it appears to her that none of the Proxy Server settings migrated. What two things might be the issue?
    A. Sometimes the settings just don’t migrate. No one knows why. It’s just a feature.
    B. When asked if she wanted to migrate existing policies and settings to an ISA policy, she clicked the No button.
    C. The ISA Server was migrated to an existing ISA Server array. The Enterprise policy selected for this array does not allow array settings to vary from those selected at the enterprise level.
    D. Immediately after migration, before putting the server back online, you must select the Use Migrated Settings option from the ISA Server Properties/General page. Nancy hasn’t done this yet.
7. After migration to an ISA server in cache mode, no users can access the Internet (they could prior to migration). What needs to be done to correct this situation? (Select all correct answers.)
    A. Upgrade all users to I.E. 5.0.
    B. Install the ISA Server firewall client on all systems.
    C. If the ISA Server is configured to allow discovery, be sure clients are configured to discover.
    D. Change the port for the Proxy Server in the properties of the client browsers from port 80 to port 8080.
Answers to Review Questions
1. To maintain caching services for Internet Access during the migration process, take one Proxy Server offline at a time and migrate it. Remove one Proxy Server from the array. Remove its access to/from the Internet. Back it up and prepare it for migration. Initialize the AD Schema for ISA Server. Upgrade the server to Windows 2000 SP1. Install this server as the first ISA Server in a new array. Verify settings and place the array on-line. Begin migrating clients to this new array. Continue to migrate Proxy Servers one at a time to the new array, and switch clients as more servers come on-line. See the section, “Impact of Proxy 2.0 Array Membership and ISA Installation Selections on Migration.”
2. ABC can do three things to minimize migration downtime.
    • Determine if the hardware on the existing machine will support Windows 2000. If necessary, upgrade any hardware or move the Proxy server to a new hardware platform and stabilize it prior to upgrading to Windows 2000. This prevents server upgrade issues from causing long downtimes during the migration process.
    • Carefully examine their configuration settings and the data on which settings will migrate. This way, they are better prepared to quickly examine and do any necessary configuration after migration.
    • Configure current clients for auto discovery. After migration, configure the ISA Server to allow discovery. (These steps avoid the large amount of time right after migration that would be used to modify browser settings.)
    See the sections, “Post Migration Necessities” and “The Migration Process.”
3. Back up the Proxy configuration, stop Proxy services, install ISA Server. See the section, “The Migration Process.”
4. You can examine the ISA Server interface. You can also examine the isasetup.log file. See the section, “Examine the Setup Logs.”
5. You back up the Proxy 2.0 configuration for two reasons. One, if something happens and the migration fails, you can install Proxy 2.0 and restore the saved settings. Two, you can inspect the configuration backup to determine what the Proxy 2.0 configuration settings were; this will aid you in determining whether the settings that you need have migrated or additional work needs to be done. See the section, “Backup the Proxy Server Configuration.”
6. To migrate an array of Proxy 2.0 servers to an array of ISA Servers requires you to first modify the Active Directory Schema. You need to be a member of the Enterprise Admins group, and the Schema modification group, to modify the Active Directory Schema. See the section, “Migrating an Array.”
7. Alert Disk Full, ICMP Ping Query packet filter. See the section, “Review the Setup Logs.”
Answers to Exam Questions
1. C, D, E. To enable SOCKS applications to work through ISA Server you will use application filters—the SOCKS rules, therefore, do not migrate. Alerts do migrate, but not all Proxy Server 2.0 alerts are configurable on ISA Server. A is incorrect; packet filters do migrate. You should check them for correctness; however, A states they do not migrate, so this is not the reason to check. B is incorrect; domain filters will be migrated to site and content rules on their own. See the sections, “Post Migration Necessities” and “Predetermined Migration Effects.”
2. B. Proxy Server 2.0 can be set to allow both Basic authentication (can be used by all Web browsers) and Windows Integrated authentication (can only be used by Windows clients). Authentication settings after migration are set to allow only Windows Integrated Authentication. To enable Unix systems to once again access the Internet, you must modify authentication settings to allow basic authentication. Although A would also work, it is not the best answer and is not practical in most environments. C is not correct because there is no Microsoft ISA Server firewall client product for Unix. D is not correct because Digest Authentication, while more secure, is only useful for Windows 2000 domain members. See the section, “Post Migration Necessities.”
3. B. The array settings can be migrated to the new array from the old. Therefore A is incorrect. C and D are incorrect because more than packet filters and domain filters will migrate. See the section, “Predetermined Migration Effects.”
4. D. Proxy Server 2.0 provides its own configuration backup program that is accessible from the properties page of any of its services. A and C are incorrect as they will back up the entire server; this is not necessary and may also not end up with the proxy configuration information necessary for a restore. B will back up the registry, but you only need the Proxy configuration information. See the section, “Backup the Proxy Configuration.”
5. C. A is incorrect. Proxy Server services should be stopped before upgrading to Windows 2000. B is incorrect. SP1 for Windows 2000 is required for installation of ISA Server. D is incorrect. SP1 should be applied before installing ISA Server. See the section, “The Migration Process.”
6. B, C. The option to not migrate existing policies is available during migration. When migrating the Proxy Server to an ISA array, the Enterprise settings that are active in the array will affect the migration of settings from Proxy. A is incorrect; settings do migrate. D is incorrect. Settings either migrate, or they don’t—there is no post-installation switch. See the sections, “Upgrade to Windows 2000 and Install ISA Server” and “Impact of Proxy 2.0 Array Membership and ISA Installation Selections on Migration.”
7. C, D. ISA Server listens on port 8080 for client Web requests. Proxy listens on port 80. Client browsers must be adjusted. While installing the firewall client is correct, it is not necessary. A is incorrect. Upgrading the browsers is not necessary and will not change the identified port. B is incorrect; the firewall client is used for accessing Winsock applications through the firewall and is not supported in caching mode. (The firewall client is not necessary for Web browsing.) See the section, “Post Migration Necessities.”
Suggested Readings and Resources
1. The following items from the ISA Server Help:
    • Checklist: Migrating from Microsoft Proxy Server 2.0, from the Help system of ISA Server
    • Migrating Microsoft Proxy Server 2.0 configuration
    • Microsoft Proxy Server 2.0 array considerations
    • Migration process
    • New ways to do familiar tasks
2. Run Microsoft Proxy Server 2.0 on Windows 2000—Microsoft white paper at http://www.microsoft.com/proxy/Support/win2kwizard.asp?
3. “Why Migrate from Microsoft Proxy Server” http://www.microsoft.com/isaserver/productinfo/whymigrate.htm
4. Knowledge Base Article “Q251143 Problems Installing Proxy Server 2.0 Update in Windows 2000”, http://support.microsoft.com/support/kb/articles/Q251/1/43.ASP
PART II

CONFIGURING AND TROUBLESHOOTING ISA SERVER SERVICES

5 Outbound Internet Access
6 ISA Server Hosting Roles
7 H.323 Gatekeeper
8 Dial-Up Connections and RRAS
9 ISA Virtual Private Networks
OBJECTIVES

This chapter covers the following Microsoft-specified objectives for the Configuring and Troubleshooting ISA Server Services section of the Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server 2000 exam:

Configure and troubleshoot outbound Internet access.

Whether ISA Server has been installed as a firewall, caching server, or both, it is designed to allow outbound Internet access—if configured to do so. By default, no outbound access is allowed. What must be done to allow access? Can this access be restricted? How do you go about giving access to authorized users and yet protecting the network from unauthorized external access? This objective is primarily about providing authorized access in a fashion that follows corporate policy. However, it’s also about doing so in a manner that keeps in mind network protection.
CHAPTER 5

Outbound Internet Access
OUTLINE

Introduction 136
Post Installation Default Settings 136
ISA Server Object Permissions 137
Who Can Configure Policies? 138
Limiting Read Permissions 138
Configuring Permissions 140
Service Permissions 141
Local Access Table (LAT) 142
Policy Settings 142
Packet Filtering 143
Routing 144
Caching 145
Publishing 145
Alerts 146
Configuring Access Rules and Tools 146
Understanding and Configuring Outgoing Web Request Properties 147
Listeners 147
Connections 147
Authentication Methods 148
How Are Rules Evaluated? 149
Creating Policy Elements 149
Configuring Site and Content Rules 153
Configuring Protocol Rules 154
Authentication and Rules 158
Custom HTML Error Messages 158
Default Error Messages 159
Configuring Custom Messages 159
Configuring a Single System Versus an Array 160
Configuring Caching 161
Standalone Cache 161
Configuring Hierarchical Access 161
Configuring CARP 163
Configuring Network Settings 163
Bandwidth Rules 164
LAT and Local Domain Tables 166
Configuring Routing Rules 167
Configuring ISA Server Chains 168
Troubleshooting Client Access Problems 169
A Protocol Rule Exists for a Protocol Definition, But Clients Cannot Use It 169
Clients Can’t Use a Specific Protocol 170
Clients Cannot Browse External Web Sites 170
Clients Receive a 502 Error Every Time They Attempt to Browse the Web 171
Clients Can Still Use a Protocol After the Rule for this Protocol Has Been Disabled 171
All Other Errors Including Intermittent Issues 172
Chapter Summary 173
Apply Your Knowledge 174
Exercises 174
Answers to Exercises 175
Review Questions 175
Exam Questions 177
Answers to Review Questions 179
Answers to Exam Questions 179
STUDY STRATEGIES

• If you are aware of how Internet access is restricted in your company, use this knowledge to outline your study attack. Create W2K groups and token users of the types you will need to work with. Can you configure ISA to allow them the access they need yet restrict others?
• If you do not have a real-world scenario (and even if you do), examine the exercises at the end of this chapter. A varied list of users and groups is included along with the accesses they need. Use this information as you begin your studies. What are the steps you would follow to complete the job?
• Put those examples (real world and exercise) into practice.
• What if some new need comes along? Do you have a strategy for figuring out what comes next? Use the resources presented in this chapter to develop a checklist for designing new access scenarios.
• Will the ISA Server mode vary or restrict your choices in developing Internet access paths? Remember that it might not always be the plan to cache Web resources. The ISA Server installation may be only made in firewall mode. Study each access option with this question in mind.
• What differences will distributed caching or hierarchical caching make on your implementation plans? Before you consider these issues, thoroughly explore and implement access using one ISA Server. Then learn how to implement CARP and chaining and test the results.
INTRODUCTION

Configure and troubleshoot outbound Internet access.

It can be frustrating to install a perimeter security device and find that not only have you protected your network from intrusion, but you have blocked all users from accessing the Internet. However, far from being a problem, this result should be reassuring. You want a security device to restrict access, and you would like to know that all access is under your control. If ISA Server installed with wide-open access, how would you ever know if you had closed all the doors? That would be like renting a new house and arriving to find the doors unlocked and the windows wide open. Although you can lock things up, how could you be sure that an intruder is not already inside? ISA Server is one place where administrators will not be able to merely pick and choose from the GUI to fashion functionality. This is as it should be. To set up appropriate access, you must first determine what is needed and then:

• Understand the default post-implementation status
• Configure access rules and tools
• Configure a single system versus an array
• Configure caching
• Configure ISA network settings
• Troubleshoot access issues
POST-INSTALLATION DEFAULT SETTINGS

If you followed the installation and verification exercises in the previous chapters, you found that the default settings on ISA Server do not allow any access to the Internet. After testing the ISA Server installation, you should always remove the test settings and appropriately configure the server to provide the access that your company requires.

Before examining how to apply these settings, it is a good idea to understand the default installation settings. You should consider permissions, policy settings, packet filtering, publishing, alerts, and routing. If ISA Server was installed in firewall or integrated mode, you should also examine the Local Access Table (LAT). If it was installed in caching or integrated mode, you should also examine the default cache settings.
ISA Server Object Permissions

Permissions can be assigned for multiple ISA Server objects including the server, arrays, alerts, H.323 gatekeeper, enterprise policies, and sessions. To examine the default settings, right-click the object in the ISA management console and select the Security tab. Table 5.1 lists the objects and indicates the permissions for the Enterprise edition. Table 5.2 does the same for the Standard edition.

TABLE 5.1 DEFAULT ENTERPRISE ISA OBJECT PERMISSIONS

Object | Local Admins | Domain Admins | Enterprise Admins | SYSTEM | Authenticated Users
Server | Full Control | None | None | Full Control | None
Arrays* | Full Control | Full Control | Full Control | Full Control | Read
Alerts | Read Alerts Information, Reset Alerts Permission | Read Alerts Information, Reset Alerts Permission | Read Alerts Information, Reset Alerts Permission | Read Alerts Information, Reset Alerts Permission | Read
Gatekeeper | Full Control, Modify, Read | Full Control, Modify, Read | Full Control, Modify, Read | Full Control, Modify, Read | Read
Enterprise Policy | Read | Full Control | Full Control | Read | N/A
Sessions | Read Sessions Information, Stop Sessions | Read Sessions Information, Stop Sessions | Read Sessions Information, Stop Sessions | Read Sessions Information, Stop Sessions | Read

*When a new array is created, it will adopt the default enterprise policy settings.
TABLE 5.2 DEFAULT SECURITY ISA SERVER OBJECTS—STANDALONE

Object | Local Administrators | SYSTEM | Authenticated Users
Server | Full Control | Full Control | N/A
Arrays | Full Control | Full Control | None
Alerts | Read Alerts Information, Reset Alerts Permission | Read Alerts Information, Reset Alerts Permission | Read
Gatekeeper | Full Control, Modify, Read | Full Control, Modify, Read | Read
Sessions | Read Sessions Information, Stop Sessions | Read Sessions Information, Stop Sessions | Read
Who Can Configure Policies?

The settings in Tables 5.1 and 5.2 show that on a standalone ISA Server, the local Administrators group can configure array policy. In the Enterprise, members of the Domain Admins and Enterprise Admins groups can configure policies.

Limiting Read Permissions

To further restrict permissions on ISA objects, you may use the instructions in the following section. In many environments, it would be wise to narrow the broad read access given to all authenticated users on ISA objects. A user does not need “read” access on ISA Server objects to access the Internet through it. Internet access is controlled by other means. To immediately restrict Authenticated Users read access, you should create groups within Active Directory Users and Computers and assign permissions using those groups. Step by Step 5.1 shows how to do this.
STEP BY STEP 5.1 Limiting Read Permissions

1. Open the Active Directory Users and Computers console.
2. In each domain, create a global group to contain all the ISA Servers in that domain. Microsoft suggests the name “ISA Domain Servers.”
3. In each domain, create a global group for each ISA Server array. Each group name should include the array name of the array. Microsoft suggests the name “ISA array_name Array Servers.”
4. In the root domain, create a local group for those approved to access the ISA Server objects. Microsoft suggests the name “ISA Enterprise Readers.”
5. Give the groups created in Step 2, the ISA Servers in the domain, membership in ISA Enterprise Readers.
6. Also make the Domain Admins group from each domain a member in this group.
7. Open the ISA Management console and visit each ISA object shown in Tables 5.1 and 5.2 and remove permissions for Authenticated Users. Refer to Step by Step 5.2 for instructions on how to do this.
8. For each array, give Read permissions to the ISA array_name group created in Step 3. (Only the group that contains the servers in the array should be given read permissions on the array.)
9. At the enterprise level, give read permission to the ISA Enterprise Readers group.
10. Give read permission to the default enterprise policy to the ISA Enterprise Readers group.
11. If additional enterprise policies are present, assign read permission to arrays that use them by assigning read permission to the respective ISA array_name Array Servers group.
Configuring Permissions

To configure permissions on arrays, follow Step by Step 5.2. Table 5.3 directs you to the location of the Security tab for each object.

STEP BY STEP 5.2 Configuring Permissions on Arrays

1. Right-click the Object and select Properties.
2. Select the Security tab.
3. To deny permissions, select the user or group and click Remove.
4. To change permissions, select the user or group and modify permissions as necessary.
5. To add a new group or user, use the Add button to display a list of users and groups, then select the group and apply permissions.
TABLE 5.3 LOCATIONS FOR ISA OBJECT SECURITY TAB

Object | Location
Alerts | ISA console root\Servers and Arrays\name\Monitoring\Alerts
Arrays | ISA console root\Servers and Arrays\name
Enterprise | ISA console root\Enterprise
Enterprise Policy | ISA console root\Enterprise\Policies\Enterprise Policy
Gatekeeper | ISA console root\H.323 Gatekeepers\H.323 gatekeeper server
Sessions | ISA console root\Servers and Arrays\name\Monitoring\Sessions

NOTE: Don’t Be Fooled. It’s easy in the ISA Server interface to find yourself at the wrong location. For example, in Table 5.3, note that to set permissions on Alerts you must find the Alerts folder underneath the “Monitoring” node, not the “Monitoring Configuration” node. Figure 5.1 displays the path to both. (The open folder is the correct location.)
Service Permissions

ISA Server services run under the context of the local system account. Many server applications running on Windows NT 4.0 often run under the context of a user account to provide them with access to resources on other servers. In Windows 2000 the local system account can be used. Should you need to troubleshoot ISA service permission issues, Table 5.4 lists OS rights and resource permissions that must be available to ISA Server services.

TABLE 5.4 DEFAULT PERMISSIONS REQUIRED BY ISA SERVER SERVICES

Permission/Right | Purpose | Service
Read this key and descendants: HKLM\Software\Microsoft\Fpc | Read product settings | All
Read this and descendant objects: CN=Fpc, CN=Services, CN=Configuration, DC=... | Read product enterprise settings | All
Read this key and all descendant objects: CN=Fpc,CN=System,DC=... | Reading product domain settings | All
Write this directory, subdirectories and files: %programdir%\ISALogs | Write log files | All
Log on as a batch job | Execute as a service | All
Manage auditing and security log privilege | Create and use cryptography objects | All
Write directory, subdirectories and files: %programdir% | Write settings log summaries | Control
Restore files and directories | Back up and restore | Control
Generate security audits | Write events to security logs | Control, Firewall, Web Proxy
Read, list files, delete this directory and subdirectories and files: X:\urlcache | Reset cache storage | Control
Full control of this directory and subdirectories and files: X:\urlcache | Read and write cache storage | Web Proxy
Read HKLM\CurrentControlSet\Services\W3Proxy\Parameters | Reading settings | Scheduled cache content download

FIGURE 5.1 Which alerts folder?
Local Access Table (LAT)

If ISA Server is installed in firewall or integrated mode, the LAT must be configured. The LAT enables the ISA Server firewall service to identify which communications are from its internal or private network, and which are from its external or public network. This means that an improperly configured LAT can prevent authorized Web requests from reaching the Internet, and inadvertently compromise the ISA Server and the network it is protecting. In order for the firewall service to determine whether a communication can pass in either direction, it checks to see where the destination address lies. Thus, if a request from an internal client is addressed to a network that exists in the LAT, the ISA Server will believe that the address is local and thus does not need to pass through to the external network. In a more complicated scenario, one that also includes a perimeter network, the LAT does not contain addresses on the perimeter network even though they represent machines that are not on the public network. In either case, our goal is to have the correct addresses in the LAT. Unfortunately, the LAT is configured during installation by the installer, and not by ISA Server. Thus, its default settings might be set incorrectly for its current network. You should keep this in mind when troubleshooting access issues. You can modify the LAT after installation. See Step by Step 5.12 later in this chapter.
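To make the LAT decision concrete, the following Python script is an added illustration; it is not part of this book or of ISA Server. It models the rule just described: a destination inside a LAT range is treated as local and never forwarded to the external interface. The LAT contents, the RFC 1918 comparison and the optional perimeter-network list are this example’s own assumptions; the sanity check flags the two mistakes the text warns about, a public range typed into the LAT and a perimeter (DMZ) range that should not be there.

```python
from ipaddress import ip_address, ip_network

# Constructed LAT for illustration only (assumption): a real LAT holds the
# address ranges of your own internal network as entered at installation.
LAT = [ip_network("10.0.0.0/8"), ip_network("192.168.1.0/24")]

# RFC 1918 private ranges, the address space a LAT is normally built from.
RFC1918 = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]


def is_local(addr, lat=LAT):
    """True if addr lies in any LAT range, i.e. ISA would call it internal."""
    ip = ip_address(addr)
    return any(ip in net for net in lat)


def route_decision(dest, lat=LAT):
    """The firewall service's basic choice for a destination address:
    a LAT address is delivered locally, anything else goes out the
    external interface (subject to the access rules)."""
    return "local" if is_local(dest, lat) else "external"


def lat_sanity_check(lat, perimeter=(), private=RFC1918):
    """Report LAT entries that would misclassify traffic.

    - an entry outside RFC 1918 space makes Internet hosts look internal;
    - an entry overlapping a perimeter (DMZ) network pulls machines into
      the trusted side that the text says must stay out of the LAT.
    """
    problems = []
    for net in lat:
        if not any(net.subnet_of(p) for p in private):
            problems.append(f"{net}: public address space in the LAT")
        for dmz in perimeter:
            if net.overlaps(dmz):
                problems.append(f"{net}: overlaps perimeter network {dmz}")
    return problems


if __name__ == "__main__":
    print(route_decision("10.1.2.3"))          # local
    print(route_decision("198.51.100.7"))      # external
    # A mistyped LAT entry covering a public range (constructed example).
    bad_lat = LAT + [ip_network("198.51.100.0/24")]
    print(route_decision("198.51.100.7", bad_lat))  # local: request never leaves
    print(lat_sanity_check(bad_lat))
```

Running the check against the LAT exported from a server (the ranges are visible in the LAT properties) is a quick way to confirm the installer’s entries before chasing a “clients cannot browse” report; the same misclassification is why the text returns to the LAT in the troubleshooting section.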
Policy Settings

Access policy is determined by a combination of protocol rules and site and content rules. Site and content rules specify which sites and types of content clients on the private network of an ISA Server can access. Protocol rules determine which protocols can be used to access these sites. Site and content rules and protocol rules are available for firewall and cache modes. However, in caching mode only HTTP, FTP, and secure HTTP protocol rules are available. By default, a site and content rule, the Allow Rule, is created during setup. This allows all clients all access to all sites always. (During installation, Enterprise settings can be configured to prohibit array-level allow rules. If this is done, the default site and content rule is not created.) Figure 5.2 shows the default site and content rules.
FIGURE 5.2 The Allow Rule.
No default protocol rule is created during installation. Because both a protocol rule and a site and content rule must be evaluated before access can be granted, the default ISA Server configuration denies access to the Internet from all clients.
Packet Filtering

Packet filters allow control over which protocols are allowed both inbound and outbound. By default, packet filtering is enabled in firewall mode and in integrated mode, but not in caching mode. When packet filtering is enabled, all packets on the external interface are dropped unless they are specifically allowed by packet filters, access policy, or publishing rules. By default, several packet filters do exist on ISA Server; five of them are Internet Control Message Protocol (ICMP) rules. Although ICMP messages are commonly used to communicate information on an Ethernet network, they can be used in a planned attack. Some messages, however, are necessary to enable ISA Server to determine Internet network conditions. Note that the ISA Server can send all outbound ICMP messages, but is restricted to four types of ICMP inbound messages. The ICMP rules are:

• ICMP outbound. Allow all ICMP outbound from the ISA Server’s default IP addresses on the external interface to all remote computers. (The ISA computer can send ICMP messages.)
• ICMP ping response (in). To the default IP address on the external computer from all remote computers. (The ISA Server can receive inbound ping responses.)
• ICMP source quench. From outside to the default IP addresses on the external interface. (The ISA Server will receive instructions to slow its packet sending rate.)
• ICMP timeout (in). To the default IP address on the external interface computer from all remote computers. (The ISA Server can receive messages relating to timeouts, for example of ping requests.)
• ICMP unreachable. To the default IP address on the external interface from all remote computers. (The ISA Server can receive notice of an unreachable address.)

Two other default rules exist:

• DHCP Client. Allows the external interface to act as a DHCP client. This rule is disabled by default.
• DNS filter. DNS lookup. (Requests for DNS lookup can pass.)

WARNING: Any Monkey Can. Installation programs, GUI interfaces—put any monkey at a keyboard and sooner or later he can have any product up and running. Unfortunately, the product may be running wrong. Case in point: Don’t enable routing on ISA Server without enabling packet filtering. Should you do this you have just established ISA Server as a router and all inbound Internet packets will be routed to your internal network.
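The following Python model is an added example, not code from this book or from ISA Server. It shows the default-drop behaviour on the external interface together with the default ICMP filters listed above: only the four inbound ICMP types are accepted, everything outbound ICMP is accepted, and a disabled filter (DHCP Client) matches nothing until it is enabled. The ICMP type numbers are the standard RFC 792 values; modelling the DHCP Client rule as inbound UDP to port 68 is this example’s assumption, and the DNS filter is left out because the text does not give its port or direction. Access policy and publishing rules, which can also open traffic, are not modelled here.

```python
from dataclasses import dataclass
from typing import List, Optional

# Standard ICMP type numbers (RFC 792); protocol facts, not taken from the book.
ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACHABLE = 3
ICMP_SOURCE_QUENCH = 4
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11


@dataclass
class Packet:
    """A packet on the external interface. direction is 'in' (from a remote
    computer to the ISA Server) or 'out' (from the ISA Server outward)."""
    direction: str
    protocol: str                  # "icmp", "tcp" or "udp"
    icmp_type: Optional[int] = None
    dst_port: Optional[int] = None


@dataclass
class PacketFilter:
    name: str
    direction: str
    protocol: str
    icmp_type: Optional[int] = None   # None = any ICMP type
    dst_port: Optional[int] = None    # None = any port
    enabled: bool = True

    def matches(self, pkt: Packet) -> bool:
        # A disabled filter never matches, whatever it says.
        return (self.enabled
                and pkt.direction == self.direction
                and pkt.protocol == self.protocol
                and (self.icmp_type is None or pkt.icmp_type == self.icmp_type)
                and (self.dst_port is None or pkt.dst_port == self.dst_port))


# The default filters named in the text. DHCP Client as inbound UDP/68 is an
# assumption of this example; the DNS filter is omitted (see lead-in).
DEFAULT_FILTERS: List[PacketFilter] = [
    PacketFilter("ICMP outbound", "out", "icmp"),
    PacketFilter("ICMP ping response (in)", "in", "icmp", ICMP_ECHO_REPLY),
    PacketFilter("ICMP source quench", "in", "icmp", ICMP_SOURCE_QUENCH),
    PacketFilter("ICMP timeout (in)", "in", "icmp", ICMP_TIME_EXCEEDED),
    PacketFilter("ICMP unreachable", "in", "icmp", ICMP_DEST_UNREACHABLE),
    PacketFilter("DHCP Client", "in", "udp", dst_port=68, enabled=False),
]


def matching_filter(pkt: Packet, filters=DEFAULT_FILTERS) -> Optional[str]:
    """Name of the first enabled filter that matches the packet, or None."""
    for f in filters:
        if f.matches(pkt):
            return f.name
    return None


def decide(pkt: Packet, filters=DEFAULT_FILTERS) -> str:
    """With packet filtering enabled, the external interface drops anything
    no filter explicitly allows."""
    return "allow" if matching_filter(pkt, filters) else "drop"


if __name__ == "__main__":
    samples = [
        Packet("out", "icmp", ICMP_ECHO_REQUEST),   # ISA pinging out: allow
        Packet("in", "icmp", ICMP_ECHO_REPLY),      # the reply coming back: allow
        Packet("in", "icmp", ICMP_ECHO_REQUEST),    # someone pinging ISA: drop
        Packet("in", "udp", dst_port=68),           # DHCP offer, rule disabled: drop
        Packet("in", "tcp", dst_port=80),           # unsolicited HTTP: drop
    ]
    for p in samples:
        print(p, "->", decide(p), matching_filter(p))
```

Note that the inbound echo request is dropped even though the outbound echo request is allowed: the four inbound types are exactly the replies and error reports ISA Server needs to judge network conditions, which is the reasoning the text gives for keeping the rest closed.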
Routing

Routing is the process that allows and determines the path of requests. A default routing rule is configured to retrieve Web proxy client requests directly from the Internet (see Figure 5.3). This rule can be configured to direct these requests to upstream servers or to alternative sites. Additional rules can be configured to apply such actions to explicit destinations, or with the cache.
FIGURE 5.3 Default routing rule.
Caching

During setup, the size of the cache is configured. The following configurations are made by default:

• HTTP. Enabled
• FTP. Enabled
• Active caching (the ability of ISA Server to determine algorithmically which objects are popular and request them on its own before they expire). Disabled

Publishing

By default, no internal servers are published. There can be no access to internal servers by external clients. There is a default Web publishing rule that discards all requests (see Figure 5.4). No default Server publishing rules exist.
FIGURE 5.4 Default Web publishing rules.
Alerts

Many default alerts exist, but not all are active by default. The following alerts are not active after installation:

• All port scan attack
• Dropped packets
• Protocol violation
• UDP bomb attack
CONFIGURING ACCESS RULES AND TOOLS

The ISA Server defaults to a closed system; there is no communication between the public and private networks. You will need to configure access to allow internal clients to access the Internet. To do so, you must create access rules; specifically, you must:

• Understand and configure outgoing Web request properties.
• Understand how rules are evaluated.
• Create policy elements.
• Configure site and content rules.
• Configure protocol rules.
• Understand authentication and rules.
• Configure custom HTML messages to respond to users.
Understanding and Configuring Outgoing Web Request Properties

The first step in properly configuring access is to configure the server’s outgoing Web Request properties. These properties are located on the Outgoing Web Request page of the Server Property pages. Incoming and outgoing Web requests are separate and distinct and properties can be different (such as authentication) in both directions. These properties establish:

• Which IP addresses and ports on the server listen for internal requests (determining listeners).
• The number of connections allowed.
• Which authentication method is used when authentication is required.
Listeners

When servers have multiple IP addresses, which addresses can be used for requests? Why would you want to have multiple addresses? A multi-homed server (one with multiple IP addresses) may be desirable if different authentication methods are needed, and also so that different server certificate requirements are allowed. Server certificates are used when clients use HTTPS to request objects from internal servers. More information on certificates, SSL bridging, and so on, can be found in Chapter 6, “ISA Server Hosting Roles.”
Connections

Connection settings determine the maximum number of concurrent outgoing connections as well as how long a connection can be inactive before it is closed. If the ISA Server is in an array, the “maximum number of concurrent outgoing connections” stands for all servers in the array. The minimum setting is 1 and the maximum is “Unlimited.” The Connection Timeout is configured in seconds.
Authentication Methods

ISA Server can be configured to require specific authentication methods, and/or allow anonymous access. This section explains how authentication works with rules. Be sure to determine if client Web browsers can use the authentication method(s) that you configure ISA Server to require. Internet Explorer 5.0 and above supports all ISA Server authentication methods. Other browsers may not. Authentication method choices are pictured in Figure 5.5 and defined here:

• Basic authentication. User information is sent in easily readable characters. Passwords and names are encoded by the client, but not encrypted. The ISA Server matches the information with its user database or with a trusted domain.
• Certificates. Secure Sockets Layer (SSL) can be used to identify the server to the user and vice versa. The server requests and the user’s Web browser submits encrypted digital identification (the certificate) which can be checked by the server because some trusted organization produces the certificates. Mutual authentication can be accomplished as the server sends its certificate to the client and thus identifies itself as the ISA Server. For more information see “SSL Bridging” in Chapter 6.
• Digest authentication. Client credentials are hashed using a one-way process into a message digest. The message digest cannot be decrypted. Instead, it is compared to a message digest created on the server using the same client credentials.
• Integrated Windows authentication. Integrated Windows authentication uses the network authentication protocols that would be used in any other client/server Windows to Windows authentication process. If the client is a Windows 2000 system, and the ISA Server is a domain member, Kerberos can be used for authentication.

FIGURE 5.5 Configuring authentication methods.
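As an added illustration of the difference between the Basic and Digest methods described above (this is not code from the book or from ISA Server), the following Python shows what a proxy, a log reader, or anyone on the path sees in each case: Basic credentials decode with a single call, whereas a Digest response (RFC 2617, shown here without the qop extension) can only be checked by recomputing it on the server side. The realm, nonce, and user are constructed values for the demonstration.

```python
import base64
import hashlib
import hmac


def make_basic_header(user: str, password: str) -> str:
    """What a browser sends for Basic authentication: base64 of user:password."""
    token = base64.b64encode(f"{user}:{password}".encode("latin-1")).decode()
    return "Basic " + token


def parse_basic(header: str):
    """Basic credentials are *encoded*, not encrypted: whoever reads the
    header on the wire or in a log recovers the password outright."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("latin-1").partition(":")
    return user, password


def _md5_hex(s: str) -> str:
    # RFC 2617 specifies MD5 for the digest; it is used here for fidelity to
    # the protocol, not as a recommendation for new designs.
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_ha1(user: str, realm: str, password: str) -> str:
    """HA1 = MD5(user:realm:password); this is all the server needs to keep."""
    return _md5_hex(f"{user}:{realm}:{password}")


def digest_response(user, realm, password, method, uri, nonce) -> str:
    """Client side: response = MD5(HA1:nonce:HA2), HA2 = MD5(method:uri).
    The password never leaves the client; only this one-way value does."""
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{digest_ha1(user, realm, password)}:{nonce}:{ha2}")


def server_verify(stored_ha1, method, uri, nonce, response) -> bool:
    """Server side: rebuild the expected digest from the stored HA1 and the
    challenge it issued, then compare in constant time. Nothing here can be
    reversed into the password, which is the point the text makes."""
    ha2 = _md5_hex(f"{method}:{uri}")
    expected = _md5_hex(f"{stored_ha1}:{nonce}:{ha2}")
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # Constructed sample credential (assumption, not a real account).
    hdr = make_basic_header("alice", "s3cret")
    print(hdr, "->", parse_basic(hdr))          # password readable

    realm, nonce = "isa.example", "0a1b2c3d"   # constructed challenge values
    resp = digest_response("alice", realm, "s3cret", "GET", "/index.html", nonce)
    print("Digest response on the wire:", resp)
    ha1 = digest_ha1("alice", realm, "s3cret")
    print("server accepts:", server_verify(ha1, "GET", "/index.html", nonce, resp))
    print("replay with a new nonce:", server_verify(ha1, "GET", "/index.html", "ffff", resp))
```

The last line shows why the server-issued nonce matters: a captured Digest response is only valid for the challenge it answered, while a captured Basic header is valid until the password changes. That is the practical reason the text advises checking which methods the client browsers support before turning Basic off.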
How Are Rules Evaluated?

Every outgoing request is examined against the backdrop of existing site and content rules, protocol rules, and routing rules. If a protocol rule and a site and content rule allow the request, and no rule exists which specifically denies it, then the request is allowed. Any request must meet the conditions of a site and content rule and a protocol rule or it is denied. The default configuration of ISA Server uses this algorithmic absolute to prevent egress, while making it easy to allow external access. Because a default rule that allows access to all sites and all content exists, all that has to be done is to configure a protocol rule. When multiple rules exist they are processed in the following manner:

1. First, protocol rules are examined to determine if the protocol being used is defined in one of the rules. If it is, and the protocol is allowed, not denied, processing continues.
2. Next, site and content rules are applied. Does a site and content rule exist which matches the request and no other site and content rule denies it? Processing continues.
3. Third, IP packet filters are checked to determine if a blocking filter exists. Is the communication protocol used blocked explicitly?
4. If all answers have been affirmative, ISA Server checks its routing rules or its firewall chaining setup to find out how the message should be sent.

In reality, you should configure combinations of rules that meet your security policies. Instead of the quick verification rule configured in Chapter 3, which allowed all protocols to be used, you will need to carefully consider possible combinations. Once decisions are made, use the following instructions to configure the rules.
Creating Policy Elements

The configuration of many policy types relies on the use of predefined policy elements. Before you can configure granular site and content rules and protocol rules, you must define a subset of these elements. Think of policy elements as the components that can be selected to create rich rules for every circumstance with a minimum of work. Once policy elements are defined, they can be reused again and again. Available policy elements are defined in Table 5.5. Instructions for how to configure those that are used by site and content rules and protocol rules and for which no default policy elements exist are referenced in the table. This enables you to configure protocol rules and site and content rules in the exercises for this chapter. More information on all policy elements and how they can be used to configure policies is included in Chapter 12, “Access Control and in the Enterprise.”

TABLE 5.5 POLICY ELEMENTS

Policy Element | Definition | Used By
Schedules | Identifies the hours of the day and the days of the week that the rule is in effect (Step by Step 5.3). | Protocol rules, site and content rules, bandwidth rules
Bandwidth Priorities | Identifies an inbound and outbound priority number from 1–200. The numbers establish a relative percentage of the available bandwidth that can be applied to the traffic identified by the rule. | Bandwidth rules
Destination Sets | Identifies the computers and potentially the directories and files on those computers which can or cannot be accessed (Step by Step 5.4). | Site and content rules, bandwidth rules, Web publishing rules, routing rules
Client Address Sets | A collection of one or more computers identified by IP address (Step by Step 5.5). | Protocol rules, site and content rules, bandwidth rules, server publishing rules, Web publishing rules
Protocol Definitions | Characteristics that define available protocols via port, protocol type, and direction (Step by Step 5.6). | Protocol rules, server publishing rules, bandwidth rules
Content Groups | Arranges content definitions by MIME type or extension (Step by Step 5.7). | Site and content rules, bandwidth rules
Dial-up Entries | Specific dial-up information such as account information. | Routing rules, firewall chaining
STEP BY STEP 5.3 Configuring Schedules

1. Navigate to the Schedules folder at ISA Server Console Root\Servers and Arrays\name\Policy Elements.
2. Right-click Schedules and select New Schedule.
3. Enter a name for the New Schedule.
4. Enter a description.
5. Use the schedule table to define the hours and days of the schedule. Clicking a cell selects that hour of that day. Clicking a day selects the entire day. Clicking an hour on the top selects that hour for every day (see Figure 5.6).
6. Click Active to enable activity on this schedule’s hours or click Inactive to disable activity on this schedule’s hours.
FIGURE 5.6 Making a schedule.
STEP BY STEP 5.4 Configuring Client Address Sets

1. Navigate to the Client Address Sets folder at ISA Server Console Root\Servers and Arrays\name\Policy Elements (see Figure 5.7).
2. Right-click on Client Address Sets and select New Set.
3. Enter a name for the Client Address Set.
4. Enter a description.
5. Click Add.
6. In the From box, enter an IP address for the lowest IP address in the range.
7. In the To box, enter the IP address of the highest IP address in the range. Click OK.
8. Click OK.
FIGURE 5.7 Configuring client address set.
STEP BY STEP 5.5 Configuring a Destination Address Set

1. Navigate to the Destination Address Sets folder at ISA Server Console Root\Servers and Arrays\name\Policy Elements.
2. Right-click the Destination Sets folder and select New Set.
3. Enter a name for the New Destination Set.
4. Enter a description.
5. Click Add.
6. In the Add/Edit Destination dialog box, enter information on destination and directories to be included.
7. To specify a destination enter a domain name (to include all computers in the peachweaver domain enter *.peachweaver.com), or browse to the domain (see Figure 5.8). Alternatively, a range of IP addresses might be entered.
8. If desired, a specific directory path or file name may be entered. Do not use the UNC path; instead use the fully qualified domain name (FQDN). For example, the proper path for the tickets directory on the computer PUFF in the peachweaver.com domain is puff.peachweaver.com/tickets/*. Click OK.
9. Click OK.
Configuring Site and Content Rules

Each site and content rule requires the configuration of multiple elements. Some elements, such as action (allowed or denied) are configured directly on the property pages of the rule. Others, such as destination sets, are developed and stored for use with more than one type of rule. The process for configuring site and content rules consists of determining each element and either filling in blanks or utilizing the unique, preconfigured policy elements. You should create policy elements before starting the Rule wizard. Step by Step 5.6 details the process.
FIGURE 5.8 Configuring destination address sets.
STEP BY STEP 5.6 Configuring Site and Content Rules

1. Navigate to the Destination Address Sets folder at ISA Server Console Root\Servers and Arrays\name\Access Policy\Site and Content Rules. Right-click on the folder and select New Rule.
2. In the New Site and Content Rule Wizard Welcome page, enter a name for the rule, and click Next.
3. On the Rule Action page of the wizard, select the response to client requests (see Figure 5.9). Choices are allow or deny. Denied requests can be redirected to another site.
4. On the Rule Configuration page, select the application of the rule. Will it apply to destinations? Schedules? Clients, or all three? (See Figure 5.10.)
5. Depending on the answer to Step 4, the next screen(s) allow selection of specific policy elements.
FIGURE 5.9 Defining the rule action.
Part II
CONFIGURING AND TROUBLESHOOTING ISA SERVER SERVICES
6. If the choice is destinations, the options are (see Figure 5.11):
• All destinations
• All internal destinations
• All external destinations
• Specified destination set (you must have created the set before configuring the rule)
• All destinations except selected set

FIGURE 5.10 Rule configuration.
FIGURE 5.11 Destination choices.

7. If the choice is Schedule, the Schedule page allows the selection of a schedule.
8. If the choice is Clients, the Client Type page allows the selection of specific computers (a client address set), specific users and groups, or the default of "Any Request."
9. If the choice is Custom, any combination of these elements may be defined:
• Destination
• Schedule
• Client address sets
• Content groups (Applications, Documents, Audio, and so on; see Figure 5.12)
10. Enter the choice and click Next.
11. On the Finish page, click Finish.
After configuring site and content rules, you should examine the Property pages to ensure that they have the proper setup. Changes to the rule can be implemented from this interface.
FIGURE 5.12 Content groups.

Configuring Protocol Rules
Protocol rules allow or deny access via specific protocols, which lets you control the type of access to the Internet. You might want to allow Web access and thus configure a rule that enables HTTP, and you might want to allow only this type of access. If that one protocol rule is the only one configured, no other protocol can be used, because ISA Server denies by default. Thus, once a policy is established as to what protocols may be used, the process is clear: you configure protocol rules that allow the approved protocols. The absence of a rule for other protocols prevents their use; you may also explicitly deny a protocol by writing a deny rule. When multiple protocol rules are present, the following conventions apply:

• The absence of a protocol rule prevents that protocol from being used. A protocol can therefore be denied either implicitly (no rule) or explicitly (a deny rule). Protocol rules are not ordered; ISA Server processes deny rules before allow rules, so a matching deny rule blocks the request even when an allow rule also matches.
• Rules can be defined to apply to all IP traffic, to specific protocol definitions, or to all IP traffic except the protocols selected.
• In caching mode, the only protocol rules allowed are those that restrict HTTP, HTTPS, Gopher, and FTP.
• In firewall and integrated modes, protocol rules can be applied to any IP protocol.
• Protocol definitions are provided for well-known protocols, but a definition can be created for any IP protocol and then used in a rule.
• A protocol rule permits a request only if a site and content rule also allows it; the two rule types are evaluated together.

Figure 5.13 illustrates multiple protocol rules. If you examine the rules, you will see that they allow HTTP, HTTPS, and FTP access to the Internet while explicitly denying Telnet. In this example, a separate rule is written for each protocol. A single rule can instead be written that encompasses all the allowed protocols by selecting Selected Protocols on the Protocols page of the wizard and then marking the protocols that you want to allow (see Figure 5.14). To configure protocol rules, follow Step by Step 5.7.
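The conventions above, together with the destination-set syntax of Step by Step 5.5, are easier to reason about in code. The following Python model is an added example, not code from the book or from ISA Server: it treats protocol rules and site and content rules as two unordered rule sets in which any matching deny wins, and a request needs an allow from both. The destination sets, rules, users, hosts and the 203.0.113.0 address range are constructed for the example.

```python
"""Added example (not from the book): how an ISA Server 2000 outbound
request is decided from destination sets, site and content rules and
protocol rules.  All names, hosts, users and addresses are made up."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from ipaddress import ip_address
from typing import Optional


def dest_matches(entry: str, host: str, path: str) -> bool:
    """One destination-set entry: '*.peachweaver.com',
    'puff.peachweaver.com/tickets/*' or an IP range '10.1.5.1-10.1.5.50'."""
    try:                                        # IP range entry?
        lo, hi = (ip_address(p) for p in entry.split("-"))
        return lo <= ip_address(host) <= hi
    except ValueError:                          # not a range, or host is a name
        pass
    host_pat, _, path_pat = entry.partition("/")
    if not fnmatchcase(host.lower(), host_pat.lower()):
        return False
    return not path_pat or fnmatchcase(path, "/" + path_pat)


DESTINATION_SETS = {                            # constructed policy elements
    "Peachweaver": ["*.peachweaver.com", "puff.peachweaver.com/tickets/*"],
    "Partner": ["203.0.113.0-203.0.113.255"],
}


def in_destination_set(name: str, host: str, path: str) -> bool:
    return any(dest_matches(e, host, path) for e in DESTINATION_SETS[name])


@dataclass
class Rule:
    name: str
    action: str                          # "allow" or "deny"
    protocols: Optional[set] = None      # protocol rule; None = all IP traffic
    destination: Optional[str] = None    # site and content rule; None = all
    clients: Optional[set] = None        # user names; None = "any request"
    hours: range = range(0, 24)          # schedule: hours of the day


@dataclass
class Request:
    user: str
    protocol: str
    host: str
    path: str
    hour: int


def rule_applies(rule: Rule, req: Request) -> bool:
    if rule.clients is not None and req.user not in rule.clients:
        return False
    if req.hour not in rule.hours:
        return False
    if rule.protocols is not None and req.protocol not in rule.protocols:
        return False
    if rule.destination is not None and not in_destination_set(
            rule.destination, req.host, req.path):
        return False
    return True


def decide(protocol_rules: list, site_rules: list, req: Request) -> str:
    """A request needs an allow from BOTH rule sets.  Within a set the rules
    are unordered: any matching deny wins, and no matching allow means deny."""
    for rules in (protocol_rules, site_rules):
        matching = [r for r in rules if rule_applies(r, req)]
        if any(r.action == "deny" for r in matching):
            return "deny"
        if not any(r.action == "allow" for r in matching):
            return "deny"
    return "allow"


# Constructed rule base: the Figure 5.13 idea (allow Web protocols, deny
# Telnet) plus a site and content rule that keeps one part-timer out of
# the ticket directory.
PROTOCOL_RULES = [
    Rule("Allow Web", "allow", protocols={"HTTP", "HTTPS", "FTP"},
         hours=range(8, 18)),
    Rule("Deny Telnet", "deny", protocols={"Telnet"}),
]
SITE_RULES = [
    Rule("Allow rule", "allow"),
    Rule("No tickets for part-timers", "deny", destination="Peachweaver",
         clients={"fred"}),
]


def demo() -> dict:
    cases = {
        "web_in_hours": Request("mary", "HTTP", "www.example.com", "/", 10),
        "web_after_hours": Request("mary", "HTTP", "www.example.com", "/", 20),
        "telnet": Request("mary", "Telnet", "203.0.113.7", "", 10),
        "smtp_no_rule": Request("mary", "SMTP", "mail.example.com", "", 10),
        "fred_tickets": Request("fred", "HTTP", "puff.peachweaver.com",
                                "/tickets/may.htm", 10),
        "mary_tickets": Request("mary", "HTTP", "puff.peachweaver.com",
                                "/tickets/may.htm", 10),
    }
    return {k: decide(PROTOCOL_RULES, SITE_RULES, r) for k, r in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} {verdict}")
```

Two details the wizard does not make obvious: *.peachweaver.com matches hosts under the domain but not the bare name peachweaver.com, which needs its own entry; and a request that matches no rule at all (SMTP above) is denied without any explicit deny rule.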
FIGURE 5.13 Understanding protocol rules.
FIGURE 5.14 Using one rule for multiple protocols.

STEP BY STEP 5.7 Configuring Protocol Rules

1. On the ISA console, navigate to the Protocol Rules container.
2. Right-click Protocol Rules and select New.
3. In the New Protocol Rule Wizard, enter a name for the new protocol rule, and click Next.
4. On the Rule Action page, select Allow or Deny and click Next.
5. On the Protocols page, select the type of traffic: All IP Traffic, Selected Protocols, or All IP Traffic Except Selected.
6. If Selected Protocols is selected, a Protocols box appears. Select the protocols to block or allow (see Figure 5.15).
7. Select the schedule for the rule. (The rule will be enforced during the hours indicated in the schedule.) Click Next.
8. Select the Client Type. Client types are client address sets, specific users and groups, or all requests (see Figure 5.16). Note that users can be specified as Windows 2000 users and groups (see Figure 5.17); a rule that names users or groups forces the client to authenticate (see "Authentication and Rules" later in this chapter).
9. Click Next. At the wizard Finish screen, click Finish.
FIGURE 5.15 Selecting protocols.
See Step by Step 5.8 to modify existing rules.
FIGURE 5.16 Choosing client types.

STEP BY STEP 5.8 Modifying Protocol Rules

1. Select the Protocol Rules folder.
2. On the View menu, be sure the Advanced item is checked. If it is not, click it to select it. (Protocol rules cannot be modified in Taskpad view.)
3. In the Details pane, right-click the protocol rule to modify, and choose Properties. 4. Select the tab for the item you want to modify. 5. Make the change necessary (see Table 5.6).
TABLE 5.6 MODIFY PROTOCOL RULES

Property Tab   Item to Modify
General        Name, description, enable, or disable
Action         Allow or deny
Protocol       Select protocols
Schedule       Select a new schedule or create one for this protocol (see Figure 5.18). If a schedule is defined, you can make it active or inactive. This feature allows you to temporarily test a new schedule or remove it without losing the definition.
Applies to     Select who this rule applies to: either all requests, or specific client address sets or Windows 2000 users and groups.

FIGURE 5.17 Applying protocol rules via Windows groups.
FIGURE 5.18 Creating a new schedule for a protocol rule.
Authentication and Rules
Client authentication before a requested access is granted is required in the following circumstances:

• When rules are configured to require membership in specific groups or the participation of specific users, ISA Server requires client authentication so that it can determine whether access is allowed for that user.
• If the HTTP protocol is requested by Web proxy or firewall clients, ISA Server determines whether a rule allows anonymous access. If one does, and no other configuration blocks the access, the request is allowed.
• If no rule allows anonymous access to HTTP, ISA Server requires authentication.
• If a firewall client requests access to some other protocol and rules have been configured that require membership in a group, or access is specific to certain users, then authentication is required.
• ISA Server has been configured to always require authentication (see Figure 5.19).

Additionally, if a firewall client requests HTTP access, the request is passed through the HTTP redirector (if it is enabled and configured) to the Web Proxy service. The client's authentication information is not passed to the Web Proxy service, so if ISA Server is not configured to allow anonymous access, the attempt will fail.
Custom HTML Error Messages
FIGURE 5.19 Require authentication for all users.
If a client attempts Web access and an error message is returned, where is the message coming from? If the client is going through the ISA Server, the error messages are returned from the ISA Server. A set of error message HTML files is stored in \ErrorHtmls folder on the ISA Server. You can develop custom error messages by modifying HTML pages provided for that purpose.
Custom error messages can be created for both incoming and outgoing requests. Messages for outgoing requests (from internal clients) are stored in files named error#.htm, where # is the error number. Messages for incoming requests are stored in files named error#R.htm.
Default Error Messages
Default error messages are available for 26 common errors, including the following:

• 10060. The specified Web server cannot be contacted.
• 11001. The specified host could not be found.
• 11002. The DNS name server for the specified host could not be contacted.
• 11004. Host not found.
Configuring Custom Messages Custom messages are created by using default HTML files provided in the \ErrorHtmls folder. You might want to include company information, graphics, or create a more friendly or specific error message. To create a custom message follow Step by Step 5.9. Figure 5.20 displays the section of the default file that must be modified.
STEP BY STEP 5.9 Creating a Custom Error Message

1. Open the default file in \Program Files\Microsoft ISA Server\ErrorHtmls (default.htm for internal client errors, defaultR.htm for external client errors).
2. Replace [ERRORNUM] with the error code.
3. Replace [ERRORTEXT] with the message you want to display.
4. Replace [SERVERNAME] with the name of the server that will return the HTML page.
FIGURE 5.20 Modifying the default.htm file.
5. Replace [VIAHEADER] with the Via header string that the ISA Server computer receives for that error.
6. Add any inline graphics by using fully qualified URLs to .gif or .jpg files in the error messages. (You must store these files in a separate, shared directory on the ISA Server.)
7. Save the file as error#.htm or error#R.htm in the \ErrorHtmls folder.
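Step by Step 5.9 is repetitive when done by hand for every error number. The following Python script is an added example, not the book's or Microsoft's code: it fills the four placeholders for a table of errors and writes the error#.htm or error#R.htm files, refusing to emit a page that still contains a placeholder. The TEMPLATE string is a constructed stand-in for default.htm (the real file carries more markup), the ERRORS table uses the four codes listed above, and the Via value is an assumption. For pages returned to external clients (the R variants) the script substitutes a generic label for the server name, an editor's choice so that the page does not reveal the internal host name.

```python
"""Added example (not from the book): generate ISA Server custom error
pages from one template, following Step by Step 5.9."""
import os

PLACEHOLDERS = ("[ERRORNUM]", "[ERRORTEXT]", "[SERVERNAME]", "[VIAHEADER]")

# Constructed stand-in for default.htm; the real file carries more markup.
TEMPLATE = """<html><head><title>Error [ERRORNUM]</title></head>
<body><h1>[ERRORNUM] [ERRORTEXT]</h1>
<p>Returned by [SERVERNAME] (Via: [VIAHEADER])</p>
<img src="http://isa.example.com/errors/logo.gif" alt="logo"></body></html>
"""

# Constructed table; the codes are the four listed in this chapter.
ERRORS = {
    10060: "The specified Web server cannot be contacted.",
    11001: "The specified host could not be found.",
    11002: "The DNS name server for the specified host could not be contacted.",
    11004: "Host not found.",
}


def render(template: str, errornum: int, errortext: str,
           servername: str, viaheader: str) -> str:
    """Fill the placeholders and refuse to emit a page that still has one."""
    page = (template.replace("[ERRORNUM]", str(errornum))
                    .replace("[ERRORTEXT]", errortext)
                    .replace("[SERVERNAME]", servername)
                    .replace("[VIAHEADER]", viaheader))
    leftover = [p for p in PLACEHOLDERS if p in page]
    if leftover:
        raise ValueError(f"unreplaced placeholders: {leftover}")
    return page


def file_name(errornum: int, incoming: bool) -> str:
    """error#.htm for internal clients, error#R.htm for external ones."""
    return f"error{errornum}{'R' if incoming else ''}.htm"


def build_pages(template: str, errors: dict, servername: str,
                incoming: bool) -> dict:
    """Return {file name: html}.  Pages for external clients get a generic
    label instead of the server name (editor's choice: do not reveal the
    internal host name to outsiders).  The '1.1 name' Via value is an
    assumption, not taken from the book."""
    label = "the proxy" if incoming else servername
    return {file_name(num, incoming): render(template, num, text, label,
                                             "1.1 " + label)
            for num, text in errors.items()}


def write_pages(pages: dict, folder: str) -> None:
    os.makedirs(folder, exist_ok=True)
    for name, html in pages.items():
        with open(os.path.join(folder, name), "w", encoding="ascii") as fh:
            fh.write(html)


if __name__ == "__main__":
    # On the ISA Server itself the target folder is
    # \Program Files\Microsoft ISA Server\ErrorHtmls; a local copy is used here.
    for incoming in (False, True):
        write_pages(build_pages(TEMPLATE, ERRORS, "ISA1", incoming),
                    "ErrorHtmls")
```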
CONFIGURING A SINGLE SYSTEM VERSUS AN ARRAY
ISA Server is available in Standard and Enterprise editions. The Standard edition is designed to be used as a standalone, single-server system: policies cannot be centrally configured for multiple ISA Servers, and caching arrays cannot be configured. An Enterprise edition ISA Server can also be installed as a standalone server.
All access control methods described previously in this chapter are available to configure access through both the Standard and Enterprise editions of ISA Server. The difference is that on the Enterprise edition you configure enterprise and array policies, while on the Standard edition you configure policies for the single server. Techniques for configuring enterprise-wide and array-wide policies for access control and other processes are addressed more specifically in Part III, "Configuring, Managing, and Troubleshooting Policies and Rules."
CONFIGURING CACHING
Caching can only be configured on ISA Servers installed in caching or integrated mode. The size of the cache is first set during installation but may be modified afterward. The basics of configuring hierarchical and distributed caching are found here; for more detailed information, see Chapter 11, "Manage ISA Server in the Enterprise." Three types of forward caching are possible:

• Standalone cache
• Hierarchical caching
• Distributed caching: the array (CARP)
Standalone Cache
The Standard Edition of ISA Server allows configuration of a cache. A Standard Edition ISA Server can never be part of an array, but it can provide caching services.
Configuring Hierarchical Access Hierarchical, or chained caching access is achieved by configuring an ISA Server to send requests from clients to another ISA Server instead of directly to the Internet. ISA Servers can be chained as individual servers, or as arrays.
Each server in the chain between the requesting client and the Internet stores a copy of the retrieved object in its cache. The closest ISA Server that has the object in its cache fills the next request for the object. In addition, you can configure Web Proxy routing rules to conditionally route requests. For example, you might want to have a local ISA Server make requests of geographically close Web servers, while forwarding other requests for information on distant Web servers to ISA Servers at a location closer to them. This way, for example, an ISA Server in New York, while chained to one in San Francisco, would not forward a request for a partner’s Web site located in New Jersey to the San Francisco ISA Server. Instead, the New York ISA Server could fulfill the New Jersey request by directly accessing the Internet. Figure 5.21 illustrates this issue. In the figure, a request for newjerseysbbq.com is directly retrieved from the nearby site, while a request for seattlesbestjellybeans.com is forwarded to the ISA Server in San Francisco for retrieval. To place an ISA Server in a hierarchical chain and to learn to use Web Proxy routing rules see the “Configuring Network Settings” section that follows.
[Figure 5.21: a client in New York sends "I want NewJerseyBBQ.com" and "I want www.seattlesbestjellybeans.com" to the New York ISA Server; NewJerseyBBQ.com is retrieved directly, while the Seattlesbestjellybeans.com request is forwarded to the San Francisco ISA Server.]
FIGURE 5.21 Finding the backup and restore utilities.
Configuring CARP Cache Array Routing Protocol (CARP) is configured by default for all servers in the array for outgoing Web requests. Only Enterprise edition ISA Servers can be configured in an array. By joining an ISA Server to an array, you are subjecting it to the array policies for Internet access. Arrays can be chained to provide hierarchical caching as well as distributed caching.
CONFIGURING NETWORK SETTINGS Network settings determine a user’s access to bandwidth, indications as to internal or external location for addresses, and specific routing topologies to be used by the ISA Server. Bandwidth rules are configured in the Bandwidth Rules node underneath the server or array node of the ISA Server console. The Network Configuration folder of the ISA Server console potentially contains three distinct configuration areas. The existence of these nodes is dependent on installation mode. Table 5.7 describes them and is followed by configuration instructions.
TABLE 5.7 NETWORK CONFIGURATION

Network Configuration node, description, and the installation modes in which it exists:

Routing (Modes: All)
  Indicates, by destination, the action to be taken, including where to retrieve the requested object, the type of object to search the cache for, and bridging instructions for SSL.

Local Address Table (Modes: Firewall; integrated)
  Specifies which network addresses are in the private network versus those that are in the public one.

Local Domain Table (Modes: Firewall; integrated)
  Specifies the domain names that are in the internal network. Name resolution requests for these domains are not sent to external DNS servers.
Bandwidth Rules
Bandwidth rules enable you to manage the priority of requests that pass through the ISA Server. Rules are configured by specifying protocol definitions, users or IP addresses, destination sets, a schedule, content types, and a bandwidth priority. These elements should be preconfigured before creating the bandwidth rule. All the elements except the bandwidth priority serve to match the request to the rule. The bandwidth priority assigns a number between 1 and 200 to the inbound or outbound request. The percentage of bandwidth allotted to the request is proportional to its priority compared with the priorities of the other current requests. You can therefore use bandwidth rules to assign priority to requests from particular users, computers, and so on. To configure a bandwidth priority, see Step by Step 5.10. To configure a bandwidth rule, see Step by Step 5.11. Instructions for configuring the other policy elements that can be used are given in previous sections.
STEP BY STEP 5.10 Configuring Bandwidth Priorities

1. Navigate to the Bandwidth Priorities folder of the ISA Server console\Servers and Arrays\name\Policy Elements node.
2. Right-click the folder and select New Bandwidth Priority.
3. Name the bandwidth priority (see Figure 5.22).
4. Enter a description for the bandwidth priority.
5. Enter the Outbound and Inbound bandwidth priorities.
6. Click OK.

FIGURE 5.22 Configuring bandwidth priority.
If a number of bandwidth rules are present, they are processed in order, with the default bandwidth rule processed last. If a request matches a rule, that rule is applied; otherwise, processing continues with the next rule. The processing order matches the order shown in the interface and can therefore be changed by reordering the rules there. Note that this differs from protocol rules and site and content rules, which are not ordered. Step by Step 5.11 details how to configure the rules.
STEP BY STEP 5.11 Configuring Bandwidth Rules

1. Navigate to the Bandwidth Rules folder underneath ISA Server console\Servers and Arrays\name.
2. Right-click the Bandwidth Rules folder and select New Rule.
3. Name the rule.
4. Enter a description and click Next.
5. Choose whether to apply this rule to All IP Traffic, Selected Protocols, or All IP Traffic Except Selected Protocols.
6. If necessary, identify the selected protocols by clicking their check boxes. Click Next.
7. Select a schedule.
8. Select a Client Type. The client type can be "any request," a client address set, or users and groups. Click Next.
9. Select the destinations to which the rule applies. Destinations can be All Destinations, All Internal Destinations, All External Destinations, Specified Destination Set, or All Destinations Except the Selected Set.
10. If necessary, select the destination set. Click Next.
11. Select content groups. Content groups can be either All Content Groups or Selected Content Groups. Click Next.
12. Select the Bandwidth Priority (see Figure 5.23). Select either default (outbound and inbound priority are set to 100) or a custom priority.
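The ordered evaluation just described, and the proportional share that a bandwidth priority gives a request, can be checked with the following Python model. It is an added example, not the book's or ISA Server's code; the rules, users, content groups and priorities are constructed, and the share calculation implements the proportional rule exactly as this section states it.

```python
"""Added example (not from the book): ordered bandwidth rules (first match
wins, default rule last) and the proportional share of a bandwidth priority."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class BandwidthRule:
    name: str
    outbound: int                        # bandwidth priority, 1..200
    inbound: int
    protocols: Optional[set] = None      # None = all IP traffic
    clients: Optional[set] = None        # user names; None = any request
    content: Optional[set] = None        # content groups; None = all
    hours: range = range(0, 24)          # schedule: hours of the day

    def __post_init__(self):
        for p in (self.outbound, self.inbound):
            if not 1 <= p <= 200:
                raise ValueError(f"{self.name}: priority {p} is not in 1..200")


DEFAULT_RULE = BandwidthRule("Default rule", 100, 100)   # always evaluated last

# Constructed rule base, in the order shown in the console.
RULES = [
    BandwidthRule("Managers first", 200, 200, clients={"sue", "mary"}),
    BandwidthRule("Streaming audio low", 10, 10, content={"Audio"}),
    BandwidthRule("Web during work", 150, 150,
                  protocols={"HTTP", "HTTPS"}, hours=range(8, 18)),
]


def match_rule(rules, user, protocol, content, hour) -> BandwidthRule:
    """First matching rule wins; the default rule comes last and matches
    everything, so every request ends up with a priority."""
    for r in list(rules) + [DEFAULT_RULE]:
        if r.clients is not None and user not in r.clients:
            continue
        if r.protocols is not None and protocol not in r.protocols:
            continue
        if r.content is not None and content not in r.content:
            continue
        if hour not in r.hours:
            continue
        return r
    raise AssertionError("unreachable: the default rule matches everything")


def shares(priorities: dict) -> dict:
    """Percentage of the link each current request gets, proportional to
    its priority relative to the other current requests."""
    total = sum(priorities.values())
    return {k: round(100 * p / total, 1) for k, p in priorities.items()}


def demo():
    # Constructed concurrent requests: (user, protocol, content group, hour)
    requests = {
        "sue_audio": ("sue", "HTTP", "Audio", 10),
        "fred_audio": ("fred", "HTTP", "Audio", 10),
        "fred_web": ("fred", "HTTP", "Documents", 10),
        "fred_ftp_night": ("fred", "FTP", "Documents", 22),
    }
    matched = {k: match_rule(RULES, *v) for k, v in requests.items()}
    names = {k: r.name for k, r in matched.items()}
    return names, shares({k: r.outbound for k, r in matched.items()})


if __name__ == "__main__":
    names, pct = demo()
    for k in names:
        print(f"{k:15} {names[k]:20} {pct[k]:5.1f}%")
```

Sue's audio stream gets the managers' priority because that rule sits above the audio rule; move the audio rule up and the same request drops to priority 10. The percentages are the share each request would receive while all four are active at once.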
FIGURE 5.23 Selecting bandwidth priority.
LAT and Local Domain Tables
The LAT is configured during installation but may be modified afterward (Step by Step 5.12). The Local Domain Table is empty at install and is populated using Step by Step 5.13. If the entries that need to be modified are not in the LAT folder, the table can be rebuilt by right-clicking the LAT folder and selecting Construct LAT. The LAT must contain only internal address ranges: an entry that includes the external interface or other public addresses makes ISA Server treat those outside hosts as internal.
STEP BY STEP 5.12 Modifying the LAT

1. Navigate to the Local Address Table (LAT) folder underneath ISA Server console\Servers and Arrays\name\Network Configuration and double-click the entry you want to change (see Figure 5.24).
2. Change the From, To, or Description settings.
3. Click OK.

FIGURE 5.24 Modifying the LAT.
The Local Domain Table is used to identify computers on the inside of the firewall. Entering local domains in this table (Step by Step 5.13) prevents the ISA Server from using DNS lookup on external DNS servers to locate objects in these domains.
STEP BY STEP 5.13 Configuring the Local Domain Table

1. Right-click the ISA Server console\Servers and Arrays\name\Network Configuration\Local Domain Table (LDT) folder and select New LDT Entry (see Figure 5.25).
2. Enter the name of the domain or the name of the computer.
3. Click OK.

FIGURE 5.25 Adding an LDT entry.
Configuring Routing Rules Routing rules tell the ISA Server where to send approved requests. For example, a routing rule would indicate the destination for HTTP requests for an internal, published Web server. Writing the rules allows the specific destination set to be linked to the request (Step by Step 5.14).
STEP BY STEP 5.14 Configuring Routing Rules

1. Right-click the Internet Security and Acceleration Server\Servers and Arrays\name\Network Configuration\Routing folder.
2. Select New Rule.
3. Enter a name for the rule and click Next.
4. On the Destination Sets page, select a destination set and click Next.
5. On the Request Action page (see Figure 5.26), select how requests from clients should be processed and click Next:
• Retrieve them directly from the specified destination (go get it directly).
• Route to a specified upstream server (follow the chain).
• Redirect to a hosted site (the request results in the client being sent to another site).
• Use a dial-up entry (dial the server or ISP).
6. On the Cache Retrieval Configuration page (see Figure 5.27), select how the rule will search the cache, and click Next.
7. On the Cache Content Configuration page (see Figure 5.28), select whether the object should be stored in the cache, and click Next.
8. Review the configuration and click Finish.

FIGURE 5.26 Request action.
FIGURE 5.27 Cache retrieval.
FIGURE 5.28 Cache content.
Configuring ISA Server Chains Each routing rule can be configured to route requests to another ISA Server. Chaining can therefore be controlled and requests for local Web sites can be left for direct access. To configure the routing rule for chaining, follow Step by Step 5.14.
STEP BY STEP 5.14 Configuring an ISA Server Chain

1. Navigate to the ISA Server console root\Servers and Arrays\name\Network Configuration\Routing folder.
2. Select the folder and, in the Details pane, right-click the default routing rule and click Properties.
3. On the Action tab, select Routing Them to a Specified Upstream Server (see Figure 5.29).
4. For the Primary Route, click the Settings button.
5. In the Upstream Server Setting dialog box (see Figure 5.30), type the name of the upstream ISA Server or browse to it. (Proxy Server 2.0 can also be configured as part of a chaining hierarchy.)
6. Polling for array configuration is pointed to this server automatically. Change the array URL if necessary.
7. If the upstream server requires authentication, check the Use This Account box and click Set Account to select the account ISA Server will use to authenticate.
8. Choose Basic or Integrated Windows authentication. (Basic authentication sends the account credentials only base64-encoded, so prefer Integrated Windows authentication unless the link to the upstream server is otherwise protected.) Click OK.
9. Repeat for the Backup Route.

FIGURE 5.29 Creating a caching chain.
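The LAT, LDT and routing-rule decisions of Step by Step 5.12 through 5.14, including the primary/backup upstream route of the chain and the New York/San Francisco scenario from Figure 5.21, can be modelled as follows. This is an added Python example, not the book's or ISA Server's code; the LAT ranges, domain names, rule set, client addresses and upstream server names are constructed. It also includes the LAT sanity check a practitioner would want: flagging entries that cover the server's external address.

```python
"""Added example (not from the book): LAT / LDT classification and ordered
routing rules with a primary and a backup upstream route."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional, Tuple

# Constructed configuration for the New York ISA Server.
LAT = [("10.20.0.0", "10.20.255.255"), ("192.168.15.0", "192.168.15.255")]
LDT = ["nyc.example.com", "intranet"]
EXTERNAL_INTERFACE = "198.51.100.10"      # the server's public address


def lat_contains(lat, address: str) -> bool:
    """True when the address falls inside one of the LAT From-To ranges."""
    try:
        a = ip_address(address)
    except ValueError:                     # a host name, not an address
        return False
    return any(ip_address(lo) <= a <= ip_address(hi) for lo, hi in lat)


def lat_entries_covering_external(lat, external_address: str):
    """LAT entries that include the external interface: such entries make
    ISA Server treat outside hosts as internal and should be removed."""
    return [rng for rng in lat if lat_contains([rng], external_address)]


def is_local_name(ldt, host: str) -> bool:
    """Host is in the LDT itself or under one of its domains."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in (x.lower() for x in ldt))


@dataclass
class RoutingRule:
    name: str
    destinations: Optional[List[str]]   # domain suffixes; None = all destinations
    action: str                         # "direct", "upstream", "redirect", "dialup"
    primary: Optional[str] = None       # upstream server:port
    backup: Optional[str] = None


ROUTING_RULES = [                       # ordered; the default rule is last
    RoutingRule("New Jersey partner", ["newjerseybbq.com"], "direct"),
    RoutingRule("Default rule", None, "upstream",
                primary="isa-sf.example.com:8080",
                backup="isa-sf2.example.com:8080"),
]


def route(host: str, client_ip: str, rules=ROUTING_RULES,
          primary_up: bool = True) -> Tuple[str, str]:
    """Decide how the Web Proxy service handles a request from client_ip
    for host.  Returns (how, where)."""
    if not lat_contains(LAT, client_ip):
        return ("refused", "client address is not on the LAT")
    if is_local_name(LDT, host) or lat_contains(LAT, host):
        return ("internal", host)           # never sent up the chain
    for r in rules:
        if r.destinations is not None and not any(
                host == d or host.endswith("." + d) for d in r.destinations):
            continue
        if r.action == "upstream":
            return ("upstream", r.primary if primary_up else r.backup)
        return (r.action, host)
    return ("deny", "no routing rule matched")


def demo() -> dict:
    c = "10.20.1.5"                          # a LAT client in New York
    return {
        "new_jersey": route("www.newjerseybbq.com", c),
        "seattle": route("www.seattlesbestjellybeans.com", c),
        "seattle_backup": route("www.seattlesbestjellybeans.com", c,
                                primary_up=False),
        "intranet": route("portal.nyc.example.com", c),
        "lat_address": route("192.168.15.30", c),
        "outsider": route("www.example.com", "203.0.113.9"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:15} {v[0]:9} {v[1]}")
    print("bad LAT entries:", lat_entries_covering_external(
        LAT + [("198.51.100.0", "198.51.100.255")], EXTERNAL_INTERFACE))
```

The backup route is used only when the primary upstream server is unavailable, which the model represents with the primary_up flag; everything on the LAT or in the LDT is answered without consulting the chain at all.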
FIGURE 5.30 Selecting primary and backup routes.
10. Click OK.
TROUBLESHOOTING CLIENT ACCESS PROBLEMS
An ongoing chore in the management of any caching server/firewall is troubleshooting client access problems. It is not that the system or the policy is innately flawed. It is that demands for ever-increasing flexibility and for the use of a variety of access protocols, coupled with the complexity of the product, require you to keep providing new access routes and to determine why previously available access is no longer available. In other words, life was simple when all we could do was use HTTP or FTP to access the Web: access controls were simply configured, and troubleshooting amounted to checking whether you had access or not. That is not the status today. Client access problems can be roughly divided into six types:

• A protocol rule exists for a protocol definition, but clients cannot use it.
• Clients can't use a specific protocol.
• Clients cannot browse external Web sites.
• Clients receive a 502 error every time they attempt to browse the Web.
• Clients can still use a protocol after the rule for this protocol has been disabled.
• All other errors, including intermittent issues.
A Protocol Rule Exists for a Protocol Definition, but Clients Cannot Use It Application filters might have originally provided a definition for the protocol. If the application filter is disabled, the protocol definition is unavailable, however, a protocol rule may still exist that references it. The solution to this dilemma is to enable the application filter. You may have to re-create the protocol rule.
You might also create your own protocol definition for the protocol; however, in most cases this will not exactly replace the definition provided by the application filter. For example, the FTP access filter provides the following features that cannot be configured in a user-defined protocol definition:

• A read-only FTP protocol definition that can distinguish between read and write permissions, allowing more granular tuning of access permissions.
• Dynamic opening of ports for the secondary FTP connection.
• Protection of SecureNAT clients by performing the address translation required for the second connection.
Clients Can’t Use a Specific Protocol This is the default status when an ISA Server is first installed between clients and the Internet. If all clients cannot access the Internet, and the ISA Server has just been installed, then this is probably the reason why. To resolve the issue you must configure IP packet filters or rules to allow the use of particular protocols. If, on the other hand, only some clients are having difficulty with a particular protocol, you must suspect improperly configured site and content rules, or protocol rules, or perhaps that the clients are not supposed to be using that specific protocol.
Clients Cannot Browse External Web Sites If rules have been configured to allow client access to the Internet, and a client cannot do so, the first possibility to check is the configuration of the client browser. The browser must be pointed to the ISA Server computer or array and the proxy port must be set to 8080. ISA Server listens at port 8080 for client access requests. If this is an upgrade from Proxy 2.0, clients might be configured to use port 80.
To fix the situation, you have some choices. You can individually set each browser to look to the ISA Server at port 8080, or you can enable automatic discovery on the ISA Server and set or reset the client systems to discover the ISA Server. Figure 5.31 shows the ISA Server property page location for enabling automatic discovery. Client configuration is discussed in Chapter 14, “Installing and Configuring Client Options.”
Clients Receive a 502 Error Every Time They Attempt to Browse the Web Several possibilities for the 502 error message are possible. First, you may not have a site and content rule or protocol rule configured. Second, authentication may be required by the rule, but authentication methods have not been configured for listeners. There may also be a mismatch of authentication requirements, or the user may simply not be authorized to access the site. Double-check that authentication has been configured appropriately.
Clients Can Still Use a Protocol After the Rule for this Protocol Has Been Disabled If a rule is disabled, clients that are currently engaged in a session using the protocol this rule enabled will not be disconnected. To prevent the use of this protocol by these clients, you will need to disconnect them. To disconnect current sessions, follow the steps in Step by Step 5.15.
FIGURE 5.31 Enabling automatic discovery.
STEP BY STEP 5.15 Disconnecting Clients

1. Locate the Sessions folder of the ISA Management tree. It is in the ISA Server console root\Servers and Arrays\name\Monitoring folder.
2. Be sure that Advanced is selected on the View menu.
3. In the Details pane, right-click the session to disconnect.
4. Abort the session from the shortcut menu.
All Other Errors Including Intermittent Issues
You can successfully troubleshoot additional client access issues if you remember the four principles of troubleshooting and apply them to the Web access problem:

• Narrow the problem. When does it occur? To whom? What are they trying to do? What protocol is being used by whom, to go to which site, when? You may find that someone is attempting access that is not allowed.
• When you think you know the issue, look for a specific solution. (Is a rule provided for the protocol? If not, configure one if this type of access is approved.)
• Test one thing at a time and keep proper records. Don't take rash steps and make multitudinous modifications; you won't know what solved the problem, if you did solve it, and you may create additional problems to boot. More than one carelessly made change has opened up a security hole or knocked out a system.
• Above all, do no harm. If you have no idea what the problem is, do nothing, and get some help.
CHAPTER SUMMARY Security from the get-go is a two-edged sword. On the one hand, by installing in a “block-all” traffic mode, ISA Server assures that every installation starts from a known closed state. On the other hand, administrators must learn how to gradually open each specific path as required to fulfill their security policy. In my opinion this is a good thing. In this chapter, all the elements necessary to begin that process were discussed. Follow the exercises to take this knowledge from the theoretical to the practical.
KEY TERMS • The Allow Rule • Internet Control Message Protocol (ICMP) • Active caching • Web publishing rules • Server publishing rules • Policy elements • Schedule • Destination sets • Client address sets • Protocol definitions • Content groups • Dial-up entries • Site and content rules • Protocol rules • Local Domain Table (LDT) • Bandwidth rules • Bandwidth priorities • Encoded • Message digest • Digest authentication • Basic authentication • Windows Integrated Authentication
APPLY YOUR KNOWLEDGE
Exercises

5.1 Writing Site and Content Rules

In this chapter you learned that site and content rules can become quite granular by using predefined policy elements. In this exercise you will use your knowledge to create site and content rules. This experience, and that in Exercise 5.2, gives you some practical knowledge of what can be done and will serve you well in designing and implementing a broad strategy for your real-world ISA Server deployments. Where specific definitions are lacking, use information that will fit in your test network, and prepare additional policy elements if necessary. Remember, the end result should be something you can test.

Estimated Time: 30 minutes

1. Create Windows 2000 user groups so that part-time workers can be selected versus full-time workers.
2. Define two destination sets. One should specify all sites within the amazon.com domain. The other should include a range of IP addresses.
3. Define a schedule for part-time help. Part-time help works from 9 a.m. to 2 p.m.
4. Define a site and content rule that specifies that part-time workers may not access amazon.com ever.
5. Write a site and content rule that allows part-time workers access to the Internet during their working hours.

5.2 Writing Protocol Rules and Testing

In order to complete the access requirements, protocol rules must be written. To test the site and content rules created in Exercise 5.1, and to help you understand how site and content rules work in tandem with protocol rules, complete this exercise by writing protocol rules and then testing access to the Internet and to amazon.com.

Estimated Time: 30 minutes

1. Read the rest of the steps and determine whether you need to create additional policy elements or other items. Create these policy elements.
2. Write a protocol rule that allows HTTP traffic during the hours of 8:00 a.m. to 6:00 p.m. for all users.
3. Write a protocol rule that allows HTTP traffic 24 hours a day, 7 days a week for supervisors and managers.
4. Write a protocol rule that restricts access to HTTPS to the computers in the accounting department. All computers in the accounting department are in the range 192.168.15.25 to 192.168.15.50. (Change this address range if necessary to match addresses in your test network so you can test the rule.)
5. Test your rules by logging on as a member of the part-timers group and attempting to access amazon.com. Were you successful?
6. Test your rules by logging on as a member of the supervisors group, after hours, and attempting to use the Internet. Log on as a part-timer. Can you access the Internet?
7. Log on from a computer in the address range identified in Step 4 and attempt to use HTTPS. Were you successful? Log on from a computer not in that address range and attempt to use HTTPS. Were you successful?

Answers to Exercises
1. In Step 4 you will use a predefined schedule that defines all hours, 7 days a week, 24 hours a day. In Step 5, use the schedule you have created. Remember that Windows 2000 users and groups can be selected during site and content rule definition.
2. Step 2 requires a new schedule element that defines these hours. Step 3 requires new Windows 2000 user groups. Step 4 requires the creation of a client address set that includes this IP address range. Step 5 should not be successful. Step 6 should be successful for supervisors, but not for part-timers. Step 7 should be successful if the IP address of the computer you are using is within the IP address range specified earlier. It should not be successful if the IP address is outside of that range.
Review Questions
1. Dave has successfully set up several Standard edition ISA Servers at other company locations. In New York, he sets up an Enterprise edition ISA Server. To test it, he creates a protocol rule that allows the usage of all protocols outbound. He points a Windows 98 I.E. 5.0 browser to use the ISA Server as a proxy using the ISA Server’s IP address and port 8080. He cannot browse the Internet. Why? What should he do?
Mary and Peter are Users in the IRAS domain. They are not members of any other Windows 2000 security groups. The ISA Server site and content rules and associated policy elements displayed in Figures 5.32, 5.33, 5.34, and 5.35 can be used to answer the next three questions.
2. Why can’t Mary access mysoaps.com?
3. Can Peter use the amazon.com secure server to purchase books?
4. Will the public be able to access the company Web site?
5. Examine Figures 5.36 and 5.37. Why is Dave getting the error in Figure 5.38?
FIGURE 5.32 Question 2a.
176
Part II
CONFIGURING AND TROUBLESHOOTING ISA SERVER SERVICES
FIGURE 5.33 Question 2b.
FIGURE 5.34 Question 2c.
FIGURE 5.35 Question 2d.
FIGURE 5.36 Question 2d.
FIGURE 5.37 Question 2e.
FIGURE 5.38 Question 2f.
6. You are given the following information and access requirements.
Groups:
Administrators: Mary, Sue: can go everywhere; have access to any Web site, all protocols.
Users: Have access to all Web sites for HTTP and HTTPS.
Auditors: Can poke around on the ISA Server but not change anything.
Part-timers: John, Fred, Joe, and Bob (work 9 a.m. to 12 p.m.) only have access to HTTP and HTTPS while at work.
To enable the access indicated here you would:
Exam Questions
1. After installation, John writes a site and content rule that allows all users to access all sites. He then wants to configure caching so that requests are cached for others to use. He has no special needs for fetching Web pages before users request them, nor does he have any idea of what will make the system more efficient; he just wants to set up caching to make Web access more efficient. Which of the following must he do? Select all answers that apply.
A. Enable the cache.
B. Configure active caching.
C. Configure reverse caching.
D. Configure negative caching.
E. Do nothing.
2. Place the following rules in the order in which they will be considered.
1. A routing rule which forwards requests for X to site J.
2. An allow protocol rule for POP3.
3. A packet filter that blocks SMTP.
4. A site and content rule that allows all users to access peachweaver.com.
A. 2, 3, 4, 1
B. 2, 4, 3, 1
C. 4, 1, 3, 2
D. 1, 3, 4, 2
3. The Psalt Funnel Factory has branch offices in St. Louis, Columbia, and Jefferson City, MO, and Kansas City and Wichita, KS, and is headquartered in Kirksville, MO. They would like to manage Web access but prevent local Web site access from being channeled through remote sites. Which of the following strategies would best meet these needs?
A. Each location has its own ISA Server installed in caching mode.
B. Each location has its own ISA Server installed in caching mode. Each ISA Server is chained to another ISA Server in another location with the only direct Internet access being done in Kirksville, MO.
C. Each location has its own ISA Server installed in caching mode. Each ISA Server is placed in an array with the ISA Server in Kirksville, MO.
D. Each location has an array of ISA Servers, which is then hierarchically chained to another ISA Server array.
E. A hierarchical chain of ISA Servers is used, but local Web sites are accessed via the local ISA Server and requests for these sites are never forwarded to other ISA Servers.
Use Figures 5.39, 5.40, and 5.41 to answer the next two questions.
FIGURE 5.39 Questions 4 and 5.
FIGURE 5.41 Questions 4 and 5.
[Network diagram for Figures 5.39 and 5.41; labels: Internet; DNS; 208.43.67.12; “Peachweaver.com is at 208.43.67.12”; 192.168.5.6; 192.168.5.100; “Destination set = 192.168.5.100”]
4. Chip works in the Accounting department. When he visits the library, he can access MSNBC. From his office, he cannot. What is the reason for this?
A. The client address set included in the blocking rule includes computers in the Accounting department.
B. Chip is a member of a group that is blocked.
C. The MSNBC site is down.
D. No protocol rule has been written for HTTP.
E. A destination set, including MSNBC, is not included in the site and content rule for the Accounting area.
5. The CEO is on a trip and attempts to access the company Web site from his hotel room. He is unable to get to the site. What is the problem?
A. The site is down.
B. The publishing rule is configured incorrectly on the ISA Server.
C. The destination set used in the publishing rule includes the wrong IP address.
D. The packet filter does not allow HTTP traffic to cross the ISA Server.
FIGURE 5.40 Questions 4 and 5.
Answers to Review Questions
1. During the Enterprise edition installation, you can select to prohibit array-level allow rules. If so, the default site and content rule is not created. Therefore, Dave will have to write a site and content rule before he will be able to access the Internet. See the section, “Policy Settings.”
2. A site and content rule prevents access to this site. See the sections, “Policy Elements” and “Configure Site and Content Rules.”
3. A protocol rule only allows HTTPS usage by the “Financial” and “Marketing” groups. Peter is not a member of these groups. See the sections “Policy Elements” and “Configure Site and Content Rules.”
4. Yes, a publishing rule exists which publishes the Web site. See Chapter 6, “ISA Server Hosting Roles.”
5. A 403 error can be the result of authentication requirements on a site and content rule and no authentication configuration made for listeners. See the section, “Troubleshoot Client Access Problems.”
6. Create a schedule for the user group “part-timers” covering all hours except the hours 9 to noon Monday through Friday. Make sure there is a user group “Parttime” with those users as members. Create a site and content rule that blocks access and use this schedule. Create a rule that allows access to HTTP and HTTPS for the Users group. Create a group as recommended to modify access to properties of ISA Server. Give read access to the Auditors group. See the section “Configure Access Rules and Tools.”
Answers to Exam Questions
1. E. The cache is configured during installation and does not need to be enabled. While other types of caching can be configured, they don’t seem to be indicated in this case. See the section, “Caching.”
2. B. First protocol, then site and content, then packet filter, then routing. See the section, “Understand How Rules Are Evaluated.”
3. E. ISA Servers can be hierarchically chained while allowing each server in the chain to directly access any Web site. Local sites are good candidates for sites that will not be accessed via the normal hierarchy. See the section, “Configure Hierarchical Access.”
4. A. A client address set includes Accounting computers and is used in a blocking rule. Even though as a member of the Users group Chip is allowed access to HTTP, the blocking rule will override this. See the section, “Understanding How Rules Are Evaluated.”
5. C. Destination sets are destinations from the orientation of the request. For external requests, destinations are the internal systems. However, because the internal systems are not directly accessible to the outside world, the destination set for an internally published Web site cannot be the IP address of the Web server. See the section, “Creating Policy Elements.”
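The evaluation order these answers rely on, worked through in Python as an added example (this is not code from the book or from ISA Server): protocol rules are checked first, then site and content rules, and a matching deny rule wins at either stage. The policy it builds follows the exercise scenario and exam Question 4; every user, group, address and site name in it is constructed.

```python
"""Model of ISA Server 2000 outbound access policy evaluation (added example).

Encodes the order the chapter teaches: protocol rules first, then site and
content rules; a matching deny rule wins, and a request needs an allow rule
at each stage. The rules follow the exercise scenario (part-timers work 9 a.m.
to 2 p.m., may never reach amazon.com, HTTPS only for the accounting range
192.168.15.25-192.168.15.50) and exam Question 4 (a blocking rule tied to an
Accounting client address set). Names, groups and addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    client_ip: IPv4Address
    groups: FrozenSet[str]  # Windows 2000 groups of the authenticated user
    protocol: str           # "HTTP", "HTTPS", ...
    host: str               # destination host name
    hour: int               # local hour, 0-23


@dataclass(frozen=True)
class ClientAddressSet:
    low: IPv4Address
    high: IPv4Address

    def contains(self, ip: IPv4Address) -> bool:
        return self.low <= ip <= self.high


@dataclass(frozen=True)
class DestinationSet:
    domains: FrozenSet[str]  # "amazon.com" also covers www.amazon.com

    def contains(self, host: str) -> bool:
        return any(host == d or host.endswith("." + d) for d in self.domains)


@dataclass(frozen=True)
class Rule:
    name: str
    stage: str                                     # "protocol" or "site"
    action: str                                    # "allow" or "deny"
    protocols: Optional[FrozenSet[str]] = None     # None = all protocols
    destinations: Optional[DestinationSet] = None  # None = all destinations
    clients: Optional[ClientAddressSet] = None     # None = any request
    groups: Optional[FrozenSet[str]] = None        # None = any user
    hours: range = range(0, 24)                    # schedule element; 7/24

    def matches(self, req: Request) -> bool:
        if self.protocols is not None and req.protocol not in self.protocols:
            return False
        if self.destinations is not None and not self.destinations.contains(req.host):
            return False
        if self.clients is not None and not self.clients.contains(req.client_ip):
            return False
        if self.groups is not None and not (req.groups & self.groups):
            return False
        return req.hour in self.hours


def evaluate(rules: List[Rule], req: Request) -> Tuple[str, str]:
    """Return (verdict, reason) for an outbound request."""
    for stage in ("protocol", "site"):
        hits = [r for r in rules if r.stage == stage and r.matches(req)]
        denies = [r for r in hits if r.action == "deny"]
        if denies:  # a deny rule overrides any allow rule at the same stage
            return "deny", f"{stage} rule '{denies[0].name}' denies the request"
        if not any(r.action == "allow" for r in hits):
            return "deny", f"no {stage} rule allows the request"
    return "allow", "permitted by a protocol rule and a site and content rule"


ACCOUNTING = ClientAddressSet(IPv4Address("192.168.15.25"), IPv4Address("192.168.15.50"))
PART_TIME_HOURS = range(9, 14)  # 9:00 through 13:59: the 9 a.m. to 2 p.m. shift


def exercise_policy() -> List[Rule]:
    """Rules for the chapter exercises and exam Question 4."""
    return [
        Rule("Allow HTTP for everyone", "protocol", "allow", protocols=frozenset({"HTTP"})),
        Rule("HTTPS for accounting desks only", "protocol", "allow",
             protocols=frozenset({"HTTPS"}), clients=ACCOUNTING),
        Rule("Part-timers never reach amazon.com", "site", "deny",
             destinations=DestinationSet(frozenset({"amazon.com"})), groups=frozenset({"part-timers"})),
        Rule("Part-timers browse during their shift", "site", "allow",
             groups=frozenset({"part-timers"}), hours=PART_TIME_HOURS),
        Rule("Supervisors and Users browse any time", "site", "allow",
             groups=frozenset({"supervisors", "users"})),
        Rule("Block MSNBC from accounting desks", "site", "deny",
             destinations=DestinationSet(frozenset({"msnbc.com"})), clients=ACCOUNTING),
    ]


def decide(ip: str, groups, protocol: str, host: str, hour: int) -> str:
    """Verdict for one request against the exercise policy."""
    req = Request(IPv4Address(ip), frozenset(groups), protocol, host, hour)
    return evaluate(exercise_policy(), req)[0]
```

Calling decide() with a part-timer's request for www.amazon.com reproduces exercise Step 5 (denied), and a request for www.msnbc.com from 192.168.15.30 versus 10.1.1.5 reproduces exam Question 4.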
Suggested Readings and Resources
1. ISA Server Installation and Deployment Guide at http://www.microsoft.com/isaserver/techinfo/ISAdeploy.htm
2. ISA Server Help
• Create and Modify Policy Elements
• Configure Access Policy
CHAPTER 6
ISA Server Hosting Roles

OBJECTIVES
This chapter covers the following Microsoft-specified objectives for the Configure and Troubleshoot ISA Server Services section of the Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server 2000 exam:
Configure ISA Server Hosting Roles.
• Configure ISA Server for Web publishing
• Configure ISA Server for server proxy
• Configure ISA Server for server publishing
To best protect Web servers, mail servers, and other servers that must be reachable from the Internet, put them behind a firewall. The paradox is: how do I allow access through the firewall to these hosts without compromising security? Setting up hosting services on the ISA Server is one good way.

OUTLINE
Introduction 183
Configuring ISA Server for Web Publishing 184
Configuring Destination Sets 186
Configuring Listeners 186
Creating Web Publishing Rules 187
Enabling CARP 188
Configuring Server Certificates and Authentication Methods 189
Redirecting HTTP and SSL Requests 190
Configuring ISA Server for Server Proxy 193
DNS and Mail Proxy 194
The Mail Server Security Wizard 194
Content Filtering 195
Configuring ISA Server for Server Publishing 197
Creating Server Publishing Rules 197
Publishing Servers on a Perimeter Network 199
Chapter Summary 200
Apply Your Knowledge 201
Exercises 201
Review Questions 201
Exam Questions 201
Answers to Review Questions 203
Answers to Exam Questions 203

STUDY STRATEGIES
• Focus your attention on providing Internet-based access to a Web site while protecting it from attack and minimizing risk to other internal hosts. Then expand this knowledge to include other types of servers.
• After completing the exercises, back out and see if you can figure out another way to provide access to the site. Which way affords more protection? Is there any reason to do it any other way?
• The steps to implement hosting are not difficult. Don’t be lulled into thinking that’s all there is to it. You need to understand why you are doing it this way—and how to figure out what information goes where.
Chapter 6
INTRODUCTION
I can remember when Web servers were not placed behind the corporate firewall. The rationale was that to do so would compromise the security of the internal network. Companies risked site attacks and possible downtime rather than create potential chinks in their firewall armor. The Internet was a simpler beast then, and few were fielding Business to Business (B2B) or Business to Consumer (B2C) sites. Things have changed. Now, no Web master worth her salt would dream of leaving her baby bare and exposed. The challenge then becomes, how do I protect the Web site, or other exposed servers, allow access to it, and yet not allow hackers entrance into my internal network? There are four potential answers:
• First, a Web server sits on the internal network behind the firewall. The firewall is configured to “host” the Web site, or act as the decontamination chamber, so to speak, for all communications between the Web server and the rest of the world.
• Second, a separate arrangement, where the Web server sits behind a firewall but is not connected to anyone’s private network. The hosting methodology explained in this chapter will be as useful in this scenario as it is in the first.
• Third, while the Web server sits on the internal network behind the firewall, instead of hosting, appropriate ports are opened on the firewall to allow traffic to flow to the Web site.
• Finally, a separate perimeter or demilitarized zone (DMZ) is created to act as the network for all Internet accessible hosts. A three-pronged approach (the firewall has three NIC cards) or a separate, internal firewall is used to protect the internal network. This approach, and the one mentioned previously, are covered in more detail in Chapter 10, “Firewall Configuration.”
ISA SERVER HOSTING ROLES
183
In many cases the best approach will be to host the server using ISA hosting services. To learn how to do so, see the following sections of this chapter:
• Configuring ISA Server for Web Publishing
• Configuring ISA Server for Server Proxy
• Configuring ISA Server for Server Publishing
CONFIGURING ISA SERVER FOR WEB PUBLISHING
Configure ISA Server for Web publishing.
Most security experts would agree: To protect a public Web server, place it behind the firewall, and allow access in the most secure manner to prevent unauthorized and malicious access. ISA Server offers two ways to do this: Either configure packet filters and protocol rules, which allow access to the Web server by permitting Web protocols through the firewall and directing them to the Web server, or configure Web publishing rules on the firewall. To configure packet filters and protocol rules to allow access to an internal Web server, see Chapter 10. However, to follow a more secure process, configure Web publishing rules. To allow access to the internal server via Web publishing, perform the actions listed in Table 6.1.
TABLE 6.1
CONFIGURE WEB PUBLISHING

Action: Configure Web site domain resolution.
Instructions: Ensure that the public Web server name is registered in DNS with the address of the ISA Server that will perform the Web hosting.
Mandatory? Yes

Action: Configure destination sets to identify the ISA Servers that will be configured for publishing.
Instructions: The destination set includes the external IP addresses or names of the ISA Servers that will route the request to the internal Web server. Figure 6.1 illustrates this configuration. You can choose to use more general terms instead of explicitly identifying the firewall.
Mandatory? No

Action: Configure a listener on the external interface of the firewall.
Instructions: See Step by Step 6.1.
Mandatory? Yes

Action: Configure client access types to restrict access.
Instructions: Client types include ranges of IP addresses and specific user accounts.
Mandatory? No

Action: Create a Web publishing rule.
Instructions: Follow Step by Step 6.2.
Mandatory? Yes
FIGURE 6.1 Identifying the destination set.
[Network diagram; labels: “Where is www.peachweaver.com?”; Web Server; ISA Server; Internet; DNS; 206.66.66.71; 208.43.67.12; 192.168.2.10; “Peachweaver.com is at 208.43.67.12”; “Destination set = ‘208.43.67.12’”]
Configuring Destination Sets
EXAM TIP: The Destination Is Not the Web Server! When configuring destination sets for Web publishing rules, it is important to understand that you are identifying the destination of the request from the perspective of the client. In this case, the client is on the public network; therefore, the destination is the external address of the ISA Server(s), which will reroute the request. A common mistake is to configure destination sets with the internal Web server addresses. This will not work.
When the Web publishing rule is created, you use the defined destination sets, client address sets, and rule actions to set its parameters, conditions, and actions. Destination sets indicate that a request for Web services received at these IP addresses meets that condition in the rule. Client address sets are composed of the addresses of clients who may be allowed to make requests for Web objects. Rule actions define what happens if these conditions are met. Possibilities include:
• The request is discarded (configure this to explicitly prevent all access to internal Web servers, or, more likely, to explicitly deny access to the clients identified in client address sets).
• The request is redirected to an internal server.
• The requested object is retrieved from the server cache.
Configuring Listeners
Listeners are the specifications that allow ISA Server to link ports on a particular external interface with the internal Web server. The “listener” identifies which network interface (IP address) is the active location identified as the source for Web access to the external world.
STEP BY STEP 6.1 Configuring a Listener for the Web Site
1. Open the Property page for the ISA Server by right-clicking on the Server in the Management console and selecting Properties.
2. Select the Incoming Web Requests tab (see Figure 6.2).
3. If desired, click the radio button Configure Listeners Individually per IP Address.
4. Click Add.
5. Choose the server from the Server drop-down box.
FIGURE 6.2 Identifying the Web listener.
6. Choose the external IP address to listen on from the IP Address drop-down box.
7. Enter a friendly name for a display name.
8. Configure to use server certificates (optional).
9. Configure Authentication (optional).
10. Click OK.
11. Review your choices and click OK.
12. Select whether to save changes and restart the service, or save changes but not restart the service (see Figure 6.3). Changes will not take place until the service is restarted.
13. Click OK.
FIGURE 6.3 Saving changes.
Creating Web Publishing Rules
After the elements (listeners, destinations, and Web servers) are present, a Web publishing rule can be created to specify what action will be taken if a request is made. The rule identifies the clients that can access the site, the destination for the request (the IP address of the external interface where the “listener” sits), and the action to take.
STEP BY STEP 6.2 Configuring Web Publishing Rules
1. Navigate in the ISA Management console to Servers and Arrays\name\Publishing\Web Publishing Rules.
2. Note that the default Web publishing rule discards all requests.
3. Right-click on the Web Publishing Rules folder and select New Rule.
continues
continued
4. Enter a name for the rule and click Next.
5. Select a preconfigured destination set or leave the default All Destinations in place. Click Next.
6. Specify the client type. Client type can be used to selectively allow Web site access by business partners, telecommuters, or traveling employees. The choices are
• Any request
• Specific computers (client address sets)
• Specific users and groups
7. Click Next.
8. Indicate the rule action (see Figure 6.4).
9. Click Next.
10. Review the configuration and click Finish.
FIGURE 6.4 Selecting a rule action.
Enabling CARP
Cache Array Routing Protocol (CARP) can be enabled for outgoing and incoming Web requests. Outgoing Web requests are cached by CARP by default. You can, however, configure CARP to cache incoming Web requests. This process allows more efficient handling of frequent requests and removes the strain from busy Web servers. You saw this feature for a single server when configuring the cache retrieval configuration step of the routing rule for the Web publishing steps in Step by Step 6.2. In arrays, you want CARP configured to act the same way. To enable incoming CARP, open the Property pages for the array and on the Incoming Web Requests page, check the box labeled Resolve Requests Within Array Before Routing. Members of the array can be configured to have different loads so that requests can be spread more heavily on servers with more disk resources, for example. For more information on configuring CARP see Chapter 11, “Manage ISA Server in the Enterprise.”
Configuring Server Certificates and Authentication Methods
To secure access to internal Web servers, authentication methods can be configured. Authentication methods include:
• Requiring server authentication via server certificates
• Basic authentication
• Digest authentication
• Windows Integrated Authentication
The last three types of authentication are client authentication and were defined in Chapter 5, “Outbound Internet Access.” Authentication of outbound access can restrict, control, and make auditable employee access to the Internet. Authentication of inbound access establishes credentials for users who want to access internal resources. These users might be employees who are traveling or who work from home, business partners who require access to internal servers, and customers who must establish identity before accessing specific data on internal Web sites. Server authentication, on the other hand, can be used by the ISA Server to identify itself as the internal Web server. Clients seeking secure access to internal Web sites will request server authentication via Secure Sockets Layer (SSL) certificates. To prove its identity, the ISA Server must be able to fulfill this request. To configure the ISA Server to use certificates for Web requests, follow Step by Step 6.3.
STEP BY STEP 6.3 Configuring Server Certificates
1. In the ISA Server Management console, right-click the array or server and click Properties.
2. Select the Incoming Web Requests tab.
3. Select the listener that requires a certificate.
4. Click Edit to display the listener properties.
continues
NOTE: Certificates
Certificates are encrypted digital identification. They provide the capability to perform secure communications between two computers. SSL certificates are used primarily by Web servers to prove their identity to clients. Because the ISA Server often sits between the Web server and the client, it must be able to perform server authentication using SSL and participate in a secured (encrypted) communication with the requesting client.
continued
5. In the Add/Edit Listeners dialog box, check Use a Server Certificate to Authenticate to Web Clients.
6. Click Select.
7. Select the server certificate to use. (Server certificates must be previously installed on the server in the server certificate store. For instructions on how to do so, ask the party from whom the certificate is received. In many cases, it may be a simple button click after the certificate is received. In others, it requires using the Certificates snap-in.)
8. Click OK twice.
9. Select Save the Changes and Restart the Service(s). Click OK.
Redirecting HTTP and SSL Requests
When the ISA Server serves as the endpoint for the external client connection, you might need to configure SSL so the server can authenticate to the client. You must also configure what will happen to the client communication once it is received. This is done by configuring a routing rule. Routing rules determine where incoming and outgoing requests are redirected. Step by Step 6.4 explains how to configure a rule to redirect HTTP and/or SSL requests.
STEP BY STEP 6.4 Redirecting Incoming Web Requests
1. Navigate to Internet Security and Acceleration Server\Servers and Arrays\name\Network Configuration\Routing.
2. Create a new rule or modify an existing rule.
3. If creating a new rule, use the New Routing Rule Wizard\Request Action page to indicate the internal server, HTTP port, and SSL port to direct the request to (see Figure 6.5). Edited rules display these choices on the Action page.
FIGURE 6.5 Redirecting HTTP and SSL requests.
4. If creating a new rule, use the New Routing Rule Wizard\Cache Retrieval Configuration page to select the conditions under which requests will be routed to the Web server (see Figure 6.6). Edited rules display these choices on the Cache tab.
5. If creating a new rule, use the New Routing Rule Wizard\Cache Content Configuration page to indicate the conditions under which caching will occur. Edited rules display these choices on the Cache tab.
6. Click Finish.
7. Double-click the rule to open its property pages.
8. Select the Bridging tab (see Figure 6.7).
9. By default, both Redirect HTTP Requests as HTTP Requests and Redirect SSL Requests as SSL Requests are selected. Additional choices can be made. Table 6.2 explains the ramifications.
10. Click OK to close the Properties page.
FIGURE 6.6 Select when to request the object from the Web server.
TABLE 6.2
SSL BRIDGING CHOICES

Redirection: Redirect HTTP requests as:
Choice: HTTP requests
Description: No mystery here.

Redirection: Redirect HTTP requests as:
Choice: SSL requests
Description: Use this choice to secure HTTP communications between the ISA Server and the internal Web server (see Figure 6.8).

Redirection: Redirect SSL requests as:
Choice: HTTP requests
Description: The SSL secure channel ends at the ISA Server. Communications between the ISA Server and the Web server would be unencrypted (see Figure 6.9).

Redirection: Redirect SSL requests as:
Choice: SSL requests
Description: While the SSL channel terminates at the ISA Server (the client conversation is secured between itself and the ISA Server), this option requires that a new SSL channel be established between the ISA Server and the Web server (see Figure 6.10).

Choice: Require secure channel (SSL)
Description: No conversation will take place if SSL cannot be established.

Choice: Require 128-bit encryption
Description: The ISA Server must have the high encryption pack for Windows 2000 installed in order to use this feature.

Choice: Use a certificate to authenticate to the SSL Web Server
Description: If an SSL channel is required between the ISA Server and the Web server, check this box and identify the certificate to be used.

FIGURE 6.7 Specifying bridging requirements.
FIGURE 6.8 Redirect HTTP as SSL. [Diagram: Internet to ISA Server over HTTP; ISA Server to Web Server over SSL; labelled “Redirect HTTP Requests as SSL”]
FIGURE 6.9 Redirect SSL Requests as HTTP. [Diagram: Internet to ISA Server over SSL; ISA Server to Web Server over HTTP; labelled “Redirect SSL as HTTP”]
FIGURE 6.10 Redirect SSL as SSL. [Diagram: Internet to ISA Server over SSL; ISA Server to Web Server over SSL; labelled “Redirect SSL Requests as SSL”]
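The Web publishing pieces of this section (listener, destination set, client address set, rule action) and the bridging choices of Table 6.2, modelled in Python as an added example that is not code from the book or from ISA Server. It also reproduces the exam tip above: a destination set that names the internal Web server never matches an external request, so the default rule discards it. The ISA and Web server addresses follow Figure 6.1; the external client address and host names are constructed.

```python
"""Model of ISA Server Web publishing and SSL bridging (added example).

A request arriving at a listener on the external interface is matched, in order,
against Web publishing rules (destination set and client address set are the
condition, the rule supplies the action); a redirected request is then bridged to
the internal Web server according to the routing rule's Bridging tab choices of
Table 6.2. Addresses follow Figure 6.1 (external ISA address 208.43.67.12,
internal Web server 192.168.2.10); everything else is constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    client_ip: IPv4Address
    destination: str  # name or address the external client connected to
    scheme: str       # "http" or "https" as received by the listener
    path: str


@dataclass(frozen=True)
class Listener:
    external_ip: IPv4Address
    has_server_certificate: bool  # needed to terminate SSL for the client


@dataclass(frozen=True)
class ClientAddressSet:
    low: IPv4Address
    high: IPv4Address

    def contains(self, ip: IPv4Address) -> bool:
        return self.low <= ip <= self.high


@dataclass(frozen=True)
class WebPublishingRule:
    name: str
    destinations: FrozenSet[str]                # external ISA names/addresses
    action: str                                 # "discard" or "redirect"
    internal_server: str = ""                   # target for "redirect"
    clients: Optional[ClientAddressSet] = None  # None = any request

    def matches(self, req: Request) -> bool:
        if req.destination not in self.destinations:
            return False
        return self.clients is None or self.clients.contains(req.client_ip)


@dataclass(frozen=True)
class Bridging:
    """Routing rule Bridging tab choices (Table 6.2)."""
    http_as: str = "http"      # redirect HTTP requests as "http" or "https" (SSL)
    ssl_as: str = "https"      # redirect SSL requests as "http" or "https" (SSL)
    require_ssl: bool = False  # Require secure channel (SSL)
    http_port: int = 80
    ssl_port: int = 443


def publish(listener: Listener, rules: List[WebPublishingRule],
            bridging: Bridging, req: Request) -> Tuple[str, str]:
    """Return (outcome, detail); outcome is "refused", "discard" or "redirect"."""
    if req.scheme == "https" and not listener.has_server_certificate:
        return "refused", "listener has no server certificate to present"
    rule = next((r for r in rules if r.matches(req)), None)
    if rule is None:  # the default Web publishing rule discards all requests
        return "discard", "no rule matched; default rule discards the request"
    if rule.action == "discard":
        return "discard", f"rule '{rule.name}' discards the request"
    if bridging.require_ssl and req.scheme != "https":
        return "refused", "secure channel (SSL) required but the request is HTTP"
    target = bridging.http_as if req.scheme == "http" else bridging.ssl_as
    port = bridging.ssl_port if target == "https" else bridging.http_port
    return "redirect", f"{target}://{rule.internal_server}:{port}{req.path}"


# Constructed scenario following Figure 6.1
LISTENER = Listener(IPv4Address("208.43.67.12"), has_server_certificate=True)
GOOD_RULE = WebPublishingRule("Publish peachweaver", frozenset({"208.43.67.12", "www.peachweaver.com"}),
                              "redirect", internal_server="192.168.2.10")
# The mistake the exam tip warns about: the destination set names the internal server
WRONG_RULE = WebPublishingRule("Mistaken destination", frozenset({"192.168.2.10"}),
                               "redirect", internal_server="192.168.2.10")


def demo(rule: WebPublishingRule, scheme: str, bridging: Bridging = Bridging()) -> Tuple[str, str]:
    """Publish one external request for www.peachweaver.com through the given rule."""
    req = Request(IPv4Address("206.66.66.71"), "www.peachweaver.com", scheme, "/index.html")
    return publish(LISTENER, [rule], bridging, req)
```

demo(GOOD_RULE, "https", Bridging(ssl_as="http")) shows the Figure 6.9 case, where the client's SSL channel ends at the ISA Server and the hop to 192.168.2.10 is plain HTTP.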
CONFIGURING ISA SERVER FOR SERVER PROXY
Configure ISA Server for server proxy.
ISA Server can act as a mail server proxy if configured to “publish” the mail server. The mail server can reside on the proxy server, although this is not recommended. Mail clients that use the following protocols can be accommodated:
• Post Office Protocol 3 (POP3)
• Internet Message Access Protocol 4 (IMAP4)
• Messaging Application Programming Interface (MAPI)
• Network News Transfer Protocol (NNTP)
• Secure NNTP
It is easiest to complete this configuration by using the Mail Server Security Wizard.
EXAM TIP: What’s Special About Mail Servers That Reside on the ISA Server? If the mail server resides on the ISA Server computer, packet filters, not protocol rules, are configured.
DNS and Mail Proxy
So that clients can resolve the mail server name to the ISA Server computer, a DNS entry for the mail server should be made that points to the ISA Server. MAPI clients, HTTP clients, POP3, and IMAP4 clients can then resolve the address of the ISA Server.
The Mail Server Security Wizard
The Mail Server Security Wizard enables you to easily configure the ISA Server to proxy requests for e-mail server access. As a result, it creates server publishing rules and protocol rules. These rules, which can be identified by the “Mail Wizard Rule” prefix, can be found in the Publishing\Server Publishing Rules folder. To configure mail proxy, see Step by Step 6.5.
STEP BY STEP 6.5 Configuring Mail Proxies
1. Right-click on Publishing\Server Publishing Rules and select Secure Mail Server. Click Next.
2. On the Mail Server Security Wizard\Mail Services Selection page, check the protocols to publish and indicate if default and/or SSL authentication is required (see Figure 6.11). Click Next.
3. On the Mail Server Security Wizard\ISA Server’s External IP Address page, enter the ISA Server’s IP address and click Next.
4. On the Mail Server Security Wizard\Internal Mail Server page, enter the IP address of the mail server or select On the Local Host if the mail server is located on the ISA Server. Click Next.
5. Review the configuration, and then click Finish.
Content Filtering
An SMTP filter, when properly configured, allows content filtering. To filter all incoming mail, you must install the SMTP filter, enable and configure it, then select this feature when running the Mail Server Security Wizard.
If the message screener is installed, the SMTP filter can also filter messages by looking for configured keywords, size, name, or type of content. To install the message screener component, you must first install the SMTP service on the ISA Server computer. You can do so by using Control Panel\Add/Remove Programs. The SMTP service running on the ISA Server acts as a virtual server. It can be used to filter content received on port 25 on the external interface of the ISA Server, and then relay the mail to the internally published SMTP mail server. Setting up the message screener requires four steps:
• Install the SMTP service on the ISA Server. Use Add/Remove Programs.
• Install the message screener component. Use the ISA Server installation program.
• Publish an internal SMTP mail server to the ISA Server. See the section, “The Mail Server Security Wizard,” earlier in this chapter.
• Configure the SMTP service and the SMTP filter. See Step by Step 6.6.
FIGURE 6.11 Choosing supported protocols.
The SMTP filter intercepts SMTP traffic on port 25 and determines, based on your configuration, whether the traffic should be passed on, generate an alert, and so on. The filter can filter by recipient; it compares the recipient to a list of users whose communications will be rejected. In addition, the SMTP filter can check for buffer overrun attacks.
NOTE: SMTP Buffer Overrun Attacks
These are created by issuing an SMTP command with a parameter that exceeds the size of the value that is normally entered for that parameter. If the programmer of the code did not code in checks to handle this type of problem, the application can crash and potentially leave the system vulnerable to damage or other types of compromise. The SMTP filter attempts to deal with this problem by checking the size of parameter values before the command is actually run.
STEP BY STEP 6.6 Configuring the SMTP Service and Filter
1. Run the ISA Mail Server Security Wizard and specify the use of Incoming SMTP mail and Outgoing SMTP mail.
2. When running the ISA Mail Server Security Wizard, select Apply Content Filtering.
3. On the ISA Server, use the IIS console to open the IIS Default SMTP virtual server properties page, and:
• On the Access tab, click Relay and select All Except the List Below (see Figure 6.12). This prevents mail spammers from using the virtual SMTP service as a relay.
• On the Delivery tab, click Advanced, and enter the real name of the mail server in the Smart Host box (see Figure 6.13). This directs mail accepted by the virtual server on to the real mail server.
4. Install the ISA Server Message Screener.
5. If the ISA Server computer is a standalone installation on a standalone Windows 2000 Server, or the Message Screener is installed on a computer that is not a member of the same AD forest as the ISA computer, you must:
• Run the SMTPCred.exe utility from the ISA Server installation CD-ROM\i386 folder and enter the name of the ISA Server, the time for information retrieval, and valid user credentials for the ISA Server.
• Configure Distributed Component Object Model (DCOM) on the ISA Server computer to allow the Message Screener to access the ISA Server. Information on configuring DCOM can be found on the ISA Server installation disk.
6. Configure the SMTP filter with the list of users and domains to reject (see Figure 6.14).
FIGURE 6.12 Preventing relay.
FIGURE 6.13 Identifying the real mail server.
7. Configure the SMTP filter to check for attachments (see Figure 6.15) and keywords, size, name, or type of content to hold, delete, or forward to the administrator.
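The checks that Step by Step 6.6 and the note above configure, modelled in Python as an added example (not code from the book or from ISA Server): a per-command parameter size limit for the buffer overrun check, a rejected user and domain list applied to RCPT TO, and Message Screener rules on keywords and attachment names. The limits, rejection lists and the sample SMTP session are all constructed for the demonstration and are not ISA Server defaults.

```python
"""Model of the ISA Server SMTP filter and Message Screener checks (added example).

Applies the checks that Step by Step 6.6 configures: a per-command parameter size
limit (the buffer overrun check), a rejected user and domain list, and Message
Screener rules for keywords and attachment names. Limits, lists and the sample
session are constructed for illustration; they are not ISA Server defaults.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed per-command parameter limits (ISA lets the administrator set
# these on the SMTP filter; the values here are only examples)
MAX_PARAM_LEN: Dict[str, int] = {
    "HELO": 64, "EHLO": 64, "MAIL": 256, "RCPT": 256,
    "DATA": 0, "RSET": 0, "NOOP": 0, "QUIT": 0,
}
ADDRESS = re.compile(r"<([^>]+)>")


@dataclass
class SmtpFilterConfig:
    rejected_users: Set[str] = field(default_factory=set)     # full addresses
    rejected_domains: Set[str] = field(default_factory=set)
    keywords: Set[str] = field(default_factory=set)           # Message Screener
    blocked_extensions: Set[str] = field(default_factory=set)


def check_command(line: str) -> Tuple[bool, str]:
    """Buffer overrun check: reject unknown verbs and oversized parameters."""
    verb, _, param = line.strip().partition(" ")
    verb = verb.upper()
    if verb not in MAX_PARAM_LEN:
        return False, f"unknown command {verb!r}"
    if len(param) > MAX_PARAM_LEN[verb]:
        return False, f"{verb} parameter is {len(param)} bytes, limit {MAX_PARAM_LEN[verb]}"
    return True, "ok"


def recipient_rejected(cfg: SmtpFilterConfig, rcpt_param: str) -> bool:
    """Compare the RCPT TO address and its domain against the rejection lists."""
    m = ADDRESS.search(rcpt_param)
    addr = (m.group(1) if m else rcpt_param.partition(":")[2]).strip().lower()
    domain = addr.rpartition("@")[2]
    return addr in cfg.rejected_users or domain in cfg.rejected_domains


def filter_session(cfg: SmtpFilterConfig, commands: List[str]) -> List[str]:
    """Verdict per command line: 'accept' or 'reject (reason)'."""
    verdicts = []
    for line in commands:
        ok, why = check_command(line)
        if not ok:
            verdicts.append(f"reject ({why})")
            continue
        verb, _, param = line.strip().partition(" ")
        if verb.upper() == "RCPT" and recipient_rejected(cfg, param):
            verdicts.append("reject (recipient on rejection list)")
            continue
        verdicts.append("accept")
    return verdicts


def screen_message(cfg: SmtpFilterConfig, subject: str, body: str,
                   attachments: List[str]) -> Tuple[str, List[str]]:
    """Message Screener: ('hold', reasons) for the administrator, or ('deliver', [])."""
    text = f"{subject}\n{body}".lower()
    reasons = [f"keyword '{k}'" for k in sorted(cfg.keywords) if k.lower() in text]
    for name in attachments:
        if name.rpartition(".")[2].lower() in cfg.blocked_extensions:
            reasons.append(f"attachment '{name}'")
    return ("hold" if reasons else "deliver"), reasons


# Constructed configuration and SMTP session used for the demonstration
CONFIG = SmtpFilterConfig(
    rejected_users={"former.employee@peachweaver.com"},
    rejected_domains={"spam.example"},
    keywords={"confidential"},
    blocked_extensions={"exe", "vbs"},
)
SESSION = [
    "HELO mail.example.net",
    "MAIL FROM:<alice@example.net>",
    "RCPT TO:<bob@peachweaver.com>",
    "RCPT TO:<former.employee@peachweaver.com>",
    "RCPT TO:<list@spam.example>",
    "HELO " + "A" * 200,  # oversized parameter: the pattern the filter screens
    "DATA",
]

if __name__ == "__main__":
    for cmd, verdict in zip(SESSION, filter_session(CONFIG, SESSION)):
        print(f"{cmd[:40]:40} -> {verdict}")
```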
CONFIGURING ISA SERVER FOR SERVER PUBLISHING
Configure ISA Server for server publishing.
Besides publishing internal mail servers and Web servers, ISA Server can redirect requests for specific services to internal servers. You configure server publishing rules to do so. Although packet filters could also be used to provide access to internal server services from the public network, publishing rules are considered to be more secure because their application filters can be more specific. However, sometimes IP packet filters must be used, for example, when you are publishing servers that are on a perimeter or DMZ network, or when publishing services that exist on the ISA Server.
FIGURE 6.14 Rejecting users.
Creating Server Publishing Rules
Running the publishing wizard creates server publishing rules. Your options are described in Step by Step 6.7.

STEP BY STEP 6.7 Configuring Server Publishing Rules
1. Right-click Publishing\Server Publishing Rules and select New Rule.
2. Enter a name for the rule and click Next.
3. On the New Server Publishing Rule Wizard\Address Mapping page, enter the IP address of the internal server and the IP address of the ISA Server and click Next (see Figure 6.16).

FIGURE 6.15 Rejecting attachments.
Part II
CONFIGURING AND TROUBLESHOOTING ISA SERVER SERVICES
4. On the New Server Publishing Rule Wizard\Protocol Settings page, choose the protocol to be published and click Next (see Figure 6.17). Available protocols are
• Exchange RPC Server
• Any RPC Server
• FTP Server
• RTSP Server
• PNM – RealNetworks Server
• MMS – Windows Media Server
• DNS Query Server
• DNS Zone Transfer
• HTTPS Server
• IMAP4 Server
• IMAPS Server
• Microsoft SQL Server
• NNTP Server
• NNTPS Server
• POP3 Server
• POP3S Server
• SMTP Server
• SMTPS Server
• Telnet Server
5. On the New Server Publishing Rule Wizard\Client Type page, select all requests or client address sets and click Next.
6. If client address sets were selected, select Client Address Sets or Defining New Ones and click Next.
7. Review configuration and click Finish.

FIGURE 6.16 Identifying the server address mapping.
FIGURE 6.17 Selecting a protocol to map.
Publishing Servers on a Perimeter Network
Packet filters must be configured to publish servers that exist on a perimeter network. To do so, follow Step by Step 6.8.

STEP BY STEP 6.8 Publishing Perimeter Network Servers
1. Open the \Internet Security and Acceleration Server\Servers and Arrays\Name\Access Policy\ folder.
2. Right-click the Packet Filters folder and select New Filter.
3. After giving the filter an appropriate name, click OK. On the New IP Packet Filter Wizard\Filter Mode page, select Allow Packet Transmission, and click Next.
4. On the New IP Packet Filter Wizard\Filter Type page, select a filter from the drop-down box, or choose Custom. Predefined filter types include:
• DNS lookup
• ICMP all outbound
• ICMP ping response
• ICMP ping query
• ICMP source quench
• ICMP timeout
• ICMP unreachable
• PPTP call
• PPTP receive
• SMTP
• POP3
• Identd
• HTTP server (port 80)
• HTTPS server (port 443)
• NetBIOS (WINS client only)
• NetBIOS (all)
5. On the New IP Packet Filter Wizard\Local Computer page, identify the IP address for the perimeter computer.
6. On the New IP Packet Filter Wizard\Remote Computer page, list any specific external computers the rule should apply to.
7. Review configuration settings and click Finish.
CHAPTER SUMMARY
Protecting servers that must be accessed from the Internet is a job well-suited to the publishing capabilities of ISA Server. Instead of configuring packet filters and worrying that additional exposure has occurred, administrators can set up secure Web hosting access, which hides the identity of the server and provides an auditable list of those who access the server.

KEY TERMS
• Demilitarized zone (DMZ)
• Three-pronged approach
• Listener
• Certificates
• Bridging
• Post Office Protocol 3 (POP3)
• Internet Message Access Protocol 4 (IMAP4)
• Messaging Application Programming Interface (MAPI)
• Network News Transfer Protocol (NNTP)
APPLY YOUR KNOWLEDGE

Exercises

6.1 Publishing a Web Site or Server
This is really easy to do. Knowing how to do it will help you troubleshoot problems when you run into the setups that others have done. Attempting the more detailed configurations is instructive as well.
Estimated Time: 30 minutes
1. Prepare a Web server. This doesn’t have to be fancy, just a single page that says anything, sitting on a separate system from the ISA Server.
2. Place the Web server behind the ISA Proxy server on the same network as the internal network card of the ISA Server.
3. Configure Web hosting for the internal server.
4. From a system on the external network, use your browser to access the published Web site.
5. Repeat the process, but this time publish an internal FTP server.

Review Questions
1. Describe why you would use client address sets and how they would be configured.
2. What filters are available for filtering mail? Can these be extended?
3. Can you restrict access to an internal media server?
4. When configuring server publishing on a perimeter network use the _____________.

Exam Questions
1. Examine Figure 6.18. In this scenario, you want to publish the internal Web server. Enter addresses in the destination set; in the client address set
A. Destination set: 208.43.67.12; client set: 206.66.66.71
B. Destination set: 192.168.2.10; client set: 206.66.66.71
C. Destination set: 208.43.67.12; client set: 192.168.2.10
D. Destination set: 192.168.2.10; client set: 208.43.67.12

FIGURE 6.18 Can you dig this? (Diagram labels: an Internet client at 206.66.66.71 asks the DNS server “Where is www.peachweaver.com?” and is answered “Peachweaver.com is at 208.43.67.12”; the addresses shown beside the ISA Server are 192.168.2.6 and 208.43.67.12; the Web server is labeled 192.168.2.10.)
2. Consider Figure 6.18 again. This time, you want to secure traffic between the ISA Server and the Web server. The client is connecting using SSL. If the client connection begins at IP address 206.66.66.71, where does it terminate?
A. 208.43.68.12
B. 192.168.2.10
C. 208.43.67.12
D. 208.43.67.12
3. Look at Figure 6.18 again. If SSL is used from end to end, how many certificates will be required?
A. 1
B. 3
C. 4
D. 2
4. Examine Figure 6.19. In this scenario, you will use the Mail Proxy wizard to make the internal mail server available for external clients to access their mail. At what IP address should the MX record for the mail server be placed? What address should be in the MX record?
A. MX record at: 192.168.2.10; MX record is: 208.43.67.12.
B. MX record at: 208.43.67.12; MX record is: 208.43.67.12.
C. MX record at: 208.43.67.12; MX record is: 192.168.2.10.
D. MX record at: 192.168.2.10; MX record is: 192.168.2.10.
5. The cache on the ISA Server can be configured to cache inbound requests as well as outbound requests. Choose all the correct answers.
A. Web pages requested by Internet clients can be saved in the cache and the cache can be used to serve future Internet requests.
B. This would be a security issue if Mail proxy was also used. You would not want e-mail to be saved in the cache where it might potentially be read by others.
C. Reverse caching is a good way to take the load off a busy Web server, especially if several ISA Servers are in an array and the array is configured to publish the Web site.
D. Unlike forward caching, reverse caching is available in firewall mode.
6. In order to use the SMTP content filter, you must:
A. Install the SMTP filter.
B. Select it when running the Mail Server Security Wizard.
C. Enable and configure it.
D. Have the SMTP service running on the ISA Server.
FIGURE 6.19 Mail proxy. (Diagram labels: an Internet client at 206.66.66.71 asks the DNS server “Where is www.peachweaver.com?” and is answered “Peachweaver.com is at 208.43.67.12”; the addresses shown beside the ISA Server are 192.168.2.6 and 208.43.67.12; the Exchange server is labeled 192.168.2.10.)

Answers to Review Questions
1. Client address sets can be used to limit the clients that are authorized to access the published servers. You configure them before publishing the internal site. They can be collections of IP addresses or specific Windows groups or users. During publication the client address sets are selected in the interface. After publication, changes can be made to their membership. See the section, “Configuring ISA Server for Web Hosting.”
2. The SMTP filter can reject mail from a list of users and check for SMTP buffer overrun attacks. If message screening is installed, you can screen messages by keywords, size, name, or type of content. Third-party filters can be purchased to extend these filtering capabilities. See the section, “Content Filtering.”
3. An internal media server can be published and access restricted to internal clients, external clients, or some combination, by using destination sets. Access can also be restricted by client address sets. See the section, “Configure ISA Server for Server Publishing.”
4. Packet filters. See the section, “Publishing Servers on a Perimeter Network.”

Answers to Exam Questions
1. A. The destination set always includes the external IP address of the ISA Server. The client set includes clients that are authorized to access the site. See the section, “Configuring Destination Sets.”
2. D. The SSL connection from the client always terminates at the ISA Server. See the section, “Redirecting HTTP and SSL Requests.”
3. D. One certificate for the Web server, and one for ISA Server. See the section, “Redirecting HTTP and SSL Requests.”
4. B. The DNS server lists the MX record, which should contain the IP address of the external address of the ISA Server. See the section, “Configuring ISA Server for Server Proxy.”
5. A, C. Reverse caching is not available in firewall mode so D is wrong. E-mail is never cached on the ISA Server so B is wrong. See the section, “Configuring ISA Server for Server Proxy.”
6. A, B, C. The SMTP service will be running on the mail server. See the section, “Content Filtering.”
Suggested Readings and Resources
1. “Content Security—Policy Based Information Protection and Data Integrity,” an IDC white paper by Christian A. Christiansen, at www.contenttechnowledges.com/products/collateral/pdfs-/idcreport.pdf
2. The following Web sites are references for third-party products that can be used with ISA Server to provide additional content or virus screening:
• www.antivirus.com/products/isv2/isaserver
• www.gfi.com/languard/lanccfeatures.htm
• www.finjan.com/isaserver
CHAPTER 7
H.323 Gatekeeper

OBJECTIVES
This chapter covers the following Microsoft-specified objectives for the Configuring and Troubleshooting ISA Server Services section of the Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server 2000 exam:
Configure the H.323 Gatekeeper for audio and video conferencing.
• Configure Gatekeeper rules. Rules include telephone, email, and Internet Protocol (IP).
• Configure Gatekeeper destinations by using the Add Destination Wizard.
You may think that audio and video conferencing is not a component of your internal network. Yet, NetMeeting conferencing may be an integral part of your users’ workday. Whether it is used for proper business communications or casual conversation, it needs to be controlled and appropriately managed. The ISA Server H.323 Gatekeeper service can provide that control. To use it, you need to understand how to install and configure it.
OUTLINE
Introduction 208
What Is an H.323 Gatekeeper? 208
  What Is the H.323 Protocol? 209
  Where Does T-120 Fit In? 210
  What’s the Difference Between a Gatekeeper and a Gateway? 211
  How Does the Gatekeeper Work? 211
    Gatekeeper Service 212
    H.323 Protocol Filters 212
    The Registration Database 212
    Registration Admission and Status 213
    The Registration Process 214
    Rule Processing—What Happens When a Request Is Received? 215
  H.323 Gatekeeper Limitations and Other Considerations 216
How to Add an H.323 Gatekeeper to ISA 217
  Enabling and Configuring H.323 Protocol Access 218
    Enabling H.323 Protocol Access 218
    Establishing Protocol Rules 219
  Configuring DNS 220
  Adding the H.323 Gatekeepers 221
  Enabling Fast Kernel Mode and Data Pumping 222
  Gatekeeper Administration 222
Configuring Gatekeeper Call Routing Rules 223
  Configuring Destinations 224
  Configuring Phone Number Rules 224
  Configuring Email Address Rules 225
  Configure IP Address Rules 226
H.323 Gatekeeper Scenarios 227
Chapter Summary 230
Apply Your Knowledge 231
  Exercises 231
  Review Questions 231
  Exam Questions 232
  Answers to Review Questions 233
  Answers to Exam Questions 233
STUDY STRATEGIES
• First things first. Learn something about H.323 and T-120 standards.
• Work with NetMeeting, both in making calls to Internet Locator Servers (ILS) on the Internet and in hosting calls on your system.
• Install and configure the H.323 Gatekeeper module of ISA Server.
• Study implementation strategies.
• Set up H.323 Gatekeeper to forward calls to the Internet.
INTRODUCTION
Configure the H.323 Gatekeeper for audio and video conferencing.
Widespread high-volume audio, video, and data conferencing may not be a factor in every network, but some form of H.323/T-120 conferencing is available on every desktop. Products like NetMeeting and RealAudio provide end users a way to tune in to streaming media broadcasts or to host whiteboard and desktop sharing sessions with others in their local network or around the world. Blocking all H.323 communications across a firewall is not the answer. Instead, enlightened companies want to benefit from the increased value that this type of multipoint communication has to offer. However, they should insist on controlling this function. Widespread, uncontrolled proliferation of these transmissions can result in chaos, increased security risks, and unjustified rapid increases in bandwidth requirements. (Do you really want to pay large amounts of money so that employees can tune in to their favorite radio station over the Internet?) The ISA Server H.323 Gatekeeper provides a way to manage and control video, audio, and data conferencing across a private network or across the Internet. Before you can benefit from its features, you must understand:
• What Is an H.323 Gatekeeper?
• How to Add the H.323 Gatekeeper Service to ISA Server
• How to Configure Call Routing Rules and Destinations
Finally, you should consider possible H.323 Gatekeeper scenarios from which your company may benefit.
WHAT IS AN H.323 GATEKEEPER?
The H.323 Gatekeeper provides communication capabilities for H.323–registered clients. H.323 clients are clients that use H.323 Gatekeeper compliant applications, such as NetMeeting 3.0 or later. Communications can be directed from or to clients and can occur on the local area or wide area network and across the Internet.
Chapter 7
Client requests are received by the Gatekeeper and, if authorized, are intelligently routed to the proper address. If clients are registered in the database, the Gatekeeper can also be used to route requests to them so they can participate in video, audio, and data conferencing if these applications are compliant with the Gatekeeper. Prior to installing and working with the H.323 Gatekeeper, you should know the answers to the following questions:
• What is the H.323 Protocol?
• Where does the T-120 standard fit in?
• What’s the difference between a Gatekeeper, a gateway, and an H.323 proxy?
• How does the Gatekeeper work?
• What are H.323 Gatekeeper limitations and other considerations?

What Is the H.323 Protocol?
Users connect to audio and video resources all the time (television, radio, and telephone) without thoughts of compatibility because existing standards have been in force for a long time. Product manufacturers know that unless they follow these standards, their products will be rejected in the marketplace. What about real-time audio and video conferencing? H.323 is a standard that specifies how this information is formatted and transmitted over networks. It is an International Telecommunications Union (ITU) standard and specifies how multimedia equipment, computers, and services should work over a network. The standard recognizes that these networks may not provide a guaranteed quality of service, but nevertheless can carry real-time video, audio, and data. Two Internet Engineering Task Force (IETF) standards, Real-Time Protocol (RTP) and Real-Time Control Protocol (RTCP), together with additional protocols, form the base of the H.323 standard. In addition, the protocol specifies how different types of networks, such as IP and the Public Switched Telephone Network (PSTN), can work together to provide the best of both worlds.
H.323 GATEKEEPER
A number of codecs (formal definitions) describe how the data is formatted and transmitted, including how the data is compressed. The H.323 standard recognizes the availability of various codecs and incorporates within the specification required codecs (H.245 and Q.931) and the ability for codec negotiation between H.323 devices and applications. The goal here is for users to be able to participate over the Internet or other networks in these types of conversations without worrying about what equipment they have on the desktop. Although this standard is not so widespread that all applications and equipment can interoperate freely, you already have application-level software that does provide these types of communications. Microsoft NetMeeting can be used for streaming audio and video content, and for data sharing across an IP network, based on the H.323 standard.
Where Does T-120 Fit In?
H.323 is a standard for audio and video conferencing; T-120 is the ITU standard for real-time, multipoint data connections and conferencing. T-120 can be used alone, or in combination with H.323. In fact, the H.323 standard includes specifications for how video and audio conferencing products can work alongside T-120 equipment, or incorporate it within themselves. T-120 has two components: networking and applications. The networking components, T-122, T-123, T-124, and T-125, describe standards for
• Sending and receiving data over a variety of connections
• Establishing and maintaining conferences regardless of platform
• Managing multiple participants/programs
The application-level standards T-126 and T-127 apply to functions such as electronic whiteboards, file transfer, and program sharing, and work regardless of platform. Microsoft NetMeeting was designed to meet the T-120 standards.
What’s the Difference Between a Gatekeeper and a Gateway?
Microsoft NetMeeting is considered an H.323 terminal. The H.323 standard also describes additional elements:
• Gateway. Terminals on a LAN are made available to H.323 terminals on a WAN or another H.323 gateway. Gateways translate one product’s implementation of H.323 to another or to some other communication device. An example of this would be the ability to allow telephone-based participation in a NetMeeting conference.
• Multipoint Control Unit (MCU). A conferencing server. Three or more H.323 terminals can connect to an MCU. Although NetMeeting can host meetings on a desktop and manage several connections from other NetMeeting clients, an Internet Locator Service server is built to handle a large number of conferences and callers.
• Gatekeeper. Network service providers. Clients register with Gatekeepers to be able to send and receive calls. Gatekeepers control clients according to a structured set of rules that permits some calls and denies others. The ISA Server H.323 Gatekeeper service provides these services.
ISA Server also provides an H.323 Proxy. The H.323 application filter allows compliant calls from applications to the H.323 Gatekeeper service across firewalls.

How Does the Gatekeeper Work?
The following elements work together to provide the ISA Server H.323 Gatekeeper function:
• Gatekeeper service
• H.323 protocol filters
• Registration database—A compilation of all H.323 clients who have registered with the Gatekeeping service
• Registration, Admission, and Status (H.323 RAS) protocol—Used to register clients
• The registration process
• Rule processing algorithms
These elements are discussed in the following sections.

Gatekeeper Service
The H.323 Gatekeeper service is installed as a separate component of ISA Server. Once installed and configured, it provides H.323 Gatekeeper services for registered clients.

H.323 Protocol Filters
H.323 protocol filters are used to create call plans. Call plans route clients’ calls based on the called party address. That is, the filters identify an address as being that of a computer or other device at some location. When the address is used, nothing more in the way of identification is necessary—the filter allows the call to be delivered where it needs to go. For example, an email address can be used to register a NetMeeting client as the host for a NetMeeting session. Entering that email address in another NetMeeting client can link the two, as a filter can match email addresses to computer IP addresses and the session can be connected.

The Registration Database
The registration database holds the aliases and their matching IP addresses and allows the H.323 Gatekeeper to translate between the two. Connections to those addresses registered in the database are controlled and managed by the Gatekeeper using rules defined for the service. You do not need to use the H.323 Gatekeeper or the registration database to access H.323 services through the ISA Server. However, clients must be registered in the registration database for two types of H.323 communication:
• First, to receive inbound calls through the Gatekeeper service to a well-known alias. (A well-known alias can be an email address.)
• Second, if translation services are needed to place outgoing calls. Translation services provide the capability to reference H.323 services that may not have a registered DNS address, for example, a personal email address, a Plain Old Telephone System (POTS) device phone number, and so on. Think of this powerful capability as a sort of name resolution for the rest of us. Here’s how it works:
1. You use NetMeeting 3.0 to place a call to me at [email protected]. Neither one of us has a valid, Internet routable IP address, nor will our internal addresses be exposed on the Internet.
2. NetMeeting connects with your in-house H.323 Gatekeeper.
3. The Gatekeeper knows that peachweaver.com is not an internal address and so forwards the request to ISA Server.
4. ISA Server looks up the address for peachweaver.com and sends the query over the Internet to peachweaver.com.
5. The ISA Server at peachweaver.com receives the request for [email protected] and contacts its internal H.323 Gatekeeper.
6. The H.323 Gatekeeper translates the alias into a network address.
7. The ISA Server at peachweaver.com sends notice to your ISA Server and creates the connection.
8. The ISA Server holds the link open.
Restrictions can be set within the ISA Server Gatekeeper to prevent or allow video, audio, T120 data (real-time multipoint data connections and conferencing standard), and application sharing and to limit the hours this service is available. These restrictions are set on the Property pages for the H.323 Gatekeeper.
Registration Admission and Status
H.323 communications are origination end-point to destination end-point (usually client). These end-points should be registered with the Gatekeeper using the H.323 Registration, Admission and Status (H.323 RAS) protocol. Although you can add static registrations (always active and cannot receive inbound calls) using the H.323 Gatekeeper, you should only do this for those endpoints that cannot use the H.323 RAS protocol. H.323 RAS alias addressing supported by the H.323 Gatekeeper is of three types from two versions of the protocol (see Table 7.1). Aliases consist of a type and a name.
TABLE 7.1 H.323 RAS ALIAS ADDRESSING
Type         Format                                                        H.323 RAS Version
E-Mail-ID    Internet type email addressing                                Two
H.323-ID     DNS strings, email addresses, account names, computer names   One
E164         Phone number addressing—characters 0–9                        One

FIGURE 7.1 Example of H.323 RAS alias address types.
An example of some of these types of addresses can be seen by right-clicking the active terminal in the ISA Management Console and displaying its Properties page (see Figure 7.1).
The Registration Process
Endpoints can be an H.323 client, such as a Proxy server (ISA Server) or a client running NetMeeting, or an H.323 gateway. Registration includes:
• Endpoint Q931 (IP address plus port) addresses
• H.323 RAS addresses for the endpoint
• List of aliases
Client registration to the database is often done by simply entering the Gatekeeper IP address in the client application. For example, in Microsoft NetMeeting, the Tools, Options, Advanced Calling dialog box has a place to enter registration information (see Figure 7.2). The H.323 protocol then contacts the H.323 Gatekeeper and registers the client automatically.
Rule Processing—What Happens When a Request Is Received?
You must define Gatekeeper rules in the ISA Server Gatekeeper service management snap-in. To do so, you first define destinations, and then phone, email, and IP address rules. Each type of request, either inbound call or outbound call, follows its own processing algorithm.

Inbound Calls
When an inbound call is received, the following processing takes place:
1. The type of alias is identified (email, H.323, or E164).
2. The alias is compared to its rule database.
3. Rules matching the pattern are added to an ordered rule list.
4. Rules are then sorted by metric from lowest to highest.
5. The rules are processed until the request either is resolved or fails.
6. A confirmation or rejection is sent to the requesting client.

FIGURE 7.2 Registering the NetMeeting client.

Outbound Calls
Outbound calls are calls that are received by the H.323 Gatekeeper from internal clients. They might be resolvable to other internal client addresses or to other domains. When outbound calls are made to the local domain, the following processing takes place:
1. A registered client places an outbound call.
2. An admission request is sent to the H.323 Gatekeeper and includes the destination alias.
3. If the Gatekeeper finds an address for the destination alias, an admission confirmation is sent to the client that includes the destination address.
4. If the Gatekeeper does not find an address for the destination alias, it continues to process its rules to attempt a resolution.
5. If no resolution is found, the request fails.
FIGURE 7.3 H.323 Gatekeeper active terminal.

NOTE
Use Rules as Tools
Create rules for foreign domains to make their use easier for internal clients. For example, the fully qualified domain name of an ILS server can be quite long, such as ils.public.techtopics.Microsoft.mythoughts.peachweaver.com. Quite a mouthful, or should I say handful, to be typed. Instead, create a rule for the domain (MStopics, or some other useful acronym) that will then resolve to the FQDN. Users need only to type in “MStopics” to reach the ILS server.
If the request is for another domain the H.323 Gatekeeper searches its list of rules and returns a weighted list. The list is processed until it finds either a specific rule for that domain or, if none exists, a rule to manage all other domains (the domain identification information is empty). (Domain specific rules may simply contain the fully qualified domain name for an alias.) The ISA Server will use DNS to find the IP address of the domain.
H.323 Gatekeeper Limitations and Other Considerations
While the features and services provided by the H.323 Gatekeeper service are awesome, you should also be aware of some of its limitations and issues:
• No security features are provided by the H.323 protocol. However, features included in the ISA Server H.323 Gatekeeper service can be used to reduce the risk incurred by allowing the use of this protocol through a firewall. Allowing audio, video, and data conferencing through a firewall requires the opening of multiple ports. The H.323 application filter manages dynamic opening and closing of these ports, which is preferable to static packet filters. However, ports are still opened. Gatekeeper rules are routing rules, not security rules. However, you can configure the H.323 filter to limit the types of H.323 communications, such as data, and this may primarily be used to limit bandwidth requirements. It will also reduce vulnerability by reducing the range of ports that are open. Ports used in H.323 communications are listed in Table 7.2.
• Clients internal to an H.323 Gatekeeper cannot register with an H.323 Gatekeeper on the Internet. (No signaling, or the transfer of RAS style H.323 registration, is supported across an ISA Server.)
• Uniqueness of aliases in general is not enforced; however, Q931 addresses must be unique.
• An H.323 Gatekeeper running on an internal network cannot exchange location messages with one running on the Internet. (No signaling is supported across ISA Server.)
• Clients may register using one alias from multiple locations because the Gatekeeper uses the most recently active terminal for an alias.
TABLE 7.2 H.323 PORTS
Port                       Use
1720 (TCP)                 H.323 call setup
1731 (TCP)                 Audio call control
Dynamic (TCP)              H.323 call control
Dynamic (RTP over UDP)     H.334 streaming
389 (TCP)                  Internet Locator Server
522 (TCP)                  User Location Service
1503 (TCP)                 T.120
HOW TO ADD AN H.323 GATEKEEPER TO ISA
Not every ISA Server will want to serve as an H.323 Gatekeeper. The H.323 Gatekeeper can be added during installation or at a later time. To add an H.323 Gatekeeper to ISA, follow these steps:
1. Enable and configure H.323 protocol access.
2. Configure DNS.
3. Add H.323 Gatekeeper to ISA Server.
4. Enable fast kernel mode.
Enabling and Configuring H.323 Protocol Access
Before you can use the H.323 Gatekeeper service, you must enable and configure H.323 protocol access. The first step in doing this is to enable H.323. You will also want to fine-tune this access by creating protocol rules.
Enabling H.323 Protocol Access
FIGURE 7.4 Enable this filter.
An application filter for H.323 is provided with ISA Server. This is separate from the H.323 Gatekeeper service and is used to filter the H.323 protocol. H.323 protocol access is disabled by default on an ISA Server that is installed without the H.323 Gatekeeper service. (When the H.323 Gatekeeper service is installed, protocol access is enabled.) The Gatekeeper service may not be installed on every ISA Server, but you may still want to pass H.323 traffic through other ISA Servers in your enterprise, so you will want to enable H.323 protocol access on those servers. If the Gatekeeper service was not installed, use Step by Step 7.1 to enable the filter. In addition, you will want to select appropriate call access control.
STEP BY STEP 7.1 Enable the H.323 Protocol Rule
1. In the ISA Management Console, under Internet Security and Acceleration Server/Servers and Arrays/name/Extensions/Application Filters, right-click H.323 filter and click Properties.
2. On the General tab (see Figure 7.4), click Enable This Filter.
3. On the Call Control tab (see Figure 7.5), make the selections to configure the type of overall control you desire. Granular control over access is accomplished by using protocol rules. Table 7.3 lists the overall options and explains them. Click OK.

FIGURE 7.5 Configuring call control.
TABLE 7.3 CONFIGURING H.323 CALL CONTROL
Option                                                      Explanation
Use this Gatekeeper                                         Specify a Gatekeeper to use. Enter the FQDN of the ISA Server that hosts the service.
Call direction                                              Indicate direction of call allowed.
  Allow incoming calls                                      People from other organizations will be allowed to call your people.
  Allow outgoing calls                                      People in your organization will be allowed to call other people over the Internet.
  Use DNS Gatekeeper lookup and LRQs for alias resolution   Look up aliases using the Gatekeeper.
Media Control                                               Control the type of media allowed.
  Allow audio                                               Allow audio.
  Allow video                                               Allow video.
  Allow T120 and application sharing                        Allow this protocol.
Establishing Protocol Rules
To fine-tune the access to the H.323 services, write protocol rules. Step by Step 7.2 describes the process.
STEP BY STEP 7.2 Creating H.323 Protocol Rules
1. If necessary, create policy elements, such as schedule, before creating the rule.
2. In the ISA Management console, right-click Protocol Rules and select New Rule.
3. Enter a name for the rule and click Next.
4. Select the Allow or Deny check box and click Next.
5. On the New Protocol Rule Wizard/Protocols page in the Apply This Rule To drop-down box, select Selected Protocols. Then use the Protocols drop-down box to select the H.323 protocol, and click Next (see Figure 7.6).
FIGURE 7.6 Select the H.323 protocol.
Part II
CONFIGURING AND TROUBLESHOOTING ISA SERVER SERVICES
6. On the New Protocol Rule Wizard/Schedule page, use the drop-down box to select the schedule that represents the hours and days you will allow or deny protocol access (see Figure 7.7) and click Next.
7. On the New Protocol Rule Wizard/Client type page, select whether to grant or deny access to clients by IP address, user name, or group, then click Next.
8. Review the configuration and click Finish.
FIGURE 7.7 Select the schedule for allowed access.
Configuring DNS
In order for H.323 proxies outside your organization to locate the ISA Server that hosts the H.323 Gatekeeper service, you must configure a DNS service location (SRV) resource record. Instructions follow (see Step by Step 7.3) for creating this record on a Windows 2000 DNS Server. To create these records in other DNS systems, follow the instructions for creating resource records in those systems.
STEP BY STEP 7.3 Creating a DNS Service Location Resource Record
1. From Start, Programs, Administrative Tools, select DNS.
2. In the DNS console select dnsserver/Forward Lookup Zones/the zone the ISA server is in.
3. Right-click the zone and choose Other New Records.
4. In the Resource Record Type dialog box, click on a resource record type, and then select Service Location.
5. Click the Create Record button (see Figure 7.8).
FIGURE 7.8 Configuring the resource record.
6. In the New Resource Record/Service drop-down box, select or type Q931.
7. In the Protocol box, select _tcp.
8. In Port Number, type 1720.
9. In Host Offering This Service, type the external FQDN of the ISA Server computer that hosts the H.323 service (see Figure 7.9).
10. Click OK. The resource record is added to the _tcp folder of the forward lookup zone (see Figure 7.10). Click Done and close the DNS console.
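Once the record from Step by Step 7.3 has replicated, it is worth confirming from a client network that the name and port actually published are the ones the H.323 proxies will look for. The following Python script is an added example (it is not from the book and not part of ISA Server): it builds a DNS SRV query for _q931._tcp.<zone>, decodes the reply, and checks that an answer points at the expected ISA Server host on port 1720. The zone example.com, the host isa.example.com, the DNS server address and the function names are constructed for illustration; nothing about your own zone is assumed.

```python
"""Verify the H.323 Gatekeeper SRV record (_q931._tcp.<zone>) published in DNS.

Added example for illustration; not ISA Server code. Names and addresses
used in the usage section are placeholders.
"""
import socket
import struct

SRV_TYPE = 33      # RR type code for SRV (RFC 2782)
IN_CLASS = 1       # class IN
GATEKEEPER_PORT = 1720  # Q.931 call signalling port entered in Step by Step 7.3


def h323_srv_name(zone):
    """Owner name of the Gatekeeper discovery record: _q931._tcp.<zone>."""
    return "_q931._tcp." + zone.strip(".")


def encode_name(name):
    """Encode a dotted name as DNS labels (length-prefixed, zero terminated)."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_srv_query(name, txid=0x1234):
    """Standard recursive query: 12-byte header plus one SRV/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", SRV_TYPE, IN_CLASS)


def read_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels = []
    end = None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:          # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_srv_answers(msg):
    """Return [(priority, weight, port, target)] for each SRV RR in the answer section."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:                      # RCODE != 0 (3 = NXDOMAIN): not published
        return []
    offset = 12
    for _ in range(qd):                     # skip the echoed question
        _, offset = read_name(msg, offset)
        offset += 4
    results = []
    for _ in range(an):
        _, offset = read_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == SRV_TYPE:
            prio, weight, port = struct.unpack("!HHH", msg[offset:offset + 6])
            target, _ = read_name(msg, offset + 6)
            results.append((prio, weight, port, target))
        offset += rdlen
    return results


def query_srv(name, server, timeout=3.0):
    """Send the query over UDP/53 to `server` and decode the reply (needs network)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_srv_query(name), (server, 53))
        reply, _ = sock.recvfrom(4096)
    finally:
        sock.close()
    return parse_srv_answers(reply)


def check_gatekeeper_record(answers, expected_host, expected_port=GATEKEEPER_PORT):
    """True if some SRV answer points at the expected ISA host on the Q.931 port."""
    return any(port == expected_port and target.lower() == expected_host.lower()
               for _, _, port, target in answers)


if __name__ == "__main__":
    import sys
    zone, server, host = sys.argv[1:4]   # e.g. example.com 192.0.2.53 isa.example.com (placeholders)
    answers = query_srv(h323_srv_name(zone), server)
    print("SRV answers:", answers)
    print("Gatekeeper record OK:", check_gatekeeper_record(answers, host))
```

An empty answer list means the record is not visible from the DNS server you asked, which is the kind of name-resolution problem the review questions at the end of the chapter point at; a non-empty list with the wrong port or target means the Port Number or Host Offering This Service field was entered incorrectly.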
Adding the H.323 Gatekeepers
When the Gatekeeper service is installed, a local Gatekeeper is added to the ISA Server. If you want to manage other Gatekeepers from this server, you can add them by right-clicking the H.323 Gatekeeper folder, selecting Add Gatekeeper, and choosing the target machine by entering the FQDN of the other system.
FIGURE 7.9 Configuring the resource record.
FIGURE 7.10 Resource record location.
Enabling Fast Kernel Mode and Data Pumping
Several protocols require secondary connections. H.323 is one of them. Because ISA Server maintains and processes this information as part of NAT, there is some delay while the access rights of the secondary connection are processed. However, in most cases, this extra permission check is really unnecessary, as the secondary connection is never initialized until the primary connection has been accomplished. If the primary connection is approved, there is no need to perform a separate authorization for the secondary connection. You can allow ISA Server to skip this step and therefore improve throughput by enabling IP routing. This process is known as fast kernel mode or data pumping. Because data on secondary connections is maintained for NAT clients in kernel mode, performance gains can be significant. While caution would seem to indicate that one should not allow IP routing on a firewall, IP routing in ISA Server is not allowed unless packet filtering is enabled. With packet filtering enabled first, no packet that is not allowed by a packet-filtering rule will be routed. An application filter for the protocol must be installed on the server. To enable fast kernel mode, open the Properties page of the IP Packet Filter folder and on the General tab check the boxes for Enable Packet Filtering and Enable IP Routing.
Gatekeeper Administration
In addition to establishing the Gatekeeper and identifying call control, an administrator can restrict its usage by creating Gatekeeper rules (see the section, “Configure Gatekeeper Rules” later in this chapter), and by setting parameters in the Gatekeeper Property pages, as defined in Table 7.4.
TABLE 7.4
SETTING GATEKEEPER PROPERTIES

Property Page   Item                                            Explanation                                                                                    Figure
Network         Network Adapters                                Select the network adapters that the Gatekeeper service uses.                                  7.11
Advanced        Expiration Times/Registration expiration time   Set time limit on the registration. How long will registered clients remain in the database?   7.12
                Expiration Times/Active Call expiration time    Set time limit on active calls.
                Registration Database/Database file size        Configured at Gatekeeper creation.
                Registration Database/Compact Database          Compact database.

FIGURE 7.11 Selecting network adapters.
CONFIGURING GATEKEEPER CALL ROUTING RULES
Configure Gatekeeper rules. Rules include telephone, email, and Internet Protocol (IP).
Gatekeeper call routing rules define routing for phone numbers, email addresses, and IP addresses. They are configured on a per-Gatekeeper basis. When a request is received, these rules tell the Gatekeeper service how to process the request and to what destination (proxy, Gatekeeper, ISA Server) to send the request. Prior to creating call routing rules, you must use the Add Destination Wizard to create destinations to be used in the rules. In general, to create new call routing rules, right-click on the type of rule you want, and select New Rule.
FIGURE 7.12 Advanced features.
Configuring Destinations
Configure Gatekeeper destinations by using the Add Destination Wizard.
Destinations specify the locations available to be used in Call Routing rules and need to be created before the rules are created. To add a new destination using the Add Destination Wizard, follow Step by Step 7.4.
FIGURE 7.13 Choosing a destination type.
STEP BY STEP 7.4 The Add Destination Wizard
1. Right-click on the H.323 Gatekeeper/name/Call Routing/Destinations folder and select Add Destination.
2. On the New Destination Wizard/Destination Type page, select one of the options displayed (see Figure 7.13) and click Next.
3. On the New Destination Wizard/Destination Name or Address page, enter the IP address or DNS name for the Gatekeeper to use for this destination (see Figure 7.14) and click Next.
4. On the New Destination Wizard/Destination/Destination Description page, type a description and click Next.
5. Review the configuration and click Finish.
FIGURE 7.14 Adding a destination address.
Configuring Phone Number Rules
Phone number rules provide a way to determine how all requests that include a specific prefix on the phone number, or that include a specific phone number, are routed. For example, all requests with the prefix 9 (a common prefix to obtain an outside line) might be routed to an ISA Server on a perimeter network. Further routing rules on this ISA Server might route specific requests to an ISA Server Gatekeeper service at another location. When the ISA Server Gatekeeper service at that location receives the call, it might route it by using its local registration database. Use Step by Step 7.5 to create phone number rules.
STEP BY STEP 7.5 Creating a Phone Number Rule
1. Right-click the Phone Number Rules folder and select Add Routing Rule. Click Next.
2. Enter a name and description for the rule and click Next.
3. Enter a prefix or phone number. This routes all calls within the prefix or for this phone number to a destination. If you enter a single phone number, clear the Route All Phone Numbers Using This Prefix check box (see Figure 7.15). Click Next.
FIGURE 7.15 Enter prefix or phone number.
4. On the New Routing Rule Wizard/Destination Type page, select the destination to be used by this rule. Inapplicable destination types will be grayed out (see Figure 7.16). Click Next.
5. Select the destination name and click Next. Destinations configured on this server appear in the Gateways and Proxy Servers box.
6. On the New Routing Rule Wizard/Change a Phone Number page, add a prefix or configure the rule to shorten the number of digits. These operations will be applied to the number dialed before it is routed to the destination (see Figure 7.17). Click Next.
7. Enter a metric and click Next. Metrics are used to help ISA Server determine the order in which routing rules are applied. For more information see the section, “Rule Processing” earlier in this chapter.
FIGURE 7.16 Select destination type.
8. Click Finish.
Configuring Email Address Rules
The default email address rule is set to refer all addresses to the Registration database. If you add the DNS domain name to be routed, all aliases for this domain will be resolved using the local registration database. You create additional rules to define where requests with email addresses outside this domain are to be routed (see Step by Step 7.6). For example, you might route all requests with email addresses that include the domain of a business partner to a specific ILS server on your business partner’s network.
FIGURE 7.17 Change phone number before routing.
STEP BY STEP 7.6 Creating an Email Address Rule
1. Right-click the Email Address Rules folder and select Add Routing Rule. Click Next.
2. Enter a name and description for the rule and click Next.
FIGURE 7.18 Choose DNS domain.
3. Enter a Domain Name Suffix. To route all calls within that DNS domain name suffix, check the Route All Email Addresses That Include This General DNS Domain Name box (see Figure 7.18). Click Next.
4. On the New Routing Rule Wizard/Destination Type page, select the destination to be used by this rule. Inapplicable destination types will be grayed out (see Figure 7.19). Click Next.
5. Select the destination name and click Next. Destinations configured on this server appear in the Gateways and Proxy Servers box. Click Next.
FIGURE 7.19 Select destination type.
6. Enter a metric and click Next. Metrics are used to help ISA Server determine the order in which routing rules are applied. For more information see the section “Rule Processing” earlier in this chapter.
7. Click Finish.
Configure IP Address Rules
Three default IP address rules exist, one for each private addressing range. These rules deny address translation for the private address ranges on the local network (see Figure 7.20). You will define new IP address rules (using Step by Step 7.7) to specify how requests with IP addressing are routed.
STEP BY STEP 7.7 Creating a New IP Address Rule
1. Right-click on the IP Address Rules folder and select Add Routing Rule. Click Next.
2. Enter a name and description for the rule and click Next.
3. Enter an IP address and network mask to indicate a range of IP addresses (see Figure 7.21). Click Next.
4. On the New Routing Rule Wizard/Destination Type page, select the destination to be used by this rule. Inapplicable destination types are grayed out (see Figure 7.22). Click Next.
5. Select the destination name and click Next. Destinations configured on this server appear in the Gateways and Proxy Servers box. Click Next.
FIGURE 7.20 Default IP address destinations.
6. Enter a metric and click Next. Metrics are used to help ISA Server determine the order in which routing rules are applied. For more information see the section, “Rule Processing” earlier in this chapter.
7. Click Finish.
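Step by Steps 7.5 through 7.7 all follow one pattern: a match expression (a prefix or complete number, a DNS domain suffix, an address and mask), a destination, and a metric that orders competing rules. The following Python model is an added example, not ISA Server code, that works through that pattern for all three rule types so the interaction of the metric, the Route All Phone Numbers Using This Prefix option and the Change a Phone Number step can be tried on paper before the rules are built. It assumes that a lower metric is tried first, that a phone number or email ID with no matching rule falls back to the local registration database (the text states this only for the default email rule), and that the three default private-range IP rules discard the request; the rule names, destinations and aliases are constructed for the demonstration.

```python
"""Model of how Gatekeeper call routing rules pick a destination.

Added illustration, not ISA Server code. Metric ordering, the fallback to the
registration database and the DISCARD label are assumptions stated in the text
around this example.
"""
import ipaddress
from dataclasses import dataclass

REGISTRATION_DB = "Registration database"   # destination used by the default email rule
DISCARD = "Discard"   # assumed label for the default private-range IP rules (they deny translation)


@dataclass
class PhoneRule:
    name: str
    prefix: str             # a prefix, or a complete number when route_all is False
    destination: str
    metric: int             # assumption: lower metric is tried first
    route_all: bool = True  # "Route All Phone Numbers Using This Prefix" check box
    add_prefix: str = ""    # "Change a Phone Number": digits to prepend
    strip_digits: int = 0   # "Change a Phone Number": leading digits to remove

    def matches(self, number):
        return number.startswith(self.prefix) if self.route_all else number == self.prefix

    def rewrite(self, number):
        # applied to the dialed number before it is handed to the destination
        return self.add_prefix + number[self.strip_digits:]


@dataclass
class EmailRule:
    name: str
    domain_suffix: str
    destination: str
    metric: int
    include_subdomains: bool = True  # "route all email addresses that include this general DNS domain name"

    def matches(self, address):
        domain = address.rsplit("@", 1)[-1].lower()
        suffix = self.domain_suffix.lower().lstrip(".")
        return domain == suffix or (self.include_subdomains and domain.endswith("." + suffix))

    def rewrite(self, address):
        return address


@dataclass
class IPRule:
    name: str
    network: str        # "address/mask" exactly as entered in the wizard
    destination: str
    metric: int

    def matches(self, address):
        return ipaddress.ip_address(address) in ipaddress.ip_network(self.network, strict=False)

    def rewrite(self, address):
        return address


# The three default IP address rules the text describes, one per private range.
DEFAULT_IP_RULES = [
    IPRule("Private 10/8", "10.0.0.0/255.0.0.0", DISCARD, 1),
    IPRule("Private 172.16/12", "172.16.0.0/255.240.0.0", DISCARD, 1),
    IPRule("Private 192.168/16", "192.168.0.0/255.255.0.0", DISCARD, 1),
]


def is_ip_address(alias):
    try:
        ipaddress.ip_address(alias)
        return True
    except ValueError:
        return False


def route_call(alias, phone_rules=(), email_rules=(), ip_rules=DEFAULT_IP_RULES):
    """Choose the rule set by alias type, apply the lowest-metric matching rule,
    and return (destination, alias as forwarded). With no matching rule, phone
    numbers and email IDs fall back to the registration database (assumed);
    IP addresses return None because the text defines no default for them."""
    if "@" in alias:
        rules, fallback = email_rules, REGISTRATION_DB
    elif is_ip_address(alias):
        rules, fallback = ip_rules, None
    else:
        rules, fallback = phone_rules, REGISTRATION_DB
    chosen = min((r for r in rules if r.matches(alias)), key=lambda r: r.metric, default=None)
    if chosen is None:
        return fallback, alias
    return chosen.destination, chosen.rewrite(alias)


if __name__ == "__main__":
    # constructed sample rules: the "9 for an outside line" case from the text
    phone = [PhoneRule("Outside line", "9", "isa-perimeter.example.com", 10, strip_digits=1)]
    email = [EmailRule("Partner", "partner.example", "ils.partner.example", 10)]
    print(route_call("914085551212", phone, email))
    print(route_call("fred@sales.partner.example", phone, email))
    print(route_call("192.168.1.20", phone, email))
```

The model makes one consequence of the wizard visible: a rule created for a single phone number is only reached when no lower-metric prefix rule also matches, so metrics, not rule creation order, decide which destination a dialed number reaches.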
H.323 GATEKEEPER SCENARIOS
So, how will you benefit from using the H.323 Gatekeeper service? There are at least three distinct deployment scenarios, and more scenarios can be developed by combining these:
• Intra-enterprise. Internal users register their NetMeeting (or other H.323-compliant) software with the H.323 Gatekeeper service by using an email address (or phone number). They can call each other using this alias and participate in audio, video, and data sharing on the internal network. H.323 communications outside the network may be blocked. The Gatekeeper service may only be running on an internal ISA Server and not on the firewall (see Figure 7.23).
FIGURE 7.21 Enter IP address.
FIGURE 7.22 Select destination type.
• Inter-enterprise. The Gatekeeper service is installed on the ISA firewall. The application filter is enabled and the Gatekeeper configured to allow outbound and inbound H.323 communications. Other businesses, or other geographic locations of this enterprise, have also installed and configured H.323 Gatekeeper services. Users from both organizations and locations register their NetMeeting (or other H.323 software) with their respective Gatekeeper service, using their email address. Users can call each other using an email address and participate in audio, video, and data sharing (see Figure 7.24).
• PSTN. PSTN is a network optimized for real-time voice communications. Quality of Service (QoS) can be guaranteed. To incorporate PSTN in H.323 conferencing, you can set up an H.323 gateway to handle data routing and transfer between the H.323 Gatekeeper and the PSTN network. Users register themselves with the Gatekeeper using email addresses or telephone numbers. In this scenario, communications between your networked computers and telephones on the PSTN are managed. Users can call other users by phone number, and multiple users, both NetMeeting-based users and users with only a telephone, can be linked in an audio conference (see Figure 7.25).
FIGURE 7.23 Intra-enterprise. (Diagram: NetMeeting clients Nancy, Fred, John, Joe, and Mary registered by email alias in the registration database of a single ISA H.323 Gatekeeper.)
FIGURE 7.24 Inter-enterprise. (Diagram: two ISA H.323 Gatekeepers connected across the Internet; Mary, Nancy, Joe, Fred, and John register with their respective Gatekeeper by email alias.)
FIGURE 7.25 PSTN. (Diagram: NetMeeting users Mary, Fred, and Joe reach telephone users through an ISA H.323 Gateway.)
CHAPTER SUMMARY
KEY TERMS
• H.323
• T.120
• H.323 Gatekeeper
• H.323 gateway
• H.323 proxy
• International Telecommunications Union (ITU)
• Real-Time Protocol (RTP)
• Real-Time Control Protocol (RTCP)
• Multipoint Control Unit (MCU)
• Registration database
• H.323 protocol filters
• Alias
• Registration, Admission, and Status protocol (RAS)
• E-Mail-ID
• H.323-ID
• E164
• DNS resource record
• Fast kernel mode
• Data pumping
• Internet Locator Server
This chapter presented information on H.323 Gatekeeper functions, the capabilities of the ISA Server H.323 Gatekeeper, and instructions on how to configure it. Who can use H.323 communications, when they can use them, and how requests should be routed should be a corporate policy decision. The implementation of that policy can be easily accomplished by using the Gatekeeper service.
APPLY YOUR KNOWLEDGE
Exercises
7.1 Install and Configure H.323 Gatekeeper
One of the easiest configurations and uses for an H.323 Gatekeeper is to set it up to manage internetwork requests for NetMeeting services. These types of configurations do not usually cause security problems because the H.323 data does not cross the firewall. Instead, it offers greater control over the types of H.323 conferencing on the internal network. Setting up this type of scenario and making it work provides the basis for working with more complex scenarios. It also has the advantage that it only requires one ISA Server and two clients with NetMeeting installed.
Estimated Time: 45 minutes
1. Install the H.323 Gatekeeper service on the ISA Server.
2. Configure the service to manage intranetwork H.323.
3. Configure NetMeeting 3.0 or above on two client machines.
4. Check for client registration in the H.323 registration database.
5. After registration has occurred, start a NetMeeting session between the two clients.
6. End the session and configure the H.323 gateway to prevent this conversation.
7. Test your configuration.
Review Questions
1. The downloading of streaming media content from the Internet has gotten out of hand at DataCot, Inc. While the company debates whether or not to allow such content, you are asked to block it. What do you do?
2. The DataCot, Inc. vice president of Sales is livid. It seems his sales managers use NetMeeting to conference with sales staff out in the field. They do no video or audio communications, just data sharing with the whiteboard and chat features of NetMeeting. You have shut off this vital form of communication. Your management instructs you to do what you have to do to get this running ASAP! What do you do?
3. The Sales vice president at DataCot returns and claims he told you he wanted to also add the capability to do voice conferencing with sales team members who do not have computers. What do you do?
4. You made such a hit with the Sales vice president that now Marketing wants audio, video, and data conferencing. They do not want to communicate with other companies or locations across the Internet. They want localized conferencing within their department and occasional access to other employees at headquarters. They want to restrict the usage of video conferencing to their department only. What do you do?
5. At the Halstrom Cain Manufacturing Company an audio and video conferencing project has been underway for six months. Careful planning has identified the types of conferencing, users, products, locations, and other requirements. A lot of work has gone into configuring the ISA Server, and upgrading the network to handle the additional bandwidth requirements. However, the actual process just isn’t happening, or happens sporadically. You check the ISA Server and all configurations seem to be correctly done. Computers can ping the Gatekeeper computer and other computers in the network. External connections of other types can be made. What could possibly be the problem?
Exam Questions
1. You are charged with setting up H.323 communications for your internal, private network only. Select all applicable steps.
A. Add H.323 Gatekeeper service.
B. Configure DNS.
C. Add H.323 Gateway.
D. Enable and configure H.323 protocol access.
2. You are charged with setting up H.323 communications. You want to communicate with other H.323 Gatekeepers across the Internet. Select all applicable steps.
A. Add H.323 Gatekeeper service.
B. Configure DNS.
C. Add H.323 Gateway.
D. Enable and configure H.323 protocol access.
3. You are in charge of setting up H.323 communications. You want to be able to provide clients without computers access to audio conferencing via their telephones. No communication over the Internet is planned. Select all applicable steps.
A. Add H.323 Gatekeeper service.
B. Configure DNS.
C. Add H.323 Gateway.
D. Enable and configure H.323 protocol access.
4. The H.323 Gatekeeper service is installed and correctly configured on ISA Server A. You want to conference between employees in New York and Boston. Choose the operations to perform from the list that follows.
A. Enable the H.323 protocol filter on ISA Server A.
B. Enable the H.323 protocol filter on ISA Server B.
C. Install and configure the H.323 Gatekeeper Service on ISA Server C.
D. Enable the H.323 protocol filter on ISA Server C.
E. Enable the H.323 protocol filter on ISA Server D.
5. After setting up the above scenario, you find that some clients are able to conference, and some are not. After some study you find that those that cannot conference are registered in the ISA Server A registration database. You must do the following to correct the problem.
A. Configure a call routing rule on ISA Server A to route all communications received for external clients to the H.323 Gatekeeper on ISA Server B.
B. Configure a call routing rule on ISA Server A to route all communications received for external clients to the H.323 Gatekeeper on ISA Server B.
C. Configure a call routing rule on ISA Server D to route all communications received for external clients to the H.323 Gatekeeper on ISA Server B.
D. Configure a Routing rule to route all internal destinations to the ISA Server B.
Answers to Review Questions
1. Check firewall configuration. Block ports used by H.323 protocols. See the section, “H.323 Protocol Limitations and Other Considerations.”
2. Set up the H.323 Gatekeeper and the H.323 filter. Use protocol filters to restrict usage to only that required—data sharing. Restrict H.323 usage to the sales teams using protocol and site and content rules. Point the internal sales team computers’ NetMeeting applications to the ISA Server that hosts the H.323 Gatekeeper. See the section “H.323 Protocol Filters.”
3. Re-enable audio conferencing. Add an H.323 gateway. Configure the H.323 Gatekeeper to route calls to and from the H.323 gateway. See the section, “What’s the Difference Between a Gatekeeper and a Gateway?”
4. Configure a separate H.323 Gatekeeper to route requests among internal users. See the section, “H.323 GateKeeper Scenarios.”
5. Check the configuration of DNS service records. The problem might be one of name resolution. See the section, “Configuring DNS.”
Answers to Exam Questions
1. A, B. You must add the H.323 Gatekeeper service and configure DNS. An H.323 gateway is unnecessary, so C is wrong. The H.323 protocol access filter is also unnecessary. See the section “How to Add an H.323 Gatekeeper to ISA.”
2. A, B, D. Now you need the H.323 filter. See the section, “How to Add an H.323 Gatekeeper to ISA.”
3. A, B, C. Now you need the gateway. See the sections “How to Add an H.323 Gatekeeper to ISA” and “What’s the Difference Between a Gatekeeper and a Gateway?”
4. A, B, C, D. ISA Server B is the perimeter server/firewall. The filter needs to be enabled here and on ISA Servers B and C. The Gatekeeper Service needs to be installed on ISA Server C. The Gatekeeper service is not running on ISA Server D, so all clients will be registered in the database on Server C. There is no need to enable the protocol filter on ISA Server D. See the section, “Registration Admission and Status.”
5. A. The H.323 Gatekeeper on ISA Server B has most likely been configured to only route requests to its registration database. By routing these types of calls to ISA, Server B has not been configured to route through the Internet client registration database on B does not know about the clients in any other database. See the section, “Configuring Gatekeeper Call Routing Rules.”
Suggested Readings and Resources
1. Knowledge base article Q279347 “Enable IP Routing on ISA Server to Increase Performance.” http://support.microsoft.com/support/kb/articles/Q279347
2. Microsoft NetMeeting Resource Kit. Microsoft Press.
• Chapter 4, “NetMeeting and Firewalls”
• Chapter 10, “Understanding the T.120 Standard”
• Chapter 11, “Understanding the H.323 Standard”
CHAPTER 8
Dial-Up Connections and RRAS

OBJECTIVES
This chapter covers the following Microsoft-specified objectives for the Configuring and Troubleshooting ISA Server Services section of the Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server 2000 exam:
• Set up and troubleshoot dial-up connections and Routing and Remote Access dial-on-demand connections.
• Set up and verify routing rules for static IP routes in Routing and Remote Access.
Many companies will want to or need to establish dial-up connections to the Internet and to other ISA Servers at other locations. In some installations you may find a need to establish IP routes to enable the ISA Server to communicate with all clients. You should know how to properly do both of these without compromising the ISA Server and allowing unauthorized access to your private network.
OUTLINE
Introduction                                            238
Dial-on-Demand Connections                              238
  Configure Network and Dial-Up Connections             239
  Create a Dial-Up Entry                                240
  Create a Dial-Up Routing Rule                         240
  Enable Dial-Up Entry in Firewall Chaining
    Configuration                                       242
  Troubleshooting ISA Server Dial-Up Connections        243
Managing and Limiting ISA Dial-Up Connections           243
Routing and Remote Access Service Versus ISA Server     245
  Routing                                               246
  Connecting Remote Clients                             246
  Static Routes                                         247
  Using RRAS for Dial-on-Demand Connections             249
Troubleshooting Common RRAS Problems                    250
Remote Administration                                   253
  Using ISA Management Console from a Remote Computer   253
  Using Terminal Services to Manage ISA Server          254
Chapter Summary                                         255
Apply Your Knowledge                                    256
  Exercises                                             256
  Review Questions                                      256
  Exam Questions                                        258
  Answers to Review Questions                           261
  Answers to Exam Questions                             262
STUDY STRATEGIES
• Get it clear: When Routing and Remote Access and ISA Server offer similar services (VPN, dial-on-demand, packet filtering) you need to use ISA Server.
• Configure dial-up access to the Internet and configure ISA Server for dial-on-demand. Even if you can perfectly follow instructions, I’m willing to bet your first attempt will not work. Fixing it helps you learn those “troubleshooting” tricks and traps that you need to know.
• Review how to create destination sets, site and content rules, and protocol rules.
• Determine what’s done where. What console should be loaded to do a task? What do you need to configure in the Windows 2000 interface, and what in the ISA Management console?
• Learn the ins and outs of restricting dial-on-demand interfaces—there’s more to it than meets the eye.
INTRODUCTION
Questions surface when considering dial-up connections, dial-on-demand, routing, and firewalls. First: When should I use ISA Server and when should I use Routing and Remote Access Services? Second: Should routing be enabled on a firewall? These questions have a simple answer. First: Always use ISA Server if ISA Server can do the job. Second: Never configure IP routing on the ISA Server unless packet filtering is enabled. This chapter explains how to:
• Use ISA Server to set up dial-up connections and establish dial-on-demand
• Manage and limit dial-up connections
• Troubleshoot dial-on-demand connections
• Use Routing and Remote Access Services to configure static routes on the ISA Server
• Remotely administer ISA Server
DIAL-ON-DEMAND CONNECTIONS
Set up and troubleshoot dial-up connections and Routing and Remote Access dial-on-demand connections.
Not every organization will have a direct connection to the Internet. Instead, they will use a dial-up service. Other organizations will require that servers forward requests to upstream servers before Internet access is allowed. In some cases, the access to the upstream server may be a dial-up line. One advantage of using ISA Server is that it can be configured to dial this connection only in response to a need to access the Internet or the remote ISA Server. This action might be triggered, for example, when a requested Internet resource is not in its cache. By serving requests from the cache, requests are fulfilled more quickly. By configuring ISA Server for dial-out-on-demand, a less costly solution to Internet access is made available to those who pay by the number of hours they are connected.
Dial-up access can also be configured as a secondary or backup route. To configure ISA Server to dial this service on demand, complete the following steps:
1. Configure network and dial-up connections.
2. Create a dial-up entry.
3. Create a dial-up routing rule.
4. Enable firewall chaining to use the dial-up entry.
Configure Network and Dial-Up Connections
The first step in configuring dial-on-demand is to be sure the internal network card of the ISA Server computer does not have a gateway set. Next, you must create a network dial-up connection. To do this, use the Windows 2000 Control Panel\Phone and Modem Options (see Step by Step 8.1).
STEP BY STEP 8.1 Configure a Network Dial-Up Connection
1. Double-click the Phone and Modem Options icon.
2. If you have not already configured the modem, do so now.
3. On the Dialing Rules tab, click New.
4. Enter a name for the location, an area code for the location, and any dialing rules, such as a number for an outside line.
5. Click OK.
NOTE
Upstream Server? As you may recall from Chapter 5, “Outbound Internet Access,” linking ISA Servers like this is called firewall, or hierarchical, chaining. You can find more information in Chapter 12, “Managing ISA Servers and Chains.”
Create a Dial-Up Entry
A dial-up entry is an ISA Server policy element that a routing rule can use to specify dial-up access to the Internet, or to another ISA Server at another location. To configure a dial-up entry, follow Step by Step 8.2.
STEP BY STEP 8.2 Create a Dial-Up Entry
FIGURE 8.1 Configuring a dial-up entry.
1. In the ISA Management console right-click on Internet Security and Acceleration Server\Servers and Arrays\name\Policy Elements\Dial-up Entries and select New Dial-Up Entry.
2. Enter a name for the entry.
3. Enter a description.
4. Select a dial-up connection by clicking Select and browsing to the dial-up connection created for this purpose.
5. Click Set Account to add the appropriate account and password (see Figure 8.1).
6. Click OK.
EXAM TIP
On What Account? For dial-up connections to the ISP, the account and password are those given to you by the ISP—not the username and password that authenticates you in the domain.
Create a Dial-Up Routing Rule
Finally, you must create a routing rule that enables the use of the dial-up entry to access the dial-up location. To do so, follow Step by Step 8.3. If a user requests a Web object and the rule requires a dial-up connection, ISA Server will dial out to the Internet.
STEP BY STEP 8.3 Creating the Dial-Up Routing Rule
1. Right-click the Internet Security and Acceleration Server\Servers and Arrays\name\Network Configuration\Routing folder and select New Rule.
2. Enter a name for the routing rule, click Next.
3. Select Destinations and click Next.
4. Select Retrieve Them Directly from the Specified Destination.
5. Check Use a Dial-Up Entry and click Next (see Figure 8.2).
FIGURE 8.2 Selecting the dial-up entry.
6. Determine the Cache Retrieval Configuration (see Table 8.1). Click Next.
7. Select the Cache content configuration (see Table 8.1) and click Next, and then click Finish.
8. Open the property pages of the new routing rule by double-clicking on the rule in the Details pane of the Routing folder.
9. Select the Action tab and be sure that the check box Use Dial-Up Entry for Primary Route is checked (see Figure 8.3).
FIGURE 8.3 Setting the primary route.
TABLE 8.1 ROUTING RULE OPTIONS

Routing Wizard/Property Page: Cache Retrieval Configuration/Cache
  Option: A valid version of the object. If none exists, retrieve the request using the specified requested action.
  Explanation: ISA looks first in the cache, but if the object has expired, it routes the request.
  Option: Any version of the object. If none exists, retrieve the request using the specified request action.
  Explanation: Even expired content is returned before requests are routed.
  Option: Any version of the requested object. Never route the request.
  Explanation: You get the object if it's there; otherwise, tough luck.

Routing Wizard/Property Page: Cache Content Configuration/Cache
  Option: All content, including dynamic objects, will be cached.
  Explanation: All downloaded objects are cached.
  Option: If source and request headers indicate to cache, the content is cached.
  Explanation: Not all objects are cached.
  Option: No content is ever cached.
  Explanation: Nothing is cached.
Enable Dial-Up Entry in Firewall Chaining Configuration
FIGURE 8.4 Enable dial-up for SecureNAT and firewall client requests.
It may seem strange to talk about firewall chaining when talking about demand dial-up Internet access, especially when working with a standalone ISA Server. However, firewall chaining properties determine what happens to SecureNAT and Firewall client requests. To refer requests to an up-level ISA Server or use the local connection for these clients, you must configure firewall chaining. The ISA Server firewall chaining properties page is accessed by right-clicking the Networking Configuration folder in ISA Management and selecting Properties. To provide demand-dial, check Use Primary Connection and Use Dial-Up Entry (see Figure 8.4).
MANAGING AND LIMITING ISA DIAL-UP CONNECTIONS
After you configure ISA Server for dial-on-demand connections, you might want to limit ISA Server connections. Remember that you have the same options for controlling these connections as any others. You can restrict users' access to sites, reduce available hours for connection, and so on. Several tips for managing and restricting dial-up connections are shown in Table 8.2.
TABLE 8.2 MANAGING AND RESTRICTING DIAL-UP CONNECTIONS

Desired: Limit the time a user can dial out.
  Action (Web access): Create a schedule for the time to deny or allow Internet access, then create a site and content rule using that schedule that denies or allows all access to the Internet.
  Action (All requests): Use this schedule in a protocol rule that denies access.

Desired: Prevent unnecessary Internet dial-up.
  Action: List all internal servers in the Local Domain Table to prevent Internet-based DNS lookups.

Desired: Limit active caching.
  Action: Active caching is configured on the Active Caching page of the Cache Configuration properties. If active caching is configured, dial-up occurs when it is necessary to refresh cache content. To reduce the frequency of automatic cache refresh, select Less Frequently (see Figure 8.5).
TROUBLESHOOTING ISA SERVER DIAL-UP CONNECTIONS
Setup for dial-up connections for ISA Server is fairly simple; nevertheless, problems will occur. Table 8.3 lists some potential trouble spots and what to do about them.
FIGURE 8.5 Reducing active caching refresh.
TABLE 8.3 ISA SERVER DIAL-UP CONNECTIONS TROUBLESHOOTING

Problem: The event Dial-on-Demand Failure is recorded in the event log.
  Possible Cause: The connection could not be created because the line was busy or there is no answer.
  Resolution: Determine why there is no answer or if the line was busy and make necessary changes.

Problem: The event Invalid Dial-On-Demand Credentials is recorded in the event log.
  Possible Cause: The credentials are not valid.
  Resolution: Check validity of username and password for the dialed resource. If the dial-up connection is to an ISP, the account to be entered in the dial-up credentials should be this information, not the W2K logon!

Problem: The event Upstream Chaining Credentials is logged.
  Possible Cause: The credentials are not valid.
  Resolution: Check validity of username and password for the upstream server; this may be a W2K user account and password.

Problem: No user is requesting Internet access and yet the ISA Server periodically dials out to the Internet.
  Possible Cause: Active caching is enabled.
  Resolution: Active caching attempts to periodically refresh content in the cache. If dial-on-demand has been configured, ISA Server dials on its own to collect the data. If you do not want it to do so, disable active caching.
  Possible Cause: A DNS lookup is required to establish whether a request can be granted.
  Resolution: If a rule identifies a Web server by IP address, but a client requests the resource by name (or vice versa), ISA Server cannot tell if the request should be granted. It therefore dials out to the Internet for name resolution or reverse lookup and then again qualifies the request.
  Possible Cause: A requested server is internal but ISA Server cannot resolve the name to an IP address, so it dials out to do a DNS lookup.
  Resolution: Configure all internal domains in the Local Domain Table; that way, the ISA Server does not have to dial out to determine that the request is for a local resource.

Problem: Event 14066, Can't read dial-up entry configuration.
  Possible Cause: The dial-up configuration can't be recognized.
  Resolution: Check the dial-up entry configuration or the firewall service.

Problem: Message 14067, Failed to load rasapi32.dll.
  Possible Cause: Usually a result of incorrect system configuration.
  Resolution: Dial manually to check the configuration and then restart the failed service.

Problem: 14136, ISA Server dial-out connection failed.
  Resolution: Manually dial the number to be sure it can be reached.

Problem: 14142, Dial-out to the Internet failed.
  Possible Cause: The dial-up attempt failed, possibly due to authentication.
  Resolution: Verify the phone book entry. Verify authentication settings.

Problem: Dial-up server hangs even when there is no dialing activity.
  Possible Cause: ISA Server is attempting to send requests for DNS lookup to an external DNS server (even for internal requests).
  Resolution: Configure ISA Server to use only internal DNS servers. Configure the DNS server as an ISA Server client. Configure the DNS server to forward unresolved requests to an external DNS server.

Problem: Manual dial-out works, but ISA Server dial-out doesn't.
  Possible Cause: Dial-up entry credentials are not correct.
  Resolution: Reconfigure or modify the ISA Server dial-up entry connections.
  Possible Cause: ISA Server doesn't have permission to use the dial-up connection.
  Resolution: Reconfigure the W2K dial-up connection and allow everyone to use the connection.

Problem: Dial-up connection is dropped.
  Possible Cause: Someone inadvertently disconnected the session.
  Resolution: Restart ISA Server services. This automatically reestablishes the connection.

Problem: Dial-out failed as another connection is already being dialed.
  Possible Cause: Another service on the computer is connecting.
  Resolution: Wait. ISA tries again after another request is made. Or try restarting services.
ROUTING AND REMOTE ACCESS SERVICE VERSUS ISA SERVER
The Routing and Remote Access Service is a service of Windows 2000 that can be used to establish a Windows 2000 server as a network router, NAT server, demand-dial router, and VPN tunnel endpoint. ISA Server can provide a demand-dial Internet connection, SecureNAT services, and act as a VPN endpoint. Routing rules can be defined that direct requests received by ISA. ISA also provides a way to further control these services through policies. You should always use the ISA Server components that are present instead of using other Windows 2000 services. Be especially careful that you do not use the Routing and Remote Access services to make end-runs around the ISA Server firewall service. To do so would compromise network security: enabling a Routing and Remote Access router on the ISA Server without enabling packet filtering turns the ISA Server into a router, and all packets are routed between the Internet and your private network. This is not what you purchased ISA Server to do. (You presumably purchased ISA Server to protect your network, not expose it to uncontrolled access.)
To control access, always choose ISA Server when you provide remote access services via the ISA Server computer. Services you may want to provide, and how they can be accomplished, are
• Routing
• Connecting remote clients
• Static routes
Routing
FIGURE 8.6 Enable packet filtering and routing.
By using the ISA routing rules and packet filters, you can route requests appropriately and protect your network. As an added protection, ISA Server-based routing rules cannot be used unless ISA packet filtering is enabled. Packet filtering on ISA Server drops all packets by default that have not explicitly been allowed by IP Packet filters or by access policy or publishing rules. Do not make the mistake of configuring Routing and Remote Access to resolve network access issues. Instead, determine the reason for the problem and resolve it using ISA Server Management tools. Checking a box on the General tab of the IP Packet Filters properties page enables packet filtering. (The IP Packet Filters folder can be found at Internet Security and Acceleration Server\Servers and Arrays\name\Access Policy\IP Packet Filters. See Figure 8.6.) Note that Packet Filtering is not available in cache mode. IP Routing is enabled on the same property page. Note that if you uncheck the Enable Packet Filtering box, the Enable IP Routing check box is grayed out (see Figure 8.7). Remember: Create demand-dial connections, routing rules, packet filters, and VPN endpoints using ISA Server.
Connecting Remote Clients
FIGURE 8.7 Protect and preserve—no routing without packet filtering.
Many employees now work from home, or are frequently on the road. These employees also need access to resources on the corporate private network. In the past, this access was allowed through dial-up connections to a remote access server, perhaps using a Windows NT Remote Access Server. Although it is possible to configure this type of remote access, it is strongly recommended that remote client connections use a VPN connection to the ISA Server. Typical client software (Windows 9x, Windows ME, Windows NT Workstation, and Windows 2000 Professional) includes VPN client capabilities, and ISA Server makes an excellent VPN tunnel endpoint. For more information see Chapter 9, “Virtual Private Networks (VPNs) Access.”
Static Routes
Set up and verify routing rules for static IP routes in Routing and Remote Access.
One thing that ISA Server does not do is provide facilities for creating static IP routes (routes that are manually defined rather than automatically created) on the ISA Server. ISA Server does allow the use of routing rules to specify how received requests should be forwarded, that is, to a specific dial-up connection, to all internal destinations, to all external destinations, or to a destination set. Destination sets, which are defined separately from routing rules, can contain IP address ranges. You can create a destination set and use it in routing rules that specify where requests should be routed. However, these rules determine how internal requests for Web Internet access are routed, or how external requests for hosted servers are routed, and are not useful for simple routing from one IP network to another. If you need to define static routes on the ISA Server, then you must do so using Routing and Remote Access Services or using the route command. Using static routes is not recommended for large routing environments. However, small, single-path, static internetworks can benefit. A small internetwork is defined as one composed of two to ten networks. Single path means that there is only one path, or route, for packets to take to get from one endpoint to another. Static, of course, means that the network architecture doesn't change over time. Several typical small internetwork scenarios are
• A branch office
• A small business
• A home network
For these small internetworks, you may want to configure static routes on the ISA Server. There are two ways to do so:
• Use RRAS (Step by Step 8.4).
• Use the route command (Step by Step 8.5).
STEP BY STEP 8.4 Create a Static Route Using RRAS
1. Open the Start\Programs\Administrative Tools\Routing and Remote Access console.
2. If RRAS has not been enabled, do so by right-clicking the server icon in the console and selecting Enable Routing and Remote Access Service.
3. Select Routing and Remote Access\name\IP Routing\Static Routes.
4. Right-click Static Routes and click New Static Route.
5. In the Static Route dialog box (see Figure 8.8), enter the Interface, Destination, Network Mask, Gateway, and Metric.
FIGURE 8.8 Creating a static route.
STEP BY STEP 8.5 Create a Route by Using the Route Command
1. Open a command prompt.
2. Type the following command, where network is the network address that you want to route to, subnetmask is the subnet mask of network, and gateway is the IP address of the network card on the internal network. The -p makes the route persistent (a reboot does not remove the route from the computer's routing table).

   route add -p network mask subnetmask gateway

Figure 8.9 is an example command where the desired effect is to route all traffic to the 192.168.5.0/24 network through the 192.168.6.15 gateway.
FIGURE 8.9 Using the route command.

WARNING
Don't Do This! If you enable RRAS and set up static routes without enabling packet filtering in ISA Server, you have made ISA Server just another router. You compromise your firewall. IP traffic from the untrusted network, that is, the Internet, flows freely into your private network.
USING RRAS CONNECTIONS FOR DIAL-ON-DEMAND
Set up and troubleshoot dial-up connections and Routing and Remote Access dial-on-demand connections.

While Microsoft recommends that you use ISA Server facilities for configuring dial-on-demand connections, it is also possible to do so using RRAS. Demand-dial connections in RRAS are point-to-point and require the configuration of two routers, one at each location (see Step by Step 8.6).

EXAM TIP
Mixed Signals While vociferously demanding that ISA Server be used to configure dial-on-demand connections for its clients, Microsoft lists an exam objective that requires knowledge of using RRAS to do this. Part of the confusion here is that ISA Server adds policy management and more flexible protection for these types of connections. The ISA Server packet filters and other security implementations can protect dial-on-demand connections, and access to this feature can be managed by security policy. So you could read this objective as referring to the ISA Server capabilities alone. However, the wise student of Microsoft will be sure he or she clearly understands the capabilities and configuration of the separate service, Routing and Remote Access Service, and how it can coexist with ISA Server.

STEP BY STEP 8.6 Using RRAS to Establish Dial-On-Demand Connections
1. On router 1: Create a demand-dial interface called Point1 that specifies the modem on the router and, for authentication, the username and password of the account created in the other network—DDPoint2.
2. Create a static route that includes an interface name DDPoint1, destination network, and network mask that matches router 2. (Demand-dial connections are point-to-point, so you do not configure the gateway IP.)
3. If this static route is to be used to initiate a demand-dial connection, be sure the box Use This Route to Initiate Demand-Dial Connections is checked (see Figure 8.10).
4. On router 1: Create a Windows 2000 user account using the interface name, that is, DDPoint1. Be sure to clear User Must Change Password at Next Logon and select Password Never Expires.
5. Grant the user DDPoint1 dial-in permissions through the user interface or through remote access policies.
6. On router 2: Create a demand-dial interface (name it DDPoint2) that specifies the modem on that computer and the authentication credentials of Point1.
continues
FIGURE 8.10 Use this route!
continued
7. On router 2: Create a static route with the interface DDPoint2, destination network, and network mask that matches router 1.
8. On router 2: Create a Windows 2000 user account using the interface name, that is, DDPoint2. Be sure to clear User Must Change Password at Next Logon and select Password Never Expires.

EXAM TIP
What's In a Name? In order for demand-dial routing to work, the username created must match exactly the demand-dial interface name on the opposing router. Examine Figure 8.11 to see how this might be configured correctly. This issue, the matching of username to demand-dial interface, is critical.

FIGURE 8.11 RRAS demand-dial scenario. The diagram shows the following configuration:
Point 1 (192.168.5.50, phone number RB945): Demand Dial Interface Name: DDPoint1, User: DDPoint2, Phone number: RB459; Static route Network: 192.168.4.0, Interface: DDPoint1.
Point 2 (192.168.4.50, phone number RB459): Demand Dial Interface Name: DDPoint2, User: DDPoint1, Phone number: RB945; Static route Network: 192.168.5.0, Interface: DDPoint2.

Figure 8.11 illustrates the configuration described in Step by Step 8.6.
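The crossover rule of the "What's In a Name?" tip and the account and static-route settings of Step by Step 8.6 can be checked mechanically before anyone dials. The following Python script is an added example, not part of the book or of RRAS: it models both routers with the values of Figure 8.11 (the /24 masks and all field names are assumptions) and reports every mismatch the chapter warns about.

```python
"""Consistency check for an RRAS demand-dial router pair.

Added example: applies the rules from Step by Step 8.6 and the
"What's In a Name?" tip to two routers and lists every violation.
The router model and field names are hypothetical; the sample values
are taken from Figure 8.11, with /24 masks assumed for both networks.
"""
import ipaddress
from dataclasses import dataclass, replace


@dataclass
class DemandDialRouter:
    name: str                 # label used in messages
    ip: str                   # this router's address on its internal network
    interface: str            # demand-dial interface name on this router
    local_account: str        # W2K account created here for the peer to dial in with
    dial_user: str            # username this router's interface dials out with
    dial_number: str          # phone number this router dials
    own_number: str           # phone number this router answers on
    local_network: str        # this router's internal network (CIDR, /24 assumed)
    route_interface: str      # interface named in this router's static route
    route_network: str        # destination of that static route (CIDR)
    initiate_on_route: bool = True      # "Use this route to initiate demand-dial connections"
    must_change_password: bool = False  # "User must change password at next logon"
    password_never_expires: bool = True
    auth_method: str = "MS-CHAP v2"     # method the answering router accepts
    password_length: int = 12           # length of local_account's password


def check_pair(a: DemandDialRouter, b: DemandDialRouter) -> list:
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []
    for me, peer in ((a, b), (b, a)):
        # The caller's username must equal the answering router's demand-dial
        # interface name, or the call is handled as a remote access client.
        if me.dial_user != peer.interface:
            problems.append(f"{me.name}: dials as '{me.dial_user}', but "
                            f"{peer.name}'s interface is '{peer.interface}'")
        # The account created locally is what the peer dials in with, so it
        # carries this router's own interface name (steps 4 and 8).
        if me.local_account != me.interface:
            problems.append(f"{me.name}: account '{me.local_account}' does not "
                            f"match interface '{me.interface}'")
        if me.dial_number != peer.own_number:
            problems.append(f"{me.name}: dials {me.dial_number}, but "
                            f"{peer.name} answers on {peer.own_number}")
        # Static route: own interface, peer's network, no gateway (point-to-point).
        if me.route_interface != me.interface:
            problems.append(f"{me.name}: static route uses interface "
                            f"'{me.route_interface}' instead of '{me.interface}'")
        mine = ipaddress.ip_network(me.local_network)
        theirs = ipaddress.ip_network(peer.local_network)
        dest = ipaddress.ip_network(me.route_network)
        if dest != theirs:
            problems.append(f"{me.name}: static route to {dest} does not match "
                            f"{peer.name}'s network {theirs}")
        if ipaddress.ip_address(me.ip) not in mine:
            problems.append(f"{me.name}: address {me.ip} is not in {mine}")
        if not me.initiate_on_route:
            problems.append(f"{me.name}: route will not initiate a demand-dial connection")
        # Account settings from steps 4 and 8 and from Table 8.4.
        if me.must_change_password:
            problems.append(f"{me.name}: '{me.local_account}' must change password at next logon")
        if not me.password_never_expires:
            problems.append(f"{me.name}: password of '{me.local_account}' will expire")
        if me.auth_method == "MS-CHAP v1" and me.password_length > 14:
            problems.append(f"{me.name}: MS-CHAP v1 cannot use a password over 14 characters")
    if ipaddress.ip_network(a.local_network).overlaps(ipaddress.ip_network(b.local_network)):
        problems.append("the two internal networks overlap")
    return problems


# Constructed from Figure 8.11 (network masks assumed).
POINT1 = DemandDialRouter(
    name="Point 1", ip="192.168.5.50", interface="DDPoint1",
    local_account="DDPoint1", dial_user="DDPoint2",
    dial_number="RB459", own_number="RB945",
    local_network="192.168.5.0/24", route_interface="DDPoint1",
    route_network="192.168.4.0/24")
POINT2 = DemandDialRouter(
    name="Point 2", ip="192.168.4.50", interface="DDPoint2",
    local_account="DDPoint2", dial_user="DDPoint1",
    dial_number="RB945", own_number="RB459",
    local_network="192.168.4.0/24", route_interface="DDPoint2",
    route_network="192.168.5.0/24")


def misconfigured_point2() -> DemandDialRouter:
    """Constructed fault: the interface dials with its own account name."""
    return replace(POINT2, dial_user="DDPoint2")


if __name__ == "__main__":
    print("Figure 8.11:", check_pair(POINT1, POINT2) or "consistent")
    for p in check_pair(POINT1, misconfigured_point2()):
        print("problem:", p)
```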
Troubleshooting Common RRAS Problems
Configuring RRAS demand-dial connections can be irksome. Creating static routes might be confusing as well. Some of the most common problems and likely answers can be found in Table 8.4.
TABLE 8.4 TROUBLESHOOTING COMMON RRAS PROBLEMS

1. Problem: A demand-dial connection occurs, but clients cannot reach locations behind the router.
  Likely Cause: IP routing is not enabled.
  Solution: Enable it on the IP properties page of the router.
  Likely Cause: No facility has been made for giving the incoming client an IP address on the local network.
  Solution: Add DHCP or assignment from a static address pool on the router (properties page of the router).
  Likely Cause: The incoming call is interpreted as a router versus a remote access client.
  Solution: The user credentials must match the demand-dial interface.
  Likely Cause: The correct demand-dial interface for the protocol being routed has not been added.
  Solution: Add the correct interface for the protocol being used.
  Likely Cause: Routes do not exist on the routers to support this. (No default route is created by a demand-dial connection.)
  Solution: Add static routes.
  Likely Cause: Packet filters are preventing traffic flow.
  Solution: Verify that the connection should occur, then correct the packet filters.
  Likely Cause: Static routes on the router are not configured correctly.
  Solution: Correct the static routes.
  Likely Cause: No routes in the intranet routers of the networks.
  Solution: Add routes to intranet routers.

2. Problem: Demand-dial connection is not automatically made.
  Likely Cause: IP routing is not enabled.
  Solution: Enable it on the IP properties page of the router.
  Likely Cause: Demand-dial interface is disabled.
  Solution: To enable it, right-click Routing and Remote Access\name\Routing Interface\name of demand-dial interface and select “Enable.”
  Likely Cause: Static route does not have correct interface information in it.
  Solution: Reconfigure the static route.
  Likely Cause: “Use this route to initiate demand-dial connections” is not selected in the static route.
  Solution: Select it.
  Likely Cause: Dial-out hours prevent the connection from initiating.
  Solution: Dial-out hours are configured by right-clicking the demand-dial interface.
  Likely Cause: Routing and Remote Access Service is not started on the calling router.
  Solution: Check services on both routers to be sure they are started.
  Likely Cause: The router is in an unreachable state.
  Solution: If the RRAS service is started and the connection cannot be completed, the router is said to be in an unreachable state. To check the unreachable state, right-click the demand-dial interface and click Unreachability Reason.

3. Problem: Cannot make a demand-dial connection.
  Likely Cause: Dial-up ports are not enabled for inbound/outbound demand-dial connections.
  Solution: Enable dial-up ports in the Routing and Remote Access\name\Ports\Properties\Devices\Configure Device dialog box.
  Likely Cause: All ports available for demand-dial are already being used.
  Solution: Wait, or configure and enable more ports.
  Likely Cause: Routers do not share a common authentication method.
  Solution: Check routing policies and add a common authentication method.
  Likely Cause: Routing is not enabled on the routers.
  Solution: Enable routing.
  Likely Cause: Remote access policy settings for the demand-dial account are in conflict with the policy on the router.
  Solution: Change policies to match.
  Likely Cause: The user account used by the demand-dial interface requires “User must change password at next logon.”
  Solution: Clear this check box.
  Likely Cause: The user account password has expired.
  Solution: Set the account password to never expire, and follow a regular manual schedule to update passwords.
  Likely Cause: The user account password does not match.
  Solution: Obtain the correct password and modify the demand-dial configuration.
  Likely Cause: Not enough addresses are in the static address pool, or the DHCP server has no free IP addresses to lease.
  Solution: Wait until an address becomes free or modify the configuration so that more addresses are available.
  Likely Cause: If Active Directory accounts are used for authentication: the answering router cannot contact the Active Directory.
  Solution: Be sure Active Directory is available to the router.
  Likely Cause: If certificates are used for authentication, the router is not correctly configured.
  Solution: Configure the router to use certificates.
  Likely Cause: MS-CHAP v1 is used and the password is over 14 characters.
  Solution: Reduce the length of the password or use MS-CHAP v2.
REMOTE ADMINISTRATION
It's not always possible or practical to sit at every ISA Server console in order to administer the server.

While remotely managing an ISA Server or array, you may generate reports. However, you must have the appropriate permissions to do so. Keep in mind that reports for an array are generated by accessing the logs of all the ISA Servers in the array. You must, therefore, have permissions on all of the servers in the array. You must
• Be a local administrator on every ISA Server in the array.
• Be able to access and launch Distributed Component Object Model (DCOM) on every ISA Server in the array.

Two methods for remote administration exist:
• Install the ISA Management console on another system and connect to the ISA Server(s).
• Run the Terminal Server client and connect to the ISA Server computer.
You can also remotely manage ISA Server by writing DCOM scripts, but that's just a little outside the scope of this exam.

NOTE
If you are on the private network side of the ISA Server, you should not experience problems. Connection from the public side of the ISA Server is not recommended.

Like “OLE for Networks,” DCOM is a service that allows object communication across a network from one computer to another. Client objects on one computer connect to server objects on another for the purpose of sharing data and instructions. Like a Word document linked to Excel, data changes in one DCOM component can mean updated changes in the other. The capability to use DCOM objects on the ISA Server is managed by applying security permissions. Default permissions are set for the local Administrators group. It is through DCOM that remote administration of ISA Server through the Management console is possible.

Using ISA Management Console from a Remote Computer
The ISA Management Console can be installed on Windows 2000 Server or Windows 2000 Professional and used to manage ISA Server. If the ISA Server installation CD-ROM is used, however, during the installation you should choose the Custom installation method and only install the management tools. If you also need to manage the H.323 Gatekeeper service on the ISA computer, you must install the H.323 management tool as well. You can manage standalone ISA Server computers or arrays (see Step by Step 8.7). You must be a member of the Administrators group on the ISA Server that you will manage, and you must manage it from the same domain or a trusted domain.
STEP BY STEP 8.7 Connecting for Remote Administration by Using the Management Console
1. Open the ISA Server Management Console.
2. Right-click Internet Security and Acceleration Server.
3. Click Connect To.
4. If you want to manage a standalone ISA Server, click Connect to This Standalone Server.
5. If you want to manage an enterprise or an array, click Connect to Enterprise and Arrays.
6. Type the name of the computer to administer (see Figure 8.12).
7. Click OK.
FIGURE 8.12 Connecting to remotely manage ISA Server(s).
Using Terminal Services to Manage ISA Server
To use terminal services to manage ISA Server:
• The terminal services client must be installed on the client computer.
• Terminal server services must be installed on the ISA Server computer.
• You must be a member of the Administrators group on the ISA Server computer.
CHAPTER SUMMARY
Dial-up connections can be some of the most annoying configurations to create, test, and understand. ISA Server makes this process easy, but the complexity of ISA Server can challenge the unwary with extra dial-up issues. If you are comfortable with your understanding of firewall chaining and routing rule uses of dial-up access, and the requirements of name resolution, you will find this process less of a headache. Although ISA Server performs several connectivity functions that you could also configure under Routing and Remote Access services, you should always choose ISA Server to perform those functions that it can.
KEY TERMS
• Dial-on-demand
• Firewall chaining
• Primary connection
• Backup connection
• Active caching
• Static routes
• Single-path internetwork
• Unreachable state
• Distributed Component Object Model
APPLY YOUR KNOWLEDGE

Exercises
8.1 Configure ISA Demand-Dial Routing
If you configure demand-dial routing, you will have an appreciation for the issues this process can bring about, as well as its convenience for the small business. If you do not have a modem in your ISA Server test computer, you can still step through the process, and you will probably trigger some connectivity issues similar to those experienced by improperly configured sites and connections that fail to answer. If you take this approach, be sure to limit connections to the ISA Server or you will most certainly find the system extremely slow and possibly hang the system as the ISA Server strives to make a connection that it cannot possibly make.
Estimated Time: 30 minutes
1. Be sure you have ISA Server installed in integrated mode. A server with a modem and network card is the best choice. You can use a personal account to dial to your ISP if you want.
2. Test the Internet connection and credentials without using the ISA Server.
3. Configure the ISA Server to dial on demand when requests for Internet services are received. Configure a client machine to act as the requesting client. Any system with IE installed is okay. (You are just going to try to browse the Internet through your ISA Server.)
4. Be sure the client is on the same network as the internal NIC of the ISA Server and does not have an alternative route to the Internet.
5. Be sure the ISA Server has a site and content rule and a protocol rule that will allow requests to be retrieved from the Internet (and no rule that might block such requests).
6. Use the client system to access the Internet through the ISA Server.
Review Questions
1. A single, standalone ISA Server is configured to use a dial-on-demand connection to the Internet as its primary connection. There is no secondary connection. SecureNAT client HTTP requests are intermittently fulfilled. Web Proxy client HTTP requests are being serviced. What is the most likely cause?
2. No client requests are being made for Internet access and yet the ISA Server is periodically dialing out to the Internet. What is the most likely cause(s)?
3. The Loomis Vacuum Company wants to establish Internet connectivity for Web browsing and Internet email for corporate headquarters and three branch offices. A small number of employees work at the branch offices. They do not want to establish direct Internet access at all offices and want to control the schedule and type of access allowed. What type of a solution would you propose?
4. Frederman Wax Company has provided Internet access through a dial-up connection and connection sharing software for the past year. They purchased ISA Server as a replacement for their connection sharing software so they can have more protection for their internal network and more control over their employees' access to the Internet. They removed the Internet connection sharing software and configured ISA Server for demand-dial access to the Internet. It's not working. You inspect their system and, in looking at various property pages, you see the following (see Figures 8.13, 8.14, and 8.15). What is causing the problem? What is the solution?
FIGURE 8.13 Question 4, Screen 1.
FIGURE 8.14 Question 4, Screen 2.
FIGURE 8.15 Question 4, Screen 3.
5. Routing and Remote Access Services have been installed on both sides of a dial-up connection between two offices of the same company. The ISA Server in New York is configured to use the ISA Server in Boston as its upstream server. Connection cannot be made. You ask for and receive the information on the configuration of the two routers (see Table 8.5). What is the problem?
TABLE 8.5 ROUTER CONFIGURATION

Configuration | New York | Boston
Interface name | DDNewYork | DDBoston
User account established on this computer | DDNewYork | DDBoston
User credential in demand dial interface | DDNewYork | DDBoston
IP address of internal network | 192.168.5.0 | 192.168.4.0
Static route interface | DDNewYork | DDBoston
Static route network | 192.168.4.0 | 192.168.5.0

6. The configuration for demand-dial routing between two Routing and Remote Access Servers appears correct. Modems are in working order, and by monitoring the routers you can see that the connection seems to be made. However, users cannot reach resources behind the routers. List the next steps you will follow to attempt to troubleshoot this issue.

Exam Questions
1. The CTO has doubts about the security of using ISA Server as a firewall and asks you to test the newly configured ISA Server at a branch location. He wants to know if it is truly working as advertised. You attempt to penetrate the private network and are successful. When you check the ISA Server configuration, it appears that it is correctly configured and should have blocked your access. Your next step is
A. Tell the CTO he needs to rethink ISA Server acquisitions.
B. Tell the CTO the local staff obviously doesn't know how to configure a firewall as you have just penetrated its defenses.
C. Look to see if Routing and Remote Access services has been enabled on the ISA Server.
D. Look to be sure that network connections do not present some alternative path around the firewall.
2. The dial-up ISA Server periodically hangs, even though no one is attempting Internet access. Check all the possible reasons for this problem.
A. The dial-up configuration is incorrect.
B. The ISA Server is accessing the Internet for DNS lookup for all clients.
C. The modem on the ISA Server has stopped working.
D. ISA Server routinely checks to see if it is connected with the Internet.
3. Tyronia, Inc. wants to provide Internet connectivity for their employees. They have a small internetwork consisting of three networks. Each network represents a building location. The networks are physically connected by a router. They currently do their own Web site hosting, and the company Web server sites on the internal network are unprotected by a firewall. A diagram of the current network and the proposed location of the firewall can be viewed in Figure 8.16.
FIGURE 8.16 Tyronia network. (Diagram showing the Internet, the proposed ISA Server location, and the Web server.)
Required Result: Provide Internet access to employees. Allow access to the public Web server. Provide protection for the private network from Internet-based attack.
Optional Desired Results: Do not expose any information about the internal network. Limit employee access to the Internet to normal business hours.
Proposed Solution: Install ISA Server where shown. Use a static route to route incoming requests for the public Web server. Create a protocol rule that allows access to the Internet for all client requests.
Evaluation of Proposed Solution: Which result(s) does the proposed solution produce?
A. The proposed solution produces the required result but neither of the optional results.
B. The proposed solution produces the required result and one of the optional results.
C. The proposed solution produces the required result and both of the optional results.
D. The proposed solution does not produce the required result.
4. Tyronia, Inc. wants to provide Internet connectivity for their employees. They have a small internetwork consisting of three networks. Each network represents a building location. The networks are physically connected by a router. They currently do their own Web site hosting, and the company Web server sites on the internal network are unprotected by a firewall. A diagram of the current network and the proposed location of the firewall can be viewed in Figure 8.16.
260
Par t II
CONFIGURING AND TROUBLESHOOTING ISA SERVER SERVICES
A P P LY Y O U R K N O W L E D G E this is good and make the following changes, which stop the needless Internet calls and does not create any errors.
Required Result: Provide Internet access to employees. Allow access to the public Web server. Provide protection for private network from Internet based attack.
A. Disconnect the ISA Server from the Internet connection. B. Enter the names of internal servers in the Local Domain Table (LDT).
Optional Desired Results: Do not expose any information about the internal network.
C. Configure the internal servers to point to an external DNS server.
Limit employee access to the Internet to normal business hours.
D. Configure the internal computers to point to an internal DNS server.
Proposed Solution:
E. Configure the internal DNS server to forward to an external DNS server.
Install ISA Server where shown. Publish public Web server using publishing rules. Create protocol rule that allows access to Internet for all client requests. Configure alerting and monitoring.
6. Match the following dial-up errors in Table 8.6 with potential causes from Table 8.7. Put your answer in the third column of Table 8.6.
Evaluation of Proposed Solution: Which results (s) does the proposed solution produce? A. The proposed solution produces the required result but neither of the optional results. B. The proposed solution produces the required result and one of the optional results. C. The proposed solution produces the required result and both of the optional results. D. The proposed solution does not produce the required result. 5. The ISA Server is dialing the ISP even on the weekend when only you are in the office. You are not using the Internet at the time but are doing routine remote maintenance on internal server, databases, and client systems. You do not think
TABLE 8.6
DIAL-UP ERRORS

#    Error                                                       Possible Cause
1.   The event “upstream chaining credentials” is logged.
2.   Dial-out connections fail.
3.   Manual dial-out works, ISA automated doesn’t.
4.   Server hangs. No dialing activity.
5.   “The dial-up connection no-longer exists.”
TABLE 8.7
DEFAULT SECURITY GROUP FILE PERMISSIONS

Letter   Possible Cause
A.       Another service on the computer is using the connection.
B.       A computer user account is used when an ISP account should be.
C.       An ISP account name is used when a Windows account should be.
D.       ISA Server doesn’t have permission to use the connection.
E.       The modem and phone dial-up configuration may be incorrect.
F.       DNS lookup issue.
G.       Someone has removed the dial-up configuration in Control Panel, or it is corrupt.
Answers to Review Questions

1. Firewall chaining has not been configured. Even though this standalone computer is not chained to another, it is on the firewall-chaining property page that this information is configured, and there is also a check box there for using a dial-up connection. You must configure this page to allow SecureNAT and Firewall clients routing to the Internet. Web Proxy clients do not need this configuration. SecureNAT clients might be getting intermittent fulfillment as some requests can be retrieved from the cache. See the section, “Enable Dial-up Entry in Firewall Chaining Configuration.”

2. If active caching is enabled, the ISA Server will periodically make requests in order to refresh the cache. If DNS is not configured correctly, ISA Server may be making DNS lookup requests on the Internet unnecessarily. See the section, “Troubleshooting ISA Server Dial-up Connections.”

3. Establish Internet access at corporate headquarters. Install ISA Server at corporate headquarters and at each branch office. At corporate headquarters establish Internet connectivity and configure caching. Configure the branch office ISA Servers to dial up the corporate ISA Server when Internet access is required. Configure local caching. Configure site and content rules that restrict access times and types of access. Schedules will be checked before dial-up occurs. See the section, “Dial-on-demand Connections.”

4. Screen 1 shows clearly that the account used for the Dial-up Entry references the local Administrator, yet the dial-up scenario clearly indicates the dial-up is to an ISP. The account information necessary here refers to an account name and password that has been provided by the ISP, not a Windows 2000 account. Replace this information with the proper account name and password. See the section, “Configure Dialup Entries.”

5. The user credential in the demand dial interface must match the interface name of the connection it will dial. Thus the user credential in the DDBoston interface must be DDNewYork and vice versa. See the section, “Using RRAS for Dial-on-Demand Connections.”
Part II
CONFIGURING AND TROUBLESHOOTING ISA SERVER SERVICES
6. Check for proper static routes on the routers. Check for adequate DHCP resources or addresses for the router to use. Check the availability of resources on the other side of the network. See the section, “Using RRAS for Dial-on-Demand Connections.”

Answers to Exam Questions

1. C, D. It is possible that an alternative path exists; in fact, by installing Routing and Remote Access services on the ISA Server, this may be just what has happened. It is possible to misconfigure the server so that it now acts as a router, not a firewall. See the section, “Routing and Remote Access Server vs. ISA Server.”

2. A, B, C. If the dial-up configuration is incorrect (directing ISA Server to dial nonexistent devices, for example) and ISA is attempting to register some change to these devices or is stimulated into placing a call, then the system may hang. DNS lookups will cause ISA Server to dial out to the Internet needlessly. A large number of DNS lookups can overwhelm the modem and cause the system to hang. If the modem stops working, a large number of requests to use it can cause the system to hang. See the section, “Troubleshooting ISA Server Dial-Up Connections.”

3. D. Although installing ISA Server should provide some protection for the internal network, providing a static route to route traffic to the internal network so the public can get to the Web server has just turned ISA Server into a router. See the section, “Routing and Remote Access Service Versus ISA Server.”

4. B. Publishing the Web server using publishing rules allows Internet access to the public Web server while hiding the structure of the internal network. While allowing all types of client requests through might not be the best policy, nor create the best security, using ISA Server is affording some protection to the internal network. See the section, “Routing and Remote Access Service Versus ISA Server.”

5. B, D, E. If the ISA Server finds the name of a requested resource in the LDT, it will not do a DNS lookup. If internal resources can do name resolution on an internal DNS server, this prevents these name resolution requests from causing the ISA Server to dial out. See the section, “Managing and Limiting ISA Dial-Up Connections.”

6. See Table 8.8. Also see the section “Managing and Limiting ISA Dial-Up Connections.”
TABLE 8.8
DIAL-UP ERRORS

#    Error                                                       Possible Cause
1.   The event “upstream chaining credentials” is logged.        C.
2.   Dial-out connections fail.                                  E, A.
3.   Manual dial-out works, ISA automated doesn’t.               B.
4.   Server hangs. No dialing activity.                          F.
5.   “The dial-up connection no-longer exists.”                  G.
Suggested Readings and Resources

1. Karanjit S. Siyan, Windows 2000 Server Professional Reference, Chapter 18, “Remote Access Service and Routing,” New Riders, 2000; ISBN: 7357-0952-1.
2. Chapter 2, “Routing and Remote Access,” Windows 2000 Server Internetworking Guide (one book of the W2K Resource Kit), Microsoft Press, 2000; ISBN: 1-57231-805-8.
3. “Setting Network Configuration,” from ISA Server Online help.
CHAPTER 9
ISA Virtual Private Networks

OBJECTIVES
This chapter covers the following Microsoft-specified objectives for the Configuring and Troubleshooting ISA Server Services section of the Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server 2000 exam:

Configure and troubleshoot Virtual Private Network (VPN) access.

A Virtual Private Network (VPN) logically connects two physical networks across any number of other physical networks as if they were connecting directly in a point-to-point fashion. To the VPN endpoints the connection appears as if there is no network in between them, when in reality the data may be routed through many. Figure 9.1 illustrates this point by indicating both the physical path taken through multiple routers and the logical “VPN tunnel.” This construction, or tunnel, is often used to route data between two geographically separate parts of the same company, or between a remote worker and his office. Connections can be across leased lines, frame relay, or public networks such as the Internet. In most cases, but not in all, the data is also encrypted to protect its contents.

FIGURE 9.1 The VPN logical connection. (Diagram labels: VPN; endpoint 1, Snowflake; endpoint 2.)

Configure ISA server computers as a VPN endpoint without using the VPN wizard.

To some, the logical place for a VPN endpoint is on the firewall. ISA Server is easy to configure as a VPN endpoint. Two wizards can be used to configure a pair of endpoints that will then create a gateway-to-gateway demand-dial interface between two ISA Servers. Any data bound for the network behind the remote computer’s endpoint must traverse the tunnel and thus is protected by encryption and potentially other security practices.

The problem comes when the wizards fail, not because of a bug in the wizard, but because of our understanding of what the wizard is supposed to do. We may use wrong information or skip some steps, for example. The problem is that we are so reliant on the wizards, we can’t troubleshoot the problem. All we know is that it doesn’t work, but we haven’t a clue on where to start to fix it. If we have the knowledge and can create the VPN without using the wizards, we stand a better chance of making the connection work, and an even chance of troubleshooting problems that go wrong.

Configure the ISA Server computer for VPN pass-through.

If placing the VPN endpoint on a firewall is not the best solution for you, you may be placing a VPN endpoint behind the ISA Server firewall. To allow security protocols such as PPTP to pass through the firewall, you must create packet filters on the ISA Server to allow the protocols through.
OUTLINE
Introduction 269
Configuring VPN Endpoint for VPN Clients 269
  Using the VPN Allow Wizard 270
  Examining Wizard Results 270
  Making Additional Configurations 272
  Creating Client Connections and Testing the VPN 272
Configuring VPN Pass-Through 274
Configuring ISA Server as a VPN Endpoint 275
  Using the Wizard 275
    Local ISA VPN Wizard—Connection Receiver 276
    Remote ISA VPN Wizard—Connection Initiator 281
  Without the VPN Wizard 284
    Create PPTP Packet Filters 286
    Create Demand-Dial Interface 287
Configuring Microsoft Certificate Services 289
  Install and Configure Root CA 290
  Configure Enterprise Root CA 291
Configuring the L2TP over IPSec Tunnel 292
  Requesting Certificates from a Standalone CA 292
  Verifying Server Certificates 296
  The L2TP/IPSec VPN 297
Chapter Summary 298
Apply Your Knowledge 299
  Exercises 299
  Review Questions 300
  Exam Questions 301
  Answers to Review Questions 303
  Answers to Exam Questions 304
STUDY STRATEGIES
• If you do not understand the principles of a VPN, you need to start there first. Use some of the resources at the end of this chapter to gain more knowledge.
• Many first attempts at creating a VPN in the test lab fail, not because of a misunderstanding of VPNs, but because the tester does not understand IP routing. Be sure that you understand why static routes may be necessary, and how data is routed (or not) between three subnetworks where no routers are present.
• Read RFCs, Microsoft documentation, and other references for specific information about the protocols (PPTP and L2TP/IPSec) used by the ISA Server to create the VPN. Understanding the protocol’s intimate details is not necessary for setting up the VPN to work, but it does become helpful when troubleshooting why your implementation is not working.
• Read through this entire chapter before following the exercises.
• Complete the exercises. Make it work! Many people report large leaps in their understanding when they first can successfully retrieve data from the internal network on the opposite side of the tunnel.
INTRODUCTION PPTP VPN construction between two ISA Servers is a snap. Wizards create the packet filters, static routes, and other necessities. You can even create a file to send to your counterpart at another office. This file simplifies the creation of the matching endpoint. Even so, VPN creation can cause problems. The wise administrator will ensure her understanding of the technology behind the wizards. To do so, she will investigate fully the options available, research the technology, and create multiple VPN tunnels in a test lab. The areas to be investigated include:
• Configure VPN endpoint for VPN clients
• Configure VPN pass-through
• Configure ISA Server as a VPN endpoint
• Configuring Microsoft certificate services
• Configuring the L2TP over IPSec tunnel
CONFIGURING VPN ENDPOINT FOR VPN CLIENTS
Configure and troubleshoot Virtual Private Network (VPN) access.
Many offices have remote access requirements. Traveling salespeople, employees who are out-of-town on business, telecommuters, and others may occasionally or consistently connect to the office network. Connections may be dial-up or across the Internet; regardless, these connections need to be secured. Configuring the ISA Server as a VPN endpoint to allow client connections can do this. There are four parts to the process:
• Running the wizard
• Inspecting results
• Completing specifics for your organization
• Testing the VPN connection
Using the VPN Allow Wizard
To run the wizard, follow the steps in Step by Step 9.1.

STEP BY STEP 9.1 Setting ISA Server to Allow VPN Client Connections
1. Right-click Servers and Arrays\name\Network Configuration.
2. Click Allow VPN Client Connections.
3. On the Wizard Intro page, click Next.
4. On the End Wizard page, click the Details button to view what the setup will do (see Figure 9.2).
5. Click Back, then click Finish.
6. A pop-up message about starting the Routing and Remote Access Service appears (see Figure 9.3). Click Yes.
7. Examine the interface and add any requirements for IP address pools, static routes, and additional security.

FIGURE 9.2 Examining the Details page.
FIGURE 9.3 Start RRAS?

Examining Wizard Results
Next up: examine the results. Running the wizard accomplishes the following:
• Enables and configures RRAS as a VPN server.
• Enforces secure authentication and encryption methods.
• Opens static packet filters to all PPTP and L2TP over IPSec protocols.
• Creates ports to which clients can connect. The number of ports available can be increased.
It is a good idea to examine RRAS and the ISA Server Management consoles to verify the results. To examine the authentication and encryption methods, open the Properties page of the RRAS server. The security tab indicates the default of Windows Authentication. Clicking the Authentication Methods button displays the default choices of MS CHAP v2 and MS-CHAP. You can make adjustments here if other protocols, such as EAP (to allow smart card authentication), are required. While you are in the RRAS console, check to see that PPTP and L2TP/IPSEC ports are created. To verify packet filters, visit the ISA Server\Servers and Arrays \name\Access Policy\IP Packet Filters folder of the ISA Management Console. The wizard adds four packet filters. Table 9.1 defines them. You will create similar packet filters for VPN gateway connections, but they will specifically identify the Local and Remote computers.
TABLE 9.1
VPN CLIENT CONNECTION PACKET FILTERS

Allow L2TP protocol IKE packets
  Filter Type: UDP protocol number 17; port 500; both directions
  Local Computer: Default IP address on external interface
  Remote Computer: All remote computers

Allow L2TP protocol packets
  Filter Type: UDP protocol number 17; port 1701; both directions
  Local Computer: Default IP address on external interface
  Remote Computer: All remote computers

Allow PPTP protocol packets (client)
  Filter Type: Predefined filter: PPTP call; protocol 47
  Local Computer: Default IP address on external interface
  Remote Computer: All remote computers

Allow PPTP protocol packets (server)
  Filter Type: Predefined filter: PPTP receive; protocol 47
  Local Computer: Default IP address on external interface
  Remote Computer: All remote computers
Making Additional Configurations The wizard does not do several areas of VPN configuration and you may have to manually complete the job. These are
• Static routes. You may need to configure RRAS static routes to allow external VPN clients to connect to internal resources.
• Tighter authentication protocols. You may want to specify different, or additional, authentication protocols.
• IP address range. The IP Property page of the RRAS server can be used to configure a range of IP addresses for connecting clients to use.
• Additional ports may be required.

For more specifics on how to complete these chores, see the Step by Steps in the “Without the VPN Wizard” section later in this chapter.
Creating Client Connections and Testing the VPN To test the VPN endpoint, configure a client system to connect to the VPN endpoint and test it. Configure the client using Step by Step 9.2.
STEP BY STEP 9.2 Configure the VPN Client
1. Open Network and Dial-Up Connections.
2. Double-click Make a New Connection.
3. Click Next and select Connect to a Private Network Through the Internet. Click Next.
4. If you have a modem on this system, you will be provided with a dialog box showing dial-up connections. Select Do Not Dial the Initial Connection and click Next.
5. Type the IP address of the ISA Server and click Next.
6. Click For All Users or Only For Myself (depending on who will be authorized to use this connection on this computer) and click Next. If you select For All Users, you will get a dialog box asking you if you want to select Enable Internet Connection Sharing for This Connection.
7. Type a name for the new connection and click Finish.
8. On the Connect Virtual Private Connection window, enter your password and click Connect. A pop-up message confirms your connection (see Figure 9.4).
FIGURE 9.4 Connecting.
9. When the connection is made, click My Network Places and browse the Windows network. It is a good idea to have a share prepared on an internal system to test the connection. If you can connect to the share, the VPN is working (see Figure 9.5).
Be sure to use the ipconfig command to see the address assigned to the client computer on the network inside the ISA Server (see Figure 9.6). You can also see this number from the ISA Server by examining the open port in Routing and Remote Access (see Figure 9.7).
FIGURE 9.5 Opening a share.
FIGURE 9.6 Identifying the assigned client IP address.
CONFIGURING VPN PASS-THROUGH
Configure the ISA Server computer for VPN pass-through.

If the ISA server will not be the VPN endpoint, or if internal clients need to connect to external VPN endpoints, you must create packet filters that allow these protocols to pass through the ISA server. You might also want to create specific site and content rules and protocol rules to restrict their use. To create VPN pass-through for PPTP (SecureNAT PPTP Packet Filter, see Figure 9.8), follow Step by Step 9.3.

STEP BY STEP 9.3 PPTP VPN Pass-Through
1. Right-click Servers and Arrays\name\Access Policy\IP Packet Filters.
2. Select Properties.
3. Click the PPTP tab.
4. Check the box for PPTP Through ISA Firewall (see Figure 9.9).
5. Click OK.

FIGURE 9.7 Checking RRAS open ports.
CONFIGURING ISA SERVER AS A VPN ENDPOINT
Now that you have an idea of the packet filters that need to be configured, and know some of the RRAS-side configuration issues for VPNs, it’s time to tackle setting up a VPN gateway by using two ISA Server firewalls. Although the stated objective is to do so without using the ISA wizard, using the wizard a time or two will help you define the steps you will need to take to create the VPN gateway without the wizard.
Using the Wizard
Using the wizard appears straightforward, but you should understand a few things. Using the Local wizard prepares a file that must be used when running the remote wizard. However, the use of this file to configure the remote gateway is not the only way to configure the VPN. Just as you can configure the VPN gateways, bit by bit, without the wizard, so you can use the Local ISA VPN Server wizard on both gateway computers and make the connection work. You may have to do a little extra preparation, and you run the risk of making an incorrect entry, but this may be easier than figuring out how to securely share the file produced by the local computer wizard. Preparing and sharing the file assures that user accounts and static route information are transferred correctly. When you load a file, there is less opportunity to make typos. Also, the password for the user account used in the connection is generated by the wizard and remains unknown to the setup person.

However, the wizard cannot anticipate your specific VPN needs. Several configuration items, if left to defaults, may not work in your environment. Finally, using the wizard makes configuration changes in the ISA Management console, as well as in Routing and Remote Access. To understand what the wizard has done, you must investigate both.

FIGURE 9.8 SecureNAT PPTP filter.
FIGURE 9.9 PPTP pass-through.
To use the wizard, follow this three-step process:
1. Configure the local endpoint using the Local ISA VPN Wizard (see Step by Step 9.4).
2. Transfer the file to the remote ISA Server.
3. Use the file to configure the remote endpoint using the Remote ISA VPN Wizard (see Step by Step 9.5).
Local ISA VPN Wizard—Connection Receiver To start the VPN endpoint configuration process, run the Local ISA VPN Wizard (see Step by Step 9.4). This wizard attempts to define the interfaces for parts of both connections and ends by producing a file that can be loaded on the remote endpoint to produce the remote endpoint. By default, it becomes the connection receiver, that is, only the Remote VPN Server can initiate the call. This would be appropriate in situations where branch offices use dial-up lines to periodically tunnel to corporate headquarters, but corporate headquarters never needs to start the process. You can complete an additional page in the wizard, however, to define both local and remote endpoints as connection initiators.
STEP BY STEP 9.4 Set Up Local ISA VPN Server
1. Right-click on the \Servers and Arrays\name\Network Configuration folder and select Set Up Local ISA VPN Server.
2. On the first page, click Next.
3. Click OK on the pop-up Routing and Remote Access Service Must Be Started.
4. Name the VPN connection by entering a name for the local connection and a name for the remote connection and clicking Next. The names are joined with an underscore to form a name for the demand-dial connection object that will be created in RRAS (see Figure 9.10).
FIGURE 9.10 Naming the connection.
5. Select a protocol, either PPTP or L2TP over IPSec (see Figure 9.11), and click Next. You will have to configure a Certificate Authority or otherwise obtain certificates to set up L2TP over IPSec; however, most agree that L2TP over IPSec is a more secure protocol (see the section “Configuring Microsoft Certificate Services”).
FIGURE 9.11 Selecting the protocol.
6. If you want both computers to be able to initiate the connection, enter the fully qualified domain name or IP address of the remote computer, as well as its computer or domain name (see Figure 9.12). Click Next.
7. Enter a range of addresses that will be accessible at the remote machine (see Figure 9.13). A static route that includes this address range will be created automatically. Click Next.
FIGURE 9.12 Setting both computers as connection initiators.
FIGURE 9.13 Setting the remote computer range of addresses.
8. Select the address range that will be accessible to the remote VPN endpoint (see Figure 9.14). The entire LAT is displayed. Remove any address ranges that you do not want made available. When the remote VPN endpoint is configured, a static route will be defined using the entries here. Click Next.
9. Browse to a location to store the .vcf file. This file contains the configuration information necessary to configure the remote VPN endpoint using the Remote wizard.
10. Enter a password and confirm (see Figure 9.15). This password will be used to encrypt the configuration file. The administrator installing the remote VPN will need this password to unlock the file during the installation process. Click Next.
FIGURE 9.14 Set range available on local.
FIGURE 9.15 Configure the file.
11. View the configuration details by clicking the Details button. When you are done, click the Back button and then click Finish.
Before proceeding to the remote computer to install the remote gateway, examine the changes made on the local ISA Server. You will want to examine three areas:

• Computer Management\Users and Groups\Users. Note that a new user has been added with the name of the interface created by the wizard. This new user is configured with Allow Dial-Up Access and Password Never Expires. The User Must Change Password At Next Logon check box has been cleared. The wizard assigns a strong password to this account and transfers that information to the VPN file.
• Routing and Remote Access. A demand-dial interface is created and named with the interface name created in Step 4 (see Figure 9.16). Inspect the demand-dial interface properties to verify that the remote computer’s IP address is correctly configured. Check the options and see that no callback has been configured. Security is configured behind the Advanced button (see Figure 9.17). Note that in the drop-down box mandatory data encryption is selected.
• ISA Server Management Console. Packet filters for PPTP and/or IPSec have been created. Examine each packet filter to see that the appropriate local computer address (the external IP address of the local ISA Server) and the remote computer address (the external IP address of the remote ISA Server) have been entered (see Figures 9.18 and 9.19).
FIGURE 9.16 Demand-dial connections.
FIGURE 9.17 Advanced options.
FIGURE 9.18 Local computer.
FIGURE 9.19 Remote computer.
Remote ISA VPN Wizard—Connection Initiator
After the local ISA Server VPN is configured, the file created during the process can be used to configure the remote ISA Server VPN endpoint (see Step by Step 9.5). The file is encrypted, so be sure to give the administrator on the other end the password used to encrypt the file.
STEP BY STEP 9.5 Set Up Remote ISA VPN Server
1. Transfer the file produced by the Set Up Local ISA VPN wizard to the remote ISA Server computer.
2. Right-click the \Servers and Arrays\name\Network Configuration folder and select Set Up Remote ISA VPN Server.
3. Click Next on the Wizard Start screen.
4. If the Routing and Remote Access Service start-up notice appears, click OK.
5. Browse to the location of the .vpc file transferred in Step 1. Type the password and click Next (see Figure 9.20).
6. Enter the destination address of the local computer.
7. Enter the IP address and domain name or computer name of the local ISA Server computer. Click Next.
8. View the Details and then click Finish (see Figure 9.21).

FIGURE 9.20 Finding the file.

Make the same inspections carried out after running the Local Wizard. Note that things aren’t exactly the same, but follow the same pattern. Be sure to inspect the user account, packet filters, and RRAS demand-dial settings (see Figure 9.22).
FIGURE 9.21 Viewing the results.
FIGURE 9.22 Inspecting the user account.
Now you can test the connection by forcing a connection, and by using a client on the private network of the local computer, to access remote resources behind the ISA Server. First, go to the RRAS interface, click on the IP Routing node, and click Connect. After a few seconds, the “connecting” message box closes and the demand-dial interface will show that it is connected (see Figure 9.23). Next use a regular client on the inside of the remote ISA Server to access a resource made available behind the local ISA server. You should be able to access resources that are made available to you. To see the assignment of IP addresses for the remote client, inspect the port interface on the local ISA Server and you may also see this information by issuing ipconfig /all on the ISA Servers (see Figure 9.24).
FIGURE 9.23 Success!
FIGURE 9.24 Finding port assignment info.
EXAM TIP
Duplicate Networks. When establishing private network addressing for branch offices, do not use the same network address at different locations. When a VPN tunnel is created between the two locations, the ISA Server will consider the destination address to be on its own internal network and never transfer the request across the tunnel.
Without the VPN Wizard Configure ISA server computers as a VPN endpoint without using the VPN wizard.
Configuring ISA Server VPN gateways by using the wizards and examining the ISA Server and RRAS interfaces created illustrates the areas that must be configured to reproduce the same results without using the wizards. You must configure user accounts, ISA Server packet filters, and Routing and Remote Access demand-dial interfaces. Follow the steps in Step by Step 9.6 to complete this task. It uses the same terms, local ISA Server and Remote ISA Server, that the wizards do to describe the endpoints. Table 9.2 lists the configuration information needed for each VPN endpoint. It presumes the IP addresses listed for internal and external interfaces on the two ISA Server systems. You will have to change these addresses where necessary to match your setup. Figure 9.25 illustrates the two networks. If you want to configure two ISA Servers for testing purposes, either be sure to configure routing between the two external interfaces, or place them on the same logical network.
FIGURE 9.25 The ISA VPN tunnel. (Diagram: Snowflake, internal interface 192.168.5.50, external interface 208.156.183.178, with internal client 192.168.5.15; Angel, internal interface 192.168.2.50, external interface 208.156.195.178, with internal client 192.168.2.25.)
Chapter 9
TABLE 9.2 CONFIGURATION DATA FOR VPN ENDPOINTS

Data                                                   Local VPN Endpoint                         Remote VPN Endpoint
-----------------------------------------------------  -----------------------------------------  -----------------------------------------
Internal Interface                                     192.168.5.50                               192.168.2.50
External Interface                                     208.156.183.178                            208.156.195.178
Computer Name                                          Snowflake                                  Angel
Range of remote computer addresses                     192.168.2.0–192.168.2.255 (both endpoints)
  available to local computer
Range of local computer addresses                      192.168.5.0–192.168.5.255 (both endpoints)
  available to remote computer
Protocol                                               PPTP (both endpoints)
Static Route — network                                 192.168.2.0                                192.168.5.0
Interface                                              Snow_Angel                                 Angel_Snow
User account created                                   Snow_Angel                                 Angel_Snow
Credentials used in dial-up                            Angel_Snow                                 Snow_Angel
Packet filter PPTP call                                Local computer: default external           Local computer: default external
                                                       interface. Remote computer:                interface. Remote computer:
                                                       208.156.195.178                            208.156.183.178
ISA VIRTUAL PRIVATE NETWORKS
STEP BY STEP 9.6 Setting Up ISA Server VPN Gateways
1. Create user accounts on each ISA Server. Apply strong passwords.
2. Create the PPTP Call packet filter (see Step by Step 9.7) on the Local computer. Identify the remote computer by using the external interface of Angel.
3. Create the PPTP Receive packet filter (see Step by Step 9.7) on the Local computer. Identify the remote computer by the external interface of Angel.
4. Create the PPTP Call packet filter on the Remote computer. Identify the remote computer by using the external interface of Snowflake.
5. Create the PPTP Receive packet filter on the Remote computer. Identify the remote computer by the external interface of Snowflake.
6. Create the demand-dial interface (see Step by Step 9.8) on the local computer.
7. Create the demand-dial interface on the remote computer.
Create PPTP Packet Filters

You must create packet filters for the protocol being used in the VPN tunnel (see Step by Step 9.7). In this example, because PPTP was selected, the steps for configuring the PPTP Call and PPTP Receive packet filters are outlined.
STEP BY STEP 9.7 Creating PPTP Packet Filters
1. In the ISA Server Management console, right-click on Arrays and Servers\name\Access Policy\IP Packet Filters.
2. Click New, and then select Filter.
3. Enter a name for the IP packet filter and click Next.
4. Leave Allow Packet Transmission checked and click Next.
5. Click the Predefined radio button and select PPTP call from the drop-down list. Click Next.
6. Select the Apply This Packet Filter to This ISA Server’s External Address radio button and enter the address of the interface.
7. On the Remote Computers page, select the Only This Remote Computer button and fill in the IP address. Click Next.
8. Review the configuration and click Finish.
9. Repeat Steps 1–8 for the PPTP Receive packet filter.
10. Repeat, and create both packet filters on the remote ISA Server.
Create Demand-Dial Interface A demand-dial interface must be created on each ISA Server (see Step by Step 9.8). Each interface also requires a static route.
STEP BY STEP 9.8 Creating the Demand-Dial Interface
1. Open the Routing and Remote Access console.
2. Right-click on Routing and Remote Access\server status\Local Server and click Configure and Enable Routing and Remote Access.
3. The Setup Wizard begins. On the Common Configurations page DO NOT SELECT Virtual Private Network (VPN) Server. Instead, select Manually Configured Server. Click Next.
4. Click Finish.
5. At the “Routing and Remote Access Service Has Now Been Installed. Do You Want to Start the Service?” pop-up, click Yes.
6. When the wizard completes, the RRAS server shows a green arrow indicating the service has been started. Right-click Routing and Remote Access\name\Routing Interfaces and select New Demand-Dial Interface. Click Next.
7. Select a name for the interface. A good name is the name of the remote ISA Server. Click Next.
8. On the Connection Type page, click Connect Using Virtual Private Networking (VPN). Click Next.
9. On the VPN Type page, select Point to Point Tunneling Protocol (PPTP). Click Next.
10. Enter the IP address (or name) of the remote ISA Server. Click Next.
11. On the Protocols and Security page, check Route IP Packets On This Interface and Add a User Account So a Remote Router Can Dial In. Click Next.
12. On the Dial-In Credentials page, enter a password for the account. (Note that the name of the interface is used for the account name.) Click Next.
13. On the Configure the User Name and Password to Be Used When Connecting to the Remote Router page, enter the username, domain (or computer name if the computer is not joined to a domain), password, and confirm password. Remember to record this name and use it to identify the remote demand-dial interface when configuring it. Click Next. Click Finish.
14. If you will be using an internal DHCP server to supply addresses for connecting clients, configure the DHCP Relay Agent on the external interface. The DHCP Relay Agent is used to route DHCP client requests and responses between DHCP clients and DHCP servers on different IP networks. (If the DHCP Relay Agent folder is absent, it can be added by selecting New Routing Protocol after right-clicking the IP Routing\General folder.)
15. If you will be using the demand-dial interface to hand out IP addresses, add the range of addresses to be used to the IP properties of the Routing and Remote Access server.
16. If necessary, add a static route by right-clicking on the IP Routing\Static Routes folder and filling in the Static Route dialog box. The interface should be the demand-dial interface you just created, and the IP address range should complement the internal network. In the example, the address range is chosen as the part of the internal addresses made available to the other side of the tunnel: the 192.168.5.0 network on one interface, and the 192.168.2.0 network on the other.
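The following Python script is an added example, not material from the book or from ISA Server: it encodes the Table 9.2 data for Snowflake and Angel and cross-checks the settings that Step by Step 9.6 through 9.8 leave to the administrator when the wizards are not used (distinct private networks per the Duplicate Networks exam tip, a static route to the peer’s network, crossed dial-in credentials, and packet filters that name the peer’s external interface). The Endpoint fields, the check functions, and the duplicate-network scenario are this example’s own constructions.

```python
"""Cross-check the hand-built configuration of two ISA Server VPN endpoints.

Added example, not from the book: it encodes the Table 9.2 data for the
Snowflake/Angel tunnel and checks the cross-references that Step by Step 9.6
through 9.8 leave to the administrator. All names here are this example's own.
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Endpoint:
    name: str              # computer name
    internal_ip: str       # address on the internal interface
    internal_net: str      # private network behind this endpoint (CIDR)
    external_ip: str       # address on the external interface
    interface: str         # demand-dial interface name; RRAS creates the dial-in
                           # user account with the same name (Step by Step 9.8)
    dial_credentials: str  # account name presented when dialing the peer
    static_route_net: str  # destination network of the static route (CIDR)
    filter_remote_ip: str  # "Only This Remote Computer" address on the PPTP
                           # Call and Receive packet filters (Step by Step 9.7)
    protocol: str = "PPTP"


def check_direction(local: Endpoint, remote: Endpoint) -> list[str]:
    """Return the mistakes found in `local` when it is paired with `remote`."""
    problems = []
    local_net = ip_network(local.internal_net)
    remote_net = ip_network(remote.internal_net)

    # Exam tip "Duplicate Networks": the same private network at both sites
    # makes ISA Server treat remote addresses as local, so nothing uses the tunnel.
    if local_net.overlaps(remote_net):
        problems.append(f"{local.name}: internal network {local_net} overlaps "
                        f"{remote.name}'s {remote_net}")

    # The internal interface address has to belong to the network it serves.
    if ip_address(local.internal_ip) not in local_net:
        problems.append(f"{local.name}: internal address {local.internal_ip} "
                        f"is not in {local_net}")

    # Step by Step 9.8, step 16: the static route on the demand-dial
    # interface must point at the network on the far side of the tunnel.
    if ip_network(local.static_route_net) != remote_net:
        problems.append(f"{local.name}: static route to {local.static_route_net} "
                        f"does not match {remote.name}'s network {remote_net}")

    # Credentials cross over: the account this side dials with is the one
    # created on the peer, whose name is the peer's interface name.
    if local.dial_credentials != remote.interface:
        problems.append(f"{local.name}: dials with '{local.dial_credentials}' but "
                        f"{remote.name}'s account is '{remote.interface}'")

    # Step by Step 9.6: both PPTP filters identify the peer's external interface.
    if local.filter_remote_ip != remote.external_ip:
        problems.append(f"{local.name}: packet filters allow {local.filter_remote_ip}, "
                        f"but {remote.name}'s external interface is {remote.external_ip}")

    # Both ends of the tunnel must agree on the tunnel protocol.
    if local.protocol != remote.protocol:
        problems.append(f"{local.name}: protocol {local.protocol} differs from "
                        f"{remote.name}'s {remote.protocol}")
    return problems


def check_tunnel(a: Endpoint, b: Endpoint) -> list[str]:
    """Check both directions of a gateway-to-gateway tunnel."""
    return check_direction(a, b) + check_direction(b, a)


# The two endpoints exactly as listed in Table 9.2.
SNOWFLAKE = Endpoint(name="Snowflake", internal_ip="192.168.5.50",
                     internal_net="192.168.5.0/24", external_ip="208.156.183.178",
                     interface="Snow_Angel", dial_credentials="Angel_Snow",
                     static_route_net="192.168.2.0/24",
                     filter_remote_ip="208.156.195.178")
ANGEL = Endpoint(name="Angel", internal_ip="192.168.2.50",
                 internal_net="192.168.2.0/24", external_ip="208.156.195.178",
                 interface="Angel_Snow", dial_credentials="Snow_Angel",
                 static_route_net="192.168.5.0/24",
                 filter_remote_ip="208.156.183.178")

# Constructed misconfiguration in the spirit of Review Question 4: the remote
# office reuses the 192.168.5.0 network, so the tunnel connects but no
# resource on the far side can be reached.
ANGEL_DUPLICATE = Endpoint(name="Angel", internal_ip="192.168.5.25",
                           internal_net="192.168.5.0/24", external_ip="208.156.195.178",
                           interface="Angel_Snow", dial_credentials="Snow_Angel",
                           static_route_net="192.168.5.0/24",
                           filter_remote_ip="208.156.183.178")

if __name__ == "__main__":
    for label, peer in (("Table 9.2", ANGEL), ("duplicate network", ANGEL_DUPLICATE)):
        print(f"== {label} ==")
        for line in check_tunnel(SNOWFLAKE, peer) or ["no problems found"]:
            print(" ", line)
```

Running the script reports no problems for the Table 9.2 pair and three for the duplicate-network pair: the overlap seen from each side, plus Snowflake’s static route no longer matching the peer’s network.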
CONFIGURING MICROSOFT CERTIFICATE SERVICES

NOTE: Protect Yourself. You will want to protect the Certificate Server that you configure, as its certificates guarantee security between your tunnel endpoints. If someone were able to compromise the CA, your tunnel would no longer be protected. For help in determining how to secure the Certificate Server, see the resources listed at the end of this chapter.

It’s all well and good to limit our activities to the PPTP protocol to learn the steps to creating VPN endpoints on ISA Server. But what about L2TP/IPSec? Setting up VPN tunnels to use this high-security protocol is not that difficult once you understand that certificates must be available for each server that will be an endpoint. You may obtain the certificates from a third party, or create them by using Microsoft Certificate Services. Using Microsoft Certificate Services for this purpose is a good decision. Certificate Services is an optional component of the Windows 2000 Server and Advanced Server configuration. If you do not have an existing public key infrastructure, you must first install Certificate Services and create a Certificate Authority (CA) to obtain certificates for tunnel endpoints. You have two choices:
• Install a Standalone Root CA, create certificates, and install them on tunnel endpoints.
• Install an Enterprise Root CA, and configure it to automatically provide server certificates for the VPN endpoints.

The different models of CAs are specified because the standalone CA can be used in an environment where no Active Directory domains exist, whereas the Enterprise CA requires Active Directory.
Install and Configure Root CA

Installing and configuring a Root CA is a straightforward process. A Windows 2000 Active Directory is not required for a standalone CA, but a Windows 2000 Server or Advanced Server and IIS 5.0 are. Follow Step by Step 9.9 to install either CA. You will request and install certificates in the section, “Configuring the L2TP over IPSec Tunnel.” The section, “Configure Enterprise Root CA,” describes how to auto-enroll servers joined to an Active Directory domain.
STEP BY STEP 9.9 Install the Root CA
1. Double-click the Control Panel’s Add/Remove Programs.
2. Click Add/Remove Windows Components.
3. Select Certificate Services and click Yes on the name/change warning box. Click Next.
4. To install a standalone root CA, click Standalone Root CA. Or, to install an Enterprise root CA, click Enterprise Root CA.
5. Fill in the blanks by entering the name you have chosen for the CA and other information. You cannot change this information after setup (see Figure 9.26).
6. Specify the validity duration for the root CA (Valid For text box). This is the length of time this CA can create valid certificates. It can be renewed. This impacts the life of any certificates it produces. Click Next.
7. Specify storage locations for the certificate database, shared folder, and database log. Click Next.
8. If the message box that indicates the WWW service will be stopped appears (IIS is already running), click OK. Click Finish.
Configure Enterprise Root CA An Enterprise Root CA can be configured to automatically enroll (provide with a certificate) servers. If servers being used as VPN endpoints are joined in the domain, these certificates can be used during L2TP tunnel endpoint authentication. To configure the CA to automatically enroll servers, follow Step by Step 9.10.
STEP BY STEP 9.10 Configure the CA to Automatically Supply Server Certificates
1. Open Active Directory Users and Computers.
2. Right-click the domain name where the CA is installed and click Properties.
3. Select the Group Policy tab and Edit the Default Domain Group Policy.
4. Right-click Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Automatic Certificate Request Settings and click New, then Automatic Certificate Request, and then click Next.
5. Select Computer in Certificate Templates. Click Next.
6. Click your CA, and then click Next.
7. Click Finish.
8. Close all windows.
9. At a W2K command prompt type secedit /refreshpolicy machine_policy

FIGURE 9.26 Identifying the CA.

NOTE: Kicking Group Policy Into Gear. Although Group Policy refreshes periodically during the day when changes are made, if you want to push new policies ahead a little, it is a good idea to use the secedit /refreshpolicy command.
CONFIGURING THE L2TP OVER IPSEC TUNNEL
If you have certificate services available, you can now configure the L2TP over IPSec VPN Tunnel. The first step is to obtain certificates for the server. If you have an Enterprise CA in your Active Directory domain and have configured it to auto-enroll servers, then this is done for you. Be sure that Group Policy has replicated throughout the domain, and the endpoint servers have obtained their certificates before proceeding. If you do not have an Enterprise CA, you can request certificates from a standalone CA and install them manually (see Step by Step 9.11). You can check on the existence of a certificate on a server by using Step by Step 9.12. Finally, in either case, use Step by Step 9.13 to change your PPTP VPN to L2TP/IPSec.
Requesting Certificates from a Standalone CA

A standalone CA cannot auto-enroll a server. You must request certificates from the CA for each endpoint using a Web form. The server certificate is then placed in the server’s certificate store\Personal\Certificates folder. You must also acquire a copy of the CA certificate and place it in the VPN endpoint machine’s certificate store\Trusted Root Certification Authorities folder. Doing this allows the endpoint to find a trust path for the certificate issued to the other endpoint. (Each server must have its own certificate and the issuing CA’s certificate.) The issuing CA’s signature on the server certificate, made with the CA’s private key, can be verified by using the public key provided with the CA certificate.
STEP BY STEP 9.11 Requesting Server Certificates
1. On the VPN endpoint computer, open Internet Explorer and enter the following address: http://servername/certsrv
2. On the Welcome page (see Figure 9.27) select Request a Certificate, and click Next.
3. On the Choose Request Type page, select Advanced Request, and click Next.
4. Select Submit a Certificate Request to This CA Using a Form. Click Next.
5. Complete the Advanced Certificate Request (see Figure 9.28), including selecting the Intended Purpose as Server Authentication certificate. Click Submit.
6. The Certificate Pending notice alerts you to wait for administrative approval and return to the Web site later.
7. Leave the browser open and open the Certification Authority console.
8. Click the Pending Requests folder.
9. Right-click the request you entered through the browser (see Figure 9.29) and select All Tasks\Issue. The request disappears from the Pending folder and reappears in the Issued Certificates folder.
10. Close the Certification Authority console, switch to the Web browser, and revisit http://servername/certsrv.
11. From the Welcome page, select Check on a Pending Certificate. Click Next.
12. Select the certificate request and click Next.
13. Click the Install This Certificate statement to install the certificate. Close the Web browser.
FIGURE 9.27 Requesting a certificate.
FIGURE 9.28 Filling out an advanced certificate request.
FIGURE 9.29 Finding the pending request.
STEP BY STEP 9.12 Obtaining the CA Certificate for Trust
1. On the VPN endpoint computer, open Internet Explorer and enter the following address: http://servername/certsrv
2. On the Welcome page select Retrieve the CA Certificate or Certificate Revocation List and click Next.
3. Click Install This Certification Path.
4. Click Back.
5. Under Choose File to Download, select the CA certificate, and click Download CA Certificate.
6. Click Open This File From Its Current Location, and then click OK.
7. Click Install Certificate. Click Next.
8. Select Automatically Select the Certificate Store Based on the Type of Certificate. The certificate is installed. Click Finish and click OK twice.
9. Close Internet Explorer.

WARNING: Beware! You must visit the certsrv Web site within 10 days to retrieve the certificate, and you must use the same browser.
Verifying Server Certificates In either case, whether you use auto-enrollment or Web requested certificates, you should verify the existence of a certificate.
STEP BY STEP 9.13 Verifying Server Certificates
1. On the VPN endpoint computer, open an MMC console and use Add/Remove Snap-in to add the Certificates snap-in.
2. When the This Snap-In Will Always Manage Certificates For: dialog box opens, click the Computer Account radio button and click Next (see Figure 9.30).
3. On the Select Computer dialog box, choose Local Computer. Click Finish. Click Close. Click OK.
4. Expand the Certificates node, and right-click Certificates\Personal. A server certificate from the CA should be present. Examine the certificate to confirm that it can be used to authenticate the tunnel endpoint (see Figure 9.31).
5. Close the Certificates console.

FIGURE 9.30 Opening the certificates console for the local computer.

FIGURE 9.31 Locating the certificate.
The L2TP/IPSec VPN After certificates have been obtained, the VPN can be configured to use L2TP over IPSec. Step by Step 9.14 assumes that you have created the VPN endpoint to use PPTP and just need to modify it to use IPSec.
STEP BY STEP 9.14 Creating the L2TP/IPSec VPN
1. Open Routing and Remote Access Services.
2. Right-click servername\IP Routing\Routing Interfaces\demand dial interface.
3. Click Properties.
4. On the Networking tab, select the Type of VPN Server I Am Calling drop-down box and select Layer 2 Tunneling Protocol (L2TP) (see Figure 9.32).
5. Click OK.
6. Configure packet filters for L2TP.
FIGURE 9.32 Selecting L2TP.
CHAPTER SUMMARY

KEY TERMS
• Virtual Private Networks (VPNs)
• VPN endpoint
• Gateway-to-gateway demand-dial interface
• VPN pass-through
• Microsoft Certificate Services
• Certificate Authority (CA)
• Public Key Infrastructure (PKI)
• Point-to-Point Tunneling Protocol (PPTP)
• Layer 2 Tunneling Protocol over IP Security (L2TP/IPSec)
• Connection Initiator
• Connection Receiver
• Root CA
• Certificate
• Standalone CA
• Enterprise CA
There are many choices to make to complete the installation of a Virtual Private Network. ISA Server makes the configuration of the endpoints quick and painless. It also configures packet filters depending on the protocols chosen. The real issues become understanding why you are doing the configuration and how to do it without compromising security.
APPLY YOUR KNOWLEDGE

Exercises

9.1 Configure Two ISA Servers as VPN Tunnel Endpoints

As simple as the configuration of VPNs on ISA Server may be, putting together a tunnel can be a frustrating experience for the unwary. The best way to understand the details that must be configured is to do so in a controlled environment. It is far easier to adjust settings on two computers in the same room than it is to do so across the Internet.

Estimated Time: 30 minutes
1. Establish two ISA Server computers on different physical networks with a third network between them. Be sure at least one client machine is available for testing, on the internal network of the ISA Server. This is easy to do with two network cards in each ISA Server and three hubs. For an example arrangement, refer to Figure 9.25.
2. On ISA Server 1, run the Set Up Local ISA VPN Server wizard. Be sure to save the file.
3. On ISA Server 2, use the file created in Step 2 and run the Set Up Remote ISA VPN Server Wizard.
4. In Routing and Remote Access\servername\Routing Interfaces on ISA Server 2, select the demand-dial connection object and click Connect.
5. Test the VPN by using the client computer on one ISA Server’s internal network to access a resource on the other ISA Server’s internal network.
6. After you have been successful, remove the configuration information entirely and attempt to establish a VPN connection without using the wizards.

NOTE: Address Pools? For the client to be able to reach resources on the other side of the tunnel, you may need to configure a static address pool if DHCP is not available. This is done on the IP Properties page of the Routing and Remote Access Server (see Figure 9.33).

FIGURE 9.33 Creating static address pools.
Review Questions
1. You have enabled ISA Server as a VPN endpoint so that clients can connect using VPN client software. You would like to ensure even tighter security on those connections. What options do you have?
2. In a discussion on a public discussion group, Sam insists that “real” geeks don’t use wizards and attacks Nancy for championing the VPN wizards provided by ISA Server. Sam claims that by not using wizards he is actually making his VPN connection more secure. Is this true? Why or why not?
3. Examine the RRAS interface and diagrams in Figures 9.33, 9.34, and 9.35. When this interface is used to connect a VPN tunnel with another RRAS interface across the Internet, the connection is successful but users from the New York office cannot access resources in the Pittsburgh office. Can you determine why?
4. Examine the diagram in Figure 9.36. Assume the actual setup of the VPN endpoints used this information and completed successfully (a connection can be established). However, resources on the opposite side of the VPN tunnel cannot be reached. What’s wrong?
5. Explain the process necessary to configure your ISA Server computers to use L2TP/IPSec tunnels.
6. Can third-party certificates be used to establish ISA Server L2TP/IPSec tunnels?

FIGURE 9.34 Question 3.

FIGURE 9.35 Question 3.
FIGURE 9.36 Question 4. (Diagram: the Corporate and Branch Office networks, using the addresses 192.168.5.50 and 192.168.5.25.)

Exam Questions
1. Johnson Claptrap Co. believes they need a VPN. They have traveling salespeople and only one office location. What steps should they take so that sales people can use a VPN tunnel when communicating with headquarters? (Configure VPN Endpoint for VPN clients.)
   A. Run the Allow VPN Client Connections wizard on the ISA Server. Establish Internet connectivity. Create a client-side VPN connector on salespeople’s laptops using built-in Windows software.
   B. Run the Set Up Local ISA VPN Server wizard on the ISA Server. Give a copy of the disk created to all sales people. Have the sales people run the Set Up Remote VPN wizard on their laptops.
   C. Run the Allow VPN Client Connections wizard on the ISA Server. Establish Internet connectivity. Purchase and run the SafeTNet VPN client on every salesperson’s laptop.
   D. Run the Set Up Local ISA VPN Server wizard on the ISA Server. Give a copy of the disk created to all sales people. Have the sales people run the Set Up Remote ISA VPN Server wizard on their office servers.
2. The ALLBritest Foundation already has established a PPTP gateway-to-gateway VPN connection between its two offices. They want to add ISA Server as a firewall at both locations. They want to maintain their existing VPN gateways. They install the ISA Server in a configuration as displayed in Figure 9.37. What do they need to do to continue to use their VPN tunnel?
   A. Configure one ISA Server as the local VPN. Configure the other as the remote VPN.
   B. Configure both ISA Servers for PPTP pass-through.
   C. Do nothing; this will work as is.
   D. Configure each ISA Server as a VPN endpoint and remove the existing VPN gateways.

FIGURE 9.37 ALLBritest VPN. (Diagram: a VPN gateway and an ISA Server at each office, connected across the Internet.)
3. After successfully running the local and remote VPN wizards, you must visit each VPN endpoint and configure the following before a tunnel connection can be made. (Select all that apply.)
   A. Create user accounts on each VPN endpoint and assign passwords.
   B. Open the interface for each VPN endpoint connector in RRAS and enter the username for the opposite endpoint.
   C. Enter the passwords in the VPN endpoint connector property pages.
   D. Add any additional static routes necessary.
4. CrystaBell Productions has hired you to improve communication security between their two locations. Each location has an ISA Server sitting between their internal private network and the Internet.
   Required Result: All communications between the offices must be encrypted.
   Optional Desired Results: Either office can initiate the connection. The best security algorithms should be used for the job.
   Proposed Solution: Use the VPN local and remote wizards on the corresponding ISA Servers to create VPN connections. Use all default settings but select PPTP as the tunnel type.
   Evaluation of Proposed Solution: Which result(s) does the proposed solution produce?
   A. The proposed solution produces the required result but neither of the optional results.
   B. The proposed solution produces the required result and one of the optional results.
   C. The proposed solution produces the required result and both of the optional results.
   D. The proposed solution does not produce the required result.
5. CrystaBell Productions has hired you to improve communication security between their two locations. Each location has an ISA Server sitting between their internal private network and the Internet.
   Required Result: All communications between the offices must be encrypted.
   Optional Desired Results: Either office can initiate the connection. The best security algorithms should be used for the job.
   Proposed Solution: Use the VPN local and remote wizards on the corresponding ISA Servers to create VPN connections. Fill out the optional form, which identifies the remote computer; otherwise use all default settings but select PPTP as the tunnel type.
   Evaluation of Proposed Solution: Which result(s) does the proposed solution produce?
   A. The proposed solution produces the required result but neither of the optional results.
   B. The proposed solution produces the required result and one of the optional results.
   C. The proposed solution produces the required result and both of the optional results.
   D. The proposed solution does not produce the required result.
6. CrystaBell Productions has hired you to improve communication security between their two locations. Each location has an ISA Server sitting between their internal private network and the Internet.
   Required Result: All communications between the offices must be encrypted.
   Optional Desired Results: Either office can initiate the connection. The best security algorithms should be used for the job.
   Proposed Solution: Obtain server certificates and be sure they are loaded appropriately on the ISA Server computers. Use the VPN local and remote wizards on the corresponding ISA Servers to create VPN connections. Use all default settings, but select L2TP/IPSec as the tunnel type.
   Evaluation of Proposed Solution: Which result(s) does the proposed solution produce?
   A. The proposed solution produces the required result but neither of the optional results.
   B. The proposed solution produces the required result and one of the optional results.
   C. The proposed solution produces the required result and both of the optional results.
   D. The proposed solution does not produce the required result.
Answers to Review Questions
1. Making changes in authentication methods, for example, removing MS-CHAP, or requiring certificates or smart cards. See the sections, “Examining Wizard Results” and “Making Additional Configurations.”
2. Well, Sam could be requiring more restrictive authentication methods and setting up certificates and such. But those things can be done after the wizards. Actually, the wizard does one thing that Sam can’t do. The wizard creates a strong password for the user accounts and does not make this available. Any password that Sam uses must somehow be communicated to the person configuring the remote VPN endpoint. Even if Sam does both connections, he knows the password (the setup person knows the tunnel password). When the wizard creates the password, no one knows it. This is not to say that the wizard can create a stronger password than Sam, or that the password can’t be hacked, just that initially, the tunnel password is not available to anyone. See the section, “Using the Wizard.”
3. No static route has been created. See the section, “Without the VPN Wizard.”
4. Each private network is using the same network. Change one of the private networks to something else. See the section, “Without the VPN Wizard.”
5. You must obtain certificates for the tunnel endpoints. You can do so by setting up MS Certificate Services and installing server certificates on each ISA Server. See the section, “Configuring Microsoft Certificate Services.”
6. Yes. The certificates must be from a source trusted by both endpoints. See the section, “Configuring Microsoft Certificate Services.”
Answers to Exam Questions
1. A. Using Windows VPN client software and configuring the ISA Server to allow client connections is the way to go. B is wrong because client systems cannot use the disk. C is wrong. It is not necessary to purchase third-party software. D is wrong. There are no other offices!
2. B. A is incorrect; there already is a VPN set up and they do not want to change it. C is incorrect; the ISA Server will not allow PPTP to pass through by default. D is incorrect; they do not want to remove the existing gateways. See the section, “Configure VPN Pass-Through.”
3. D. A is incorrect. The wizard creates user accounts and passwords. B is incorrect. The wizard configures RRAS with user accounts. C is incorrect. The wizard does this. See the section, “Configure ISA Server as a VPN Endpoint.”
4. A. B and C are incorrect; the default sets up only the remote VPN as the initiator of the connection. PPTP is not as secure as L2TP/IPSec. See the section, “Configure ISA Server as a VPN Endpoint.”
5. B. Configuring server info on the alternative page during the wizard allows both sides to initiate a connection. C is wrong because PPTP is not as secure as L2TP/IPSec. See the section, “Local ISA VPN Wizard—Connection Receiver.”
6. C. Adding L2TP/IPSec makes the tunnel more secure. See the section, “Local ISA VPN Wizard—Connection Receiver.”
Suggested Readings and Resources

Thaddeus Fortenberry. Windows 2000 Virtual Private Networking. New Riders Publishing, 2001. ISBN: 1-57870-246-1.

Roberta Bragg. Windows 2000 Security, Chapters 4, 15, and 17. New Riders, 2000. ISBN: 0-7357-0991-2.

Microsoft Windows 2000 Server Internetworking Guide, a book in the Windows 2000 Resource Kit. Microsoft Press, 2000. Chapter 6, “Demand-Dial Routing,” and Chapter 9, “Virtual Private Networking.” ISBN: 1-57231-805-8.

Microsoft Windows 2000 Server Distributed Systems Guide, a book in the Windows 2000 Resource Kit. Microsoft Press, 2000. Chapter 14, “Cryptography for Network and Information System Security,” and Chapter 16, “Windows 2000 Certificate Services and Public Key Infrastructure.” ISBN: 1-57231-805-8.

“Virtual Private Networking, an Overview,” a white paper at http://www.microsoft.com/windows2000/library/howitworks/communications/remoteaccess/vpnoverview.asp.

“Windows 2000 Virtual Private Networking Supporting Interoperability,” a white paper at http://www.microsoft.com/windows2000/library/howitworks/communications/remoteaccess/l2tp.asp.

“Windows 2000 Virtual Private Networking Scenario,” a white paper at http://www.microsoft.com/windows2000/library/howitworks/communications/remoteaccess/w2kvpnscenario.asp.
PART III: CONFIGURING, MANAGING, AND TROUBLESHOOTING POLICIES AND RULES

10 Firewall Configuration
11 Manage ISA Server in the Enterprise
12 Access Control in the Enterprise
CHAPTER 10: Firewall Configuration

OBJECTIVES

This chapter covers the following Microsoft-specified objectives for the Configuring, Managing, and Troubleshooting Policies and Rules section of the Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server 2000 exam:

Configure and secure the firewall in accordance with corporate standards.

• Configure the packet filter rules for different levels of security, including system hardening.

Packet filter rules are written to control communication between networks. The ISA Server, by default, does not allow any communication between its networks until some combination of the following allows access:

• Protocol rules and site and content rules—outbound access.
• Publishing rules—inbound access.
• Packet filters—inbound and/or outbound traffic.
• Routing rules—move packets from one interface to another.

The security administrator uses these objects to fulfill a security policy developed by management. System hardening consists of applying security features of the underlying operating system and then supporting their configuration by applying appropriate packet filters and other mechanisms that can keep that configuration stable.
OUTLINE
Introduction 311
Understanding Packet Filters 312
Configuring Packet Filter Rules 312
  Examining Default Packet Filters 313
  Configuring New Packet Filters 314
  Configuring/Enabling IP Packet Filter Properties 316
Configuring and Using Application Filters/Extensions 318
  FTP Access Filter 318
  HTTP Redirector Filter 319
  RPC Filter 320
  SOCKS V4 Filter 321
Configuring for System Hardening 321
  Pre-Installation Considerations, Lifetime Chores 321
  Authentication Rules 322
    Outgoing and Incoming Web Requests 322
    Authentication Methods 323
  The ISA Server Security Configuration Wizard 325
Special Considerations for Perimeter Networks 328
  Configuring the LAT 329
  Publishing Perimeter Network Servers 330
Troubleshooting Access 330
Chapter Summary 331
Apply Your Knowledge 332
  Exercises 332
  Review Questions 332
  Exam Questions 332
  Answers to Review Questions 334
  Answers to Exam Questions 334

STUDY STRATEGIES
• If you are not clear on the use of site and content rules, protocol rules, and publishing rules to allow and deny access through the firewall, revisit the earlier chapters.
• Examine the default packet filters and understand their meaning and use.
• Examine the default application filters and understand their meaning and use.
• Keep the following question in mind: When would I need to use packet filters?
• Go further than the exercises: create many packet filters and test them. Did they respond the way you expected? Can you think of another way to obtain the same effect?
INTRODUCTION
Configure and secure the firewall in accordance with corporate policies.

Make no mistake, the ultimate responsibility for information system security lies with management. Although IT is charged with securing the information system infrastructure, it does so only at the direction and with the blessing of management. Management sets the policy; IT puts it into place. It is important to realize this and to determine the corporate security policy before configuring and securing the firewall. What type of access to the Internet does policy allow? What types of externally originating communications are allowed to enter the internal network? If you do not know the answers to these questions, you cannot set the proper filters on the firewall, nor do you know how to set alerts or intrusion detection so that you are told when attackers are present. You cannot simply use your own judgment about which communications to block, which to allow, and which outside contact to get excited about. Although your knowledge of typical settings, warnings, bells and whistles is essential to management's understanding of the problem, it is management's directive that shapes your implementation. That said, it is important to know how to put management's plan into action on the ISA Server. Chapter 5, "Outbound Internet Access," described how to use policy elements to construct site and content rules and protocol rules that allow or deny internal users access to the Internet. Chapter 6, "ISA Server Hosting Roles," illustrated how to provide external users access to internal resources in the most secure fashion. This chapter addresses the protection of the internal network from external access and covers these issues:
• Understanding packet filters
• Configuring packet filters
• Configuring and using application filters and extensions
• Configuring for system hardening
• Special considerations for perimeter networks
• Troubleshooting access
UNDERSTANDING PACKET FILTERS
Packet filters allow or block the passage of packets on the external interface (or to and from perimeter network computers). A decision is made from the following information in the packet:
• Protocol and, for TCP and UDP, port numbers
• Direction (inbound, outbound, both)
• The remote computer it came from or is directed to
These decisions can often be made by other means, and it is desirable to do so; however, there are situations in which you must use packet filters:
• Publishing servers in a 3-homed perimeter network. Publishing rules cannot reach the perimeter network; IP routing plus an allow packet filter is required.
• Running services, such as mail servers and Web servers, on the ISA Server computer itself. Packet filters direct the traffic received for the appropriate port to the service.
• Running applications on the ISA Server computer that need to connect to the Internet. The Firewall Client cannot be installed on the ISA Server computer, so you create packet filters that open direct connections to the Internet for these applications.
• Using protocols other than TCP or UDP. The Web proxy service handles HTTP, HTTPS, and FTP; the firewall service handles TCP and UDP. Everything else (examine the ICMP default filters for examples) must be handled by packet filters.

EXAM TIP
IP Routing and Packet Filtering. If packet filtering is disabled, no filters are applied to packets arriving on the external interface, and the ISA Server computer itself is unprotected. Packet filtering alone causes the ISA Server to drop all packets on the external interface unless they are explicitly allowed. You combine IP routing with packet filtering to route between the Internet and a 3-homed perimeter network. Never run IP routing without packet filtering: the ISA Server is then no longer a firewall but a router. (The ISA Server console enforces this; IP routing cannot be enabled unless packet filtering is enabled.)
CONFIGURING PACKET FILTER RULES
Configure the packet filter rules for different levels of security, including system hardening.

Although packet filters are generally thought of as devices to control access from the outside, in practice they control the transfer of packets in either direction. They examine the protocol used and allow or deny (drop) the packet. Packet filtering is enabled by default in Firewall mode and in Integrated mode but not in Caching mode. (In Caching mode, access to external sites is managed using protocol rules and site and content rules.) When packet filtering is enabled, all packets on the external interface are dropped unless packet filters, access policy, or publishing rules allow them. To help you understand packet filters and how to use them to control access to your network, the following sections are provided:
• Examining Default Packet Filters
• Configuring New Packet Filters
• Configuring/Enabling IP Packet Filter Properties

Examining Default Packet Filters
Because the default setup of ISA Server drops all packets at the external interface unless it is configured to do otherwise, several default filters exist, including
• ICMP outbound. The ISA Server computer can send ICMP messages.
• ICMP ping response (in). The ISA Server can receive inbound ping responses.
• ICMP source quench. The ISA Server can receive instructions to slow its packet-sending rate.
• ICMP timeout (in). The ISA Server can receive messages relating to timeouts, for example of ping requests.
• ICMP unreachable. The ISA Server can receive notice of an unreachable address.
• DHCP Client. The external interface can act as a DHCP client. This filter is disabled by default.
• DNS filter. DNS lookup requests from the ISA Server computer can pass.
These default filters can be enabled or disabled by right-clicking the filter and selecting Disable or Enable.
EXAM TIP
Packet Filter or Not? When should packet filters be used? Packet filters open ports statically, whether or not anyone is using them. It is always preferable to open ports dynamically, when a request arrives, because that is the smaller exposure. Use access policy rules (site and content rules, protocol rules) to allow internal clients access to the Internet and publishing rules to allow external clients access to internal servers. Packet filters are needed when data must be routed between networks: with IP routing enabled, the ISA Server forwards packets between interfaces without changing header information, and packet filters determine what type of data can be routed where.
Configuring New Packet Filters
The New Filter wizard configures new filters. It is run from the Access Policy\IP Packet Filters folder of the ISA Server Management console. To create a new packet filter, follow Step by Step 10.1.

STEP BY STEP 10.1 Creating a New Packet Filter
1. In the ISA Management console, right-click Servers and Arrays\name\Access Policy\IP Packet Filters. Select New\Filter.
2. Enter a name for the new packet filter and click Next.
3. Select Allow Packet Transmission or Block Packet Transmission (see Figure 10.1). Click Next.
4. Select a predefined filter or a custom filter and click Next.
5. If Predefined is selected, select the filter from the drop-down box and skip to step 7. Predefined filters are described in Table 10.1.
6. If Custom is selected, complete the Filter Settings page (see Figure 10.2). Choices are listed and described in Table 10.2. Click Next.
7. On the Local Computer page, select the IP address to which the packet filter is applied (see Figure 10.3). The choices are
   • Default IP addresses for each external interface on the ISA Server computer. Data traveling through all external interfaces is inspected and the filter applied.
   • This ISA server's external IP address. Enter the IP address of a particular ISA Server in the array, or one of the ISA Server's external IP addresses.
   • This computer (on the perimeter network). If a perimeter network has been set up using a third network interface card, enter the IP address of the perimeter network computer whose traffic is to be filtered.
8. Click Next.
9. On the Remote Computers page, select the remote computers to which the filter applies: all remote computers, or the IP address of a particular computer. If a single computer is chosen, only packets whose remote address is that computer are blocked or allowed. Click Next.
10. Review your selections and click Finish.

FIGURE 10.1 Allowing or blocking packet transmission.
FIGURE 10.2 Complete the Custom Filter page.
TABLE 10.1
PREDEFINED FILTERS
Filter | Protocol and direction | Purpose
DNS lookup | UDP (IP protocol 17), Send Receive, remote port 53 | DNS lookup queries from the ISA Server computer and their replies.
ICMP Query | ICMP, inbound | ICMP ping queries to the ISA Server computer.
PPTP call | IP protocol 47 (GRE), inbound and outbound | Both PPTP call and PPTP receive are necessary when setting up ISA Server VPNs. (47 is an IP protocol number, not a port.)
PPTP receive | IP protocol 47 (GRE), inbound and outbound | Both PPTP call and PPTP receive are necessary when setting up ISA Server VPNs.
SMTP | TCP, inbound, port 25 | Access to an SMTP mail service.
POP3 | TCP, inbound, port 110 | Access to a POP3 service.
Identd | TCP, inbound, port 113 | Access to an Identd service. An Identd service can be installed on the ISA Server computer.
HTTP server (port 80) | TCP, inbound, port 80 | Access to a Web server listening on port 80.
HTTPS server (port 443) | TCP, inbound, port 443 | Access to a Web server accepting SSL connections on port 443.
NetBIOS (WINS client only) | Both directions | Allows NetBIOS clients to reach the NetBIOS name service (WINS) across the ISA Server.
NetBIOS (all) | Both directions | Allows access by all to the NetBIOS ports across the ISA Server. Exposing NetBIOS on an Internet-facing interface is rarely justified.
FIGURE 10.3 Determine the IP address.
TABLE 10.2
CUSTOM FILTER SETTINGS
Setting | Description | Choices
IP Protocol | Select the protocol. | Custom, Any, ICMP, TCP, UDP.
Number | If IP Protocol is Custom, enter the IP protocol number (for example 47 for GRE). The other choices fill in the number for you. | A protocol number if Custom; otherwise no choice.
Direction | In which direction is the packet going? | Both, Inbound, or Outbound. (For UDP the choices also include the paired Send Receive and Receive Send, which admit the reply to a datagram sent in the allowed direction.)
Local Port | Which port on the ISA Server computer is used? | All Ports, Fixed Port, Dynamic (1025-5000).
Port Number | A box exists for both Local Port and Remote Port. Enter the port number if Fixed Port is chosen. | A port number if Fixed Port; otherwise no choice.
Remote Port | Which port on the remote computer is used? | All Ports, Fixed Port, Dynamic.
Configuring/Enabling IP Packet Filter Properties Options such as enabling routing, intrusion detection, filtering of IP fragments, and allowing PPTP to pass through the firewall are configured from the property pages of the IP Packet Filter folder. Packet filter properties cannot be configured if ISA Server is installed in Caching mode. Properties and their effect are detailed in Table 10.3.
TABLE 10.3
IP PACKET FILTER PROPERTIES
Option | Property Page | Default | Description
Enable Packet Filtering | General | Enabled | Use packet filters to control inbound and outbound access on the external interface.
Enable Intrusion Detection | General | Disabled | Enable the preconfigured intrusion detection filters.
Enable IP Routing | General | Disabled | Route packets between interfaces. This cannot be enabled unless packet filtering is enabled.
Enable Filtering of IP Fragments | Packet Filters | Disabled | Drop all fragmented IP packets. This blocks well-known attacks that send fragments which reassemble into a malformed packet, or that split a header across fragments to slip past a filter. Do not enable it if video streaming is allowed through the ISA Server, because streaming protocols can legitimately send fragmented packets.
Enable Filtering IP Options | Packet Filters | Disabled | Drop all packets that carry IP options in the header (source routing, for example).
Log Packets From "Allow" Filters | Packet Filters | Disabled | Normally all dropped packets are logged and allowed packets are not. Selecting this option logs allowed packets too, creating additional load on the ISA Server.
Intrusion Detection parameters | Intrusion Detection | Disabled | Configures the attacks the intrusion detection filters watch for. These settings are described with the intrusion detection filters in Chapter 15, "Monitoring Network Security and Usage."
PPTP Through ISA Firewall | PPTP | Disabled | Allows PPTP packets to pass through the ISA Server firewall. Use this option to let packets to and from internal PPTP endpoints pass.
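The evaluation that Step by Step 10.1 and Tables 10.1 to 10.3 describe, as an added example in Python; this is not code from the book or from ISA Server. A packet on the external interface is dropped unless an allow filter matches, a block filter overrides an allow filter (as ISA Server does when filters conflict), and the IP fragment and IP options checks run before any filter is consulted. The filter names reproduce entries from Table 10.1; the protocol numbers, the sample packets, the remote addresses and the reply tracking used to model a UDP "Send Receive" filter are this example's own constructions.

```python
"""Model of ISA Server 2000 packet filter evaluation on the external interface.

Added example, not code from the book or from ISA Server. Filter fields follow
Table 10.2, the sample filters reproduce Table 10.1 entries, and the fragment
and IP options checks are the Table 10.3 options. Protocol numbers, sample
packets and the UDP reply tracking are constructed here. Assumption: a block
filter overrides an allow filter, which is how ISA Server resolves a conflict.
"""
from dataclasses import dataclass, field
from typing import Optional, Tuple

ICMP, TCP, UDP, GRE = 1, 6, 17, 47      # IP protocol numbers (GRE is a protocol, not a port)
DYNAMIC = range(1025, 5001)             # the "Dynamic" port choice in Table 10.2


@dataclass
class Packet:
    protocol: int
    direction: str                      # "inbound" or "outbound" relative to the ISA Server
    local_port: Optional[int] = None    # port on the ISA Server (None for ICMP/GRE)
    remote_port: Optional[int] = None
    remote_addr: str = "0.0.0.0"
    fragment: bool = False              # a non-initial IP fragment
    ip_options: bool = False            # IP options (for example source routing) present


def port_ok(spec, port: Optional[int]) -> bool:
    """spec is "all", "dynamic", or a fixed port number."""
    if spec == "all":
        return True
    if spec == "dynamic":
        return port in DYNAMIC
    return spec == port


@dataclass
class Filter:
    name: str
    action: str                         # "allow" or "block"
    protocol: Optional[int]             # None means the "Any" choice
    direction: str                      # "both", "inbound", "outbound", or "send_receive" (UDP)
    local_port: object = "all"
    remote_port: object = "all"
    remote_addr: Optional[str] = None   # None means all remote computers

    def matches(self, pkt: Packet, udp_state: set) -> bool:
        if self.protocol is not None and self.protocol != pkt.protocol:
            return False
        if self.remote_addr is not None and self.remote_addr != pkt.remote_addr:
            return False
        if not (port_ok(self.local_port, pkt.local_port) and port_ok(self.remote_port, pkt.remote_port)):
            return False
        if self.direction == "both":
            return True
        if self.direction == "send_receive":
            # The outbound send is allowed; an inbound packet only if it answers a send we saw.
            return pkt.direction == "outbound" or (pkt.remote_addr, pkt.remote_port, pkt.local_port) in udp_state
        return self.direction == pkt.direction


@dataclass
class PacketFilterPolicy:
    filters: list
    filter_fragments: bool = False      # Table 10.3: Enable Filtering of IP Fragments
    filter_ip_options: bool = False     # Table 10.3: Enable Filtering IP Options
    udp_state: set = field(default_factory=set)

    def decide(self, pkt: Packet) -> Tuple[str, str]:
        """Return ("allow" | "drop", reason) for one packet on the external interface."""
        if self.filter_fragments and pkt.fragment:
            return ("drop", "IP fragment")
        if self.filter_ip_options and pkt.ip_options:
            return ("drop", "IP options present")
        hits = [f for f in self.filters if f.matches(pkt, self.udp_state)]
        for f in hits:                  # block filters win regardless of list order
            if f.action == "block":
                return ("drop", f"block filter '{f.name}'")
        for f in hits:
            if f.direction == "send_receive" and pkt.direction == "outbound":
                self.udp_state.add((pkt.remote_addr, pkt.remote_port, pkt.local_port))
            return ("allow", f"allow filter '{f.name}'")
        return ("drop", "no allow filter matched; default for the external interface")


def demo() -> dict:
    """Constructed scenario: a few Table 10.1 filters plus one custom block filter."""
    policy = PacketFilterPolicy(filters=[
        Filter("DNS lookup", "allow", UDP, "send_receive", remote_port=53),
        Filter("ICMP query", "allow", ICMP, "inbound"),
        Filter("HTTP server (port 80)", "allow", TCP, "inbound", local_port=80),
        Filter("PPTP receive", "allow", GRE, "inbound"),
        Filter("Block 203.0.113.7 on 80", "block", TCP, "inbound", local_port=80, remote_addr="203.0.113.7"),
    ], filter_fragments=True)
    dns = "198.51.100.2"                # constructed address of the upstream DNS server
    return {
        "dns_query_out": policy.decide(Packet(UDP, "outbound", 1040, 53, dns)),
        "dns_reply_in": policy.decide(Packet(UDP, "inbound", 1040, 53, dns)),
        "dns_unsolicited_in": policy.decide(Packet(UDP, "inbound", 1100, 53, dns)),
        "web_in": policy.decide(Packet(TCP, "inbound", 80, 40000, "203.0.113.5")),
        "web_in_blocked": policy.decide(Packet(TCP, "inbound", 80, 40000, "203.0.113.7")),
        "smtp_in": policy.decide(Packet(TCP, "inbound", 25, 40001, "203.0.113.5")),
        "fragment_in": policy.decide(Packet(TCP, "inbound", 80, 40002, "203.0.113.5", fragment=True)),
    }


if __name__ == "__main__":
    for case, (verdict, why) in demo().items():
        print(f"{case:20} {verdict:5} {why}")
```

The unsolicited inbound datagram with source port 53 is the case to watch: a filter written with direction Both instead of Send Receive would let it reach any local port, which is the static opening the exam tip above warns about.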
CONFIGURING AND USING APPLICATION FILTERS/EXTENSIONS
Application filters and extensions provide control at the application-protocol layer that packet filters and protocol rules cannot. Third-party extensions that further extend the interface can be developed and are already available for virus and content checking. Standard ISA Server application filters are provided. Chapter 7, "H.323 Gatekeeper," describes how to configure and use the H.323 filter and the streaming media filter. Chapter 6, "ISA Server Hosting Roles," describes the use of the SMTP filter for content filtering. Filters designed for intrusion detection (the DNS intrusion detection filter and the POP intrusion detection filter) are defined in Chapter 15, "Monitoring Network Security and Usage." The remaining filters are listed and defined here:
• FTP access filter
• HTTP redirector filter
• RPC filter
• SOCKS V4 filter

FTP Access Filter
SecureNAT clients use this filter when they require access to FTP. You must create protocol rules to allow access to the FTP protocol. If access is allowed, the filter forwards the request to the firewall service, which dynamically opens the secondary (data) ports that the FTP protocol requires and closes them when the transfer is done. This filter is enabled by default. The filter also performs address translation for SecureNAT clients. It uses three predefined protocol definitions:
• FTP download only. Clients can read data on FTP sites but cannot write data to them.
• FTP client. Full client access, read and write.
• FTP server. Used in server publishing rules to publish an internal FTP server.
If, instead of using the FTP access filter, you define your own protocol definition for FTP, you do not get address translation, secondary port handling, or control over read versus write FTP operations.
To limit users to read-only FTP you create a protocol rule that allows the FTP Download Only protocol for a client address set. Step by Step 10.2 describes how to do so for the 192.168.5.0 subnetwork.

STEP BY STEP 10.2 Limiting FTP Access to Read Only
1. Create a client address set called FTPro set for the subnetwork 192.168.5.0 (creating client address sets is detailed in Chapter 5).
2. Right-click Servers and Arrays\name\Access Policy\Protocol Rules and select New\Rule.
3. Give the rule a name and click Next.
4. Select Allow and click Next.
5. In the Apply This Rule To box select Selected Protocols, and in the Protocol box select FTP Download Only (see Figure 10.4). Click Next.
6. Leave the default Always schedule in place and click Next.
7. On the Client Type page select Specific Computers (Client Address Set). Click Next and select the FTPro set. Click Next.
8. Review your choices and click Finish.
Note that this rule allows only FTP Download Only for those clients; if another protocol rule allows the full FTP client protocol to the same addresses, the broader rule also applies and the restriction is meaningless.

FIGURE 10.4 Selecting the protocol FTP Download Only.

HTTP Redirector Filter
The HTTP Redirector Filter (enabled by default) forwards HTTP requests from firewall and SecureNAT clients to the Web proxy service so that they benefit from the cache. No authentication information is passed with the redirected request, so firewall client requests that arrive at the Web proxy service this way are unauthenticated, and rules you have written for specific users and groups cannot be evaluated against them. A rule that denies access to a particular user does not take effect, because there is no way to tell which user is making the request; if anonymous requests are allowed by some other rule, access is granted. If you do not allow unauthenticated access (Ask Unauthenticated Users for Identification), all redirected requests are denied.
For example, suppose two protocol rules are written, one allowing firewall client Peter access to external sites using HTTP and one denying firewall client Fred access to external sites using HTTP, and their requests reach the Web proxy service through the HTTP redirector. If unauthenticated access is allowed and a site and content rule exists that allows access, both Peter and Fred are allowed to use HTTP. If unauthenticated access is not allowed, neither user is allowed to use HTTP. The HTTP redirector filter has optional configurations on the Options tab of its properties page (see Figure 10.5). The HTTP redirector can be configured to
• Redirect to the local Web proxy service (the default).
• If the local service is unreachable, redirect requests to the requested Web server.
• Send to the requested Web server.
• Reject HTTP requests from firewall and SecureNAT clients. (Web proxy clients' requests are not rejected unless ISA Server rules specify to deny the request.)

FIGURE 10.5 Configuring HTTP redirector options.
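The Peter and Fred example above, worked through as an added Python model; this is not code from the book or from ISA Server. The rule shapes (allow or deny, protocol, users) follow the chapter, the names come from the chapter's example, and the evaluation order (a matching deny rule beats an allow rule; a request without credentials can match only rules that have no user condition) is a simplification of ISA Server access policy.

```python
"""Why user-based protocol rules cannot be enforced on requests that reach the
Web proxy service through the HTTP redirector.

Added example, not code from the book or from ISA Server. Rule shapes follow
the chapter; Peter and Fred come from the chapter's example; the evaluation
order (deny beats allow, anonymous requests match only rules without a user
condition) is a simplification of ISA Server access policy.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class ProtocolRule:
    name: str
    action: str                              # "allow" or "deny"
    protocol: str
    users: Optional[FrozenSet[str]] = None   # None: applies to any request, including an anonymous one


RULES = [
    ProtocolRule("Peter may use HTTP", "allow", "HTTP", frozenset({"peter"})),
    ProtocolRule("Fred may not use HTTP", "deny", "HTTP", frozenset({"fred"})),
    ProtocolRule("Everyone may use HTTP", "allow", "HTTP"),   # the rule that admits anonymous requests
]


def evaluate(rules, protocol: str, user: Optional[str], ask_unauthenticated: bool) -> Tuple[str, str]:
    """Decide one request. user is None when the request carries no credentials,
    which is what the HTTP redirector hands to the Web proxy service."""
    if user is None and ask_unauthenticated:
        return ("deny", "no credentials and identification is required")
    applicable = [
        r for r in rules
        if r.protocol == protocol and (r.users is None or (user is not None and user in r.users))
    ]
    for r in applicable:                     # a matching deny rule wins over any allow rule
        if r.action == "deny":
            return ("deny", r.name)
    for r in applicable:
        if r.action == "allow":
            return ("allow", r.name)
    return ("deny", "no allow rule matched")


def demo() -> dict:
    """Web proxy client (credentials available) versus a request arriving via the redirector."""
    return {
        "fred_web_proxy_client": evaluate(RULES, "HTTP", "fred", False),
        "fred_via_redirector": evaluate(RULES, "HTTP", None, False),
        "fred_via_redirector_auth_required": evaluate(RULES, "HTTP", None, True),
        "peter_via_redirector_auth_required": evaluate(RULES, "HTTP", None, True),
        "fred_via_redirector_no_anonymous_rule": evaluate(RULES[:2], "HTTP", None, False),
    }
```

The second case is the one the chapter warns about: Fred's deny rule never fires because the redirected request has no user, and the anonymous allow rule lets it through. Requiring identification closes that hole but also denies Peter's redirected requests; the only way to enforce per-user rules is to have those clients use the Web proxy service directly.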
RPC Filter
The RPC filter (enabled by default) allows publishing of internal RPC servers, making them available to external clients. Although the filter is enabled by default, to publish an RPC server you must create a server publishing rule and apply an RPC protocol. Two protocol definitions are added with the RPC filter:
• Any RPC Server
• Exchange RPC Server
Prefer Exchange RPC Server, which limits the published RPC interfaces to those Exchange needs, over Any RPC Server, which exposes every RPC interface on the published host.
SOCKS V4 Filter
The SOCKS filter (enabled by default) forwards SOCKS application requests to the firewall service. Access policy rules must be configured to allow or deny the SOCKS client application's access to the Internet. The default port for SOCKS requests is 1080. To change it, modify the Port text box on the SOCKS filter Properties\Options page (see Figure 10.6). SOCKS version 4 provides no authentication, so rules based on users or groups do not apply to SOCKS clients; control them by client address set.

FIGURE 10.6 Changing the SOCKS port.

CONFIGURING FOR SYSTEM HARDENING
It does not make sense to place a firewall between public and private networks if you are not going to make sure the system the firewall sits on is itself hardened. If the underlying operating system can be compromised, any firewall protection can be removed. To make sure the ISA Server has a rock-solid bed on which to operate and uses the OS to support its functions, consider the following:
• Preinstallation considerations, lifetime chores
• Authentication rules
• The ISA Server Security Configuration Wizard

Preinstallation Considerations, Lifetime Chores
Chapter 2, "Plan Before Acting: Preinstallation Activities," lists and describes the steps to take to secure the underlying OS. Be prepared to update these considerations as new security issues are discovered or elaborated on. New service packs, hotfixes, and security announcements can modify your preinstallation plans. In addition, your monitoring of security-related information on Windows 2000 should not stop once the ISA Server is installed but should continue for the lifetime of the server. Each new security-related Windows 2000 advisory should be examined to see whether it affects the ISA Server, and corresponding changes made to the underlying OS. Monitoring the ISA Server itself can alert you to other potential security issues that must be addressed.
Authentication Rules
Authentication rules determine whether outgoing and incoming requests are authenticated and, if they are, which authentication methods are used. Because authentication is configured separately for incoming and outgoing requests, to fully understand ISA Server authentication rules you must examine authentication in light of the following:
• Outgoing and incoming Web requests
• Authentication methods

Outgoing and Incoming Web Requests
Authentication for outgoing and incoming Web requests is configured on the Servers and Arrays\name\Properties\Outgoing Web Requests page or Incoming Web Requests page (see Step by Step 10.3) and by writing access rules that specify the users and groups that are allowed or denied access to external sites. (Access rules are covered in Chapter 5.)

STEP BY STEP 10.3 Configuring Incoming and Outgoing Web Request Authentication
1. Right-click Servers and Arrays\name and select Properties.
2. Select the Outgoing Web Requests or the Incoming Web Requests page.
3. If you want to require all clients to authenticate outgoing (or incoming) Web requests, check the box Ask Unauthenticated Users for Identification on the respective page (see Figure 10.7).
4. Click the radio button Configure Listeners Individually per IP Address.
5. Click the Add button.
6. On the Add/Edit Listeners dialog box, use the Server drop-down box to select the ISA Server.
7. Use the IP Address drop-down box to select the IP address.
8. By default the Integrated box is checked. Select the desired authentication method(s), and select Use a Server Certificate to Authenticate to Web Clients if the listener must prove its identity to clients, which is also required for mutual authentication.
9. If a server certificate is to be used, click the Select button and select the certificate. (The server certificate must be obtained and installed before making this choice.)
10. Click OK to return to the property pages, then click OK to close them.
11. Choose whether to save changes and restart the services, and click OK.
Authentication Methods
Multiple authentication methods can be configured in support of incoming and outgoing Web requests. The methods, and who can use each, are described in Table 10.4. Additional information on pass-through authentication and on the use of certificates follows the table.

FIGURE 10.7 The Ask Unauthenticated Users for Identification option on the Outgoing or Incoming Web Requests page.
TABLE 10.4
AUTHENTICATION PROCESSES
Method | Description | Who Can Use It?
Basic | Credentials are sent Base64-encoded, not encrypted; anyone who can see the request can decode them. Use it only on a listener protected by SSL. | Users with accounts on the ISA Server computer or in a domain trusted by the ISA Server.
Digest | The credentials, together with values identifying the user, computer and domain and a time stamp, are hashed to create a message digest. Hashing is one-way; the password cannot be recovered from the digest. | Users with accounts in a domain trusted by the ISA Server.
Integrated | Integrated Windows authentication. (The protocol used depends on the operating systems and accounts involved.) | Windows user accounts. Kerberos is used when Windows 2000 domain accounts are used from a Windows 2000 domain member computer; otherwise NTLM. Kerberos cannot be used in a pass-through scenario.
Pass-through | ISA Server passes the client's authentication information on to the destination server. See the numbered list in the section "Pass-Through Authentication." | Outgoing and incoming Web requests.
Certificates | Certificates issued by a Certificate Authority are used for authentication. See the section "Certificates." | Clients and servers.
Pass-Through Authentication
If a client needs to authenticate to an external or internal Web server, the ISA Server can pass the client's authentication information on to that server. It works like this:
1. The client sends a GET request to a Web server and the ISA Server forwards it.
2. The Web server receives the request and returns a 401 error (authentication required).
3. The ISA Server passes this response to the client.
4. The client returns its authentication information to the ISA Server.
5. The ISA Server passes it on to the Web server.
6. The client and the Web server then exchange the rest of the session, with the ISA Server forwarding the traffic between them.
Because the credentials cross the ISA Server in the form the client sent them, a Basic authentication exchange is readable by anything on the path unless it is protected by SSL.
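The six-step exchange above, with Basic authentication, as an added Python model; this is not code from the book or from ISA Server. An origin server function issues the 401 challenge, a pass-through proxy function forwards request and response unchanged while recording what crossed it, and a client function retries with credentials. The account, realm and protected path are constructed for the example. The last function shows what "easily read" in Table 10.4 means in practice: the proxy, or anyone on the path, can recover the password from the header.

```python
"""Pass-through authentication modelled as an origin server, a pass-through
proxy and a client. Added example, not code from the book or from ISA Server.
It walks the 401 round trip the chapter lists, with the proxy forwarding the
request and response unchanged, and then shows why Basic credentials are
"easily read" by anything on the path. The account, realm and path are
constructed for the example.
"""
import base64
from typing import List, Tuple

USERS = {"peter": "s3cret!"}              # constructed account on the origin Web server


def origin_server(request: dict) -> dict:
    """Minimal Web server: /report requires Basic authentication."""
    if request["path"] != "/report":
        return {"status": 200, "headers": {}, "body": "public page"}
    scheme, _, token = request["headers"].get("Authorization", "").partition(" ")
    if scheme == "Basic":
        try:
            user, _, password = base64.b64decode(token).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            user, password = "", ""
        if user in USERS and USERS[user] == password:
            return {"status": 200, "headers": {}, "body": f"report for {user}"}
    return {"status": 401, "headers": {"WWW-Authenticate": 'Basic realm="intranet"'}, "body": ""}


def pass_through_proxy(request: dict, trace: List[Tuple[str, object]]) -> dict:
    """ISA Server in pass-through mode: forwards the request untouched and records what crossed it."""
    trace.append(("client->proxy", dict(request["headers"])))
    response = origin_server(request)
    trace.append(("server->proxy", response["status"]))
    return response


def client_fetch(path: str, user: str, password: str, trace: list) -> dict:
    """Steps 1-6 of the chapter: request, 401 challenge, retry with credentials."""
    request = {"path": path, "headers": {}}
    response = pass_through_proxy(request, trace)                       # steps 1-3
    if response["status"] == 401 and response["headers"].get("WWW-Authenticate", "").startswith("Basic"):
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        request["headers"]["Authorization"] = f"Basic {token}"
        response = pass_through_proxy(request, trace)                   # steps 4-6
    return response


def credentials_seen_on_the_wire(trace: list):
    """What an observer between client and server (or the proxy's own log) recovers from a Basic header."""
    for _, headers in trace:
        if isinstance(headers, dict) and headers.get("Authorization", "").startswith("Basic "):
            return base64.b64decode(headers["Authorization"][6:]).decode()
    return None


def demo() -> dict:
    trace: list = []
    ok = client_fetch("/report", "peter", "s3cret!", trace)
    bad = client_fetch("/report", "peter", "wrong", [])
    return {"status_ok": ok["status"], "status_bad": bad["status"],
            "round_trip": [hop for hop, _ in trace], "leaked": credentials_seen_on_the_wire(trace)}
```

Digest or Integrated authentication changes what crosses the proxy (a hash or a challenge-response rather than the password), but the round trip is the same; the point of SSL on the listener is to hide the Authorization header on the external leg regardless of method.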
Certificates
SSL server certificates can be used to authenticate the ISA Server to the client when the client requests an object. The server must have a certificate installed, and the client must have a copy of the issuing CA's certificate in its certificate store. When the client request is received, the server sends its certificate to the client. Because the client can verify the issuing CA's signature on the certificate (using the copy of the CA's certificate it holds), the server is authenticated. The server can request certificate authentication of the client as well; both sides authenticating to each other is called mutual authentication. The client certificate must be issued by a CA that the server trusts. One solution is to install a Microsoft Certificate Services Enterprise CA: certificates can be issued automatically to servers, and all clients with Active Directory domain accounts can request client certificates.
The ISA Server Security Configuration Wizard
Microsoft provides a Security Configuration Wizard (see Figure 10.8) that automatically configures multiple Windows 2000 security features. Three security levels exist (see Figure 10.9). The wizard can be run by selecting Configure Firewall Protection\Secure Your ISA Server Computer from the taskpad view (see Step by Step 10.4), or by right-clicking the ISA Server computer under the Computers folder and selecting Secure.
Each hardening choice applies one of six standard Windows 2000 security templates (three for domain controllers and three for servers) to make its settings (see Table 10.5). Templates ending in "dc" are for domain controllers; the others are for servers. Running a firewall on a domain controller is not recommended; the dc templates are provided for installations that do so anyway.

TABLE 10.5
SECURITY WIZARD
Security Level | Recommended Usage | Security Template
Secure | Other services are running on the ISA Server computer, such as a Web server or mail server. | Basicsv.inf or Basicdc.inf
Limited Services | ISA Server in Integrated mode, or serving as a caching server behind another firewall. | Securews.inf or Securedc.inf
Dedicated | ISA Server as a dedicated firewall. | Hisecws.inf or Hisecdc.inf

FIGURE 10.8 The Security Configuration Wizard.
STEP BY STEP 10.4 Configuring System Hardening with the Security Configuration Wizard
1. Right-click the ISA Server in the Details pane of Servers and Arrays\name\Computers and select Secure.
2. Read the warning and click Next.
3. Select the System Security Level and click Next (see Figure 10.9).
4. Review your choice and click Finish.
5. When configuration is completed, you are prompted to restart the system. Click OK.
6. Restart the system.

FIGURE 10.9 System hardening choices.
To examine the changes made, use the Security Configuration and Analysis (SCA) console. This Windows 2000 snap-in can be loaded into an MMC console and used to compare any template with the computer's current configuration. For example, after running the Limited Services choice, load the default installation template (setup security.inf) in SCA and analyze the current settings against it to see what the wizard changed. The Limited Services configuration makes numerous changes to the local security configuration database. Most of the changes are listed here:
• Password history set to 24 passwords remembered.
• Minimum password age set to 2 days.
• Minimum password length set to 8 characters.
• Password complexity requirements enabled.
• Account lockout threshold set to 5 invalid logon attempts.
• Auditing configured: Audit account logon events and Audit policy change are set for success and failure; Audit logon events and Audit privilege use are set for failure.
• Additional restrictions for anonymous connections set to Do Not Allow Enumeration of SAM Accounts and Shares.
• Digitally sign server communication (when possible) set to Enabled.
• LAN Manager authentication level set to NTLM only (Send NTLM Response Only).
• Smart card removal behavior set to Lock Workstation.
• Maximum security log size set to 5,120 kilobytes.
• Guest access to the event logs is prevented.
• Event retention set to overwrite events as needed.
If you decide you do not like the changes the wizard made, there is no undo; you must reconfigure each modified item manually. Exporting the current settings with secedit /export before running the wizard gives you a template you can apply to put them back.
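The comparison the SCA console performs, as an added Python example; this is not code from the book or from ISA Server. It parses the INF format that secedit /export and the SCA snap-in read and write, reports every setting that differs from the Limited Services values listed above, and can render those values as a template for secedit /configure. The mapping of the chapter's descriptions to template keys and values (for example "NTLM only" to LmCompatibilityLevel 2, guest access prevented to RestrictGuestAccess 1) is this example's own, and SAMPLE_EXPORT is a constructed export from a machine on which the wizard has not yet been run.

```python
"""Check an exported local security configuration against the settings the
chapter lists for the Security Configuration Wizard's Limited Services level,
and render those settings as a template that secedit /configure can apply.

Added example, not code from the book or from ISA Server. The INF layout and
key names are those of Windows 2000 security templates (what secedit /export
and the Security Configuration and Analysis snap-in read and write); the
mapping of the chapter's descriptions to keys and values is this example's
own, and SAMPLE_EXPORT is a constructed export from an unhardened machine.
"""
import configparser
from typing import Dict, Tuple

LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa"
LANMAN = r"MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters"

# (section, key) -> value the Limited Services choice is expected to set
EXPECTED: Dict[Tuple[str, str], str] = {
    ("System Access", "PasswordHistorySize"): "24",
    ("System Access", "MinimumPasswordAge"): "2",
    ("System Access", "MinimumPasswordLength"): "8",
    ("System Access", "PasswordComplexity"): "1",
    ("System Access", "LockoutBadCount"): "5",
    ("Event Audit", "AuditAccountLogon"): "3",          # 3 = success and failure
    ("Event Audit", "AuditPolicyChange"): "3",
    ("Event Audit", "AuditLogonEvents"): "2",           # 2 = failure only
    ("Event Audit", "AuditPrivilegeUse"): "2",
    ("Security Log", "MaximumLogSize"): "5120",         # kilobytes
    ("Security Log", "AuditLogRetentionPeriod"): "0",   # 0 = overwrite events as needed
    ("Security Log", "RestrictGuestAccess"): "1",       # guests cannot read the log
    ("Registry Values", LSA + r"\LmCompatibilityLevel"): "4,2",        # REG_DWORD 2 = send NTLM response only
    ("Registry Values", LSA + r"\RestrictAnonymous"): "4,1",           # 1 = no enumeration of SAM accounts and shares
    ("Registry Values", LANMAN + r"\EnableSecuritySignature"): "4,1",  # sign server communication when possible
}

# Constructed export (secedit /export /cfg before.inf) from a machine the wizard has not touched.
SAMPLE_EXPORT = r"""[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
[Event Audit]
AuditAccountLogon = 0
AuditLogonEvents = 0
AuditPolicyChange = 0
AuditPrivilegeUse = 0
[Security Log]
MaximumLogSize = 512
AuditLogRetentionPeriod = 1
RetentionDays = 7
RestrictGuestAccess = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,0
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_template(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str                 # keep registry paths case-sensitive
    cp.read_string(text)
    return cp


def find_drift(export_text: str, expected=EXPECTED) -> Dict[str, Tuple[str, str]]:
    """Return {"Section\\Key": (actual, expected)} for every setting that does not match."""
    cp = parse_template(export_text)
    drift = {}
    for (section, key), want in expected.items():
        have = cp.get(section, key, fallback=None)
        if have is None or have.strip() != want:
            drift[f"{section}\\{key}"] = (have, want)
    return drift


def render_template(expected=EXPECTED) -> str:
    """Write the expected settings as an INF for: secedit /configure /db hard.sdb /cfg hard.inf"""
    sections: Dict[str, list] = {}
    for (section, key), value in expected.items():
        sections.setdefault(section, []).append(f"{key}={value}")
    lines = ["[Unicode]", "Unicode=yes"]
    for section, entries in sections.items():
        lines.append(f"[{section}]")
        lines.extend(entries)
    lines += ["[Version]", 'signature="$CHICAGO$"', "Revision=1"]
    return "\n".join(lines) + "\n"
```

Run find_drift over an export taken after the wizard to confirm the change set, and keep the pre-wizard export: applying it with secedit /configure is the only practical way to reverse the wizard.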
SPECIAL CONSIDERATIONS FOR PERIMETER NETWORKS
Although the ISA Server can be deployed simply as a secure gateway to the Internet, it can also serve in more complex, protective roles. The traditional setup requires two network interfaces, one with access to the Internet and the other on the protected private network, and it becomes easy to think only of internal and external networks and clients, and of inbound and outbound requests. Other arrangements place the ISA Server as the intermediary between the private network and a middle ground, the demilitarized zone (DMZ) or perimeter network: a no-man's land where servers that must be exposed to external access are walled off from the private network and yet afforded some protection. Two possibilities exist. The ISA Server can have three network cards, one for the external network, one for the internal network, and one for the perimeter network (see Figure 10.10); or the ISA Server can be used in tandem with another ISA Server or a firewall of another brand. The two firewalls act as boundaries: one has the external interface, the other the internal one, and both have an interface on the perimeter network (see Figure 10.11). The perimeter network servers are thus walled off from both the external and the internal networks.
FIGURE 10.10 The 3-homed perimeter network: the Internet (public network), the perimeter network, and the private network, each on its own ISA Server interface.
FIGURE 10.11 The back-to-back perimeter network: the Internet (public network), a firewall, the perimeter network, and a second firewall.
As you can imagine, these perimeter networks pose some challenges for firewall configuration and management. Issues to resolve are
• Configuring the LAT
• Publishing perimeter servers

Configuring the LAT
In the back-to-back (two-firewall) perimeter configuration, each firewall has an internal and an external network. The internal network of the Internet-exposed firewall is the external network of the internally connected firewall, so each firewall's LAT contains only the addresses behind it. The 3-homed firewall presents a special challenge. For it, only the interface directly connected to the internal network (and the internal address ranges behind it) should be included in the LAT. The address of the card connected to the perimeter network must never appear in the LAT, so neither the external interface nor the perimeter interface is in the LAT. If a perimeter address were in the LAT, ISA Server would treat the perimeter network as trusted, and traffic from it would bypass the controls applied to external networks.
Publishing Perimeter Network Servers
In a 3-homed configuration, both the Internet interface and the perimeter network are considered external networks. The Web proxy service can route requests from the internal network to the Internet, but routing Internet requests to the perimeter network requires IP routing. You create packet filters to allow routing of the desired traffic to each server in the perimeter network. To put this into perspective, recall the earlier example in which you "published" an internal Web server to the Internet: you used the Web Publishing Wizard to set up forwarding of packets from the external interface of the ISA Server to the Web server. In the 3-homed design the Web server resides on the perimeter network and a publishing rule does not work. Instead, you enable IP routing and create an allow packet filter for inbound TCP port 80 with the Web server's perimeter address as the local computer. Because such a filter opens the port statically, create one filter per server and per port rather than a broad filter, and leave everything else to the default drop. In a back-to-back perimeter network, the Internet-facing ISA Server considers both the perimeter network and the "real" internal network to be "internal"; only the Internet is external to it.
Chapter 10 FIREWALL CONFIGURATION

TROUBLESHOOTING ACCESS
Troubleshooting access problems can be complicated. There are many possibilities for misconfiguration. Untangling intentions and actual settings can get quite involved. You can handle this process in several ways:

1. Determine what should be happening. Is the desired access allowed? If not, then your problems are over. It is amazing how many long troubleshooting sessions can be avoided by asking this one simple question.
2. Classify the request. Is it inbound or outbound? Packet filters, publishing rules, routing rules, extensions, and application filters may affect inbound requests. Site and content rules, protocol rules, packet filters, application filters, and extensions affect outbound requests. The direction of the request will often clarify which processes to examine.
3. Detail the circumstances of the request. Where was the request made from? From a particular computer? (Does it work from a different one? What is the difference?) What is the IP address of that computer? What is the user account of the user making the request? In what groups do they have membership? What protocol was used? Where was the request going? The reason for success or failure involves many items. Often a single piece of information will send you directly to the cause. It’s far easier and faster to check one or two possible causes identified by checking these details than it is to mull over dozens of possibilities suggested by examining the interface.
4. After asking multiple questions you might not find yourself staring at a solution, but you might determine that the problem is packet based or user based. This qualification allows you to proceed in different directions: investigating packet filters and protocol rules on one hand, and user memberships and content groups on the other.

In addition to this generic troubleshooting approach to access problems, see the sections “Troubleshooting Client Connection” in Chapter 5 and “Troubleshoot Access Problems” in Chapter 12.
CHAPTER SUMMARY
It’s sometimes refreshing to realize that there are indeed multiple ways to skin a cat. That is, the tools available in ISA Server allow you to do things multiple ways. However, there are reasons for choosing one over the other, for example site and content rules and protocol rules over packet filters for controlling Internet access. There are some valid reasons for varying from the plan, and this chapter has presented them as well.
KEY TERMS
• 3-homed perimeter network
• Back-to-back perimeter network
• Basic authentication
• Digest authentication
• Integrated
• Pass-through authentication
• Certificates
APPLY YOUR KNOWLEDGE

Exercises

10.1 Testing Authentication and Packet Filter Creation

To understand authentication requirements and their impact on user access, you must test the reaction of clients to requests for authentication. To understand packet filters, create them. Configuring filters for objects you have alternative ways of producing is a good test of your skills. You know that you have had it working, so you know the problem lies with your configuration if it doesn’t work.

Estimated Time: 15 minutes

1. Configure the firewall to accept only authenticated requests. Configure two clients. Configure one with the firewall software and make the other a Web proxy client. Write site and content rules that allow and deny access to sites on the Internet. Log on to each computer in turn, using the same user account, and test access. What have you found out?
2. Use the Security Configuration Wizard and select Limited Services. Use the Security Configuration and Analysis Tool to analyze the changes made. (Compare the computer to the basicsv.inf security template.)
3. Configure access to an internal mail server without using publishing rules.

Review Questions

1. Why is it preferable to use application filters and/or publishing rules, protocol rules, and site and content rules instead of packet filters?
2. How can the underlying OS of the firewall be protected?
3. Why is this necessary?
4. Why will the default setup of ISA Server drop all packets at the external interface for which there is no rule or filter?
5. Why do several default ICMP packet filters exist?
6. What is the purpose of the DHCP client packet filter?
7. List the authentication methods in order from weakest to strongest.
Exam Questions

1. Charles is a new administrator at New Wave Ltd. When inspecting the ISA Server configuration, he observes that the firewall is not configured to filter IP fragments. He knows that a common attack can be foiled if the firewall is configured to drop these packets. He seeks out the firewall administrator and advises him to make this change. The firewall administrator brusquely tells him that this change cannot be made on this system. Why did the administrator do this? (See the section, “Configuring/Enabling IP Packet Filter Properties.”)
   A. The firewall administrator doesn’t like being shown up.
   B. The firewall administrator never listens to new people.
   C. The site is streaming video through the firewall.
   D. The site is way over capacity and turning on this feature would really slow down access to the Internet.

2. Information Systems Auditing has asked that a report be made for the next month that includes information on all packets that touch the firewall. What step(s) do you need to take?
   A. Nothing; ISA Server is already recording information on every packet that touches it.
   B. Configure the IP packet filter property Log packet from “allow.” The ISA Server normally doesn’t log these packets, but using this option makes it do so.
   C. Make the Registry key entry listed in the help under logging packets.
   D. Be sure disk capacity supports the increased log size necessary to record these events.

3. You want to configure FTP, download-only, access for some SecureNAT clients. (Select the best two.)
   A. Create packet filters that allow outbound access to ports 21 and 20.
   B. Only allow access to known sites which restrict access to download.
   C. Enable the FTP application filter.
   D. Create a protocol rule that allows the FTP client read-only protocol for SecureNAT clients (by client address set).

4. Carrie has configured the firewall client on her system in preparation for doing some testing of the ISA Server. She does not set her browser to retrieve requests from the ISA Server. She has an account in the domain to which the ISA Server computer belongs. She writes rules that deny access to certain sites. However, when she attempts to visit these sites, she finds she can. What is happening? (Select the best two.)
   A. She must be logged on using the wrong user account.
   B. The ISA Server does allow unauthenticated access.
   C. Because the HTTP filter is redirecting the firewall client, but not passing authentication information, the net effect is that there is no way to check which user is making the request.
   D. This is a known bug in HTTP access using the firewall client.

5. John has run the Security Configuration Wizard and now many clients that could access resources through the ISA Server cannot. What should he do?
   A. Reinstall; the wizard is irreversible.
   B. Examine the changes made by using the Security Configuration and Analysis (SCA) console. He can analyze the current configuration against the default server configuration and possibly determine what has been modified that would affect this change.
   C. Check the LM authentication method in Security Options. The Limited Services option of the wizard changes this to use NTLM only. By default, Windows 95/98 clients use LM for network authentication.
   D. Install the AD Client for Windows 9x.

6. To make the authentication process more secure, which authentication method(s) should be avoided?
   A. Digest
   B. Certificates
   C. Integrated
   D. Basic
Answers to Review Questions

1. Packet filters statically open ports. Other methods open the ports dynamically, only when the request is made. It is always preferable to have ports open only when needed. See the section, “Configuring New Packet Filters.”
2. Use standard hardening efforts to secure the OS. Apply service packs and security hot-fixes. Use NTFS. Use strong passwords. Use the Security Configuration Wizard to help harden the system. See the section, “The ISA Server Security Configuration Wizard.”
3. The firewall is only as strong as the system on which it is built. Compromise the underlying OS and you can forget the firewall. See the section, “The ISA Server Security Configuration Wizard.”
4. This is common practice for firewalls. You do not want anything to pass the boundary unless you have specifically allowed it to do so. See the section, “Configuring Packet Filter Rules.”
5. The ISA Server needs to know the status of the network on which it operates. See the section, “Examining Default Packet Filters.”
6. The DHCP client filter allows the ISA Server to accept an assigned IP address from an ISP for its external network interface. See the section, “Examining Default Packet Filters.”
7. Basic, Digest, Integrated, Certificates. See the section, “Authentication Rules.”
Answers to Exam Questions

1. C. Streaming video may include fragmented packets. A and B may also be a problem, or they might not be; we have no way of telling, and we do have another good reason. D is incorrect. This is not a reason to not use this feature. See the section, “Configuring/Enabling IP Packet Filter Properties.”
2. B, D. To capture all packets you must “allow” allowed packets to be logged. You need extra disk space to do this. A and C are incorrect. ISA Server is not recording “allows.” There is no Registry key listed in help. See the section, “Configuring/Enabling IP Packet Filter Properties.”
3. C, D. A and B do not restrict FTP users to download only. You cannot rely on sites to prevent this. See the section, “FTP Access Filter.”
4. B, C. A could be true, but it is the incorrect answer because if she is using her real account the same thing will happen. D is incorrect. See the section, “HTTP Redirector Filter.”
5. B, C, D. He may need to examine the changes made; the SCA will help him do so. It is also reasonable to expect that because Windows 9x clients use LM, this parameter change is the problem. If LM is the issue, adding the LM client will allow him to configure these clients to use NTLM. A is incorrect. Never reinstall as a first choice when problems occur. See the section, “The Security Configuration Wizard.”
6. D. Basic authentication is not encrypted. See the section, “Authentication Rules.”
Suggested Readings and Resources

1. Comer, Douglas. Internetworking with TCP/IP Vol. I: Principles, Protocols, and Architecture. Prentice Hall; ISBN: 0130183806.
2. Lee, Thomas, and Joseph Davies. Microsoft Windows 2000 TCP/IP Protocols and Services Technical Reference. Microsoft Press, 2000; ISBN: 0735605564.
OBJECTIVES
This chapter covers the following Microsoft-specified objectives for the Configuring, Managing, and Troubleshooting Policies and Rules section and the Configuring and Troubleshooting ISA Server Services section of the Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server 2000 exam:

Manage ISA Server arrays in an enterprise.
• Create an array of proxy servers
• Assign an enterprise policy to an array

A major advantage of ISA Server Enterprise edition is the ability to centrally manage multiple ISA Server computers by placing them in an array or arrays and setting enterprise and array level policies. Each array can have a different policy and, thus, a tiered policy can be created to effectively manage both centralized and decentralized IT environments.

Configure multiple ISA Server computers for scalability. Configurations include Network Load Balancing (NLB) and Cache Array Routing Protocol (CARP).

Once servers are combined in arrays, they can be configured for efficiency, scalability, and fault tolerance. Cache Array Routing Protocol (CARP) can create one logical cache out of multiple ISA Server computers in an array, and Network Load Balancing can maximize throughput and provide added fault tolerance.
CHAPTER 11
Manage ISA Server in the Enterprise
OUTLINE

Introduction 339
Managing and Configuring Arrays 339
   Understanding Hierarchical and Distributed Arrays 340
   Understanding Enterprise Policy Scope 340
      Using Array Policy Only 341
      Using This Enterprise Policy 342
   Managing ISA Server Arrays 342
      Creating Arrays 343
      Creating and Assigning Enterprise Policies 345
      Configuring Policies 346
      Backing Up Array and Enterprise Configurations 347
      Promoting a Standalone Server 348
Configuring for Scalability 350
   Configuring Cache Array Routing Protocol (CARP) 350
      Understanding CARP 351
      Enabling CARP—Array Properties 351
      Configuring Server Listeners and Load Factors 352
   Configuring Network Load Balancing 352
Chapter Summary 355
Apply Your Knowledge 356
   Exercises 356
   Review Questions 356
   Exam Questions 357
   Answers to Review Questions 359
   Answers to Exam Questions 359

STUDY STRATEGIES

• Haul out the test boxes, dump the standalone ISA Servers, and install at least two systems in an array.
• Concentrate your efforts on determining how policies are defined, created, and assigned to an array.
• Examine Network Load Balancing in Windows 2000 Help as well as other documentation. If you are comfortable with this software-based clustering feature on its own, you will be better equipped to understand how it can mesh with ISA Server.
INTRODUCTION
Ever since man has been able to afford two computers, he has looked for ways to make them work as one. There have been many attempts and successes at harnessing the combined power of multiple systems, but many of the most useful, efficient, and least expensive strategies have been software-based algorithms that distribute the workload between systems. These efficient algorithms, which seek to scale systems and multiply processing power, also in many cases provide fault tolerance for distributed systems. Because the systems are inextricably linked, when one system fails, the other is available. This is achieved for ISA Server by arranging servers in distributed and hierarchical arrays and by utilizing the twin scalability solutions: Cache Array Routing Protocol (CARP) and Network Load Balancing (NLB). To understand and use these algorithms, it is essential to understand the basic policy structure of the Enterprise edition of ISA Server.
MANAGING AND CONFIGURING ARRAYS
The basic management element of the Standard edition ISA Server is the server. Policies are developed and used at the server level. There is no way to write one policy and have it impact multiple servers. In the Enterprise edition, multiple tiers of ISA Servers can be arranged and managed comprehensively. The following structures are possible:

• Enterprise level policies are assigned to arrays of ISA Servers.
• Multiple enterprise policies and multiple arrays can coexist.
• Enterprise level policies determine the ability of array policies to modify enterprise policy at the array level.
• Array level modifications can only further tighten security, not reduce it.
EXAM TIP
Connect To… It is possible to manage multiple Standard edition ISA Servers from one location. In the ISA Server Management console, right-click the Internet Security and Acceleration Server icon and select Connect To, then select the server to manage. You are, however, really only managing one server at a time. You cannot write a policy that controls multiple servers automatically.
Just as the basic level of management and control in the Standard edition is the server, the basic level of control in the Enterprise edition is the array. This is why any study of enterprise policy is ultimately a study of arrays. This study involves:

• Understanding Hierarchical and Distributed Arrays
• Understanding Enterprise Policy Scope
• Managing ISA Server Arrays
Understanding Hierarchical and Distributed Arrays
For ISA Server, two array-based solutions exist: hierarchical and distributed. These array types are distinct. Do not get them confused. Hierarchical arrays are chains of ISA Servers and can be established for Standard and Enterprise edition ISA Servers. It is a simple matter of configuring the server to forward requests to other ISA Servers instead of directly to the requested source. Chains of distributed arrays are also possible. Hierarchical arrays were discussed in Chapter 5, “Outbound Internet Access.” Distributed arrays are collections of Enterprise edition ISA Servers and are managed by assigning enterprise and array policies. They can only be created using the Enterprise edition of ISA Server. They offer multiple advantages, including centralized management, fault tolerance, and improved processing efficiency.
Understanding Enterprise Policy Scope
Policies are created at the enterprise level but assigned to individual arrays. The true meaning of any policy exists in its focus of control or scope. To manage and control distributed arrays of ISA Servers:

• Define enterprise policies
• Assign enterprise policies to arrays
• Write rules and apply filters at the enterprise policy level
• If allowed, write rules and apply filters at the array level
Because multiple enterprise policies can exist, and because the enterprise policy assigned to an array determines what options are available at the array level, it is important to understand the types of enterprise policies that can be developed, and the scope of their power. Three basic policy scopes exist:

• Combined Array and Enterprise Policy. Management is potentially split between enterprise and array level policies.
• Array Policy Only. The “enterprise policy” gives control to the managers of array level policy.
• Enterprise Policy Only. All policies are set at the enterprise level.

The type of policy applied at the array level is first determined during ISA Enterprise Initialization (see Figure 11.1). This policy is applied to the array created during the installation of the first ISA Server in the forest. Because multiple enterprise policies can be created, as well as multiple arrays, the initial policy does not control the final management of policy. After installation, you can create new policies and assign them to arrays as required. By applying a variety of enterprise policies, with and without options for management at the array level, a tiered policy can be developed in which enterprise administrators (those in the Enterprise Admins group) manage the overall policies for all ISA Server controlled access between internal and external networks, and array administrators (those in the Domain Admins group) restrict array level policies further where allowed.

FIGURE 11.1 Initial enterprise policy.

NOTE
Restricting ISA Server Management You might want to restrict ISA Server enterprise or array management to select administrators. To do so, create Active Directory groups and assign appropriate permissions on ISA Server objects. An outline of the process was described in Chapter 3, “Installing ISA Server.”

Using Array Policy Only
If this enterprise policy is chosen, rules are not written at the enterprise level. All rules are written at the array level. This distributes control of ISA Servers to administrators closer to the area where the ISA Servers are located. This is suitable and desirable in an organization where IT is itself decentralized. No all-encompassing policy or management structure exists to centrally control all ISA Servers; instead, each array can be managed on its own. Management is similar to the management of a single ISA Server, except that the policies created are applied to all ISA Servers in the array.
Using This Enterprise Policy
An initial enterprise policy is created and assigned to the first ISA Server array. The first ISA Server array is created during the installation of the first ISA Server in the forest. The first enterprise policy is therefore created during the initialization of the Active Directory schema by the ISA Enterprise Initialization tool. During initialization, the following choices can be made:

• A name for the policy.
• Allow array-level access policy rules that restrict enterprise policy. Array policy rules can never be weaker than the enterprise policy rules.
• Allow publishing rules. Publishing rules are created at the array level.
• Force packet filtering on the array. This prevents an array level administrator from configuring IP routing without packet filters. By default, all packets are dropped at the external interface unless rules exist which allow other action.
Managing ISA Server Arrays
Manage ISA Server arrays in an enterprise.

All Enterprise edition ISA Servers installed in an ISA Server updated Active Directory have the choice of being installed into an array or acting as a standalone ISA Server. To participate in centralized management, and to benefit from the Active Directory environment, they should be installed in an array. Standalone ISA Servers can be promoted to array membership at a later time. ISA Servers are then managed by:

• Creating arrays
• Creating and assigning enterprise policies to arrays
• Configuring policies
• Storing and backing up array and enterprise configurations
• Promoting standalone servers to array membership
Creating Arrays
Create an array of proxy servers.

During each Enterprise edition ISA Server installation, there is an opportunity to install the ISA Server into an array (see Figure 11.2). You then have the opportunity to name the array (the default is the computer name) or choose an existing array (see Figure 11.3). If you decide to use a new array, you must select an enterprise policy to apply or configure a new one. Only enterprise administrators can use anything other than the default enterprise policy settings. All array members must be installed in the same mode.

FIGURE 11.2 Install in an array?

After installation, new arrays can be created (see Step by Step 11.1) and ISA Enterprise edition servers can be moved between arrays.

STEP BY STEP 11.1 Creating a New Array
1. Right-click on Internet Security and Acceleration Server\Servers and Arrays and select New Array.
2. Enter a name for the array and click Next.
3. Select the Windows 2000 Site in which this server exists (see Figure 11.4).
4. Select the Windows 2000 domain for this server. Click Next.
5. Create a totally new array, or copy the configuration of an existing array (see Figure 11.5). Click Next.
6. If Copy is chosen, skip to the end of this Step by Step. There are no further choices to be made.
7. Select Enterprise Policy settings (see Figure 11.6). Click Next.
8. Specify array policy options at the enterprise level (see Figure 11.7). Click Next.
9. Specify array type (see Figure 11.8). Click Next.
10. Review choices and click Finish.

FIGURE 11.3 Assign an enterprise policy.
FIGURE 11.4 Choosing site and domain.
FIGURE 11.5 Create copy.
FIGURE 11.6 Select enterprise policy.
FIGURE 11.7 Specify array level policy.
FIGURE 11.8 Specify array mode.
Creating and Assigning Enterprise Policies
Assign an enterprise policy to an array.

Policies are assigned to arrays during array creation, or from the Arrays Property page of the policy (see Figure 11.9).

EXAM TIP
Array Modes Array modes are selected during the creation of arrays. The first array in the enterprise receives its array mode from the mode selected during that server installation. ISA Servers must be part of arrays that match their installation mode.

To create new policies, follow Step by Step 11.2.
STEP BY STEP 11.2 Creating New Enterprise Policies
1. Right-click on the Internet Security and Acceleration Server\Enterprise\Policies node (see Figure 11.10) and select New Policy.
2. Name the policy and click Next.
3. Click Finish.
4. Open the Properties page of the new policy.
5. On the Array page, select the arrays to which to assign this policy (refer to Figure 11.9).
6. Click OK.
7. A message warns you that configuration has changed and you should back up the policy. Click OK.

FIGURE 11.9 Assigning an enterprise policy to an array.
Configuring Policies
After policies are created and assigned to arrays, how do they influence traffic that wants to cross ISA Server boundaries? First, you must understand that the initial configuration of enterprise policy only determines a limited set of possibilities:

• Will the enterprise policy rule, or are only array policies allowed?
• If enterprise policies set the rules, will array policies be allowed to further restrict them?
• Are publishing rules allowed?
• Is packet filtering forced on the array?

FIGURE 11.10 The policies node.
After a policy has been assigned to an array, some items may be configured and rules must be written at the enterprise or (if allowed) array level. Chapter 12, “Access Control in the Enterprise” describes the process. Figure 11.11 illustrates the locations used to configure enterprise policy site and content rules and protocol rules and array level access policy.
Backing Up Array and Enterprise Configurations
Array and enterprise configuration information is stored in the Active Directory for array members. A backup utility is provided to back up enterprise and array information to files. This requires two separate procedures. Server-specific information, such as cache content, activity logs, reports, and enterprise policy, is not backed up. To back up enterprise configuration, right-click the enterprise object in the ISA Management console and select Back Up. Identify the file and path to save the configuration and click OK. Backing up arrays is outlined in Step by Step 11.3. Array configuration information consists of:

• Access policy rules
• Publishing rules
• Policy elements
• Alert configuration
• Array properties
• Cache configuration

To back up this information to a file, follow Step by Step 11.3. To restore, follow Step by Step 11.4.

FIGURE 11.11 Locating enterprise and array access policies.

EXAM TIP
Configuring and Modifying Policies Four opportunities exist for configuring and modifying policies:
• The first step in creating enterprise policy is accomplished during the initialization of the schema.
• This policy can be modified when arrays are created.
• New enterprise policies can be created.
• Policies are further defined by writing rules at the enterprise and array level.
STEP BY STEP 11.3 Backing Up Array Configuration Information
1. Right-click the array to back up and select Back Up.
2. Enter or browse to the location and name of the file to back up to.
3. Enter a comment and click OK (see Figure 11.12).
4. Click OK on the Success message.

FIGURE 11.12 Finding the backup and restore utilities.

STEP BY STEP 11.4 Restoring Array Configuration Information
1. Right-click the array to restore and select Restore.
2. At the warning message, “Are you sure you want to overwrite the existing policy with the back up?” click Yes.
3. Enter or browse to the location and name of the backup file.
4. Click OK.
5. The Backup file information, including your comment, is displayed (see Figure 11.13). Click OK (or click Cancel to cancel the restore).
6. Click OK on the success message.

FIGURE 11.13 Backup file information.

EXAM TIP
Back Up Order Enterprise configuration information may affect array policies and, therefore, should be backed up prior to backing up array configuration.
Promoting a Standalone Server
ISA Enterprise edition servers that were installed as standalone servers can be promoted to array membership. The following conditions must be met:

• The standalone server must be Enterprise edition.
• The enterprise must be initialized.
• The Windows 2000 computer which hosts the ISA Server must be a member of a Windows 2000 domain.
• The administrator performing the promotion must be an Administrator on that machine to accept the default enterprise policy.
• The administrator performing the promotion must be an administrator on the machine and an enterprise administrator to modify the enterprise policy for the array.

During the promotion, some policies may be modified. This depends on the status of the enterprise policy that the new array acquires. Table 11.1 defines the potential for change.

TABLE 11.1 ARRAY POLICY MODIFICATION DURING PROMOTION

Enterprise Policy Setting                  Change in Policy
Policy managed entirely by arrays          No changes
Policy managed entirely by enterprise      Delete all array policies
Policy managed by enterprise and array     Delete all “allow” policies
Publishing allowed?—Yes                    Publishing rules retained
Publishing allowed?—No                     Publishing rules deleted
To promote a standalone server, follow Step by Step 11.5.
STEP BY STEP 11.5 Promoting a Standalone ISA Server
1. Right-click the Servers and Arrays\name, and select Promote.
2. Click Yes.
3. Click OK to confirm the adoption of the default enterprise policy for this array.
4. Or, use the Set Global Policy dialog box to change the enterprise policy applied to this array. (You must be a member of Enterprise Admins.)
CONFIGURING FOR SCALABILITY
Configure multiple ISA Server computers for scalability. Configurations include Network Load Balancing (NLB) and Cache Array Routing Protocol (CARP).

ISA Server distributed arrays enable centralized management of multiple ISA Servers, but they also allow Web caching to scale and offer the benefit of fault tolerance. This is done by using additional ISA Server and Windows 2000 algorithms:

• The Cache Array Routing Protocol (CARP) is used to manage cached objects.
• The Windows 2000 Network Load Balancing service is used to manage network load on servers in the array.
Configuring Cache Array Routing Protocol
When ISA Servers are combined in a single array and caching is enabled, the Cache Array Routing Protocol (CARP) algorithm is used to efficiently locate storage space for and retrieve cached objects. Because multiple servers are involved, more data can be stored and retrieved in a more efficient manner. Throughput increases and the loss of one server does not prevent Web access. Although CARP is enabled by default for outgoing Web requests, there are several elements that can be configured. Before you do so, you need to study the following:

• Understanding CARP
• Enabling CARP—array properties
• Configuring server listeners and load factors
Understanding CARP
CARP is a routing algorithm that efficiently determines the best location for a retrieved object. When the object is requested again, the CARP algorithm can be used to locate it. The entire array of ISA caching servers is managed as a single logical array. No object is stored more than once. As servers are added to the array, CARP becomes more efficient. Here’s how CARP works: Array membership is kept in the Active Directory. When new members join the array, array members are notified. Web proxy clients and downstream servers (chained to forward requests to the upstream array) request an array membership list.

1. When the downstream server or a Web proxy client requests an object, they use the membership list and a hash function (over the array member identities and request URLs) to pick a server to resolve the request (the server is identified by the hash with the highest value).
2. The request is routed to this server.
3. The server determines if it should handle the request.
4. If no, then it forwards it to another member server or Internet host.
5. If yes, then it returns the cached object if present, or retrieves the object, places it in its cache, and returns it to the requesting Web proxy client.
Enabling CARP—Array Properties Outgoing Web requests are CARP enabled by default, but incoming requests are not. You can disable or modify the distribution of the load over servers in an array. To enable or disable CARP, open the Outgoing Web Requests or Incoming Web Requests Property page for the array and check or uncheck the Resolve Requests within Array Before Routing box (see Figure 11.14).
FIGURE 11.14 Enable CARP.
Part III
CONFIGURING, MANAGING AND TROUBLESHOOTING POLICIES AND RULES

WARNING: Gotcha! Be sure that, for each array member, a listener is configured for the IP address specified in the intra-array address property (see Figure 11.15). This is done on each server’s Properties pages.
Configuring Server Listeners and Load Factors CARP is enabled in array properties. However, for CARP to work, listeners on each server must be configured to use an address for intra-array communications. You may also want to balance the load factor on servers within the array. To do this follow Step by Step 11.6.
STEP BY STEP 11.6 Configuring Load on Array Servers
1. Right-click the server icon in the Servers and Arrays\arrayname\Computers folder.
2. Select the Array Membership tab (see Figure 11.15).
3. In the Intra-array Communication box, verify that the IP address chosen is in the LAT.
4. In the Load Factor box, indicate a number from 1 to 100 that indicates the relative cache availability of the server. To determine the best number here, compare the relative processing power, RAM, and drive size of the server to other servers in the array.
FIGURE 11.15 Configuring server properties.
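The hashing step from “Understanding CARP” together with the load factor from Step by Step 11.6, modelled as a short script. This is an added example, not code from the book or from ISA Server: the SHA-256 based scoring and its load-factor weighting are assumptions made for illustration (not the hash CARP or ISA Server actually use), and the member names and URLs are constructed.

```python
"""CARP-style request routing with load factors (added example, not ISA Server code).

Models the walkthrough in "Understanding CARP": a Web proxy client hashes the
request URL together with every array member's identity, scales the result by
that member's load factor, and sends the request to the member with the
highest score. The hash and scaling rule are simplifications for this example.
"""
import hashlib
from collections import Counter

# Constructed array: three members with load factors (1-100) as set on the
# Array Membership tab. "isa3" has twice the cache capacity of the others.
MEMBERS = {"isa1": 50, "isa2": 50, "isa3": 100}

# Constructed request URLs, enough to see the share each member receives.
URLS = [f"http://www.example.test/catalog/item{i}.html" for i in range(2000)]


def member_score(member, url, load_factor):
    """Score one array member for one URL; the highest score wins the request.

    The score depends only on (member, url), so every client and downstream
    server computes the same winner without asking the array. Raising a
    uniform hash value to the power 1/load_factor makes a member win a share
    of URLs proportional to its load factor divided by the sum of all factors.
    """
    if not 1 <= load_factor <= 100:
        raise ValueError("load factor must be between 1 and 100")
    digest = hashlib.sha256(f"{member}|{url}".encode("utf-8")).digest()
    uniform = int.from_bytes(digest[:8], "big") / 2 ** 64  # in [0, 1)
    return uniform ** (1.0 / load_factor)


def choose_member(members, url):
    """Pick the array member that should resolve `url` (step 1 of the walkthrough)."""
    return max(members, key=lambda m: member_score(m, url, members[m]))


def distribution(members, urls):
    """Count how many of `urls` route to each member."""
    return Counter(choose_member(members, u) for u in urls)


def remapped_urls(before, after, urls):
    """URLs whose routing changes when membership moves from `before` to `after`.

    Each member's score is independent of the others, so removing a member
    re-routes only the URLs that member was serving; every other cached
    object stays where it is. That is why losing one array member does not
    invalidate the rest of the array's cache.
    """
    return {u for u in urls if choose_member(before, u) != choose_member(after, u)}


if __name__ == "__main__":
    print("share per member:", dict(distribution(MEMBERS, URLS)))
    survivors = {m: f for m, f in MEMBERS.items() if m != "isa3"}
    moved = remapped_urls(MEMBERS, survivors, URLS)
    print(f"after losing isa3, {len(moved)} URLs move; all were isa3's:",
          all(choose_member(MEMBERS, u) == "isa3" for u in moved))
```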
Configuring Network Load Balancing
Although CARP provides fault tolerance to Web proxy clients, SecureNAT clients do not recognize array names, and so CARP does not provide them with any fault tolerance. However, when ISA Server is installed on Windows 2000 Advanced Server, all clients can benefit from the load balancing and fault tolerance properties of Network Load Balancing (NLB). This Windows 2000 feature is a software algorithm that balances the workload between multiple ISA Servers in an NLB cluster. The solution is purely software based. The clients do not know they are addressing a cluster, and the ISA Server software knows nothing about the cluster either.
Each ISA Server computer has a unique IP address on the internal network but, in addition, shares a single IP address that represents the cluster. Client requests are distributed across the hosts. To plan the installation of NLB for ISA Server, use Step by Step 11.7. Table 11.2 lays out the configuration information for a three-member NLB cluster. To use this information to configure an individual server, use Step by Step 11.8.
STEP BY STEP 11.7 Planning NLB for ISA Server
1. Verify that ISA Servers in the cluster are installed in the same mode.
2. Assign a unique IP address to the cluster and assign a fully qualified domain name for this address.
3. The primary network address of each ISA Server computer’s internal interface adapter uses this cluster address. All ISA Server computers have the same primary address in the NLB configuration.
4. Assign a unique priority to each machine in the NLB cluster.
5. Set the dedicated IP address to the IP address of the ISA Server’s internal network adapter. (This address can be used to individually address a single server.)
6. If a server has two internal network adapters, the one that receives the dedicated address should have a lower metric value (higher priority) than the adapter with the cluster address.
7. If a server has one internal network adapter, the dedicated address should be ordered first.
8. The default gateway for SecureNAT clients is the cluster IP address. Thus, all SecureNAT requests are handled by Network Load Balancing.
NOTE: Check This Out. This discussion is not meant to be a complete tutorial on NLB. There are many other clustering factors, such as whether to use multicasting, how many network cards to use in each system, whether to limit NLB support for specific ports, and how to manage NLB clusters remotely, that should be studied prior to deploying this feature. A number of resources are listed at the end of this chapter.
TABLE 11.2
NLB PLANNING DATA

Cluster Parameters (identical on every server: Meaney, Miney, Moe)
  Cluster (primary IP address): 192.168.7.50
  Subnet mask: 255.255.255.0
  Full Internet name (FQDN; be sure to register this with DNS): ClusterA.peachweaver.me
  Network address: generated by NLB from the cluster IP address

Host Parameters           Meaney          Miney           Moe
  Priority                1               2               3
  Dedicated IP address    192.168.7.5     192.168.7.6     192.168.7.7
  Subnet mask             255.255.255.0   255.255.255.0   255.255.255.0
FIGURE 11.16 Selecting NLB.
STEP BY STEP 11.8 Configuring NLB Interface
1. Open the properties page for the internal interface network adapter.
2. Click the Network Load Balancing item in the Components Checked Are Used By This Connection window (see Figure 11.16).
3. Click the Properties button.
4. On the Cluster Parameters page, fill in the cluster data (see Figure 11.17).
5. On the Host Parameters page, fill in the host data (see Figure 11.18).
FIGURE 11.17 Configuring the cluster page.
FIGURE 11.18 Configuring the host page.
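The planning rules of Step by Step 11.7 applied to the data in Table 11.2, as a pre-deployment consistency check. This is an added example, not code from the book or from Microsoft’s NLB tooling: the names and addresses are those of Table 11.2, while the dictionary layout and the installation-mode field are assumptions made for the illustration.

```python
"""Consistency check for an NLB plan (added example, not Microsoft tooling).

Encodes the rules from Step by Step 11.7 so that a plan such as Table 11.2
can be checked before anyone opens the Network Load Balancing property pages.
"""
import ipaddress

# Cluster parameters: one set, shared by every host (Table 11.2).
CLUSTER = {
    "primary_ip": "192.168.7.50",
    "subnet_mask": "255.255.255.0",
    "fqdn": "ClusterA.peachweaver.me",
}

# Host parameters, one entry per array member (Table 11.2). "mode" is the
# ISA Server installation mode, which step 1 requires to be identical.
HOSTS = [
    {"name": "Meaney", "priority": 1, "dedicated_ip": "192.168.7.5",
     "subnet_mask": "255.255.255.0", "mode": "integrated"},
    {"name": "Miney", "priority": 2, "dedicated_ip": "192.168.7.6",
     "subnet_mask": "255.255.255.0", "mode": "integrated"},
    {"name": "Moe", "priority": 3, "dedicated_ip": "192.168.7.7",
     "subnet_mask": "255.255.255.0", "mode": "integrated"},
]


def validate_nlb_plan(cluster, hosts):
    """Return a list of problems found; an empty list means the plan is consistent."""
    problems = []
    cluster_ip = ipaddress.ip_address(cluster["primary_ip"])
    cluster_net = ipaddress.ip_network(
        f"{cluster['primary_ip']}/{cluster['subnet_mask']}", strict=False)

    # Step 1: every server in the cluster runs in the same ISA Server mode.
    modes = {h["mode"] for h in hosts}
    if len(modes) > 1:
        problems.append(f"mixed ISA Server modes in one cluster: {sorted(modes)}")

    # Step 2: the cluster address needs a fully qualified domain name.
    if "." not in cluster["fqdn"]:
        problems.append(f"cluster name {cluster['fqdn']!r} is not fully qualified")

    # Step 4: priorities are unique, and together they cover 1..N.
    priorities = [h["priority"] for h in hosts]
    if sorted(priorities) != list(range(1, len(hosts) + 1)):
        problems.append(f"priorities must be unique and cover 1..{len(hosts)}: {priorities}")

    # Step 5: each dedicated address identifies exactly one server, differs
    # from the shared cluster address, and sits on the cluster's subnet.
    seen = set()
    for h in hosts:
        ip = ipaddress.ip_address(h["dedicated_ip"])
        if ip in seen:
            problems.append(f"{h['name']}: dedicated address {ip} is reused by another host")
        seen.add(ip)
        if ip == cluster_ip:
            problems.append(f"{h['name']}: dedicated address equals the cluster address")
        if ip not in cluster_net:
            problems.append(f"{h['name']}: dedicated address {ip} is not on {cluster_net}")
        if h["subnet_mask"] != cluster["subnet_mask"]:
            problems.append(f"{h['name']}: subnet mask differs from the cluster mask")
    return problems


def securenat_default_gateway(cluster):
    """Step 8: SecureNAT clients use the cluster IP, never one host's dedicated IP."""
    return cluster["primary_ip"]


if __name__ == "__main__":
    print("problems:", validate_nlb_plan(CLUSTER, HOSTS) or "none")
    print("SecureNAT default gateway:", securenat_default_gateway(CLUSTER))
```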
CHAPTER SUMMARY Combining multiple ISA Servers in an array can have striking results. Not only can multiple ISA Servers be centrally managed, but their efficiency and fault tolerance can be improved as well. You should take note of the additional benefits to be gained by using Network Load Balancing (NLB) and the Cache Array Routing Protocol (CARP).
• Network load balancing
• Array mode
• Primary network address
APPLY YOUR KNOWLEDGE

Exercises
11.1 Creating a Tiered Enterprise
A tiered enterprise is one in which at least one array exists and policy is partially established at the enterprise level and partially at the array level. Creating such an example in a test environment is a good way to work out your understanding of the various issues involved in such an extended policy. This arrangement also allows you to fail in a limited manner; the only consequence is your time in working through the process, not in denying users access, or in opening holes and compromising security for your company. It’s also certainly a lot easier to do and to troubleshoot in a lab where servers are closely located, versus where they may be located in geographically distinct areas.
Estimated Time: 30 minutes
1. Initialize the enterprise. Create a default policy that allows array configurations to restrict enterprise policy, in which publishing is allowed and packet filtering is forced on the array.
2. Install an enterprise ISA Server in integrated mode in an array. Accept the default policy.
3. Install a second enterprise ISA Server in the same array.
4. Create three additional policies. Create one that is array only, one which is enterprise only, and one which does not force packet filtering on the array.
5. Create three additional arrays. (You can create arrays without having additional servers.) Assign the other policies to the new arrays—a different one for each array.
6. Create at least one user account that is in the Domain Admins and local Administrators group but not in the Enterprise Admins group.
7. Investigate the Property pages of each array, first as Enterprise Admins, and then as Domain Admins. Where are enterprise policy properties kept? Can Domain Admins change policy properties?
8. Investigate each policy. Where are site and content rules defined? Where are policy elements defined?

Review Questions
1. Match each Internet access management requirement in column A of Table 11.3 with the appropriate policy scope by writing the scope in column B. If the requirements cannot be met and enforced by one of the scopes, enter N/A.

TABLE 11.3
MATCHING POLICY SCOPE TO REQUIREMENTS

A - Requirement                                                                                   B - Scope
Individual locations set the policy for their employees.
Corporate sets the policy for all locations. There can be no variations.
Corporate sets the policy. Local organization can only restrict this policy.
Corporate allows location to control existence of packet filtering.
Corporate allows location to publish servers.
Corporate sets the policy, but local organizations can expand this policy to allow special circumstances.

2. The Abscomo Chemical Company requires a distributed Internet access policy. Corporate policy sets the overall policy, but allows each location to manage its own implementation. There is one exception: access from corporate headquarters. This must follow an exact policy as defined by IT. How would you implement this using ISA Server arrays and policies?
3. Examine Figure 11.19. Is this a workable enterprise array structure? Why or why not?
4. Are enterprise policies modified after creation? How?
5. John promoted ISA1, a standalone ISA Server, to membership in the Concerto ISA Server array. When he examines the configuration of ISA1 after the promotion, he finds that the publishing rules have been deleted. When he tries to re-enter the rules, he finds he cannot. What is happening?

FIGURE 11.19 Question 3. (Location San Francisco, Array West, includes these servers: ISA5 - array only policy; ISA6 - enterprise only policy. Location New York, Array New York, will include the following servers: ISA1 - firewall; ISA2 - caching; ISA3 - integrated.)

Exam Questions
1. After enterprise initialization and creation of an ISA Server array, five additional ISA Servers are added to the array. Six months later, the enterprise policy is creating too much work for the members of the Enterprise Admins group. Corporate policy does not require absolute centralized control over Internet access. What can be done to alleviate the problem?
   A. Add new members to the Enterprise Admins group.
   B. Change the enterprise policy so that Domain Admins can share some of the load.
   C. Change the enterprise policy so that Server Administrators can share some of the load.
   D. Create a new group that does not have Enterprise Admins privileges, but can be assigned management tasks on the ISA Servers.
2. To ensure ISA Server recovery and the availability of potential intrusion detection information after a hard disk crash, you should follow this step:
   A. Back up the enterprise configuration.
   B. Back up the array configuration.
   C. Back up the enterprise and the array configuration.
   D. Back up enterprise and array configuration and ISA logs.
3. John is examining the logs of the company Web server, and comparing statistics with those of a month ago. Two weeks ago the Web server was placed behind an ISA Server array and a publishing rule to route requests to the Web server was written on the array. John had expected to find a reduction in the number of hits against the Web server because he thought the ISA Server array would perform reverse caching and store the Web server pages in its cache. He calls you in to explain or rectify the situation. You:
   A. Tell John that only standalone ISA Servers can do reverse caching.
   B. Fix it by enabling reverse caching. You visit each array member’s property page and check the Enable Reverse Caching statement.
   C. Fix it by enabling reverse caching. You visit the array property page Incoming Web Requests and check the box: Resolve Requests Within Array Before Routing. You also check that a listener for each server is configured to use an intra-array communications address.
   D. Replace the publishing rule with packet filters.
4. There are seven computers in the Astra ISA Server array. Each server has a different amount of RAM, different amounts of disk space available for cache, and a different processor. To balance the load placed on each server:
   A. Configure Network Load Balancing. Each computer’s load will be adjusted automatically as NLB discovers the strengths and weaknesses of each computer.
   B. Configure Network Load Balancing. Manually adjust each computer’s load factor.
   C. Configure CARP. Manually adjust each computer’s load factor and point listeners to the address for intra-array communications.
   D. Configure CARP. Each computer’s load will be adjusted automatically as CARP discovers the strengths and weaknesses of each computer.
5. In the Windows 2000 domain Shazam, an array of ISA Servers has been installed to manage Internet access. All clients are configured as SecureNAT clients. To balance the load with the minimum amount of work necessary, you should:
   A. Configure the array to use CARP.
   B. Configure the array to use NLB.
   C. Configure the array to use both CARP and NLB.
   D. Configure a hardware cluster.
6. Mary is configuring a three-member ISA Server array for NLB. Figure 11.20 shows the configuration. Which address(es) should the SecureNAT clients use as their default gateway?
   A. 192.168.77.55
   B. 192.168.77.50, 192.168.77.51, 192.168.77.52
   C. 208.56.83.10
   D. 192.168.77.150
FIGURE 11.20 Question 6. (Three-member array with external addresses 208.56.83.10, 11, 12 facing the Internet; internal addresses 192.168.77.50, 192.168.77.51, 192.168.77.52; NLB IP 192.168.7.55; DNS Server 192.168.77.51.)

Answers to Review Questions
1. See Table 11.4. See the section, “Understanding Enterprise Policy Scope.”
2. Create a separate array for each location. Assign the Array Only scope choice. Create an array for headquarters—assign the Enterprise Only scope choice. See the section, “Understanding Enterprise Policy Scope.”
3. Server modes must be the same within an array. Only one policy can be assigned per array. See the section, “Creating Arrays.”
4. Enterprise policies can be modified. You must be a member of Enterprise Admins to do so. The policy is modified within the properties page of the Array. See the section, “Configuring Policies.”
5. The Concerto ISA Server array must be set to disallow array level publishing rules. See the section, “Promoting a Standalone Server.”

TABLE 11.4
MATCHING POLICY SCOPE TO REQUIREMENTS

A - Requirement                                                                                   B - Scope
Individual locations set the policy for their employees.                                          Array only
Corporate sets the policy for all locations. There can be no variations.                         Enterprise only
Corporate sets the policy. Local organization can only restrict this policy.                     Enterprise and array mixed
Corporate allows location to control existence of packet filtering.                              Enterprise with force packet filtering not checked
Corporate allows location to publish servers.                                                    Enterprise with publish selection checked
Corporate sets the policy, but local organizations can expand this policy to allow special circumstances.   N/A
Answers to Exam Questions
1. D. A new group can include individuals who are qualified to modify ISA Server rules, but they do not have to be given privileges on other W2K domain items. A is wrong. The number of Enterprise Admins should be minimized. B, C: Although these groups could be used as the group in answer D, these are not the best choice. These groups have a purpose doing other things within the W2K enterprise. See the section, “Understanding Enterprise Policy Scope.”
2. D. The ISA logs are not backed up during enterprise and array configuration backup. A, B, C are not complete. See the section, “Backing Up Array and Enterprise Configurations.”
3. C. Reverse caching is enabled on the array property pages and by enabling a listener to use the intra-array address. A and B are therefore incorrect. Reverse caching is only possible for Web servers for which there is a Web publishing rule, so D is incorrect. See the section, “Enabling CARP—Array Properties.”
4. C. CARP can be used to adjust the load placed on each ISA Server, but you must manually configure it. Therefore, D is incorrect. A and B have to do with Network Load Balancing and are incorrect. See the section, “Enabling CARP—Array Properties.”
5. B. SecureNAT clients do not recognize an array name. The only way to balance the load of their requests is to configure NLB. See “Configuring Network Load Balancing (NLB).”
6. A. The NLB primary address should be the SecureNAT client default gateway. B is incorrect. C is the external address of the array and is not correct. D is the DNS server and is incorrect. See the section, “Configuring Network Load Balancing (NLB).”
Suggested Readings and Resources
1. Network Load Balancing; Windows 2000 Advanced Server Help.
2. “Network Load Balancing Technical Overview” at http://www.microsoft.com/TechNet/win2000/nlbovw.asp.
3. Course: How to Deploy Web-Based Line of Business Applications Using Network Load Balancing in Windows 2000 Advanced Server. Speaker: Vic Gupta. A course now available online at http://www.microsoft.com/TechNet/events/Spring00/TNQ400-06/Netshow/TechNet-06a/HTML/markers.htm.
4. Configuring Network Load Balancing—a Knowledge Base article at http://support.microsoft.com/support/kb/articles/Q240/9/97.ASP.
5. Windows 2000 Magazine: July 1, 2000. Features: Curt Aubley and Troy Landry.
6. Cache Array Routing Protocol (CARP) and Microsoft Proxy Server 2.0: http://msdn.microsoft.com/LIBRARY/BACKGRND/HTML/CARP.HTM.
7. Windows 2000 Resource Kit: Internetworking Guide, Microsoft Press, 2000.
8. Monitoring Modules and Windows 2000 Network Load Balancing Service. http://www.win2000mag.com/Articles/Index.cfm?ArticleID=8859&Key=Monitoring%20and%20Analysis.
CHAPTER 12
Access Control in the Enterprise

OBJECTIVES
This chapter covers the following Microsoft-specified objectives for the Configuring, Managing, and Troubleshooting Policies and Rules section of the Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server 2000 exam:

Create and configure access control and bandwidth policies.
• Create and configure site and content rules to restrict Internet access.
• Create and configure protocol rules to manage Internet access.
• Create and configure routing rules to restrict Internet access.
• Create and configure bandwidth rules to control bandwidth usage.

ISA Server Enterprise edition installed in an array requires a new approach to the management of Internet access. Depending on the Enterprise level policy assigned to the array, who can create these rules, where they are created, and what can be done with them varies. The knowledge of how, where, and when to create these rules in an Enterprise setting is important.

Troubleshoot access problems.
• Troubleshoot user-based access problems
• Troubleshoot packet-based access problems

After all is said and done (all the access rules are written), this is what’s important: Can users access the resources they are supposed to? Are users denied access to resources they are not supposed to see? There can be many reasons for problems with access. Two major categories for investigation are user-based and packet-based.

Create new policy elements. Elements include schedules, bandwidth priorities, destination sets, client address sets, protocol definitions, and content groups.

Prior to creating access rules, policy elements must be defined. In the array model, these policy elements can be created at the enterprise level and at the array level. Where do you do that? Who can do that? These are questions that must be answered to plan and maintain access policy.
OUTLINE
Introduction 364
Determining Where to Do It: An Access Policy Functional Framework 364
Determining Who Can Do It: An Access Policy Permissions Framework 368
Applying Access Policy: An Access Policy Strategy for the Enterprise 369
  Creating Policy Elements 369
  Creating Rules 370
  Putting Together an Implementation Plan 371
Troubleshooting Access Problems 372
  Investigation Via Rule Processing Order 372
  Identifying the Problem as Being User- or Packet-Based 373
  Troubleshooting User-Based Access Problems 374
  Troubleshooting Packet-Based Access Problems 374
Chapter Summary 376
Apply Your Knowledge 377
  Exercises 377
  Answers to Exercise Questions 377
  Review Questions 377
  Exam Questions 378
  Answers to Review Questions 379
  Answers to Exam Questions 379
STUDY STRATEGIES
• There is no substitute for hands-on experience here. You must install at least two Enterprise ISA Servers in an array.
• For each Enterprise policy assignment, develop policy elements and access policies, and then test them.
• Try different approaches by creating different types of Enterprise policies and assigning them one at a time to your array.
• When things don’t work as expected, determine why, and test your assumption to prove it works.
INTRODUCTION
The Enterprise edition of ISA Server, when integrated in an Active Directory domain, affords new vistas of centralized control and management. You may be well versed in how to create and troubleshoot ISA Server Internet access and be tempted to quickly scan this information. Don’t! Some familiar tasks are restricted, or can only take place at the Enterprise level. Many capabilities are dependent on the Enterprise policy applied to the array, so learning the hows and wheres in one array might not transfer to another array you’ll visit. Your time will be well spent here, as you need to have a framework on which to hang your hands-on knowledge. Be sure to spend time implementing access policy in an array environment. Organizing your knowledge consists of:
• Determining Where to Do It: An Access Policy Functional Framework
• Determining Who Can Do It: An Access Policy Permissions Framework
• Applying Access Policy: An Access Policy Strategy for the Enterprise
• Troubleshooting Access Problems
DETERMINING WHERE TO DO IT: AN ACCESS POLICY FUNCTIONAL FRAMEWORK The first indication that the rules for access policy creation have changed is the change to the ISA Server management console interface. Figure 12.1 (Enterprise Edition) and Figure 12.2 (Standard edition) illustrate that difference. The Enterprise edition makes available the creation of enterprise level:
• Site and Content Rules
• Protocol Rules
• Some Policy Elements
FIGURE 12.1 Enterprise location of rules and policy elements.
FIGURE 12.2 Standard edition location of rules and policy elements.
In the Standard edition, it’s pretty straightforward: You create all access rules and policy elements right in one place. In the Enterprise edition, there are two possible places to create policy elements and rules: at the enterprise policy location, and/or the array. Also, the type of policy applied to the array controls whether you can create any of them. Depending on this policy, some things must be created at the enterprise level, some at the array level, and some at both.
EXAM TIP: Which Policy Is Effective? To locate the policy that impacts the server, find the server’s array in the ISA Server Management Console. Right-click on the array object and select Properties. The Policies page lists and defines the policy assigned to this array (see Figure 12.4).
Additionally, some items, such as publishing rules and dial-up entries, can only be created at the server level. Understanding what can be created, and where, is a matter of applying the meaning of the policy to the availability of the object. Table 12.1 lists rules and policy elements and defines where they can be created according to policy scope. The policy names used in the table can be cross-referenced to the policy choices in the following list:
• Array Only: Use array policy only
• Enterprise Only: Use this enterprise policy
• Enterprise with Restrictive Array: Allow array-level access policy rules that restrict enterprise policy
• Allow Publishing: Allow publishing rules
TABLE 12.1
ACCESS POLICY FUNCTIONAL FRAMEWORK

Access Policy or Policy Element   Type of Policy                         Create at Enterprise   Create at Array
Site and Content Rules            Array Only                             No                     Yes
                                  Enterprise Only                        Yes                    No
                                  Enterprise with Restrictive Array      Yes                    Yes (deny only)
Protocol Rules                    Array Only                             Yes                    Yes
                                  Enterprise Only                        Yes                    No
                                  Enterprise with Restrictive Array      Yes                    Yes (deny only)
Schedules                         All Choices                            Yes                    Yes
Bandwidth Priorities              Array Only, Enterprise Only,           No                     Yes
                                  Enterprise with Restrictive Array
Destination Sets                  Array Only, Enterprise Only,           Yes                    Yes
                                  Enterprise with Restrictive Array
Client Address Sets               Array Only, Enterprise Only,           Yes                    Yes
                                  Enterprise with Restrictive Array
Protocol Definitions              Array Only, Enterprise Only,           Yes                    Yes
                                  Enterprise with Restrictive Array
Content Groups                    Array Only, Enterprise Only,           Yes                    Yes
                                  Enterprise with Restrictive Array
Dial-up Entries                   Array Only, Enterprise Only,           No                     Yes*
                                  Enterprise with Restrictive Array
Routing Rules                     Array Only, Enterprise Only,           No                     (see “Creating Rules”)
                                  Enterprise with Restrictive Array
Publishing Rules                  Array Only, Enterprise Only,           No                     No
                                  Enterprise with Restrictive Array
                                  Allow Publishing                       No                     Yes*
Packet Filters                    Array Only, Enterprise Only,           Yes                    No if “forced on array”; Yes if this is unchecked
                                  Enterprise with Restrictive Array                             (see Figures 12.3, 12.4, and 12.5)

* Strictly speaking, publishing rules and dial-up entries are created for a server, not for the array as a whole, but the “Allow Publishing Rules” distinction allows creating publishing rules at any server in the array.

FIGURE 12.3 When packet filtering is forced at Enterprise level the choice is grayed out on the server.
FIGURE 12.4 Packet filtering controlled at array level—policy.
FIGURE 12.5 The capability to set packet filtering is now available.
DETERMINING WHO CAN DO IT: AN ACCESS POLICY PERMISSIONS FRAMEWORK The purpose behind this elaborate framework is twofold:
• Provide for centralized control and management of multiple ISA Servers.
• Allow delegation of array-level policy.
FIGURE 12.6 Domain admins can’t write enterprise policy elements.
Centralized control is obtained by assigning a policy to each array that meets the needs of the enterprise. Decentralized IT functions are met by the choice Use Array Level Policy Only. Centralized IT functions are given all-powerful control by Use This Enterprise Policy. Arrays that need more restrictive policies can have them with Allow Array-Level Access Policy Rules That Restrict Enterprise Policy. A combination of enterprise and array management policies can be fulfilled by creating multiple arrays and assigning different enterprise policies. The second issue in an enterprise model is the capability to assign administrative chores in a manner that provides the power to do what is necessary and allowed, without being able to overstep the boundaries. This can be obtained in a straightforward manner through the standard permission set at the enterprise and array level, or by creating custom groups and applying administrative permissions at the level desired.
FIGURE 12.7 Domain admins can’t write enterprise rules.
In the default implementation of ISA Server Enterprise edition, only the Enterprise Admins group has full control. If a Domain Admin attempts to write enterprise policies (policy elements and rules), she will be denied access at the enterprise level (see Figure 12.6 and Figure 12.7). At the array level, the local computer Administrator, Domain Admins, and Enterprise Admins have full control. Keep in mind that before a Domain Admin can create an access rule, the capability to create rules at the array level must be specified in the policy.
APPLYING ACCESS POLICY: AN ACCESS POLICY STRATEGY FOR THE ENTERPRISE
The actual act of creating policy elements and rules to manage Internet access varies little from that described previously. The difference in an Enterprise deployment is not in the “how to” but in the “where” and “who”. While the previous sections of this chapter detailed the overall rules which determine the where and who, this section presents some rule and element specifics and describes a strategy to take advantage of the strengths of each policy type. Specifically, it will look at:
• Creating Policy Elements
• Creating Rules
• Putting Together an Implementation Plan
Creating Policy Elements Create new policy elements. Elements include schedules, bandwidth priorities, destination sets, client address sets, protocol definitions, and content groups.
FIGURE 12.8 Only enterprise policy elements are available for enterprise rules.
To create policy elements, follow the same general instructions described in the Step by Step sections detailed in Chapter 5, “Outbound Internet Access.” To determine where to create them, you must consider both where they will be used and where they can be created. Remember that enterprise level rules can only use policy elements created at the enterprise level, while array level rules (if allowed) can use both enterprise and array policy elements. An example of this is displayed in Figures 12.8 and 12.9. The “Enterprise Morning” schedule was created at the enterprise level, and the “Array Evenings” schedule was created at the array level. Both captures were taken during a Site and Content Rule wizard schedule choice (Figure 12.8 at the enterprise level, and Figure 12.9 at the array level). This arrangement makes sense. Array level policy elements are probably only relevant at the array level. If they are required at more than one array, then they can be created at the enterprise level.
FIGURE 12.9 Enterprise and array level policy elements are available at the array.
Remember, policy elements in themselves do not allow or restrict access, they merely form the building blocks that can be used in rules that do. Two policy elements can only be created at the array level: bandwidth priorities and dial-up entries. Dial-up entries are specific to the server on which the modem is installed, so there is no need for an enterprise level policy. Bandwidth priorities are only used in creating bandwidth rules. Bandwidth rules are only created at the array level.
Creating Rules Create and configure access control and bandwidth policies.
• Create and configure site and content rules to restrict Internet access.
• Create and configure protocol rules to manage Internet access.
• Create and configure routing rules to restrict Internet access.
• Create and configure bandwidth rules to control bandwidth usage.
FIGURE 12.10 Kansas City policy—allow or deny access.
To create site and content, protocol, bandwidth, and routing rules, follow the instructions in the Step-by-Step sections detailed in Chapter 5. To determine why you might want to create them in a specific location, consider the section, “Putting Together an Implementation Plan,” later in this chapter. You should also keep in mind that the capability to create site and content rules and protocol rules at the array level is only allowed in two cases:
• If the “Use array policy only” policy applies, rules can be either “allow” or “deny” access rules. (In the Kansas City array, this is the policy; see Figure 12.10).
• If the “Use custom enterprise policy settings” policy applies, rules can only be “deny” rules. (This is the policy in the Grain Valley arrays; see Figure 12.11).
Bandwidth rules are created at the array level, and this can only be done if array policies are allowed. Routing rules are also created at the array level, and only if the enterprise policy allows publishing rules or array-level rules.
Putting Together an Implementation Plan
If you are an administrator who has inherited policies configured by others, then you may be limited to following the rules as they are set. However, if you are the one architecting the implementation of ISA Server policies in your enterprise, then you need to combine your knowledge of the policy types that are available with the needs and requirements for access control in your environment. Here are some helpful hints on how to design a structure that’s right for you.
1. If your IT administration is decentralized, then create a policy that specifies “Use array policy only.” Arrange ISA Servers in arrays that represent locations that manage their own IT function.
2. If your IT administration is highly centralized, create a policy that uses enterprise policy.
3. If you need to diversify your policies and allow the capability to restrict enterprise policies in some or all arrays, use the feature to “Allow array level access policy rules that restrict enterprise policy.”
4. If an array needs to use Web and server publishing rules, open that possibility by checking “Allow publishing policy.”
5. Design backward. Now that you know what’s possible, what does your environment need? Do local administrators need to create restrictive site and content rules, or all types of rules? Do you have multiple areas to manage, and are they all different? Break it down even further: Do users at some locations have different needs than users at other locations? Determine the need for an array based on your knowledge of user needs, management policy, and administrative delegation. The easiest way to get a grip on large, diverse environments is to plot the requirements first, then determine which policy model fits your requirements.
FIGURE 12.11 Grain Valley policy—deny access only.
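To make the “where” and “by whom” concrete, here is an added example (not Microsoft’s code and not anything shipped with ISA Server) that encodes this chapter’s rules as a checker: given an array’s enterprise policy settings, it answers whether a Domain Admin or Enterprise Admin may create a given rule at the enterprise or array level, and whether packet filtering can be toggled. The PolicyModel labels, the role strings and the force_packet_filtering field name are assumptions; the Kansas City and Grain Valley settings follow Figures 12.10 and 12.11.

```python
"""Check which ISA Server 2000 rules may be created at each policy level under the
enterprise policy settings described in this chapter.  Added example, not
Microsoft's code; role and setting names are assumed labels for the options
quoted in the chapter."""
from dataclasses import dataclass
from enum import Enum


class PolicyModel(Enum):
    ARRAY_ONLY = "Use array policy only"
    ENTERPRISE = "Use enterprise policy"  # assumed label: an enterprise policy applies


@dataclass(frozen=True)
class ArrayPolicySettings:
    model: PolicyModel
    # "Allow array level access policy rules that restrict enterprise policy"
    allow_restricting_array_rules: bool = False
    # "Allow publishing policy"
    allow_publishing: bool = False
    # Packet filtering forced on the array (field name assumed)
    force_packet_filtering: bool = False

    def array_rules_allowed(self) -> bool:
        """True when array-level access policy rules may exist at all."""
        return self.model is PolicyModel.ARRAY_ONLY or self.allow_restricting_array_rules


ACCESS_RULES = {"protocol", "site_and_content"}   # may exist at either level
ARRAY_LEVEL_ONLY = {"bandwidth", "routing"}        # never written into enterprise policy


def rule_permitted(settings, role, level, rule_type, action=None):
    """May `role` ("Enterprise Admin" or "Domain Admin") create a rule of `rule_type`
    with `action` ("allow"/"deny"; None for bandwidth and routing rules) at `level`
    ("enterprise" or "array") on an array that has `settings`?"""
    if rule_type not in ACCESS_RULES | ARRAY_LEVEL_ONLY:
        raise ValueError(f"unknown rule type {rule_type!r}")
    if level == "enterprise":
        # Enterprise policy is established by Enterprise Admins only.
        return role == "Enterprise Admin" and rule_type in ACCESS_RULES
    if level != "array":
        raise ValueError(f"unknown level {level!r}")
    # At the array level an Enterprise Admin may create policy too (review
    # question 3), but the enterprise policy setting still bounds what any
    # array-level rule may do.
    if rule_type in ACCESS_RULES:
        if settings.model is PolicyModel.ARRAY_ONLY:
            return action in ("allow", "deny")      # Kansas City: allow or deny
        if settings.allow_restricting_array_rules:
            return action == "deny"                 # Grain Valley: deny only
        return False                                # enterprise policy only
    if rule_type == "bandwidth":
        return settings.array_rules_allowed()
    # Routing rules: array level, when publishing or array-level rules are allowed.
    return settings.allow_publishing or settings.array_rules_allowed()


def can_toggle_packet_filtering(settings, role):
    """Exercise steps 4 and 5: a Domain Admin may enable or disable packet
    filtering only when it is not forced on the array; an Enterprise Admin always may."""
    return role == "Enterprise Admin" or not settings.force_packet_filtering


# The two example arrays from Figures 12.10 and 12.11, plus an enterprise-only array.
KANSAS_CITY = ArrayPolicySettings(PolicyModel.ARRAY_ONLY)
GRAIN_VALLEY = ArrayPolicySettings(PolicyModel.ENTERPRISE, allow_restricting_array_rules=True)
ENTERPRISE_ONLY = ArrayPolicySettings(PolicyModel.ENTERPRISE)
```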
Part III
TROUBLESHOOTING ACCESS PROBLEMS
Troubleshoot access problems.
• Troubleshoot user-based access problems
• Troubleshoot packet-based access problems
When information can’t flow where it is supposed to, or rules and procedures can be thwarted to give unrestricted access where it is not allowed, there is a problem. In either case you need to determine the reason for the problem and correct it. Although there are many configuration elements that need to be checked, you can often reduce the time this takes by:
• Examining logs for specific information on ports, protocols, source, and destination information.
• Investigating configurations in the order in which rules are processed.
• Identifying the problem as being user- or packet-related.
Although the logs are an excellent source of information on the traffic denied access, they primarily provide information that tells you that a request was blocked. They can be helpful in identifying that the request reached the ISA Server, however, and should be a point of reference during troubleshooting. Information on understanding the logs and how they may be used to assist in troubleshooting access can be found in Chapter 15, “Monitoring Network Security and Usage.”
Investigation Via Rule Processing Order
When a client makes a request, rules are processed in the following order:
1. Protocol rule
2. Site and content rule
3. Packet filter
4. Routing rule (if client is Web proxy)
5. Firewall chaining (if client is SecureNAT or Firewall)
Keep in mind, however, that the presence of a deny rule anywhere along the path will result in a denial. To troubleshoot access, look for these items in the following order:
1. By default, all protocols are blocked. Check protocol rules to determine if a rule exists that would allow access and to be sure there is no protocol rule that would deny access.
2. If Step 1 does not identify the problem, check Site and Content Filters to make sure the site is not blocked, the time of the request is not the issue, and the user and computer used are not blocked.
3. If the problem is still not resolved, check packet filters. While packet filters are usually used to allow or block access of inbound requests, they can be configured to block outbound requests. Make sure that no blocking packet filter exists.
4. Finally, determine the type of client being used. If the client is a Web proxy client, then examine routing rules. If the client is a SecureNAT or Firewall client, then examine Firewall chaining rules.
Identifying the Problem as Being User- or Packet-Based
Identifying problems as being user-based or packet-based can go a long way to reducing the time it takes to troubleshoot the problem. For example, if you can determine that the request uses a particular protocol, say, SMTP, and your ISA Server has not been configured to allow SMTP to pass, then you know immediately why the request was unsuccessful. You can then determine if SMTP should be allowed to pass, for whom and when, and take the appropriate action. In another case, if you know that other users are successful in using a particular protocol, or in accessing a particular site, then you can probably assume that the cause of the problem is user-related and narrow your investigation to those rules that stipulate user-related information.
Troubleshooting User-Based Access Problems
Many specific user-based access problems and troubleshooting techniques are covered in the section, “Troubleshooting Client Access Problems,” in Chapter 5. More information on specific client-related issues having to do with the way clients are treated, and the client configuration, is covered in Part IV, “Deploying, Configuring, and Troubleshooting the Client Computer.” In summary, troubleshooting user-based access problems involves resolving the following issues:
• If the client is a Web proxy client, is the Web browser appropriately configured? (Are other sites accessible?)
• If the client is a firewall client, is the client configuration correct?
• Is there a site and content rule that allows the user access?
• Is there any site and content rule that denies the user access?
• Have both enterprise and array level site and content rules been reviewed?
• For SecureNAT and firewall clients, is the HTTP redirector filter enabled?
• If the client is a SecureNAT client, remember that a rule that is defined to apply to all IP protocols will only apply to all “defined protocols.”
• If authentication is required, can the client process authentication successfully?

EXAM TIP
When Is All Not All? In caching mode protocol rules, even though you might select “all protocols,” only HTTP, HTTPS, Gopher, and FTP are selected.
Troubleshooting Packet-Based Access Problems
To troubleshoot packet-based access problems, you must examine the following areas that control access:
• Installation mode
• Protocol rules
• Packet filters
• Protocol definitions
• Application filters
It is important to know the installation mode of the ISA Server. Installing the ISA Server in firewall or integrated mode expands possibilities for client access as well as your opportunities for troubleshooting failed access. Installing ISA Server in caching mode restricts client access in the following ways:
• Protocol rules only apply to HTTP, HTTPS, Gopher, and FTP.
• Packet filter properties cannot be configured in caching mode.
• Firewall clients are not supported in cache mode.
This effectively limits client access to HTTP, HTTPS, Gopher, and FTP. If a client attempts to use other protocols, then the answer is clear: This type of access is not allowed. If ISA Server is installed in firewall or integrated mode, you will need to look closely at protocol rules, and packet and application filters. Be sure to check array level and enterprise level policies. Follow this approach:
1. Is there a protocol rule that denies access? End of story.
2. Is there a protocol rule that allows access? Either way, continue.
3. Is there a packet filter that denies access? End of story.
4. Is there a packet filter that allows access? Either way, continue.
5. Is there an application filter enabled which denies access? End of story.
6. Is there an application filter enabled which allows access?
CHAPTER SUMMARY
Understanding ISA Server access policies in an enterprise can be a daunting challenge. There may be several levels of policy to design, or, if already implemented, to understand. Enterprise level access policy is established by Enterprise Admins and assigned to arrays that are managed by Domain Administrators. Protocol rules and site and content rules can be created at both levels, if enterprise policy dictates, or may be restricted to only one. Within an enterprise, all three scenarios may exist. This chapter has concentrated on the “where” and “by whom,” instead of the “how to.” Finally, troubleshooting client access must involve investigation of access policy at both levels and concern itself with packet-based and user-based issues.
APPLY YOUR KNOWLEDGE

Exercises

12.1 Examining Access Policy in a Tiered Enterprise
The best way to understand the diversity available in a tiered enterprise is to write new policy elements and rules in different policy implementations.
Estimated Time: 25 minutes
1. Continue working with the arrays established in Chapter 11, Exercise 11.1. Select the array that specifies “array only” access policy.
2. As Enterprise Admin, write new policy elements, protocol rules, and site and content rules. Where did you write them?
3. As Domain Admin, write new policy elements, protocol rules, and site and content rules. Where did you write them? Can you write both allow and deny rules?
4. Select the array that does not have packet filtering forced. As Domain Admin, can you enable and disable packet filtering?
5. Select an array that forces packet filtering. As Enterprise Admin, can you enable and disable packet filtering on the array? As Domain Admin, can you?
6. Log on as Domain Admin. Select the “enterprise only” policy array. Can you write allow rules? Can you write deny rules? Select the “enterprise and array policy” array. Can you write allow rules? Can you write deny rules?

Answers to Exercise Questions
2. Allow and deny in array policy.
3. Allow and deny in array policy. Yes.
4. Yes.
5. Yes. No.
6. No. No. No. Yes.

Review Questions
1. John is a Domain Admin. Sally is an Enterprise Admin. Figure 12.12 displays the Policy on the ISAArray2 array. Can Sally prevent John from disabling packet filters?
2. John is a Domain Admin. Sally is an Enterprise Admin. Figure 12.13 displays the Policy on the ISAArray3 array. Can John create a site and content rule to prevent Domain Users from accessing Ubid.com?
3. John is a Domain Admin. Sally is an Enterprise Admin. Figure 12.14 displays the Policy on the ISAArray3 array. Can Sally write a protocol rule that allows passage of telnet traffic?
4. When would it be advantageous to allow array level administration of packet filters?
5. Why are publishing rules created at the server level?
FIGURE 12.12 Question 1.
FIGURE 12.13 Question 2.
FIGURE 12.14 Question 3.

Exam Questions
1. John is configuring ISAArray2. This array is installed in HomeDomain2. His enterprise encompasses multiple domains and arrays. He needs to prevent HomeDomain2 Users from using IRC chat but not restrict users for other domains. He should
A. Create an enterprise level client address set that includes the HomeDomain2 users. Write a site and content rule at the enterprise level blocking this client address set from using IRC.
B. Create an array level client address set that includes the HomeDomain2 users. Write a site and content rule at the array level blocking access to IRC for this client address set.
C. Create an array level protocol rule that blocks the use of IRC by HomeDomain2 Users.
D. Create an enterprise level protocol rule that blocks the use of IRC by HomeDomain2 Users.
2. Jan wants to provide backup routes for ISA Servers in ISAArray3. He installs modems in these servers and arranges for dial-up access to the Internet. Then he
A. Creates dial-up entries in the enterprise policy.
B. Creates dial-up entries in the array policy.
C. Creates dial-up entries at each server in the array.
D. Creates dial-up connections at each server in the array.
3. Users are having trouble connecting to the company Web site that resides on the ISA Server. You examine the ISA Server interface and find the following: Packet filtering is enabled. An array rule has been set up to allow traffic inbound to this server on port 80. Automatic discovery has been enabled. A blocking rule has been set to block FTP and HTTPS. To correct the situation and allow users to access the Web server you (Select all that apply.)
A. Delete the blocking filter for HTTPS.
B. Delete the blocking filter for FTP.
C. Disable automatic discovery.
D. Set automatic discovery to listen on port 8080.

Answers to Review Questions
1. No. Because packet filtering is not forced on the array, the Domain Admin, John, can manage packet filtering. See the section, “Determining Where to Do It: An Access Policy Functional Framework.”
2. Yes. In this policy restrictive array rules can be written. See the section, “Determining Where to Do It: An Access Policy Functional Framework.”
3. Yes. Even though Sally is an Enterprise Admin and policy is managed entirely by array, the Enterprise Admin can create policies at this level. See the section, “Determining Who Can Do It: An Access Policy Permissions Framework.”
4. When there are widely varying needs for packet filters. See the section, “Applying Access Policy: An Access Policy Strategy for the Enterprise.”
5. Publishing rules are created at the server level because of the need to control which servers in the array will allow access to a Web site behind the array. See the section, “Determining Where to Do It: An Access Policy Functional Framework.”

Answers to Exam Questions
1. C. Protocol rules block or allow protocol use. This should be done at the array level because there is a stated requirement for not blocking all users in all domains. See the section, “Determining Where to Do It: An Access Policy Functional Framework.”
2. C. Dial-up entries are created at the server level. The modems exist at that level. See the section, “Determining Where to Do It: An Access Policy Functional Framework.”
3. C, D. By default, automatic discovery listens at port 80. Automatic discovery could also be changed to listen at a different port. If a Web server resides on an ISA Server, this will cause a problem. HTTPS and FTP have nothing to do with whether users can reach a Web site unless that Web site requires SSL (HTTPS) or they are attempting FTP access. See the section, “Determining Where to Do It: An Access Policy Functional Framework.”
Suggested Readings and Resources 1. “Configuring Protocol Definitions,” ISA Server Help.
2. Deployment of ISA Server at Microsoft, paper at http://www.microsoft.com/isaserver/techinfo/itgdeploy.htm.
PART IV
DEPLOYING, CONFIGURING, AND TROUBLESHOOTING THE CLIENT COMPUTER
13 Planning and Deploying Clients
14 Installing and Configuring Client Options
CHAPTER 13
Planning and Deploying Clients

OBJECTIVES
This chapter covers the following Microsoft-specified objectives for the Deploying, Configuring, and Troubleshooting the Client Computer section of the Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server 2000 exam:
Plan the deployment of client computers to use ISA Server services. Considerations include client authentication, client operating system, network topology, cost, complexity, and client function.
• To deploy any new system in the most cost-efficient and least-disruptive fashion requires careful planning. Knowing how to configure and install clients is only a small part of the total picture. Of what good is knowledge of how to install the firewall client if it is determined that this client will not be used in the network? Of what use is the “least cost/least complexity” dogma, if no one knows the potential advantages of deploying clients that require more time and effort to deploy?
• Client choices can also impact network infrastructure design. If services required by clients are not in place, more changes to the current network infrastructure might have to be made. You must know the current status, as well as client requirements, and plan needed changes so that the process is the least disruptive possible.
OUTLINE
Introduction 385
Considering Current Infrastructure Issues 385
Introducing ISA Server Client Types 386
  SecureNAT Client 386
  Web Proxy Client 387
  Firewall Client 388
Using Multiple Clients on a Single Computer 389
Migrating Proxy 2.0 Clients 389
Considering Cost and Complexity 390
Considering Authentication Issues 390
  Client Requirements 391
  Knowledge Requirements 391
  Infrastructure Changes 391
Assessing General Client Needs 392
Evaluating Network Infrastructure Changes 393
Chapter Summary 394
Apply Your Knowledge 395
  Exercises 395
  Review Questions 395
  Exam Questions 395
  Answers to Review Questions 396
  Answers to Exam Questions 397

STUDY STRATEGIES
• Get firmly entrenched in your mind the difference between client types.
• Learn the relationship between requiring authentication of all users, the use of user groups to control access, and the client type.
• Study each client type separately, and the impact of a single computer becoming more than one client type at a time.
Chapter 13
PLANNING AND DEPLOYING CLIENTS
INTRODUCTION Plan the deployment of client computers to use ISA Server services. Considerations include client authentication, client operating system, network topology, cost, complexity, and client function.
Allowed access to the Internet should be transparent to users. That is, in visiting nonrestricted Web sites, using email, or using other nonprohibited services across the Internet, no user should be aware that a firewall or caching server sits between him and the actual source. On the other hand, you should be able to configure the firewall to successfully block and allow access as dictated by policy, and these rules should operate as expected. This is possible with ISA Server, but its implementation is dependent on understanding the client types and how rules affect them. To plan the deployment of clients, you must spend time:
• Considering current infrastructure issues
• Considering cost and complexity
This chapter discusses issues pertinent to planning client deployment, including network infrastructure changes and configuration. Detailed client, ISA Server, and network infrastructure configuration is covered in Chapter 14, “Installing and Configuring Client Options.”
CONSIDERING CURRENT INFRASTRUCTURE ISSUES
Before deciding what systems should be implemented as which type of ISA Server client, you should take the time to understand the client types, determine the appropriate options available to each current client system, and determine the network infrastructure changes that might have to be made. To do so consider:
• ISA Server client types
• Using multiple clients on a single computer
• Proxy 2.0 client migration
Introducing ISA Server Client Types
The first step in planning deployment of client types is to match ISA Server client capabilities with your user requirements and policy dictates. The second step is to match ISA Server client availability with your client operating systems. Where these two matching decisions cannot both be resolved, that is, where you’d like to use a particular ISA Server client but you can’t with the current client OS, you must decide whether to accept less functionality, or to upgrade or change the client OS. There are three ISA Server client types:
• SecureNAT client
• Web proxy client
• Firewall client
Table 13.1 summarizes the ISA Server client types.
SecureNAT Client
Every client computer on the internal network that does not have the firewall client installed and can access the Internet through the ISA Server is a SecureNAT client. This includes servers that are published through ISA Server publishing rules. SecureNAT clients are not supported in Caching mode. Although the SecureNAT client does not allow for user-level authentication, many of the benefits afforded to Firewall and Web proxy clients are also available to them. Specifically:
• HTTP requests are cached, affording faster retrieval and efficient use of Internet access.
• Most access control features. HTTP requests are passed to the Web proxy service for site and content rule application.
• ISA Server application filters can be used to access complex protocols.

NOTE
NAT Versus SecureNAT The name SecureNAT was chosen because it extends Windows 2000 NAT by enforcing ISA Server policies. SecureNAT hooks into the Windows 2000 NAT service.
TABLE 13.1 DISTINGUISHING CLIENT TYPES

Client Type | Client Configuration Necessary | Protocols That Can Be Used to Access Internet Resources | Client OS Required | Requirements | ISA Server Mode
SecureNAT | Possible: client default gateway set to ISA Server internal interface | Requires ISA Server application filters | Any | TCP/IP; Internet requests are routed to ISA Server | Firewall, Integrated
Web proxy | Configure browser | HTTP, HTTPS, FTP, Gopher | Most any | Web application can be configured to use proxy | Caching, Integrated
Firewall | Install client | Winsock applications | Win32 | Configuration file | Firewall, Integrated

Changes to the network infrastructure to support SecureNAT clients are minimal. You must ensure that all requests for Internet access from the client are routed to the internal network interface of the ISA Server. This might mean router changes, or changes to the client network configuration.

Web Proxy Client
Potential Web proxy clients are those that run Web access applications, such as a Web browser, that can be directed to a proxy server. There are no special network infrastructure changes due to the use of Web proxy clients. However, several techniques can be used to reduce the efforts necessary to configure Web proxy clients. Configuration can be done by:
• Visiting clients and manually modifying browser configuration.
• Using ISA Server Management to set automatic configuration for firewall clients (the Web proxy configuration is downloaded during installation of firewall client software).
• Using Group Policy Internet Explorer settings to manage Web proxy configuration.
• Using ISA Server Management to enable automatic discovery and modifying Web browsers to use automatic discovery. If the ISA Server cannot respond directly to client requests, DHCP servers and/or DNS servers can be configured to provide Web Proxy Auto-Discovery Protocol (WPAD) information.

NOTE
Not Just for Browsers Any application that accesses the Internet is potentially a Web proxy client. It must, however, have the capability to use a proxy server and be compliant with Hypertext Transfer Protocol (HTTP) 1.1. You can determine if your application can use a Web proxy by investigating if it has a place to input the IP address of a Web proxy server. If it does, configure the application with the internal network IP address of the ISA Server and port 8080 and attempt access to the Internet.
Firewall Client
A client can only be a firewall client if it has the ISA Server firewall client software installed. This client runs Winsock applications that use the ISA Server firewall service. The firewall client is not supported in cache mode. Firewall client software is installed from a network installation share and may be installed on Windows operating systems, including:
• Windows 2000
• Windows NT 4.0
• Windows ME
• Windows 98
• Windows 95
Support is available for 16-bit (Windows NT 4.0 and Windows 2000 only) and 32-bit Winsock applications. Firewall clients will first determine the location of the object they need by looking at a copy of the ISA Server LAT. If the computer on which the object is located is itself located in the internal network, then the client will access it directly; if not, it will forward its request to the ISA Server. Installing the firewall client installs several components:
• mspclnt.ini. Client configuration file and copy of the local domain table (LDT).
• msplat.txt. Copy of the LAT. This file is updated regularly so that it matches the ISA Server LAT.
• The firewall client application.
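As an added example (not the firewall client’s own code), the following reproduces the client’s first decision from its LAT copy and shows why that copy must stay in step with the server’s LAT: a stale copy makes the client classify a destination differently from the ISA Server, so it either forwards internal traffic needlessly or reaches a host directly that the server no longer treats as internal. The one-range-per-line LAT text is a constructed simplification, not the real msplat.txt layout.

```python
"""Firewall client routing decision from a local copy of the ISA Server LAT.
Added example, not Microsoft's firewall client code; the LAT text format below is
an assumed one-range-per-line simplification, not the exact msplat.txt layout."""
import ipaddress

# Constructed client copy of the LAT (msplat.txt): one "first last" range per line.
CLIENT_LAT_TEXT = """\
# internal address ranges as the client last received them
10.0.0.0 10.255.255.255
192.168.10.0 192.168.10.255
"""

# Constructed server LAT after an administrator added an internal subnet; the
# client copy above has not been refreshed yet.
SERVER_LAT_TEXT = """\
10.0.0.0 10.255.255.255
192.168.10.0 192.168.10.255
172.16.5.0 172.16.5.255
"""


def parse_lat(text):
    """Parse 'first last' lines into (first, last) address pairs, skipping comments."""
    ranges = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        first, last = (ipaddress.ip_address(tok) for tok in line.split())
        if last < first:
            raise ValueError(f"inverted LAT range: {line}")
        ranges.append((first, last))
    return ranges


def is_internal(dest, lat):
    """True when dest falls inside any LAT range (both ends inclusive)."""
    addr = ipaddress.ip_address(dest)
    return any(first <= addr <= last for first, last in lat)


def route_request(dest, lat):
    """The firewall client's first step: internal destinations are reached
    directly, everything else is forwarded to the ISA Server firewall service."""
    return "direct" if is_internal(dest, lat) else "forward to ISA Server"


def lat_divergence(client_lat, server_lat, destinations):
    """Destinations the client and the server classify differently.  With a stale
    client copy the client forwards internal traffic needlessly or, if a range was
    removed on the server, goes direct to an address the server no longer treats
    as internal."""
    return [d for d in destinations
            if is_internal(d, client_lat) != is_internal(d, server_lat)]
```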
Using Multiple Clients on a Single Computer Multiple ISA Server clients can be used on a single computer. This allows the ISA Server client to obtain the best benefits of all the clients. Configuring the client computer as a SecureNAT client enables basic Web access and caching, as well as allows the client to utilize application filters to access other objects on the Internet. Although the SecureNAT client cannot provide authentication, access rules can restrict client access by IP address, schedule, protocol, and destination requested. Adding the Web proxy client information to the Web browser provides more direct, efficient access to the Web proxy service. (SecureNAT clients use the firewall service and Web protocols are then passed to the Web proxy service.) Web proxy clients can also provide authentication information if required to do so by the ISA Server. By installing the Firewall client, authentication will always be passed to the ISA Server, and the client can directly inform the firewall service of the needs of the application it is using. (Ports required for Firewall client access can be dynamically opened and closed; ports required by SecureNAT client requests must be statically configured.)
Migrating Proxy 2.0 Clients Proxy 2.0 clients either used the Proxy 2.0 Web proxy service or the Proxy 2.0 Winproxy service. Winproxy clients required the installation of the winproxy client application. Web proxy clients had their browsers pointed to the Proxy 2.0 server. If Proxy 2.0 Winproxy clients were configured for automatic discovery, then it may not be necessary to reconfigure these clients to enable them to use the ISA Server, or to install the Firewall client. You may only need to assure that the ISA Server is configured correctly and that Winproxy clients are able to locate the server. Web proxy clients may need to have their browsers specially pointed at the ISA Server and reconfigured to use port 8080.
You might also want to upgrade Winproxy clients by installing the Firewall client. This provides a more efficient processing of requests and the capability to use information in the LDT.
CONSIDERING COST AND COMPLEXITY
One of the items that must be considered in the deployment of ISA Server is the impact of client deployment and network configuration. We have already noted the different types of clients and commented on the configuration issues for each, as well as the changes that might be necessary to network infrastructure. Now that you have some knowledge of the possibilities, how do you make sound choices that ensure that client choices meet your needs while reducing the cost and complexity of the roll out? To assess client requirements, consider these three areas:
• Authentication issues
• General client needs assessment
• Network infrastructure changes
Considering Authentication Issues
Requiring client authentication is generally used to ensure that only qualified individuals can access Internet resources, and/or to ensure that a detailed log of who accessed what can be kept. Although this provides important control over user access, it increases complexity and thus the potential cost of deployment and management. The fallout will be felt in several areas:
• Requirements for the use of specific ISA Server clients.
• Increased knowledge of and implementation of user rules and ISA Server configuration to support the authentication methods and clients chosen.
• Potential infrastructure changes to provide services required.
Client Requirements
Not all clients can pass authentication information to the ISA Server. SecureNAT clients cannot do this. This means that either Web proxy or Firewall clients must be used. Additional configuration is therefore required. If Web proxy clients are used, then further issues must be considered. The Web proxy software must be capable of forwarding authentication information to the ISA Server. Internet Explorer can do this; Netscape Navigator cannot. You will need to check carefully the capabilities of any Web proxy client you may want to use. In addition, if Web proxy clients are used, the ISA Server must be configured to require authentication of all users. This is because a browser is configured to perform anonymous authentication and the ISA Server, by default, is configured to accept it. If you want IE to pass authentication information to the ISA Server, you must force it to do so.

Knowledge Requirements
Configuring clients can be as simple as changing the client default gateway (SecureNAT client), or as complex as configuring individual client configuration files (Firewall client). The more complex the client, the more knowledge is needed to ensure that clients and servers are correctly configured during deployment and maintained during production. There is also a heavier burden on help-desk staff and firewall administrators as they cope with client issues. Because client systems can be configured to utilize multiple ISA Server clients, the difficulty of diagnosing access problems is increased. Not only is there more to configure, but more can go wrong.

Infrastructure Changes
Requiring client authentication may not specifically impact network infrastructure. If Windows 2000 domain structures are already in place and the ISA Server computer is a member of a domain in the forest, then Windows 2000 security groups and accounts can be used for authentication. If the ISA Server computer is a Windows 2000 standalone system, then its account database can be used. If deployment of the ISA Server computer is the deciding factor in initializing a Windows 2000 Active Directory infrastructure, then significant infrastructure changes will be involved. The scope of these changes is beyond that of this chapter or this book. However, several good Windows 2000 infrastructure books are recommended at the end of this chapter. If client authentication via SSL is required, then you may need to deploy a Public Key Infrastructure (PKI) including a certificate server, or otherwise obtain client certificates that may be used by the servers requiring their use. For assistance on deploying a PKI and/or in deploying and using Microsoft certificate services, please see the references at the end of the chapter.

EXAM TIP
Chained Authentication When a client request is passed from one ISA Server to another, authentication information can also be transferred. However, in some cases the upstream server may not be able to determine the client that is requesting the object. This may be because the upstream server requires that the downstream server use an account in order to connect. In this case, it is this account information that is passed to the upstream server. Otherwise, the client’s authentication information will be passed to the upstream server. If authentication information is not required for all clients, then it is possible that access rules that rely on user identification may not be processed in the manner that you require.
Assessing General Client Needs
To assess client needs, you should ask the following questions:

• Is your only usage of ISA Server forward caching of Web objects? Then consider using only SecureNAT clients. There is no software installation required; you are only obligated to ensure that Web requests are forwarded to the ISA Server.
• Do you want the least cost, least complex solution? Most, if not all, clients should be SecureNAT clients. SecureNAT clients can use ISA Server application filters to support many protocols in addition to the typical Web protocols.
• Do you require that all clients authenticate before they can access the Web? Are you configuring user-based rules? Firewall clients are your best choice. While Web proxy clients can be used, you must ensure that authentication is requested of all clients and that the Web proxy application is capable of passing authentication information to the ISA Server. SecureNAT clients do not support user authentication.
• Will you be publishing servers located on your internal network? These servers should be configured as SecureNAT clients. These servers can be firewall clients, but the configuration will increase the complexity of the arrangement.
• Do you want to improve the efficiency of the ISA Server computer for caching? Web proxy clients use the Web proxy service directly. SecureNAT clients and Firewall clients use the firewall service, and their HTTP requests are forwarded to the Web proxy service.
• Do you have client operating systems and types other than Windows? Other clients such as Macintosh, Unix, and Linux can use the SecureNAT and Web proxy client types.
• Would you like to cache FTP requests? Use Web proxy clients. FTP requests made through the Web proxy application can be cached.

Chapter 13  PLANNING AND DEPLOYING CLIENTS
Evaluating Network Infrastructure Changes
Installing ISA Server(s) to provide Internet access control and/or Web caching capability can result in numerous network infrastructure changes. The cost and complexity of deploying and maintaining these changes depends on the type of clients to be used as well as the nature of your infrastructure.

SecureNAT clients potentially entail few infrastructure changes. This does not mean the cost will be low, rather that the modifications are simple. If SecureNAT clients need to be pointed directly to the internal interface of the ISA Server, that information can be provided in DHCP or manually configured for those clients with static IP addresses. If multiple SecureNAT clients must be visited individually, then you must budget your time and cost accordingly. In a larger environment, however, SecureNAT clients may already be pointed to network routers for internal routing. These routers must be configured to route Internet requests to the ISA Server. Your time and cost depend on the number of routers that must be configured and the complexity of this configuration change.

If Web proxy or Firewall clients need to be configured for automatic discovery, then you may need to configure DHCP and/or DNS servers to provide information on where to locate the ISA Server. The protocol used is the Web Proxy Autodiscovery Protocol (WPAD).
CHAPTER SUMMARY

KEY TERMS
• Network Address Translation (NAT)
• SecureNAT
• Winsock applications
• mspclnt.ini
• msplat.txt
• Chained authentication
• Web Proxy Autodiscovery Protocol (WPAD)

The process of deploying ISA Server can be reduced in complexity, cost, and time by carefully evaluating client requirements. Maintenance and access troubleshooting are both made easier if planners and implementers have a thorough knowledge and understanding of the clients. It's not just the configuration and installation steps that are important. This chapter provided insight into the knowledge base and planning decisions that are required, while deferring the step-by-step implementation instructions to the next chapter.
APPLY YOUR KNOWLEDGE

Exercises

13.1 Planning Client Deployment

Before clients can be deployed, you must determine which clients should be deployed. A good understanding can save many hours and make maintenance and access troubleshooting much less demanding.

Estimated Time: 10 minutes

1. Use Table 13.2 to list the client requirements, as you understand them, of your network.
2. In the second column of the table, list the client type that is required to fulfill this need.
3. Compare your results with the sample table that follows this exercise.

TABLE 13.2  CLIENT REQUIREMENTS

Requirement                              Client Type

TABLE 13.3  SAMPLE ANSWER TABLE

Requirement                              Client Type
Authentication                           Web proxy, Firewall
Web protocols                            Web proxy, Firewall, SecureNAT
Application filters                      Firewall, SecureNAT
Caching of HTTP requests                 Web proxy, Firewall, SecureNAT
Caching of FTP requests                  Web proxy
Requires the least configuration         SecureNAT
Fine-tuned Winsock application usage     Firewall
Review Questions

1. Are 16-bit Winsock applications supported? With which clients?
2. Which client should be selected if access control will be configured by IP address, schedule, protocol, and destination requested? Which will be the simplest to configure?
3. Which clients use the Web proxy service? Which ones use it most efficiently?
4. Discuss two items that can increase the complexity and cost of deploying the various ISA Server clients.

Exam Questions

1. In a migration from Proxy Server 2.0 to ISA Server, an inventory of client status must be made. Of the clients listed here, which will not need changes to access the Internet through ISA Server?
   A. Winsock Proxy clients.
   B. Web proxy clients set for autodiscovery.
   C. Clients whose default gateway is set for the ISA Server's internal network interface.
   D. Web proxy clients coded with the internal network interface of the Proxy 2.0 server (soon to be the ISA Server) and port 80.
2. Which of the following ISA Server clients can be used to provide Internet access for Macintosh and Unix clients?
   A. Firewall client
   B. Web proxy client
   C. SecureNAT client
   D. Winsock Proxy client
3. Various protocols and types of Web objects can be cached. Which of the following items can be cached?
   A. HTTP and FTP requests from Firewall clients.
   B. HTTP and FTP requests from Web proxy clients.
   C. HTTP and FTP requests from SecureNAT clients.
   D. HTTP requests from SecureNAT clients.
4. You are debating using the Firewall client or the SecureNAT client. Two advantages of one over the other are
   A. The Firewall client can inform the Firewall service of the ports it needs to use. SecureNAT clients' port needs must be statically configured.
   B. The Firewall client will always pass user credentials, thus user group membership can be successfully used for access control.
   C. The SecureNAT client can inform the Firewall service of the ports it needs to use. Firewall clients' port needs must be statically configured.
   D. The SecureNAT client will always pass user credentials, thus user group membership can be successfully used for access control.
5. Which clients can be used in which modes?
   A. SecureNAT clients are not supported in Caching mode.
   B. Web proxy clients are not supported in Firewall mode.
   C. Firewall clients are not supported in Integrated mode.
   D. SecureNAT clients are not supported in Firewall mode.

Answers to Review Questions

1. 16-bit Winsock applications are only supported for Windows NT 4.0 clients and Windows 2000 clients. See the section, "Firewall Client."
2. All clients can be used in this scenario; however, the SecureNAT client is the simplest to configure. See the section, "Using Multiple Clients on a Single Computer."
3. All clients use the Web proxy service. SecureNAT and Firewall client Web requests are forwarded to the Web proxy service. The Web proxy client uses the Web proxy service in the most efficient manner. See the section, "SecureNAT Client."
4. Two items that can increase the complexity of a deployment are authentication and autodiscovery. Authentication might be required to fulfill access rules written to depend on group membership. This requires a more complex deployment. If Web proxy clients are used, then authentication must be required of all clients; this prevents participation by non-Windows clients. Autodiscovery can save configuration time, but can be difficult to get right. Changes to DNS and DHCP configuration may need to be made. See the section, "Considering Cost and Complexity."

Answers to Exam Questions

1. A, B, C. D is incorrect. Proxy 2.0 uses port 80 to listen for Web requests. ISA Server uses port 8080. See the section, "Migrating Proxy 2.0 Clients."
2. B, C. A and D are incorrect; the firewall and Winsock Proxy clients must be installed and there is no version for non-Windows operating systems. See, "Introducing ISA Server Client Types."
3. B, D. A is incorrect; only HTTP requests from Firewall and SecureNAT clients are cached. See, "Using Multiple Clients on the Same Computer."
4. A, B. C and D are incorrect. See, "Using Multiple Clients on the Same Computer."
5. A, B. Firewall clients are supported in integrated mode and SecureNAT clients are supported in Firewall mode. See, "Introducing ISA Server Client Types."

Suggested Readings and Resources

1. ISA Server "Installation and Deployment Guide," available at http://www.microsoft.com/isaserver/techinfo/ISAdeploy.htm.
2. Carlisle Adams and Steve Lloyd, Understanding the Public-Key Infrastructure, 1999, New Riders Publishing. ISBN: 157870166X.
3. Roberta Bragg, Windows 2000 Security, Chapters 4 and 17, 2000, New Riders Publishing. ISBN: 0735709912.
4. "Windows 2000 Certificate Services," a white paper at http://www.microsoft.com/WINDOWS2000/library/operations/security/
OBJECTIVES

This chapter covers the following Microsoft-specified objectives for the Deploying, Configuring, and Troubleshooting the Client Computer section of the Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server 2000 exam:

Configure and troubleshoot the client computer for secure network address translation (SecureNAT).
. What simple technique is used to implement the SecureNAT client? What do you have to do to create SecureNAT clients? Simple as it may seem, people have trouble with this one.

Install the firewall client software. Considerations include the cost and complexity of deployment.
. Using the firewall client brings many benefits to the user or ISA Server services. Installation is uncomplicated, but issues do arise. The client information must first be configured correctly on the server, or communications will not occur.

Troubleshoot autodetection.
. While the easiest path may appear to be to configure autodetection, there are several steps involved. How will you troubleshoot client issues? By knowing what's supposed to happen.

Configure the client computer's Web browser to use ISA Server as an HTTP proxy.
. Web proxy clients are simply client computers whose browser has been configured to point to the ISA Server. Instead of accessing the Internet directly, they send their requests to ISA Server.
CHAPTER 14
Installing and Configuring Client Options

OUTLINE

Introduction                                                  401
Configuring ISA Server and the Network to Support Clients     401
  Modifying Routing                                           401
  Adding DHCP and/or DNS Settings                             402
  Configuring ISA Server Properties                           403
  Configuring ISA Server Client Settings                      404
Installing and Configuring Clients                            407
  Configuring the SecureNAT Client                            407
  Configuring Web Proxy Clients                               408
  Installing and Configuring Firewall Clients                 409
  Using Multiple Clients on Single Computers                  411
Troubleshooting Client Trouble Spots                          411
  Troubleshooting Client Installation                         412
  Troubleshooting Autodetection                               412
  Troubleshooting Authentication                              413
Chapter Summary                                               414
Apply Your Knowledge                                          415
  Exercises                                                   415
  Answers to Exercises                                        415
  Review Questions                                            415
  Exam Questions                                              416
  Answers to Review Questions                                 417
  Answers to Exam Questions                                   417

STUDY STRATEGIES

. Consider the impact of having to configure and/or install hundreds of ISA Server clients. How would you do it?
. Separate out for yourself which clients are necessary where, and when you would use multiple clients.
. Consider the multiple ISA Server client computers. What impact does adding the firewall client to the Web proxy have?
Chapter 14  INSTALLING AND CONFIGURING CLIENT OPTIONS
INTRODUCTION

Now that you know which clients you will use where and have planned your client rollout, you need to take the steps to do so in the most efficient way. The following sections will support your efforts:

• Configuring ISA Server and the Network to Support Clients
• Installing and Configuring Clients
• Troubleshooting Client Trouble Spots

CONFIGURING ISA SERVER AND THE NETWORK TO SUPPORT CLIENTS

To support ISA Server clients, it might be necessary to

• Modify routing
• Add DHCP and/or DNS settings
• Configure ISA Server properties
• Configure ISA Server client settings
Modifying Routing
Modifications to routing will depend on the current network routing configuration. The end result should be that Internet requests are routed through the ISA Server. This can be accomplished in a couple of ways. In a small network where all clients are on the same network as the ISA Server, it is only necessary to set the default gateway of the ISA Server clients to the address of the internal network interface card of the ISA Server. This can be done by adjusting DHCP settings or by manually setting the gateway on client systems.
In a larger environment consisting of multiple subnetworks, a client's default gateway will be the router interface on its subnetwork. The routers will then need to be modified, if necessary, to forward Internet requests to the ISA Server.
Adding DHCP and/or DNS Settings
If the ISA Server clients will be configured to use automatic discovery to find the ISA Server, and not all clients are in the same subnetwork as the ISA Server, the DHCP and/or DNS server will need to be modified to allow the ISA Server clients to find the ISA Server. This is done by adding a Web Proxy Autodiscovery Protocol (WPAD) entry to these servers. DHCP can provide autodiscovery information for Windows 2000, Windows ME, and Windows 98 client computers. DNS can provide autodiscovery information for Windows NT 4.0, Windows 2000, Windows ME, and Windows 98. For instructions see Step by Step 14.1 (DHCP) and Step by Step 14.2 (DNS).
STEP BY STEP
14.1 WPAD Entries in DHCP

1. Click Start, Programs, Administrative Tools, DHCP.
2. Right-click the DHCP server and select Set Predefined Options.
3. Click Add.
4. In the Name box, type WPAD.
5. Type 252 for Code.
6. In Data Type, select String. Click OK.
7. Enter http://computername:autodiscoveryport#/Wpad.dat (see Figure 14.1). Click OK.
8. Right-click Server Options and select Configure Options.
9. On the General page, scroll down until you find 252 WPAD and check the box. Click OK.

FIGURE 14.1  Configuring DHCP for automatic discovery.
STEP BY STEP
14.2 WPAD Entries in DNS

1. Click Start, Programs, Administrative Tools, DNS.
2. Right-click the forward lookup zone and select New Alias.
3. In the Name box, type WPAD.
4. In Fully Qualified Name for Target Host, enter the FQDN of the ISA Server (see Figure 14.2).
5. Click OK.

EXAM TIP  Which Port Should Be Used?
The autodiscovery port used will be either the Outgoing Web Requests port or some other port designated as the automatic discovery port. When DNS is used to publish WPAD, you must use port 80 for automatic discovery.
Configuring ISA Server Properties
If ISA Server properties are properly configured and clients are configured for automatic discovery, clients in the same subnet as the ISA Server can receive a response to their broadcast request for the address of the proxy server. To configure ISA Server to respond, you must publish automatic discovery.

STEP BY STEP
14.3 Publishing Automatic Discovery

1. Right-click Internet Security and Acceleration Server, Servers and Arrays\name, and select Properties.
2. Click the Auto Discovery tab.
3. Check the Publish Automatic Discovery Information box.
4. Enter the port number to use in Use This Port for Automatic Discovery Requests. Click OK.
5. At the Warning box, select Save the Changes and Restart the Services. Click OK.
FIGURE 14.2  Configuring DNS for automatic discovery.
Configuring ISA Server Client Settings
Before installing firewall client software, client configuration settings should be made on the ISA Server. Two types of settings can be made: properties that will be modified on the firewall client's Web browser, and properties that will be made for the firewall client itself. These settings become part of the client configuration file that is downloaded to the client when the client computer starts and every six hours that the system remains online. The firewall client application can also be used to request a download of the file, and to change the ISA Server used for downloads. The file created can be edited directly, but this should only be done on the ISA Server. The client copy of the file should never be edited, as it will be periodically overwritten. Property pages in the Client Configuration node of the ISA Server management console offer the more common areas that may need to be changed. Web browser properties include

• The ability to specifically identify the ISA Server computer by DNS name and listening port. If selected, the client Web browser will be hard coded with this information (see Figure 14.3).
• Automatic configuration settings. Web browsers can be set to automatically discover settings, or to use an automatic configuration script.
FIGURE 14.3 Hard code or automatic discovery?
• Identification of servers and domains the client will access directly (see Figure 14.4).
• Optional identification of a backup route. This is an alternative path to the Internet should the ISA Server be unavailable (see Figure 14.5).
FIGURE 14.4 Local servers and domains.
FIGURE 14.5 Alternative route.
EXAM TIP  Client Configuration Scripts
The default configuration URL for client configuration scripts is http://computername/array.dll?Get.Routing.Script. The script is automatically generated and includes ISA Server access (if an array exists, a list of ISA Servers is included) and backup route options for Web proxy clients. Using the script option for Web browser configuration allows you to update Web browser settings without reconfiguring each Web browser. Both IE 3.02 and later and Netscape 2.0 and later can use this feature. You can specify a custom client configuration script.

Configuration of the firewall client properties allows:

• The choice of hard coding the ISA Server name or IP address, or enabling automatic discovery (see Figure 14.6).
• Application settings: specific, application-by-application settings including ports, and the capability to add additional applications (see Figure 14.7).

FIGURE 14.6  Choosing ISA Server location.
FIGURE 14.7  Application settings.
INSTALLING AND CONFIGURING CLIENTS

Before clients can use ISA Server services, you must install or configure them. Multiple client types can be configured for a single client system. Client configuration options are

• Configuring the SecureNAT client
• Configuring Web proxy clients
• Installing and configuring firewall clients
• Using multiple clients on a single computer
Configuring the SecureNAT Client
Configure and troubleshoot the client computer for secure network address translation (SecureNAT).

To configure a client as a SecureNAT client, you must configure the client so that all requests for Internet access are routed to the internal network interface of the ISA Server. How this is done depends on whether the client is on the same logical network as the ISA Server or on some other internal subnetwork. To configure the SecureNAT client:

• If the client is on the same logical network as the ISA Server's internal network, use the ISA Server internal interface IP address as the client's default gateway.
• If the client is on a different internal network, the client's default gateway should be the address of a router that has been configured to forward all requests for Internet addresses to the ISA Server.
Configuring Web Proxy Clients
Configure the client computer's Web browser to use ISA Server as an HTTP proxy.

To configure Web proxy clients, you must modify the client's browser settings so that the browser can locate the ISA Server. There are multiple ways to do this. First, you could directly modify the client's Web browser settings by opening the browser's property pages and entering the name or IP address of the ISA Server and the port (by default 8080) used by the ISA Server to listen for Web requests. To do so, follow Step by Step 14.4.

STEP BY STEP
14.4 Configuring Internet Explorer as a Web Proxy Client

1. On the IE menu, select Tools, Internet Options, Connections.
2. Click the LAN Settings button (see Figure 14.8).
3. If you want to hard code the ISA Server information, select Use a Proxy Server and enter the IP address and port of the ISA Server.
4. If you want to configure the Web browser for automatic discovery, select Automatically Detect Settings.
5. If you want to configure the Web browser to use a script, select Use Automatic Configuration Script and enter the URL of the script.

FIGURE 14.8  Manually setting browser configuration.
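The automatic configuration script that step 5 points the browser at is a small JavaScript program the browser calls once per request. The following is an added example of a hand-written script of that kind; it is not the script ISA Server generates at array.dll?Get.Routing.Script (described in the exam tip earlier) and not from this book. It shows the three decisions that script also encodes for a Web proxy client: direct access for the local servers and domains, the ISA Server's Web listener for everything else, and a backup route if the ISA Server is unavailable. The host name isa1.corp.example, the local domain and the address ranges are assumed values. The helpers isPlainHostName, dnsDomainIs and isInNet are normally provided by the browser's PAC engine; they are written out here with their usual meaning so the script runs stand-alone.

```javascript
// Added example: a hand-written proxy auto-configuration (PAC) script for
// ISA Server Web proxy clients. Not the script ISA Server generates.
// All host names and address ranges below are assumed values.

var ISA_SERVER   = "isa1.corp.example:8080"; // assumed ISA Server name; 8080 is the default Web listener port
var BACKUP_ROUTE = "DIRECT";                 // backup route if the ISA Server is unavailable (could be a second proxy)
var LOCAL_DOMAINS = [".corp.example"];       // "local servers and domains" the browser reaches directly
var LOCAL_NETS    = [["10.0.0.0", "255.0.0.0"], ["192.168.0.0", "255.255.0.0"]]; // internal address ranges

// The browser's PAC engine normally supplies these three helpers; they are
// defined here with the standard semantics so the script runs on its own.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}

// Octet-wise comparison under the mask. A real PAC engine would also resolve
// a host name to an address first; this version only handles dotted addresses.
function isInNet(host, pattern, mask) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  var h = host.split("."), p = pattern.split("."), m = mask.split(".");
  for (var i = 0; i < 4; i++) {
    if ((Number(h[i]) & Number(m[i])) !== (Number(p[i]) & Number(m[i]))) return false;
  }
  return true;
}

// Entry point the browser calls for every request. The return value is a
// list of routes tried in order: "PROXY host:port" or "DIRECT".
function FindProxyForURL(url, host) {
  if (isPlainHostName(host)) return "DIRECT";            // unqualified intranet names
  for (var i = 0; i < LOCAL_DOMAINS.length; i++) {
    if (dnsDomainIs(host, LOCAL_DOMAINS[i])) return "DIRECT";
  }
  for (var j = 0; j < LOCAL_NETS.length; j++) {
    if (isInNet(host, LOCAL_NETS[j][0], LOCAL_NETS[j][1])) return "DIRECT";
  }
  // Everything else goes to the ISA Server; the browser falls back to the
  // backup route only if the ISA Server cannot be reached.
  return "PROXY " + ISA_SERVER + "; " + BACKUP_ROUTE;
}
```

The order of the checks matters for the same reason the "local servers and domains" list exists: a request for an internal host that is sent to the ISA Server is a request the firewall has to evaluate and, if the name is in the LAT, refuse or loop back, so local destinations are excluded before the proxy line is reached. The backup route is what the browser uses when the proxy does not answer at all, not when the proxy denies the request.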
Installing and Configuring Firewall Clients
Install the firewall client software. Considerations include the cost and complexity of deployment.

The only client that requires installation of software is the firewall client. Both SecureNAT clients and firewall clients can run Winsock applications that use ISA Server application filters. The difference is that the firewall client uses client-side settings to better enable access, and firewall clients can send user information (for authentication purposes) to the ISA Server. It works like this:

1. A firewall client uses a Winsock application and requests an object from another computer.
2. The firewall client checks its LAT. If the requested computer is in the LAT, the client goes directly to that computer. If the computer is not in the LAT, the firewall client sends its request to the ISA Server firewall service.
3. If permitted, the ISA Server firewall service forwards the request to the desired computer.

Prior to installing this client, you should configure the server settings that match your requirements (see "Configuring ISA Server Properties" earlier in the chapter). The client software is installed from a server share. The following components are installed on the client computer:

• mspclnt.ini—Client configuration file and local domain table.
• msplat.txt—The LAT.
• The firewall client application.
• A Control Panel applet that can be used to request the configuration (see Figure 14.9).

The mspclnt.ini and msplat.txt files are saved to the Documents and Settings\All Users\Application Data\Microsoft\Firewall Client folder. To install the firewall client, follow Step by Step 14.5.
FIGURE 14.9 Using the Control Panel firewall client applet.
STEP BY STEP
14.5 Installing a Single Firewall Client

1. Browse to the \\ISAServercomputer\mspclnt network share.
2. Double-click setup.exe.
3. At the Welcome screen, click Next.
4. At the Destination page, modify the installation path if necessary and click Next.
5. Click Install.
6. Click Finish.

A sample Web page is also provided (see Figure 14.11). This page (default.htm) and the batch file setup.bat can be placed on an intranet server and thus enable users to use a familiar process, the Web download, to install the firewall client. The page leads to a setup.bat file that merely provides the path to the setup.exe file mentioned earlier. These files can be found in the Program Files\Microsoft ISA Server\Clients\webinst folder.

NOTE  Customizing the LAT
The msplat.txt file that is installed on the client computer during installation of the firewall client contains a copy of the LAT from the ISA Server. If you need to make changes to the LAT, do so on the server. Changes are downloaded to the client at regular intervals. If you need to customize this file for individual clients, don't. Instead, create a custom LAT file and name it locallat.txt. Add IP address ranges, or single IP addresses, for additional computers that the client should recognize as belonging to the internal network. A single IP address merely repeats the address, while a beginning and ending IP address indicate a range. The file should be placed in the firewall client folder. Figure 14.10 is a sample locallat.txt file.

FIGURE 14.10  Creating a local LAT file.
FIGURE 14.11  Firewall client Web install.
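Step 2 of the firewall-client sequence earlier in this section, and the locallat.txt additions the note describes, both come down to a range lookup. The following is an added example, not from the book and not the firewall client's own code, that parses LAT text and reports which path a firewall client takes for a destination address. It assumes the file layout the note describes: one entry per line, a starting and an ending IPv4 address separated by whitespace, with a single host written as the same address twice. The sample msplat.txt and locallat.txt contents are constructed.

```javascript
// Added example: how a firewall client decides, from its LAT, whether a
// destination is local (connect directly) or must go through the ISA Server
// firewall service. Assumed file layout: one entry per line, start and end
// IPv4 address separated by whitespace. Sample data is constructed.

function ipToInt(ip) {
  const parts = ip.trim().split(".");
  if (parts.length !== 4) throw new Error("bad IPv4 address: " + ip);
  return parts.reduce((acc, p) => {
    const n = Number(p);
    if (!/^\d{1,3}$/.test(p) || n > 255) throw new Error("bad IPv4 address: " + ip);
    return acc * 256 + n;
  }, 0);
}

// Parse LAT text into [low, high] integer ranges. Blank lines are skipped;
// a malformed or reversed entry is an error rather than a silent gap.
function parseLat(text) {
  const ranges = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "") continue;
    const fields = line.split(/\s+/);
    if (fields.length !== 2) throw new Error("LAT entry needs a start and an end address: " + line);
    const lo = ipToInt(fields[0]);
    const hi = ipToInt(fields[1]);
    if (lo > hi) throw new Error("LAT range is reversed: " + line);
    ranges.push([lo, hi]);
  }
  return ranges;
}

function isInLat(ranges, ip) {
  const n = ipToInt(ip);
  return ranges.some(([lo, hi]) => n >= lo && n <= hi);
}

// Path the client takes for destIp. The server-supplied LAT (msplat.txt) and
// the optional per-client additions (locallat.txt) are consulted together;
// pass "" for locallat when the client has no locallat.txt.
function routeFor(msplat, locallat, destIp) {
  const ranges = parseLat(msplat).concat(parseLat(locallat));
  return isInLat(ranges, destIp) ? "direct" : "firewall-service";
}

// Constructed sample files (tab-separated, as a hand-made file might be).
const SAMPLE_MSPLAT = "10.0.0.0\t10.255.255.255\n192.168.0.0\t192.168.255.255\n";
const SAMPLE_LOCALLAT = "172.16.5.20\t172.16.5.20\n"; // one extra host, written as start and end
```

The point of the locallat.txt sample is the one the note makes: the extra host is reached directly only by the client that carries the addition, while every other firewall client still sends traffic for it to the firewall service, where the access rules decide. A LAT entry that is too wide has the opposite effect, traffic for an external address is sent direct and never reaches the firewall service at all, which is why the note says to make LAT changes on the server and not on individual clients.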
The process of individually installing clients may be fine where clients are few, but what if the clients are many? ISA Server provides the installer package MS_FWC.msi. Group Policy can be used to assign this package to users who require the firewall client.
Using Multiple Clients on Single Computers
A single client computer can use all three client setups. The decision to use any, or all, of the client types should be based on the advantages gained versus the overhead and complexity of managing multiple clients. The strategy you take is also dictated by the client operating system.
TROUBLESHOOTING CLIENT TROUBLE SPOTS

Before tackling the list of firewall rules to determine why a particular client cannot access the Internet, it is a good practice to be sure the client can connect to the ISA Server. One of the problems inherent in using any device between the client and the destination is that the individual using the client usually doesn't have a clue as to how the data must travel to reach its ultimate destination. All they know is that they cannot get where they want to go. The first item to check is how the client is getting to the ISA Server. This depends on the type of client. To troubleshoot access, you may need to check client, network, and ISA Server configuration. Your first task is to determine whether this is an isolated incident, or whether all clients, all clients on a particular subnet, or only one type of client are having problems. This approach lets you narrow your search. First, check access problems by reviewing client setup; then, especially if clients are configured to automatically detect the ISA Server, you may need to troubleshoot the ISA Server interface as well. Be sure ISA Server services are running.
Troubleshooting Client Installation
Check access problems vis-à-vis client types using the following rules:

• For SecureNAT clients, the requirement is that either router-based networks forward Internet traffic to the ISA Server, or that clients in routerless networks use the ISA Server internal network interface as their default gateway. If these absolutes are not configured, configure them and test again.
• Web proxy clients need to know the IP address and listening port of the ISA Server. Check to be sure that either this is hard coded or "automatic" detection is set.
• Firewall clients have similar needs to Web proxy clients. Their configuration is done at installation from information on the ISA Server. You can display information on whether they automatically detect the ISA Server by opening the Firewall Client Monitor tool's icon in the system tray.
• For Web proxy clients and firewall clients, be sure the hard coded information is correct. Remember that the ISA Server listens, by default, on port 8080.
• For Web proxy clients and firewall clients that are set to "automatically discover" the ISA Server, you will need to troubleshoot automatic discovery.

Additional client access issues can result from the installation process or from changes to the LAT that have not yet propagated to the client. The firewall client has a built-in update mechanism: in the Control Panel Firewall Client program, click the Update Now button.
Troubleshooting Autodetection
Troubleshoot autodetection.
If clients are set to autodetect the ISA Server and cannot, the problems may simply be a misconfiguration on the server side. Items to check are the following:
• Check ISA Server property pages. On the Auto Discovery page, the server should be configured to Publish Automatic Discovery Information and a port should be entered.
• Check DHCP configuration. If DHCP is being used to provide information on the ISA Server location, then the WPAD option should be configured.
• Check DNS configuration. If DNS is being used to provide information on the ISA Server location, then there should be a WPAD alias configured for the ISA Server.
• If neither DHCP nor DNS configuration is present and routers are used in this network, then autodiscovery will only work for those clients that can broadcast to and receive direct answers from the ISA Server. You will need to configure DNS or DHCP in this situation.
• Check the port listed for autodiscovery on the ISA Server. Does it match client expectations?
• Check port information in DHCP. Does it match the server port?
• Check port information in DNS. Whoops. No port info in DNS. The port used at the ISA Server must remain at port 80.
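Most of the checklist above is about two values agreeing: the port the ISA Server publishes automatic discovery on (Step by Step 14.3) and the port a client derives from the WPAD entry it finds, whether that is the DHCP option 252 URL from Step by Step 14.1 or the DNS alias from Step by Step 14.2. The following is an added example, not from the book or from ISA Server, that encodes the checklist as a consistency check over those settings and reports the mismatches a client would trip over. All host names and values are constructed; the way a client turns the DNS alias into a URL (http://wpad.<domain>/wpad.dat, always port 80) is the WPAD behaviour the exam tip in this chapter relies on.

```javascript
// Added example: checks the WPAD autodiscovery settings against each other,
// following the troubleshooting checklist. All names and values are constructed.

// URL a client builds from a DHCP option 252 value (the server can name any port here).
function wpadUrlFromDhcp(option252) {
  return new URL(option252);
}

// URL a client builds from the DNS method: the WPAD alias in its own domain,
// and always port 80, because a DNS alias carries no port information.
function wpadUrlFromDns(clientDomain) {
  return new URL("http://wpad." + clientDomain + "/wpad.dat");
}

function portOf(url) {
  return url.port === "" ? 80 : Number(url.port); // URL drops an explicit ":80"
}

// cfg fields (all constructed for this example):
//   publishAutodiscovery  ISA Server "Publish Automatic Discovery Information" checkbox
//   autodiscoveryPort     ISA Server "Use This Port for Automatic Discovery Requests"
//   dhcpOption252         DHCP WPAD option value, or null if not configured
//   dnsWpadAlias          true if a WPAD alias exists in DNS
//   routed                true if clients sit behind routers (their broadcasts do not reach the ISA Server)
function checkAutodiscovery(cfg) {
  const findings = [];
  if (!cfg.publishAutodiscovery) {
    findings.push("ISA Server is not publishing automatic discovery information");
  }
  const haveDhcp = Boolean(cfg.dhcpOption252);
  if (!haveDhcp && !cfg.dnsWpadAlias && cfg.routed) {
    findings.push("no DHCP or DNS WPAD entry: only clients that can broadcast to the ISA Server will find it");
  }
  if (haveDhcp) {
    let dhcpPort;
    try {
      dhcpPort = portOf(wpadUrlFromDhcp(cfg.dhcpOption252));
    } catch (e) {
      findings.push("DHCP option 252 is not a valid URL: " + cfg.dhcpOption252);
    }
    if (dhcpPort !== undefined && dhcpPort !== cfg.autodiscoveryPort) {
      findings.push("DHCP option 252 points at port " + dhcpPort +
                    " but ISA Server publishes on port " + cfg.autodiscoveryPort);
    }
  }
  if (cfg.dnsWpadAlias && cfg.autodiscoveryPort !== 80) {
    findings.push("DNS-based discovery always uses port 80 but ISA Server publishes on port " +
                  cfg.autodiscoveryPort);
  }
  return findings;
}

// Constructed configurations: one consistent, one with the two classic port mismatches.
const GOOD_CONFIG = {
  publishAutodiscovery: true, autodiscoveryPort: 80,
  dhcpOption252: "http://isa1.corp.example:80/Wpad.dat", dnsWpadAlias: true, routed: true,
};
const BAD_CONFIG = {
  publishAutodiscovery: true, autodiscoveryPort: 8080,
  dhcpOption252: "http://isa1.corp.example/Wpad.dat", dnsWpadAlias: true, routed: true,
};
```

BAD_CONFIG is the combination the last three checklist items warn about: the ISA Server was switched to publish discovery on 8080, the DHCP option was written without a port (so clients assume 80), and DNS cannot carry a port at all. Running the check on it returns both findings; the fix is either to publish on port 80 or to drop DNS-based discovery and put the explicit port in the DHCP option.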
Troubleshooting Authentication
Problems of client access often are related to authentication requirements. To troubleshoot these issues, you must understand the capabilities of the three ISA Server client types:

• SecureNAT clients cannot pass user information.
• Web proxy clients that use Internet Explorer can pass user information if they are requested to do so.
• Firewall clients always pass user information.
It is the middle bit of knowledge that causes the most trouble. Consider the situation in which site and content rules have been developed to restrict access by using Windows 2000 user groups. You might expect that both firewall clients and Web proxy clients could be managed successfully by these rules. However, you would soon find that Web proxy clients were either granted or refused access when, by your best judgment, the response should have been otherwise. This is because the Web browser is configured to make requests anonymously. Because no user information is provided in the request, a rule that depends on group membership cannot match it. You can, however, remedy this situation either by installing the firewall client, or by checking the Ask Unauthenticated Users for Identification check box on the Outgoing Web Requests page of ISA Server properties (see Figure 14.12).
FIGURE 14.12 Requiring authentication.
CHAPTER SUMMARY

KEY TERMS
• Web Proxy Autodiscovery Protocol (WPAD)
• DHCP options
• Automatic discovery
• mspclnt.ini
• msplat.txt
• locallat.txt
• MS_FWC.msi
Installing and configuring clients is really a simple chore, but there are tasks and nuances that can catch the unwary. The best strategy here is precautionary: Know the requirements of the three client types and know their little quirks. Most client connectivity issues revolve around finding the ISA Server. Don’t, however, forget the role that authentication plays in the interpretation of ISA Server rules.
Chapter 14
INSTALLING AND CONFIGURING CLIENT OPTIONS
APPLY YOUR KNOWLEDGE
Exercises

14.1 Client Melee
In order to understand client and server relationships and their bearing on site and content rules and protocol rules, you need to work with different clients. Don’t just install or configure the client and access a Web page. Try different combinations of client and server site settings and be sure to at least include the following.

Estimated Time: 30 minutes

1. Create at least two user groups and include several user accounts in each group. For example, create the Financial Group and the Sales Group. Place users Bill and Bob in the Financial Group and users Sally and Wanda in the Sales Group.
2. Create site and content rules. Create at least one that blocks access to a specific site by using a user group (such as Financial) and at least one that allows access to a specific site to only a single group (such as Sales).
3. First, be sure that your client computer is configured only to be a SecureNAT client. Attempt access that would use the site and content rules you made. Can you access the forbidden site?
4. Next, configure your client to be a Web proxy client. Can you access the sites? What would you need to do to make the Web browser use a user name and password?
5. Finally, install the firewall client and attempt to access the sites. Can you do so?
Answers to Exercises

3. The SecureNAT client cannot access the site.
4. The Web proxy client cannot access the site. If you require authentication of all users, your Web browser will provide user credentials.
5. The firewall client can access the site.
Review Questions

1. John configured his Web browser for proxy server automatic discovery but cannot access the Internet. There are no routers in his network. What could the problem be?
2. Peter is in the Accountants group. A site and content rule allows the Accountants group to access www.msnbc.com. Peter’s computer is configured as a Web proxy client. He cannot access www.msnbc.com. What could the problem be?
3. Given the network layout in Figure 14.13, what is the simplest configuration choice in order to allow the client computers access to the Internet?
FIGURE 14.13 Question 3.

FIGURE 14.14 Question 1.
4. It is critical that users in the Marketing department be able to access the Internet even if the ISA Server is down. Other users can wait, and should, but not the Marketing department. The Marketing department has their own ISA Server. What should you do?
Exam Questions

1. Given the computers in Figure 14.14, and assuming that DHCP has the WPAD option set, which computers can auto discover the ISA Server?
A. Computer A
B. Computer B
C. Computer C
D. Computer D

2. Given the computers in Figure 14.15, and assuming that DNS has a WPAD alias created, which computers can auto discover the ISA Server?
A. Computer A
B. Computer B
C. Computer C
D. Computer D

3. To deploy large numbers of firewall clients, you should
A. Use Group Policy to assign the MS_FWC.msi file to computers that will need to use the server.
B. Use the Web-based installation program found in the firewallclient\webinst folder.
C. Write a Windows Scripting Host script to log on to client computers and run the client setup file.
D. Copy the installation program to a floppy and distribute it to users to install.
4. You need to configure some assistance for autodiscovery. You can (pick two):
A. Configure WPAD option 252 on the DHCP server.
B. Configure a WPAD SRV record on the DNS server.
C. Uncheck the Publish Auto Discovery Information box.
D. Assign port 80 as the autodiscovery port.

5. Select two items that are true about ISA Server client configuration.
A. Applies to all firewall clients.
B. Applies to all SecureNAT clients.
C. Applies to all Web proxy clients.
D. Can configure Web proxy settings for firewall clients.

FIGURE 14.15 Question 2.

Answers to Review Questions

1. The ISA Server has not been configured for autodiscovery. See the section, “Configuring ISA Server Properties.”
2. The ISA Server is not configured to require authentication of all users. The Web browser, by default, uses anonymous access. See the section, “Troubleshooting Authentication.”
3. Set the gateway of the client computers to the 192.168.6.100 address. See the section, “Configuring the SecureNAT Client.”
4. Configure the Web browsers of these clients to use a backup route. See the section, “Configuring ISA Server Client Settings.”
Answers to Exam Questions

1. A, B, C. D is incorrect because DHCP cannot be used to configure Windows NT 4.0 computers. See the section, “Adding DHCP and/or DNS Settings.”
2. A, B, C, D. See the section, “Adding DHCP and/or DNS Settings.”
3. A. B is wrong: the Web-based folder simply is a shortcut to the location of the setup file. C is incorrect: although you could do this, it would be more trouble than using Group Policy. D is wrong: you cannot install from a floppy disk. See the section, “Installing and Configuring Firewall Clients.”
4. A, D. B is incorrect: there is no such thing as a WPAD SRV record. C is incorrect: the information should be published. See the section, “Adding DHCP and/or DNS Settings.”
5. A, D. B and C are incorrect. Client settings are not applied to SecureNAT or Web proxy clients. See the section, “Configuring ISA Server Client Settings.”
Suggested Readings and Resources

1. Abell, Kneif, Daniels. Windows 2000 DNS, New Riders Publishing, ISBN 0735709734; April 2000.
2. “Dynamic Host Control Protocol for Windows 2000,” a white paper at http://www.microsoft.com/TechNet/win2000/win2ksrv/technote/dhcpnt5.asp.
3. RFC 2132, “DHCP Options and BOOTP Vendor Extensions,” search for it at http://www.rfc-editor.org/cgi-bin/rfcsearch.pl.
PART V

MONITORING, ANALYZING, AND OPTIMIZING ISA SERVER

15 Monitoring Network Security and Usage
16 Performance Analysis and Optimization
OBJECTIVES

This chapter covers the following Microsoft-specified objectives for the Monitoring, Managing, and Analyzing ISA Server Use section of the Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server 2000 exam:

Monitor security and network usage by using logging and alerting.
• Configure intrusion detection.
• Configure an alert to send an email message to an administrator.
• Automate alert configuration.
• Monitor alert status.

A good firewall doesn’t just lock intruders out; it lets you know when they are knocking at your door. While a firewall can use many tools to do so, having intrusion detection technology increases your opportunities for detecting attempts to compromise your network. These services must be correctly configured and rely on the ability of the system to log information, detect attack patterns, and send alerts.

Troubleshoot problems with security and network usage.
• Detect connections by using Netstat.
• Test the status of external ports by using telnet or Network Monitor.

It is not enough to rely on an automated collection of information, or an inspection of current configurations. An additional effort must be made to challenge the setup by inspecting connections and testing the status of external ports. Windows 2000 provides several tools for this, ranging from the simple network statistics tool Netstat, through a telnet client that can be used to attempt connections to ports, to the sophisticated Network Monitor, which can inspect packets on the network.
CHAPTER 15

Monitoring Network Security and Usage
OUTLINE

Introduction 423
Monitoring Security and Network Usage with Logging and Alerting 423
  Configuring Logs 424
  Understanding Log Choices 424
  Logging to an ODBC Database 425
  Configuring Intrusion Detection 429
  Detection of Common Attacks 429
  Application Filters 431
  Configuring Alerts 433
  Automating Alert Configuration 435
  Monitoring Alert Status 435
Troubleshooting Problems with Security and Network Usage 436
  Confirming Configuration with Security Configuration and Analysis 436
  Detecting Connections with Netstat 438
  Testing External Port Status with Telnet and Network Monitor 440
Chapter Summary 443
Apply Your Knowledge 444
  Exercises 444
  Review Questions 444
  Exam Questions 444
  Answers to Review Questions 446
  Answers to Exam Questions 446

STUDY STRATEGIES

• Examine the intrusion detection facilities of ISA Server. Enable them.
• Configure alerts to respond to intrusion detection attempts and inspect results.
• Research the capabilities of third-party add-in products that can extend these services. Consider when they would be justified.
• Examine the logs of the ISA Server until you can easily read the information contained within them and relate it to activities occurring on the network. This is easier to do in a test environment where you have limited activity.
Chapter 15
MONITORING NETWORK SECURITY AND USAGE
INTRODUCTION

All your efforts to configure ISA Server to provide manageable and efficient Web access while preventing external access to your private network are meaningless if you don’t understand how to monitor the security of your network and determine how it is really being used. Are you really blocking access? What parts are open? What are the potential sources of attack? Is anyone attempting to breach your security? Have they? It’s necessary to understand logging, alerting, and the tools that are available to assist you in evaluating your security setup. There are two broad areas to cover:
• Monitoring Security and Network Usage with Logging and Alerting
• Troubleshooting Problems with Security and Network Usage
Monitoring Security and Network Usage with Logging and Alerting

Monitor security and network usage by using logging and alerting.
ISA logs and alerts can be used to monitor security and network usage. To do so, you need to understand the information in them. Configuring intrusion detection is easy; being sure you understand what you have done and how to use it is not. In order to understand the logs and how to use the intrusion detection facilities, you need to learn about:
• Configuring logs
• Configuring intrusion detection
• Configuring alerts
• Automating alert configuration
• Monitoring alert status
Part V
MONITORING, ANALYZING, AND OPTIMIZING ISA SERVER
Configuring Logs

By default, ISA Server logs information to three files in the ISALogs folder under the ISA Server installation folder:
• IPPEXTDyyyymmdd.log. Information on blocked (by default) and allowed (if configured) packets. To enable the logging of “allowed” packets, check the Log Packets from Allow Filters check box on the IP Packet Filters property page (see Figure 15.1).
• FWSEXTDyyyymmdd.log. Information on packets handled by the firewall service.
• WEBEXTDyyyymmdd.log. Information handled by the Web proxy service.

Each log is configured in a similar manner.

FIGURE 15.1 Allowing allowed packets to be logged.
Understanding Log Choices

There are four configurable areas of the logs:
• Log storage format. Log information, by default, is placed in a W3C extended log format file but can be changed to ISA Server format or logged to an ODBC database (SQL Server or Access). See the section, “Logging to an ODBC Database,” later in this chapter.
• Enabling or disabling the log. A check box on the Log tab of the log properties page controls whether data is logged (see Figure 15.2).
• Log options. You can decide to create a new log daily, weekly, monthly, or yearly. You decide how many log files to keep. Log files can be moved to the folder of your choice and can be compressed.
• Log fields. Each log allows selection of a variety of fields (see Figure 15.3).

FIGURE 15.2 Log options.
TABLE 15.1 LOG FORMAT DIFFERENCES

                          W3C Extended                        ISA Format
Contains                  Data and info about data            Just data
Are all fields logged?    Unselected fields are not logged    Unselected fields are logged as dashes
Delimiter                 Tab                                 Comma
Date and time format      GMT                                 Local time

NOTE: W3C Versus ISA Format. There are a number of differences in these two formats that you should take note of in making your choice. Table 15.1 compares them. Take special note that W3C format date and time is GMT; otherwise you will be rather unclear as to what is happening in the log.
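The following Python script is an added example, not code from the book or from ISA Server: it parses a few constructed lines in each of the two formats Table 15.1 compares and normalizes their timestamps to UTC. It shows the practical difference between the formats: the W3C file names its own columns in a #Fields directive and records GMT, while the ISA-format file has no header and records local time, so the caller must supply the field order and the server's UTC offset. The field names and sample records are constructed for illustration; the fields a real ISA Server writes depend on what is selected on the log's property page.

```python
"""Parse ISA Server 2000 log lines in the two file formats of Table 15.1.

Added example, not the book's or ISA Server's own code. The field names and
sample records below are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

# Constructed W3C extended excerpt: '#' lines are directives, '#Fields:' names
# the columns, records are tab-delimited, unselected fields are absent, and
# date/time are GMT.
W3C_SAMPLE = """#Software: Microsoft(R) Internet Security and Acceleration Server 2000
#Version: 1.0
#Date: 2002-03-04 00:00:00
#Fields: c-ip cs-username date time r-host r-port cs-protocol sc-status
192.168.6.12\tanonymous\t2002-03-04\t08:15:02\twww.example.com\t80\thttp\t200
192.168.6.20\tDOMAIN\\bill\t2002-03-04\t08:15:09\tmail.example.com\t25\tsmtp\t12209
"""

# Constructed ISA-format excerpt for the same events: no header, comma
# delimited, every field position present (unselected ones written as '-'),
# and date/time in the server's local time (UTC-5 in this sample).
ISA_FIELDS = ["c-ip", "cs-username", "date", "time", "r-host", "r-port",
              "cs-protocol", "sc-status"]
ISA_SAMPLE = """192.168.6.12,anonymous,2002-03-04,03:15:02,www.example.com,80,http,200
192.168.6.20,-,2002-03-04,03:15:09,mail.example.com,25,-,12209
"""


def _to_record(fields, values, tz):
    """Pair names with values, drop '-' placeholders, and fold the separate
    date and time columns into one timezone-aware UTC timestamp."""
    rec = {f: v for f, v in zip(fields, values) if v != "-"}
    if "date" in rec and "time" in rec:
        local = datetime.strptime(rec.pop("date") + " " + rec.pop("time"),
                                  "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
        rec["timestamp"] = local.astimezone(timezone.utc)
    if "r-port" in rec:
        rec["r-port"] = int(rec["r-port"])
    return rec


def parse_w3c(text):
    """W3C extended format: column names come from the file's own '#Fields:'
    directive and timestamps are GMT (Table 15.1)."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("record before #Fields directive")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("field count mismatch: %r" % line)
        records.append(_to_record(fields, values, timezone.utc))
    return records


def parse_isa(text, fields, local_utc_offset_hours):
    """ISA format: the file carries no field names, so the caller supplies the
    field order ISA Server writes, plus the server's UTC offset because the
    timestamps are local time."""
    tz = timezone(timedelta(hours=local_utc_offset_hours))
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        values = line.split(",")
        if len(values) != len(fields):
            raise ValueError("field count mismatch: %r" % line)
        records.append(_to_record(fields, values, tz))
    return records


def same_events(w3c_text, isa_text, fields, local_utc_offset_hours):
    """True when both logs describe the same events once times are in UTC;
    comparing a GMT log with a local-time log without converting is the
    pitfall Table 15.1 warns about."""
    a = [(r["timestamp"], r["c-ip"], r["r-host"]) for r in parse_w3c(w3c_text)]
    b = [(r["timestamp"], r["c-ip"], r["r-host"])
         for r in parse_isa(isa_text, fields, local_utc_offset_hours)]
    return a == b


if __name__ == "__main__":
    for rec in parse_w3c(W3C_SAMPLE):
        print(rec["timestamp"].isoformat(), rec["c-ip"], rec["r-host"], rec["r-port"])
    print("logs describe the same events:",
          same_events(W3C_SAMPLE, ISA_SAMPLE, ISA_FIELDS, -5))
```

With the correct offset (-5) the two samples compare equal; pass 0 instead and they do not, which is exactly the confusion that mixing GMT and local-time logs produces.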
Logging to an ODBC Database

Logging data to an ODBC database allows you to have more control over where data is logged. You also can record all data from various ISA Servers in one database, at one location. However, you will have to create your own database, including tables and other objects, and be prepared to create your own reports for interpreting the data. ISA Server provides support by making ODBC database logging a matter of a simple configuration change and by providing sample SQL scripts for creating the necessary tables. To complete the process, you must do the following:

• Create the database and tables to hold the data.
• Create the ODBC Data Source Name (DSN). This allows ISA Server to transfer data to the database.
• Configure the ISA Server logs to log to the ODBC database.

FIGURE 15.3 Selecting log fields to record.

TIP: Instructions follow for logging the packet filter log to an Access database. Repeat these instructions to move logging of other data to tables in your Microsoft Access database. However, I recommend this in a test environment only. Using a Microsoft SQL Server database on a separate machine is a better enterprise solution. Security can be tighter and your options are more flexible. In either case, you will have to develop your own queries, reports, and so on.

EXAM TIP: SMS 1.0 Based Questions. The location of the SMS.INI file was the root of the C:\ drive in SMS version 1.0, which has been changed in version 1.2.
Creating the Database and Tables

Files (fwsrv.sql, pf.sql, w3proxy.sql) with sample SQL code for creating the tables are located in the ISA folder of the ISA Server CD-ROM. To create the tables, you can paste the statement text into the query window of Microsoft SQL Server or Microsoft Access and run the query. Instructions for creating a single table in Microsoft Access are listed in Step by Step 15.1.
STEP BY STEP 15.1 Creating a Microsoft Access Packet Filter Log Table

1. Open the pf.sql file in Notepad, select the Create Table statement, and copy it to the Clipboard (Ctrl + C).
2. Close Notepad.
3. Open Microsoft Access and create a new Microsoft Access database.
4. In the Objects column, select Query.
5. On the toolbar, click New.
6. Select Design View and click OK.
7. In the Show Table dialog box, click Close.
8. Right-click the Query window and select SQL Specific, then Data Definition.
9. Paste (Ctrl + V) the Create Table statement.
10. From the menu bar, select Query\Run to run the query and create the table.
11. Close the Query window.
12. From the Object list, select Table, and open the table to see if it was created correctly.
13. Save the database and close Microsoft Access.
Creating the Data Source Name

Next you must create the Data Source Name to be used by ISA Server to access the database. This is done in the ODBC Data Source Administrator and listed in Step by Step 15.2.
STEP BY STEP 15.2 Creating the Data Source Name

1. Open the Start, Programs, Administrative Tools, ODBC Data Sources (ODBC) program.
2. Click the System DSN tab.
3. Click the Add button.
4. Select the Microsoft Access Driver (*.mdb) and click Finish.
5. On the ODBC Microsoft Access Setup page, enter the Data Source Name (see Figure 15.4).
6. Enter a description.
7. Click the Select Database button, browse to the database, and click OK.
8. Click OK twice to complete the task and exit the program.
Configuring ISA Server to Log to the Database

Finally, you must point ISA Server to the DSN by using the Properties page of the log file in the ISA Server Management Console. See Step by Step 15.3.
FIGURE 15.4 Completing the DSN.
STEP BY STEP 15.3 Configuring the ODBC Log Option

1. Click Internet Security and Acceleration Server\Servers and Arrays\name\Monitoring Configuration\Logs.
2. Double-click the Packet Filters log icon in the details pane to expose its property pages.
3. Click the Database button under Log Storage Format.
4. Enter the name of the ODBC data source.
5. Enter the table name.
6. Click the Set Account button, select the account to be used, enter the password, and click OK.
7. Click OK.
To confirm a successful change to the logging status, open the database in Access and browse the table (see Figure 15.5). Check event logs for information to troubleshoot failed attempts.
FIGURE 15.5 Results in Access.
Configuring Intrusion Detection

Configure intrusion detection.
Intrusion detection capabilities are configured in two places:
• Intrusion detection of common attacks is enabled in the properties of IP Packet Filters.
• Additional intrusion detection filters for specific protocols are found in the Extensions\Application Filters folder.
Detection of Common Attacks

ISA Server comes with intrusion detection alerts for several common attacks. This functionality is based on technology licensed from Internet Security Systems, Inc. (http://www.iss.net/cgi-bin/dbtdisplay.exe/db_data/press_rel/release/070300266.plt). To effectively utilize the intrusion detection capabilities of ISA Server, you must be able to configure it, as well as understand the meaning of the alerts it generates and what to do about them. This section gives you specifics about configuring intrusion detection (see Step by Step 15.4). You must use the following sections on alerts to understand the results generated. Table 15.2 describes the attacks and lists the alerts and events each attack may generate. Information on these alerts and the steps to creating new alerts can be found in later sections.
TABLE 15.2 INTRUSION DETECTION

Attack: WinNuke
Description: Windows out-of-band attack: A denial-of-service attack attempt against an internal computer that includes unexpected information, or lacks expected information.
Associated Built-In Alerts/Event Messages: Intrusion detected alert; event message 15001; 15101

Attack: Land
Description: A TCP SYN packet sent with a spoofed source IP address and port number matching the destination IP address and port.
Associated Built-In Alerts/Event Messages: Intrusion detected; IP spoofing; event message 15003; 15103

Attack: Ping of death
Description: A large amount of information is appended to an Internet Control Message Protocol (ICMP) echo request (ping) packet.
Associated Built-In Alerts/Event Messages: Intrusion detected; event message 15007; 151007

Attack: IP half scan
Description: Many attempts at connection to a computer are made, but no corresponding ACK packets are communicated.
Associated Built-In Alerts/Event Messages: Intrusion detected alert; event message 15002; 15102

Attack: UDP bomb
Description: UDP packets constructed with illegal values in some fields are being sent.
Associated Built-In Alerts/Event Messages: Intrusion detected; event message 15006; 15106

Attack: Port scan
Description: An attempt to access more than the configured number of ports (settable threshold: detect after attacks on x well-known ports, and detect after attacks on x ports).
Associated Built-In Alerts/Event Messages: Intrusion detected alert; event message 15004 and 15104 (enumerated); event message 15005 and 15105 (generic)
STEP BY STEP 15.4 Configuring Intrusion Detection

1. Right-click the Internet Security and Acceleration Server\Servers and Arrays\name\Access Policy\IP Packet Filters folder, and select Properties.
2. Check the Enable Packet Filtering and Enable Intrusion Detection check boxes (see Figure 15.6).
3. Change to the Intrusion Detection tab and select the check boxes for the attacks that you want to generate events. Table 15.2 lists and describes the attacks (see Figure 15.7).
4. If you select the Port Scan check box, you must also decide and fill in your choices for the number of attacks that will generate an event. (Two choices exist: one for “well-known ports” and one for “ports.”)
5. Click OK.
6. Visit the Monitoring Configuration\Alerts folder to create new alerts and assure that alerts for these attacks are configured and enabled.
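To make the signatures in Table 15.2 concrete, here is an added Python example (not ISA Server's licensed detection engine, and not code from the book) that applies each signature to a constructed packet summary: a Land packet, a WinNuke out-of-band packet to port 139, an oversized echo request, a UDP datagram with an illegal length field, and a burst of SYNs to well-known ports that are never acknowledged. The two port-scan thresholds are parameters, mirroring step 4 above; the half-scan threshold, the packet-summary fields and the addresses are this example's own assumptions.

```python
"""Detection logic for the attack signatures in Table 15.2, run over a
constructed packet summary. Added example; not ISA Server's own engine."""
from collections import defaultdict

MAX_IP_LENGTH = 65535      # largest legal IP datagram; a ping of death exceeds it
WELL_KNOWN_MAX = 1023      # well-known ports are 0-1023

# Constructed packet summaries (not a real capture). Fields: proto, src, dst,
# sport/dport (TCP/UDP), flags (TCP), length (reassembled IP length),
# udp_len (UDP header length field), icmp_type (ICMP).
PACKETS = [
    # Land: SYN whose source address and port equal its destination
    dict(proto="tcp", src="10.0.0.5", sport=80, dst="10.0.0.5", dport=80,
         flags={"SYN"}, length=40),
    # WinNuke: urgent (out-of-band) data to the NetBIOS session port
    dict(proto="tcp", src="203.0.113.9", sport=4000, dst="10.0.0.5", dport=139,
         flags={"URG", "PSH", "ACK"}, length=60),
    # Ping of death: echo request whose reassembled size exceeds the IP maximum
    dict(proto="icmp", src="203.0.113.9", dst="10.0.0.5", icmp_type=8, length=65540),
    # UDP bomb: UDP length field inconsistent with the datagram carrying it
    dict(proto="udp", src="203.0.113.9", sport=53, dst="10.0.0.5", dport=53,
         length=60, udp_len=500),
]
# Port scan / IP half scan: SYNs to many well-known ports, never completed
PACKETS += [dict(proto="tcp", src="198.51.100.7", sport=40000 + p, dst="10.0.0.5",
                 dport=p, flags={"SYN"}, length=40)
            for p in (21, 22, 23, 25, 80, 110, 139, 443)]


def detect(packets, well_known_threshold=5, port_threshold=10, half_scan_threshold=5):
    """Return (attack, source address) pairs in detection order."""
    found = []
    ports_tried = defaultdict(set)   # src -> destination ports touched
    syn_no_ack = defaultdict(set)    # (src, dst) -> ports with SYN but no ACK
    for p in packets:
        if p["proto"] == "tcp":
            flags = p["flags"]
            syn_only = "SYN" in flags and "ACK" not in flags
            if syn_only and p["src"] == p["dst"] and p["sport"] == p["dport"]:
                found.append(("land", p["src"]))
            if "URG" in flags and p["dport"] == 139:
                found.append(("winnuke", p["src"]))
            ports_tried[p["src"]].add(p["dport"])
            if syn_only:
                syn_no_ack[(p["src"], p["dst"])].add(p["dport"])
            elif "ACK" in flags:
                syn_no_ack[(p["src"], p["dst"])].discard(p["dport"])
        elif p["proto"] == "icmp":
            if p["icmp_type"] == 8 and p["length"] > MAX_IP_LENGTH:
                found.append(("ping_of_death", p["src"]))
        elif p["proto"] == "udp":
            # a legal UDP length is at least the 8-byte header and no more
            # than the IP payload (IP length minus the 20-byte IP header)
            if p["udp_len"] < 8 or p["udp_len"] > p["length"] - 20:
                found.append(("udp_bomb", p["src"]))
    # the threshold-based signatures are evaluated once all packets are seen
    for src, ports in ports_tried.items():
        well_known = [x for x in ports if x <= WELL_KNOWN_MAX]
        if len(well_known) >= well_known_threshold:
            found.append(("port_scan_well_known", src))
        elif len(ports) >= port_threshold:
            found.append(("port_scan", src))
    for (src, _dst), ports in syn_no_ack.items():
        if len(ports) >= half_scan_threshold:
            found.append(("ip_half_scan", src))
    return found


if __name__ == "__main__":
    for attack, src in detect(PACKETS):
        print(f"{attack:22s} from {src}")
```

Raising the port-scan thresholds above the eight ports probed makes the port-scan alert disappear while the half-scan alert remains, which is the trade-off step 4 asks you to make when choosing the numbers.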
FIGURE 15.6 Enabling intrusion detection.

FIGURE 15.7 Selecting attack signatures.

Application Filters

In addition to these intrusion detection filters, which are triggered by an inspection of packets, two application filters perform intrusion detection chores for the DNS and POP protocols. These filters are enabled/disabled in the Extensions\Application Filters folder.

The DNS intrusion detection filter looks for common DNS-related attacks. Its configuration is detailed in Step by Step 15.5. When this filter is enabled, the “DNS intrusion alert” is triggered in response to activity that meets your configuration choices.

STEP BY STEP 15.5 Configuring the DNS Intrusion Detection Application Filter

1. Click Internet Security and Acceleration Server\Servers and Arrays\name\Extensions\Application Filters.
2. Double-click the DNS intrusion detection filter to display the properties page.
3. On the General page, click the Enable box to enable the filter.
4. Select the Attacks page and select the check boxes for the attacks you want the filter to detect. Table 15.3 lists and describes the attacks (see Figure 15.8).
5. Click OK.

FIGURE 15.8 Configuring the DNS intrusion detection filter.

NOTE: Well-Known Ports. Because ports name the ends of logical connections, it makes sense to control the numbers assigned to many well-known computer services. The Internet Assigned Numbers Authority (www.iana.org) assigns these ports. The latest RFC that references the assignments is RFC 1700 (http://www.isi.edu/in-notes/rfc1700.txt), which also describes the list of ports used by the server process as well-known ports. The term has come to mean the ports commonly restricted to assignment by IANA: ports 0–1023. Some also include port 1024, which is defined in RFC 1700 as a “registered” port number reserved by IANA but also listed in the “well-known ports” list. A more up-to-date reference on port assignments and other IANA-assigned numbers can be found at http://www.iana.org/numbers.htm.
TABLE 15.3 DNS INTRUSION DETECTION FILTER ATTACK FOOTPRINTS

Attack: DNS hostname overflow
Description: A DNS hostname in a response is too large and might overflow internal buffers, thus potentially allowing an attacker to execute arbitrary code on the target computer.

Attack: DNS length overflow
Description: The length of a DNS response for IP addresses is set for a length of four bytes. If an application doing the lookup returns a DNS response with a larger value, internal buffers may overflow.

Attack: DNS zone transfer from privileged ports (1–1024)
Description: DNS zone transfers from unauthorized sources can provide an attacker with information about your internal network. The DNS server should be configured to only allow transfer requests from approved servers. This filter can detect attempts to obtain zone transfers from internal systems. Ports 1–1024, the privileged or well-known ports, are used by services, so the request is more likely to be coming from another server (and possibly be valid).

Attack: DNS zone transfer from privileged ports (above 1024)
Description: See the previous entry. Requests from ports above 1024 are likely to be coming from client systems. You may want to be able to tell if the transfer was attempted from a client or a server, thus the separation into two. There is no need to allow zone transfers to a client system. You may need to permit zone transfers through the firewall and yet want to prevent unauthorized attempts. In either case, you need to secure DNS and not allow zone transfers except to authorized systems.
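The three footprint classes in Table 15.3 can be checked with a few lines of message parsing. The following Python script is an added example, not the ISA filter's own code and not from the book: it builds four constructed DNS messages and inspects each for an oversized hostname in an answer, an A record whose RDATA is not four bytes, and a zone transfer (AXFR) request classified by the source port boundary the table uses. The limits are this example's assumptions taken from RFC 1035 (63 bytes per label, 255 per name, QTYPE 252 for AXFR); the names and addresses are constructed.

```python
"""Checks for the footprints in Table 15.3, implemented as a small DNS
message parser over constructed messages. Added example, not the ISA
filter's own code."""
import struct

QTYPE_A, QTYPE_AXFR = 1, 252
MAX_LABEL, MAX_NAME = 63, 255      # RFC 1035 maxima (assumed limits here)


def encode_name(name):
    """Wire-encode a dotted name. Deliberately does not enforce the 63-byte
    label limit, so that an oversized test message can be built."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(msg, off):
    """Decode the name at msg[off:], following compression pointers.
    Returns (labels, offset of the byte after the name)."""
    labels, jumped, end = [], False, off
    for _ in range(128):                       # bound: stops pointer loops
        n = msg[off]
        if n == 0:
            return labels, (end if jumped else off + 1)
        if n & 0xC0 == 0xC0:                   # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        labels.append(msg[off + 1:off + 1 + n].decode("latin-1"))
        off += 1 + n
    raise ValueError("compression pointer loop")


def build_message(qname, qtype, answers=()):
    """Construct a message with one question and (name, type, rdata) answers."""
    flags = 0x8180 if answers else 0x0100      # response vs. query
    hdr = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, 0)
    body = encode_name(qname) + struct.pack("!HH", qtype, 1)
    for name, rtype, rdata in answers:
        body += encode_name(name) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return hdr + body


def inspect(msg, src_port):
    """Return the Table 15.3 footprints found in one message sent from src_port."""
    hits = []
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        _labels, off = read_name(msg, off)
        qtype = struct.unpack("!H", msg[off:off + 2])[0]
        off += 4                               # QTYPE + QCLASS
        if qtype == QTYPE_AXFR:
            hits.append("zone transfer from privileged port" if src_port <= 1024
                        else "zone transfer from port above 1024")
    for _ in range(ancount):
        labels, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if any(len(l) > MAX_LABEL for l in labels) or len(".".join(labels)) > MAX_NAME:
            hits.append("hostname overflow")
        if rtype == QTYPE_A and rdlen != 4:
            hits.append("length overflow")
    return hits


# Constructed test messages, not captured traffic.
NORMAL = build_message("www.example.com", QTYPE_A,
                       [("www.example.com", QTYPE_A, bytes([192, 0, 2, 10]))])
HOST_OVERFLOW = build_message("www.example.com", QTYPE_A,
                              [("a" * 100 + ".example.com", QTYPE_A, bytes([192, 0, 2, 10]))])
LEN_OVERFLOW = build_message("www.example.com", QTYPE_A,
                             [("www.example.com", QTYPE_A, b"\x01" * 16)])
AXFR_REQUEST = build_message("example.com", QTYPE_AXFR)

if __name__ == "__main__":
    for name, m in (("normal", NORMAL), ("host overflow", HOST_OVERFLOW),
                    ("length overflow", LEN_OVERFLOW)):
        print(name, inspect(m, 53))
    print("axfr from port 53:", inspect(AXFR_REQUEST, 53))
    print("axfr from port 40000:", inspect(AXFR_REQUEST, 40000))
```

The same AXFR request is reported differently depending only on its source port, which is the distinction between the last two rows of the table.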
The POP intrusion filter looks for common POP buffer overflow attacks. It requires no configuration but can be enabled or disabled. The “POP Intrusion Alert” is triggered in response to activity that meets its definition.
Configuring Alerts

Configure an alert to send an email message to an administrator.
Alerts are simply ISA Server’s way of notifying you that some event has occurred. Although there are many default alerts, you can also create alerts to respond to specific events and conditions. Default and custom alerts can be configured to respond only to a defined threshold, such as

• Event frequency threshold. How many times per second an event occurs before an alert is issued.
• Total number of events. How many events occur before an alert is issued.
• Reissue. How long to wait before reissuing an alert.

Alerts can also be configured to respond with a specific alert action:

• Send email
• Take action (run a program)
• Log event in Windows 2000 event log (default)
• Start or stop ISA Server service

If an application is executed and a user account is required, you should specify the name of a user account to be used. Be sure this user account has the Log on as a Batch Account privilege. This is configured in Security policies. To modify alerts, double-click the alert and change the Property pages. To configure a new alert, follow Step by Step 15.6.

NOTE: Array Caveat. If your alert specifies the running of a program, you must locate the program at the same absolute path or logical path on each server. For logical paths, use environment variables (such as %SystemDrive%) in the path.
STEP BY STEP 15.6 Creating a New Alert

1. Right-click Internet Security and Acceleration Server\Servers and Arrays\name\Monitoring Configuration\Alerts and select New Alert.
2. Enter the name for the alert, and click Next.
3. If in an ISA Server array, select either Any Server to configure for all servers in the array, or This Server to specify which server will trigger the alert. Click Next.
4. Select an event from the Event drop-down box. If the event has additional conditions, the Additional Condition drop-down box will be active and you can select an additional condition (see Figure 15.9). Click Next.
5. Choose an action that will be performed when the alert is triggered. This step-by-step details the Send an E-mail Message action. Other actions are displayed in Figure 15.10 and offer areas to enter the path and user credentials (for running a program), or check boxes for services to stop or start. The Report the Event to a Windows 2000 Event Log action supplies no additional configuration pages. Click Next.
6. On the Sending E-Mail Messages page, browse to or enter the FQDN of the SMTP server and enter From, To, and Cc addresses (see Figure 15.11). Click Next.
7. Click Finish.
8. Double-click the alert in the Alert Details pane to open property pages.
9. On the Events page, enter conditions and instructions about recurring actions.
10. Click Finish.

FIGURE 15.9 Configure an alert.

FIGURE 15.10 Selecting an action.

FIGURE 15.11 Configuring email.
Automating Alert Configuration

Automate alert configuration.
Alert configuration can be automated in three ways:
• Setting alert recurring actions
• Writing scripts
• Using arrays

Setting alert recurring actions avoids having to manually reset an alert. You can either have alerts reset immediately (once an alert is issued, the alert can immediately respond to another event) or set them to wait some amount of time before being reset. The management functions of ISA Server are COM functions documented in the ISA Server SDK. Selecting and setting multiple alerts to email an administrator, and other scenarios in which many alerts are configured to use the same actions, are good uses of this functionality. In an enterprise, group ISA Servers into arrays and set the alerts one time for the entire array. This is the default action. However, alerts can be directed to respond only to events at a single server.
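The threshold and reissue behaviour described under Configuring Alerts and in the recurring-actions paragraph above can be seen end to end in a small simulation. This Python class is an added example, not the ISA Server alert service and not code from the book: an alert fires on either a frequency threshold (events per second) or a count threshold, then stays quiet until its reissue wait has passed, with a wait of zero meaning "reset immediately". The action is a callback standing in for the Send email action, the event timelines are constructed, and the rule that events arriving during the wait are simply ignored is this example's own assumption.

```python
"""Alert threshold and reissue semantics modelled as a simulation.
Added example, not ISA Server's alert service."""
from collections import deque


class Alert:
    """One alert definition with the three thresholds from the text:
    events_per_second (frequency), total_events (count) and reissue_after
    (seconds to wait before the alert can fire again; 0 = reset immediately)."""

    def __init__(self, name, action, events_per_second=None, total_events=None,
                 reissue_after=0):
        self.name, self.action = name, action
        self.events_per_second = events_per_second
        self.total_events = total_events
        self.reissue_after = reissue_after
        self.window = deque()      # event times within the last second
        self.count = 0             # events since the alert last fired
        self.last_fired = None
        self.fired = []            # (time, reason) for every firing

    def event(self, t):
        """Feed one matching event at time t (seconds). Returns the reason
        the alert fired ('frequency' or 'count'), or None."""
        if self.last_fired is not None and t - self.last_fired < self.reissue_after:
            return None            # not yet reset: the event is ignored (assumption)
        self.count += 1
        self.window.append(t)
        while t - self.window[0] > 1.0:
            self.window.popleft()
        reason = None
        if self.events_per_second is not None and len(self.window) >= self.events_per_second:
            reason = "frequency"
        elif self.total_events is not None and self.count >= self.total_events:
            reason = "count"
        if reason:
            self.last_fired, self.count = t, 0
            self.window.clear()
            self.fired.append((t, reason))
            self.action(self.name, t, reason)
        return reason


def simulate():
    """Drive two constructed alert definitions with scripted event times and
    return (port-scan firings, failed-connection firings, emails 'sent')."""
    sent = []

    def send_mail(name, t, reason):            # stands in for the Send email action
        sent.append((name, t, reason))

    scan = Alert("Port scan", send_mail, events_per_second=3, reissue_after=60)
    fails = Alert("Failed connections", send_mail, total_events=5, reissue_after=0)
    # three events inside one second, one during the 60 s wait, three more later
    for t in (0.0, 0.2, 0.4, 10.0, 61.0, 61.1, 61.2):
        scan.event(t)
    # one failure every five seconds: never three in a second, so only the
    # count threshold applies, and the alert re-arms immediately each time
    for t in range(10):
        fails.event(float(t) * 5)
    return scan.fired, fails.fired, sent


if __name__ == "__main__":
    scan_fired, fails_fired, mails = simulate()
    print("port scan fired at:", scan_fired)
    print("failed connections fired at:", fails_fired)
    print("emails sent:", len(mails))
```

The event at t = 10 is swallowed by the 60-second reissue wait; had the port-scan alert been set to reset immediately, the same burst would have produced a fresh email for each qualifying event, which is the reason the text recommends choosing a recurring-action setting rather than resetting alerts by hand.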
Monitoring Alert Status

Monitor alert status.
Alert status can be monitored by visiting the Internet Security and Acceleration Server\Servers and Arrays\name\Monitoring\Alerts folder. Those alerts that have occurred are listed here. If alerts have been configured to write events to the event log, you will also find useful information there.
TROUBLESHOOTING PROBLEMS WITH SECURITY AND NETWORK USAGE

Troubleshoot problems with security and network usage.
Monitoring alerts and the event viewer and having alerts run programs or notify administrators with email is a big plus for maintaining security, but are there proactive things that you can do? The ultimate, of course, is to be able to test that the security you have worked to put into place is there. With ISA Server, you can proactively monitor three areas:
• Confirming configuration with Security Configuration and Analysis
• Detecting connections with Netstat
• Testing external port status with telnet and Network Monitor
Confirming Configuration with Security Configuration and Analysis

One of the steps you should have taken in setting up ISA Server was configuring security, either by using the provided security templates and the security wizard in ISA Server, and/or by manually configuring security settings. This is not enough, however. You should periodically audit your settings to be sure that things have not been modified. One way to do this is to use the Security Configuration and Analysis console to analyze the current machine status against what it should be. For example, if you selected “Limited Services” as the security level for your ISA Server, that equates to the securews.inf template. By running an analysis against that template, you can determine where security items are not in conformance, and therefore take steps to fix them. To run an analysis, follow Step by Step 15.7.
STEP BY STEP 15.7 Auditing Security Status

1. Open an MMC console (Start, Run, MMC).
2. On the Console menu, select Add/Remove Snap-in.
3. Click Add.
4. Select Security Configuration and Analysis and click Add. Click Close, and click OK.
5. Right-click the Security Configuration and Analysis node and select Open Database.
6. Enter the name of a new database.
7. In the Import Template window, select securews.inf.
8. Click Open.
9. Right-click the Security Configuration and Analysis node and select Analyze Computer Now. Click OK.
10. Click each item in the Scope pane to see the differences noted in the detail column. Red circles and Xs highlight areas where current machine settings do not meet the assigned database security model (see Figure 15.12).
11. Close all windows.
FIGURE 15.12 Finding security discrepancies.
Detecting Connections with Netstat

Detect connections by using Netstat.
Although it is not the best tool for detecting open TCP/IP ports on all systems, the netstat command provides a simple way to use the system console to catalog them. Issuing netstat -na from a command prompt will list all client-to-server connections and listening ports. Other netstat parameters can be used to obtain statistics or to see information on a per-protocol (TCP, UDP, ICMP, IP) basis.

IN THE FIELD

Even a simple tool can lead to interesting results. I was recently asked to audit the setup of an ISA Server. Figure 15.13, which is a snapshot of a portion of a window after running netstat -na on an ISA Server with a published Web server, clearly shows the Web proxy port 8080 open and listening on the internal interface and port 80 open and listening on the external interface. Note that also open and listening on the external interface is the NetBIOS session port TCP 139. This is not a good thing. NetBIOS ports are often used by attackers to obtain information on, and access to, shared Windows systems. This company was aware of that and had disabled “Client for Microsoft Networks” and “File and Printer Sharing for Microsoft Networks” on the external network interface (see Figure 15.14). However, as noted, the external interface is still listening on port 139. My advice to them, and to you, is to also disable this port by disabling NetBIOS over TCP/IP on the external interface. (Be sure you only do this on the external interface!) This can be done on the WINS tab of the Advanced Property pages of TCP/IP properties (see Figure 15.15). Figure 15.16 shows another netstat capture after disabling NetBIOS over TCP/IP on the external interface.
FIGURE 15.13 netstat -na.
Chapter 15
MONITORING NETWORK SECURITY AND USAGE
FIGURE 15.14 Disabling file sharing and client connections.
FIGURE 15.15 Where to disable NetBIOS.
FIGURE 15.16 Netstat after disabling NetBIOS over TCP/IP.
Testing External Port Status with Telnet and Network Monitor Test the status of external ports by using telnet or Network Monitor.
A simple way to test ports on a remote system is by using the telnet command. (It’s also a good way to test your alerts.) When a port number is appended, the telnet command attempts to start a session with the service on that port. If the service is listening, it answers; an attacker who has identified an open port this way can then attempt a service-specific attack on your system. To test a port, type the telnet command followed by a hostname and then the port number. For example: telnet snowflake 139
If the port is closed, you will see a connect-failed message (see Figure 15.17).
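As an added example (not from the book), here is the same check as telnet snowflake 139 written in Python, so that a script can read the outcome and so that a closed port (the host actively refuses the connection) can be told apart from a filtered one (nothing answers before the timeout, which is what you should see once the firewall drops the packet). The host and port are whatever you pass in; self_test() uses a constructed listener on the loopback address instead of a real external interface so that it runs anywhere.

```python
"""Check one TCP port the way `telnet host port` does, but report why it failed.

Added example, not from the book. Run it against your own external interface
from an outside host to confirm that the ports you meant to close really are.
"""
import socket


def probe_port(host, port, timeout=3.0):
    """Return 'open', 'closed' or 'filtered' for host:port.

    'open'     - something completed the TCP handshake (a service is listening)
    'closed'   - the host answered with a refusal (RST); nothing listens there
    'filtered' - no answer before the timeout, typically a firewall dropping the SYN
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError:          # e.g. host unreachable: nothing answered either way
        return "filtered"


def self_test():
    """Constructed demonstration on the loopback interface: probe a port while a
    listener holds it, then again after the listener is closed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = probe_port("127.0.0.1", port, timeout=1.0)
    listener.close()
    after_close = probe_port("127.0.0.1", port, timeout=1.0)
    return while_listening, after_close


if __name__ == "__main__":
    print(self_test())   # expected: ('open', 'closed')
```

Note the difference from the book's telnet screenshot: telnet shows only "connect failed", whereas the refusal and the timeout are different results, and only the timeout tells you that the firewall (rather than the absence of a service) is what protected the port.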
FIGURE 15.17 Telnet results.
Network Monitor is a tool that comes with Windows 2000 Server. It can be used to capture and display the packets sent and received on a network interface. The full Network Monitor product, available with Microsoft Systems Management Server, can capture all packets on the network. However, because we are interested only in the packets received on the local interface(s), the native Windows 2000 Network Monitor is good enough. Running Network Monitor on either interface of the ISA Server lets you view the packets: connections and connection attempts to ports on that interface, source and destination addresses, protocol types, and so on. To install Network Monitor, follow Step by Step 15.8. To do a capture, see Step by Step 15.9.
STEP BY STEP 15.8 Installing Network Monitor
1. Open Start, Settings, Control Panel, Add/Remove Programs.
2. Click Add/Remove Windows Components.
3. Select Management and Monitoring Tools, and click Details.
4. Select Network Monitor and click OK.
5. If prompted, insert the Windows 2000 installation disk or enter a path to the installation files.

NOTE Multihomed? On a multihomed system, you can set up Network Monitor to monitor one or both of the network interfaces.

WARNING Is It Such a Good Idea? Installing a Network Monitor of some type on your network to periodically view packets looking for vulnerabilities, attacks, or to troubleshoot connectivity issues is a good thing. However, there is a dark lining to this silver cloud. By installing this tool on your ISA Server computer, you are also adding a service which, should your system be compromised, an attacker could use to learn about your internal network. The Network Monitor driver, which is installed when you install Network Monitor, can respond to the full-blown Network Monitor product, and thus an attacker might use this useful diagnostic tool as a weapon turned against you.

STEP BY STEP 15.9 Capturing and Viewing Packets
1. Double-click Start, Programs, Administrative Tools, Network Monitor.
2. If prompted for a default network, select the network to monitor; if not, on the Capture menu, click Networks and select a network adapter to monitor.
3. On the Capture menu, select Start.
4. Wait, and then on the Capture menu, click Stop and View.

NOTE Shields Up! A useful utility for doing a quick, but limited, port detection test is available at www.grc.com. You can run the Shields Up program, which attempts to connect to NetBIOS ports and also does a limited port scan. Figures 15.18 and 15.19 display the results from a scan requested by a client on the inside of ISA Server.

FIGURE 15.18 Nope—no connections.
FIGURE 15.19 Shields Up!
CHAPTER SUMMARY
One of the first security lessons to learn is that being proactive is not just setting up a firewall and then calling your network secured. Setting up a firewall is only step one. Next, you must test the firewall’s defenses to see that it is really doing what you believe you have configured it to do. Remember, a firewall only fully defends your network from external attack if you unplug its external interface from the network. As long as it allows some access in or out, you are vulnerable to two types of successful attack: first, a configuration flaw that allows an attack you thought you were blocking and preventing; second, a new attack or vulnerability that is discovered after you configured the firewall. The only recourse is to remain vigilant, test the configuration, set up intrusion detection, and review logs.
KEY TERMS
• ODBC Data Source Name (DSN)
• Internet Assigned Numbers Authority (IANA)
• Well-known ports
• Security Configuration and Analysis
APPLY YOUR KNOWLEDGE

Exercises
15.1 In all the excitement of setting up ISA Server, it’s easy to forget why it is being done. Ultimately, you will want to know if your hard work is helping to protect your network. To do so, you must configure intrusion detection and alerting, and test your ISA Server configuration.
Estimated Time: 30 minutes
1. Configure intrusion detection and alerting.
2. Use two techniques to test security on your external interface and generate some alerts.
3. Use two techniques to examine security configuration on your system.
Review Questions
1. Why are intrusion detection filters listed in two different places?
2. If you don’t configure alerts to be emailed to a specific account, where can the information be found?
3. Why are there two DNS Zone transfer attack signatures configured in the DNS intrusion detection application filter?
4. The same alert is configured for most of the intrusion detection filters. How could you configure ISA so that each type of alert sends a different message to the event viewer?

Exam Questions
1. To log ISA Server files to an ODBC database, do the following:
A. Create the DSN, create the database, create the tables, configure the log to point to the ODBC database.
B. Create the database, create the tables, create the DSN, configure the log to point to the ODBC database.
C. Create the database, create the tables, configure the log to point to the ODBC database, create the DSN.
D. Create the DSN, create the database, create the tables, configure the log to point to the ODBC database.
2. The following tool(s) can be used to determine what ports are open on your external ISA Server interface:
A. Netstat
B. Security Configuration and Analysis
C. Telnet
D. NetBEUI
3. The following tool(s) can be used to inspect packets and display the information within them. You can use it (them) to look at packets that are received on the external interface of the ISA Server.
A. Netstat
B. Telnet
C. Network Monitor
D. Security Configuration and Analysis
4. John’s network is constantly being scanned and probed. He wants to automate response to these common pre-attack syndromes.
Required Result: John wants to configure an alert that will run a program to report a hacker to [email protected]. The program should gather information about the attack and then email it.
Optional Desired Results:
The program should log to the event viewer the fact that it sent the email.
The program should run on all servers in the array.
Proposed Solution: John writes his program and tests it. It can abstract information about an attack and generate an email. He configures an alert to run his program when an intrusion is detected. He specifies an account to be used by the program when it must run. This is an ordinary account with no special privileges. He has logged on as this account and run his program from a command prompt.
Evaluation of Proposed Solution: Which result(s) does the proposed solution produce?
A. The proposed solution produces the required result but neither of the optional results.
B. The proposed solution produces the required result and one of the optional results.
C. The proposed solution produces the required result and both of the optional results.
D. The proposed solution does not produce the required result.

5. John’s network is constantly being scanned and probed. He wants to automate response to these common pre-attack syndromes.
Required Result: John wants to configure an alert that will run a program to report a hacker to [email protected]. The program should gather information about the attack and then email it.
Optional Desired Results:
The program should log to the event viewer the fact that it sent the email.
The program should indicate in the email if this is a repeat offense.
Proposed Solution: John writes his program and tests it. It can abstract information about an attack and generate an email. He configures an alert to run his program when an intrusion is detected. He specifies an account to be used by the program when it must run. This is an ordinary account with no special privileges. He has logged on as this account and run his program from a command prompt. He then gives this account the “run program as a batch job” privilege.
Evaluation of Proposed Solution: Which result(s) does the proposed solution produce?
A. The proposed solution produces the required result but neither of the optional results.
B. The proposed solution produces the required result and one of the optional results.
C. The proposed solution produces the required result and both of the optional results.
D. The proposed solution does not produce the required result.

6. John’s network is constantly being scanned and probed. He wants to automate response to these common pre-attack syndromes.
Required Result: John wants to configure an alert that will run a program to report a hacker to [email protected]. The program should gather information about the attack and then email it.
Optional Desired Results:
The program should log to the event viewer the fact that it sent the email.
The program should indicate in the email if this is a repeat offense.
Proposed Solution: John writes his program and tests it. It can abstract information about an attack and generate an email. He configures an alert to run his program when an intrusion is detected. He specifies an account to be used by the program when it must run. This is an ordinary account with no special privileges. He has logged on as this account and run his program from a command prompt. He then gives this account the “run program as a batch job” privilege. He places a copy of the program on every ISA Server in the array in the same path.
Evaluation of Proposed Solution: Which result(s) does the proposed solution produce?
A. The proposed solution produces the required result but neither of the optional results.
B. The proposed solution produces the required result and one of the optional results.
C. The proposed solution produces the required result and both of the optional results.
D. The proposed solution does not produce the required result.

Answers to Review Questions
1. One group of intrusion detection filters works at the protocol layer, the other at the application layer. See the section, “Application Filters.”
2. Alerts, by default, record warnings in the Event logs. See the section, “Configuring Alerts.”
3. One detects zone transfers from well-known ports; such a request is likely to be from a server, so the possibility exists that it is legitimate. The other detects requests from ports above that range, requests that are likely to be from clients who have no legitimate reason to make a zone transfer request. See the section, “Application Filters.”
4. Write a custom alert. See the section, “Configuring Alerts.”

Answers to Exam Questions
1. B. You must create the database first. A is incorrect; you cannot create a DSN without a database to point to. C is incorrect; you cannot configure the log to point at the database without the DSN. D is incorrect; you cannot create the DSN without the database. See the section, “Logging to an ODBC Database.”
2. A, C. B is incorrect; the Security Configuration and Analysis tool can detect variances in security configuration from a given baseline, but does not detect open ports. D is incorrect; NetBEUI is a transport protocol. See the section, “Testing External Port Status with Telnet and Network Monitor.”
3. C. Network Monitor is correct. A, B, and D are incorrect; they do not allow you to see information inside the packets. See the section, “Testing External Port Status with Telnet and Network Monitor.”
4. D. The program will not work. The user account used to run the program must have the “run program as a batch job” right. See the section, “Configuring Alerts.”
5. D. Now the program will run—if it just happens to run on the one server that John has placed the program code on. See the section, “Configuring Alerts.”
6. B. By adding the program to every server in the array, the program can now run every time. See the section, “Configuring Alerts.”
Suggested Readings and Resources
1. Network Intrusion Detection. Stephen Northcutt, September 2000. New Riders Publishing; ISBN: 0735710082.
2. www.iana.org: Internet Assigned Numbers Authority.
3. www.grc.com: The Shields Up program.
OBJECTIVES
This chapter covers the following Microsoft-specified objectives for the Monitoring, Managing, and Analyzing ISA Server section of the Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server 2000 exam:

Analyze the performance of ISA Server by using reports. Report types include summary, Web usage, application usage, traffic and utilization, and security.
• What reports does ISA Server generate? What do they show? How can they be used to determine whether ISA Server is performing its job efficiently and effectively? When we talk about analyzing the performance of a server we often think of speed as the only criterion. Although this is important, there are other concerns as well.

Optimize the performance of the ISA Server computer. Considerations include capacity planning, allocation priorities, and trend analysis.
• Analyze the performance of the ISA Server computer by using Performance Monitor.
• Analyze the performance of the ISA Server computer by using reporting and logging.
• Control the total RAM used by ISA Server for caching.
• In order to utilize reporting information to optimize ISA Server, you need to investigate other sources of performance information, and understand the ways that performance can be improved.

CHAPTER 16
Performance Analysis and Optimization

OUTLINE
Introduction 451
Analyzing ISA Server Performance Using Reports 451
  Summary Reports 455
  Web Usage 455
  Application Usage 456
  Traffic and Utilization 457
  Security 458
Optimizing Performance 459
  Using the Registry to Optimize Performance 459
  Analyzing Performance Using Performance Monitor 460
    Configuring Performance Monitoring 461
    Optimizing ISA Server Using Performance Monitor 464
    Understanding Standard Objects and Counters to Monitor for System and Network Health 467
  Analyzing Performance Using Reporting and Logging 468
  Controlling RAM Used by Caching 469
Chapter Summary 470
Apply Your Knowledge 471
  Exercises 471
  Review Questions 471
  Exam Questions 471
  Answers to Review Questions 472
  Answers to Exam Questions 473

STUDY STRATEGIES
• Configure reporting and observe the types of information provided in the reports.
• Examine the Registry keys mentioned. Are they set to some value by default?
• Use ISA Server Performance Monitor to observe normal operations. Generate activity, or observe a production ISA Server to look at peak and off-peak activity.
• Configure ISA Server to automatically log performance data during a peak usage time and examine the logs produced.
Chapter 16
PERFORMANCE ANALYSIS AND OPTIMIZATION
INTRODUCTION
Understanding how a server works and being able to configure it is only half the job of a network administrator. To effectively administer ISA Server, you must understand how to measure its operation and how to tune it to work most effectively for the load it must carry. Your measurements provide the information necessary to proactively grow or configure the system; that is, they allow you to forecast the eventual need to purchase more powerful hardware or to add ISA Servers to the array. To be able to do this, you must spend time learning how to use reports, logs, and Performance Monitor to gather information, and then analyze what it means. This information can then be your guide in optimizing the system. This chapter gets you started by covering these topics:
• Analyze ISA Server Performance Using Reports
• Optimize ISA Server Performance
ANALYZING ISA SERVER PERFORMANCE USING REPORTS Analyze the performance of ISA Server by using reports. Report types include summary, Web usage, application usage, traffic and utilization, and security.
ISA Server uses the information collected in its logs to create several reports. In order to use these reports to analyze performance, you must first configure and schedule report jobs, which generate the report summaries. To configure and schedule reports, use Step by Step 16.1.
NOTE When Are Report Summaries Generated? After reporting is enabled, a report summary is generated every day at 12:30 A.M.
STEP BY STEP 16.1 Creating and Viewing Reports 1. Enable logging. 2. Enable and configure reports in Monitoring Configuration node. (see Step by Step 16.2). 3. View Reports in Monitoring node.
STEP BY STEP 16.2 Enable and Configure Reporting
1. Right-click Internet Security and Acceleration Server\Servers and Arrays\name\Monitoring Configuration\Report Jobs and select New Report Job.
2. On the General page, enter a name and description. Be sure the Enable Reports check box is checked.
3. On the Period page, select when summary reports are generated (Daily, Weekly, Monthly, Yearly, or Custom).
4. If Custom was selected, enter a from date and a to date.
5. On the Schedule page, indicate if a report is desired immediately and what the recurrence rate is: Daily at some time, Weekly on such a day, and so on (see Figure 16.1).
6. On the Credentials tab, enter the name and password of a user who has authority to create reports. If this is an array, this must be someone who has authority to create reports for all ISA Servers in the array.
7. Click OK.

FIGURE 16.1 Daily or monthly summaries.
After reporting is enabled, the data from all the SQL logs is combined into one log database on the ISA Server. This occurs once each day regardless of whether any reports are scheduled. The monthly report summary process combines all daily databases into a single, monthly summary.

To view the reports, open Internet Security and Acceleration Server\Servers and Arrays\name\Monitoring\Reports and open the report type you want to view. In the Details pane, double-click the report. It will be displayed in Internet Explorer.

NOTE Who Can Generate Reports? In order to generate reports you must be in the local Administrators group on the ISA Server. If the ISA Server is in an array, then you must be in the local Administrators group on every ISA Server computer in the array and able to access and launch DCOM objects on every server in the array.
The following reports are predefined on ISA Server:
• Summary reports
• Web usage reports
• Application usage reports
• Traffic and utilization reports
• Security reports

EXAM TIP When Did That Occur? It’s important to note that data in the reports is not compiled in real time. In fact, data in the reports is from at least the day before. Reports and their timeframes are
• Daily—Show previous day’s activity
• Weekly—Show previous week’s activity
• Monthly—Show previous month’s activity
• Yearly—Show previous year’s activity
• Specified period—Custom

It’s important to realize that each report is made up of several subreports in the form of graphs and charts. Table 16.1 lists the charts and graphs available in each report.
TABLE 16.1 REPORTS WITHIN REPORTS

Report: Summary
Subreports:
  Protocols used in descending order
  Traffic by protocol
  Top users
  Traffic by user
  Top Web sites
  Traffic by Web sites
  Cache performance
  Cache usage breakdown
  Traffic
  Traffic by date
  Daily traffic
  Traffic by time of day

Report: Web Usage Report
Subreports:
  Top Web users
  Web traffic by users
  Top Web sites
  Traffic by Web sites
  Protocols
  Web traffic by protocols
  HTTP responses
  HTTP response breakdown
  Object types
  Web traffic by object types
  Top browsers
  Web traffic by browser
  Operating system
  Web traffic by operating system
  Browser vs operating system

Report: Application Usage Report
Subreports:
  Protocols
  Application traffic by protocols
  Top application users
  Application traffic by users
  Top applications
  Traffic by application
  Operating systems
  Web traffic by operating system
  Top destination
  Traffic by destination

Report: Traffic and Utilization
Subreports:
  Protocols
  Traffic by protocols
  Traffic
  Traffic by date
  Cache performance
  Cache usage breakdown
  Connections
  Peak simultaneous connections by date
  Processing time
  Processing time by date
  Daily traffic
  Traffic by time of day
  Errors
  Error breakdown

Report: Security
Subreports:
  Authorization failures
  Authorization failures by user
  Dropped packets
  Dropped packets by users
Summary Reports
Summary reports combine data from the Web proxy service log and the firewall service log. They illustrate network traffic usage and are sorted by application. Many of the items in this report are displayed in more detail in the other reports. This information is valuable to network administrators in determining trends and traffic patterns, as well as the types of applications used to access Web data. Knowing the application use allows decisions to be made on making sure the ISA Server allows the traffic that is necessary, but does not allow unnecessary traffic. Being able to see traffic patterns helps identify peak usage and trends in usage. A portion of a summary report can be found in Figure 16.2.
Web Usage Web usage reports display such items as top Web users, common responses, and browsers in use. In other words, they are pictures of how the Web is being used in the company. The information used comes from the Web Proxy Service logs. Knowing how the Web is being used helps to identify whether there are adequate controls on Web usage as well as who the major users are. When attempting to analyze needs for greater bandwidth, it is useful to know something about the actual usage of the Web. A portion of a Web usage report is displayed in Figure 16.3.
FIGURE 16.2 The summary report.
FIGURE 16.3 The Web usage report.
Application Usage
The application usage report focuses on incoming and outgoing traffic and shows the following:
• Top users
• Amount of incoming and outgoing traffic
• Client applications
• Destinations
Because it focuses on incoming and outgoing traffic, the application usage report can also provide valuable information about the usage of published servers on the internal network. A sample report is in Figure 16.4.
FIGURE 16.4 The application usage report.
Traffic and Utilization
The traffic and utilization report can determine trends in usage. This helps in planning network capacity and determining bandwidth policies. By tracking the cache hit ratio, you can determine potential areas for improvement, either by enlarging the size of the cache, or by scaling out and adding another ISA Server to the array. A sample traffic and utilization report is in Figure 16.5. The Web proxy and firewall service logs are used to provide:
• Usage by application protocol and direction
• Average peaks
• Cache hit ratio
• Errors
• Statistics
FIGURE 16.5 Traffic and utilization report.
Security The security report combines data from all three logs. The information in this report can help you identify attacks or security violations after they have occurred. A sample report is in Figure 16.6.
FIGURE 16.6 The security report.
OPTIMIZING PERFORMANCE Optimize the performance of the ISA Server computer. Considerations include capacity planning, allocation priorities, and trend analysis.
In addition to diagnosing problems, reports, logs, and tools can be used to analyze ISA Server performance and determine what might need to be done to optimize its performance. There are four areas to look at:
• Using the Registry to optimize performance
• Analyzing performance using Performance Monitor
• Analyzing performance using reporting and logging
• Controlling RAM used by caching
Using the Registry to Optimize Performance
ISA Server can be managed by the ISA Server Management Console, by using Administration COM objects, and by Registry entries. The majority of this book focuses on using the Management Console. Using Administration COM objects is a little beyond our scope (you will find them described in the SDK if you are interested). However, there are Registry settings that you should take note of. Obviously, before making any changes to the Registry, you will take the normal precautions and find out more about the implications of making these changes. Registry keys that can affect cache performance (located at HKLM\System\CurrentControlSet\Services\W2cache\Parameters) are described in Table 16.2.
NOTE Cache Off Results In this chapter we are talking about analyzing and optimizing ISA Server in situ—that is, in its native environment, your network. It is interesting to note ISA Server’s performance against other caching products at an independent test (see the Web Polygraph site, http://www.measurement-factory.com/results/public/cacheoff/N03/report.by-alph.html). In the test an ISA Server with a single processor managed 750 requests per second. An ISA Server with four processors managed 2,000 requests/sec. These rates are about 10 times the rate produced by Proxy Server. Two types of measurements were made: “overall throughput” (how many requests users generate) and hit throughput (the rate at which requests are served from cache). ISA Server was the top scorer for both. The difference between the two, or “response time improvement,” is even more important, as it says what the caching server is doing for you. ISA Server response time improvement was 50 percent.
TABLE 16.2 DEFAULT SECURITY GROUP FILE PERMISSIONS

Parameter: TZ Persistent Interval Threshold
Description: Maximum time interval in minutes that recovery data will be inconsistent.
Usage: If set to one minute and the w3proxy service stops unexpectedly, at most one minute will be lost while the cache is recovered.

Parameter: Recovery MRU Size Threshold
Description: Time interval in minutes. What data will be recovered first? How much of it?
Usage: Content cached in the last X minutes prior to failure of the Web proxy service will be recovered first.

Parameter: MaxClientSession
Description: Size of the pool for client session objects.
Usage: An object is freed and its memory returned to system memory if the pool has more than X objects. Set to a high value and objects are freed less frequently (but more memory is used).

Parameter: OutstandAccept
Description: Number of listeners waiting for a connection to be established, versus the number of accepts pending for a connection to be established before rejecting the new connection.
Usage: Set high to minimize the number of rejected connection requests.
Analyzing Performance Using Performance Monitor Analyze the performance of the ISA Server computer by using Performance Monitor.
When ISA Server installs, it makes two consoles available for use in its management: The ISA Server Management console and the ISA Server Performance Monitor. Although the ISA Server Management Console is used to administer the ISA Server, the ISA Server Performance Monitor is used to analyze the functioning of the ISA Server itself. When opened, it displays the Windows 2000 Performance Monitor and System Monitor preconfigured with ISA Server specific objects and counters (see Figure 16.7). It is important to understand what these counters mean; a section later in this chapter introduces you to some of the more common counters. The ISA Server online help can be used to find the meaning of others.
FIGURE 16.7 ISA Server Performance Monitor.

It is important to note that the design of this console is open; that is, you can add counters for measurement, extract data to text files for analysis, and create logs which gather these statistics in the background at scheduled times. To use the charts, graphs, and logs produced by Performance Monitor you should be knowledgeable about:
• Configuring performance monitoring
• Analyzing and optimizing ISA Server using Performance Monitor
• Using traditional server objects in ISA Server analysis

Configuring Performance Monitoring
The first decision to make in performance monitoring is in choosing the monitoring method. Two possibilities exist: graphs and logs. Although graphs are real-time and allow you to observe an event while it’s happening, they are usually only valuable for short periods. Graphs can be used to grab a snapshot of ISA Server health at any time of the day. They are good diagnostic tools that may be used when systems seem to be running slow or experiencing other problems. The ISA Server Performance Monitor opens in graph view, already collecting statistics and displaying them graphically. To analyze performance you might need to add additional counters. To do so, follow Step by Step 16.3.

NOTE Objects and Counters A performance object can be thought of as a logical group of counters that are associated with a resource or service (such as memory or processor). A performance counter, then, is a data item associated with an object. It represents some value which can be interpreted as the relative performance of that object, or some concrete measurement.
STEP BY STEP 16.3 Add Performance Counters
1. Open ISA Server Performance Monitor (Start, Programs, ISA Server Performance Monitor).
2. Right-click the System Monitor node. In the Details pane, click Add Counters.
3. In the Performance Object box, select the object to monitor.
4. To monitor all the counters for this object, click All Counters.
5. Or, to select the counters to monitor, click Select Counters From List and select those you want to monitor.
6. To monitor all instances of the object, click All Instances.
7. Or, to select the instance to monitor, check Select Instances From List, and select the instance you want to monitor.
8. Click Add.
9. Click Close.

NOTE What Is an Instance? As used in Performance Monitor, an instance identifies which object to monitor if there is more than one of the same type. For example, a multiprocessor computer would show several processor instances.
Although graphs give you an immediate visual feel for your system, logs can be saved and keep extensive records for monitoring, analyzing, and researching trends over time. To capture performance data in a log, follow Step by Step 16.4. To view it, follow Step by Step 16.5.
STEP BY STEP 16.4 Logging Performance Data (Creating a Counter Log)
1. Open ISA Server Performance Monitor.
2. Double-click Performance Logs and Alerts, and then click Counter Logs.
3. Right-click a blank area of the Details pane and click New Log Settings.
4. In the Name box, type a name for the log. Click OK.
5. On the General page, click Add.
6. Select the counter(s) to add in the normal manner (see Figure 16.8).
7. Use the Log Files tab to set a path for storing the file.
8. Use the Schedule tab (see Figure 16.9) to schedule the start of logging. Click OK.
9. To manually start logging, right-click the log in the Details pane and click Start.
10. To manually stop logging, click Stop.

FIGURE 16.8 Adding counters.

STEP BY STEP 16.5 Viewing Log Files
1. Click System Monitor.
2. Click the View Log File Data button.
3. Select the log file.
4. Click Open.

FIGURE 16.9 Scheduling logging.
Optimizing ISA Server Using Performance Monitor
Making graphs and logs is all well and good, but the purpose behind doing so is to analyze the performance of the ISA Server system and use that information to optimize it, to decide when to add systems to the array, or to boost hardware. There are two important things to understand: when to monitor, and what to monitor, that is, what the performance counters mean.

How often to monitor depends on the nature of your ISA Server installation. How many users does it support? How busy is Web access? When are peak times? Are you monitoring to answer a specific problem, or to research trends over time?

One of the first uses of ISA Server Performance Monitor is to create a baseline graph of system performance. A baseline reflects the performance of a system when it is first installed, configured, and put under load. Measurements should be taken at off-peak and peak times to arrive at ordinary statistics for current operation.

When you are monitoring, how frequently do you take a measurement? Graphs in Performance Monitor are compiled from statistics gathered at intervals that you set. If you are logging data over a long period, capturing a sample every 15 minutes is reasonable. If you are measuring for several hours, a 300-second (5-minute) interval might be adequate. Either puts little stress on the system and still captures broad trends. If you are monitoring for a specific problem, you are probably gathering information at a specific time and will want frequent updates. Some problems, such as memory leaks, only show up over time; ideally you have been periodically measuring and capturing the data that reveals them.

Deciding which counters to measure, and how to use them, is more difficult. There are many objects and counters. Table 16.3 defines a few of the more interesting counters and how they might be used.
TABLE 16.3
COMMON ISA SERVER PERFORMANCE COUNTERS
Each entry gives the counter and its object, what the counter measures, and how to use it.

Active Sessions (Firewall). Number of sessions for the Firewall service. Usage: compare at peak and off-peak times to get a picture of server usage.

Active TCP Connections (Firewall). Total number of active TCP connections. Usage: compare with other performance indicators to determine the load on the system.

Active UDP Connections (Firewall). Total number of active UDP connections. Usage: as for Active TCP Connections.

Cache Hit Ratio (%) (Web Proxy). Cache fetches as a percentage of total successful requests since the Web Proxy service was last started; a measure of how effective the cache is. Usage: a high value means faster response times; zero means caching is not enabled; a low value may indicate a configuration problem.

Cache Running Hit Ratio (%) (Web Proxy). Requests served from the cache as a percentage of total successful requests, over the last 10,000 requests. Usage: a more accurate evaluation of cache effectiveness than the ratio since startup.

Client Bytes Total/sec (Web Proxy). Client bytes sent/sec plus client bytes received/sec. Usage: the total bytes transferred between the ISA Server computer and Web Proxy clients.

Current Average Milliseconds/request (Web Proxy). Average time to process a request. Usage: lower numbers mean faster responses. Compare at peak and off-peak times; if the number is consistently high, the system is working at maximum capacity, so consider adding a server.

Current Users (Web Proxy). Current Web Proxy clients. Usage: monitor at peak and off-peak times as an indication of server usage.

Disk Cache Allocated Space (KB) (Cache). How much of the disk cache is actually in use. Usage: determine whether you need a larger cache or are not using what you have allocated.

Max URLs Cached (Cache). Maximum number of URLs stored in the cache. Usage: another approach to usage; has implications for prefetching of frequently used pages.

Memory Cache Allocated Space (KB) (Cache). How much space is used by the memory cache. Usage: implications for requiring more memory, or for realizing that memory is being underutilized.

Memory Usage Ratio Percent (%) (Cache). Ratio between fetches from the memory cache and fetches from the disk cache. Usage: because ISA Server favors RAM over disk, if more objects are being served from the disk cache than from memory, perhaps not enough memory is available for ISA Server to use.

Requests/sec (Web Proxy). Number of incoming requests to the Web Proxy service per second. Usage: higher means more resources are required to service requests; use in conjunction with Failing Requests/sec. If failing requests are high in proportion to requests, ISA Server is not coping with the load.

SecureNAT Mappings (Firewall). The number of mappings created by SecureNAT clients. Usage: how much SecureNAT clients are using the service.

URL Commit Rate (URL/sec) (Cache). Speed at which URLs are written to the cache. Usage: compare to the cache counter Disk Failure Rate (Fail/sec). Is the cache too slow or too small?

Disk URL Retrieval Rate (URL/sec) (Cache). How many URLs per second are sent to clients from the disk cache. Usage: measure at peak and off-peak times and compare with Memory URL Retrieval Rate to see how the disk cache and the memory cache are being utilized.
Understanding Standard Objects and Counters to Monitor for System and Network Health
It's also important to measure the standard Windows 2000 objects and counters. Items to monitor include

• Disk. PhysicalDisk reads and writes per second, and the amount of free disk space. Physical disk counters are enabled by entering diskperf -yd at a command prompt; logical disk counters (the LogicalDisk object, which includes % Free Space) require diskperf -yv. Reboot for the change to take effect. Disk bottlenecks can often be detected by observing Avg. Disk Queue Length.
• Memory. Measure Available Bytes, Cache Bytes, Pages/sec, Page Reads/sec, Transition Faults/sec, Page Faults/sec, Pool Paged Bytes, Pool Nonpaged Bytes, Paging File % Usage, Cache Data Map Hits %, and the Server object's Pool Paged Bytes and Pool Nonpaged Bytes.
• Network. Measure Network Segment % Net Utilization, network throughput and protocol transmission counters, Network Interface Bytes Total/sec and Packets/sec, and Server Bytes Total/sec (or Bytes Transmitted/sec and Bytes Received/sec).
• Processor. Measure % Processor Time and Interrupts/sec. Processor bottlenecks often show up as % Processor Time sustained at over 80 percent.
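The rules of thumb in Table 16.3 and the standard counters above are easiest to apply to a saved counter log rather than to a live graph. The following Python script is an added example, not code from this book or from Microsoft. It parses a counter log saved by Performance Logs and Alerts in its "Text File - CSV" format, averages the ISA Server counters over an off-peak and a peak window, and applies the chapter's checks: processor time sustained over 80 percent, Failing Requests/sec read against Requests/sec, the drop in the running hit ratio under load, and a disk cache that is nearly fully allocated. The log rows are constructed sample data; the counter paths follow the object and counter names used in this chapter, and the machine name ISA1, the window boundaries, the 2GB cache size and the 90 percent and 0.25 cut-offs are assumptions.

```python
"""Analyse an ISA Server counter log saved in Perfmon's "Text File - CSV" format.

Added example, not code from the book or from Microsoft. The sample rows are
constructed; counter paths follow the object and counter names used in the
chapter, and the machine name, windows, cache size and thresholds are assumed.
"""
import csv
import io
from datetime import datetime
from statistics import mean

# Constructed sample: three off-peak (02:00) and three peak (10:00) samples at
# 300-second intervals, laid out the way Performance Logs and Alerts writes CSV
# (first column is the timestamp, then one column per counter path).
SAMPLE_CSV = r'''"(PDH-CSV 4.0) (Central Standard Time)(360)","\\ISA1\Processor(_Total)\% Processor Time","\\ISA1\ISA Server Web Proxy Service\Requests/sec","\\ISA1\ISA Server Web Proxy Service\Failing Requests/sec","\\ISA1\ISA Server Web Proxy Service\Cache Running Hit Ratio (%)","\\ISA1\ISA Server Cache\Disk Cache Allocated Space (KB)"
"07/15/2002 02:00:00.000","11.2","6.4","0.1","38.5","1945600"
"07/15/2002 02:05:00.000","9.8","5.9","0.0","39.2","1945600"
"07/15/2002 02:10:00.000","12.1","7.0","0.1","39.0","1946000"
"07/15/2002 10:00:00.000","84.3","95.6","41.0","12.4","2086000"
"07/15/2002 10:05:00.000","88.9","101.2","49.7","11.8","2090000"
"07/15/2002 10:10:00.000","91.5","98.0","52.3","10.9","2095000"
'''

# Keys are object\counter; the machine part of the path is dropped when parsing.
CPU = r"Processor(_Total)\% Processor Time"
REQUESTS = r"ISA Server Web Proxy Service\Requests/sec"
FAILING = r"ISA Server Web Proxy Service\Failing Requests/sec"
HIT_RATIO = r"ISA Server Web Proxy Service\Cache Running Hit Ratio (%)"
DISK_ALLOC = r"ISA Server Cache\Disk Cache Allocated Space (KB)"


def parse_counter_log(text):
    """Return a list of (timestamp, {object\\counter: value}) samples."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    keys = ["\\".join(h.split("\\")[-2:]) for h in header[1:]]
    samples = []
    for rec in reader:
        if not rec:
            continue
        ts = datetime.strptime(rec[0], "%m/%d/%Y %H:%M:%S.%f")
        # Perfmon leaves a cell blank (a single space) when a sample was missed.
        values = {k: float(v) for k, v in zip(keys, rec[1:]) if v.strip()}
        samples.append((ts, values))
    return samples


def window_mean(samples, counter, start_hour, end_hour):
    """Average one counter over the samples whose hour lies in [start, end)."""
    vals = [v[counter] for ts, v in samples
            if start_hour <= ts.hour < end_hour and counter in v]
    return mean(vals) if vals else 0.0


def sustained_above(samples, counter, threshold, run_length):
    """True if the counter stays above threshold for run_length consecutive samples."""
    run = 0
    for _, v in samples:
        run = run + 1 if v.get(counter, 0.0) > threshold else 0
        if run >= run_length:
            return True
    return False


def assess(samples, disk_cache_size_kb, peak=(9, 18), off_peak=(0, 6)):
    """Apply the chapter's checks to the samples and return the findings."""
    peak_req = window_mean(samples, REQUESTS, *peak)
    peak_fail = window_mean(samples, FAILING, *peak)
    last_alloc = samples[-1][1][DISK_ALLOC]
    return {
        "peak_requests_per_sec": round(peak_req, 1),
        "offpeak_requests_per_sec": round(window_mean(samples, REQUESTS, *off_peak), 1),
        # Failing Requests/sec read against Requests/sec (Table 16.3).
        "failing_ratio": round(peak_fail / peak_req, 2) if peak_req else 0.0,
        # How far the running hit ratio falls under load.
        "hit_ratio_drop": round(window_mean(samples, HIT_RATIO, *off_peak)
                                - window_mean(samples, HIT_RATIO, *peak), 1),
        # Processor bottleneck: over 80 percent sustained (three samples here).
        "cpu_bottleneck": sustained_above(samples, CPU, 80.0, 3),
        # Disk cache nearly fully allocated (90 percent is an assumed cut-off).
        "disk_cache_full": last_alloc >= 0.9 * disk_cache_size_kb,
    }


def recommend(findings):
    """Map findings to the chapter's remedies: bigger cache, more hardware, or policy."""
    actions = []
    if findings["disk_cache_full"] and findings["failing_ratio"] > 0.25:
        actions.append("enlarge the disk cache")
    if findings["cpu_bottleneck"]:
        actions.append("add a processor or array member, or reduce demand by policy")
    return actions


if __name__ == "__main__":
    result = assess(parse_counter_log(SAMPLE_CSV), disk_cache_size_kb=2 * 1024 * 1024)
    for name, value in result.items():
        print(f"{name:26} {value}")
    print("recommend:", recommend(result))
```

Run it against a real log by reading the CSV file into `parse_counter_log` and passing the cache size you configured during setup; the same functions serve the baseline exercise at the end of the chapter, since a baseline is simply an earlier log assessed with the same windows.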
Analyzing Performance Using Reporting and Logging
Analyze the performance of the ISA Server computer by using reporting and logging.

The previous sections showed how to obtain statistics and reports on everything from patterns of Web usage to network activity and internal ISA Server and Windows 2000 Server activity. How can this information be used to analyze performance? Many of the sections showed how to abstract meaningful information from the data. The reports themselves combine charts and graphs that both display and interpret the information. There are several ways to use it:

• Immediate measurement to verify that things are okay (Performance Monitor).
• Troubleshooting an immediate issue of "slow" Web access or inability to access (Performance Monitor, logs).
• Long-term trend analysis to assist in capacity planning and the allocation of priorities.
It is the last usage in the preceding list that can move you from "fighting fires" to orderly management and growth over time. Over time, you will use gathered performance data and reports to

• Understand server workload
• Understand the impact of workload on responses
• Track trends
• Follow the results of changes
• Tune configuration

For example, as you review reports, logs, and Performance Monitor charts gathered over time, you can begin to spot trends in usage or in growth of demand for certain services. Trend analysis of this data tells you whether the trend will require changes to the ISA Server configuration, more powerful hardware, another ISA Server in the array, or a change in policy that reduces the availability of Web services to users and thus the need to expand the array or purchase more hardware.

NOTE
More Hardware or More Policy
One way to respond to growth in usage is to purchase more hardware. Another is to manage policy. Recently, I was asked to advise a company as to how much additional capacity they needed to handle their growth in Web usage. An analysis of Web usage revealed that most growth resulted from users using streaming media. Web browsers were being used to listen to favorite radio stations! A change in policy, blocking this type of traffic, reduced the demand on the current systems and relieved the company of having to make immediate hardware purchases, purchases that would not have gained them anything businesswise.

NOTE
Cache Adjustments
What if your efforts to justify more powerful hardware or another server in the array fail? There are several areas of cache configuration that can aid performance. The Cache Configuration pages can be used to make the following adjustments (see Figure 16.10):
• Do not cache objects larger than a set size
• Do not cache dynamic content
• Reduce the size of the maximum URL cached in memory
• Use scheduled downloads instead of active caching

Controlling RAM Used by Caching
Control the total RAM used by ISA Server for caching.

If the ISA Server computer is used only as a caching server, it uses RAM as primary cache storage for more efficient service. If the ISA Server computer also runs other services, this characteristic is not beneficial. You can throttle the amount of RAM used by ISA Server for caching; to do so, follow Step by Step 16.6.
STEP BY STEP 16.6 Managing RAM Usage
1. Right-click Internet Security and Acceleration Server\Servers and Arrays\name\Cache Configuration and select Properties.
2. Click the Advanced tab.
3. Enter the percentage of free RAM to use for caching in the Percentage of Free Memory to Use for Caching box (see Figure 16.10).
4. Click OK.
FIGURE 16.10 Throttling memory on the Cache Configuration Properties page.
CHAPTER SUMMARY
Analyzing and optimizing will be an ongoing project as the needs for Web usage and protection from attack increase over time. This chapter introduced the tools that can assist you in gathering the information needed to do this and gave some pointers that will lead to the optimization of systems.

KEY TERMS
• Capacity planning
• Allocation priorities
• Trend analysis
• Performance Monitor objects
• Performance Monitor counters
APPLY YOUR KNOWLEDGE
Exercises
16.1 Obtaining an ISA Server Baseline
Performance baselining is an important function. It tells you how your system performs at peak and off-peak times at some designated point, and a good time is when the system is first set up. This baseline sets a norm against which to compare later tests, so you can determine the impact of growth over time and anticipate the demands of further growth. The key is having something to compare later tests to. What goes in the baseline test? You will want to measure common functions of ISA Server and add typical counters that will help you understand system functions. A good place to start is with the counters selected to appear in the ISA Server Performance Monitor.
Estimated Time: 1 hour 20 minutes
1. Open the ISA Server Performance Monitor and record the objects and counters that are being measured.
2. Prepare a log file for recording, using these same objects and counters.
3. Record for an hour or so and then stop recording. Make a recording, using the same setup, for at least one peak and one off-peak time.
4. Open and view the logs.
5. Keep the logs. If possible, take new log snapshots at intervals and compare growth over time.
Review Questions
1. Reports can provide data that is useful in reallocating resources. What report might provide information on usage trends and suggest a way to improve or manage performance if network capacity cannot be increased?
2. What specific policy could be adjusted to help meet these increased utilization needs?
3. Web usage data can tell us if use of the ISA Server has grown over time. Other information can tell us how effectively the resources on the ISA Server are being used. What are two of these measurements, and in which reports can they be found?
4. Why is controlling the amount of RAM used for caching important?
5. Explain the difference between cache hit ratio and cache running hit ratio.
6. How can you determine whether you need a larger cache or are using less cache than you have allocated?
Exam Questions
1. Once reporting is enabled, I can view today's data in a report:
A. This afternoon at 5 P.M.
B. This evening at 9 P.M.
C. Midnight
D. 1:00 A.M. tomorrow
2. Reports are (pick two)
A. Configured in Monitoring Configuration\Report Jobs
B. Configured in Monitoring
C. Monitored in Configuring
D. Viewed from Monitoring\Report Jobs
E. Viewed from Configuring\Report Jobs
3. You must enter the credentials of a user who has the authority to create reports for all ISA Servers in the array when
A. Enabling reports
B. Configuring reports
C. Monitoring reports
D. Configuring ISA Server Performance Monitor
4. The network administrator is looking for data that will support his opinion that Internet usage has increased. Which report will be of most interest to him?
A. Summary report
B. Traffic and utilization
C. Web utilization
D. Security
5. The following information is collected by using ISA Server Performance Monitor: Failing Requests/sec is equal to 50 percent of Requests/sec. Disk cache allocated is almost equal to the size of the disk cache. What does this mean?
A. The cache needs to be larger.
B. The cache size is too large.
C. Too much RAM is allocated.
D. Not enough RAM is allocated.
6. Analysis determines that the demand on the ISA Server cache is far greater than the size of the cache can effectively handle. You cannot purchase another drive to enlarge your cache, nor can you set up another ISA Server in the array. Which of the following adjustments will be effective in improving existing cache functioning?
A. Reduce the size of the maximum URL cached in memory.
B. Scheduling downloads.
C. Configuring active caching.
D. Eliminating size restrictions on the size of objects cached.
Answers to Review Questions
1. Traffic and utilization report. See the section "Traffic and Utilization."
2. Bandwidth policies. See the section "Traffic and Utilization."
3. Cache hit ratio. Amount of incoming and outgoing traffic. See the sections "Traffic and Utilization" and "Application Usage."
4. RAM is used for caching and for other things. By controlling the amount used by caching you can ensure there is RAM available for other processes. See the section "Controlling RAM Used by Caching."
5. Cache hit ratio is the percentage of requests that were found in the cache since the last time the Web Proxy service was started. Cache running hit ratio gives this figure for the last 10,000 requests and is thus a more accurate evaluation of cache effectiveness. See the section "Optimizing ISA Server Using Performance Monitor."
6. Look at the counter Disk Cache Allocated Space: this is the amount of cache that is being used. Compare it to the size of the cache. See the section "Optimizing ISA Server Using Performance Monitor."
Answers to Exam Questions
1. D. A, B, and C are incorrect. The report is generated at 12:30 A.M., and none of the other times fall after it. See the section "Analyzing ISA Server Performance Using Reports."
2. A, D. B is incorrect: reports are viewed in Monitoring, not configured there. C and E are incorrect; there is no Configuring node. See the section "Analyzing ISA Server Performance Using Reports."
3. B. A is incorrect: enabling reports does not require permission everywhere. C is incorrect: viewing does not require this level of permission. D is incorrect. See the section "Analyzing ISA Server Performance Using Reports."
4. B. A and C are incorrect; although they provide useful information, they do not provide enough. D is incorrect; the security report does not provide this type of information. See the section "Traffic and Utilization Reports."
5. A. B is incorrect: most requests are failing, and the disk cache is nearly fully allocated. C and D are incorrect: although RAM is used for caching, the combination of failing requests and disk allocation points to the cache size as the problem. See the section "Optimizing ISA Server Using Performance Monitor."
6. A. B is incorrect: scheduling downloads can move download times to off-peak hours but does nothing about the size of the cache. C is incorrect: active caching uses the cache to store data before it is requested. D is incorrect: eliminating restrictions on the size of objects cached will only fill up the cache. See the section "Controlling RAM Used by Caching."

Suggested Readings and Resources
1. The Web Polygraph cache-off test: http://www.measurement-factory.com/results/public/cacheoff/N03/report.byalph.html
PART VI
FINAL REVIEW
Fast Facts
Study and Exam Prep Tips
Practice Exam

Fast Facts
To successfully and securely install and configure Microsoft Internet Security and Acceleration Server, you need to understand all its features and capabilities. You also need to be aware of how these features work with each other. For your implementation to be an effective security barrier and/or an efficient caching server, you will need to review a lot of information. The following "fast facts" briefly record important details for your review.
INSTALLATION
Three possible installation modes determine the usefulness of your ISA implementation:

• Firewall. Control inbound and outbound access via filters, rules, and settings.
• Caching. Manage outbound access via rules and by caching downloaded data for repeated access.
• Integrated. A combination of Firewall and Caching modes.

Table 1 lists the features available per mode, and Table 2 identifies the requirements of each mode.
SUMMARY TABLE 1
FEATURES AVAILABLE PER INSTALLATION MODE
Feature: Firewall / Caching / Integrated
Cache Configuration: No / Yes / Yes
Distributed Caching: No / Yes / Yes
Hierarchical Caching: No / Yes / Yes
Array Based Policy: Yes / Yes / Yes
Enterprise Policy: Yes / Yes / Yes
Access Policy: Yes / Only for HTTP, HTTPS, FTP / Yes
H.323 Gatekeeper: Yes / Yes / Yes
Intrusion Detection: Yes / No / Yes
Message Screener: Yes / Yes / Yes
Web Publishing: Yes / Yes / Yes
Server Publishing: Yes / No / Yes
Active Directory Integration: Yes / Yes / Yes
Bandwidth Control: Yes / Yes / Yes
Logging and Reporting: Yes / Yes / Yes
Packet Filtering: Yes / No / Yes
Local Address Table: Yes / No / Yes
Application Filtering: Yes / No / Yes
Web Filters: Yes / Yes / Yes
Real-time Monitoring: Yes / Yes / Yes
Alerts: Yes / Yes / Yes
Reports: Yes / Yes / Yes
VPN: Yes / No / Yes
SecureNAT Client Support: Yes / No / Yes
Firewall Client Support: Yes / No / Yes
Web Proxy Client Support: Yes / Yes / Yes

SUMMARY TABLE 2
WHICH INSTALLATION REQUIRES WHAT?
Process: Firewall / Caching / Integrated
Configure the LAT: Yes / No / Yes
Configure the initial cache: No / Yes / Yes
Update the Active Directory schema prior to installation: Enterprise Edition / Enterprise Edition / Enterprise Edition
Configure an Enterprise Policy: Enterprise Edition / Enterprise Edition / Enterprise Edition

Pre-Installation Process
Prior to installation, it is a good idea to disable several common unnecessary services:
• Computer Browser
• Fax Service
• License Logging
• Distributed File System
• Distributed Link Tracking

Minimum System Requirements
Use the following minimum system requirements as the starting point in determining the actual hardware specifications for your ISA Servers. Table 3 provides estimates of disk space to reserve for cache as well as the number of recommended ISA Servers per thousand users. Table 4 should help you estimate publishing requirements, while Table 5 presents suggestions for disk space required for forward caching.
• 300MHz Pentium II compatible CPU
• 256MB RAM (ISA Server installs with much less)
• 20MB of hard disk space (does not include space for cache)
• Windows 2000 compatible network adapter for communication with the internal network
• Modem, or other type of adapter, for communication with the Internet
• Hard disk volume formatted with NTFS (required for the Web cache; also more secure)

SUMMARY TABLE 3
ESTIMATING CACHE DISK REQUIREMENTS
Number of Users / Disk Space for Caching / Number of ISA Servers
1,000 / 10GB per 1,000 users / 1 per 1,000 users, or add additional processors, larger processors, or more RAM

SUMMARY TABLE 4
ESTIMATING PUBLISHING REQUIREMENTS
Hits/Second / Server Configuration / RAM (MB)
250 / Add another processor or another computer for each 250 hits per second / 256

SUMMARY TABLE 5
FORWARD CACHING REQUIREMENTS
Requirement / Less than 500 Users / 500–2,000 Users / More than 2,000 Users
Computer configuration / Pentium II, 300MHz / Pentium III, 550MHz / Pentium III, 550MHz computer for each 2,000 users
RAM / 256MB / 256MB / 256MB for each computer (for each 2,000 users)
Cache disk space / 2–4GB / 10GB / 10GB for each computer (for each 2,000 users)

Post Installation
After installation, the following settings are in place:

• Access Control. A default site and content rule (Allow Rule) allows all clients access to all content on all sites at all times. However, there is no protocol rule, so no traffic can pass through the server.
• Alerts. The "All port scan attack," "Dropped packets," "Protocol violation," and "UDP bomb attack" alerts are not active. All others are.
• Caching (Caching or Integrated mode). Cache size is set to the size specified during setup. Active caching is disabled. HTTP and FTP caching are enabled.
• Local Address Table (Firewall or Integrated mode). Consists of the entries made during installation.
• Packet filtering. Enabled in Firewall mode and Integrated mode; disabled in Caching mode.
• Publishing. No publishing. Requests are discarded.
• Policy (Enterprise Edition; arrays). Default policy installed. Enterprise policy sets the policy. Arrays do not restrict the policy.
FIREWALL MODE
Running ISA Server in Firewall mode allows the use of multiple modern firewall techniques. These include

• Packet filtering. ISA Server inspects the header of each packet. Because the protocol, port, and destination and source addresses can be determined from the header, packets can be passed to their destination or dropped before they enter the network.
• Circuit-level filtering. Each application request is redirected by the Firewall service to the ISA Server; no application-specific gateway is necessary, so applications that have no proxy support can be accessed this way. Windows applications that use Winsock to communicate over the Internet are supported for client machines that have the Firewall Client software installed. These requests can be inspected per session rather than only at connection time or at the packet level. Circuit-level filtering supplies built-in support for protocols with secondary connections.
• SOCKS connections can be filtered at the circuit level via the SOCKS filter, which forwards requests to the ISA Firewall service. SOCKS supports client platforms such as Unix and Macintosh.
• Application-level filtering. An application filter analyzes the data stream of an application and can inspect, screen, block, redirect, or modify data as it passes through the firewall. ISA Server uses application-level filtering to protect against unsafe SMTP commands and DNS server attacks. In addition, third-party tools for content screening, virus detection, lexical analysis, and site categorization can be applied as application and Web filters.
• Stateful inspection. Stateful inspection examines both the protocol and the connection state. Dynamic packet filters open a port only in response to a user request, and the port stays open only while that request is being filled. This reduces exposure.
• Built-in intrusion detection. In addition to the ISA application filters that protect against attacks on known vulnerabilities in DNS and POP, ISA Server detects and protects the network from several common network attacks. Configured alerts are issued in response to detected attacks. The intrusion detection in ISA Server is based on technology licensed from Internet Security Systems, Inc. (www.iss.net).
• System hardening templates. The ISA Server Security Configuration Wizard can be used to apply system security settings to all servers in an array.
• Virtual Private Networking. ISA Server can function as the endpoint for a Virtual Private Network (VPN). A VPN extends a private network by creating a secure link between two separate networks over a third. Two wizards assist in configuring the endpoints for both sides of the VPN tunnel.
Intrusion Detection
If intrusion detection is enabled, the following known attacks can be detected:

• All ports scan attack. An attempt to connect to more than the configured number of ports (the threshold is settable).
• IP half scan attack. Many connection attempts (SYN packets) are made to a computer, but the handshakes are never completed with the corresponding ACK packets.
• Land attack. A TCP SYN packet is sent with a spoofed source IP address and port number matching the destination IP address and port.
• UDP bomb attack. UDP packets constructed with illegal values in some fields are being sent.
• Enumerated port scan attack. An attempt to count the services running.
• Windows out-of-band attack. A denial-of-service attempt against an internal computer using TCP out-of-band (urgent) data that contains unexpected information or lacks expected information.

Additional intrusion detection is added by the DNS application filter. Attack footprints are detailed in Table 6.

SUMMARY TABLE 6
DNS INTRUSION DETECTION FILTER ATTACK FOOTPRINTS
Attack: Description
DNS hostname overflow: A DNS hostname in a response is too large and may overflow internal buffers, potentially allowing an attacker to execute arbitrary code on the target computer.
DNS length overflow: The length of a DNS response for IP addresses is expected to be four bytes. If a response arrives with a larger length value, internal buffers of the application doing the lookup may overflow.
DNS zone transfer from privileged ports (1–1024): DNS zone transfers from unauthorized sources can give an attacker information about your internal network. The DNS server should be configured to allow transfer requests only from approved servers. This filter detects attempts to obtain zone transfers from internal systems. Ports 1–1024, the privileged or well-known ports, are used by services, so such a request is more likely to come from another server (and may be valid).
DNS zone transfer from high ports (above 1024): See the previous entry. Requests from ports above 1024 are likely to come from client systems; the two filters let you tell whether the transfer was attempted from a client or a server. There is no need to allow zone transfers to a client system. You may need to permit zone transfers through the firewall and yet want to prevent unauthorized attempts; in either case, secure DNS and do not allow zone transfers except to authorized systems.
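ISA Server's engine for these signatures is licensed from ISS and is not published, but three of the attacks in the list above can be recognized from packet headers alone. The following Python code is an added example, not ISA Server's code, that applies the descriptions above to a constructed trace: a Land packet (source address and port equal to destination address and port, SYN set), an all ports scan (one source sending connection attempts to more distinct ports on a host than the configured threshold; 10 is an assumed setting), and an IP half scan (SYNs from a source that are never completed with that source's ACK; the count of five is also an assumption). The addresses and ports in the trace are constructed.

```python
"""Three of the intrusion-detection signatures listed above, applied to a
constructed packet trace.

Added example, not ISA Server's own detection code (which is licensed from
ISS and unpublished). Addresses, ports and thresholds are assumptions.
"""
from collections import defaultdict, namedtuple

# flags uses TCP letters: S = SYN, A = ACK, R = RST ("SA" is a SYN/ACK).
Packet = namedtuple("Packet", "src sport dst dport flags")


def build_sample_trace():
    """Constructed trace: one Land packet, a 12-port scan, one normal session,
    and six unfinished handshakes to a single port."""
    trace = [Packet("10.0.0.5", 139, "10.0.0.5", 139, "S")]      # Land
    for port in range(1, 13):                                     # scan: probe, reply, reset
        trace.append(Packet("192.0.2.10", 40000 + port, "10.0.0.20", port, "S"))
        trace.append(Packet("10.0.0.20", port, "192.0.2.10", 40000 + port, "SA"))
        trace.append(Packet("192.0.2.10", 40000 + port, "10.0.0.20", port, "R"))
    trace += [Packet("10.0.0.7", 50000, "10.0.0.20", 80, "S"),    # completed handshake
              Packet("10.0.0.20", 80, "10.0.0.7", 50000, "SA"),
              Packet("10.0.0.7", 50000, "10.0.0.20", 80, "A")]
    for i in range(6):                                            # half scan of port 25
        trace.append(Packet("198.51.100.9", 6000 + i, "10.0.0.20", 25, "S"))
    return trace


def detect_land(packets):
    """Land attack: a SYN whose spoofed source address and port equal its destination."""
    return [(p.src, p.sport) for p in packets
            if "S" in p.flags and p.src == p.dst and p.sport == p.dport]


def detect_all_ports_scan(packets, threshold=10):
    """All ports scan: one source sends connection attempts to more than
    `threshold` distinct ports on one host. Only pure SYNs count, so a
    target's SYN/ACK replies to a scanner are not mistaken for a scan."""
    probed = defaultdict(set)
    for p in packets:
        if p.flags == "S":
            probed[(p.src, p.dst)].add(p.dport)
    return sorted((src, dst, len(ports))
                  for (src, dst), ports in probed.items() if len(ports) > threshold)


def detect_half_scan(packets, min_unanswered=5):
    """IP half scan: SYNs from a source that it never completes with an ACK
    (the scanner answers the target's SYN/ACK with RST, or not at all)."""
    pending = defaultdict(set)
    for p in packets:
        conn = (p.sport, p.dport)
        if p.flags == "S":
            pending[(p.src, p.dst)].add(conn)
        elif "A" in p.flags and "S" not in p.flags:
            pending[(p.src, p.dst)].discard(conn)
    return sorted((src, dst, len(conns))
                  for (src, dst), conns in pending.items() if len(conns) >= min_unanswered)


def run_detection(packets):
    """Return alerts keyed by the names ISA Server uses for these attacks."""
    return {
        "Land attack": detect_land(packets),
        "All ports scan attack": detect_all_ports_scan(packets),
        "IP half scan attack": detect_half_scan(packets),
    }


if __name__ == "__main__":
    for name, hits in run_detection(build_sample_trace()).items():
        print(f"{name:22} {hits}")
```

Note how the two thresholds separate the signatures: the scanner from 192.0.2.10 trips both the port scan and the half scan, while the repeated unfinished connections from 198.51.100.9 to port 25 trip only the half scan, because they touch a single port.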
Application Filters
Several default application filters exist, including

• File Transfer Protocol (FTP) access filter. Used by SecureNAT clients when they require access to FTP. You must create protocol rules to allow access to the FTP protocol. If access is allowed, the filter forwards their requests to the Firewall service, which dynamically opens the secondary ports required by FTP. This filter is enabled by default. The filter also performs address translation for SecureNAT clients. It uses the predefined protocol definitions FTP Download Only, FTP Client, and FTP Server. If, instead of using the FTP access filter, you define your own protocol definition for FTP, you will not get address translation, secondary port handling, or control over FTP read and write operations.
• H.323 protocol filter. Uses the H.323 protocol definitions (added when the H.323 Gatekeeper is installed) to allow incoming and outgoing H.323 calls, audio, video, and application sharing.
• HyperText Transfer Protocol (HTTP) redirector filter. Forwards HTTP requests from SecureNAT and Firewall clients to the Web Proxy service, where they can be cached. Requests redirected this way reach the Web Proxy service unauthenticated, so rules that use user names and groups will not be applied to them: if such a rule denies access, access will actually be allowed because there is no way to check which user is making the request, and if you do not allow unauthenticated access, all redirected requests will be denied.
• Intrusion detection filters. DNS and POP intrusion detection filters.
• Remote Procedure Call (RPC) filter. Enables publishing of RPC servers. Although the filter is enabled by default, to publish an RPC server you must create a server publishing rule and apply the RPC protocol. Two protocol definitions (Any RPC Server and Exchange RPC Server) are added with the RPC filter.
• SOCKS filter. Forwards requests from SOCKS applications to the Firewall service. Access policy rules must be configured to allow or deny the SOCKS client application access to the Internet. The default port for SOCKS requests is 1080.
• Simple Mail Transfer Protocol (SMTP) filter. Accepts and inspects SMTP traffic arriving on port 25.
• Streaming media filter. Allows client access to, and server publishing of, Microsoft Windows Media (MMS), the Progressive Networks protocol (PNM, used by RealPlayer), and the Real Time Streaming Protocol (RTSP, used by RealPlayer G2 and QuickTime 4).
Packet Filters
Packet filter rules are written to control communications between networks. By default, ISA Server does not allow any communication between its networks until some combination of the following allows access:
• Protocol rules and site and content rules: outbound access
• Publishing rules: inbound access
• Packet filters: which packets may enter or leave through the external interface (a block filter overrides any rule that would otherwise allow the traffic)
• Routing rules: where a request is forwarded, for example directly to the destination, to an upstream server, or from one interface to another
FAST FACTS
483
If Active Directory integration is desired, two factors affect your planning and preinstallation activity:
• First, you must be a member of both the Schema Admins and Enterprise Admins groups before you can use the ISA Server Active Directory initialization utility.
• Second, you must wait until the schema modification replicates to all domain controllers. The utility needs to be run only once in the enterprise, but it may take some time before the changes are replicated throughout the forest.

CACHING MODE
Caching can be implemented in the following ways:
• Reverse caching
• Forward caching
• Scheduled caching
• Distributed caching
• Hierarchical caching or chaining

ISA SERVER EDITIONS
ISA Server is available in two editions. Significant differences exist between the editions (detailed in Table 7).

SUMMARY TABLE 7
DIFFERENCES BETWEEN ISA SERVER EDITIONS
Feature                                   Enterprise Edition   Standard Edition
Distributed caching                       Yes                  No
Hierarchical caching                      Yes                  Yes
Array based policy                        Yes                  Yes
Enterprise policy                         Yes                  No
H.323 gatekeeper                          Yes                  Yes
Intrusion detection                       Yes                  Yes
Message screener                          Yes                  Yes
Web publishing                            Yes                  Yes
Server publishing                         Yes                  Yes
Active Directory integration              Yes                  No
Firewall, Caching, or Integrated modes    Yes                  Yes
Bandwidth control                         Yes                  Yes
Logging and reporting                     Yes                  Yes
Packet filtering                          Yes                  Yes

POLICY
ISA Server policy is created by creating access rules. Rules are made up of policy elements. (Note that in order to allow access to the Internet, a protocol rule and a site and content rule must both exist that match the client, the site, and the protocol.)

Default Rules
Some default rules exist:
• ICMP outbound. Allow all ICMP outbound from the default IP address on the ISA Server's external interface to all remote computers. (The ISA Server computer can send ICMP messages.)
• ICMP ping response (in). To the default IP address on the external interface from all remote computers. (The ISA Server can receive inbound ping responses.)
• ICMP source quench. From outside to the default IP address on the external interface. (The ISA Server receives instructions to slow its packet sending rate.)
• ICMP timeout (in). To the default IP address on the external interface from all remote computers. (The ISA Server can receive messages relating to timeouts, for example of ping requests.)
• ICMP unreachable. To the default IP address on the external interface from all remote computers. (The ISA Server can receive notice of an unreachable address.)
• DHCP Client. Allows the external interface to act as a DHCP client. This rule is disabled by default.
• DNS filter. DNS lookup. (Requests for DNS lookup can pass.)

When multiple rules exist they are processed in the following manner:
1. First, protocol rules are examined to determine whether the protocol being used is defined in one of the rules. If it is, and the protocol is allowed rather than denied, processing continues.
2. Next, site and content rules are applied. If a site and content rule matches the request and no other site and content rule denies it, processing continues.
3. Third, IP packet filters are checked to determine whether a blocking filter exists. If the communication is explicitly blocked by a packet filter, it is denied.
4. If all answers have been affirmative, ISA Server checks its routing rules or its firewall chaining setup to find out how the message should be sent.

Policy Elements
Rules include policy elements, which must be predefined. These elements are defined in Table 8.

SUMMARY TABLE 8
POLICY ELEMENTS
Schedules
  Definition: Identifies the hours of the day and the days of the week that the rule is in effect.
  Used by: Protocol rules, site and content rules, bandwidth rules
Bandwidth Priorities
  Definition: Identifies an inbound and an outbound priority number from 1 to 200. The numbers establish a relative percentage of the available bandwidth that can be applied to the traffic identified by the rule.
  Used by: Bandwidth rules
Destination Sets
  Definition: Identifies the computers, and potentially the directories and files on those computers, which can or cannot be accessed.
  Used by: Site and content rules, bandwidth rules, Web publishing rules, routing rules
Client Address Sets
  Definition: A collection of one or more computers identified by IP address.
  Used by: Protocol rules, site and content rules, bandwidth rules, server publishing rules, Web publishing rules
Protocol Definitions
  Definition: Characteristics that define available protocols via port, protocol type, and direction.
  Used by: Protocol rules, server publishing rules, bandwidth rules
Content Groups
  Definition: Arranges content definitions by MIME type or file extension.
  Used by: Site and content rules, bandwidth rules
Dial-Up Entries
  Definition: Specific dial-up information such as account information.
  Used by: Routing rules, firewall chaining
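The four-stage order in which ISA Server processes an outbound request (protocol rules, then site and content rules, then IP packet filters, then routing) is easy to get wrong when several allow and deny rules overlap. The following is an added example, not code from the training guide or from ISA Server itself: a small Python model of that evaluation order with the same "deny wins, and no matching allow rule means no access" semantics. The policy it evaluates is constructed for the demonstration; the protocol name "Web-Alt" on tcp/8000, the client set 10.0.2.0/24, and the host names are illustrative.

```python
# Added example (not from the training guide): a model of the order in which
# ISA Server 2000 evaluates an outbound request. The policy below is constructed
# for the demo; "Web-Alt", the client set and the host names are illustrative.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Request:
    client_ip: str
    user: Optional[str]      # None = unauthenticated (for example a SecureNAT client)
    protocol: str            # name of the protocol definition the request matched
    transport: str           # "tcp" or "udp"
    port: int                # destination port
    destination: str         # requested host name


@dataclass
class ProtocolRule:
    action: str                                            # "allow" or "deny"
    protocols: List[str]                                   # empty = all IP traffic
    client_sets: List[str] = field(default_factory=list)   # CIDR strings; empty = any client
    users: List[str] = field(default_factory=list)         # empty = any user, anonymous included

    def matches(self, r: Request) -> bool:
        if self.protocols and r.protocol not in self.protocols:
            return False
        if self.client_sets and not any(ip_address(r.client_ip) in ip_network(c)
                                        for c in self.client_sets):
            return False
        if self.users and r.user not in self.users:
            return False
        return True


@dataclass
class SiteRule:
    action: str
    destinations: List[str]  # destination set; "*" = all destinations

    def matches(self, r: Request) -> bool:
        return "*" in self.destinations or r.destination in self.destinations


@dataclass
class PacketFilter:
    mode: str        # "allow" or "block"
    transport: str
    port: int

    def matches(self, r: Request) -> bool:
        return self.transport == r.transport and self.port == r.port


@dataclass
class Policy:
    protocol_rules: List[ProtocolRule]
    site_rules: List[SiteRule]
    packet_filters: List[PacketFilter]
    upstream: Optional[str] = None   # routing rule / firewall chaining target; None = send directly


def evaluate(policy: Policy, r: Request) -> Tuple[str, str]:
    """Return (decision, stage). At each stage a matching deny rule beats any allow
    rule, and a stage with no matching allow rule denies (the default is no access)."""
    # 1. Protocol rules: is this protocol allowed at all for this client and user?
    hits = [p for p in policy.protocol_rules if p.matches(r)]
    if not hits or any(p.action == "deny" for p in hits):
        return "deny", "protocol rule"
    # 2. Site and content rules: may this destination be reached?
    hits = [s for s in policy.site_rules if s.matches(r)]
    if not hits or any(s.action == "deny" for s in hits):
        return "deny", "site and content rule"
    # 3. IP packet filters: an explicit block filter on the external interface wins.
    if any(f.mode == "block" and f.matches(r) for f in policy.packet_filters):
        return "deny", "packet filter"
    # 4. Routing rules or firewall chaining decide where the request is sent.
    return "allow", f"route via {policy.upstream}" if policy.upstream else "route direct"


def sample_policy(upstream: Optional[str] = None) -> Policy:
    """Constructed policy: HTTP, FTP and a hypothetical 'Web-Alt' protocol (tcp/8000)
    are allowed; FTP is denied for the 10.0.2.0/24 client set; one site is denied;
    a block packet filter covers tcp/8000 regardless of the protocol rule."""
    return Policy(
        protocol_rules=[
            ProtocolRule("allow", ["HTTP", "FTP", "Web-Alt"]),
            ProtocolRule("deny", ["FTP"], client_sets=["10.0.2.0/24"]),
        ],
        site_rules=[SiteRule("allow", ["*"]), SiteRule("deny", ["blocked.example"])],
        packet_filters=[PacketFilter("block", "tcp", 8000)],
        upstream=upstream,
    )


if __name__ == "__main__":
    pol = sample_policy()
    for req in [
        Request("10.0.1.5", None, "HTTP", "tcp", 80, "www.example"),
        Request("10.0.1.5", None, "HTTP", "tcp", 80, "blocked.example"),
        Request("10.0.2.7", None, "FTP", "tcp", 21, "ftp.example"),
        Request("10.0.1.5", None, "Web-Alt", "tcp", 8000, "www.example"),
        Request("10.0.1.5", None, "Telnet", "tcp", 23, "host.example"),
    ]:
        print(req.protocol, req.destination, "->", evaluate(pol, req))
```

The stage returned with each decision is the part worth keeping when you troubleshoot: a request that is denied at the packet filter stage has already passed a protocol rule and a site and content rule, so relaxing those rules further will not help. Note also that a request with no matching protocol rule is denied before any site and content rule is consulted, which is why both rule types must exist for Internet access to work.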
LOGS AND REPORTS
You will, over time, use gathered performance data and reports to
• Understand server workload
• Understand the impact of workload on responses
• Track trends
• Follow the results of changes
• Tune configuration

Logs
The following log files are created by ISA Server:
• IPPDyyyymmdd.log. Information on blocked packets (by default) and on allowed packets (if configured). To enable logging of allowed packets, check the Log Packets from Allow Filters check box on the IP Packet Filters property page.
• FWSEXTDyyyymmdd.log. Information on packets handled by the firewall service.
• WEBEXTDyyyymmdd.log. Information on requests handled by the Web proxy service.

Reports
In addition to the logs, ISA Server can be configured to produce a number of predefined reports. Reports include:
• Summary report. Illustrates traffic usage.
• Web usage reports. Top users, common responses, browsers.
• Application usage reports. Application usage by top users, incoming and outgoing traffic, client applications, and destinations.
• Traffic and utilization reports. Total Internet usage by application, protocol, and direction.
• Security reports. Attempts to breach network security.
It is important to note that report summaries are generated every day at 12:30 A.M. This means that the data in the reports is not compiled in real time; it is from at least the day before. When you are investigating an incident, go to the log files themselves rather than waiting for the next report.

Cache Adjustments
What if your efforts to justify more powerful hardware or another server in the array fail? There are several areas of cache configuration that can aid performance. The cache configuration pages can be used to make some adjustments. For example, you can:
• Reduce the maximum size of URLs cached in memory
• Use scheduled downloads instead of active caching
• Do not cache objects larger than a set size
• Do not cache dynamic content

AUTHENTICATION
You may use various authentication modes as part of access rules. Pay particular attention to how your authentication requirements and the ISA client type used may affect the function of these rules.
Authentication to external sources may also be an issue. One such problem can be solved by installing the Identd simulation service. When a client operates behind a firewall it cannot respond to some types of requests for identification from Internet servers. The Identd simulation service, when installed on an ISA Server, can respond to the Internet server on behalf of the client.

Authentication choices are defined in Table 9.

SUMMARY TABLE 9
AUTHENTICATION PROCESSES
Basic
  Description: Credentials are sent as encoded text characters (easily read; no encryption). Use it only on a listener that requires SSL.
  Who can use it: Users with accounts on the ISA Server computer or in a domain trusted by the ISA Server.
Digest
  Description: Credentials, modified with values that identify the user, computer, and domain, are time stamped and then hashed to create a message digest (the result of a one-way process; the product cannot be decrypted).
  Who can use it: Users with accounts in a domain trusted by the ISA Server.
Integrated
  Description: Integrated Windows authentication. (The authentication protocol used depends on the operating systems and the client account membership involved.)
  Who can use it: Windows user accounts. Kerberos can be used if Windows 2000 domain user accounts are being used from a Windows 2000 domain member computer. Kerberos cannot be used in a pass-through scenario.
Pass-through
  Description: ISA Server can pass a client's authentication information to the destination server.
  Who can use it: Outgoing and incoming Web requests.
Certificates
  Description: Certificates issued by a Certificate Authority are used for authentication.
  Who can use it: Clients. Servers.

Client authentication before a requested access is granted is required in the following circumstances:
• When rules are configured to require membership in specific groups, or the participation of specific users, ISA Server requires client authentication so it can determine whether access is allowed for that user.
• If a firewall client requests access to some other protocol and rules have been configured that require membership in a group, or access is specific to certain users, then authentication is required.
• ISA Server has been configured to always require authentication.
• If the HTTP protocol is requested by Web proxy or firewall clients, ISA Server determines whether the rule allows anonymous access. If it does, and no other configuration blocks the access, then access is allowed. However, if no rule allows anonymous access to HTTP, ISA Server requires authentication.

Remote Access Authentication
Chained Authentication
When a client request is passed from one ISA Server to another, authentication information can also be transferred. However, in some cases the upstream server might not be able to determine which client is requesting the object. This happens when the upstream server requires the downstream server to use an account in order to connect; in that case it is this account's information that is passed to the upstream server. Otherwise, the client's own authentication information is passed to the upstream server. If authentication information is not required for all clients, access rules on the upstream server that rely on user identification may not be processed in the manner you require.
INTEROPERABILITY
ISA Server's interoperability with services that may already be deployed in the network should be explored. Information on common network services and ISA Server is detailed here:
• Windows NT 4.0 domains. ISA Server can be installed on a standalone Windows 2000 server in a Windows NT 4.0 domain.
• ISA Server arrays in a Windows NT 4.0 domain. An ISA Server array requires a Windows 2000 domain. However, this domain can be joined in a trust relationship with a Windows NT 4.0 domain in order to provide services to Windows NT 4.0 clients.
• Routing and Remote Access. ISA Server provides remote connectivity and extends RRAS. ISA Server can use the dial-up entries configured for RRAS (RRAS can run on the ISA Server). You should allow ISA packet filtering to replace RRAS packet filtering and allow the ISA Server to provide remote connectivity for internal clients.
• IIS Server. IIS is not required on an ISA Server, but it can run on one. You should configure Web publishing rules if you wish to allow public users to access the Web server. Set the IIS server to listen on a port other than port 80, because ISA Server listens for inbound Web requests on that port.
• Internet Connection Sharing (ICS). ISA Server replaces the need to run Internet Connection Sharing.
• IPSec. ISA Server can be configured as an IPSec/L2TP VPN server.
• Terminal Services. May be installed on the ISA Server for remote administration purposes.
• SNMP. May be installed if required to support network management.
• Other applications and services. Other applications can run on the ISA Server if you create packet filters that allow their services access. However, if the ISA Server is acting as a firewall, you should avoid statically opening ports (that is, creating packet filters for them). In most cases, it is not a good idea to enable additional applications on the ISA Server.
ENTERPRISE EDITION Differences between the standard and enterprise editions often come down to the ability to configure enterprise and array level policies, and the ability to create arrays.
Enterprise Policies
Policy settings in the enterprise depend on enterprise policy choices. Choices are listed in Table 10.

SUMMARY TABLE 10
CUSTOM POLICY SETTINGS
1. Use array policy only
   Description: The enterprise policy is not used. Each array has its own policy.
   Can be combined with: 4 and 5
2. Use this enterprise policy
   Description: Select a created enterprise policy by name.
   Can be combined with: 3, 4, 5
3. Allow array level access rules that restrict enterprise policy
   Description: The enterprise policy is applied to all arrays; however, array policies may contain and enforce more restrictive settings.
   Can be combined with: 2
4. Allow publishing rules
   Description: Publishing rules can be created to allow access to internal Web servers from the public network.
   Can be combined with: 1 and 2
5. Force packet filtering on this array
   Description: Packet filtering will be used to restrict entry. By default, no access is allowed until rules and policies are configured.
   Can be combined with: 1 and 2

Array Types
Hierarchical arrays are chains of ISA Servers and can be established for Standard and Enterprise Edition ISA Servers. It is a simple matter of configuring the server to forward requests to other ISA Servers instead of directly to the requested source. Chains of distributed arrays are also possible.
Distributed arrays are collections of Enterprise Edition ISA Servers and are managed by assigning enterprise and array policies. They can only be created using the Enterprise Edition of ISA Server. They offer multiple advantages, including centralized management, fault tolerance, and improved processing efficiency. Three basic policy scopes exist:
• Combined array and enterprise policy. Management is potentially split between enterprise-level and array-level policies.
• Array policy only. The enterprise policy gives control to the managers of array-level policy.
• Enterprise policy only. All policies are set at the enterprise level.

Promotion
If an enterprise license is obtained, or if an Enterprise Edition ISA Server was installed in standard mode, an ISA Server can be promoted to an array. Changes to policy will occur as defined in Table 11.

SUMMARY TABLE 11
ARRAY POLICY MODIFICATION DURING PROMOTION
Enterprise Policy Setting                       Change in Policy
Policy managed entirely by arrays               No changes
Policy managed entirely by enterprise           Delete all array policies
Policy managed by enterprise and array          Delete all "allow" policies
Publishing allowed? Yes                         Publishing rules retained
Publishing allowed? No                          Publishing rules deleted
Understanding CARP
The Cache Array Routing Protocol (CARP) is a hash-based routing algorithm that deterministically selects the array member that stores, and later serves, a given object. When the object is requested again, the same calculation locates it. The entire array of ISA caching servers is managed as a single logical cache: no object is stored more than once, and because every member computes the same answer, no member has to ask the others where an object lives. As servers are added to the array, CARP becomes more efficient. CARP is enabled in the array properties. However, for CARP to work, the listeners on each server must be configured to use an address for intra-array communications. You may also want to balance the "load factor" of the servers within the array.
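To see the properties described above in code, here is an added example; it is not ISA Server's CARP implementation and it does not reproduce the exact CARP v1 hash functions. It assumes that rendezvous ("highest random weight") hashing with per-member load factors is an adequate stand-in, which it is for the three properties that matter to an administrator: each URL has exactly one owner, every member computes the same owner without coordination, and adding a member moves only the URLs that now belong to the new member. Member names and URLs are constructed.

```python
# Added example (not ISA Server's own code): rendezvous hashing with load factors,
# which has the CARP properties described above. The real CARP v1 hash differs;
# SHA-256 is used here only because it is stable and available everywhere.
import hashlib
import math
from typing import Dict, List


def _unit_hash(text: str) -> float:
    """Map text to a pseudo-random value strictly inside (0, 1)."""
    digest = hashlib.sha256(text.encode("utf-8")).digest()
    return (int.from_bytes(digest[:8], "big") + 1) / (2 ** 64 + 1)


class CacheArray:
    def __init__(self, members: Dict[str, float]):
        """members: array member name -> load factor (> 0). A member with load
        factor 2.0 receives roughly twice the URL space of a member with 1.0."""
        if not members or any(lf <= 0 for lf in members.values()):
            raise ValueError("every member needs a positive load factor")
        self.members = dict(members)

    def owner(self, url: str) -> str:
        """Array member responsible for caching `url`: the member with the highest
        weighted score, score = load_factor / -ln(u) with u drawn per (url, member).
        Any member that runs this with the same member list gets the same answer."""
        best, best_score = "", -1.0
        for name, load_factor in self.members.items():
            u = _unit_hash(url + "\n" + name)
            score = -load_factor / math.log(u)
            if score > best_score:
                best, best_score = name, score
        return best

    def add_member(self, name: str, load_factor: float) -> None:
        if load_factor <= 0:
            raise ValueError("load factor must be positive")
        self.members[name] = load_factor

    def distribution(self, urls: List[str]) -> Dict[str, int]:
        """How many of `urls` each member owns (the effect of the load factors)."""
        counts = {name: 0 for name in self.members}
        for url in urls:
            counts[self.owner(url)] += 1
        return counts


def moved_urls(before: "CacheArray", after: "CacheArray", urls: List[str]) -> Dict[str, str]:
    """URLs whose owner differs between two array configurations, with the new owner.
    With rendezvous hashing, growing the array only ever moves URLs to the new member."""
    return {u: after.owner(u) for u in urls if before.owner(u) != after.owner(u)}


if __name__ == "__main__":
    urls = [f"http://www.example/page{i}.html" for i in range(3000)]   # constructed
    arr = CacheArray({"isa1": 1.0, "isa2": 1.0, "isa3": 2.0})
    print("three members:", arr.distribution(urls))
    grown = CacheArray(dict(arr.members))
    grown.add_member("isa4", 1.0)
    moved = moved_urls(arr, grown, urls)
    print("after adding isa4:", grown.distribution(urls), "moved:", len(moved),
          "all to isa4:", set(moved.values()) == {"isa4"})
```

Running it shows isa3 holding about half the URL space and, after isa4 joins, roughly a fifth of the URLs changing owner, every one of them to isa4. That is the reason the array gets more efficient as members are added: the existing members keep what they already have cached instead of re-fetching it from the Internet.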
Network Load Balancing
To plan and implement network load balancing you must:
1. Verify that the ISA Servers which will be in the cluster are installed in the same mode.
2. Assign a unique IP address to the cluster and assign a fully qualified domain name for this address.
3. Use this cluster address as the primary network address of each ISA Server computer's internal interface adapter. All ISA Server computers will have the same primary address in the NLB configuration.
4. Assign a unique priority to each machine in the NLB cluster.
5. Set the dedicated IP address to the IP address of the ISA Server's internal network adapter. (This address can be used to individually address a single server.)
6. If a server has two internal network adapters, the one which receives the dedicated address should have a lower metric value (higher priority) than the adapter with the cluster address.
7. If a server has one internal network adapter, the dedicated address should be ordered first.
8. The default gateway for SecureNAT clients will be the cluster IP address. Thus, all SecureNAT requests are handled by Network Load Balancing.

CLIENTS
ISA Server listens for Web proxy client requests on port 8080. (It listens for inbound Web requests, that is, requests for published Web servers, on port 80.) If an IIS server is present on the same machine and has not been configured to use different ports, there will be conflicts. In addition, Web proxy clients will either need to use autodiscovery or be configured to use port 8080. (Proxy Server 2.0 listened on port 80 for client requests.) This is also why, during installation, if IIS is installed on the same machine its WWW publishing service is stopped. After installation, IIS should be removed or its listening port changed before the service is restarted. (An IIS server on the ISA Server can be published via Web publishing rules or by using IP packet filters.)
Client Types
Several client types exist. They are distinguished by the features illustrated in Table 12.

SUMMARY TABLE 12
DISTINGUISHING CLIENT TYPES
SecureNAT
  Client configuration necessary: Possible; the client's default gateway is set to the ISA Server internal interface (or to a router that forwards Internet traffic to it).
  Protocols that can be used to access Internet resources: Any protocol allowed by a protocol rule; protocols that use secondary connections require an ISA Server application filter.
  Client OS required: Any
  Requirements: TCP/IP; Internet requests are routed to the ISA Server
  Mode: Firewall, integrated
Web Proxy
  Client configuration necessary: Configure the browser
  Protocols that can be used to access Internet resources: HTTP, HTTPS, FTP, Gopher
  Client OS required: Most any
  Requirements: A Web application that can be configured to use a proxy
  Mode: Caching, integrated, firewall
Firewall
  Client configuration necessary: Install the firewall client
  Protocols that can be used to access Internet resources: Winsock applications
  Client OS required: Win32
  Requirements: Configuration file
  Mode: Firewall, integrated
Infrastructure Changes for Client Types
SecureNAT clients potentially entail few infrastructure changes. This does not mean the cost will be low, but that the modifications are simple. If SecureNAT clients need to be pointed directly to the internal interface of the ISA Server, that information can be provided in DHCP or manually configured for those clients with static IP addresses. If multiple SecureNAT clients must be visited directly, you must budget your time and cost accordingly. In a larger environment, however, SecureNAT clients may already be pointed to network routers for internal routing. These routers will need to be configured to route Internet requests to the ISA Server. Your time and cost will depend on the number of routers that must be configured and the complexity of this configuration change. If Web proxy or firewall clients need to be configured for automatic discovery, you might need to configure DHCP and/or DNS servers to provide information on where to locate the ISA Server. The protocol used is Web Proxy Auto-Discovery (WPAD).
MIGRATION FROM PROXY 2.0
Many installations of Proxy 2.0 will eventually be migrated to ISA Server. It is important to know what will happen to current settings when this is done. First however, remember that the steps you take during migration are dictated by the variables in Table 13. Then, review the setting modifications explained in Table 14.
SUMMARY TABLE 13
MIGRATION PATH VARIABLES
Is the Proxy Server a member of an array?
  Steps to take: Remove the Proxy Server from the array prior to the migration.
Is the Proxy Server on a standalone system?
  Steps to take: No additional steps necessary.
Will you be installing the server into an array or not?
  Steps to take: You must have appropriate permissions to install into the array.
What is your role in Windows 2000 administration? (Are you a Domain Admin or Enterprise Admin?)
  Steps to take: Membership in the Enterprise Admins and Schema Admins groups is necessary to modify the AD schema.
Will the ISA Server system be a domain member?
  Steps to take: Join the Windows 2000 system to the proper domain.
Does the Proxy 2.0 NT 4.0 computer meet minimal and appropriate specifications for Windows 2000?
  Steps to take: If the Proxy 2.0 system does not meet the minimum requirements for Windows 2000, you will need to upgrade the hardware prior to continuing the migration.

SUMMARY TABLE 14
PREMIGRATION VARIABLE EFFECT ON PROXY CONFIGURATION MIGRATION
Proxy Server 2.0 standalone
  Install to existing ISA array: ISA enterprise configuration determines final configuration
  Install to new ISA array: ISA enterprise configuration set during installation determines final configuration
  Install ISA standalone server: Retains most Proxy Server 2.0 configuration
Proxy Server 2.0 array member
  Install to existing ISA array: ISA enterprise configuration determines final configuration
  Install to new ISA array: Can utilize array settings from the Proxy Server 2.0 array
  Install ISA standalone server: Because the Proxy Server is removed from the array before installation, most settings from the array.

Changes necessary after migration are:
• Because ISA Server and Proxy Server listen on different ports for HTTP requests, downstream browsers will have to be reconfigured.
• All network configurations on the ISA Server should be checked for correctness.
• Web publishing under ISA Server doesn't require changes to the published server; however, the server may have had changes configured which now need to be removed.
• SOCKS rules from Proxy Server 2.0 are not migrated; ISA Server uses the SOCKS application filter instead. You may need to configure or adjust it. ISA Server listens on port 1080 for SOCKS requests. This can be changed.
• ISA Server installs with only Windows integrated authentication enabled. This has the effect that previously supported requests from non-Internet Explorer browsers will be rejected. You will need to configure basic authentication for Web requests; because basic authentication sends credentials in cleartext, require SSL on the listener that accepts them.
PUBLISHING
Keeping Web and other externally accessed servers behind a firewall is a good thing. To make their contents available externally, use publishing. Web publishing configuration is listed in Table 15.

Web Publishing
SUMMARY TABLE 15
CONFIGURING WEB PUBLISHING
Configure Web site domain resolution
  Instructions: Ensure that the public Web server name is registered in DNS with the address of the ISA Server that will perform the Web hosting.
  Mandatory: Yes
Configure destination sets to identify the ISA Servers that will be configured for publishing
  Instructions: The destination set includes the external IP address or names of the ISA Servers that will route the request to the internal Web server. You can choose to use more general terms instead of explicitly identifying the firewall.
  Mandatory: No
Configure a listener on the external interface of the firewall
  Mandatory: Yes
Configure client access types to restrict access
  Instructions: Client types include ranges of IP addresses and specific user accounts.
  Mandatory: No
Create a Web publishing rule
  Mandatory: Yes

SSL Bridging
If a published Web server requires SSL access, you may need to make some choices and configure SSL bridging. Your choices are defined in Table 16.

SUMMARY TABLE 16
SSL BRIDGING CHOICES
Redirect HTTP requests as:
  HTTP requests: No mystery here; the request is forwarded to the Web server as plain HTTP.
  SSL requests: Use this choice to secure HTTP communications between the ISA Server and the internal Web server.
Redirect SSL requests as:
  HTTP requests: The SSL secure channel ends at the ISA Server. Communications between the ISA Server and the Web server are unencrypted, so anyone able to capture traffic on that internal segment sees the cleartext.
  SSL requests: The client's SSL channel still terminates at the ISA Server (the client conversation is secured between itself and the ISA Server); this option requires a new SSL channel to be established between the ISA Server and the Web server. In both cases the ISA Server sees the decrypted request, which is what allows it to inspect and cache the content.
Require secure channel (SSL)
  No conversation takes place if SSL cannot be established.
Require 128-bit encryption
  The ISA Server must have the High Encryption Pack for Windows 2000 installed to use this feature.
Use a certificate to authenticate to the SSL Web server
  If an SSL channel is required between the ISA Server and the Web server, check this box and identify the certificate to be used.
Publishing Servers on a Perimeter Network Packet filters must be configured to publish servers which exist on a perimeter network.
H.323
The H.323 Gatekeeper service is installed as a separate component of ISA Server. Once installed and configured, it provides H.323 Gatekeeper services for registered clients. The registration database holds the aliases and their matching IP addresses and allows the H.323 Gatekeeper to translate between the two. Connections to those addresses registered in the database are controlled and managed by the gatekeeper using rules defined for the service. You do not need to use the H.323 Gatekeeper or the registration database to access H.323 services through the ISA Server. However, clients must be registered in the registration database for two types of H.323 communication:
• First, to receive inbound calls through the gatekeeper service to a well-known alias. (A well-known alias can be an email address.)
• Second, if translation services are needed to place outgoing calls. Translation services provide the capability to reference H.323 endpoints that may not have a registered DNS address, for example a personal email address or a Plain Old Telephone System (POTS) phone number.
H.323 RAS alias addressing supported by the H.323 Gatekeeper is of three types, from two versions of the protocol (Table 17). Aliases consist of a type and a name.
SUMMARY TABLE 17
H.323 RAS ALIAS ADDRESSING
Type          Format                                                        H.323 RAS Version
E-Mail-ID     Internet-type email addressing                                Two
H.323-ID      DNS strings, email addresses, account names, computer names   One
E164          Phone number addressing; characters 0 to 9                    One

An endpoint using these types of address can be an H.323 client such as a proxy server (ISA Server), a client running NetMeeting, or an H.323 gateway. Registration includes:
• Endpoint Q.931 (IP address plus port) addresses
• H.323 RAS addresses for the endpoint
• List of aliases
Several ports are used by this service. They are listed in Table 18.

SUMMARY TABLE 18
H.323 PORTS
Port                      Use
1720 (TCP)                H.323 call setup
1731 (TCP)                Audio call control
Dynamic (TCP)             H.323 call control
Dynamic (RTP over UDP)    H.323 audio and video streaming
389 (TCP)                 Internet Locator Server
522 (TCP)                 User Location Service
1503 (TCP)                T.120

For H.323 proxies outside your organization to locate the ISA Server which hosts the H.323 Gatekeeper service, you must configure a DNS service location (SRV) resource record. The port number required is 1720.
ROUTING
Routing is configured to let the ISA Server know where to forward a request. Choices are described in Table 19.

SUMMARY TABLE 19
ROUTING RULE OPTIONS
Cache Retrieval Configuration / Cache
  Option: A valid version of the object. If none exists, retrieve the request using the specified request action.
    Explanation: ISA Server looks first in the cache, but if the object has expired it routes the request.
  Option: Any version of the object. If none exists, retrieve the request using the specified request action.
    Explanation: Even expired content is returned before requests are routed.
  Option: Any version of the requested object. Never route the request.
    Explanation: You get the object if it's there; otherwise, tough luck.
Cache Content Configuration / Cache
  Option: All content, including dynamic objects, is cached.
    Explanation: All downloaded objects are cached.
  Option: If source and request headers indicate to cache, then the content will be cached.
    Explanation: Not all objects are cached.
  Option: No content is ever cached.
    Explanation: Nothing is cached.

VPNS
ISA Server can be configured to be the server endpoint of a client-to-server VPN. Two ISA Servers can create a gateway-to-gateway VPN tunnel. Wizards assist the process.

Client to Server VPN Wizard
In the client connection VPN, the packet filters in Table 20 are created. If the ISA Server will not be the VPN endpoint, or if internal clients need to connect to external VPN endpoints, you must create packet filters which allow these protocols to pass through the ISA Server. You might also want to create specific site and content rules and protocol rules to restrict their use.

SUMMARY TABLE 20
VPN CLIENT CONNECTION PACKET FILTERS
Allow L2TP protocol IKE packets
  Filter type: UDP (protocol number 17), port 500, both directions
  Local computer: Default IP address on the external interface
  Remote computer: All remote computers
Allow L2TP protocol packets
  Filter type: UDP (protocol number 17), port 1701, both directions
  Local computer: Default IP address on the external interface
  Remote computer: All remote computers
Allow PPTP protocol packets (client)
  Filter type: Predefined filter PPTP call; protocol 47 (GRE)
  Local computer: Default IP address on the external interface
  Remote computer: All remote computers
Allow PPTP protocol packets (server)
  Filter type: Predefined filter PPTP receive; protocol 47 (GRE)
  Local computer: Default IP address on the external interface
  Remote computer: All remote computers

Gateway to Gateway VPN
Two wizards simplify this setup. Before proceeding to the remote computer to install the remote gateway, examine the changes made on the local ISA Server. Changes are made to the ISA Server system in three areas.
• Computer Management\Users and Groups\Users. Note that a new user has been added with the name of the interface created by the wizard. This new user is configured with "Allow dial-up access" and "Password never expires"; the User Must Change Password at Next Logon check box has been cleared. The wizard assigns a strong password to this account and transfers that information to the VPN file. That file therefore contains a credential: move it to the remote site over a trusted channel and delete it once the remote gateway is configured.
• Routing and Remote Access. A demand-dial interface is created and named with the interface name. Inspect the demand-dial interface properties to verify that the remote computer's IP address is correctly configured. Check the options and see that no callback has been configured. Security is configured behind the Advanced button. Note that the check box mandating data encryption is checked.
• ISA Server Management Console. Packet filters for PPTP and/or IPSec have been created. Examine each packet filter to see that the appropriate local computer address (the external IP address of the local ISA Server) and remote computer address (the external IP address of the remote ISA Server) have been entered.

3-HOMED ISA SERVER
The 3-homed firewall presents a special challenge. For it, only the interface directly connected to the internal network should be included in the LAT. The address of the card connected to the perimeter network should never appear in the LAT. So neither the external interface nor the perimeter interface is in the LAT.
In a 3-homed configuration, both the Internet interface and the perimeter network are considered to be external networks. The Web proxy service can route requests from the internal network to the Internet, but routing Internet requests to the perimeter network requires IP routing. You will create packet filters to allow routing of the desired traffic to each server in the perimeter network.

TESTING TOOLS
Although it is not the best tool for detecting open TCP/IP ports on all systems, the netstat command provides a simple way to use the system console to catalog them. Issuing netstat -na from a command prompt lists all client-to-server connections and listening ports. Other netstat parameters can be used to obtain statistics or to see information on a per-protocol (TCP, UDP, ICMP, IP) basis. A simple way to test ports on a remote system is by using the telnet command. (It's also a good way to test your alerts.) The telnet command, when a port number is appended, attempts to start a session with a service. If the service is listening it answers, and once an attacker has identified an open port in this way he can attempt a service-specific attack on your system. To test a port, type the telnet command followed by a host name and then the port number, for example telnet mail.example 25.
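The telnet check described above tells you three different things depending on how the connection attempt ends: the service answers (open), the host refuses (closed), or nothing comes back before the timeout (filtered, which is what a correctly configured packet filter produces). The following is an added example, not part of the training guide, that performs the same check from Python so the result is a value you can act on rather than something read off a screen. It assumes that a connection refusal means closed and a timeout means filtered; the local "service" it starts on 127.0.0.1 is constructed so the example runs offline, and the banner text and host names are illustrative. Like telnet, this is noisy: every probe shows up in the target's logs and may trip an alert, so only probe systems you are authorised to test.

```python
# Added example (not from the guide): the telnet-to-a-port check as a function.
# A constructed local service is started on 127.0.0.1 so the probe can be run
# offline; banner text, host names and ports are illustrative.
import socket
import threading
from typing import Dict, List, Tuple


def start_banner_service(banner: bytes) -> Tuple[int, threading.Event]:
    """Constructed stand-in for a listening service: accepts connections on an
    ephemeral 127.0.0.1 port, sends `banner`, closes. Returns (port, stop_event)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)          # lets the loop notice the stop event
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve() -> None:
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop


def probe(host: str, port: int, timeout: float = 2.0) -> Tuple[str, bytes]:
    """Classify a TCP port the way an interactive telnet session would show it:
    'open' (connected; any banner the service volunteered is returned),
    'closed' (connection refused), 'filtered' (no answer before the timeout,
    the normal result behind a packet filter), or 'unreachable' (other error)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except socket.timeout:
        s.close()
        return "filtered", b""
    except ConnectionRefusedError:
        s.close()
        return "closed", b""
    except OSError:
        s.close()
        return "unreachable", b""
    try:
        try:
            banner = s.recv(512)   # SMTP, FTP and SSH announce themselves
        except socket.timeout:
            banner = b""           # HTTP, for instance, waits for the client to speak
        return "open", banner
    finally:
        s.close()


def probe_ports(host: str, ports: List[int], timeout: float = 2.0) -> Dict[int, Tuple[str, bytes]]:
    """Probe several ports on one host; the result maps port -> (state, banner)."""
    return {p: probe(host, p, timeout) for p in ports}


def unused_local_port() -> int:
    """Pick a port nothing is listening on (constructed for the demo)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    port, stop = start_banner_service(b"220 mail.example ESMTP ready\r\n")
    for p, result in probe_ports("127.0.0.1", [port, unused_local_port()]).items():
        print(p, result)
    stop.set()
```

Run against the external interface of an ISA Server from the outside, the useful result is "filtered" on everything except the ports you deliberately published; a "closed" answer means a packet filter is letting the probe through to the host and the host itself is refusing it, which is worth a look at the filter list.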
Study and Exam Prep Tips
These study and exam prep tips provide you with some general guidelines to help prepare for the exams. The information is organized into two sections. The first section addresses your pre-exam preparation activities and covers general study tips. Following this are some tips and hints for the actual test-taking situation. Before tackling those areas, however, think a little bit about how you learn.
LEARNING AS A PROCESS
To better understand the nature of preparation for the exams, it is important to understand learning as a process. You probably are aware of how you best learn new material. You may find that outlining works best for you, or you may need to “see” things as a visual learner. Whatever your learning style, test preparation takes place over time. Obviously, you cannot start studying for these exams the night before you take them; it is very important to understand that learning is a developmental process. And as part of that process, you need to focus on what you know and what you have yet to learn. Learning takes place when we match new information to old. You have some previous experience with computers, and now you are preparing for these certification exams. Using this book, software, and supplementary materials will not just add incrementally to what you know; as you study, you will actually change the organization of your knowledge as you integrate this new information into your existing knowledge base. This will lead you to a more comprehensive understanding of the tasks and concepts outlined in the objectives and of computing in general. Again, this happens as a repetitive process rather than a singular event. Keep this model of learning in mind as you prepare for the exam, and you will make better decisions concerning what to study and how much more studying you need to do.
STUDY TIPS There are many ways to approach studying, just as there are many different types of material to study. The following tips, however, should work well for the type of material covered on the certification exams.
Study Strategies Although individuals vary in the ways they learn, some basic principles apply to everyone. You should adopt some study strategies that take advantage of these principles. One of these principles is that learning can be broken into various depths. Recognition (of terms, for example) exemplifies a more surface level of learning in which you rely on a prompt of some sort to elicit recall. Comprehension or understanding (of the concepts behind the terms, for example) represents a deeper level of learning. The ability to analyze a concept and apply your understanding of it in a new way represents an even deeper level of learning. Your learning strategy should enable you to know the material at a level or two deeper than mere recognition. This will help you do well on the exams. You will know the material so thoroughly that you can easily handle the recognition-level types of questions used in multiple-choice testing. You also will be able to apply your knowledge to solve new problems.
Macro and Micro Study Strategies One strategy that can lead to this deeper learning includes preparing an outline that covers all the objectives and subobjectives for the particular exam you are working on. You should delve a bit further into the material and include a level or two of detail beyond the stated objectives and subobjectives for the exam. Then expand the outline by coming up with a statement of definition or a summary for each point in the outline.
An outline provides two approaches to studying. First, you can study the outline by focusing on the organization of the material. Work your way through the points and subpoints of your outline with the goal of learning how they relate to one another. Be certain, for example, that you understand how each of the main objective areas is similar to and different from the others. Then do the same thing with the subobjectives; be sure you know which subobjectives pertain to each objective area and how they relate to one another. Next, you can work through the outline, focusing on learning the details. Memorize and understand terms and their definitions, facts, rules and strategies, advantages and disadvantages, and so on. In this pass through the outline, attempt to learn detail rather than the big picture (the organizational information that you worked on in the first pass through the outline). Research has shown that attempting to assimilate both types of information at the same time seems to interfere with the overall learning process. To better perform on the exam, separate your studying into these two approaches.
Active-Study Strategies Develop and exercise an active-study strategy. Write down and define objectives, subobjectives, terms, facts, and definitions. In human information-processing terms, writing forces you to engage in more active encoding of the information. Just reading over it exemplifies more passive processing. Next, determine whether you can apply the information you have learned by attempting to create examples and scenarios on your own. Think about how or where you could apply the concepts you are learning. Again, write down this information to process the facts and concepts in a more active fashion.
Common-Sense Strategies Finally, you also should follow common-sense practices when studying. Study when you are alert, reduce or eliminate distractions, take breaks when you become fatigued, and so on.
Pre-Testing Yourself Pre-testing enables you to assess how well you are learning. One of the most important aspects of learning is what has been called meta-learning. Meta-learning has to do with realizing when you know something well or when you need to study some more. In other words, you recognize how well or how poorly you have learned the material you are studying. For most people, this can be difficult to assess objectively on their own. Practice tests are useful in that they reveal more objectively what you have learned and what you have not learned. You should use this information to guide review and further study. Developmental learning takes place as you cycle through studying, assessing how well you have learned, reviewing, and assessing again until you feel you are ready to take the exam. You may have noticed the practice exams included in this book. Use them as part of the learning process. The ExamGear software on the CD-ROM also provides a variety of ways to test yourself before you take the actual exam. By using the practice exams, you can take an entire timed, practice test quite similar in nature to that of the actual Core Hardware Service Technician or Operating System Technologies exams. The ExamGear Adaptive Exam option can be used to take the same test in an adaptive testing environment. This mode monitors your progress as you are taking the test to offer you more difficult questions as you succeed. By using the Study Mode option, you can set your own time limit, focus only on a particular objective domain (such as Diagnosing and Troubleshooting or Basic Networking) and also receive instant feedback on your answers. You should set a goal for your pre-testing. A reasonable goal would be to score consistently in the 90% range. See Appendix G, “Using the ExamGear, Training Guide Edition Software,” for a more detailed explanation of the test engine.
EXAM PREP TIPS A+ Certification exams start out as standardized, computerized, fixed-form exams that reflect the knowledge domains established by CompTIA. After being in use for some period of time, the questions in the test banks become stable and CompTIA converts their tests to an adaptive delivery mode. An original fixed-form, computerized exam is based on a fixed set of exam questions. The individual questions are presented in random order during a test session. If you take the same exam more than once, you will see the same number of questions, but you won’t necessarily see the exact same questions. This is because two or three final forms are typically assembled for such exams. These are usually labeled Forms A, B, and C. As suggested previously, the final forms of a fixed-form exam are identical in terms of content coverage, number of questions, and allotted time, but the questions differ. You may notice, however, that some of the same questions appear on, or rather are shared among, different final forms. When questions are shared among multiple final forms of an exam, the percentage of sharing is generally small. Many final forms share no questions, but some older exams may have a 10% to 15% duplication of exam questions on the final exam forms. Fixed-form exams also have a fixed time limit in which you must complete the exam. The ExamGear test engine on the CD-ROM that accompanies this book provides fixed-form exams.
Finally, the score you achieve on a fixed-form exam is based on the number of questions you answer correctly. The exam’s passing score is the same for all final forms of a given fixed-form exam. Table 1 shows the formats for the exams.
TABLE 1 TIME AND NUMBER OF QUESTIONS BY EXAM
Exam                               Time Limit in Minutes   Number of Questions
Core Hardware Service Technician   90                      70
Operating System Technologies      90                      70
This may seem like ample time for each question, but remember that many of the scenario questions are lengthy word problems, which can ramble on for paragraphs and/or include several exhibits. Your 90 minutes of exam time can be consumed very quickly. Keep in mind that to pass the Core Hardware Service Technician exam, a score of at least 683 on a scale of 100 to 900 is required. To pass the Operating System Technologies exam, a score of at least 614 on the same scale is required. When CompTIA converts the exams to an adaptive-delivery format (as discussed previously), the number of questions you will be asked will decrease. The adaptive test engine measures your performance as you move through the test and adjusts the difficulty level of the questions you receive. If you answer introductory questions correctly, you will be shifted to more difficult questions until you have achieved enough points to pass the test. Therefore, you should see only between 20 and 25 questions under the adaptive exam, versus the 69/70 questions in the fixed-length tests. The adaptive engine also will end the exam when it detects that you have mathematically been eliminated from passing the test. The main point to remember when preparing for the exam is that the fixed-length and adaptive tests all use the same question pools.
Putting It All Together Given all these different pieces of information, the task now is to assemble a set of tips that will help you successfully tackle the A+ Certification exams.
More Pre-Exam Prep Tips Generic exam-preparation advice is always useful. Tips include the following:
• Become familiar with PCs and the operating systems. Hands-on experience is one of the keys to success. Review the exercises and the Step by Steps in the book.
• Review the current exam-preparation guide on the CompTIA Web site.
• Memorize foundational technical detail, but remember that you need to be able to think your way through questions as well.
• Take any of the available practice tests. We recommend the ones included in this book and the ones you can create using the ExamGear software on the CD-ROM.
• Look on the CompTIA Web site for samples and demonstration items.
During the Exam Session The following generic exam-taking advice that you have heard for years applies when taking an A+ Certification exam:
• Take a deep breath and try to relax when you first sit down for your exam session. It is important to control the pressure you may (naturally) feel when taking exams.
• You will be provided scratch paper. Take a moment to write down any factual information and technical detail that you committed to short-term memory.
• Carefully read all information and instruction screens. These displays have been put together to give you information relevant to the exam you are taking.
• Read the exam questions carefully. Reread each question to identify all relevant detail.
• Tackle the questions in the order they are presented. Skipping around will not build your confidence; the clock is always counting down.
• Do not rush, but also do not linger on difficult questions. The questions vary in degree of difficulty. Don’t let yourself be flustered by a particularly difficult or verbose question.
• Note the time allotted and the number of questions appearing on the exam you are taking. Make a rough calculation of how many minutes you can spend on each question and use this to pace yourself through the exam.
• Take advantage of the fact that you can return to and review skipped or previously answered questions. Record the questions you cannot answer confidently, noting the relative difficulty of each question, on the scratch paper provided. After you have made it to the end of the exam, return to the more difficult questions.
• If session time remains after you have completed all questions (and if you aren’t too fatigued!), review your answers. Pay particular attention to questions that seem to have a lot of detail or that involved graphics.
• As for changing your answers, the general rule of thumb here is don’t! If you read the question carefully and completely and you felt like you knew the right answer, you probably did. Do not second-guess yourself. If, as you check your answers, one clearly stands out as incorrectly marked, of course you should change it. If you are at all unsure, however, go with your first impression.
If you have done your studying and follow the preceding suggestions, you should do well. Good luck!
Practice Exam
This exam consists of 65 questions that reflect the material you have covered in the chapters and that are representative of the types that you should expect to see on the actual exam. The answers to all questions appear in their own section following the exam. It is strongly suggested that when you take this exam, you treat it just as you would the actual exam at the test center. Time yourself, read carefully, and answer all the questions to the best of your ability. Most of the questions do not simply require you to recall facts, but require deduction on your part to come up with the best answer. Most questions require you to identify the best course of action to take in a given situation. Many of the questions are verbose, requiring you to read them carefully and thoroughly before you attempt to answer them. Run through the exam; for questions you miss, review any material associated with them.
EXAM QUESTIONS
1. Your company has a Web-based application available to customers over the Internet. The application provides customers with order status and shipping information, as well as billing and account status data. The application uses TCP port 29214. The application administrator is concerned about the security of the server, and asks you if you can expose a different port over the Internet, and use port redirection. How would you accomplish this?
A. By creating a new Web publishing rule, and redirecting a different port from the ISA Server to the application server’s TCP port 29214.
B. By creating a new Server Publishing rule, and redirecting a different port from the ISA Server to the application server’s port 29214.
C. You must install the Web-based application on the ISA Server to accomplish port redirection.
D. This cannot be done.
2. Your manager has a project for you. Your company has an ISA Server installation, and he would like you to verify that the Bandwidth Rules that have been created are providing acceptable performance. The company’s executives are not using Microsoft NetMeeting as often as you had planned, and the software developers have been complaining that copying files to and from Internet sites they are working on is too slow. Which of the following methods could you use to determine if your bandwidth rules are providing acceptable usage? (Select two answers.)
A. Modify your bandwidth rules to provide less bandwidth to the executives, and see if they start complaining.
B. Print a traffic and utilization report, and compare the appropriate statistics.
C. Run Performance Monitor, and use the ISA Server Bandwidth Control object.
D. Run Performance Monitor, and use the ISA Server Web Proxy Service object.
E. Print a Web usage report.
3. Your company has decided that it would like to host its Web site on an internal Internet Information Server. Your Internet Service Provider is currently hosting the Web site. You have decided to use Microsoft ISA as your firewall. One of the concerns of your CEO is that the extra network traffic on the internal network will cause performance on the network to fall below acceptable thresholds. Which of the following features of Microsoft ISA Server will help to prevent this problem?
A. Reverse caching
B. Forward caching
C. Scheduled caching
D. Distributed caching
E. Hierarchical caching
4. You are preparing to install the first ISA Server for your company, and need to run the Enterprise Initialization Utility. You have also verified that you have all of the appropriate group memberships. Your company’s Active Directory structure consists of a single domain. You have 14 remote offices around the country; each office has at least one domain controller. Each of these offices is connected to your main location by means of a 56K permanent virtual circuit. These circuits run at an average of 85 percent utilization during normal business hours. Your CEO has asked that you get the ISA Servers up and running as soon as possible. When would be the best time to run the Enterprise Initialization Utility?
A. After hours, when the WAN links are not heavily utilized.
B. At any time. It has no effect on the network.
C. Immediately.
D. During the busiest time on the network.
5. Your company has decided to install an ISA Server. Because the organization deals with state government agencies, security is a major concern. The Chief Information Officer of your company has asked that you configure the ISA Server to notify him by email if certain types of intrusions are detected. Prior to configuring the alerts, which of the following procedures must you complete to allow alerts to function?
A. Enable the appropriate ISA Server events.
B. Enable auditing on the server that will be running ISA Server.
C. Enable Intrusion Detection on the ISA Server.
D. Enable Logging on the ISA Server computer.
6. A large financial institution has asked you to assist them in reconfiguring their ISA Server configuration. The firm created three separate ISA Server arrays, and allowed departmental administrators to configure the arrays independently. You have created the Enterprise Policy, and applied it to the existing arrays. What do the department administrators need to do to be sure that the array policies they created are applied?
A. Nothing. The existing array policies are not affected.
B. Enable the existing array policies. When the enterprise policy was applied, the array policies were disabled.
C. Re-create the array policies. When the enterprise policy was applied, the existing array policies were deleted.
D. This cannot be done. You cannot combine enterprise policies and array policies.
7. The sales manager for your company comes to you with a problem. Many of her staff must travel to customer locations with their notebook computers, and she would like to provide them access to the internal network’s shared resources from these remote locations. Which of the following features of ISA will provide the type of access to resolve the sales manager’s problem?
A. Access Policy
B. Application Filters
C. Packet Filtering
D. Server Publishing
E. Virtual Private Networks
8. As the network administrator for your company, you have purchased the new system that will be used for your ISA Server. You have installed Windows 2000 Server with the default options, and verified network connectivity and name resolution. Which of the following are also required to complete the installation of ISA Server?
A. Internet Information Server 5.0
B. Domain Name System service
C. Windows 2000 Service Pack 1
D. Windows Internet Name service
9. Your company has just installed a Windows 2000 Active Directory domain, MYCO.COM. The DNS server to support Active Directory is on the private network. Your company also has an Internet site, WWW.MYCO.COM, that is hosted by an Internet Service Provider. The ISP also handles name resolution for your Internet site. To protect your private network, there is no relationship between your DNS server and the ISP’s DNS server. In addition to the migration to Windows 2000, an ISA Server was installed to provide Internet access to the end users. You have set up five of your users to test your new network, and they inform you that they are unable to access the company’s Web site. Which of the following would you initially check to determine the problem? (Select two answers.)
A. Verify that the private DNS server forwards name requests to the ISP’s DNS server.
B. Verify the IP address of your Web server is manually added to your internal DNS server.
C. Be sure the firewall client is installed on the users’ computers.
D. Verify that you have a protocol rule that allows DNS queries to pass through the ISA Server.
E. Be sure that the ISA Server’s external network interface is configured to use the internal DNS server.
10. You have created a back-to-back perimeter network configuration. You have an ISA Server array named EXTARRAY that is connected to the Internet and the perimeter network. You have an ISA Server array named INTARRAY that is connected to the perimeter network and your private corporate network. What IP address ranges should be in the LAT of EXTARRAY?
A. The address range of the perimeter network.
B. The address range of the perimeter network and the private network.
C. The address range of the private network.
D. The address range of the external network interface IP address.
11. Your company has recently created a Windows 2000 Active Directory root domain, myco.com, with two child domains, corp.myco.com and sales.myco.com. The sales organization has recently created the new domain, and maintains an intranet site at info.sales.myco.com. Since the installation of ISA, you can connect to external Web sites and to your company’s main Web site, but when you attempt to connect to the sales intranet site, you receive the error message, “Can’t find server or DNS error.” You have verified that you can ping the server by its name. Which of the following would be the best place to start troubleshooting this problem?
A. LAT
B. DNS
C. Client software
D. LDT
E. Permissions
12. You would like to create a perimeter network using a 3-homed ISA Server. You plan to have two Web servers on the perimeter network. You need to prevent access to the corporate network from users on the Internet. Which of the following is the correct method of configuring a 3-homed perimeter network?
A. Routing and packet filtering between the Internet and the perimeter network, and server publishing between the perimeter network and the corporate network.
B. Routing and packet filtering between the corporate network and the perimeter network, and server publishing between the perimeter network and the Internet.
C. Routing and packet filtering between the Internet and perimeter network, and between the perimeter network and the corporate network.
D. Server Publishing between the Internet and perimeter network, and between the perimeter network and the corporate network.
13. You have been assigned the task of installing ISA Server for your company. To become familiar with ISA Server, you installed ISA on a test computer that is a member of the workgroup ISAGROUP as a standalone server. You have now created an array that contains two ISA Servers, and would like to promote your test server to be a member of the array. Which of the following steps must you do first to allow you to promote the server?
A. Uninstall ISA Server on the test computer.
B. Reinstall Windows 2000 on the computer.
C. Join the computer to the domain that contains the array.
D. Nothing; you can promote the server as is.
14. Your company has decided to use Microsoft ISA Server as its firewall and Internet access solution. The organization’s corporate office is located in Boston. There are also offices in St. Louis, Tampa, and Phoenix. Each office has a T1 connection to the corporate office. There is also a direct T1 connection from the corporate office to the Internet. You have decided to create an ISA Server array at each of the locations, and want to chain the arrays from each office to the corporate office. Which of the following is the correct method of configuring the remote office arrays to chain to the corporate office array?
A. Select Enterprise under the ISA MMC snap-in. Select Policies | Chaining, and configure the name of the corporate office array.
B. Select Array under the ISA MMC snap-in. Select Cache | Chaining, and configure the name of the corporate office array.
C. Select Array under the ISA MMC snap-in. Select Chaining | Properties and configure the name of the corporate office array.
D. Select Array under the ISA MMC snap-in. Select Network Configuration | Configure Firewall Chaining, and configure the name of the corporate office array.
15. You work at the main office of a software development company. The organization has a main office in Denver, and 14 remote offices around the United States. Each location has a network administrator and network support staff. The company also maintains an intranet site at the main office in Denver. Once each month, the network administrators have a conference call to discuss planning and issues. Each of the network administrators is in charge of their ISA Server installation, and has been asked to print various reports from ISA Server, and email these reports to each of the other administrators. The administrators would like to know if you can come up with a better method of making this information available to all the network administrators, and eliminate the need to email these reports.
A. Create a share on a server in the main office, and have the administrators save their reports to this location.
B. Save all the logs to a single Microsoft SQL database, and have the administrators print the reports they require.
C. Save the reports as Web pages, and publish them to the intranet site.
D. Have the administrators connect to each office’s ISA Server using the MMC snap-in, and print each of the reports locally.
16. The CEO of your company has asked that you create a Virtual Private Network for the Sales staff. The Sales users have all been issued laptop computers; 45 are running Windows 2000 Professional and 20 are running Windows 98. The CEO has specified that he would like to have as much security as possible. How would you configure ISA Server to support the CEO’s request?
A. Use L2TP over IPSec, if available. Otherwise, use PPTP.
B. Use L2TP over IPSec.
C. Use PPTP.
D. Use IPSec.
17. You are the network administrator for a large health care organization. Your organization has seven remote clinics located throughout the state. Your company has purchased a patient management application that runs over the Internet. The remote clinics have between 10 and 15 Microsoft Windows 2000 Professional computers at each location. Which client would you need to have installed on each of these computers for the users to connect to and use this application across the Internet?
A. Web Proxy client.
B. Firewall client.
C. SecureNAT client.
D. The users do not require client software.
18. Your company has entered into a joint venture with another organization. The department managers of both companies will be using Microsoft NetMeeting for videoconferencing purposes during the initial phase of the venture. The conferences are considered critical by the organizations, and management has asked for your assistance in making sure that the network performance of these transmissions is acceptable. Other groups within the two companies will also be using NetMeeting, but these communications are not considered critical. Which of the following is the best method of configuring ISA Server to accomplish this?
A. Create a bandwidth rule for protocols used by NetMeeting, and select the Content Group for NetMeeting.
B. Create a bandwidth rule, select the Destination Sets page, and specify the appropriate Managers groups.
C. Create a bandwidth rule, select the Bandwidth Priority page, and specify the appropriate priority for the Managers groups.
D. Create a bandwidth rule, at the Client Types page specify the appropriate Managers groups.
19. Your company has opened a small remote office of 10 client computers and three servers. You want to create a Virtual Private Network between ISA Servers in your office and the remote office. Your concern is that users in your location will initiate connections to the remote office, and you want to prevent this. How would you configure ISA to prevent users from your location from opening connections to the remote office?
A. On the Two-Way Communications page of the Virtual Private Network Setup wizard, specify the IP address of the remote ISA Server, which can initiate communications.
B. On the Two-Way Communications page of the Virtual Private Network Setup wizard, specify that only the remote VPN can establish communications.
C. On the Two-Way Communications page of the Virtual Private Network Setup wizard, specify the user’s accounts that may initiate the VPN connection.
D. On the Two-Way Communications page of the Virtual Private Network Setup wizard, specify that the administrator can only establish the VPN connection.
20. As the Security Officer for your company, you have the responsibility for configuring the ISA Server for Internet access. You have completed a default installation of ISA Server on a PIII-550 computer that is running Windows 2000 Server as a member server in your domain. You are preparing to run the ISA Server Security Configuration Wizard, but you want to review the settings that will be applied when you select the Limited Services level. Which of the following templates would you view to see the settings that will be applied?
A. Basicsv.inf
B. Basicws.inf
C. Securews.inf
D. Securesv.inf
E. Securedc.inf
F. Hisecws.inf
21. You have been hired by a company to install their ISA Server. You need to provide the Chief Information Officer for the company specifications on the recommended hardware. The CIO has informed you that the company has about 600 users. What is the Microsoft recommended minimum amount of hard drive space to support ISA as a firewall and caching server?
A. 100MB
B. 300MB
C. 400MB
D. 600MB
E. 1000MB
509
22. You have been contracted by a small software development company to provide Internet access to its employees. The owner of the company would also like to have a Web site for its three different software packages. A different department maintains each of the software packages, and the departments will be responsible for their own Web page. Because the Web pages will be hosted on separate IIS servers on the internal network, which client will be required to support this scenario? A. Web proxy client B. SecureNAT client C. Firewall client D. Winsock client 23. You are the network administrator for a large insurance company. Your company has a Windows 2000 Active Directory domain, and maintains its own DNS servers. The company also has an Internet site that it maintains, and uses the internal DNS server for name resolution to Internet users. Because the DNS server maintains internal and external resources, the CEO of the company is concerned that hackers will attempt to gain access to your internal resources by some sort of attack on DNS. Which of the following methods would allow you to determine if an external user is attempting to compromise your DNS server? A. Create an inbound packet filter on the external interface, and block all DNS traffic. B. Place the DNS server on the public side of the ISA Server, and do not use DNS on the internal network. C. Enable the DNS intrusion events on the ISA Server. D. Create an inbound packet filter on the internal interface, and block all DNS traffic.
PRACTICE EXAM
24. You have been hired by a small publishing firm to assist them in deploying ISA Server. The organization has 100 computers on a single IP subnet. The network administrator manually manages the TCP/IP configurations of these computers. The firm will be providing Internet access to the users by means of their new ISA Server, and would like to allow users to access the Internet for HTTP and FTP resources. Which of the following methods would allow you to set up the required Internet access? (Select two answers.)
A. Manually configure the IP address of the ISA Server as the default gateway of each computer.
B. Manually configure the IP address of the ISA Server as the proxy server of each computer’s Web browser.
C. Configure the computers to be DHCP clients, and configure the DHCP scope to provide the ISA Server’s IP address as the default gateway.
D. Configure the computers to be DHCP clients, and configure the DHCP scope to provide the ISA Server’s IP address as the proxy server.
25. The CEO of your company has given you a list of Web sites that the users should be allowed to access. You have created the appropriate site and content rules, and verified that users will not be able to access these Web sites. You have just received a call from the Help Desk manager, indicating that the analysts on the Help Desk are being flooded with calls from users. The users are questioning if there is a problem with Internet access, as there are some sites to which they cannot connect. What can you do to inform the users they have attempted to access a restricted site?
A. In the rule action, select the If HTTP Request, Redirect Request to This Site option. Redirect the users to an internal Web page specifying the company’s access policies.
B. In the rule action, enable the check box to display a warning pop-up message if they attempt to access a restricted site.
C. Do nothing. ISA Server automatically informs users they have attempted to access a restricted site.
D. This cannot be done. Users will only get the default Unable to Connect to Site message.
26. You have found that some users are connecting to an Internet site to play a multiplayer game. You want to be sure that users are unable to play this game from your location. The game uses TCP port 21500. Which of the following options can be used to accomplish this? (Select two answers.)
A. Create Protocol rules allowing only the appropriate protocols, such as HTTP and FTP.
B. Create Protocol rules allowing only the appropriate protocols, such as HTTP and FTP, and create another rule denying access to all other protocols.
C. Create a Protocol rule denying access to port 21500.
D. Create a Protocol rule denying access to port 21500, and another rule allowing access to the appropriate protocols, such as HTTP and FTP.
E. Create a policy using site and content rules, and deny access to any online games.
27. Your company has been using Microsoft Proxy 2.0 running on a Windows NT 4.0 server, and you have just upgraded it to Windows 2000 and Microsoft ISA Server. Your users are running
either Windows NT 4.0 Workstation or Windows 98. You have maintained the hostname and static IP address of the server, and have verified connectivity to the Internet. You are now receiving calls from your internal users that they are no longer able to access external Web sites. Which of the following will resolve the problem? (Select two answers.)
A. You must install a new Web proxy client on each of your PCs.
B. Modify your client browsers to use port 8080 for HTTP requests.
C. Modify the ISA Server properties to use port 80 for client HTTP requests.
D. You have incorrectly configured the Local Address Table.
E. Microsoft ISA Server does not support operating systems prior to Windows 2000.
F. You must install the firewall client on each of the internal computers.
28. The CEO of your company would like to use Microsoft NetMeeting for videoconferencing between your main office and the five remote offices. Which of the following ISA services provides support for video conferencing?
A. ISA Server Control Service
B. Firewall Service
C. Web Proxy Service
D. Scheduled Cache Content Download
E. H.323 Gatekeeper
29. You have created a back-to-back perimeter network. Within the perimeter network, you have one Microsoft Internet Information Server, one Microsoft Exchange 5.5 server, and one Microsoft SQL server. You need to configure the two ISA Servers to allow access from the Internet to the three servers on the perimeter network, but not the corporate network. You will also allow the users on your corporate network to access normal Web and FTP sites on the Internet, as well as resources on the perimeter network. Which of the following steps should be taken to allow the appropriate access? (Choose three answers.)
A. Ensure that the IP addresses of the computers on the private network, and the IP addresses of the perimeter network, are in the LAT of the ISA Server connected to the Internet.
B. Create publishing rules on the ISA Server that is connected to the Internet to make the servers on the perimeter network available to Internet clients.
C. Create a publishing rule on the ISA Server connected to the private network, making resources on the Internet available to internal users.
D. Ensure that the IP addresses of the computers on the perimeter network are in the LAT of the ISA Server that is connected to the Internet.
E. Include only the IP addresses of the computers on the corporate network in the LAT of the ISA Server connected to the private network.
F. Configure a secure channel between the two ISA Servers.
30. You are in the process of testing your new ISA Server installation. The ISA Server has two network adapters: the internal IP address is 192.168.2.200, and the external IP address is 131.107.1.90. The network administrator has requested that you not allow outgoing connections to TCP port 2650. You have configured the port filter to block this port, and now want to
verify that the port filter works as you expect. Which of the following methods is the easiest way to verify that the port filter is working correctly?
A. From a command prompt, type Telnet 192.168.2.200 2650. You should not establish a session.
B. From a command prompt, type Telnet 2650 192.168.2.200. You should not be able to establish a session.
C. Enable packet filter logging on blocked ports, and try to establish a session to the Internet using port 2650. Then view the log to see if it was successful.
D. Enable packet filter logging on allowed ports, and try to establish a session to the Internet using port 2650. Then view the log to see if it was successful.
31. The Information Systems Manager has asked that you prevent access to certain Web sites, and has created a destination set to include the Web sites. You notice that several users are still able to gain access to the Web sites. Which of the following must be done to prevent users from gaining access to these sites?
A. Configure Integrated Windows Authentication.
B. Configure the firewall client on the users’ computers.
C. Configure a site and content rule.
D. Stop and restart the ISA service.
32. You are the Network Manager of a large software development company. Your organization consists of five departments: Corporate, Development, Sales, R&D, and Human Resources. Your Active Directory structure consists of a root domain containing the corporate resources, and a child domain for each of the other four departments. You are preparing to install the first ISA Server for your Enterprise. What group memberships must you have to install the first ISA Server, and run the Enterprise Initialization Utility? (Select all that apply.)
A. Local Administrator on the computer
B. Domain Administrators in the forest root
C. Enterprise Administrators
D. Schema Administrators
E. Domain Administrators in the domain that contains the ISA Server
F. Security Administrators
G. Group Policy Administrators
33. Your manager is concerned that users from the Internet are attempting to gain access to the internal network. He has asked you to provide him with documentation of all network traffic that has been blocked. After enabling packet filtering, what must you do to enable logging for blocked network traffic on the ISA Server?
A. On the Properties tab of the block-mode filter, place a check in the Log Any Packets Matching This Filter box.
B. On the Properties tab of the IP Packet filtering alert, place a check in the LOG ANY PACKETS MATCHING This Filter box.
C. On the Properties tab of Configure Logs, place a check in the IP Packet Filter BlockMode Event box.
D. Do nothing. With packet filtering enabled, blocked packets are logged by default.
34. You are administering an ISA Server array, and want to create a site and content rule to allow users to gain access to a Web site. When you attempt to create this rule, the option to allow access is not available; you can only deny access. What is causing this problem?
A. You must be a member of the Enterprise Admins group to configure this rule.
B. There is already a rule configured to allow access to the Web site.
C. There is an Enterprise policy defined for this array.
D. Array policies are only defined to deny access, not allow access.
35. As the network administrator for your organization, you are in the process of installing ISA Server. You have selected the Integrated installation mode, because you want to have the ISA Server perform forward caching. When the installation program presents you with the interface to specify the initial cache size, there are no drives listed in the drive selection box. What is the cause of this problem?
A. There is insufficient drive space available for caching.
B. There is only one volume on the hard drive. The cache must be on a separate volume from the operating system.
C. There are no NTFS volumes on the system.
D. Caching is not available in Integrated mode.
36. Your company has established a joint venture with another company, and some of your employees will be working at the partner company’s location. These users will need to connect to your company’s intranet site from the remote location. The partner company uses a third-party
proxy server product. Which authentication method should you use to provide secure access to your intranet from the partner company’s location?
A. Basic Authentication
B. Digest Authentication
C. Integrated Windows Authentication
D. Client Certificate Authentication
37. Your company has a secure intranet site that you would like to make available over the public Internet. The Web server runs Microsoft Internet Information Server v5, and is accessible on the private network. The Web server is configured to use Integrated Windows Authentication. When users access the Web server on the private network, they authenticate normally by entering their ID and password. When users attempt to access the server from across the Internet, they are forced to enter their ID and password twice. Which of the following explains why this is happening?
A. This is normal Windows NT Challenge/Response authentication behavior.
B. Because the ISA Server and the IIS server are using two different authentication methods.
C. The ISA Server must always authenticate a user to a Windows domain before passing the request to the Web server.
D. Because the ISA listener is configured to require authentication. This authentication is in addition to any authentication performed by the Web server.
38. You have been asked by the network administrator for some assistance. The administrator would like to determine if the current ISA Server configuration and hardware is providing acceptable
performance for servicing user requests to Web pages on the Internet. You would like to verify that the company’s connection to the Internet is utilized as efficiently as possible. Which of the following Performance Monitor objects would you select to evaluate this information?
A. ISA Server Bandwidth Control
B. ISA Server Cache
C. ISA Server Firewall Service
D. ISA Server Packet Filter
E. ISA Server Web Proxy Service
39. Your company has recently created its public Web site, and has also configured a DNS server to handle name resolution for Internet clients. Because the DNS server has a network interface for both the Internet and the internal network, you have decided to install ISA Server on the computer running DNS. You need to configure a packet filter to allow the DNS service to continue to respond to DNS queries from the Internet. Which of the following port numbers should you allow access to from the Internet? (Select two answers.)
A. TCP port 25
B. UDP port 35
C. UDP port 25
D. TCP port 53
E. TCP port 35
F. UDP port 53
40. As the network administrator for an insurance company, you need to provide access to an Internet-based, Winsock-based application for three of your users. You also would like to provide access to Web sites for all your users. Which of the following will allow access to the Winsock-based application to only the three users that require it?
A. Configure all the clients as Web proxy clients.
B. Configure all the clients as SecureNAT clients.
C. Configure all the clients as firewall clients.
D. Configure all the clients as Web proxy clients, and for the users requiring access to the Winsock application, install the firewall client.
E. Configure all the clients as Web proxy clients, and for the users requiring access to the Winsock application, install the SecureNAT client.
41. The manager of a real-estate office calls you with a problem. The local telephone company has installed a DSL line into the office to provide Internet access to the agents. The office has a Windows 2000 Server that they use for file and print sharing. The manager tells you that one of her agents has the responsibility of creating and managing their Web page. Her problem is that several of the other agents are using this Internet connection to download pictures, MP3 files, and other unnecessary files. She would like to permit only the one agent the capability to FTP files to and from the Internet, and all other users the capability to only use the connection for Web browsing. Which of the following methods would you use to provide this security to this company?
A. Web proxy client
B. SecureNAT client
C. Firewall client
D. Winsock proxy client
42. The network administrator of the company that you work for has asked you to handle the configuration of the end-user computers for him. He informs you that the company has installed and
configured a new ISA Server, and he asks you to configure all of the end-user computers to be Web proxy clients. The company has 200 Windows 98 computers, 10 Windows NT 4.0 computers, and 75 Windows 2000 Professional computers. You have also installed Microsoft Internet Explorer 5.0 on all computers. How would you configure each of the computers to be Web proxy clients?
A. Open the TCP/IP properties, and set the Default Gateway to the IP address of the ISA Server.
B. Open the Properties page of Internet Explorer, place a check mark in the Use a Proxy Server box, and specify the IP address and port numbers for the ISA Server.
C. From each computer, connect to the \MSPClnt share of the ISA Server, and run Setup.exe.
D. At each of your routers, create a static route of 0.0.0.0, and set the gateway address of the route to the IP address of the ISA Server.
43. The Information Systems manager of your company has requested that you assist her with a project. Your company has a mail server that is used for internal email only. She would like to make the mail server accessible over the Internet, so users can access their mailboxes from other locations, and customers can send email directly to your employees. She requires that the mail server be secure, as it also is used for file and print services. She would also like to have content filtering applied to all incoming email. What is the simplest method of making this server available?
A. Publish the server using the Mail Server Security Wizard. The default options are SSL authentication and the application of content filters on incoming email.
B. Publish the server using the Mail Server Security Wizard. Select the option to use SSL authentication and the application of content filters on incoming email.
C. Publish the server using the Mail Server Security Wizard. Configure the ISA Server to use IPSec to connect to the mail server, and create a content filter rule for incoming email.
D. Publish the server using the Mail Server Security Wizard. Configure the ISA Server to use IPSec for client connections over the Internet, which will secure communications. Create a content filter rule for incoming email.
44. You have been hired to assist a small manufacturing company provide Internet access to its employees. The company has 45 computers running Windows 98 and 20 computers running Windows 2000 Professional. The company also has four Windows 2000 Server computers: one is a domain controller only, and one is a domain controller that also hosts the users’ home directories. Another server runs Exchange 2000, and the fourth server hosts the company’s Web site. You have decided to install ISA Server on the Web server. Which of the following Security Levels should you select for this scenario?
A. Secure
B. Limited Services
C. Dedicated
D. Integrated
45. As the network administrator for a small computer consulting firm, several of the employees are requesting access to the internal network from customer locations. You have decided to use ISA Server’s Virtual Private Networking feature to accomplish this. The consultants in your
company have laptop computers, some running Windows 2000 Professional, some running Windows 98. Which of the VPN protocol selections would you choose to provide the most secure method for your remote users to connect to your internal network?
A. Use L2TP over IPSec, if available; otherwise use PPTP.
B. Use L2TP over IPSec.
C. Use PPTP.
D. Use IPSec.
46. You are a member of a team that has been assigned the role of installing and configuring your company’s ISA Server deployment. Your team has been asked to present a demonstration of some of ISA Server’s capabilities to the executives. You have been asked to print some of the reports available in ISA Server. After installing ISA Server with the default options, you attempt to create some reports, but are unable to do so. What is most likely the cause of this problem?
A. There are no log files available for the reports you are trying to print.
B. The default installation of ISA Server does not include a reporting module.
C. You must be a member of the ISAadmin group to print reports.
D. You have installed ISA Server as a standalone server. Only arrays provide the option of printing reports.
47. You work for a software-development company. The company has a public Web site, as well as a secure Web site for existing customers. Both the public and secure sites use the default TCP port numbers. Your company also has a secure site for employees only. To protect the employees-only site, the Web administrator has changed the port number used to connect to the site to 27443. All three Web sites are published to the ISA Server. Employees at remote locations are unable to connect to the employees-only site. What must be done to correct this problem?
A. You must change the employees’ site back to the default TCP port for HTTPS.
B. On the Web Publishing Rules Properties page, set the Use This Port For Redirecting HTTP Requests box to 27443.
C. On the Web Publishing Rules Properties page, set the Use This Port For Redirecting SSL Requests box to 27443.
D. On the Web Publishing Rules Properties page, set the Use This Port For Redirecting FTP Requests box to 27443.
48. As the network administrator for a large company, you have been assigned the task of creating the ISA Server structure. Your company has 8,000 users, who are roughly divided equally across the domain root and three child domains. All the users work at your company’s office complex, in which all the buildings are connected via T1 lines in a single site. After doing your performance evaluation, you determine that you will create an array of four ISA Server computers to support all of the users. Which of the following guidelines should you follow to correctly create the ISA Server array? (Select two answers.)
A. Have one of the ISA Servers in each of the domains.
B. All members of the array are required to be members of the forest root domain.
C. All members of the array are required to be members of the same domain.
D. Use the installation mode for a particular member that most closely applies to the users for a particular domain.
E. Use the same installation mode for all members of the array.
F. You can only install array members using Integrated mode.
49. As the security administrator for your company, you want to ensure that the ISA Server never responds to any outside connection attempts that use the telnet protocol. You have installed the telnet service on the ISA Server so you can do remote administration from inside the network. For which port number should you create an IP packet filter to prevent an outside user from using telnet to connect to your ISA Server?
A. TCP 25
B. TCP 23
C. UDP 23
D. UDP 25
E. TCP 32
50. The Human Resources manager of your company needs your help. The users in her department need access to an application across the Internet. All the users have Microsoft Internet Explorer 5.0. You have already created the permissions for the appropriate groups, and allowed access to the protocols required by the application. You have notified the HR manager that all that is left to do is to deploy the firewall client. Which of the following could be used to deploy the firewall client software to the HR department’s users? (Select two answers.)
A. Have the users connect to the ISA Server’s \MSPCLNT share, and run setup.exe.
B. Have the users connect to the ISA Server’s \PRXYCLNT share and run setup.exe.
C. Have the users open the URL to a Web server to which you have copied the default.htm and
setup.bat files from the ISA Server’s \WEBINST folder, and select the link “ISA CLIENT SOFTWARE.”
D. Create an installation disk set, and have the HR manager install the software manually.
E. Have the users open the URL to a Web server to which you have copied the default.htm and setup.bat files from the ISA Server’s \WEBINST folder, save the file setup.bat to their hard drive, and run it from the saved location.
51. You have been hired by a firm to assist them with the installation and configuration of ISA Server. The firm is a contractor with the Department of Defense, and must provide information to the DoD for auditing purposes. To ensure that the correct information is available in the Security reports, which of the following logs and summaries must be available to print the reports? (Select three answers.)
A. Web Proxy logs
B. Firewall Service logs
C. Application Filter logs
D. SecureNAT logs
E. Bandwidth logs
F. Site and Content logs
G. Packet Filter logs
52. Your company created a private Web site for its customers to obtain billing and shipping information. You are using an ISA Server as the firewall from the Internet. Because sensitive information is to be passed back to the customer, you would like to secure communications between the Internet client and your ISA Server. Which of the features of ISA Server provides this function?
A. IPSec
B. L2TP
C. SSL Bridging
D. SSL
53. Your company has recently upgraded its network to a Windows 2000 domain, RIPCO.COM. The organization has maintained a public Web site for several months, and your Internet Service Provider (ISP) hosts this site. You have just installed an ISA Server, and configured the Web browsers on your users’ computers with the IP address of the ISA Server, and the correct port number for HTTP. Users can connect to Web sites with no problems. You have also recently created an intranet site that hosts an application that your employees use for billing and Human Resources purposes. You now find that users cannot connect to the intranet site. What would be the simplest method for resolving this problem?
A. Install the firewall client on each computer.
B. Configure the ISA Server to ignore these requests.
C. Publish the intranet server in the ISA Server.
D. Configure the client computer browsers to Bypass Proxy Server for Local Addresses.
54. The CEO of your company wants to use Microsoft NetMeeting to conference with executives of other companies. You have created the H.323 Gatekeeper and H.323 filter to allow incoming calls. You must also create a record in DNS so the address of the CEO’s computer can be found. How should the DNS record be configured so users can contact the CEO via NetMeeting?
A. An A record for the CEO’s computer IP address.
B. A PTR record for the CEO’s computer IP address.
C. An SRV record for the Q931 service at the H.323 Gatekeeper’s IP address.
D. An SRV record for the H323 service at the H.323 Gatekeeper’s IP address.
E. An MX record for the email server. The email server will locate the user.
55. You have just installed Microsoft ISA Server for your organization. Other members of the Information Systems department, including yourself, test the ISA Server from your computers, which are on the same subnet as the ISA Server, and connect to external Web sites with no problem. When you attempt to connect to the Internet from other users’ computers on different subnets, you are unable to connect to the Internet. Where would you begin troubleshooting your ISA installation?
A. Be sure that users have permissions to communicate with the ISA Server.
B. The Local Address Table.
C. The ISA Server’s internal routing table.
D. The ISA Server’s host name and IP address.
56. You completed a default installation of ISA Server. You have determined that you would like to apply the Limited Services security level to the server. When you run the ISA Server Security Configuration Wizard, and select the Limited Services option, you receive an error message that the process failed. Which of the following is the reason this is occurring?
A. You do not have ISA Admin permissions.
B. You have installed ISA on a domain controller.
C. You must stop the ISA Server service to change the security level.
D. The template files are not in the systemroot\security\templates folder.
57. You created a secure intranet Web site for your employees. They will be managing their timesheets, tracking vacation days, and viewing information about your company’s projects. You have secured this Web site by using Integrated Windows Authentication. One of your employees calls, indicating that he cannot connect to the Web site from your internal network. Which of the following is a reason why this user cannot connect to the intranet site?
A. He is using Internet Explorer 3.0.
B. His password to the intranet site is different from his domain password.
C. He is on a computer running Windows 98.
D. He is using the Netscape Web browser.
58. The CEO of your firm is concerned about viruses attached to email messages infecting your system. He is especially concerned about VBScript attachments. He has asked you if there is any way to prevent these types of files from entering the network via email. How would you go about preventing Visual Basic script attachments from getting to your email server using ISA Server?
A. Create a protocol filter denying access to TCP port 25.
B. Create a site and content rule, and deny .vbs file types.
C. Configure the SMTP filter under Application Filters, and select the option to Disallow an SMTP command.
D. Configure the SMTP filter under Application Filters. On the Attachments tab, add the Mail
Attachment Rule, and select Attachment Extension.
E. Configure the SMTP filter under Application Filters. On the Attachments tab, add the Mail Attachment Rule, and select Attachment Name.
59. The Information Systems Manager of your company has asked you to be part of the Network Capacity team. The responsibility of this team is to monitor activity on the company’s network, and to make recommendations to improve performance. You have been asked to monitor and report on Internet activity. The team leader has asked that you give her a report showing which members of the company utilize the Internet the most, and which Web browsers they are using. Which of the following ISA reports would you print to provide this information to the team lead?
A. Summary Reports
B. Web Usage Reports
C. Application Usage Reports
D. Traffic and Utilization Reports
E. Security Reports
60. The network administrator has asked for your assistance with a problem. Several of the users on the network are downloading MP3 files from the Internet and storing them in their home directories on one of the servers. She would like to prevent users from downloading MP3 files from the Internet. Which of the following is the correct method for preventing users from downloading MP3 files?
A. Create a Destination set for .mp3.* and deny access to all users.
B. Create a Protocol definition for mp3, and deny access to all users.
C. Create a Content group for mp3, and deny access to all users.
D. Use the predefined Audio Content Type, and deny access to all users.
61. You have been hired by a large software-publishing company to assist them with the installation and configuration of their ISA Servers. The company has an array of three ISA Servers at their main office. Each of the company’s five remote offices also has an ISA Server. All the remote offices are connected to the main office by means of a Frame Relay Private Virtual Circuit. The IS manager would like to log information from all of the organization’s ISA Servers to a single location. Which of the following formats would you select in this situation?
A. W3C format
B. ISA format
C. ODBC format
D. CSV format
62. Your organization has decided to implement Microsoft ISA Server to provide Internet access for its users, and to protect its internal resources from intrusion from the Internet. The company has approximately 1,500 users. Which of the following are the recommended hardware requirements for this configuration?
A. Pentium II 300MHz with 128MB RAM.
B. Pentium II 300MHz with 256MB RAM.
C. Pentium III 55MHz with 128MB RAM.
D. Pentium III 550MHz with 256MB RAM.
63. The network administrator of a small manufacturing company has asked you to assist him in providing Internet access to the 50 users in his company. The organization has 40 Windows 98 computers, and 10 Windows NT 4.0 Workstation computers. The company has three Windows NT 4.0 server computers, two acting as file and print servers, and one acting as a domain controller. The administrator would like to provide access only for Web browsing. How would you configure the users’ computers to meet these requirements?
A. Web proxy clients
B. SecureNAT clients
C. Firewall clients
D. Winsock proxy clients
64. You have been hired to consult for a large manufacturing company on its ISA Server implementation. The organization has 6,000 computers running a variety of operating systems. The project lead for the company informs you that they will be required to use the firewall client, as they need to provide Internet access based on user identification. He asks you to provide him with a list of operating systems on which the firewall client can be installed. Which of the following operating systems support the firewall client? (Select all that apply.)
A. Windows Millennium Edition
B. Windows for Workgroups 3.11
C. Windows 95
D. Windows 95 OSR2
E. Windows 98
F. Windows 98 Second Edition
G. Windows NT 3.51
H. Windows NT 4.0
I. Windows 2000
65. You have agreed to act as a security consultant for a small publishing company. The company wants to provide Internet access to their internal users. They have a Windows 2000 native mode domain, email that is hosted by their Internet Service Provider, and three Windows 2000 member servers. The organization consists of 10 PCs running Windows 2000 Professional, and 16 PCs running Windows 98. The president of the company wants to determine if she should purchase the Enterprise Edition or Standard Edition of Microsoft ISA Server. Which of the following features are available in the Enterprise edition, and not available in the Standard edition? (Choose three answers.)
A. Hierarchical caching
B. Enterprise Policy
C. Bandwidth control
D. Packet filtering
E. Active Directory Integration
F. Distributed caching
G. Server publishing
ANSWERS TO EXAM QUESTIONS

1. B. No, this cannot be done. Unlike Web publishing, you cannot use a different port for the ISA Server to connect to a published server.

2. B, C. With the Web proxy service logs and firewall service logs available, you would be able to print traffic and utilization reports to determine areas where bandwidth is over- or under-utilized. You could also create a Performance Monitor log, using the ISA Server Bandwidth Control object,
and capture the appropriate counters to view this information. With this information, you can make appropriate modifications to Bandwidth Rules.

3. A. Reverse caching assists in minimizing network traffic on the internal network. Once the ISA Server has cached the Web page from your internal Web server, it will provide this content to subsequent external requests from its cache, without generating any traffic on the internal network. Forward caching refers to internal clients obtaining content from the external network, the Internet.

4. A. Because the Enterprise Initialization Utility makes modifications to the Schema, you will want to run this utility only when network performance will be least affected. The utility contacts the domain controller that holds the Schema Master role and makes the modifications. These modifications must then be replicated out to all domain controllers in the forest.

5. A. Events must be enabled on the ISA Server to allow alerts to function. To enable Events, expand the server or array name, and then expand Monitoring Configuration. Open the Alerts folder, and double-click the alert you want to use. Placing a check mark in the Enable box activates the alert.

6. C. The array policies would need to be redefined. When an enterprise policy is applied to an existing array, the array policies are deleted.

7. E. An ISA Server in firewall mode can be configured to use Virtual Private Networking. The sales staff at remote locations can then securely connect to the internal network and access resources as if they were in the office.

8. C. Windows 2000 Service Pack 1 is also required to install ISA Server. Because you
installed Windows 2000 with the default options, Internet Information Server is already installed. DNS and WINS are not required on the computer running ISA Server.

9. B, D. Because the internal and ISP’s DNS servers are authoritative for the DNS namespace of MYCO.COM, you will need to manually update the internal DNS server with the IP address of the company’s Web server. You should also verify that DNS queries are allowed to pass through the ISA Server to the Internet for name resolution of external domain names.

10. A. Because EXTARRAY is connected to the Internet and the perimeter network, the only address range that should be in its Local Address Table is the perimeter network address range. The array that is connected to the perimeter network and the private network will have the private network ranges in its Local Address Table.

11. D. Because the hostname can be resolved via ping, but not via the ISA Server, the Local Domain Table would be the place to start. Because the site you are trying to connect to is internal only, it must be resolved by your internal DNS. If the ISA Server does not have the domain name in the Local Domain Table, it will attempt to resolve the name via external DNS.

12. B. By enabling routing and packet filtering between the corporate network interface and the perimeter network resources, you are allowing your users direct access to the resources. Publishing servers to the Internet through the ISA Server will prevent external users from directly connecting to the servers, and protect the internal structure of the servers from Internet users.

13. C. You would first need to join the computer to the domain that contains the array. You would
then be able to promote the standalone server to a member of the array.

14. D. To configure an array to chain up to another array, open the ISA MMC snap-in. Under the Array option, select Network Configuration. You will then have an option to Configure Firewall Chaining. From this interface, you can specify the array to which requests are forwarded.

15. C. A feature of ISA Server is the capability to save reports as Web (HTML) pages. The administrators would then have the capability to publish their reports to the intranet server, where they can easily view them in a Web browser. Assuming the intranet server is also connected to the Internet, the administrators would be able to view this information from any location.

16. A. Use L2TP over IPSec, if available; otherwise use PPTP. Because some of the computers are not using Windows 2000, you will still be required to support PPTP. The Windows 2000 computers will negotiate the use of L2TP with the VPN server, which will provide you with the highest level of security. You would be able to modify this setting to Use L2TP over IPSec, and eliminate the need for PPTP, after all the remote computers have been upgraded to Windows 2000.

17. B. The computers at the remote clinics will require the firewall client to access this application. You may be required to do some additional configuration to allow access to the application, depending on the port that is being used. The Web proxy client and SecureNAT client will only allow access to the HTTP and FTP protocols.

18. D. Based on the information in the question, D is the correct option. Because you are required to set priorities for specific groups, you use the Client Types page, where you can specify Any user, group, or computer, or specific users and groups,
or specific computers. Destination sets allow you to specify certain network addresses, or all network addresses. Content Groups are used to specify types of content by file extension.

19. B. When establishing a VPN, on the Two-Way Communications page of the VPN Setup Wizard, you can specify that both the local and remote networks, just the local network, or just the remote network can initiate a connection.

20. C. When the Security Level of Limit Services is selected on an ISA Server installed on a member server, the Securews.inf template is used. Securedc.inf is used if the ISA Server is installed on a Windows 2000 domain controller.

21. C. 400 megabytes would be the recommended cache size for this organization. Microsoft recommends 100MB, plus 0.5MB for each Web proxy client.

22. B. The SecureNAT client provides support for publishing Web servers on your private network to the Internet. The Web proxy service is only used for Internet access from your internal clients. The Firewall Service prevents access to your internal network from the Internet. The Winsock client allows clients on your local network access to socket-based applications on the Internet.

23. C. Enabling the DNS intrusion event on the DNS server is the best answer here. This will notify you if a user from the Internet attempts a DNS attack. A common method for hackers to gain access to resources on your internal network is to perform a zone transfer from your DNS server. This will provide the hacker with a list of computer names and IP addresses. DNS intrusion detection will look for these types of attacks. Packet filtering on the internal or external interface and dropping all DNS requests would not work in this case, because your DNS server must resolve
your Internet-exposed resources; Internet users must be able to query your DNS server to determine the IP address of your Web server. If no DNS traffic were allowed in, users would not be able to connect to your Web server by its host name.

24. A, D. You have two possible options. Because both HTTP and FTP access is required, you need to configure the end-user computers to be SecureNAT clients, which is accomplished by making the ISA Server the gateway to the Internet. This can be done manually, by adding the ISA Server’s IP address as the default gateway, or by making the computers DHCP clients and providing the default gateway as part of the DHCP options. By making the ISA Server the proxy server, the users would not be able to access FTP sites, only HTTP.

25. A. You can redirect users that have attempted to access a restricted site to a Web page. You can then create a Web page to inform users of their actions.

26. A, C. The most common method of providing standard Internet access to users is to create Protocol rules allowing only specific protocols. All other protocols will be denied. If your rules allow all protocols, you could also create an explicit denial of specific protocols. You would not have to do both. Because multiplayer games are socket-based, and the ports used to play the games are specified by the developer, there are no specific ports for games content.

27. B, C. Microsoft Proxy 2.0 supports Web requests to port 80, while Microsoft ISA Server supports these requests on port 8080. You will either need to modify each of the client browsers to send HTTP requests to port 8080, or modify the ISA Server configuration to use port 80 for HTTP requests.
28. E. The H.323 Gatekeeper Service provides support for videoconferencing over the Internet.

29. A, B, E. The ISA Server that is connected to the Internet should have its Local Address Table include both the IP address ranges from the perimeter network and the corporate network. The ISA Server that is connected to the internal network should have a Local Address Table that contains only the IP address ranges from the corporate network. You should then create the appropriate publishing rules on the ISA Server that is connected to the Internet for the servers on the perimeter network.

30. A. The simplest method to verify whether a packet filter is functioning properly is to try to establish a telnet session to the port on the ISA Server. The correct syntax for telnet is “Telnet ip_address port_number”. In this case, if telnet was able to create a session on the ISA Server’s port 2650, the packet filter is not configured correctly.

31. C. Configure a site and content rule. Creating a destination set only groups the Web sites for use with a site and content rule.
32. A, C, D. To run the Enterprise Initialization Utility, you need to be an administrator on the local computer. You must also be a member of the Enterprise Administrator group and the Schema Administrator group. Because the EIU makes modifications to the Schema, you are required to be a member of these groups to perform the schema modifications.

33. D. When packet filtering is enabled, all blocked packets are logged by default. No additional configuration is required. If you want to enable logging of allowed packets, you would need to enable logging on the IP Packet Filters properties tab.
34. C. If an Enterprise policy is applied to an array, you will only be able to create site and content rules that deny access to Web sites. You would have to create this rule in the Enterprise policy, or remove the Enterprise policy from the array to create this site and content rule.

35. C. Caching can only be directed to an NTFS volume. While caching may be directed to a different volume or physical hard disk, it is not required.

36. B. Digest Authentication is the correct choice. By creating a hash of the user’s password, the user ID and password remain secure. Basic authentication does not protect a user’s password, and Integrated Windows authentication uses Kerberos v5 to authenticate users. Because the partner company is using a third-party proxy, Digest Authentication will secure the password but not require Microsoft-specific authentication.

37. D. When a listener is configured to request authentication, this is in addition to any other authentication required by the resource. To avoid this, configure the listener not to require authentication.

38. B. Monitor the ISA Server cache. One of the most effective ways of utilizing your Internet connection is to serve Web requests from the ISA Server’s cache. As users on your network request Web pages, the ISA Server will check its cache, and return the Web objects from the cache without having to use its Internet connection. The more objects returned from the cache, the more bandwidth is available for other users. The ISA Server Cache object provides counters that will allow you to determine the rate at which objects are retrieved from cache, and when they must be retrieved from the Internet.
39. D, F. The DNS service uses TCP and UDP port 53. You would need to configure a packet filter that allows incoming packets to those two ports to allow the DNS service to respond to DNS queries from the Internet.

40. D. Configure all your clients as Web proxy clients, which will allow all users access to Web pages on the Internet. You then need to install and configure the firewall client for the three users requiring access to the Winsock-based application. This will provide access to the application only for the appropriate users based on their user IDs.

41. C. Using the firewall client would be the best option here. This allows the appropriate Internet access to the appropriate users based on their user ID. The Web proxy client and SecureNAT client provide the same access to all users. The firewall client is the only one of these options that provides Web and FTP access based on the authenticated user.

42. B. To configure client computers to be Web proxy clients, you would need to configure the browser, in this case Microsoft Internet Explorer, to use the ISA Server IP address. This will only pass HTTP requests to the ISA Server. Configuring the ISA Server address as the computers’ default gateway creates SecureNAT clients, which will pass both HTTP and FTP requests to the ISA Server. Connecting to the ISA Server’s \MSPClnt share and running Setup.exe will install the firewall client. The last option would be used if you were configuring your computers to be SecureNAT clients in a routed network.

43. B. Once you have started the Mail Server Security Wizard, you will have the option of SSL authentication and content filtering. The default settings are Basic Authentication, with no content filters on incoming email.
44. A. When installing ISA Server on a computer that performs other functions, such as a Web server, Microsoft recommends using the Secure level. Limited Services is suggested for running ISA Server as a combined firewall and cache server. Dedicated is used when the server functions only as a dedicated firewall. Integrated is not an option as a Security Level.

45. A. Use L2TP over IPSec; otherwise use PPTP. Because Windows 98 clients do not support L2TP, your VPN server will still need to support PPTP. The VPN server will attempt to negotiate L2TP first. If the remote client is unable to use L2TP, then PPTP will be used.

46. A. ISA Server requires logs and log summaries to print reports. You must configure ISA Server to create the required logs and summaries, and there must be at least one daily entry in the summary to create a report. ISA Server creates summaries daily at 12:30 A.M.

47. C. Because employees connecting to the site will be going through the ISA Server, you need to inform the ISA Server what port to redirect requests to. Secure Web sites use SSL, so you need to change the SSL request box for the employees-only Web server to 27443.

48. C, E. All the array members must be in the same Windows 2000 domain. It is not required that it be the forest root domain, just that the computers are members of the same domain. Array members must also use the same installation mode: Firewall mode, Cache mode, or Integrated mode. The arrays can be created using any of these modes, but all array members must use the same mode.

49. B. Telnet uses TCP port 23. You would need to configure an IP packet filter to block packets from an external source to TCP port 23.
50. A, C. There are two methods to install the firewall client software. Users can connect to the \MSPCLNT share on the ISA Server and run the setup utility. Users could also connect to a Web server to which you have copied default.htm and setup.bat from the \WEBINST folder on the ISA Server. The user can then select the link “ISA CLIENT SOFTWARE.” The option to save setup.bat to the user’s local hard drive is only necessary when the users are running the Netscape Web browser.

51. A, B, G. When configuring logging, the three types of logs that are available are Packet filter logs, Firewall Service logs, and Web Proxy logs. Security reports require that all three of these logs and their summaries are available to print reports.

52. C. SSL bridging would be required for this scenario. Secure Sockets Layer provides a secure transport between an Internet client and a Web server. Because security is not required between the ISA Server and the Web server, setting up an SSL bridge is the best solution.

53. D. Configuring the client computers to bypass the ISA Server for local addresses would be the simplest method of resolving this issue. Because the users are connecting to the intranet server via a Web browser to use this application, the browser will pass all requests it initiates to the ISA Server. By placing a check in the browser properties’ Bypass Proxy Server for Local Addresses, the clients will connect directly to the server and not require any additional configuration.

54. C. A DNS service location record for the Q931 service must be placed in the DNS server zone. This will allow name resolution over the Internet for users to locate the H.323 Gatekeeper for your organization.
55. B. Users on the local subnet being able to access the Internet while users on remote subnets cannot usually points to a problem with the ISA Server’s Local Address Table. Because the ISA Server uses the LAT to determine who is on the internal network and who is on the external network, an incorrectly configured LAT can cause this type of problem.

56. D. The template files must be located in the systemroot\security\templates folder for the Security Configuration Wizard to apply the setting. If they are missing, they can be copied from the Windows 2000 Server CD.

57. D. Of the four possible problems, D is the likely choice here. Integrated Windows authentication uses Kerberos v5 to authenticate a user to Active Directory, so the password to the Web site and Active Directory would be the same. Integrated Windows authentication also requires Microsoft Internet Explorer 2.0 or later, on any platform.

58. D. To prevent a specific type of email attachment from passing through the ISA Server, select Application Filters; in the details pane, right-click SMTP Filter, and click Properties. On the Attachments tab, click Add. In the Mail Attachment Rule dialog box, select Enable Attachment Rule, then select Attachment Extension, and type the file extension that you want to block.

59. B. The Web Usage Reports include a set of reports that display top Web users, common responses, and Web browsers. This would be the best selection for this question, as it shows usage by user.

60. D. The predefined Audio Content Type can be used to deny access to all audio file types,
including MP3. ISA Server includes Content Type groups for most of the common file types, and it would not be necessary to create a new group.

61. B. Using the ODBC format option for logging, you would be able to direct logging information from all of the ISA Servers in the organization to a single database, such as a Microsoft SQL Server database. By default, the W3C and ISA formats store the log information in the ISAlogs folder, under the ISA installation folder.

62. D. Microsoft’s recommendation for forward caching to support between 250 and 2,000 users is a Pentium III 550MHz with 256MB RAM. A firewall recommendation is based on throughput, and is dependent on the connection to the Internet.
63. A. Because the organization only requires access to Web browsing, you would configure the client computers as Web proxy clients. The users would then have access only to Web browsing, and no other functions. The SecureNAT client provides access to both HTTP and FTP. The firewall client provides access on a per-user basis to any configured TCP or UDP port. The Winsock proxy client provides access to sockets-based applications that reside on the Internet.

64. A, D, E, F, H, I. The firewall client can only be used on the following operating systems: Windows Millennium Edition, Windows 95 OSR2, Windows 98, Windows NT 4.0, and Windows 2000. Microsoft ISA Server will support other operating systems as Web proxy clients or SecureNAT clients; only the above operating systems can use the firewall client.

65. B, E, F. Enterprise Policy, Active Directory Integration, and Distributed Caching are available only in the Enterprise Edition.
PART VII
APPENDIXES

A Microsoft Proxy Server 2.0 Configuration Backup
B ISA Setup Log
C ISA Upgrade Log
D Glossary
E Overview of the Certification Process
F What’s on the CD-ROM
G Using the ExamGear, Training Guide Edition Software
APPENDIX A
Microsoft Proxy Server 2.0 Configuration Backup

This appendix consists of a copy of the Microsoft Proxy 2.0 configuration backup.

MSP20010102.MPC
[@MSP_MSP configuration]
CompletionStatus=1
Version=7
ConfigStamp=070000007B25513A7B25513ADD101600
CreationTime=Tue Jan 02 01:10:40 200 (GMT)
AdminMachine=ABC1
AdminName=ABC1\Administrator
ServerName=ABC1
PID=66696-335-3353356-92414
DomainFilterType=1
PacketFilterEnabled=15
MailServer=fredf
SMTPPort=25
[email protected]
[email protected]
[@MSP_WSP]
Authentication=1
ServerComment=
[@MSP_W3Proxy]
EnableAccessControl=1
ServerComment=
EnableDiskCache=7
FtpTTLSecs=86400
UrlDataVersion=256
HttpViaHeaderAlias=ABC1
[@MSP_Socks]
ServerComment=
[@MSP_Web Proxy Cache]
Version=256
FreshnessInterval=86400
CleanupInterval=86400
CleanupFactor=25
CleanupTime=0
Persistent=1
EnableActiveCache=1
ActiveRefreshAggressiveness=2
CacheByDefault=1
Enable TTL=1
Age Factor (%)=20
Min Interval (minutes)=15
Max Interval Value=1
Max Interval Units=4
Enable Protect=1
Protection Factor (%)=50
Max. Protection Time (minutes)=60
EnableMaxObjectSize=0
MaxObjectSize=0
[@MSP_Cache Containers]
Container0=G:\urlcache\dir1;10
Container1=G:\urlcache\dir2;10
Container2=G:\urlcache\dir3;10
Container3=G:\urlcache\dir4;10
Container4=G:\urlcache\dir5;10
[@MSP_DenyDomainFilters]
NDDF0=microsoft.com
[@MSP_WSP Protocols]
Proto1=AlphaWorld
Proto2=AOL
Proto3=Archie
Proto4=DNS
Proto5=Echo (TCP)
Proto6=Echo (UDP)
Proto7=Enliven
Proto8=Finger
Proto9=FTP
Proto10=Gopher
Proto11=HTTP
Proto12=HTTP-S
Proto13=ICQ
Proto14=IMAP4
Proto15=IRC
Proto16=LDAP
Proto17=MS NetShow
Proto18=MSN
Proto19=Net2Phone
Proto20=Net2Phone registration
Proto21=NNTP
Proto22=POP3
Proto23=Real Audio (7070)
Proto24=Real Audio (7075)
Proto25=SMTP (client)
Proto26=SuperUserPseudoProtocol
Proto27=Telnet
Proto28=Time (TCP)
Proto29=VDOLive
Proto30=VXtreme
Proto31=WhoIs
[AlphaWorld]
PrimaryPort=5670,OUT,TCP
SecondaryPorts=80-80,OUT,TCP;3000-3050,IN,UDP;3000-3050,OUT,UDP;7000-7999,OUT,TCP;7000-7999,OUT,UDP;
[AOL]
PrimaryPort=5190,OUT,TCP
[Archie]
PrimaryPort=1525,OUT,UDP
SecondaryPorts=0-0,IN,UDP;
[DNS]
PrimaryPort=53,OUT,UDP
SecondaryPorts=0-0,IN,UDP;
[Echo (TCP)]
PrimaryPort=7,OUT,TCP
[Echo (UDP)]
PrimaryPort=7,OUT,UDP
[Enliven]
PrimaryPort=537,OUT,TCP
[Finger]
PrimaryPort=79,OUT,TCP
[FTP]
PrimaryPort=21,OUT,TCP
SecondaryPorts=0-0,IN,TCP;1025-5000,OUT,TCP;32768-65535,OUT,TCP;
[Gopher]
PrimaryPort=70,OUT,TCP
[HTTP]
PrimaryPort=80,OUT,TCP
[HTTP-S]
PrimaryPort=443,OUT,TCP
[ICQ]
PrimaryPort=4000,OUT,UDP
SecondaryPorts=0-0,IN,TCP;0-0,IN,UDP;1025-5000,IN,TCP;1025-5000,OUT,TCP;
[IMAP4]
PrimaryPort=143,OUT,TCP
[IRC]
PrimaryPort=6667,OUT,TCP
[LDAP]
PrimaryPort=389,OUT,TCP
[MS NetShow]
PrimaryPort=1755,OUT,TCP
SecondaryPorts=1025-5000,IN,UDP;
[MSN]
PrimaryPort=569,OUT,TCP
[Net2Phone]
PrimaryPort=6801,OUT,UDP
SecondaryPorts=0-0,IN,TCP;0-0,IN,UDP;1025-5000,OUT,UDP;
[Net2Phone registration]
PrimaryPort=6500,OUT,TCP
[NNTP]
PrimaryPort=119,OUT,TCP
[POP3]
PrimaryPort=110,OUT,TCP
[Real Audio (7070)]
PrimaryPort=7070,OUT,TCP
SecondaryPorts=6770-6770,OUT,UDP;6970-7170,IN,UDP;
[Real Audio (7075)]
PrimaryPort=7075,OUT,TCP
SecondaryPorts=6770-6770,OUT,UDP;6970-7170,IN,UDP;
[SMTP (client)]
PrimaryPort=25,OUT,TCP
[Telnet]
PrimaryPort=23,OUT,TCP
[Time (TCP)]
PrimaryPort=37,OUT,TCP
SecondaryPorts=0-0,IN,UDP;
[VDOLive]
PrimaryPort=7000,OUT,TCP
SecondaryPorts=0-0,IN,UDP;
[VXtreme]
PrimaryPort=12468,OUT,TCP
SecondaryPorts=0-0,IN,UDP;1025-5000,IN,UDP;1025-5000,OUT,UDP;32768-65535,OUT,UDP;
[WhoIs]
PrimaryPort=43,OUT,TCP
[@MSP_MemberArray]
EnableArray=0
NodeComputerPortNum=80
IntraArrayAddress=990030016
NodeCacheSize=50
NodeLoadFactor=100
IIS Authentication=5
ConfigurationStamp=070000007B25513A7B25513ADD101600
ArrayName=
EnableSynchronization=0
ResolveInArray=0
ArrayTTL=0
EnableAuthentication=0
ArrayUserName=
ArrayPassword=
MemberEntries=0
[@MSP_ChainedArray]
RouteType=1
UpstreamServers=
UpstreamServersPort=0
UpstreamDllUrl=
EnableAuthentication=0
AuthenticationType=0
ArrayUserName=
ArrayPassword=
[@MSP_BackupRoute]
RouteType=0
UpstreamServers=
UpstreamServersPort=0
UpstreamDllUrl=
EnableAuthentication=0
AuthenticationType=0
ArrayUserName=
ArrayPassword=
[@MSP_Publishing]
AllowInternetHttpRequests=0
RouteType=7
DefaultLocalHostName=
ReverseProxyHostName=
TcpPort=0
[@MSP_ProxyLog]
SmallLogFormat=1
LogType=1
LogFilePeriod=1
LogFileKeepOld=0
LogFileFsCompress=1
LogFileStopIfFull=1
LogFileTruncateSize=-1
LogFileDirectory=G:\WINNTNT\System32\msplogs
LogSqlDataSource=
LogSqlTableName=
LogSqlUserName=
LogSqlPassword=
[@MSP_WspLog]
SmallLogFormat=1
LogType=1
LogFilePeriod=1
LogFileKeepOld=0
LogFileFsCompress=1
LogFileStopIfFull=1
LogFileTruncateSize=-1
LogFileDirectory=G:\WINNTNT\System32\msplogs
LogSqlDataSource=
LogSqlTableName=
LogSqlUserName=
LogSqlPassword=
[@MSP_SocksLog]
SmallLogFormat=1
LogType=1
LogFilePeriod=1
LogFileKeepOld=0
LogFileFsCompress=1
LogFileStopIfFull=1
LogFileTruncateSize=-1
LogFileDirectory=G:\WINNTNT\System32\msplogs
LogSqlDataSource=
LogSqlTableName=
LogSqlUserName=
LogSqlPassword=
[@MSP_PFDLog]
SmallLogFormat=1
LogType=1
LogFilePeriod=1
LogFileKeepOld=0
LogFileFsCompress=1
LogFileStopIfFull=1
LogFileTruncateSize=-1
LogFileDirectory=G:\WINNTNT\System32\msplogs
LogSqlDataSource=
LogSqlTableName=
LogSqlUserName=
LogSqlPassword=
[@MSP_AutoDial]
Entry=
User=
Domain=
Password=
DialHours=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
AutoDialFlags=0
[@MSP_SocksPermissions]
L1=# SOCKS.CFG
L2=#
L3=# Permissions configuration file for the Microsoft SOCKS server. Although
L4=# the service will recognize the SOCKS 4.3 configuration file format, some
L5=# of the fields have no affect: #NO_IDENTD, #BADID, *=user_list, ?=identd,
L6=# :shell_command.
L7=#
L8=# By default, all requests are denied. To specify specific permitted and
L9=# denied requests, place specification rules in this file. The first rule
L10=# that matches an incoming request will be used to determine if the request
L11=# is to be permitted or denied. A request that does not match any rule, is
L12=# denied. A rule specification syntax is:
L13=#
L14=# action src_addr src_mask [dst_addr dst_mask] [op port] #comment
L15=# - action is either permit or deny
L16=# - src_addr is either an IP address in dotted format (x.x.x.x), a domain
L17=# name (x.y.z), a zone (.b.c), or the token ALL to specify all
L18=# addresses.
L19=# - src_mask is an IP address mask in dotted format (x.x.x.x). It must always
L20=# be present, although it is ignored if the src_addr is a domain
L21=# or zone.
L22=# - dst_addr & dst_mask are optional. If present, they specify the destination
L23=# part of a request. If absent, any destination address in the
L24=# requaest will match.
L25=# - op Can be 'eq', 'ne', 'gt', 'ge', 'lt', or 'le'. The operation
L26=# specifies the relative range to the port that is matched.
L27=# - port In conjunction with the op, specifies the range of ports that is
L28=# matched for a request.
L29=
L30=# implied rule:
L31=# deny ALL 0.0.0.0
[@MSP_PacketFilters]
PF_0=1, 0, 0x0, 0x0, 0x35, 0x0, 0x11, 0xc0000000, 0x3, 0x0, 0xffffffff;
PF_1=1, 0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x40000000, 0x33, 0x0, 0xffffffff;
PF_2=1, 0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x80000000, 0x0, 0x0, 0xffffffff;
PF_3=1, 0, 0x8, 0x0, 0x0, 0x0, 0x1, 0x80000000, 0x0, 0x0, 0xffffffff;
PF_4=2, 0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xc0000000, 0x0, 0x0, 0x0;
PF_5=1, 0, 0xb, 0x0, 0x0, 0x0, 0x1, 0x80000000, 0x30, 0x0, 0xffffffff;
PF_6=1, 0, 0x3, 0x0, 0x0, 0x0, 0x1, 0x80000000, 0x30, 0x0, 0xffffffff;
PF_7=1, 0, 0x4, 0x0, 0x0, 0x0, 0x1, 0x80000000, 0x0, 0x0, 0xffffffff;
PF_8=5, 0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x80000000, 0x0, 0x0, 0x0;
PF_9=1, 0, 0x15, 0x0, 0x0, 0x0, 0x6, 0xc0000000, 0x30, 0x0, 0xffffffff;
PF_10=1, 0, 0x17, 0x0, 0x0, 0x0, 0x6, 0xc0000000, 0x30, 0x0, 0xffffffff;
[@MSP_Alerts]
Alert0=0, 1, 1, 1, 20, 5;
Alert1=1, 1, 1, 1, 1, 1;
Alert2=2, 1, 0, 1, 1, 180;
[@MSP_ClientIni]
L1=[Internal]
L2=scp=9,10
L3=Build=2.0.372.12
L4=[wspsrv]
L5=Disable=1
L6=[inetinfo]
L7=Disable=1
L8=[services]
L9=Disable=1
L10=[spoolss]
L11=Disable=1
L12=[rpcss]
L13=Disable=1
L14=[kernel32]
L15=Disable=1
L16=[mapisp32]
L17=Disable=0
L18=[exchng32]
L19=Disable=0
L20=[outlook]
L21=Disable=0
L22=[raplayer]
L23=RemoteBindUdpPorts=6970-7170
L24=LocalBindTcpPorts=7070
L25=[rvplayer]
L26=RemoteBindUdpPorts=6970-7170
L27=LocalBindTcpPorts=7070
L28=[net2fone]
L29=ServerBindTcpPorts=0
L30=[icq]
L31=RemoteBindUdpPorts=0
L32=ServerBindTcpPorts=0,1025-5000
L33=NameResolutionForLocalHost=P
L34=[Common]
L35=WWW-Proxy=ABC1
L36=Set Browsers to use Proxy=1
L37=Set Browsers to use Auto Config=0
L38=WebProxyPort=80
L39=Configuration Url=http://ABC1:80/array.dll?Get.Routing.Script
L40=Port=1745
L41=Configuration Refresh Time (Hours)=6
L42=Re-check Inaccessible Server Time (Minutes)=10
L43=Refresh Give Up Time (Minutes)=15
L44=Inaccessible Servers Give Up Time (Minutes)=2
L45=Setup=Setup.exe
L46=[Servers Ip Addresses]
L47=Name=ABC1
L48=[Servers Ipx Addresses]
L49=[Master Config]
L50=Path1=\\ABC1\mspclnt\
[@MSP_Client]
Name=ABC1
WWW-Proxy=ABC1
Configuration Url=http://ABC1:80/array.dll?Get.Routing.Script
WebProxyPort=80
ClientAccessType=1
Set Browsers to use Proxy=1
Set Browsers to use Auto Config=0
ClientScriptBypassForLocal=1
ClientScriptReturnManul=0
ClientScriptUseDomainList=1
ClientScriptUseIpList=1
ClientScriptUseBackupRoute=1
ClientScriptBackupRoute=DIRECT
ClientScriptReturnManualPath=
ClientScriptBypassNames=
ClientScriptBypassAddresses=
[@MSP_Lat]
LatText=10.0.0.0-10.255.255.255,172.16.0.0-172.31.255.255,192.168.0.0-192.168.255.255
[@MSP_RegKeys]
Proxy_DnsCacheSize=3000
Proxy_DnsTTLinSecs=21600
Proxy_SocketIoTimeoutSecs=120
Proxy_RequestTimeoutSecs=60
Proxy_MaxFtpThreadsFactor=8
Proxy_SSLPortListMembers=443#443#563#563#
Proxy_SSLPortListInclusion=1
Proxy_NonPassiveFTPTransfer=1
Proxy_ConnectCacheSize=32
Proxy_ConnectCacheTimeoutInSecs=290
SOCKS_SocksServiceEnabled=1
SOCKS_EnableBindRequests=1
SOCKS_SocksConfigFile=C:\msp\SOCKS.CFG
SOCKS_SocketIoTimeoutSecs=900
WSP_ConnectionQuota=40
WSP_MappingQuota=40
WSP_UdpBufferSize=4096
WSP_TcpBufferSize=2048
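The rule grammar documented in the SOCKS.CFG comments above (the first matching rule decides; a request that matches no rule is denied) is small enough to implement, and doing so is a practical way to check a rule set for ordering mistakes before the SOCKS service applies it. The following is an added example, not code from the book or from Microsoft. It assumes the SOCKS 4 mask convention (the set bits in src_mask and dst_mask are the bits that must match), that a zone such as .b.c matches a requesting hostname by suffix and a domain name matches it exactly, and the rule set it evaluates is constructed for illustration.

```python
"""First-match evaluator for the SOCKS.CFG rule syntax shown in Appendix A.

Added example, not code from the book or from Microsoft. Assumptions: the
SOCKS 4 mask convention (set bits in the mask are the bits that must match),
a zone (".b.c") matches a requesting hostname by suffix, a domain name
matches the hostname exactly, and an unmatched request is denied.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

OPS = {
    "eq": lambda have, want: have == want,
    "ne": lambda have, want: have != want,
    "gt": lambda have, want: have > want,
    "ge": lambda have, want: have >= want,
    "lt": lambda have, want: have < want,
    "le": lambda have, want: have <= want,
}

# Constructed rule set in the documented syntax (comments start with '#').
SAMPLE_SOCKS_CFG = """\
# quarantined VLAN first: the first matching rule decides, so this wins
deny   10.0.5.0       255.255.255.0
permit 10.0.0.0       255.0.0.0      0.0.0.0 0.0.0.0 eq 80    # web for 10/8
permit 10.0.0.0       255.0.0.0      0.0.0.0 0.0.0.0 eq 443
permit .corp.example  0.0.0.0        0.0.0.0 0.0.0.0 ge 1024  # named hosts, high ports
deny   ALL            0.0.0.0                                 # same as the implied rule
"""


@dataclass
class Rule:
    action: str
    src_addr: str
    src_mask: str
    dst_addr: Optional[str] = None
    dst_mask: Optional[str] = None
    op: Optional[str] = None
    port: Optional[int] = None


def parse_rules(text: str) -> List[Rule]:
    """Parse 'action src_addr src_mask [dst_addr dst_mask] [op port] #comment'."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()      # drop trailing comment
        if not tokens:
            continue
        if len(tokens) < 3 or tokens[0].lower() not in ("permit", "deny"):
            raise ValueError(f"malformed rule: {raw!r}")
        rule = Rule(tokens[0].lower(), tokens[1], tokens[2])
        rest = tokens[3:]
        if rest and rest[0].lower() not in OPS:   # optional destination pair
            if len(rest) < 2:
                raise ValueError(f"dst_addr without dst_mask: {raw!r}")
            rule.dst_addr, rule.dst_mask = rest[0], rest[1]
            rest = rest[2:]
        if rest:                                   # optional port test
            if len(rest) != 2 or rest[0].lower() not in OPS:
                raise ValueError(f"bad port test: {raw!r}")
            rule.op, rule.port = rest[0].lower(), int(rest[1])
        rules.append(rule)
    return rules


def addr_matches(pattern: str, mask: str, value: str) -> bool:
    """Match a request address (IP or hostname) against one rule field."""
    if pattern.upper() == "ALL":
        return True
    if pattern.startswith("."):                    # zone: hostname suffix
        return value.lower().endswith(pattern.lower())
    if not pattern.replace(".", "").isdigit():     # domain name: exact match
        return value.lower() == pattern.lower()
    try:
        addr = int(ipaddress.IPv4Address(value))
    except ipaddress.AddressValueError:            # a hostname never matches an IP rule
        return False
    bits = int(ipaddress.IPv4Address(mask))
    return (addr & bits) == (int(ipaddress.IPv4Address(pattern)) & bits)


def evaluate(rules: List[Rule], src: str, dst: str, port: int) -> Tuple[str, Optional[int]]:
    """Return (action, index of the deciding rule); None means the implied deny."""
    for i, rule in enumerate(rules):
        if not addr_matches(rule.src_addr, rule.src_mask, src):
            continue
        if rule.dst_addr is not None and not addr_matches(rule.dst_addr, rule.dst_mask, dst):
            continue
        if rule.op is not None and not OPS[rule.op](port, rule.port):
            continue
        return rule.action, i
    return "deny", None                            # implied rule: deny ALL 0.0.0.0


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_SOCKS_CFG)
    for src, port in (("10.0.5.9", 80), ("10.1.2.3", 80), ("10.1.2.3", 23), ("pc7.corp.example", 8080)):
        print(src, port, evaluate(rules, src, "203.0.113.10", port))
```

Rule order is the whole point: the quarantine deny precedes the broader permit, so a host on that subnet is refused even though a later rule would have allowed it; swapping the two lines would silently open the hole, which is why evaluate reports the index of the deciding rule rather than just the verdict.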
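Practice exam answers 10, 29 and 55 all turn on what the Local Address Table contains, and the [@MSP_WSP Protocols] sections above show how Proxy 2.0 records inbound and outbound port ranges per protocol. The following is an added example, not code from the book or from Microsoft, that parses the backup layout shown above: it reads LatText into address ranges, reports client subnets the LAT does not cover (the answer 55 symptom), and totals the inbound port openings each protocol definition grants so they can be reviewed before being carried over to ISA Server. The excerpt it parses is constructed from a few of the sections above; treating a 0-0 range as a dynamic any-port placeholder is an assumption.

```python
"""Audit helpers for a Microsoft Proxy Server 2.0 configuration backup (.MPC).
Added example, not code from the book or from Microsoft; it assumes only the
INI-like layout visible in Appendix A. SAMPLE_MPC is a constructed excerpt."""
import ipaddress
from typing import Dict, List, Tuple

SAMPLE_MPC = """\
[@MSP_WSP Protocols]
Proto1=HTTP
Proto2=ICQ
Proto3=Real Audio (7070)
[HTTP]
PrimaryPort=80,OUT,TCP
[ICQ]
PrimaryPort=4000,OUT,UDP
SecondaryPorts=0-0,IN,TCP;0-0,IN,UDP;1025-5000,IN,TCP;1025-5000,OUT,TCP;
[Real Audio (7070)]
PrimaryPort=7070,OUT,TCP
SecondaryPorts=6770-6770,OUT,UDP;6970-7170,IN,UDP;
[@MSP_Lat]
LatText=10.0.0.0-10.255.255.255,172.16.0.0-172.31.255.255,192.168.0.0-192.168.255.255
"""

PortRule = Tuple[int, int, str, str]   # (low, high, direction, transport)
IPRange = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]


def parse_mpc(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the backup into {section: {key: value}}; keys may contain spaces."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)     # values may themselves contain '='
            sections[current][key.strip()] = value.strip()
    return sections


def parse_port_spec(spec: str) -> PortRule:
    """'80-80,OUT,TCP' or '21,OUT,TCP' -> (80, 80, 'OUT', 'TCP')."""
    ports, direction, transport = (p.strip() for p in spec.split(","))
    if "-" in ports:
        low, high = (int(p) for p in ports.split("-"))
    else:
        low = high = int(ports)
    if (low, high) == (0, 0):   # assumption: 0-0 is a dynamic "any port" placeholder
        low, high = 1, 65535
    return low, high, direction.upper(), transport.upper()


def protocol_rules(sections: Dict[str, Dict[str, str]]) -> Dict[str, List[PortRule]]:
    """Resolve the ProtoN index to each protocol's primary and secondary ports."""
    index = sections["@MSP_WSP Protocols"]
    names = [index[k] for k in sorted(index, key=lambda k: int(k[len("Proto"):]))]
    rules: Dict[str, List[PortRule]] = {}
    for name in names:
        body = sections.get(name, {})
        specs = [body["PrimaryPort"]] if "PrimaryPort" in body else []
        specs += [s for s in body.get("SecondaryPorts", "").split(";") if s.strip()]
        rules[name] = [parse_port_spec(s) for s in specs]
    return rules


def inbound_exposure(rules: Dict[str, List[PortRule]]) -> Dict[str, int]:
    """Count the (transport, port) openings each protocol accepts inbound (IN).
    Wide or dynamic IN ranges deserve review before migrating to ISA Server."""
    exposure: Dict[str, int] = {}
    for name, plist in rules.items():
        openings = sum(hi - lo + 1 for lo, hi, direction, _ in plist if direction == "IN")
        if openings:
            exposure[name] = openings
    return exposure


def parse_lat(lat_text: str) -> List[IPRange]:
    """'a-b,c-d' -> [(a, b), (c, d)] as IPv4Address pairs."""
    ranges: List[IPRange] = []
    for item in lat_text.split(","):
        low, high = item.strip().split("-")
        ranges.append((ipaddress.IPv4Address(low), ipaddress.IPv4Address(high)))
    return ranges


def uncovered_subnets(subnets: List[str], lat: List[IPRange]) -> List[str]:
    """Client subnets (CIDR) that no LAT range wholly contains: their hosts are
    treated as external, the symptom described in practice exam answer 55."""
    missing = []
    for cidr in subnets:
        net = ipaddress.IPv4Network(cidr)
        if not any(low <= net[0] and net[-1] <= high for low, high in lat):
            missing.append(cidr)
    return missing


if __name__ == "__main__":
    cfg = parse_mpc(SAMPLE_MPC)
    print(inbound_exposure(protocol_rules(cfg)))
    print(uncovered_subnets(["10.1.0.0/16", "172.32.10.0/24"], parse_lat(cfg["@MSP_Lat"]["LatText"])))
```

Run against a real backup by passing the file contents to parse_mpc and your site's client subnets to uncovered_subnets; a remote office subnet that appears in the result is the misconfiguration answer 55 describes, and any protocol whose inbound count is in the tens of thousands is relying on dynamic port ranges that need a deliberate decision during migration.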
APPENDIX B
ISA Setup Log

This appendix consists of a copy of an ISA setup log made during the migration of a Proxy 2.0 server.

Isas.log
Microsoft ISA Server Setup Log of 1-1-2001 21:46
————————————————
ISA Setup: LangId=1033
ISA Setup: VerifyISAConditions camf=0 ois=0 or=501 DstDir=NULL
ISA Setup: ——Server—————————————————
ISA Setup: ISA server Setup Build no: 3.0.1200.0
ISA Setup: Machine Info:
ISA Setup: Processor Type : Intel
ISA Setup: Processor Level : 6
ISA Setup: Number of Processors : 1
ISA Setup: NT Version 5.0
ISA Setup: NT build 2195
ISA Setup: NT build additional Data : Service Pack 1
ISA Setup: ——————————————————————
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\MS SETUP (ACME)\Table Files) ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\MS SETUP ➥(ACME)\Table Files) ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\MS SETUP (ACME)\Table Files) ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\MS SETUP ➥(ACME)\Table Files) ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\MS SETUP (ACME)\Table Files) ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\MS SETUP ➥(ACME)\Table Files) ISA Setup: Unknown Type (0) for value [email protected] !!! ISA Setup: old proxy path is C:\msp\ ISA Setup: Identified Proxy 2.0 ISA Setup: LicenseDlg camf=0 ois=0 or=502 DstDir=NULL ISA Setup: EditionCheck::Init found setup edition: 81 ISA Setup: DSToStandardScenario::GetDefaultStorageType couldn’t find storage type. ➥Assuming new installation. ISA Setup: IsDbgComet returned OK!!! camf=1 ois=0 or=565 DstDir=NULL ISA Setup: ComponentChoosed camf=0 ois=0 or=901 DstDir=NULL ISA Setup: ComponentChoosed sim=1 ISA Setup: DoServerAndAdminCommonStuff returned DEFAULT!!! camf=0 ois=0 or=9970 ➥DstDir=NULL ISA Setup: ComponentChoosed camf=0 ois=0 or=1001 DstDir=NULL ISA Setup: ComponentChoosed sim=1 ISA Setup: VerifyServerCondition camf=0 ois=0 or=1110 DstDir=NULL ISA Setup: pcd->rgchStfCwdDir=G:\~MSSETUP.T\~msstfqf.t\ ISA Setup: params=G:\~MSSETUP.T\~msstfqf.t\acmsetup.EXE /T setup.stf /S C:\ISASER~1\ISA\ ISA Setup: found K2 scripts dir g:\inetpub\scripts\
continues
540
Appendix B
ISA SETUP LOG
continued ISA Setup: found K2 installation ISA Setup: At REGMAP_OpenObject (System\CurrentControlSet\Services\RemoteAccess) ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\RemoteAccess) ISA Setup: fSteelHeadPresent=1 ISA Setup: At REGMAP_OpenObject (System\CurrentControlSet\Services\RemoteAccess\RouterManagers\Ipx) ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\RemoteAccess\RouterManagers\Ipx) ISA Setup: fSteelHeadIpxPresent=0 ISA Setup: searching for driver : G:\WINNTNT\System32\drivers\ipfltdrv.sys ISA Setup: found for driver : G:\WINNTNT\System32\drivers\ipfltdrv.sys ISA Setup: pf filter in setup : version is 4.4.1200.0 ISA Setup: pf filter existing on machine : version is 5.0.2168.1 replace=0 ISA Setup: VerifyServerCondition returned DEFAULT!!! camf=0 ois=0 or=1110 DstDir=NULL ISA Setup: OldInstTrigger returned OK!!! camf=1 ois=0 or=8000 DstDir=NULL ISA Setup: DoServerAndAdminCommonStuff returned DEFAULT!!! camf=0 ois=0 or=9970 DstDir=NULL ISA Setup: ComponentChoosed camf=0 ois=0 or=751 DstDir=NULL ISA Setup: ComponentChoosed sim=1 ISA Setup: ComponentChoosed camf=0 ois=0 or=901 DstDir=NULL ISA Setup: ComponentChoosed sim=1 ISA Setup: DoServerAndAdminCommonStuff returned DEFAULT!!! camf=0 ois=0 or=9970 DstDir=NULL ISA Setup: ComponentChoosed camf=0 ois=0 or=821 DstDir=NULL ISA Setup: ComponentChoosed sim=1 ISA Setup: ComponentChoosed camf=0 ois=0 or=831 DstDir=NULL ISA Setup: ComponentChoosed sim=1 ISA Setup: ComponentChoosed camf=0 ois=0 or=1001 DstDir=NULL ISA Setup: ComponentChoosed sim=1 ISA Setup: OldInstTrigger returned OK!!! camf=1 ois=0 or=8000 DstDir=NULL ISA Setup: DoServerAndAdminCommonStuff returned DEFAULT!!! camf=0 ois=0 or=9970 DstDir=NULL ISA Setup: IsDbgComet returned OK!!! camf=1 ois=0 or=565 DstDir=NULL ISA Setup: IsDbgComet returned OK!!! 
camf=1 ois=0 or=565 DstDir=NULL ISA Setup: ComponentChoosed camf=0 ois=0 or=751 DstDir=NULL ISA Setup: ComponentChoosed sim=1 ISA Setup: ComponentChoosed camf=0 ois=0 or=901 DstDir=NULL ISA Setup: ComponentChoosed sim=1 ISA Setup: DoServerAndAdminCommonStuff returned DEFAULT!!! camf=0 ois=0 or=9970 DstDir=NULL ISA Setup: ComponentChoosed camf=0 ois=0 or=821 DstDir=NULL ISA Setup: ComponentChoosed sim=1 ISA Setup: ComponentChoosed camf=0 ois=0 or=831 DstDir=NULL ISA Setup: ComponentChoosed sim=1 ISA Setup: ComponentChoosed camf=0 ois=0 or=1001 DstDir=NULL ISA Setup: ComponentChoosed sim=1 ISA Setup: OldInstTrigger returned OK!!! camf=1 ois=0 or=8000 DstDir=NULL ISA Setup: DoServerAndAdminCommonStuff returned DEFAULT!!! camf=0 ois=0 or=9970 DstDir=NULL ISA Setup: ComponentChoosed camf=10 ois=0 or=901 DstDir=NULL ISA Setup: ComponentChoosed sim=1 ISA Setup: ComponentChoosed camf=9 ois=0 or=901 DstDir=C:\msp\ ISA Setup: ComponentChoosed sim=1 ISA Setup: DoServerAndAdminCommonStuff returned DEFAULT!!! camf=10 ois=0 or=9970 DstDir=NULL ISA Setup: DoServerAndAdminCommonStuff returned DEFAULT!!! camf=9 ois=0 or=9970 DstDir=C:\msp\ ISA Setup: ComponentChoosed camf=10 ois=0 or=1001 DstDir=NULL ISA Setup: ComponentChoosed sim=1 ISA Setup: ComponentChoosed camf=9 ois=0 or=1001 DstDir=C:\msp\ ISA Setup: ComponentChoosed sim=1 ISA Setup: Current inst is C:\msp\. check for old installation to erase ISA Setup: At REGMAP_OpenObject (System\CurrentControlSet\Services\WSPSrv\Parameters) ISA Setup: At REGMAP_CreateOrOpenObject (reg key is
Appendix B
541
ISA SETUP LOG
System\CurrentControlSet\Services\WSPSrv\Parameters) ISA Setup: Unknown Type (0) for value InstallRoot !!! ISA Setup: OldInstTrigger returned OK!!! camf=8 ois=0 or=8000 DstDir=C:\msp\ ISA Setup: ComponentChoosed camf=10 ois=0 or=751 DstDir=NULL ISA Setup: ComponentChoosed sim=1 ISA Setup: ComponentChoosed camf=9 ois=0 or=751 DstDir=C:\msp\ ISA Setup: ComponentChoosed sim=1 ISA Setup: ComponentChoosed camf=10 ois=0 or=821 DstDir=NULL ISA Setup: ComponentChoosed sim=1 ISA Setup: ComponentChoosed camf=9 ois=0 or=821 DstDir=C:\msp\ ISA Setup: ComponentChoosed sim=1 ISA Setup: ComponentChoosed camf=10 ois=0 or=831 DstDir=NULL ISA Setup: ComponentChoosed sim=1 ISA Setup: ComponentChoosed camf=9 ois=0 or=831 DstDir=C:\msp\ ISA Setup: ComponentChoosed sim=1 ISA Setup: ComponentChoosed camf=18 ois=0 or=901 DstDir=C:\msp\ ISA Setup: ComponentChoosed sim=1 ISA Setup: DoServerAndAdminCommonStuff returned DEFAULT!!! camf=18 ois=0 or=9970 DstDir=C:\msp\ ISA Setup: ComponentChoosed camf=18 ois=0 or=1001 DstDir=C:\msp\ ISA Setup: ComponentChoosed sim=1 ISA Setup: DoServerAndAdminCommonStuff returned DEFAULT!!! camf=18 ois=0 or=9970 DstDir=C:\msp\ ISA Setup: ComponentChoosed camf=18 ois=0 or=901 DstDir=C:\msp\ ISA Setup: ComponentChoosed sim=1 ISA Setup: DoServerAndAdminCommonStuff returned DEFAULT!!! camf=18 ois=0 or=9970 DstDir=C:\msp\ ISA Setup: ComponentChoosed camf=18 ois=0 or=1001 DstDir=C:\msp\ ISA Setup: ComponentChoosed sim=1 ISA Setup: DoServerAndAdminCommonStuff returned DEFAULT!!! camf=18 ois=0 or=9970 DstDir=C:\msp\ ISA Setup: ComponentChoosed camf=14 ois=0 or=901 DstDir=C:\msp\ ISA Setup: ComponentChoosed sim=1 ISA Setup: DoServerAndAdminCommonStuff returned DEFAULT!!! camf=14 ois=0 or=9970 DstDir=C:\msp\ ISA Setup: ComponentChoosed camf=18 ois=0 or=901 DstDir=C:\msp\ ISA Setup: ComponentChoosed sim=1 ISA Setup: DoServerAndAdminCommonStuff returned DEFAULT!!! 
camf=18 ois=0 or=9970 DstDir=C:\msp\ ISA Setup: ComponentChoosed camf=14 ois=0 or=821 DstDir=C:\msp\ ISA Setup: ComponentChoosed sim=1 ISA Setup: ComponentChoosed camf=18 ois=0 or=821 DstDir=C:\msp\ ISA Setup: ComponentChoosed sim=1 ISA Setup: ComponentChoosed camf=18 ois=0 or=1001 DstDir=C:\msp\ ISA Setup: ComponentChoosed sim=1 ISA Setup: DoServerAndAdminCommonStuff returned DEFAULT!!! camf=18 ois=0 or=9970 DstDir=C:\msp\ ISA Setup: ComponentChoosed camf=10 ois=0 or=751 DstDir=C:\msp\ ISA Setup: ComponentChoosed sim=1 ISA Setup: ComponentChoosed camf=9 ois=0 or=751 DstDir=C:\msp\ ISA Setup: ComponentChoosed sim=1 ISA Setup: ComponentChoosed camf=10 ois=0 or=901 DstDir=C:\msp\ ISA Setup: ComponentChoosed sim=1 ISA Setup: ComponentChoosed camf=9 ois=0 or=901 DstDir=C:\msp\ ISA Setup: ComponentChoosed sim=1 ISA Setup: DoServerAndAdminCommonStuff returned DEFAULT!!! camf=10 ois=0 or=9970 DstDir=C:\msp\ ISA Setup: DoServerAndAdminCommonStuff returned DEFAULT!!! camf=9 ois=0 or=9970 DstDir=C:\msp\ ISA Setup: ComponentChoosed camf=10 ois=0 or=821 DstDir=C:\msp\ ISA Setup: ComponentChoosed sim=1 ISA Setup: ComponentChoosed camf=9 ois=0 or=821 DstDir=C:\msp\ ISA Setup: ComponentChoosed sim=1 ISA Setup: ComponentChoosed camf=10 ois=0 or=831 DstDir=C:\msp\ ISA Setup: ComponentChoosed sim=1
continues
542
Appendix B
ISA SETUP LOG
continued ISA Setup: ComponentChoosed camf=9 ois=0 or=831 DstDir=C:\msp\ ISA Setup: ComponentChoosed sim=1 ISA Setup: ComponentChoosed camf=10 ois=0 or=1001 DstDir=C:\msp\ ISA Setup: ComponentChoosed sim=1 ISA Setup: ComponentChoosed camf=9 ois=0 or=1001 DstDir=C:\msp\ ISA Setup: ComponentChoosed sim=1 ISA Setup: Current inst is C:\msp\. check for old installation to erase ISA Setup: At REGMAP_OpenObject (System\CurrentControlSet\Services\WSPSrv\Parameters) ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\WSPSrv\Parameters) ISA Setup: Unknown Type (0) for value InstallRoot !!! ISA Setup: OldInstTrigger returned OK!!! camf=8 ois=0 or=8000 DstDir=C:\msp\ ISA Setup: ComponentChoosed camf=14 ois=0 or=751 DstDir=C:\msp\ ISA Setup: ComponentChoosed sim=1 ISA Setup: ComponentChoosed camf=14 ois=0 or=831 DstDir=C:\msp\ ISA Setup: ComponentChoosed sim=1 ISA Setup: ComponentChoosed camf=14 ois=0 or=1001 DstDir=C:\msp\ ISA Setup: ComponentChoosed sim=1 ISA Setup: DoServerAndAdminCommonStuff returned DEFAULT!!! camf=14 ois=0 or=9970 DstDir=C:\msp\ ISA Setup: ComponentChoosed camf=28 ois=0 or=1001 DstDir=C:\msp\ ISA Setup: ComponentChoosed sim=1 ISA Setup: ComponentChoosed camf=18 ois=0 or=901 DstDir=C:\msp\ ISA Setup: ComponentChoosed sim=1 ISA Setup: DoServerAndAdminCommonStuff returned DEFAULT!!! camf=18 ois=0 or=9970 DstDir=C:\msp\ ISA Setup: ComponentChoosed camf=18 ois=0 or=821 DstDir=C:\msp\ ISA Setup: ComponentChoosed sim=1 ISA Setup: ComponentChoosed camf=18 ois=0 or=1001 DstDir=C:\msp\ ISA Setup: ComponentChoosed sim=1 ISA Setup: DoServerAndAdminCommonStuff returned DEFAULT!!! camf=18 ois=0 or=9970 DstDir=C:\msp\ ISA Setup: ComponentChoosed camf=28 ois=0 or=1001 DstDir=C:\msp\ ISA Setup: ComponentChoosed sim=1 ISA Setup: ComponentChoosed camf=28 ois=0 or=1001 DstDir=C:\msp\ ISA Setup: ComponentChoosed sim=1 ISA Setup: sma=0 ISA Setup: IsDbgComet returned OK!!! 
camf=13 ois=2 or=565 DstDir=NULL ISA Setup: ComponentChoosed camf=14 ois=0 or=901 DstDir=C:\msp\ ISA Setup: ComponentChoosed sim=1 ISA Setup: ComponentChoosed camf=12 ois=0 or=901 DstDir=C:\msp\ ISA Setup: ComponentChoosed sim=1 ISA Setup: DoServerAndAdminCommonStuff returned DEFAULT!!! camf=14 ois=0 or=9970 DstDir=C:\msp\ ISA Setup: DoServerAndAdminCommonStuff returned DEFAULT!!! camf=12 ois=0 or=9970 DstDir=C:\msp\ ISA Setup: ComponentChoosed camf=14 ois=0 or=1001 DstDir=C:\msp\ ISA Setup: ComponentChoosed sim=1 ISA Setup: ComponentChoosed camf=12 ois=0 or=1001 DstDir=C:\msp\ ISA Setup: ComponentChoosed sim=1 ISA Setup: VerifyServerCondition camf=12 ois=0 or=1110 DstDir=C:\msp\ ISA Setup: VerifyServerCondition sma=0 ISA Setup: VerifyServerCondition camfSetModeOfObject returned DEFAULT!!! camf=12 ois=0 or=1110 DstDir=C:\msp\ ISA Setup: OldInstTrigger returned OK!!! camf=13 ois=2 or=8000 DstDir=C:\msp\ ISA Setup: DoServerAndAdminCommonStuff returned DEFAULT!!! camf=14 ois=2 or=9970 DstDir=C:\msp\ ISA Setup: DoServerAndAdminCommonStuff returned DEFAULT!!! camf=12 ois=2 or=9970 DstDir=C:\msp\ ISA Setup: VerifyServerCondition camf=12 ois=0 or=4005 DstDir=C:\msp\ ISA Setup: VerifyServerCondition sma=0
Appendix B
ISA SETUP LOG
543
ISA Setup: VerifyServerCondition camfSetModeOfObject returned DEFAULT!!! camf=12 ois=0 or=4005 DstDir=C:\msp\ ISA Setup: At REGMAP_OpenObject (Software\Microsoft\INetStp) ISA Setup: At REGMAP_CreateOrOpenObject (reg key is Software\Microsoft\INetStp) ISA Setup: Unknown Type (0) for value installpath !!! ISA Setup: FindGibraltarDir returned RC=1 camf=13 ois=2 or=4009 DstDir=G:\WINNTNT\System32\inetsrv\ ISA Setup: sma=0 ISA Setup: IsDbgComet returned OK!!! camf=13 ois=2 or=565 DstDir=NULL ISA Setup: VerifyServerCondition camf=12 ois=2 or=4005 DstDir=C:\msp\ ISA Setup: VerifyServerCondition sma=0 ISA Setup: VerifyServerCondition camfSetModeOfObject returned DEFAULT!!! camf=12 ois=2 or=4005 DstDir=C:\msp\ ISA Setup: ComponentChoosed camf=14 ois=0 or=751 DstDir=C:\msp\ ISA Setup: ComponentChoosed sim=1 ISA Setup: ComponentChoosed camf=12 ois=0 or=751 DstDir=C:\msp\ ISA Setup: ComponentChoosed sim=1 ISA Setup: ComponentChoosed camf=14 ois=2 or=901 DstDir=C:\msp\ ISA Setup: ComponentChoosed sim=1 ISA Setup: ComponentChoosed camf=12 ois=2 or=901 DstDir=C:\msp\ ISA Setup: ComponentChoosed sim=1 ISA Setup: DoServerAndAdminCommonStuff returned DEFAULT!!! camf=14 ois=2 or=9970 DstDir=C:\msp\ ISA Setup: DoServerAndAdminCommonStuff returned DEFAULT!!! 
camf=12 ois=2 or=9970 DstDir=C:\msp\ ISA Setup: ComponentChoosed camf=14 ois=0 or=821 DstDir=C:\msp\ ISA Setup: ComponentChoosed sim=1 ISA Setup: ComponentChoosed camf=12 ois=0 or=821 DstDir=C:\msp\ ISA Setup: ComponentChoosed sim=1 ISA Setup: ComponentChoosed camf=14 ois=0 or=831 DstDir=C:\msp\ ISA Setup: ComponentChoosed sim=1 ISA Setup: ComponentChoosed camf=12 ois=0 or=831 DstDir=C:\msp\ ISA Setup: ComponentChoosed sim=1 ISA Setup: ComponentChoosed camf=14 ois=2 or=1001 DstDir=C:\msp\ ISA Setup: ComponentChoosed sim=1 ISA Setup: ComponentChoosed camf=12 ois=2 or=1001 DstDir=C:\msp\ ISA Setup: ComponentChoosed sim=1 ISA Setup: VerifyServerCondition camf=12 ois=2 or=1110 DstDir=C:\msp\ ISA Setup: VerifyServerCondition sma=0 ISA Setup: VerifyServerCondition camfSetModeOfObject returned DEFAULT!!! camf=12 ois=2 or=1110 DstDir=C:\msp\ ISA Setup: OldInstTrigger returned OK!!! camf=13 ois=2 or=8000 DstDir=C:\msp\ ISA Setup: DoServerAndAdminCommonStuff returned DEFAULT!!! camf=14 ois=2 or=9970 DstDir=C:\msp\ ISA Setup: DoServerAndAdminCommonStuff returned DEFAULT!!! camf=12 ois=2 or=9970 DstDir=C:\msp\ ISA Setup: sma=0 ISA Setup: IsDbgComet returned OK!!! camf=13 ois=2 or=565 DstDir=NULL ISA Setup: ComponentChoosed camf=14 ois=2 or=751 DstDir=C:\msp\ ISA Setup: ComponentChoosed sim=1 ISA Setup: ComponentChoosed camf=12 ois=2 or=751 DstDir=C:\msp\ ISA Setup: ComponentChoosed sim=1 ISA Setup: ComponentChoosed camf=14 ois=2 or=901 DstDir=C:\msp\ ISA Setup: ComponentChoosed sim=1 ISA Setup: ComponentChoosed camf=12 ois=2 or=901 DstDir=C:\msp\ ISA Setup: ComponentChoosed sim=1 ISA Setup: DoServerAndAdminCommonStuff returned DEFAULT!!! camf=14 ois=2 or=9970 DstDir=C:\msp\ ISA Setup: DoServerAndAdminCommonStuff returned DEFAULT!!! camf=12 ois=2 or=9970 DstDir=C:\msp\ ISA Setup: ComponentChoosed camf=14 ois=2 or=821 DstDir=C:\msp\ ISA Setup: ComponentChoosed sim=1
continues
544
Appendix B
ISA SETUP LOG
continued ISA Setup: ComponentChoosed camf=12 ois=2 or=821 DstDir=C:\msp\ ISA Setup: ComponentChoosed sim=1 ISA Setup: ComponentChoosed camf=14 ois=2 or=831 DstDir=C:\msp\ ISA Setup: ComponentChoosed sim=1 ISA Setup: ComponentChoosed camf=12 ois=2 or=831 DstDir=C:\msp\ ISA Setup: ComponentChoosed sim=1 ISA Setup: ComponentChoosed camf=14 ois=2 or=1001 DstDir=C:\msp\ ISA Setup: ComponentChoosed sim=1 ISA Setup: ComponentChoosed camf=12 ois=2 or=1001 DstDir=C:\msp\ ISA Setup: ComponentChoosed sim=1 ISA Setup: VerifyServerCondition camf=12 ois=2 or=1110 DstDir=C:\msp\ ISA Setup: VerifyServerCondition sma=0 ISA Setup: VerifyServerCondition camfSetModeOfObject returned DEFAULT!!! camf=12 DstDir=C:\msp\ ISA Setup: OldInstTrigger returned OK!!! camf=13 ois=2 or=8000 DstDir=C:\msp\ ISA Setup: DoServerAndAdminCommonStuff returned DEFAULT!!! camf=14 ois=2 or=9970 ISA Setup: DoServerAndAdminCommonStuff returned DEFAULT!!! camf=12 ois=2 or=9970 ISA Setup: VerifyServerCondition camf=12 ois=2 or=4005 DstDir=C:\msp\ ISA Setup: VerifyServerCondition sma=0 ISA Setup: VerifyServerCondition camfSetModeOfObject returned DEFAULT!!! camf=12 DstDir=C:\msp\ ISA Setup: CheckCCV camf=15 ois=4 or=505 DstDir=C:\msp\ ISA Setup: At REGMAP_CreateObject (SOFTWARE\Microsoft\Fpc) ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc) ISA Setup: CCVR value is 23331072 ISA Setup: Unknown Type (0) !!! ISA Setup: Last CCVR value is 23331072 ISA Setup: At REGMAP_CreateObject (SOFTWARE\Microsoft\Fpc) ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc) ISA Setup: sma=1 ISA Setup: IsDbgComet returned OK!!! camf=13 ois=4 or=565 DstDir=NULL ISA Setup: DecideIfDbgComet: 0 ISA Setup: IsDbgComet - AnswerClause : 0 ISA Setup: IsDbgComet returned OK!!! 
camf=5 ois=4 or=565 DstDir=NULL ISA Setup: ComponentChoosed camf=15 ois=2 or=751 DstDir=C:\msp\ ISA Setup: ComponentChoosed sim=1 ISA Setup: ComponentChoosed camf=15 ois=2 or=821 DstDir=C:\msp\ ISA Setup: ComponentChoosed sim=1 ISA Setup: ComponentChoosed camf=15 ois=2 or=831 DstDir=C:\msp\ ISA Setup: ComponentChoosed sim=1 ISA Setup: ComponentChoosed camf=14 ois=2 or=901 DstDir=C:\msp\ ISA Setup: ComponentChoosed sim=1 ISA Setup: ComponentChoosed camf=12 ois=2 or=901 DstDir=C:\msp\ ISA Setup: ComponentChoosed sim=1 ISA Setup: DoServerAndAdminCommonStuff returned DEFAULT!!! camf=14 ois=2 or=9970 ISA Setup: DoServerAndAdminCommonStuff returned DEFAULT!!! camf=12 ois=2 or=9970 ISA Setup: ComponentChoosed camf=15 ois=4 or=901 DstDir=C:\msp\ ISA Setup: ComponentChoosed sim=1 ISA Setup: ComponentChoosed Compid=2 ISA Setup: ComponentChoosed camf=14 ois=2 or=1001 DstDir=C:\msp\ ISA Setup: ComponentChoosed sim=1 ISA Setup: ComponentChoosed camf=12 ois=2 or=1001 DstDir=C:\msp\ ISA Setup: ComponentChoosed sim=1 ISA Setup: VerifyServerCondition camf=12 ois=2 or=1110 DstDir=C:\msp\ ISA Setup: VerifyServerCondition sma=0 ISA Setup: VerifyServerCondition camfSetModeOfObject returned DEFAULT!!! camf=12
ois=2 or=1110
DstDir=C:\msp\ DstDir=C:\msp\
ois=2 or=4005
DstDir=C:\msp\ DstDir=C:\msp\
ois=2 or=1110
Appendix B
ISA SETUP LOG
545
DstDir=C:\msp\ ISA Setup: OldInstTrigger returned OK!!! camf=13 ois=4 or=8000 DstDir=C:\msp\ ISA Setup: DoServerAndAdminCommonStuff returned DEFAULT!!! camf=14 ois=2 or=9970 DstDir=C:\msp\ ISA Setup: DoServerAndAdminCommonStuff returned DEFAULT!!! camf=12 ois=2 or=9970 DstDir=C:\msp\ ISA Setup: ComponentChoosed camf=15 ois=4 or=1001 DstDir=C:\msp\ ISA Setup: ComponentChoosed sim=1 ISA Setup: ComponentChoosed Compid=1 ISA Setup: VerifyServerCondition camf=12 ois=2 or=1110 DstDir=C:\msp\ ISA Setup: VerifyServerCondition sma=1 ISA Setup: VerifyServerCondition camfSetModeOfObject returned DEFAULT!!! camf=12 ois=2 or=1110 DstDir=C:\msp\ ISA Setup: At REGMAP_OpenObject (System\CurrentControlSet\Control\ProductOptions) ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Control\ProductOptions) ISA Setup: Unknown Type (0) for value ProductType !!! ISA Setup: At DecideOnStorageType ISA Setup: DecideOnStorageType did not GetDefaultStorageType (0x80070002) ISA Setup: At DecideOnCometStorageType ISA Setup: At VerifySchemaInstallation ISA Setup: Assuming DS unavailable (Error=0x8007054b) ISA Setup: DecideOnCometStorageType - decide 2 ISA Setup: ValidateStorageTypeSelection - chose continue Registry ISA Setup: JoinDomainArray camf=15 ois=4 or=1116 DstDir=C:\msp\ ISA Setup: At REGMAP_CreateObject (SOFTWARE\Microsoft\Fpc) ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc) ISA Setup: Unknown Type (0) !!! 
ISA Setup: Cannot read CurrentArrayGUID value ISA Setup: GetDefaultStorageType returned Error=0x80070002, setup will use StorageDecision ISA Setup: EnumGetFirstArrayName: OpenChild returned Error=0x80070002 ISA Setup: At DoesCurrentMachineBelongToAnyDomainArray ISA Setup: No array container found ISA Setup: IsCometStorageDS: GetDefaultStorageType returned Error=0x80070002, setup will use StorageDecision ISA Setup: IsCometStorageDS: GetDefaultStorageType returned Error=0x80070002, setup will use StorageDecision ISA Setup: IsCometStorageDS: GetDefaultStorageType returned Error=0x80070002, setup will use StorageDecision ISA Setup: NOT in ClusterMode. The Array ABC1 is new ISA Setup: PredictFullMigrate : Entered function ISA Setup: IsCometStorageDS: GetDefaultStorageType returned Error=0x80070002, setup will use StorageDecision ISA Setup: IsCometStorageDS: GetDefaultStorageType returned Error=0x80070002, setup will use StorageDecision ISA Setup: At REGMAP_CreateObject (System\CurrentControlSet\Services\W3Proxy\Parameters\MemberArray) ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\W3Proxy\Parameters\MemberArray) ISA Setup: Unknown Type (0) for value EnableArray !!! ISA Setup: userwantsmigration = 1 ISA Setup: NetStop camf=15 ois=4 or=1131 DstDir=C:\msp\ ISA Setup: NetStoping Fwsrv ISA Setup: NetStop returned OK!!! camf=15 ois=4 or=1131 DstDir=C:\msp\ ISA Setup: NetStop camf=15 ois=4 or=1140 DstDir=C:\msp\ ISA Setup: NetStoping W3Proxy ISA Setup: NetStop returned OK!!! camf=15 ois=4 or=1140 DstDir=C:\msp\ ISA Setup: NetStop camf=15 ois=4 or=1145 DstDir=C:\msp\ ISA Setup: NetStoping SMTPSvc ISA Setup: NetStop returned OK!!! camf=15 ois=4 or=1145 DstDir=C:\msp\
continues
546
Appendix B
ISA SETUP LOG
continued ISA Setup: NetStop camf=15 ois=4 or=1146 DstDir=C:\msp\ ISA Setup: NetStoping w3svc ISA Setup: NetStop returned OK!!! camf=15 ois=4 or=1146 DstDir=C:\msp\ ISA Setup: NetStop camf=15 ois=4 or=1147 DstDir=C:\msp\ ISA Setup: NetStoping SharedAccess ISA Setup: NetStop returned OK!!! camf=15 ois=4 or=1147 DstDir=C:\msp\ ISA Setup: NetStop camf=15 ois=4 or=1150 DstDir=C:\msp\ ISA Setup: NetStoping GKSVC ISA Setup: NetStop returned OK!!! camf=15 ois=4 or=1150 DstDir=C:\msp\ ISA Setup: NetStop camf=15 ois=4 or=1151 DstDir=C:\msp\ ISA Setup: NetStoping w3schdwn ISA Setup: NetStop returned OK!!! camf=15 ois=4 or=1151 DstDir=C:\msp\ ISA Setup: NetStop camf=15 ois=4 or=1153 DstDir=C:\msp\ ISA Setup: NetStoping RemoteAccess ISA Setup: NetStop returned OK!!! camf=15 ois=4 or=1153 DstDir=C:\msp\ ISA Setup: NetStop camf=15 ois=4 or=1160 DstDir=C:\msp\ ISA Setup: NetStoping snmp ISA Setup: NetStop returned OK!!! camf=15 ois=4 or=1160 DstDir=C:\msp\ ISA Setup: NetStop camf=15 ois=4 or=1161 DstDir=C:\msp\ ISA Setup: NetStoping mspfltex ISA Setup: NetStop returned OK!!! camf=15 ois=4 or=1161 DstDir=C:\msp\ ISA Setup: NetStop camf=15 ois=4 or=1165 DstDir=C:\msp\ ISA Setup: NetStoping IpFilterDriver ISA Setup: not stopping PF Filter driver since not replaced ISA Setup: NetStop returned OK!!! camf=15 ois=4 or=1165 DstDir=C:\msp\ ISA Setup: SetCacheDir camf=15 ois=4 or=1170 DstDir=C:\msp\ ISA Setup: At REGMAP_CreateObject (SYSTEM\CurrentControlSet\Services\EXIFS\Parameters) ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SYSTEM\CurrentControlSet\Services\EXIFS\Parameters) ISA Setup: Unknown Type (0) for value DriveLetter !!! 
ISA Setup: At RcFindHardDrives ISA Setup: AddCacheInfo ISA Setup: At GetStorageCacheEntry ISA Setup: GetDefaultStorageType returned Error=0x80070002, setup will use StorageDecision ISA Setup: can’t get current array storage object ISA Setup: At REGMAP_OpenObject (System\CurrentControlSet\Services\W3PCache\Parameters\Paths\Path1) ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\W3PCache\Parameters\Paths\Path1) ISA Setup: Unknown Type (0) for value CachePath !!! ISA Setup: Unknown Type (0) for value CacheLimit !!! ISA Setup: Succeed in using Registry for CacheEntry 1 ISA Setup: found p2 cache ISA Setup: At REGMAP_OpenObject (System\CurrentControlSet\Services\W3PCache\Parameters\Paths\Path2) ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\W3PCache\Parameters\Paths\Path2) ISA Setup: Unknown Type (0) for value CachePath !!! ISA Setup: Unknown Type (0) for value CacheLimit !!! ISA Setup: Succeed in using Registry for CacheEntry 2 ISA Setup: found p2 cache ISA Setup: At REGMAP_OpenObject (System\CurrentControlSet\Services\W3PCache\Parameters\Paths\Path3) ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\W3PCache\Parameters\Paths\Path3) ISA Setup: Unknown Type (0) for value CachePath !!! ISA Setup: Unknown Type (0) for value CacheLimit !!! ISA Setup: Succeed in using Registry for CacheEntry 3 ISA Setup: found p2 cache
Appendix B
ISA SETUP LOG
547
ISA Setup: At REGMAP_OpenObject (System\CurrentControlSet\Services\W3PCache\Parameters\Paths\Path4) ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\W3PCache\Parameters\Paths\Path4) ISA Setup: Unknown Type (0) for value CachePath !!! ISA Setup: Unknown Type (0) for value CacheLimit !!! ISA Setup: Succeed in using Registry for CacheEntry 4 ISA Setup: found p2 cache ISA Setup: At REGMAP_OpenObject (System\CurrentControlSet\Services\W3PCache\Parameters\Paths\Path5) ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\W3PCache\Parameters\Paths\Path5) ISA Setup: Unknown Type (0) for value CachePath !!! ISA Setup: Unknown Type (0) for value CacheLimit !!! ISA Setup: Succeed in using Registry for CacheEntry 5 ISA Setup: found p2 cache ISA Setup: At REGMAP_OpenObject (System\CurrentControlSet\Services\W3PCache\Parameters\Paths\Path6) ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\W3PCache\Parameters\Paths\Path6) ISA Setup: Succeed in using Registry for CacheEntry 6 ISA Setup: At REGMAP_OpenObject (System\CurrentControlSet\Services\w3proxy\Parameters) ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\w3proxy\Parameters) ISA Setup: Unknown Type (0) !!! ISA Setup: SetCacheDir returned OK!!! camf=15 ois=4 or=1170 DstDir=C:\msp\ ISA Setup: SetNetConfig camf=15 ois=4 or=1180 DstDir=C:\msp\ ISA Setup: At GetStorageClientConfig ISA Setup: GetDefaultStorageType returned Error=0x80070002, setup will use StorageDecision ISA Setup: can’t get current array storage object. Error=0x80070002 ISA Setup: At REGMAP_CreateObject (SOFTWARE\Microsoft\Fpc) ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc) ISA Setup: Unknown Type (0) !!! 
ISA Setup: At REGMAP_OpenObject (System\CurrentControlSet\Services\w3proxy\Parameters) ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\w3proxy\Parameters) ISA Setup: Unknown Type (0) !!! ISA Setup: Unknown Type (0) !!! ISA Setup: Unknown Type (0) !!! ISA Setup: Unknown Type (0) !!! ISA Setup: Unknown Type (0) !!! ISA Setup: Unknown Type (0) !!! ISA Setup: Unknown Type (0) !!! ISA Setup: Lat Dump : after initialize from existing Lat file ISA ISA ISA ISA ISA ISA
Setup: Setup: Setup: Setup: Setup: Setup:
Num of Lat Strings :3 Lat strings Are: 10.0.0.0 10.255.255.255 172.16.0.0172.31.255.255 192.168.0.0 192.168.255.255 End of Lat dump
ISA ISA ISA ISA ISA ISA
Setup: Setup: Setup: Setup: Setup: Setup:
10.0.0.0 10.255.255.255 172.16.0.0172.31.255.255 192.168.0.0 192.168.255.255 adding button for adapter 169.254.14.41(NETGEAR FA310TX Fast Ethernet PCI Adapter) adding button for adapter 169.254.25.129(MS LoopBack Driver) Adding private address spaces
continues
548
Appendix B
ISA SETUP LOG
continued ISA Setup: Lat Dump : after Construct Table Dialog ISA ISA ISA ISA ISA ISA ISA
Setup: Setup: Setup: Setup: Setup: Setup: Setup:
Num of Lat Strings :4 Lat strings Are: 10.0.0.0 10.255.255.255 192.168.0.0 192.168.255.255 172.16.0.0172.31.255.255 169.254.0.0 169.254.255.255 End of Lat dump
ISA ISA ISA ISA ISA ISA ISA ISA Lat
Setup: Setup: Setup: Setup: Setup: Setup: Setup: Setup: Dump :
10.0.0.0 10.255.255.255 192.168.0.0 192.168.255.255 172.16.0.0172.31.255.255 169.254.0.0 169.254.255.255 adding button for adapter 169.254.14.41(NETGEAR FA310TX Fast Ethernet PCI Adapter) adding button for adapter 169.254.25.129(MS LoopBack Driver) Adding private address spaces
ISA ISA ISA ISA ISA ISA ISA
Setup: Setup: Setup: Setup: Setup: Setup: Setup:
Num of Lat Strings :4 Lat strings Are: 10.0.0.0 10.255.255.255 192.168.0.0 192.168.255.255 172.16.0.0172.31.255.255 169.254.0.0 169.254.255.255 End of Lat dump
ISA ISA ISA ISA ISA ISA ISA ISA ISA ISA ISA
Setup: Setup: Setup: Setup: Setup: Setup: Setup: Setup: Setup: Setup: Setup:
10.0.0.0 10.255.255.255 192.168.0.0 192.168.255.255 172.16.0.0172.31.255.255 169.254.0.0 169.254.255.255 SetNetConfig returned OK!!! camf=15 ois=4 or=1180 DstDir=C:\msp\ NetStop camf=15 ois=4 or=1193 DstDir=C:\msp\ NetStoping mspnat NetStop returned OK!!! camf=15 ois=4 or=1193 DstDir=C:\msp\ NetShare camf=15 ois=4 or=1468 DstDir=C:\msp\ Net stop Sharing mspclnt NWDelShare : Did not del volume path to mspclnt ret status=0x6ba
after Construct Table Dialog
ISA Setup: Delete share mspclnt Ok ISA Setup: NetShare returned OK!!! camf=15 ois=4 or=1468 DstDir=C:\msp\ ISA Setup: VerifyServerCondition camf=12 ois=2 or=4005 DstDir=C:\msp\ ISA Setup: VerifyServerCondition sma=1 ISA Setup: VerifyServerCondition camfSetModeOfObject returned DEFAULT!!! camf=12 ois=2 or=4005 DstDir=C:\msp\ ISA Setup: FindGibraltarDir - AnswerClause : 1 ISA Setup: FindGibraltarDir - InetmgrPath = G:\WINNTNT\System32\inetsrv\inetmgr.exe ISA Setup: NetStop camf=15 ois=4 or=4210 DstDir=C:\msp\ ISA Setup: NetStoping mspadmin ISA Setup: NetStop returned OK!!! camf=15 ois=4 or=4210 DstDir=C:\msp\ ISA Setup: NetStop camf=15 ois=4 or=4220 DstDir=C:\msp\ ISA Setup: NetStoping wspsrv ISA Setup: NetStop returned OK!!! camf=15 ois=4 or=4220 DstDir=C:\msp\ ISA Setup: NetStop camf=15 ois=4 or=4230 DstDir=C:\msp\
Appendix B
ISA ISA ISA ISA ISA ISA ISA ISA ISA ISA ISA ISA ISA ISA ISA ISA ISA ISA ISA ISA ISA ISA ISA ISA ISA ISA ISA ISA ISA ISA ISA ISA ISA ISA ISA ISA ISA ISA ISA ISA ISA ISA ISA ISA ISA ISA ISA ISA ISA ISA ISA ISA ISA ISA ISA ISA
Setup: Setup: Setup: Setup: Setup: Setup: Setup: Setup: Setup: Setup: Setup: Setup: Setup: Setup: Setup: Setup: Setup: Setup: Setup: Setup: Setup: Setup: Setup: Setup: Setup: Setup: Setup: Setup: Setup: Setup: Setup: Setup: Setup: Setup: Setup: Setup: Setup: Setup: Setup: Setup: Setup: Setup: Setup: Setup: Setup: Setup: Setup: Setup: Setup: Setup: Setup: Setup: Setup: Setup: Setup: Setup:
549
ISA SETUP LOG
NetStoping mailalrt —-stopping mailalrt
NetStop : verify state on exit mailalrt 1
NetStop returned OK!!! camf=15 ois=4 or=4230 DstDir=C:\msp\
NetStop camf=15 ois=4 or=4240 DstDir=C:\msp\
NetStoping MSFtpSvc
NetStop returned OK!!! camf=15 ois=4 or=4240 DstDir=C:\msp\
NetStop camf=15 ois=4 or=4260 DstDir=C:\msp\
NetStoping GopherSvc
NetStop returned OK!!! camf=15 ois=4 or=4260 DstDir=C:\msp\
NetStop camf=15 ois=4 or=4280 DstDir=C:\msp\
NetStoping NNTPSvc
NetStop returned OK!!! camf=15 ois=4 or=4280 DstDir=C:\msp\
NetStop camf=15 ois=4 or=4300 DstDir=C:\msp\
NetStoping iisadmin —-stopping iisadmin
service iisadmin state 4 checkpoint=0
service iisadmin state 3 checkpoint=1
NetStop : verify state on exit iisadmin 1
NetStop returned OK!!! camf=15 ois=4 or=4300 DstDir=C:\msp\
OldInstTrigger- AnswerClause : 0
OldInstTrigger returned OK!!! camf=5 ois=4 or=8000 DstDir=C:\msp\
DoServerAndAdminCommonStuff returned DEFAULT!!! camf=14 ois=4 or=9970 DstDir=C:\msp\
DoServerAndAdminCommonStuff returned DEFAULT!!! camf=12 ois=4 or=9970 DstDir=C:\msp\
DoServerAndAdminCommonStuff returned DEFAULT!!! camf=15 ois=4 or=9970 DstDir=C:\msp\
ComponentChoosed camf=16 ois=2 or=751 DstDir=C:\msp\
ComponentChoosed sim=1
ComponentChoosed camf=16 ois=2 or=821 DstDir=C:\msp\
ComponentChoosed sim=1
ComponentChoosed camf=16 ois=2 or=831 DstDir=C:\msp\
ComponentChoosed sim=1
ComponentChoosed camf=16 ois=4 or=901 DstDir=C:\msp\
ComponentChoosed sim=1
ComponentChoosed camf=16 ois=4 or=1001 DstDir=C:\msp\
ComponentChoosed sim=1
NetStop camf=16 ois=4 or=1065 DstDir=C:\msp\
NetStoping isactrl
NetStop returned OK!!! camf=16 ois=4 or=1065 DstDir=C:\msp\
NetStop camf=16 ois=4 or=1155 DstDir=C:\msp\
NetStoping isactrl
NetStop returned OK!!! camf=16 ois=4 or=1155 DstDir=C:\msp\
DoServerAndAdminCommonStuff returned DEFAULT!!! camf=16 ois=4 or=9970 DstDir=C:\msp\
ComponentChoosed camf=17 ois=2 or=751 DstDir=C:\msp\
ComponentChoosed sim=1
ComponentChoosed camf=17 ois=2 or=821 DstDir=C:\msp\
ComponentChoosed sim=1
ComponentChoosed camf=17 ois=2 or=831 DstDir=C:\msp\
ComponentChoosed sim=1
ComponentChoosed camf=17 ois=4 or=901 DstDir=C:\msp\
ComponentChoosed sim=1
ComponentChoosed camf=17 ois=4 or=1001 DstDir=C:\msp\
ComponentChoosed sim=1
DoServerAndAdminCommonStuff returned DEFAULT!!! camf=17 ois=4 or=9970 DstDir=C:\msp\
VerifyISAConditions camf=21 ois=4 or=501 DstDir=C:\msp\
At REGMAP_CreateObject (SOFTWARE\Microsoft\Fpc)
At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
Appendix B
ISA SETUP LOG
ISA Setup: RegSetValueExA: Succeeded to set property InstallDirectory to CometStorage
ISA Setup: ComponentChoosed camf=21 ois=2 or=751 DstDir=C:\msp\
ISA Setup: ComponentChoosed sim=1
ISA Setup: ComponentChoosed camf=21 ois=2 or=821 DstDir=C:\msp\
ISA Setup: ComponentChoosed sim=1
ISA Setup: ComponentChoosed camf=21 ois=2 or=831 DstDir=C:\msp\
ISA Setup: ComponentChoosed sim=1
ISA Setup: ComponentChoosed camf=21 ois=4 or=901 DstDir=C:\msp\
ISA Setup: ComponentChoosed sim=1
ISA Setup: ComponentChoosed camf=21 ois=4 or=1001 DstDir=C:\msp\
ISA Setup: ComponentChoosed sim=1
ISA Setup: Calling CreateRootObjectAndSetVersion
ISA Setup: At CreateRootObjectAndSetVersion
ISA Setup: GetRootParent succeeded (UseDS=0)
ISA Setup: CreateRootObjectAndSetVersion OK
ISA Setup: At REGMAP_CreateObject (System\CurrentControlSet\Services\W3PCache\Parameters\Paths)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\W3PCache\Parameters\Paths)
ISA Setup: At REGMAP_OpenObject (System\CurrentControlSet\Services\W3PCache\Parameters\Paths\Path1)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\W3PCache\Parameters\Paths\Path1)
ISA Setup: Unknown Type (0) !!!
ISA Setup: delete directory G:\urlcache
ISA Setup: delete directory G:\urlcache\dir1
ISA Setup: delete directory G:\urlcache\dir2
ISA Setup: delete directory G:\urlcache\dir3
ISA Setup: delete directory G:\urlcache\dir4
ISA Setup: delete directory G:\urlcache\dir5
ISA Setup: At REGMAP_OpenObject (System\CurrentControlSet\Services\W3PCache\Parameters\Paths\Path2)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\W3PCache\Parameters\Paths\Path2)
ISA Setup: Unknown Type (0) !!!
ISA Setup: At REGMAP_OpenObject (System\CurrentControlSet\Services\W3PCache\Parameters\Paths\Path3)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\W3PCache\Parameters\Paths\Path3)
ISA Setup: Unknown Type (0) !!!
ISA Setup: At REGMAP_OpenObject (System\CurrentControlSet\Services\W3PCache\Parameters\Paths\Path4)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\W3PCache\Parameters\Paths\Path4)
ISA Setup: Unknown Type (0) !!!
ISA Setup: At REGMAP_OpenObject (System\CurrentControlSet\Services\W3PCache\Parameters\Paths\Path5)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\W3PCache\Parameters\Paths\Path5)
ISA Setup: Unknown Type (0) !!!
ISA Setup: At REGMAP_OpenObject (System\CurrentControlSet\Services\W3PCache\Parameters\Paths\Path6)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\W3PCache\Parameters\Paths\Path6)
ISA Setup: RcRemoveProxy2Cache returned 1
ISA Setup: At REGMAP_OpenObject (software\microsoft)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is software\microsoft)
ISA Setup: At REGMAP_OpenObject (w3proxy)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is w3proxy)
ISA Setup: At REGMAP_OpenObject (CurrentVersion)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is CurrentVersion)
ISA Setup: Entering DeleteWAT
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\MS SETUP (ACME)\Table Files)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\MS SETUP (ACME)\Table Files)
ISA Setup: delete directory G:\WINNTNT\help\proxy
ISA Setup: delete directory G:\WINNTNT\help\proxy\htm
ISA Setup: delete directory G:\WINNTNT\help\proxy\htm\images
ISA Setup: delete directory G:\WINNTNT\help\proxy\misc
ISA Setup: delete directory G:\WINNTNT\help\proxy\winhelp
ISA Setup: delete directory G:\WINNTNT\System32\msplogs
ISA Setup: delete directory C:\msp\clients\alpha
ISA Setup: delete directory C:\msp\clients\win3x
ISA Setup: removing proxy2 files from g:\inetpub\scripts
ISA Setup: delete directory g:\inetpub\scripts\Proxy
ISA Setup: DoServerAndAdminCommonStuff returned DEFAULT!!! camf=21 ois=4 or=9970 DstDir=C:\msp\
ISA Setup: entering MoveLogFile
ISA Setup: MoveLogFile about to move log C:\msp\isas.log
ISA Setup: ComponentChoosed camf=22 ois=2 or=751 DstDir=C:\msp\
ISA Setup: ComponentChoosed sim=1
ISA Setup: ComponentChoosed camf=22 ois=2 or=821 DstDir=C:\msp\
ISA Setup: ComponentChoosed sim=1
ISA Setup: ComponentChoosed camf=22 ois=2 or=831 DstDir=C:\msp\
ISA Setup: ComponentChoosed sim=1
ISA Setup: ComponentChoosed camf=22 ois=4 or=901 DstDir=C:\msp\
ISA Setup: ComponentChoosed sim=1
ISA Setup: ComponentChoosed camf=22 ois=4 or=1001 DstDir=C:\msp\
ISA Setup: ComponentChoosed sim=1
ISA Setup: CreateStorageObjects camf=22 ois=4 or=1117 DstDir=C:\msp\
ISA Setup: At REGMAP_CreateObject (SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
ISA Setup: At GetSiteInfo
ISA Setup: At OpenCometEnterpriseRoot
ISA Setup: GetRoot succeeded
ISA Setup: REGMAP_EntryAdd: local_machine\system\currentcontrolset\services\wspsrv\parameters\connectionquota -> msFPCConnectionQuota@DWORD
ISA Setup: REGMAP_EntryAdd: local_machine\system\currentcontrolset\services\wspsrv\parameters\mappingquota -> msFPCMappingQuota@DWORD
ISA Setup: REGMAP_EntryAdd: local_machine\system\currentcontrolset\services\wspsrv\parameters\tcpbuffersize -> msFPCTcpBufferSize@DWORD
ISA Setup: REGMAP_EntryAdd: local_machine\system\currentcontrolset\services\wspsrv\parameters\udpbuffersize -> msFPCUdpBufferSize@DWORD
ISA Setup: REGMAP_EntryAdd: local_machine\system\currentcontrolset\services\wspsrv\parameters\dnscachesize -> msFPCDnsCacheSize@DWORD
ISA Setup: REGMAP_EntryAdd: local_machine\system\currentcontrolset\services\wspsrv\parameters\dnsttlinsecs -> msFPCDnsCacheTtl@DWORD
ISA Setup: REGMAP_EntryAdd: local_machine\system\currentcontrolset\services\wspsrv\parameters -> Arrays@msFPCArrays\{692362C1-072C-4EA6-ACD6-17814AD60401}@msFPCArray\ArrayPolicy@msFPCArrayPolicy\Proxy-WSP@msFPCProxyWSP\
ISA Setup: REGMAP_EntryAdd: local_machine\system\currentcontrolset\services\mspadmin\parameters -> Arrays@msFPCArrays\{692362C1-072C-4EA6-ACD6-17814AD60401}@msFPCArray\ArrayPolicy@msFPCArrayPolicy\Proxy-Packet-Filters@msFPCProxyPacketFilters\
ISA Setup: REGMAP_EntryAdd: local_machine\system\currentcontrolset\services\w3pcache\parameters\protection factor (%) -> msFPCServerProtectFactor@DWORD
ISA Setup: REGMAP_EntryAdd: local_machine\system\currentcontrolset\services\w3pcache\parameters\enable protect -> msFPCServerProtectionEnable@VARBOOL
ISA Setup: REGMAP_EntryAdd: local_machine\system\currentcontrolset\services\w3pcache\parameters\enable ttl -> msFPCCacheEnableTTL@DWORD
ISA Setup: REGMAP_EntryAdd: local_machine\system\currentcontrolset\services\w3pcache\parameters\freshnessinterval -> msFPCFreshnessInterval@DWORD
ISA Setup: REGMAP_EntryAdd: local_machine\system\currentcontrolset\services\w3pcache\parameters\max. protection time (minutes) -> msFPCMaxProtectionTime@DWORD
ISA Setup: REGMAP_EntryAdd: local_machine\system\currentcontrolset\services\w3pcache\parameters -> Arrays@msFPCArrays\{692362C1-072C-4EA6-ACD6-17814AD60401}@msFPCArray\Cache@msFPCCache\Proxy-Cache-Configuration@msFPCProxyCacheConfiguration\
ISA Setup: REGMAP_EntryAdd: local_machine\system\currentcontrolset\services\w3pcache\parameters\age factor (%) -> msFPCAgeFactor@DWORD
ISA Setup: REGMAP_EntryAdd: local_machine\system\currentcontrolset\services\w3pcache\parameters\max interval units -> MaxUnits@DWORD
ISA Setup: REGMAP_EntryAdd: local_machine\system\currentcontrolset\services\w3pcache\parameters\max interval value -> MaxValue@DWORD
ISA Setup: REGMAP_EntryAdd: local_machine\system\currentcontrolset\services\w3pcache\parameters\min interval (minutes) -> MinInterval@DWORD
ISA Setup: REGMAP_EntryAdd: local_machine\system\currentcontrolset\services\w3pcache\parameters\activerefreshaggressiveness -> ACachingPolicy@DWORD
ISA Setup: REGMAP_EntryAdd: local_machine\system\currentcontrolset\services\w3proxy\parameters\dnscachesize -> msFPCDnsCacheSize@DWORD
ISA Setup: REGMAP_EntryAdd: local_machine\system\currentcontrolset\services\w3proxy\parameters\dnsttlinsecs -> msFPCDnsCacheTtl@DWORD
ISA Setup: REGMAP_EntryAdd: local_machine\system\currentcontrolset\services\w3proxy\parameters -> Arrays@msFPCArrays\{692362C1-072C-4EA6-ACD6-17814AD60401}@msFPCArray\ArrayPolicy@msFPCArrayPolicy\WebProxy@msFPCWebProxy\
ISA Setup: At GenServerPublicKey
ISA Setup: GenServerPublicKey OK
ISA Setup: WritePIDInStorage called with pid=54168-000-0199986-44976
ISA Setup: At REGMAP_CreateObject (SYSTEM\CurrentControlSet\Services\EXIFS\Parameters)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SYSTEM\CurrentControlSet\Services\EXIFS\Parameters)
ISA Setup: Unknown Type (0) for value DriveLetter !!!
ISA Setup: At RcFindHardDrives
ISA Setup: AddCacheInfo
ISA Setup: At GetStorageCacheEntry
ISA Setup: Cache object is Proxy-Cache-Directory1
ISA Setup: can’t open/create object Proxy-Cache-Directory1 (hResult=0x80070002)
ISA Setup: At REGMAP_OpenObject (System\CurrentControlSet\Services\W3PCache\Parameters\Paths\Path1)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\W3PCache\Parameters\Paths\Path1)
ISA Setup: Unknown Type (0) for value CachePath !!!
ISA Setup: Unknown Type (0) for value CacheLimit !!!
ISA Setup: Succeed in using Registry for CacheEntry 1
ISA Setup: found p2 cache
ISA Setup: At REGMAP_OpenObject (System\CurrentControlSet\Services\W3PCache\Parameters\Paths\Path2)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\W3PCache\Parameters\Paths\Path2)
ISA Setup: Unknown Type (0) for value CachePath !!!
ISA Setup: Unknown Type (0) for value CacheLimit !!!
ISA Setup: Succeed in using Registry for CacheEntry 2
ISA Setup: found p2 cache
ISA Setup: At REGMAP_OpenObject (System\CurrentControlSet\Services\W3PCache\Parameters\Paths\Path3)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\W3PCache\Parameters\Paths\Path3)
ISA Setup: Unknown Type (0) for value CachePath !!!
ISA Setup: Unknown Type (0) for value CacheLimit !!!
ISA Setup: Succeed in using Registry for CacheEntry 3
ISA Setup: found p2 cache
ISA Setup: At REGMAP_OpenObject (System\CurrentControlSet\Services\W3PCache\Parameters\Paths\Path4)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\W3PCache\Parameters\Paths\Path4)
ISA Setup: Unknown Type (0) for value CachePath !!!
ISA Setup: Unknown Type (0) for value CacheLimit !!!
ISA Setup: Succeed in using Registry for CacheEntry 4
ISA Setup: found p2 cache
ISA Setup: At REGMAP_OpenObject (System\CurrentControlSet\Services\W3PCache\Parameters\Paths\Path5)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\W3PCache\Parameters\Paths\Path5)
ISA Setup: Unknown Type (0) for value CachePath !!!
ISA Setup: Unknown Type (0) for value CacheLimit !!!
ISA Setup: Succeed in using Registry for CacheEntry 5
ISA Setup: found p2 cache
ISA Setup: At REGMAP_OpenObject (System\CurrentControlSet\Services\W3PCache\Parameters\Paths\Path6)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\W3PCache\Parameters\Paths\Path6)
ISA Setup: Succeed in using Registry for CacheEntry 6
ISA Setup: At REGMAP_OpenObject (System\CurrentControlSet\Services\w3proxy\Parameters)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\w3proxy\Parameters)
ISA Setup: REGMAP_Lookup return Arrays@msFPCArrays\{692362C1-072C-4EA6-ACD6-17814AD60401}@msFPCArray\ArrayPolicy@msFPCArrayPolicy\WebProxy@msFPCWebProxy\
ISA Setup: Opening path Arrays@msFPCArrays\{692362C1-072C-4EA6-ACD6-17814AD60401}@msFPCArray\ArrayPolicy@msFPCArrayPolicy\WebProxy@msFPCWebProxy\
ISA Setup: Opening Object Arrays with class msFPCArrays
ISA Setup: Opening Object {692362C1-072C-4EA6-ACD6-17814AD60401} with class msFPCArray
ISA Setup: Opening Object ArrayPolicy with class msFPCArrayPolicy
ISA Setup: Opening Object WebProxy with class msFPCWebProxy
ISA Setup: Unknown Type (0) !!!
ISA Setup: At SetStorageCacheFlags
ISA Setup: At Case 1: DiskCacheFlags
ISA Setup: At CommonSetCache
ISA Setup: At REGMAP_OpenObject (System\CurrentControlSet\Services\W3PCache\Parameters)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\W3PCache\Parameters)
ISA Setup: REGMAP_Lookup return Arrays@msFPCArrays\{692362C1-072C-4EA6-ACD6-17814AD60401}@msFPCArray\Cache@msFPCCache\Proxy-Cache-Configuration@msFPCProxyCacheConfiguration\
ISA Setup: Opening path Arrays@msFPCArrays\{692362C1-072C-4EA6-ACD6-17814AD60401}@msFPCArray\Cache@msFPCCache\Proxy-Cache-Configuration@msFPCProxyCacheConfiguration\
ISA Setup: Opening Object Arrays with class msFPCArrays
ISA Setup: Opening Object {692362C1-072C-4EA6-ACD6-17814AD60401} with class msFPCArray
ISA Setup: Opening Object Cache with class msFPCCache
ISA Setup: Opening Object Proxy-Cache-Configuration with class msFPCProxyCacheConfiguration
ISA Setup: At REGMAP_OpenObject (Paths)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is Paths)
ISA Setup: At REGMAP_OpenObject (Path1)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is Path1)
ISA Setup: At REGMAP_OpenObject (Path2)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is Path2)
ISA Setup: At REGMAP_OpenObject (Path3)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is Path3)
ISA Setup: At REGMAP_OpenObject (Path4)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is Path4)
ISA Setup: At REGMAP_OpenObject (Path5)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is Path5)
ISA Setup: At SetStorageCacheEntry
ISA Setup: GetCurrentArray returned 0. Name={692362C1-072C-4EA6-ACD6-17814AD60401}
ISA Setup: Cache object is Proxy-Cache-Directory1
ISA Setup: Set Cache Entry OK
ISA Setup: SetNetConfig camf=22 ois=4 or=1180 DstDir=C:\msp\
ISA Setup: Lat Dump :
ISA Setup: Num of Lat Strings :4
ISA Setup: Lat strings Are:
ISA Setup: 10.0.0.0 10.255.255.255
ISA Setup: 169.254.0.0 169.254.255.255
ISA Setup: 172.16.0.0 172.31.255.255
ISA Setup: 192.168.0.0 192.168.255.255
ISA Setup: End of Lat dump
before saving LAT
ISA Setup: Lat Was Saved
ISA Setup: SetNetConfig returned OK!!! camf=22 ois=4 or=1180 DstDir=C:\msp\
ISA Setup: after GetInternalNetAddresses 801656 2 2
ISA Setup: CreateLink camf=22 ois=4 or=1400 DstDir=C:\msp\
ISA Setup: CreateLink - szData is msisaprf.msc
ISA Setup: MyRemoveShortcutGroup
ISA Setup: At REGMAP_OpenObject (Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders)
ISA Setup: Unknown Type (0) for value Common Programs !!!
ISA Setup: will put shortcuts in G:\WINNTNT\Profiles\All Users\Start Menu\Programs
ISA Setup: Start menu path is G:\WINNTNT\Profiles\All Users\Start Menu\Programs
ISA Setup: About to delete: G:\WINNTNT\Profiles\All Users\Start Menu\Programs\Microsoft Proxy Server
ISA Setup: At Delnode of G:\WINNTNT\Profiles\All Users\Start Menu\Programs\Microsoft Proxy Server
ISA Setup: Delnode OK
ISA Setup: MyRemoveShortcutGroup
ISA Setup: At REGMAP_OpenObject (Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders)
ISA Setup: Unknown Type (0) for value Common Programs !!!
ISA Setup: will put shortcuts in G:\WINNTNT\Profiles\All Users\Start Menu\Programs
ISA Setup: Start menu path is G:\WINNTNT\Profiles\All Users\Start Menu\Programs
ISA Setup: About to delete: G:\WINNTNT\Profiles\All Users\Start Menu\Programs\Microsoft Proxy Server
ISA Setup: At Delnode of G:\WINNTNT\Profiles\All Users\Start Menu\Programs\Microsoft Proxy Server
ISA Setup: MyRemoveShortcutGroup
ISA Setup: At REGMAP_OpenObject (Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders)
ISA Setup: Unknown Type (0) for value Common Programs !!!
ISA Setup: will put shortcuts in G:\WINNTNT\Profiles\All Users\Start Menu\Programs
ISA Setup: Start menu path is G:\WINNTNT\Profiles\All Users\Start Menu\Programs
ISA Setup: About to delete: G:\WINNTNT\Profiles\All Users\Start Menu\Programs\Microsoft Comet Server
ISA Setup: At Delnode of G:\WINNTNT\Profiles\All Users\Start Menu\Programs\Microsoft Comet Server
ISA Setup: At REGMAP_OpenObject (Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders)
ISA Setup: Unknown Type (0) for value Common Programs !!!
ISA Setup: will put shortcuts in G:\WINNTNT\Profiles\All Users\Start Menu\Programs
ISA Setup: Delete Shortcut G:\WINNTNT\Profiles\All Users\Start Menu\Programs\Microsoft ISA Server\Monitor Microsoft ISA Server Performance.url returned 0 3
ISA Setup: Delete shortcut dir G:\WINNTNT\Profiles\All Users\Start Menu\Programs\Microsoft ISA Server returned 0 2
ISA Setup: At REGMAP_OpenObject (Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders)
ISA Setup: Unknown Type (0) for value Common Programs !!!
ISA Setup: will put shortcuts in G:\WINNTNT\Profiles\All Users\Start Menu\Programs
ISA Setup: At REGMAP_OpenObject (Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders)
ISA Setup: Unknown Type (0) for value Common Programs !!!
ISA Setup: will put shortcuts in G:\WINNTNT\Profiles\All Users\Start Menu\Programs
ISA Setup: Delete Shortcut G:\WINNTNT\Profiles\All Users\Start Menu\Programs\Microsoft ISA Server\ISA Server Performance Monitor..url returned 0 2
ISA Setup: Delete shortcut dir G:\WINNTNT\Profiles\All Users\Start Menu\Programs\Microsoft ISA Server returned 0 145
ISA Setup: CreateLink returned OK!!! camf=22 ois=4 or=1400 DstDir=C:\msp\
ISA Setup: CreateLink camf=22 ois=4 or=1405 DstDir=C:\msp\
ISA Setup: CreateLink - szData is adialcfg.exe
ISA Setup: MyRemoveShortcutGroup
ISA Setup: At REGMAP_OpenObject (Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders)
ISA Setup: Unknown Type (0) for value Common Programs !!!
ISA Setup: will put shortcuts in G:\WINNTNT\Profiles\All Users\Start Menu\Programs
ISA Setup: Start menu path is G:\WINNTNT\Profiles\All Users\Start Menu\Programs
ISA Setup: About to delete: G:\WINNTNT\Profiles\All Users\Start Menu\Programs\Microsoft Proxy Server
ISA Setup: At Delnode of G:\WINNTNT\Profiles\All Users\Start Menu\Programs\Microsoft Proxy Server
ISA Setup: MyRemoveShortcutGroup
ISA Setup: At REGMAP_OpenObject (Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders)
ISA Setup: Unknown Type (0) for value Common Programs !!!
ISA Setup: will put shortcuts in G:\WINNTNT\Profiles\All Users\Start Menu\Programs
ISA Setup: Start menu path is G:\WINNTNT\Profiles\All Users\Start Menu\Programs
ISA Setup: About to delete: G:\WINNTNT\Profiles\All Users\Start Menu\Programs\Microsoft Proxy Server
ISA Setup: At Delnode of G:\WINNTNT\Profiles\All Users\Start Menu\Programs\Microsoft Proxy Server
ISA Setup: MyRemoveShortcutGroup
ISA Setup: At REGMAP_OpenObject (Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders)
ISA Setup: Unknown Type (0) for value Common Programs !!!
ISA Setup: will put shortcuts in G:\WINNTNT\Profiles\All Users\Start Menu\Programs
ISA Setup: Start menu path is G:\WINNTNT\Profiles\All Users\Start Menu\Programs
ISA Setup: About to delete: G:\WINNTNT\Profiles\All Users\Start Menu\Programs\Microsoft Comet Server
ISA Setup: At Delnode of G:\WINNTNT\Profiles\All Users\Start Menu\Programs\Microsoft Comet Server
ISA Setup: At REGMAP_OpenObject (Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders)
ISA Setup: Unknown Type (0) for value Common Programs !!!
ISA Setup: will put shortcuts in G:\WINNTNT\Profiles\All Users\Start Menu\Programs
ISA Setup: Delete Shortcut G:\WINNTNT\Profiles\All Users\Start Menu\Programs\Microsoft ISA Server\Auto-Dial Configuration.url returned 0 2
ISA Setup: Delete shortcut dir G:\WINNTNT\Profiles\All Users\Start Menu\Programs\Microsoft ISA Server returned 0 145
ISA Setup: CreateLink returned OK!!! camf=22 ois=4 or=1405 DstDir=C:\msp\
ISA Setup: Install/RemoveGKSVCService returned DEFAULT!!! camf=22 ois=2 or=2730 DstDir=C:\msp\
ISA Setup: StartScheduler camf=22 ois=4 or=5003 DstDir=C:\msp\
ISA Setup: Starting Task Scheduler Service
ISA Setup: Start Task Scheduler Ok
ISA Setup: StartScheduler returned OK!!! camf=22 ois=4 or=5003 DstDir=C:\msp\
ISA Setup: AddDailySummarySchedule camf=22 ois=4 or=5004 DstDir=C:\msp\
ISA Setup: Adding the daily summary schedule
ISA Setup: Did not activate the task IsaDailySummary (error 0x80070002)
ISA Setup: AddDailySummarySchedule Ok
ISA Setup: AddDailySummarySchedule Ok
ISA Setup: AddDailySummarySchedule returned OK!!! camf=22 ois=4 or=5004 DstDir=C:\msp\
ISA Setup: SetLastDailySummmayRun camf=22 ois=4 or=5005 DstDir=C:\msp\
ISA Setup: Setting the date of the last daily summary run
ISA Setup: At REGMAP_CreateObject (SOFTWARE\Microsoft\Fpc\Reports)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc\Reports)
ISA Setup: RegSetValueExA: Succeeded to set property LastDailySummaryDate to CometStorage
ISA Setup: RegSetValueExA: Succeeded to set property LastMonthlySummaryDate to CometStorage
ISA Setup: CreateLink camf=22 ois=4 or=9935 DstDir=C:\msp\
ISA Setup: CreateLink - szData is msisa.msc
ISA Setup: MyRemoveShortcutGroup
ISA Setup: At REGMAP_OpenObject (Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders)
ISA Setup: Unknown Type (0) for value Common Programs !!!
ISA Setup: will put shortcuts in G:\WINNTNT\Profiles\All Users\Start Menu\Programs
ISA Setup: Start menu path is G:\WINNTNT\Profiles\All Users\Start Menu\Programs
ISA Setup: About to delete: G:\WINNTNT\Profiles\All Users\Start Menu\Programs\Microsoft Proxy Server
ISA Setup: At Delnode of G:\WINNTNT\Profiles\All Users\Start Menu\Programs\Microsoft Proxy Server
ISA Setup: MyRemoveShortcutGroup
ISA Setup: At REGMAP_OpenObject (Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders)
ISA Setup: Unknown Type (0) for value Common Programs !!!
ISA Setup: will put shortcuts in G:\WINNTNT\Profiles\All Users\Start Menu\Programs
ISA Setup: Start menu path is G:\WINNTNT\Profiles\All Users\Start Menu\Programs
ISA Setup: About to delete: G:\WINNTNT\Profiles\All Users\Start Menu\Programs\Microsoft Proxy Server
ISA Setup: At Delnode of G:\WINNTNT\Profiles\All Users\Start Menu\Programs\Microsoft Proxy Server
ISA Setup: MyRemoveShortcutGroup
ISA Setup: At REGMAP_OpenObject (Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders)
ISA Setup: Unknown Type (0) for value Common Programs !!!
ISA Setup: will put shortcuts in G:\WINNTNT\Profiles\All Users\Start Menu\Programs
ISA Setup: Start menu path is G:\WINNTNT\Profiles\All Users\Start Menu\Programs
ISA Setup: About to delete: G:\WINNTNT\Profiles\All Users\Start Menu\Programs\Microsoft Comet Server
ISA Setup: At Delnode of G:\WINNTNT\Profiles\All Users\Start Menu\Programs\Microsoft Comet Server
ISA Setup: At REGMAP_OpenObject (Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders)
ISA Setup: Unknown Type (0) for value Common Programs !!!
ISA Setup: will put shortcuts in G:\WINNTNT\Profiles\All Users\Start Menu\Programs
ISA Setup: Delete Shortcut G:\WINNTNT\Profiles\All Users\Start Menu\Programs\Microsoft ISA Server\ISA Administration Tool.url returned 0 2
ISA Setup: Delete shortcut dir G:\WINNTNT\Profiles\All Users\Start Menu\Programs\Microsoft ISA Server returned 0 145
ISA Setup: At REGMAP_OpenObject (Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders)
ISA Setup: Unknown Type (0) for value Common Programs !!!
ISA Setup: will put shortcuts in G:\WINNTNT\Profiles\All Users\Start Menu\Programs
ISA Setup: CreateLink returned OK!!! camf=22 ois=4 or=9935 DstDir=C:\msp\
ISA Setup: AddRepGenSchedule camf=22 ois=4 or=9964 DstDir=C:\msp\
ISA Setup: Adding the logon schedule for RepGen.exe
ISA Setup: Did not activate the task ReportGenerator (error 0x80070002)
ISA Setup: AddRepGenSchedule Ok
ISA Setup: AddDailySummarySchedule returned OK!!! camf=22 ois=4 or=9964 DstDir=C:\msp\
ISA Setup: DoServerAndAdminCommonStuff returned DEFAULT!!! camf=22 ois=4 or=9970 DstDir=C:\msp\
ISA Setup: RegisterDLL camf=22 ois=4 or=9992 DstDir=C:\msp\
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
ISA Setup: C:\msp\ wspadmin.dll registered OK
ISA Setup: RegisterDLL camf=23 ois=4 or=540 DstDir=C:\msp\
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
ISA Setup: C:\msp\ msfpccom.dll registered OK
ISA Setup: RegisterDLL camf=23 ois=4 or=550 DstDir=C:\msp\
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
ISA Setup: C:\msp\ alertreg.dll registered OK
ISA Setup: ComponentChoosed camf=23 ois=2 or=751 DstDir=C:\msp\
ISA Setup: ComponentChoosed sim=1
ISA Setup: ComponentChoosed camf=23 ois=2 or=821 DstDir=C:\msp\
ISA Setup: ComponentChoosed sim=1
ISA Setup: ComponentChoosed camf=23 ois=2 or=831 DstDir=C:\msp\
ISA Setup: ComponentChoosed sim=1
ISA Setup: ComponentChoosed camf=23 ois=4 or=901 DstDir=C:\msp\
ISA Setup: ComponentChoosed sim=1
ISA Setup: ComponentChoosed camf=23 ois=4 or=1001 DstDir=C:\msp\
ISA Setup: ComponentChoosed sim=1
ISA Setup: At AddCometDLLToMessageAndCategoryFile System\CurrentControlSet\Services\EventLog\Application\Microsoft ISA Server Control
ISA Setup: At REGMAP_CreateObject (System\CurrentControlSet\Services\EventLog\Application\Microsoft ISA Server Control)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\EventLog\Application\Microsoft ISA Server Control)
ISA Setup: RegSetValueExA: Succeeded to set property EventMessageFile to CometStorage
ISA Setup: RegSetValueExA: Succeeded to set property CategoryMessageFile to CometStorage
ISA Setup: Unknown Type (0) for value CategoryCount !!!
ISA Setup: RegSetValueExA: Succeeded to set property CategoryCount to CometStorage
ISA Setup: Unknown Type (0) for value TypesSupported !!!
ISA Setup: RegSetValueExA: Succeeded to set property TypesSupported to CometStorage
ISA Setup: AddCometDLLToMessageAndCategoryFile OK
ISA Setup: RegisterAppFilter camf=23 ois=4 or=1254 DstDir=C:\msp\
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
ISA Setup: C:\msp\ h323fltr.dll registered OK
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
ISA Setup: C:\msp\ h323fltr.dll installed OK
ISA Setup: RegisterAppFilter camf=23 ois=4 or=1259 DstDir=C:\msp\
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
ISA Setup: C:\msp\ SmtpFltr.dll registered OK
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
ISA Setup: C:\msp\ SmtpFltr.dll installed OK
ISA Setup: RegisterAppFilter camf=23 ois=4 or=1262 DstDir=C:\msp\
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
ISA Setup: C:\msp\ httpfltr.dll registered OK
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
ISA Setup: C:\msp\ httpfltr.dll installed OK
ISA Setup: RegisterAppFilter camf=23 ois=4 or=1263 DstDir=C:\msp\
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
ISA Setup: C:\msp\ socksflt.dll registered OK
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
ISA Setup: C:\msp\ socksflt.dll installed OK
ISA Setup: RegisterAppFilter camf=23 ois=4 or=1264 DstDir=C:\msp\
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
ISA Setup: C:\msp\ ftpfltr.dll registered OK
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
ISA Setup: C:\msp\ ftpfltr.dll installed OK
ISA Setup: RegisterAppFilter camf=23 ois=4 or=1265 DstDir=C:\msp\
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
ISA Setup: C:\msp\ StrmFltr.dll registered OK
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
ISA Setup: C:\msp\ StrmFltr.dll installed OK
ISA Setup: RegisterAppFilter camf=23 ois=4 or=1267 DstDir=C:\msp\
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
ISA Setup: C:\msp\ rpcfltr.dll registered OK
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
ISA Setup: C:\msp\ rpcfltr.dll installed OK
ISA Setup: RegisterAppFilter camf=23 ois=4 or=1268 DstDir=C:\msp\
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
ISA Setup: C:\msp\ issfltr.dll registered OK
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
ISA Setup: C:\msp\ issfltr.dll installed OK
ISA Setup: At AddCometDLLToMessageAndCategoryFile System\CurrentControlSet\Services\EventLog\Application\Microsoft Web Proxy
ISA Setup: At REGMAP_CreateObject (System\CurrentControlSet\Services\EventLog\Application\Microsoft Web Proxy)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\EventLog\Application\Microsoft Web Proxy)
ISA Setup: RegSetValueExA: Succeeded to set property EventMessageFile to CometStorage
ISA Setup: RegSetValueExA: Succeeded to set property CategoryMessageFile to CometStorage
ISA Setup: Unknown Type (0) for value CategoryCount !!!
ISA Setup: RegSetValueExA: Succeeded to set property CategoryCount to CometStorage
ISA Setup: Unknown Type (0) for value TypesSupported !!!
ISA Setup: RegSetValueExA: Succeeded to set property TypesSupported to CometStorage
ISA Setup: AddCometDLLToMessageAndCategoryFile OK
ISA Setup: At AddCometDLLToMessageAndCategoryFile System\CurrentControlSet\Services\EventLog\Application\Microsoft Scheduled Cache Content Download
ISA Setup: At REGMAP_CreateObject (System\CurrentControlSet\Services\EventLog\Application\Microsoft Scheduled Cache Content Download)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\EventLog\Application\Microsoft Scheduled Cache Content Download)
ISA Setup: RegSetValueExA: Succeeded to set property EventMessageFile to CometStorage
ISA Setup: RegSetValueExA: Succeeded to set property CategoryMessageFile to CometStorage
ISA Setup: Unknown Type (0) for value CategoryCount !!!
ISA Setup: RegSetValueExA: Succeeded to set property CategoryCount to CometStorage
ISA Setup: Unknown Type (0) for value TypesSupported !!!
ISA Setup: RegSetValueExA: Succeeded to set property TypesSupported to CometStorage
ISA Setup: AddCometDLLToMessageAndCategoryFile OK
ISA Setup: At AddCometDLLToMessageAndCategoryFile System\CurrentControlSet\Services\EventLog\Application\Microsoft ISA report generator
ISA Setup: At REGMAP_CreateObject (System\CurrentControlSet\Services\EventLog\Application\Microsoft ISA report generator)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\EventLog\Application\Microsoft ISA report generator)
ISA Setup: RegSetValueExA: Succeeded to set property EventMessageFile to CometStorage
ISA Setup: RegSetValueExA: Succeeded to set property CategoryMessageFile to CometStorage
ISA Setup: Unknown Type (0) for value CategoryCount !!!
ISA Setup: RegSetValueExA: Succeeded to set property CategoryCount to CometStorage
ISA Setup: Unknown Type (0) for value TypesSupported !!!
ISA Setup: RegSetValueExA: Succeeded to set property TypesSupported to CometStorage
ISA Setup: AddCometDLLToMessageAndCategoryFile OK
ISA Setup: At AddCometDLLToMessageAndCategoryFile System\CurrentControlSet\Services\EventLog\Application\BwcPerf
ISA Setup: At REGMAP_CreateObject (System\CurrentControlSet\Services\EventLog\Application\BwcPerf)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\EventLog\Application\BwcPerf)
ISA Setup: RegSetValueExA: Succeeded to set property EventMessageFile to CometStorage
ISA Setup: RegSetValueExA: Succeeded to set property CategoryMessageFile to CometStorage
ISA Setup: Unknown Type (0) for value CategoryCount !!!
ISA Setup: RegSetValueExA: Succeeded to set property CategoryCount to CometStorage
ISA Setup: Unknown Type (0) for value TypesSupported !!!
ISA Setup: RegSetValueExA: Succeeded to set property TypesSupported to CometStorage
ISA Setup: AddCometDLLToMessageAndCategoryFile OK
ISA Setup: At AddCometDLLToMessageAndCategoryFile System\CurrentControlSet\Services\EventLog\Application\SmtpEvt
ISA Setup: At REGMAP_CreateObject (System\CurrentControlSet\Services\EventLog\Application\SmtpEvt)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\EventLog\Application\SmtpEvt)
ISA Setup: RegSetValueExA: Succeeded to set property EventMessageFile to CometStorage
ISA Setup: RegSetValueExA: Succeeded to set property CategoryMessageFile to CometStorage
ISA Setup: Unknown Type (0) for value CategoryCount !!!
ISA Setup: RegSetValueExA: Succeeded to set property CategoryCount to CometStorage
ISA Setup: Unknown Type (0) for value TypesSupported !!!
ISA Setup: RegSetValueExA: Succeeded to set property TypesSupported to CometStorage
ISA Setup: AddCometDLLToMessageAndCategoryFile OK
ISA Setup: At AddCometDLLToMessageAndCategoryFile System\CurrentControlSet\Services\EventLog\Application\Microsoft Firewall
ISA Setup: At REGMAP_CreateObject (System\CurrentControlSet\Services\EventLog\Application\Microsoft Firewall)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\EventLog\Application\Microsoft Firewall)
ISA Setup: RegSetValueExA: Succeeded to set property EventMessageFile to CometStorage
ISA Setup: RegSetValueExA: Succeeded to set property CategoryMessageFile to CometStorage
ISA Setup: Unknown Type (0) for value CategoryCount !!!
ISA Setup: RegSetValueExA: Succeeded to set property CategoryCount to CometStorage
ISA Setup: Unknown Type (0) for value TypesSupported !!!
ISA Setup: RegSetValueExA: Succeeded to set property TypesSupported to CometStorage
ISA Setup: AddCometDLLToMessageAndCategoryFile OK
ISA Setup: RegisterDLL camf=23 ois=4 or=5002 DstDir=C:\msp\
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
ISA Setup: C:\msp\ SumGen.dll registered OK
ISA Setup: RegisterDLL camf=23 ois=4 or=9940 DstDir=C:\msp\
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
ISA Setup: C:\msp\ msfpcsnp.dll registered OK
ISA Setup: RegisterDLL camf=23 ois=4 or=9941 DstDir=C:\msp\
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
ISA Setup: C:\msp\ issdnsad.dll registered OK
ISA Setup: RegisterDLL camf=23 ois=4 or=9942 DstDir=C:\msp\
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
ISA Setup: C:\msp\ httpadm.dll registered OK
ISA Setup: RegisterDLL camf=23 ois=4 or=9943 DstDir=C:\msp\
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
ISA Setup: C:\msp\ strmadmn.dll registered OK
ISA Setup: RegisterDLL camf=23 ois=4 or=9944 DstDir=C:\msp\
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
ISA Setup: C:\msp\ h323snap.dll registered OK
ISA Setup: RegisterDLL camf=23 ois=4 or=9947 DstDir=C:\msp\
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
ISA Setup: C:\msp\ socksadm.dll registered OK
ISA Setup: RegisterDLL camf=23 ois=4 or=9950 DstDir=C:\msp\
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
ISA Setup: C:\msp\ SmtpFAdm.dll registered OK
ISA Setup: RegisterDLL camf=23 ois=4 or=9962 DstDir=C:\msp\
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
ISA Setup: C:\msp\ SumGen.dll registered OK
ISA Setup: RegisterDLL camf=23 ois=4 or=9965 DstDir=C:\msp\
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
ISA Setup: C:\msp\ RepSnap.dll registered OK
ISA Setup: RegisterDLL camf=23 ois=4 or=9966 DstDir=C:\msp\
ISA Setup: At AddCometDLLToMessageAndCategoryFile System\CurrentControlSet\Services\EventLog\Application\Microsoft ISA report generator
ISA Setup: At REGMAP_CreateObject (System\CurrentControlSet\Services\EventLog\Application\Microsoft ISA report generator)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\EventLog\Application\Microsoft ISA report generator)
ISA Setup: RegSetValueExA: Succeeded to set property EventMessageFile to CometStorage
ISA Setup: RegSetValueExA: Succeeded to set property CategoryMessageFile to CometStorage
ISA Setup: Unknown Type (0) for value CategoryCount !!!
ISA Setup: Unknown Type (0) for value TypesSupported !!!
ISA Setup: AddCometDLLToMessageAndCategoryFile OK
ISA Setup: DoServerAndAdminCommonStuff returned DEFAULT!!! camf=23 ois=4 or=9970 DstDir=C:\msp\
ISA Setup: RegisterDLL camf=23 ois=4 or=9984 DstDir=C:\msp\
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
ISA Setup: C:\msp\ VPS2.dll registered OK
ISA Setup: VerifyISAConditions camf=24 ois=4 or=501 DstDir=C:\msp\
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\Fpc\)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc\)
ISA Setup: RegSetValueExA: Succeeded to set property AcmeComonents to CometStorage
ISA Setup: At REGMAP_CreateObject (SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
ISA Setup: RegSetValueExA: Succeeded to set property ImagePath to CometStorage
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\MS SETUP (ACME)\Table Files)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\MS SETUP (ACME)\Table Files)
ISA Setup: At REGMAP_CreateObject (Software\Microsoft\Windows\CurrentVersion\UnInstall\Microsoft ISA Server)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is Software\Microsoft\Windows\CurrentVersion\UnInstall\Microsoft ISA Server)
ISA Setup: RegSetValueExA: Succeeded to set property DisplayName to CometStorage
ISA Setup: RegSetValueExA: Succeeded to set property InstallationLocaltion to CometStorage
ISA Setup: RegSetValueExA: Succeeded to set property HelpLink to CometStorage
ISA Setup: RegSetValueExA: Succeeded to set property Publisher to CometStorage
ISA Setup: RegSetValueExA: Succeeded to set property DisplayVersion to CometStorage
ISA Setup: RegSetValueExA: Succeeded to set property VersionMajor to CometStorage
ISA Setup: RegSetValueExA: Succeeded to set property VersionMinor to CometStorage
ISA Setup: RegSetValueExA: Succeeded to set property DisplayIcon to CometStorage
ISA Setup: RegSetValueExA: Succeeded to set property ProductId to CometStorage
ISA Setup: RegSetValueExA: Succeeded to set property UninstallString to CometStorage
ISA Setup: RegSetValueExA: Succeeded to set property ModifyPath to CometStorage
ISA Setup: At REGMAP_CreateObject (Software\Microsoft\Windows\CurrentVersion\UnInstall)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is Software\Microsoft\Windows\CurrentVersion\UnInstall)
ISA Setup: At REGMAP_OpenObject (Microsoft Proxy Server)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is Microsoft Proxy Server)
ISA Setup: At REGMAP_OpenObject (Microsoft Comet Server)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is Microsoft Comet Server)
ISA Setup: SetCPAddRemove camf=24 ois=4 or=560 DstDir=C:\msp\
ISA Setup: SetStorageRegistry camf=24 ois=4 or=585 DstDir=C:\msp\
ISA Setup: At REGMAP_CreateObject (SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateObject (Software\Microsoft\Fpc\Notification Parameters)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is Software\Microsoft\Fpc\Notification Parameters)
ISA Setup: Unknown Type (0) !!!
ISA Setup: Unknown Type (0) !!!
ISA Setup: SetStorageRegistry returned OK!!! camf=24 ois=4 or=585 DstDir=C:\msp\
ISA Setup: ComponentChoosed camf=24 ois=2 or=751 DstDir=C:\msp\
ISA Setup: ComponentChoosed sim=1
ISA Setup: ComponentChoosed camf=24 ois=2 or=821 DstDir=C:\msp\
ISA Setup: ComponentChoosed sim=1
ISA Setup: ComponentChoosed camf=24 ois=2 or=831 DstDir=C:\msp\
ISA Setup: ComponentChoosed sim=1
ISA Setup: ComponentChoosed camf=24 ois=4 or=901 DstDir=C:\msp\
ISA Setup: ComponentChoosed sim=1
ISA Setup: ComponentChoosed camf=24 ois=4 or=1001 DstDir=C:\msp\
ISA Setup: ComponentChoosed sim=1
ISA Setup: whistler? Windows Version: 5.0.2195
ISA Setup: Adding PSCHED Success
ISA Setup: Adding/Removing PSCHED
ISA Setup: TC_NOTIFY_IFC_UP - NETGEAR FA310TX Fast Ethernet Adapter (NGRPCI) - Packet Scheduler Miniport
ISA Setup: InstallMspAdminService camf=24 ois=4 or=1073 DstDir=C:\msp\
ISA Setup: RcInstallService: will installs isactrl as AUTO since it was in the selected components
ISA Setup: Install/RemoveMspAdminService returned OK!!! camf=24 ois=4 or=1073 DstDir=C:\msp\
ISA Setup: DisableService camf=24 ois=4 or=1225 DstDir=C:\msp\
ISA Setup: DisableService raspptft
ISA Setup: DisableService returned OK!!! camf=24 ois=4 or=1225 DstDir=C:\msp\
ISA Setup: SetMspRegistry camf=24 ois=4 or=1230 DstDir=C:\msp\
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\MS SETUP (ACME)\Table Files)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\MS SETUP (ACME)\Table Files)
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\MS SETUP (ACME)\Table Files)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\MS SETUP (ACME)\Table Files)
ISA Setup: IISAdmin or smtpsvc not present or not enabled - will not set smtp properties
ISA Setup: At REGMAP_OpenObject (System\CurrentControlSet\Services\tcpip\parameters)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\tcpip\parameters)
ISA Setup: RegSetValueExA: Succeeded to set property MaxUserPort to CometStorage
ISA Setup: At REGMAP_CreateObject (Software\Microsoft\Fpc\Notification Parameters)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is Software\Microsoft\Fpc\Notification Parameters)
ISA Setup: Unknown Type (0) !!!
ISA Setup: RcMiscPostInstallStuff : tries to move G:\TEMP\\ldif.log to C:\msp\ldif.log
ISA Setup: RcMiscPostInstallStuff: MoveFileEx returned Error 0x2
ISA Setup: RcMiscPostInstallStuff : tries to move G:\TEMP\\ldif.err to C:\msp\ldif.err
ISA Setup: RcMiscPostInstallStuff: MoveFileEx returned Error 0x2
ISA Setup: RcMiscPostInstallStuff : tries to move G:\TEMP\\ldif.wrn to C:\msp\ldif.wrn
ISA Setup: RcMiscPostInstallStuff: MoveFileEx returned Error 0x2
ISA Setup: RcMiscPostInstallStuff : tries to move G:\TEMP\\msisaent.log to C:\msp\msisaent.log
ISA Setup: RcMiscPostInstallStuff: MoveFileEx returned Error 0x2
ISA Setup: RcMiscPostInstallStuff : tries to move G:\TEMP\\secwiz.log to C:\msp\secwiz.log
ISA Setup: RcMiscPostInstallStuff: MoveFileEx returned Error 0x2
ISA Setup: At SetStorageClientConfig
ISA Setup: Set Winsock Client sections
ISA Setup: Deleting ClientConfigSettings
ISA Setup: At CreateGUIDChild
ISA Setup: Creating child. GUID={14AFB26C-DF18-4288-B704-A94A00255694}. Type=msFPCClientSettingsSection
ISA Setup: CreateChild OK
ISA Setup: At CreateGUIDChild
ISA Setup: Creating child. GUID={C9C759C1-FA21-4A52-8257-DC43DEE3449F}. Type=msFPCClientSettingsSection
ISA Setup: CreateChild OK
ISA Setup: At CreateGUIDChild
ISA Setup: Creating child. GUID={C809864F-8C7C-40E4-A802-FE3710854F47}. Type=msFPCClientSettingsSection
ISA Setup: CreateChild OK
ISA Setup: At CreateGUIDChild
ISA Setup: Creating child. GUID={DC2388F9-8776-4131-B326-81E3D28D99D8}. Type=msFPCClientSettingsSection
ISA Setup: CreateChild OK
ISA Setup: At CreateGUIDChild
ISA Setup: Creating child. GUID={50CF967B-2F07-4F9B-8EE2-A5C81F6E1917}. Type=msFPCClientSettingsSection
ISA Setup: CreateChild OK
ISA Setup: At CreateGUIDChild
ISA Setup: Creating child. GUID={C0849E60-B0EA-43D1-BB11-976129104CF9}. Type=msFPCClientSettingsSection
ISA Setup: CreateChild OK
ISA Setup: At CreateGUIDChild
ISA Setup: Creating child. GUID={606594CB-A6DD-4833-BE89-A33951C87314}. Type=msFPCClientSettingsSection
ISA Setup: CreateChild OK
ISA Setup: At CreateGUIDChild
ISA Setup: Creating child. GUID={ED852FE1-D14C-444E-8431-52A0CA9F7DF2}. Type=msFPCClientSettingsSection
ISA Setup: CreateChild OK
ISA Setup: At CreateGUIDChild
ISA Setup: Creating child. GUID={B5380D82-C7D3-49FD-8E41-E5FDA271DC68}. Type=msFPCClientSettingsSection
ISA Setup: CreateChild OK
ISA Setup: At CreateGUIDChild
ISA Setup: Creating child. GUID={E52FB71F-680C-41EB-AF34-5D878A837FDB}. Type=msFPCClientSettingsSection
ISA Setup: CreateChild OK
ISA Setup: At CreateGUIDChild
ISA Setup: Creating child. GUID={2888B210-E62F-454C-9EE3-E6D63CC6D666}. Type=msFPCClientSettingsSection
ISA Setup: CreateChild OK
ISA Setup: At CreateGUIDChild
ISA Setup: Creating child. GUID={077FFB2C-182A-434A-AF8D-C2D231731C9B}. Type=msFPCClientSettingsSection
ISA Setup: CreateChild OK
ISA Setup: At CreateGUIDChild
ISA Setup: Creating child. GUID={6D1FBA7A-590D-4A92-BC10-83D6814992B7}. Type=msFPCClientSettingsSection
ISA Setup: CreateChild OK
ISA Setup: At CreateGUIDChild
ISA Setup: Creating child. GUID={0BE45A60-1FF8-45F9-930B-00A007A69CE0}. Type=msFPCClientSettingsSection
ISA Setup: CreateChild OK
ISA Setup: At CreateGUIDChild
ISA Setup: Creating child. GUID={4385AEBA-47B8-4A33-9F87-176F715FFE69}. Type=msFPCClientSettingsSection
ISA Setup: CreateChild OK
ISA Setup: At CreateGUIDChild
ISA Setup: Creating child. GUID={28E176C1-A8DB-4265-9261-2AD87A073EDD}. Type=msFPCClientSettingsSection
ISA Setup: CreateChild OK
ISA Setup: At CreateGUIDChild
ISA Setup: Creating child. GUID={893B92A2-1BA4-4ABD-92D3-124CEA3A6D12}. Type=msFPCClientSettingsSection
ISA Setup: CreateChild OK
ISA Setup: At CreateGUIDChild
ISA Setup: Creating child. GUID={38277E13-E97E-4ADF-AAA2-344374CABA1C}. Type=msFPCClientSettingsSection
ISA Setup: CreateChild OK
ISA Setup: At CreateGUIDChild
ISA Setup: Creating child. GUID={7B4A16B4-095B-4F23-B653-03D37767B28B}. Type=msFPCClientSettingsSection
ISA Setup: CreateChild OK
ISA Setup: At CreateGUIDChild
ISA Setup: Creating child. GUID={4BCFF717-F2F0-4799-974A-2F23CF919685}. Type=msFPCClientSettingsSection
ISA Setup: CreateChild OK
ISA Setup: Set Direct destinations
ISA Setup: Set backup route
ISA Setup: pClientConfig->wszAutoScriptBackupRoute=DIRECT
ISA Setup: Set Browser auto config URL
ISA Setup: ConfigUrl='http://ABC1:8080/array.dll?Get.Routing.Script'
ISA Setup: Set Winsock client config
ISA Setup: SetStorageClientConfig finished OK
ISA Setup: CoCreateInstance OK
ISA Setup: DestroyProxyMetabaseKeys for filter in site 1. Err=0
ISA Setup: DestroyProxyMetabaseKeys for global filter. Err=0
ISA Setup: At REGMAP_OpenObject (System\CurrentControlSet\Services\W3Svc\Parameters)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\W3Svc\Parameters)
ISA Setup: Unknown Type (0) for value Filter DLLs !!!
ISA Setup: RegSetValueExA: Succeeded to set property Filter DLLs to CometStorage
ISA Setup: Doing CERN Reg Values
ISA Setup: At RcSetClusterModeRegistry
ISA Setup: Doing CERN Reg Values
ISA Setup: At REGMAP_CreateObject (System\CurrentControlSet\Services\w3proxy\Parameters)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\w3proxy\Parameters)
ISA Setup: REGMAP_Lookup return Arrays@msFPCArrays\{692362C1-072C-4EA6-ACD6-17814AD60401}@msFPCArray\ArrayPolicy@msFPCArrayPolicy\WebProxy@msFPCWebProxy\
ISA Setup: Creating path Arrays@msFPCArrays\{692362C1-072C-4EA6-ACD6-17814AD60401}@msFPCArray\ArrayPolicy@msFPCArrayPolicy\WebProxy@msFPCWebProxy\
ISA Setup: Creating Object Arrays with class msFPCArrays
ISA Setup: Creating Object {692362C1-072C-4EA6-ACD6-17814AD60401} with class msFPCArray
ISA Setup: Creating Object ArrayPolicy with class msFPCArrayPolicy
ISA Setup: Creating Object WebProxy with class msFPCWebProxy
ISA Setup: Unknown Type (0) !!!
ISA Setup: Unknown Type (0) !!!
ISA Setup: Unknown Type (0) !!!
ISA Setup: Unknown Type (0) !!!
ISA Setup: At REGMAP_CreateObject (SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
ISA Setup: Unknown Type (0) !!!
ISA Setup: Unknown Type (0) !!!
ISA Setup: Unknown Type (0) !!!
ISA Setup: Unknown Type (0) !!!
ISA Setup: Unknown Type (0) !!!
ISA Setup: Unknown Type (0) !!!
ISA Setup: Unknown Type (0) !!!
ISA Setup: Unknown Type (0) !!!
ISA Setup: Unknown Type (0) !!!
ISA Setup: Unknown Type (0) !!!
ISA Setup: At REGMAP_CreateObject (System\CurrentControlSet\Services\w3proxy\Parameters\Gopher)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\w3proxy\Parameters\Gopher)
ISA Setup: Unknown Type (0) !!!
ISA Setup: At REGMAP_CreateObject (System\CurrentControlSet\Services\w3proxy\Parameters\Ftp)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\w3proxy\Parameters\Ftp)
ISA Setup: Unknown Type (0) !!!
ISA Setup: At REGMAP_CreateObject (System\CurrentControlSet\Services\w3proxy\Parameters\W3)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\w3proxy\Parameters\W3)
ISA Setup: Unknown Type (0) !!!
ISA Setup: At REGMAP_CreateObject (System\CurrentControlSet\Services\w3proxy\Parameters\SSL)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\w3proxy\Parameters\SSL)
ISA Setup: Unknown Type (0) !!!
ISA Setup: At REGMAP_CreateObject (System\CurrentControlSet\Services\w3proxy\Parameters)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\w3proxy\Parameters)
ISA Setup: REGMAP_Lookup return Arrays@msFPCArrays\{692362C1-072C-4EA6-ACD6-17814AD60401}@msFPCArray\ArrayPolicy@msFPCArrayPolicy\WebProxy@msFPCWebProxy\
ISA Setup: Creating path Arrays@msFPCArrays\{692362C1-072C-4EA6-ACD6-17814AD60401}@msFPCArray\ArrayPolicy@msFPCArrayPolicy\WebProxy@msFPCWebProxy\
ISA Setup: Creating Object Arrays with class msFPCArrays
ISA Setup: Creating Object {692362C1-072C-4EA6-ACD6-17814AD60401} with class msFPCArray
ISA Setup: Creating Object ArrayPolicy with class msFPCArrayPolicy
ISA Setup: Creating Object WebProxy with class msFPCWebProxy
ISA Setup: Unknown Type (0) !!!
ISA Setup: dwConnectionNum=96 dwClientNum=300 (MaxHashTableSize=512)
ISA Setup: At REGMAP_CreateObject (System\CurrentControlSet\Services\Tcpip\Parameters)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\Tcpip\Parameters)
ISA Setup: Unknown Type (0) for value MaxHashTableSize !!!
ISA Setup: RegSetValueExA: Succeeded to set property MaxHashTableSize to CometStorage
ISA Setup: At REGMAP_CreateObject (System\CurrentControlSet\Services\w3proxy\Parameters)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\w3proxy\Parameters)
ISA Setup: REGMAP_Lookup return Arrays@msFPCArrays\{692362C1-072C-4EA6-ACD6-17814AD60401}@msFPCArray\ArrayPolicy@msFPCArrayPolicy\WebProxy@msFPCWebProxy\
ISA Setup: Creating path Arrays@msFPCArrays\{692362C1-072C-4EA6-ACD6-17814AD60401}@msFPCArray\ArrayPolicy@msFPCArrayPolicy\WebProxy@msFPCWebProxy\
ISA Setup: Creating Object Arrays with class msFPCArrays
ISA Setup: Creating Object {692362C1-072C-4EA6-ACD6-17814AD60401} with class msFPCArray
ISA Setup: Creating Object ArrayPolicy with class msFPCArrayPolicy
ISA Setup: Creating Object WebProxy with class msFPCWebProxy
ISA Setup: At REGMAP_CreateObject (SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
ISA Setup: Unknown Type (0) !!!
ISA Setup: Unknown Type (0) !!!
ISA Setup: Unknown Type (0) !!!
ISA Setup: Unknown Type (0) !!!
ISA Setup: Unknown Type (0) !!!
ISA Setup: Unknown Type (0) !!!
ISA Setup: Unknown Type (0) !!!
ISA Setup: Unknown Type (0) !!!
ISA Setup: Unknown Type (0) !!!
ISA Setup: At REGMAP_CreateObject (System\CurrentControlSet\Services\w3proxy\Parameters\Gopher)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\w3proxy\Parameters\Gopher)
ISA Setup: Unknown Type (0) !!!
ISA Setup: At REGMAP_CreateObject (System\CurrentControlSet\Services\w3proxy\Parameters\Ftp)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\w3proxy\Parameters\Ftp)
ISA Setup: Unknown Type (0) !!!
ISA Setup: At REGMAP_CreateObject (System\CurrentControlSet\Services\w3proxy\Parameters\W3)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\w3proxy\Parameters\W3)
ISA Setup: Unknown Type (0) !!!
ISA Setup: At REGMAP_CreateObject (System\CurrentControlSet\Services\w3proxy\Parameters\SSL)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\w3proxy\Parameters\SSL)
ISA Setup: Unknown Type (0) !!!
ISA Setup: At REGMAP_CreateObject (System\CurrentControlSet\Services\w3proxy\Parameters)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\w3proxy\Parameters)
ISA Setup: REGMAP_Lookup return Arrays@msFPCArrays\{692362C1-072C-4EA6-ACD6-17814AD60401}@msFPCArray\ArrayPolicy@msFPCArrayPolicy\WebProxy@msFPCWebProxy\
ISA Setup: Creating path Arrays@msFPCArrays\{692362C1-072C-4EA6-ACD6-17814AD60401}@msFPCArray\ArrayPolicy@msFPCArrayPolicy\WebProxy@msFPCWebProxy\
ISA Setup: Creating Object Arrays with class msFPCArrays
ISA Setup: Creating Object {692362C1-072C-4EA6-ACD6-17814AD60401} with class msFPCArray
ISA Setup: Creating Object ArrayPolicy with class msFPCArrayPolicy
ISA Setup: Creating Object WebProxy with class msFPCWebProxy
ISA Setup: Unknown Type (0) !!!
ISA Setup: dwConnectionNum=96 dwClientNum=300 (MaxHashTableSize=512)
ISA Setup: At REGMAP_CreateObject (System\CurrentControlSet\Services\Tcpip\Parameters)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\Tcpip\Parameters)
ISA Setup: Unknown Type (0) for value MaxHashTableSize !!!
ISA Setup: Doing Cache Values
ISA Setup: At REGMAP_CreateObject (System\CurrentControlSet\Services\W3PCache\Parameters)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\W3PCache\Parameters)
ISA Setup: REGMAP_Lookup return Arrays@msFPCArrays\{692362C1-072C-4EA6-ACD6-17814AD60401}@msFPCArray\Cache@msFPCCache\Proxy-Cache-Configuration@msFPCProxyCacheConfiguration\
ISA Setup: Creating path Arrays@msFPCArrays\{692362C1-072C-4EA6-ACD6-17814AD60401}@msFPCArray\Cache@msFPCCache\Proxy-Cache-Configuration@msFPCProxyCacheConfiguration\
ISA Setup: Creating Object Arrays with class msFPCArrays
ISA Setup: Creating Object {692362C1-072C-4EA6-ACD6-17814AD60401} with class msFPCArray
ISA Setup: Creating Object Cache with class msFPCCache
ISA Setup: Creating Object Proxy-Cache-Configuration with class msFPCProxyCacheConfiguration
ISA Setup: Unknown Type (0) !!!
ISA Setup: Unknown Type (0) !!!
ISA Setup: SetMspRegistry returned OK!!! camf=24 ois=4 or=1230 DstDir=C:\msp\
ISA Setup: InstallW3ProxyService camf=24 ois=4 or=1244 DstDir=C:\msp\
ISA Setup: RcInstallService: will installs w3proxy as AUTO since it was in the selected components
ISA Setup: Install/RemoveW3ProxyService returned OK!!! camf=24 ois=4 or=1244 DstDir=C:\msp\
ISA Setup: Install Services camf=24 ois=4 or=1245 DstDir=C:\msp\
ISA Setup: RcInstallService: will installs IpFilterDriver as AUTO since it was in the selected components
ISA Setup: RcInstallService: will installs MspFltEx as AUTO since it was in the selected components
ISA Setup: RcInstallService: will installs MspNAT as AUTO since it was in the selected components
ISA Setup: RcInstallService: will installs fwsrv as AUTO since it was in the selected components
ISA Setup: RcInstallService: will installs w3schdwn as AUTO since it was in the selected components
ISA Setup: InstallWspService returned OK!!! camf=24 ois=4 or=1245 DstDir=C:\msp\
ISA Setup: InstPerfmon camf=24 ois=4 or=1255 DstDir=C:\msp\
ISA Setup: At REGMAP_OpenObject (System\CurrentControlSet\Services\SNMP\Parameters\ExtensionAgents)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\SNMP\Parameters\ExtensionAgents)
ISA Setup: At REGMAP_OpenObject (System\CurrentControlSet\Services\SNMP\Parameters\ExtensionAgents)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\SNMP\Parameters\ExtensionAgents)
ISA Setup: did not find snmp root registry for Proxy
ISA Setup: At REGMAP_CreateObject (SOFTWARE\Microsoft\Fpc\CurrentVersion\H323FLTR)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc\CurrentVersion\H323FLTR)
ISA Setup: RegSetValueExA: Succeeded to set property Pathname to CometStorage
ISA Setup: InstPerfmon returned OK!!! camf=24 ois=4 or=1255 DstDir=C:\msp\
ISA Setup: NetStart camf=24 ois=4 or=1266 DstDir=C:\msp\
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\MS SETUP (ACME)\Table Files)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\MS SETUP (ACME)\Table Files)
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\MS SETUP (ACME)\Table Files)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\MS SETUP (ACME)\Table Files)
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
ISA Setup: At SetProtRulesAndDefsFromProxy2
ISA Setup: At REGMAP_OpenObject (System\CurrentControlSet\Services\wspsrv\parameters)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\wspsrv\parameters)
ISA Setup: REGMAP_Lookup return Arrays@msFPCArrays\{692362C1-072C-4EA6-ACD6-17814AD60401}@msFPCArray\ArrayPolicy@msFPCArrayPolicy\Proxy-WSP@msFPCProxyWSP\
ISA Setup: Opening path Arrays@msFPCArrays\{692362C1-072C-4EA6-ACD6-17814AD60401}@msFPCArray\ArrayPolicy@msFPCArrayPolicy\Proxy-WSP@msFPCProxyWSP\
ISA Setup: Opening Object Arrays with class msFPCArrays
ISA Setup: Opening Object {692362C1-072C-4EA6-ACD6-17814AD60401} with class msFPCArray
ISA Setup: Opening Object ArrayPolicy with class msFPCArrayPolicy
ISA Setup: Opening Object Proxy-WSP with class msFPCProxyWSP
ISA Setup: Unknown Type (0) for value Authentication !!!
ISA Setup: At REGMAP_OpenObject (System\CurrentControlSet\Services\wspsrv\parameters\protocols)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\wspsrv\parameters\protocols)
ISA Setup: Reading Proxy2.0 protocols (largest protocol value size is 68)
ISA Setup: Handling Proxy2.0 Protocol SuperUserPseudoProtocol
ISA Setup: ------------------------------
ISA Setup: ProtDir : NoOfObjects=2 OffProtoDef=0x0 OffProtEACL=0xc
ISA Setup: ProtBuf : 0x13ff988
Appendix B
ISA SETUP LOG
ISA Setup: PRIMARY_PROT_PTR : 0x13ff988
ISA Setup: Has ACL=0
ISA Setup: EACL_PTR : 0x13ff994
ISA Setup: EACL_SIZEPTR : 0x4
ISA Setup: NUM_OF_SEC : 0x0
ISA Setup: —————————————————————
ISA Setup: No need to import Proxy2.0 definition for this protocol
ISA Setup: No need to create a protocol rule for this protocol
ISA Setup: Read next protocol...
ISA Setup: Handling Proxy2.0 Protocol AlphaWorld
ISA Setup: —————————————————————
ISA Setup: ProtDir : NoOfObjects=2 OffProtoDef=0xc OffProtEACL=0x3c
ISA Setup: ProtBuf : 0x13ff988
ISA Setup: PRIMARY_PROT_PTR : 0x13ff994
ISA Setup: Has ACL=0
ISA Setup: EACL_PTR : 0x13ff9c4
ISA Setup: EACL_SIZEPTR : 0x4
ISA Setup: NUM_OF_SEC : 0x5
ISA Setup: —————————————————————
ISA Setup: Need to update protocol definition
ISA Setup: Writing 5 protocol connections
ISA Setup: Updated Secondary protocols
ISA Setup: No need to create a protocol rule for this protocol
ISA Setup: Read next protocol...
ISA Setup: Handling Proxy2.0 Protocol AOL
ISA Setup: —————————————————————
ISA Setup: ProtDir : NoOfObjects=2 OffProtoDef=0xc OffProtEACL=0x14
ISA Setup: ProtBuf : 0x13ff988
ISA Setup: PRIMARY_PROT_PTR : 0x13ff994
ISA Setup: Has ACL=0
ISA Setup: EACL_PTR : 0x13ff99c
ISA Setup: EACL_SIZEPTR : 0x4
ISA Setup: NUM_OF_SEC : 0x0
ISA Setup: —————————————————————
ISA Setup: No need to import Proxy2.0 definition for this protocol
ISA Setup: No need to create a protocol rule for this protocol
ISA Setup: Read next protocol...
ISA Setup: Handling Proxy2.0 Protocol Archie
ISA Setup: —————————————————————
ISA Setup: ProtDir : NoOfObjects=2 OffProtoDef=0xc OffProtEACL=0x1c
ISA Setup: ProtBuf : 0x13ff988
ISA Setup: PRIMARY_PROT_PTR : 0x13ff994
ISA Setup: Has ACL=0
ISA Setup: EACL_PTR : 0x13ff9a4
ISA Setup: EACL_SIZEPTR : 0x4
ISA Setup: NUM_OF_SEC : 0x1
ISA Setup: —————————————————————
ISA Setup: No need to import Proxy2.0 definition for this protocol
ISA Setup: No need to create a protocol rule for this protocol
ISA Setup: Read next protocol...
ISA Setup: Handling Proxy2.0 Protocol DNS
ISA Setup: —————————————————————
ISA Setup: ProtDir : NoOfObjects=2 OffProtoDef=0xc OffProtEACL=0x1c
ISA Setup: ProtBuf : 0x13ff988
ISA Setup: PRIMARY_PROT_PTR : 0x13ff994
ISA Setup: Has ACL=0
ISA Setup: EACL_PTR : 0x13ff9a4
ISA Setup: EACL_SIZEPTR : 0x4
ISA Setup: NUM_OF_SEC : 0x1
ISA Setup: —————————————————————
ISA Setup: No need to import Proxy2.0 definition for this protocol
ISA Setup: No need to create a protocol rule for this protocol
ISA Setup: Read next protocol...
ISA Setup: Handling Proxy2.0 Protocol Echo (TCP)
ISA Setup: —————————————————————
ISA Setup: ProtDir : NoOfObjects=2 OffProtoDef=0xc OffProtEACL=0x14
ISA Setup: ProtBuf : 0x13ff988
ISA Setup: PRIMARY_PROT_PTR : 0x13ff994
ISA Setup: Has ACL=0
ISA Setup: EACL_PTR : 0x13ff99c
ISA Setup: EACL_SIZEPTR : 0x4
ISA Setup: NUM_OF_SEC : 0x0
ISA Setup: —————————————————————
ISA Setup: No need to import Proxy2.0 definition for this protocol
ISA Setup: No need to create a protocol rule for this protocol
ISA Setup: Read next protocol...
ISA Setup: Handling Proxy2.0 Protocol Echo (UDP)
ISA Setup: —————————————————————
ISA Setup: ProtDir : NoOfObjects=2 OffProtoDef=0xc OffProtEACL=0x14
ISA Setup: ProtBuf : 0x13ff988
ISA Setup: PRIMARY_PROT_PTR : 0x13ff994
ISA Setup: Has ACL=0
ISA Setup: EACL_PTR : 0x13ff99c
ISA Setup: EACL_SIZEPTR : 0x4
ISA Setup: NUM_OF_SEC : 0x0
ISA Setup: —————————————————————
ISA Setup: No need to import Proxy2.0 definition for this protocol
ISA Setup: No need to create a protocol rule for this protocol
ISA Setup: Read next protocol...
ISA Setup: Handling Proxy2.0 Protocol Enliven
ISA Setup: —————————————————————
ISA Setup: ProtDir : NoOfObjects=2 OffProtoDef=0xc OffProtEACL=0x14
ISA Setup: ProtBuf : 0x13ff988
ISA Setup: PRIMARY_PROT_PTR : 0x13ff994
ISA Setup: Has ACL=0
ISA Setup: EACL_PTR : 0x13ff99c
ISA Setup: EACL_SIZEPTR : 0x4
ISA Setup: NUM_OF_SEC : 0x0
ISA Setup: —————————————————————
ISA Setup: Need to update protocol definition
ISA Setup: Writing 0 protocol connections
ISA Setup: Updated Secondary protocols
ISA Setup: No need to create a protocol rule for this protocol
ISA Setup: Read next protocol...
ISA Setup: Handling Proxy2.0 Protocol Finger
ISA Setup: —————————————————————
ISA Setup: ProtDir : NoOfObjects=2 OffProtoDef=0xc OffProtEACL=0x14
ISA Setup: ProtBuf : 0x13ff988
ISA Setup: PRIMARY_PROT_PTR : 0x13ff994
ISA Setup: Has ACL=0
ISA Setup: EACL_PTR : 0x13ff99c
ISA Setup: EACL_SIZEPTR : 0x4
ISA Setup: NUM_OF_SEC : 0x0
ISA Setup: —————————————————————
ISA Setup: No need to import Proxy2.0 definition for this protocol
ISA Setup: No need to create a protocol rule for this protocol
ISA Setup: Read next protocol...
ISA Setup: Handling Proxy2.0 Protocol FTP
ISA Setup: —————————————————————
ISA Setup: ProtDir : NoOfObjects=2 OffProtoDef=0xc OffProtEACL=0x2c
ISA Setup: ProtBuf : 0x13ff988
ISA Setup: PRIMARY_PROT_PTR : 0x13ff994
ISA Setup: Has ACL=0
ISA Setup: EACL_PTR : 0x13ff9b4
ISA Setup: EACL_SIZEPTR : 0x4
ISA Setup: NUM_OF_SEC : 0x3
ISA Setup: —————————————————————
ISA Setup: No need to import Proxy2.0 definition for this protocol
ISA Setup: No need to create a protocol rule for this protocol
ISA Setup: Read next protocol...
ISA Setup: Handling Proxy2.0 Protocol Gopher
ISA Setup: —————————————————————
ISA Setup: ProtDir : NoOfObjects=2 OffProtoDef=0xc OffProtEACL=0x14
ISA Setup: ProtBuf : 0x13ff988
ISA Setup: PRIMARY_PROT_PTR : 0x13ff994
ISA Setup: Has ACL=0
ISA Setup: EACL_PTR : 0x13ff99c
ISA Setup: EACL_SIZEPTR : 0x4
ISA Setup: NUM_OF_SEC : 0x0
ISA Setup: —————————————————————
ISA Setup: No need to import Proxy2.0 definition for this protocol
ISA Setup: No need to create a protocol rule for this protocol
ISA Setup: Read next protocol...
ISA Setup: Handling Proxy2.0 Protocol HTTP
ISA Setup: —————————————————————
ISA Setup: ProtDir : NoOfObjects=2 OffProtoDef=0xc OffProtEACL=0x14
ISA Setup: ProtBuf : 0x13ff988
ISA Setup: PRIMARY_PROT_PTR : 0x13ff994
ISA Setup: Has ACL=0
ISA Setup: EACL_PTR : 0x13ff99c
ISA Setup: EACL_SIZEPTR : 0x4
ISA Setup: NUM_OF_SEC : 0x0
ISA Setup: —————————————————————
ISA Setup: No need to import Proxy2.0 definition for this protocol
ISA Setup: No need to create a protocol rule for this protocol
ISA Setup: Read next protocol...
ISA Setup: Handling Proxy2.0 Protocol HTTP-S
ISA Setup: —————————————————————
ISA Setup: ProtDir : NoOfObjects=2 OffProtoDef=0xc OffProtEACL=0x14
ISA Setup: ProtBuf : 0x13ff988
ISA Setup: PRIMARY_PROT_PTR : 0x13ff994
ISA Setup: Has ACL=0
ISA Setup: EACL_PTR : 0x13ff99c
ISA Setup: EACL_SIZEPTR : 0x4
ISA Setup: NUM_OF_SEC : 0x0
ISA Setup: —————————————————————
ISA Setup: No need to import Proxy2.0 definition for this protocol
ISA Setup: No need to create a protocol rule for this protocol
ISA Setup: Read next protocol...
ISA Setup: Handling Proxy2.0 Protocol ICQ
ISA Setup: —————————————————————
ISA Setup: ProtDir : NoOfObjects=2 OffProtoDef=0xc OffProtEACL=0x34
ISA Setup: ProtBuf : 0x13ff988
ISA Setup: PRIMARY_PROT_PTR : 0x13ff994
ISA Setup: Has ACL=0
ISA Setup: EACL_PTR : 0x13ff9bc
ISA Setup: EACL_SIZEPTR : 0x4
ISA Setup: NUM_OF_SEC : 0x4
ISA Setup: —————————————————————
ISA Setup: No need to import Proxy2.0 definition for this protocol
ISA Setup: No need to create a protocol rule for this protocol
ISA Setup: Read next protocol...
ISA Setup: Handling Proxy2.0 Protocol IMAP4
ISA Setup: —————————————————————
ISA Setup: ProtDir : NoOfObjects=2 OffProtoDef=0xc OffProtEACL=0x14
ISA Setup: ProtBuf : 0x13ff988
ISA Setup: PRIMARY_PROT_PTR : 0x13ff994
ISA Setup: Has ACL=0
ISA Setup: EACL_PTR : 0x13ff99c
ISA Setup: EACL_SIZEPTR : 0x4
ISA Setup: NUM_OF_SEC : 0x0
ISA Setup: —————————————————————
ISA Setup: No need to import Proxy2.0 definition for this protocol
ISA Setup: No need to create a protocol rule for this protocol
ISA Setup: Read next protocol...
ISA Setup: Handling Proxy2.0 Protocol IRC
ISA Setup: —————————————————————
ISA Setup: ProtDir : NoOfObjects=2 OffProtoDef=0xc OffProtEACL=0x14
ISA Setup: ProtBuf : 0x13ff988
ISA Setup: PRIMARY_PROT_PTR : 0x13ff994
ISA Setup: Has ACL=0
ISA Setup: EACL_PTR : 0x13ff99c
ISA Setup: EACL_SIZEPTR : 0x4
ISA Setup: NUM_OF_SEC : 0x0
ISA Setup: —————————————————————
ISA Setup: No need to import Proxy2.0 definition for this protocol
ISA Setup: No need to create a protocol rule for this protocol
ISA Setup: Read next protocol...
ISA Setup: Handling Proxy2.0 Protocol LDAP
ISA Setup: —————————————————————
ISA Setup: ProtDir : NoOfObjects=2 OffProtoDef=0xc OffProtEACL=0x14
ISA Setup: ProtBuf : 0x13ff988
ISA Setup: PRIMARY_PROT_PTR : 0x13ff994
ISA Setup: Has ACL=0
ISA Setup: EACL_PTR : 0x13ff99c
ISA Setup: EACL_SIZEPTR : 0x4
ISA Setup: NUM_OF_SEC : 0x0
ISA Setup: —————————————————————
ISA Setup: No need to import Proxy2.0 definition for this protocol
ISA Setup: No need to create a protocol rule for this protocol
ISA Setup: Read next protocol...
ISA Setup: Handling Proxy2.0 Protocol MS NetShow
ISA Setup: —————————————————————
ISA Setup: ProtDir : NoOfObjects=2 OffProtoDef=0xc OffProtEACL=0x1c
ISA Setup: ProtBuf : 0x13ff988
ISA Setup: PRIMARY_PROT_PTR : 0x13ff994
ISA Setup: Has ACL=0
ISA Setup: EACL_PTR : 0x13ff9a4
ISA Setup: EACL_SIZEPTR : 0x4
ISA Setup: NUM_OF_SEC : 0x1
ISA Setup: —————————————————————
ISA Setup: No need to import Proxy2.0 definition for this protocol
ISA Setup: No need to create a protocol rule for this protocol
ISA Setup: Read next protocol...
ISA Setup: Handling Proxy2.0 Protocol MSN
ISA Setup: —————————————————————
ISA Setup: ProtDir : NoOfObjects=2 OffProtoDef=0xc OffProtEACL=0x14
ISA Setup: ProtBuf : 0x13ff988
ISA Setup: PRIMARY_PROT_PTR : 0x13ff994
ISA Setup: Has ACL=0
ISA Setup: EACL_PTR : 0x13ff99c
ISA Setup: EACL_SIZEPTR : 0x4
ISA Setup: NUM_OF_SEC : 0x0
ISA Setup: —————————————————————
ISA Setup: No need to import Proxy2.0 definition for this protocol
ISA Setup: No need to create a protocol rule for this protocol
ISA Setup: Read next protocol...
ISA Setup: Handling Proxy2.0 Protocol Net2Phone
ISA Setup: —————————————————————
ISA Setup: ProtDir : NoOfObjects=2 OffProtoDef=0xc OffProtEACL=0x2c
ISA Setup: ProtBuf : 0x13ff988
ISA Setup: PRIMARY_PROT_PTR : 0x13ff994
ISA Setup: Has ACL=0
ISA Setup: EACL_PTR : 0x13ff9b4
ISA Setup: EACL_SIZEPTR : 0x4
ISA Setup: NUM_OF_SEC : 0x3
ISA Setup: —————————————————————
ISA Setup: No need to import Proxy2.0 definition for this protocol
ISA Setup: No need to create a protocol rule for this protocol
ISA Setup: Read next protocol...
ISA Setup: Handling Proxy2.0 Protocol Net2Phone registration
ISA Setup: —————————————————————
ISA Setup: ProtDir : NoOfObjects=2 OffProtoDef=0xc OffProtEACL=0x14
ISA Setup: ProtBuf : 0x13ff988
ISA Setup: PRIMARY_PROT_PTR : 0x13ff994
ISA Setup: Has ACL=0
ISA Setup: EACL_PTR : 0x13ff99c
ISA Setup: EACL_SIZEPTR : 0x4
ISA Setup: NUM_OF_SEC : 0x0
ISA Setup: —————————————————————
ISA Setup: No need to import Proxy2.0 definition for this protocol
ISA Setup: No need to create a protocol rule for this protocol
ISA Setup: Read next protocol...
ISA Setup: Handling Proxy2.0 Protocol NNTP
ISA Setup: —————————————————————
ISA Setup: ProtDir : NoOfObjects=2 OffProtoDef=0xc OffProtEACL=0x14
ISA Setup: ProtBuf : 0x13ff988
ISA Setup: PRIMARY_PROT_PTR : 0x13ff994
ISA Setup: Has ACL=0
ISA Setup: EACL_PTR : 0x13ff99c
ISA Setup: EACL_SIZEPTR : 0x4
ISA Setup: NUM_OF_SEC : 0x0
ISA Setup: —————————————————————
ISA Setup: No need to import Proxy2.0 definition for this protocol
ISA Setup: No need to create a protocol rule for this protocol
ISA Setup: Read next protocol...
ISA Setup: Handling Proxy2.0 Protocol POP3
ISA Setup: —————————————————————
ISA Setup: ProtDir : NoOfObjects=2 OffProtoDef=0xc OffProtEACL=0x14
ISA Setup: ProtBuf : 0x13ff988
ISA Setup: PRIMARY_PROT_PTR : 0x13ff994
ISA Setup: Has ACL=0
ISA Setup: EACL_PTR : 0x13ff99c
ISA Setup: EACL_SIZEPTR : 0x4
ISA Setup: NUM_OF_SEC : 0x0
ISA Setup: —————————————————————
ISA Setup: No need to import Proxy2.0 definition for this protocol
ISA Setup: No need to create a protocol rule for this protocol
ISA Setup: Read next protocol...
ISA Setup: Handling Proxy2.0 Protocol Real Audio (7070)
ISA Setup: —————————————————————
ISA Setup: ProtDir : NoOfObjects=2 OffProtoDef=0xc OffProtEACL=0x24
ISA Setup: ProtBuf : 0x13ff988
ISA Setup: PRIMARY_PROT_PTR : 0x13ff994
ISA Setup: Has ACL=0
ISA Setup: EACL_PTR : 0x13ff9ac
ISA Setup: EACL_SIZEPTR : 0x4
ISA Setup: NUM_OF_SEC : 0x2
ISA Setup: —————————————————————
ISA Setup: No need to import Proxy2.0 definition for this protocol
ISA Setup: No need to create a protocol rule for this protocol
ISA Setup: Read next protocol...
ISA Setup: Handling Proxy2.0 Protocol Real Audio (7075)
ISA Setup: —————————————————————
ISA Setup: ProtDir : NoOfObjects=2 OffProtoDef=0xc OffProtEACL=0x24
ISA Setup: ProtBuf : 0x13ff988
ISA Setup: PRIMARY_PROT_PTR : 0x13ff994
ISA Setup: Has ACL=0
ISA Setup: EACL_PTR : 0x13ff9ac
ISA Setup: EACL_SIZEPTR : 0x4
ISA Setup: NUM_OF_SEC : 0x2
ISA Setup: —————————————————————
ISA Setup: Handling Proxy2.0 Protocol SMTP (client)
ISA Setup: —————————————————————
ISA Setup: ProtDir : NoOfObjects=2 OffProtoDef=0xc OffProtEACL=0x14
ISA Setup: ProtBuf : 0x13ff988
ISA Setup: PRIMARY_PROT_PTR : 0x13ff994
ISA Setup: Has ACL=0
ISA Setup: EACL_PTR : 0x13ff99c
ISA Setup: EACL_SIZEPTR : 0x4
ISA Setup: NUM_OF_SEC : 0x0
ISA Setup: —————————————————————
ISA Setup: No need to import Proxy2.0 definition for this protocol
ISA Setup: No need to create a protocol rule for this protocol
ISA Setup: Read next protocol...
ISA Setup: Handling Proxy2.0 Protocol Telnet
ISA Setup: —————————————————————
ISA Setup: ProtDir : NoOfObjects=2 OffProtoDef=0xc OffProtEACL=0x14
ISA Setup: ProtBuf : 0x13ff988
ISA Setup: PRIMARY_PROT_PTR : 0x13ff994
ISA Setup: Has ACL=0
ISA Setup: EACL_PTR : 0x13ff99c
ISA Setup: EACL_SIZEPTR : 0x4
ISA Setup: NUM_OF_SEC : 0x0
ISA Setup: —————————————————————
ISA Setup: No need to import Proxy2.0 definition for this protocol
ISA Setup: No need to create a protocol rule for this protocol
ISA Setup: Read next protocol...
ISA Setup: Handling Proxy2.0 Protocol Time (TCP)
ISA Setup: —————————————————————
ISA Setup: ProtDir : NoOfObjects=2 OffProtoDef=0xc OffProtEACL=0x1c
ISA Setup: ProtBuf : 0x13ff988
ISA Setup: PRIMARY_PROT_PTR : 0x13ff994
ISA Setup: Has ACL=0
ISA Setup: EACL_PTR : 0x13ff9a4
ISA Setup: EACL_SIZEPTR : 0x4
ISA Setup: NUM_OF_SEC : 0x1
ISA Setup: —————————————————————
ISA Setup: No need to import Proxy2.0 definition for this protocol
ISA Setup: No need to create a protocol rule for this protocol
ISA Setup: Read next protocol...
ISA Setup: Handling Proxy2.0 Protocol VDOLive
ISA Setup: —————————————————————
ISA Setup: ProtDir : NoOfObjects=2 OffProtoDef=0xc OffProtEACL=0x1c
ISA Setup: ProtBuf : 0x13ff988
ISA Setup: PRIMARY_PROT_PTR : 0x13ff994
ISA Setup: Has ACL=0
ISA Setup: EACL_PTR : 0x13ff9a4
ISA Setup: EACL_SIZEPTR : 0x4
ISA Setup: NUM_OF_SEC : 0x1
ISA Setup: —————————————————————
ISA Setup: Need to update protocol definition
ISA Setup: Writing 1 protocol connections
ISA Setup: Updated Secondary protocols
ISA Setup: No need to create a protocol rule for this protocol
ISA Setup: Read next protocol...
ISA Setup: Handling Proxy2.0 Protocol VXtreme
ISA Setup: —————————————————————
ISA Setup: ProtDir : NoOfObjects=2 OffProtoDef=0xc OffProtEACL=0x34
ISA Setup: ProtBuf : 0x13ff988
ISA Setup: PRIMARY_PROT_PTR : 0x13ff994
ISA Setup: Has ACL=0
ISA Setup: EACL_PTR : 0x13ff9bc
ISA Setup: EACL_SIZEPTR : 0x4
ISA Setup: NUM_OF_SEC : 0x4
ISA Setup: —————————————————————
ISA Setup: Need to update protocol definition
ISA Setup: Writing 4 protocol connections
ISA Setup: Updated Secondary protocols
ISA Setup: No need to create a protocol rule for this protocol
ISA Setup: Read next protocol...
ISA Setup: Handling Proxy2.0 Protocol WhoIs
ISA Setup: —————————————————————
ISA Setup: ProtDir : NoOfObjects=2 OffProtoDef=0xc OffProtEACL=0x14
ISA Setup: ProtBuf : 0x13ff988
ISA Setup: PRIMARY_PROT_PTR : 0x13ff994
ISA Setup: Has ACL=0
ISA Setup: EACL_PTR : 0x13ff99c
ISA Setup: EACL_SIZEPTR : 0x4
ISA Setup: NUM_OF_SEC : 0x0
ISA Setup: —————————————————————
ISA Setup: No need to import Proxy2.0 definition for this protocol
ISA Setup: No need to create a protocol rule for this protocol
ISA Setup: Read next protocol...
ISA Setup: No more Proxy2.0 protocols to handle index=31
ISA Setup: At REGMAP_OpenObject (System\CurrentControlSet\Services\wspsrv\parameters)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\wspsrv\parameters)
ISA Setup: REGMAP_Lookup return Arrays@msFPCArrays\{692362C1-072C-4EA6-ACD6-17814AD60401}@msFPCArray\ArrayPolicy@msFPCArrayPolicy\Proxy-WSP@msFPCProxyWSP\
ISA Setup: Opening path Arrays@msFPCArrays\{692362C1-072C-4EA6-ACD6-17814AD60401}@msFPCArray\ArrayPolicy@msFPCArrayPolicy\Proxy-WSP@msFPCProxyWSP\
ISA Setup: Opening Object Arrays with class msFPCArrays
ISA Setup: Opening Object {692362C1-072C-4EA6-ACD6-17814AD60401} with class msFPCArray
ISA Setup: Opening Object ArrayPolicy with class msFPCArrayPolicy
ISA Setup: Opening Object Proxy-WSP with class msFPCProxyWSP
ISA Setup: At REGMAP_OpenObject (protocols)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is protocols)
ISA Setup: Return 1
ISA Setup: At SetProxyRulsFromProxy2DomainFilters
ISA Setup: At REGMAP_OpenObject (System\CurrentControlSet\Services\w3proxy\parameters\DoFilter)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\w3proxy\parameters\DoFilter)
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value NumDenySites !!!
ISA Setup: Unknown Type (0) for value NumGrantSites !!!
ISA Setup: Creating DenySites
ISA Setup: At REGMAP_OpenObject (System\CurrentControlSet\Services\w3proxy\parameters\DoFilter\DenySites)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\w3proxy\parameters\DoFilter\DenySites)
ISA Setup: Unknown Type (0) !!!
ISA Setup: Unknown Type (0) !!!
ISA Setup: At REGMAP_OpenObject (System\CurrentControlSet\Services\w3proxy\parameters)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\w3proxy\parameters)
ISA Setup: REGMAP_Lookup return Arrays@msFPCArrays\{692362C1-072C-4EA6-ACD6-17814AD60401}@msFPCArray\ArrayPolicy@msFPCArrayPolicy\WebProxy@msFPCWebProxy\
ISA Setup: Opening path Arrays@msFPCArrays\{692362C1-072C-4EA6-ACD6-17814AD60401}@msFPCArray\ArrayPolicy@msFPCArrayPolicy\WebProxy@msFPCWebProxy\
ISA Setup: Opening Object Arrays with class msFPCArrays
ISA Setup: Opening Object {692362C1-072C-4EA6-ACD6-17814AD60401} with class msFPCArray
ISA Setup: Opening Object ArrayPolicy with class msFPCArrayPolicy
ISA Setup: Opening Object WebProxy with class msFPCWebProxy
ISA Setup: At REGMAP_OpenObject (DoFilter)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is DoFilter)
ISA Setup: At REGMAP_OpenObject (DenySites)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is DenySites)
ISA Setup: At REGMAP_OpenObject (GrantSites)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is GrantSites)
ISA Setup: At CreatDODScheduleFromProxy2
ISA Setup: At REGMAP_OpenObject (System\CurrentControlSet\Services\w3proxy\parameters)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\w3proxy\parameters)
ISA Setup: REGMAP_Lookup return Arrays@msFPCArrays\{692362C1-072C-4EA6-ACD6-17814AD60401}@msFPCArray\ArrayPolicy@msFPCArrayPolicy\WebProxy@msFPCWebProxy\
ISA Setup: Opening path Arrays@msFPCArrays\{692362C1-072C-4EA6-ACD6-17814AD60401}@msFPCArray\ArrayPolicy@msFPCArrayPolicy\WebProxy@msFPCWebProxy\
ISA Setup: Opening Object Arrays with class msFPCArrays
ISA Setup: Opening Object {692362C1-072C-4EA6-ACD6-17814AD60401} with class msFPCArray
ISA Setup: Opening Object ArrayPolicy with class msFPCArrayPolicy
ISA Setup: Opening Object WebProxy with class msFPCWebProxy
ISA Setup: Unknown Type (0) for value DialHours !!!
ISA Setup: can’t open value DialHours
ISA Setup: At SetRoutingRulesFromProxy2
ISA Setup: At REGMAP_OpenObject (System\CurrentControlSet\Services\w3proxy\parameters\ChainedArray)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\w3proxy\parameters\ChainedArray)
ISA Setup: Unknown Type (0) for value RouteType !!!
ISA Setup: can’t open value RouteType
ISA Setup: At SetPublishingRulesFromProxy2
ISA Setup: At REGMAP_OpenObject (System\CurrentControlSet\Services\w3proxy\parameters)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\w3proxy\parameters)
ISA Setup: REGMAP_Lookup return Arrays@msFPCArrays\{692362C1-072C-4EA6-ACD6-17814AD60401}@msFPCArray\ArrayPolicy@msFPCArrayPolicy\WebProxy@msFPCWebProxy\
ISA Setup: Opening path Arrays@msFPCArrays\{692362C1-072C-4EA6-ACD6-17814AD60401}@msFPCArray\ArrayPolicy@msFPCArrayPolicy\WebProxy@msFPCWebProxy\
ISA Setup: Opening Object Arrays with class msFPCArrays
ISA Setup: Opening Object {692362C1-072C-4EA6-ACD6-17814AD60401} with class msFPCArray
ISA Setup: Opening Object ArrayPolicy with class msFPCArrayPolicy
ISA Setup: Opening Object WebProxy with class msFPCWebProxy
ISA Setup: Unknown Type (0) !!!
ISA Setup: At REGMAP_OpenObject (System\CurrentControlSet\Services\w3proxy\parameters\ReverseProxy)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\w3proxy\parameters\ReverseProxy)
ISA Setup: Unknown Type (0) for value RouteType !!!
ISA Setup: At REGMAP_OpenObject (System\CurrentControlSet\Services\w3proxy\parameters\ReverseProxy\Mapping)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\w3proxy\parameters\ReverseProxy\Mapping)
ISA Setup: At REGMAP_OpenObject (System\CurrentControlSet\Services\w3proxy\parameters)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\w3proxy\parameters)
ISA Setup: REGMAP_Lookup return Arrays@msFPCArrays\{692362C1-072C-4EA6-ACD6-17814AD60401}@msFPCArray\ArrayPolicy@msFPCArrayPolicy\WebProxy@msFPCWebProxy\
ISA Setup: Opening path Arrays@msFPCArrays\{692362C1-072C-4EA6-ACD6-17814AD60401}@msFPCArray\ArrayPolicy@msFPCArrayPolicy\WebProxy@msFPCWebProxy\
ISA Setup: Opening Object Arrays with class msFPCArrays
ISA Setup: Opening Object {692362C1-072C-4EA6-ACD6-17814AD60401} with class msFPCArray
ISA Setup: Opening Object ArrayPolicy with class msFPCArrayPolicy
ISA Setup: Opening Object WebProxy with class msFPCWebProxy
ISA Setup: At REGMAP_OpenObject (ReverseProxy)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is ReverseProxy)
ISA Setup: At REGMAP_OpenObject (Mapping)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is Mapping)
ISA Setup: At SetAlertsFromProxy2Alerts
ISA Setup: At REGMAP_OpenObject (System\CurrentControlSet\Services\mspadmin\parameters\Alerting)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\mspadmin\parameters\Alerting)
ISA Setup: Unknown Type (0) !!!
ISA Setup: Unknown Type (0) !!!
ISA Setup: Unknown Type (0) !!!
ISA Setup: At REGMAP_OpenObject (System\CurrentControlSet\Services\mspadmin\parameters\Alerting\Packet rate)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\mspadmin\parameters\Alerting\Packet rate)
ISA Setup: Unknown Type (0) for value EnableAlerting !!!
ISA Setup: Unknown Type (0) for value AlertTriggerRate (per second) !!!
ISA Setup: Unknown Type (0) for value DelayBetweenAlerts (minutes) !!!
ISA Setup: Unknown Type (0) for value LogEventOnAlert !!!
ISA Setup: Unknown Type (0) for value SetEventOnAlert !!!
ISA Setup: At REGMAP_OpenObject (System\CurrentControlSet\Services\mspadmin\parameters\Alerting\Protocol violation)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\mspadmin\parameters\Alerting\Protocol violation)
ISA Setup: Unknown Type (0) for value EnableAlerting !!!
ISA Setup: Unknown Type (0) for value AlertTriggerRate (per second) !!!
ISA Setup: Unknown Type (0) for value DelayBetweenAlerts (minutes) !!!
ISA Setup: Unknown Type (0) for value LogEventOnAlert !!!
ISA Setup: Unknown Type (0) for value SetEventOnAlert !!!
ISA Setup: At REGMAP_OpenObject (System\CurrentControlSet\Services\mspadmin\parameters)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\mspadmin\parameters)
ISA Setup: REGMAP_Lookup return Arrays@msFPCArrays\{692362C1-072C-4EA6-ACD6-17814AD60401}@msFPCArray\ArrayPolicy@msFPCArrayPolicy\Proxy-Packet-Filters@msFPCProxyPacketFilters\
ISA Setup: Opening path Arrays@msFPCArrays\{692362C1-072C-4EA6-ACD6-17814AD60401}@msFPCArray\ArrayPolicy@msFPCArrayPolicy\Proxy-Packet-Filters@msFPCProxyPacketFilters\
ISA Setup: Opening Object Arrays with class msFPCArrays
ISA Setup: Opening Object {692362C1-072C-4EA6-ACD6-17814AD60401} with class msFPCArray
ISA Setup: Opening Object ArrayPolicy with class msFPCArrayPolicy
ISA Setup: Opening Object Proxy-Packet-Filters with class msFPCProxyPacketFilters
ISA Setup: At REGMAP_OpenObject (Alerting)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is Alerting)
ISA Setup: At REGMAP_OpenObject (Disk full)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is Disk full)
ISA Setup: At REGMAP_OpenObject (Packet rate)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is Packet rate)
ISA Setup: At REGMAP_OpenObject (Protocol violation)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is Protocol violation)
ISA Setup: At SetPacketFiltersFromProxy2
ISA Setup: At REGMAP_OpenObject (System\CurrentControlSet\Services\mspadmin\Parameters)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\mspadmin\Parameters)
ISA Setup: REGMAP_Lookup return Arrays@msFPCArrays\{692362C1-072C-4EA6-ACD6-17814AD60401}@msFPCArray\ArrayPolicy@msFPCArrayPolicy\Proxy-Packet-Filters@msFPCProxyPacketFilters\
ISA Setup: Opening path Arrays@msFPCArrays\{692362C1-072C-4EA6-ACD6-17814AD60401}@msFPCArray\ArrayPolicy@msFPCArrayPolicy\Proxy-Packet-Filters@msFPCProxyPacketFilters\
ISA Setup: Opening Object Arrays with class msFPCArrays
ISA Setup: Opening Object {692362C1-072C-4EA6-ACD6-17814AD60401} with class msFPCArray
ISA Setup: Opening Object ArrayPolicy with class msFPCArrayPolicy
ISA Setup: Opening Object Proxy-Packet-Filters with class msFPCProxyPacketFilters
ISA Setup: Unknown Type (0) for value PacketFilterEnabled !!!
ISA Setup: At REGMAP_OpenObject (System\CurrentControlSet\Services\mspadmin\Filters)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\mspadmin\Filters)
ISA Setup: At REGMAP_OpenObject (System\CurrentControlSet\Services\mspadmin\Filters\00000001)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\mspadmin\Filters\00000001)
ISA Setup: At FindPredefinedFilter
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: At SetLocalAndRemotePFHost
ISA Setup: Unknown Type (0) for value LocalAddress !!!
ISA Setup: can’t open value LocalAddress
ISA Setup: Unknown Type (0) for value RemoteAddress !!!
ISA Setup: At REGMAP_OpenObject (System\CurrentControlSet\Services\mspadmin\Filters\00000002)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\mspadmin\Filters\00000002)
ISA Setup: At FindPredefinedFilter
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: At SetLocalAndRemotePFHost
ISA Setup: Unknown Type (0) for value LocalAddress !!!
ISA Setup: can’t open value LocalAddress
ISA Setup: Unknown Type (0) for value RemoteAddress !!!
ISA Setup: At REGMAP_OpenObject (System\CurrentControlSet\Services\mspadmin\Filters\00000003)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\mspadmin\Filters\00000003)
ISA Setup: At FindPredefinedFilter
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: At SetLocalAndRemotePFHost
ISA Setup: Unknown Type (0) for value LocalAddress !!!
ISA Setup: can’t open value LocalAddress
ISA Setup: Unknown Type (0) for value RemoteAddress !!!
ISA Setup: At REGMAP_OpenObject (System\CurrentControlSet\Services\mspadmin\Filters\00000004)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\mspadmin\Filters\00000004)
ISA Setup: At FindPredefinedFilter
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
Appendix B
ISA SETUP LOG
581
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: At REGMAP_OpenObject (System\CurrentControlSet\Services\mspadmin\Filters\00000005)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\mspadmin\Filters\00000005)
ISA Setup: At FindPredefinedFilter
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Error: unexpected value for FilterType(=2)
ISA Setup: At REGMAP_OpenObject (System\CurrentControlSet\Services\mspadmin\Filters\00000006)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\mspadmin\Filters\00000006)
ISA Setup: At FindPredefinedFilter
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: At SetLocalAndRemotePFHost
ISA Setup: Unknown Type (0) for value LocalAddress !!!
ISA Setup: can’t open value LocalAddress
ISA Setup: Unknown Type (0) for value RemoteAddress !!!
ISA Setup: At REGMAP_OpenObject (System\CurrentControlSet\Services\mspadmin\Filters\00000007)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\mspadmin\Filters\00000007)
ISA Setup: At FindPredefinedFilter
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: At SetLocalAndRemotePFHost
ISA Setup: Unknown Type (0) for value LocalAddress !!!
ISA Setup: can’t open value LocalAddress
ISA Setup: Unknown Type (0) for value RemoteAddress !!!
ISA Setup: At REGMAP_OpenObject (System\CurrentControlSet\Services\mspadmin\Filters\00000008)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\mspadmin\Filters\00000008)
ISA Setup: At FindPredefinedFilter
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: At SetLocalAndRemotePFHost
ISA Setup: Unknown Type (0) for value LocalAddress !!!
ISA Setup: can’t open value LocalAddress
ISA Setup: Unknown Type (0) for value RemoteAddress !!!
ISA Setup: At REGMAP_OpenObject (System\CurrentControlSet\Services\mspadmin\Filters\00000009)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\mspadmin\Filters\00000009)
ISA Setup: At FindPredefinedFilter
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Error: unexpected value for FilterType(=5)
ISA Setup: At REGMAP_OpenObject (System\CurrentControlSet\Services\mspadmin\Filters\0000000a)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\mspadmin\Filters\0000000a)
ISA Setup: At FindPredefinedFilter
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can’t open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can't open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can't open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can't open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: At SetLocalAndRemotePFHost
ISA Setup: Unknown Type (0) for value LocalAddress !!!
ISA Setup: can't open value LocalAddress
ISA Setup: Unknown Type (0) for value RemoteAddress !!!
ISA Setup: At REGMAP_OpenObject (System\CurrentControlSet\Services\mspadmin\Filters\0000000b)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\mspadmin\Filters\0000000b)
ISA Setup: At FindPredefinedFilter
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can't open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can't open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can't open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can't open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can't open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can't open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can't open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can't open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can't open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can't open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can't open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can't open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can't open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can't open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can't open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value LocalPortHigh !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: Unknown Type (0) for value RemotePortHigh !!!
ISA Setup: can't open value RemotePortHigh
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value PortControlFlags !!!
ISA Setup: Unknown Type (0) for value FilterType !!!
ISA Setup: Unknown Type (0) for value Protocol !!!
ISA Setup: Unknown Type (0) for value Direction !!!
ISA Setup: Unknown Type (0) for value LocalPort !!!
ISA Setup: Unknown Type (0) for value RemotePort !!!
ISA Setup: At SetLocalAndRemotePFHost
ISA Setup: Unknown Type (0) for value LocalAddress !!!
ISA Setup: can't open value LocalAddress
ISA Setup: Unknown Type (0) for value RemoteAddress !!!
ISA Setup: At REGMAP_OpenObject (System\CurrentControlSet\Services\mspadmin)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\mspadmin)
ISA Setup: At REGMAP_OpenObject (Filters)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is Filters)
ISA Setup: At REGMAP_OpenObject (00000001)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is 00000001)
ISA Setup: At REGMAP_OpenObject (00000002)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is 00000002)
ISA Setup: At REGMAP_OpenObject (00000003)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is 00000003)
ISA Setup: At REGMAP_OpenObject (00000004)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is 00000004)
ISA Setup: At REGMAP_OpenObject (00000005)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is 00000005)
ISA Setup: At REGMAP_OpenObject (00000006)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is 00000006)
ISA Setup: At REGMAP_OpenObject (00000007)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is 00000007)
ISA Setup: At REGMAP_OpenObject (00000008)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is 00000008)
ISA Setup: At REGMAP_OpenObject (00000009)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is 00000009)
ISA Setup: At REGMAP_OpenObject (0000000a)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is 0000000a)
ISA Setup: At REGMAP_OpenObject (0000000b)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is 0000000b)
ISA Setup: At SetLogConfigProxy2LogConfig
ISA Setup: At REGMAP_OpenObject (System\CurrentControlSet\Services\wspsrv\Parameters)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\wspsrv\Parameters)
ISA Setup: REGMAP_Lookup return Arrays@msFPCArrays\{692362C1-072C-4EA6-ACD6-17814AD60401}@msFPCArray\ArrayPolicy@msFPCArrayPolicy\Proxy-WSP@msFPCProxyWSP\
ISA Setup: Opening path Arrays@msFPCArrays\{692362C1-072C-4EA6-ACD6-17814AD60401}@msFPCArray\ArrayPolicy@msFPCArrayPolicy\Proxy-WSP@msFPCProxyWSP\
ISA Setup: Opening Object Arrays with class msFPCArrays
ISA Setup: Opening Object {692362C1-072C-4EA6-ACD6-17814AD60401} with class msFPCArray
ISA Setup: Opening Object ArrayPolicy with class msFPCArrayPolicy
ISA Setup: Opening Object Proxy-WSP with class msFPCProxyWSP
ISA Setup: Unknown Type (0) !!!
ISA Setup: Unknown Type (0) !!!
ISA Setup: Unknown Type (0) !!!
ISA Setup: Unknown Type (0) !!!
ISA Setup: Unknown Type (0) !!!
ISA Setup: Unknown Type (0) !!!
ISA Setup: At REGMAP_OpenObject (System\CurrentControlSet\Services\w3proxy\Parameters)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\w3proxy\Parameters)
ISA Setup: REGMAP_Lookup return Arrays@msFPCArrays\{692362C1-072C-4EA6-ACD6-17814AD60401}@msFPCArray\ArrayPolicy@msFPCArrayPolicy\WebProxy@msFPCWebProxy\
ISA Setup: Opening path Arrays@msFPCArrays\{692362C1-072C-4EA6-ACD6-17814AD60401}@msFPCArray\ArrayPolicy@msFPCArrayPolicy\WebProxy@msFPCWebProxy\
ISA Setup: Opening Object Arrays with class msFPCArrays
ISA Setup: Opening Object {692362C1-072C-4EA6-ACD6-17814AD60401} with class msFPCArray
ISA Setup: Opening Object ArrayPolicy with class msFPCArrayPolicy
ISA Setup: Opening Object WebProxy with class msFPCWebProxy
ISA Setup: Unknown Type (0) !!!
ISA Setup: Unknown Type (0) !!!
ISA Setup: Unknown Type (0) !!!
ISA Setup: Unknown Type (0) !!!
ISA Setup: Unknown Type (0) !!!
ISA Setup: Unknown Type (0) !!!
ISA Setup: At REGMAP_OpenObject (System\CurrentControlSet\Services\mspadmin\Parameters)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\mspadmin\Parameters)
ISA Setup: REGMAP_Lookup return Arrays@msFPCArrays\{692362C1-072C-4EA6-ACD6-17814AD60401}@msFPCArray\ArrayPolicy@msFPCArrayPolicy\Proxy-Packet-Filters@msFPCProxyPacketFilters\
ISA Setup: Opening path Arrays@msFPCArrays\{692362C1-072C-4EA6-ACD6-17814AD60401}@msFPCArray\ArrayPolicy@msFPCArrayPolicy\Proxy-Packet-Filters@msFPCProxyPacketFilters\
ISA Setup: Opening Object Arrays with class msFPCArrays
ISA Setup: Opening Object {692362C1-072C-4EA6-ACD6-17814AD60401} with class msFPCArray
ISA Setup: Opening Object ArrayPolicy with class msFPCArrayPolicy
ISA Setup: Opening Object Proxy-Packet-Filters with class msFPCProxyPacketFilters
ISA Setup: Unknown Type (0) !!!
ISA Setup: Unknown Type (0) !!!
ISA Setup: Unknown Type (0) !!!
ISA Setup: Unknown Type (0) !!!
ISA Setup: Unknown Type (0) !!!
ISA Setup: Unknown Type (0) !!!
ISA Setup: At SetSSLPortListFromProxy2
ISA Setup: At REGMAP_OpenObject (System\CurrentControlSet\Services\w3proxy\parameters)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\w3proxy\parameters)
ISA Setup: REGMAP_Lookup return Arrays@msFPCArrays\{692362C1-072C-4EA6-ACD6-17814AD60401}@msFPCArray\ArrayPolicy@msFPCArrayPolicy\WebProxy@msFPCWebProxy\
ISA Setup: Opening path Arrays@msFPCArrays\{692362C1-072C-4EA6-ACD6-17814AD60401}@msFPCArray\ArrayPolicy@msFPCArrayPolicy\WebProxy@msFPCWebProxy\
ISA Setup: Opening Object Arrays with class msFPCArrays
ISA Setup: Opening Object {692362C1-072C-4EA6-ACD6-17814AD60401} with class msFPCArray
ISA Setup: Opening Object ArrayPolicy with class msFPCArrayPolicy
ISA Setup: Opening Object WebProxy with class msFPCWebProxy
ISA Setup: Unknown Type (0) !!!
ISA Setup: Unknown Type (0) !!!
ISA Setup: Unknown Type (0) !!!
ISA Setup: At REGMAP_OpenObject (System\CurrentControlSet\Services\w3pcache\parameters)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\w3pcache\parameters)
ISA Setup: REGMAP_Lookup return Arrays@msFPCArrays\{692362C1-072C-4EA6-ACD6-17814AD60401}@msFPCArray\Cache@msFPCCache\Proxy-Cache-Configuration@msFPCProxyCacheConfiguration\
ISA Setup: Opening path Arrays@msFPCArrays\{692362C1-072C-4EA6-ACD6-17814AD60401}@msFPCArray\Cache@msFPCCache\Proxy-Cache-Configuration@msFPCProxyCacheConfiguration\
ISA Setup: Opening Object Arrays with class msFPCArrays
ISA Setup: Opening Object {692362C1-072C-4EA6-ACD6-17814AD60401} with class msFPCArray
ISA Setup: Opening Object Cache with class msFPCCache
ISA Setup: Opening Object Proxy-Cache-Configuration with class msFPCProxyCacheConfiguration
ISA Setup: Unknown Type (0) for value EnableMaxObjectSize !!!
ISA Setup: Unknown Type (0) for value MaxObjectSize !!!
ISA Setup: At REGMAP_OpenObject (System\CurrentControlSet\Services\w3proxy\parameters)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is System\CurrentControlSet\Services\w3proxy\parameters)
ISA Setup: REGMAP_Lookup return Arrays@msFPCArrays\{692362C1-072C-4EA6-ACD6-17814AD60401}@msFPCArray\ArrayPolicy@msFPCArrayPolicy\WebProxy@msFPCWebProxy\
ISA Setup: Opening path Arrays@msFPCArrays\{692362C1-072C-4EA6-ACD6-17814AD60401}@msFPCArray\ArrayPolicy@msFPCArrayPolicy\WebProxy@msFPCWebProxy\
ISA Setup: Opening Object Arrays with class msFPCArrays
ISA Setup: Opening Object {692362C1-072C-4EA6-ACD6-17814AD60401} with class msFPCArray
ISA Setup: Opening Object ArrayPolicy with class msFPCArrayPolicy
ISA Setup: Opening Object WebProxy with class msFPCWebProxy
ISA Setup: Unknown Type (0) for value FtpTTLSecs !!!
ISA Setup: UpgradeProxy2UsingCom was OK
ISA Setup: At REGMAP_OpenObject (SOFTWARE\Microsoft\Fpc)
ISA Setup: At REGMAP_CreateOrOpenObject (reg key is SOFTWARE\Microsoft\Fpc)
ISA Setup: NetStarting IpFilterDriver ForceFlag=1
ISA Setup: IpFilterDriver has 11 dependent services
ISA Setup: attempting to restart dependent service mailalrt
ISA Setup: will not restart mailalrt since it is Should Never Start On Install
ISA Setup: NetStart returned OK!!! camf=24 ois=4 or=1266 DstDir=C:\msp\
ISA Setup: NetStart camf=24 ois=4 or=1271 DstDir=C:\msp\
ISA Setup: NetStarting w3svc ForceFlag=0
ISA Setup: NetStart returned OK!!! camf=24 ois=4 or=1271 DstDir=C:\msp\
ISA Setup: NetStart camf=24 ois=4 or=1272 DstDir=C:\msp\
ISA Setup: NetStarting SharedAccess ForceFlag=0
ISA Setup: NetStart returned OK!!! camf=24 ois=4 or=1272 DstDir=C:\msp\
ISA Setup: NetStart camf=24 ois=4 or=1275 DstDir=C:\msp\
ISA Setup: NetStarting force isactrl ForceFlag=0
ISA Setup: will not restart force isactrl since it was not running before setup
ISA Setup: NetStart returned OK!!! camf=24 ois=4 or=1275 DstDir=C:\msp\
ISA Setup: UpgradeProxy2Configuration returned DEFAULT!!! camf=24 ois=4 or=1276 DstDir=C:\msp\
ISA Setup: NetStart camf=24 ois=4 or=1278 DstDir=C:\msp\
ISA Setup: NetStarting smtpsvc ForceFlag=0
ISA Setup: will not restart smtpsvc since it was not running before setup
ISA Setup: NetStart returned OK!!! camf=24 ois=4 or=1278 DstDir=C:\msp\
ISA Setup: NetStart camf=24 ois=4 or=1280 DstDir=C:\msp\
ISA Setup: NetStarting Fwsrv ForceFlag=1
ISA Setup: service isactrl state 2 checkpoint=0
APPENDIX C
ISA Upgrade Log
This appendix consists of an ISA upgrade log made during a Proxy Server 2.0 migration.
Isaupgrade.log
Microsoft ISA Server Upgrade Log of 1-1-2001 21:54
----------------
ISA Upgrade: ---Upgrading cache drives
ISA Upgrade: Drive C
ISA Upgrade: Current cache limit 0
ISA Upgrade: File system name FAT
ISA Upgrade: Drive D
ISA Upgrade: Current cache limit 0
ISA Upgrade: File system name NTFS
ISA Upgrade: Drive E
ISA Upgrade: Current cache limit 0
ISA Upgrade: File system name NTFS
ISA Upgrade: Drive F
ISA Upgrade: Current cache limit 0
ISA Upgrade: File system name NTFS
ISA Upgrade: Drive G
ISA Upgrade: Current cache limit 50
ISA Upgrade: File system name NTFS
ISA Upgrade: Upgrade of cache drives succeeded
ISA Upgrade: ---Upgrading client configuration
ISA Upgrade: RWS Name - ABC1
ISA Upgrade: IIS Site Name
ISA Upgrade: Proxy Name - ABC1
ISA Upgrade: Configuration URL - http://ABC1:8080/array.dll?Get.Routing.Script
ISA Upgrade: IP address - 169.254.14.41 - WARNING: the specific IP address that was selected for firewall client configuration from a list of server IP addresses.
ISA Upgrade: Proxy port - 8080
ISA Upgrade: Updated port - 8080
ISA Upgrade: Set type - 1
ISA Upgrade: Set proxy on client - 1
ISA Upgrade: Auto configuration on client - 0
ISA Upgrade: Auto script bypass for local servers - 1
ISA Upgrade: Auto script use backup - 1
ISA Upgrade: Auto script backup route - DIRECT
ISA Upgrade: Auto script bypass names - (null)
ISA Upgrade: Auto script bypass IPs - (null)
ISA Upgrade: Upgrade of client configuration succeeded
ISA Upgrade: ---Upgrading protocols
ISA Upgrade: WARNING: Web Proxy Permissions are not migraded by design
ISA Upgrade: Protocol Name AlphaWorld
ISA Upgrade: Connection Protocol - TCP-IP
ISA Upgrade: Connection Direction Type - Outbound connection
ISA Upgrade: ISA Protocol - FALSE
ISA Upgrade: Connection port - 5670
ISA Upgrade: Upgraded successfully
ISA Upgrade: Protocol Name AOL Instant Messenger
ISA Upgrade: Connection Protocol - TCP-IP
ISA Upgrade: Connection Direction Type - Outbound connection
ISA Upgrade: ISA Protocol - TRUE
ISA Upgrade: Connection port - 5190
ISA Upgrade: Upgraded successfully
ISA Upgrade: Protocol Name Archie
ISA Upgrade: Connection Protocol - UDP-IP UDP
ISA Upgrade: Connection Direction Type - SendReceive connection
ISA Upgrade: ISA Protocol - TRUE
ISA Upgrade: Connection port - 1525
ISA Upgrade: Upgraded successfully
ISA Upgrade: Protocol Name DNS Query
ISA Upgrade: Connection Protocol - UDP-IP UDP
ISA Upgrade: Connection Direction Type - SendReceive connection
ISA Upgrade: ISA Protocol - TRUE
ISA Upgrade: Connection port - 53
ISA Upgrade: Upgraded successfully
ISA Upgrade: Protocol Name Echo (TCP)
ISA Upgrade: Connection Protocol - TCP-IP
ISA Upgrade: Connection Direction Type - Outbound connection
ISA Upgrade: ISA Protocol - TRUE
ISA Upgrade: Connection port - 7
ISA Upgrade: Upgraded successfully
ISA Upgrade: Protocol Name Echo (UDP)
ISA Upgrade: Connection Protocol - UDP-IP UDP
ISA Upgrade: Connection Direction Type - SendReceive connection
ISA Upgrade: ISA Protocol - TRUE
ISA Upgrade: Connection port - 7
ISA Upgrade: Upgraded successfully
ISA Upgrade: Protocol Name Enliven
ISA Upgrade: Connection Protocol - TCP-IP
ISA Upgrade: Connection Direction Type - Outbound connection
ISA Upgrade: ISA Protocol - FALSE
ISA Upgrade: Connection port - 537
ISA Upgrade: Upgraded successfully
ISA Upgrade: Protocol Name Finger
ISA Upgrade: Connection Protocol - TCP-IP
ISA Upgrade: Connection Direction Type - Outbound connection
ISA Upgrade: ISA Protocol - TRUE
ISA Upgrade: Connection port - 79
ISA Upgrade: Upgraded successfully
ISA Upgrade: Protocol Name Gopher
ISA Upgrade: Connection Protocol - TCP-IP
ISA Upgrade: Connection Direction Type - Outbound connection
ISA Upgrade: ISA Protocol - TRUE
ISA Upgrade: Connection port - 70
ISA Upgrade: Upgraded successfully
ISA Upgrade: Protocol Name HTTP
ISA Upgrade: Connection Protocol - TCP-IP
ISA Upgrade: Connection Direction Type - Outbound connection
ISA Upgrade: ISA Protocol - TRUE
ISA Upgrade: Connection port - 80
ISA Upgrade: Upgraded successfully
ISA Upgrade: Protocol Name HTTPS
ISA Upgrade: Connection Protocol - TCP-IP
ISA Upgrade: Connection Direction Type - Outbound connection
ISA Upgrade: ISA Protocol - TRUE
ISA Upgrade: Connection port - 443
ISA Upgrade: Upgraded successfully
ISA Upgrade: Protocol Name ICQ
ISA Upgrade: Connection Protocol - UDP-IP UDP
ISA Upgrade: Connection Direction Type - Send connection
ISA Upgrade: ISA Protocol - TRUE
ISA Upgrade: Connection port - 4000
ISA Upgrade: Upgraded successfully
ISA Upgrade: Protocol Name IMAP4
ISA Upgrade: Connection Protocol - TCP-IP
ISA Upgrade: Connection Direction Type - Outbound connection
ISA Upgrade: ISA Protocol - TRUE
ISA Upgrade: Connection port - 143
ISA Upgrade: Upgraded successfully
ISA Upgrade: Protocol Name IRC
ISA Upgrade: Connection Protocol - TCP-IP
ISA Upgrade: Connection Direction Type - Outbound connection
ISA Upgrade: ISA Protocol - TRUE
ISA Upgrade: Connection port - 6667
ISA Upgrade: Upgraded successfully
ISA Upgrade: Protocol Name LDAP
ISA Upgrade: Connection Protocol - TCP-IP
ISA Upgrade: Connection Direction Type - Outbound connection
ISA Upgrade: ISA Protocol - TRUE
ISA Upgrade: Connection port - 389
ISA Upgrade: Upgraded successfully
ISA Upgrade: Protocol Name MSN
ISA Upgrade: Connection Protocol - TCP-IP
ISA Upgrade: Connection Direction Type - Outbound connection
ISA Upgrade: ISA Protocol - TRUE
ISA Upgrade: Connection port - 569
ISA Upgrade: Upgraded successfully
ISA Upgrade: Protocol Name Net2Phone
ISA Upgrade: Connection Protocol - UDP-IP UDP
ISA Upgrade: Connection Direction Type - Send connection
ISA Upgrade: ISA Protocol - TRUE
ISA Upgrade: Connection port - 6801
ISA Upgrade: Upgraded successfully
ISA Upgrade: Protocol Name Net2Phone registration
ISA Upgrade: Connection Protocol - TCP-IP
ISA Upgrade: Connection Direction Type - Outbound connection
ISA Upgrade: ISA Protocol - TRUE
ISA Upgrade: Connection port - 6500
ISA Upgrade: Upgraded successfully
ISA Upgrade: Protocol Name NNTP
ISA Upgrade: Connection Protocol - TCP-IP
ISA Upgrade: Connection Direction Type - Outbound connection
ISA Upgrade: ISA Protocol - TRUE
ISA Upgrade: Connection port - 119
ISA Upgrade: Upgraded successfully
ISA Upgrade: Protocol Name POP3
ISA Upgrade: Connection Protocol - TCP-IP
ISA Upgrade: Connection Direction Type - Outbound connection
ISA Upgrade: ISA Protocol - TRUE
ISA Upgrade: Connection port - 110
ISA Upgrade: Upgraded successfully
ISA Upgrade: Protocol Real Audio (7075) is not supported in the migration
ISA Upgrade: Protocol Name SMTP
ISA Upgrade: Connection Protocol - TCP-IP
ISA Upgrade: Connection Direction Type - Outbound connection
ISA Upgrade: ISA Protocol - TRUE
ISA Upgrade: Connection port - 25
ISA Upgrade: Upgraded successfully
ISA Upgrade: Protocol Name Telnet
ISA Upgrade: Connection Protocol - TCP-IP
ISA Upgrade: Connection Direction Type - Outbound connection
ISA Upgrade: ISA Protocol - TRUE
ISA Upgrade: Connection port - 23
ISA Upgrade: Upgraded successfully
ISA Upgrade: Protocol Name Time (TCP)
ISA Upgrade: Connection Protocol - TCP-IP
ISA Upgrade: Connection Direction Type - Outbound connection
ISA Upgrade: ISA Protocol - TRUE
ISA Upgrade: Connection port - 37
ISA Upgrade: Upgraded successfully
ISA Upgrade: Protocol Name VDOLive
ISA Upgrade: Connection Protocol - TCP-IP
ISA Upgrade: Connection Direction Type - Outbound connection
ISA Upgrade: ISA Protocol - FALSE
ISA Upgrade: Connection port - 7000
ISA Upgrade: Upgraded successfully
ISA Upgrade: Protocol Name VXtreme
ISA Upgrade: Connection Protocol - TCP-IP
ISA Upgrade: Connection Direction Type - Outbound connection
ISA Upgrade: ISA Protocol - FALSE
ISA Upgrade: Connection port - 12468
ISA Upgrade: Upgraded successfully
ISA Upgrade: Protocol Name WhoIs
ISA Upgrade: Connection Protocol - TCP-IP
ISA Upgrade: Connection Direction Type - Outbound connection
ISA Upgrade: ISA Protocol - TRUE
ISA Upgrade: Connection port - 43
ISA Upgrade: Upgraded successfully
ISA Upgrade: Upgrade of protocols succeeded
ISA Upgrade: ---Upgrading ISA Server rules from Proxy2.0 domain filters
ISA Upgrade: Rule#1
ISA Upgrade: Name - Proxy2.0's DomainFilter - Deny site access
ISA Upgrade: Description - Denies access to sites, as specified by Microsoft Proxy 2.0 domain filters. Created as part of migration process
ISA Upgrade: Redirect URL
ISA Upgrade: Action - Deny access to the requested web page
ISA Upgrade: Enabled - TRUE
ISA Upgrade: Applies to content method type - Rule applies to all types of content
ISA Upgrade: Applies to destination - Destinations that are part of a specified set
ISA Upgrade: Applies to method - All requests regardless of origin
ISA Upgrade: Applies always - TRUE
ISA Upgrade: Upgraded successfully
ISA Upgrade: Rule#2
ISA Upgrade: Name - Proxy2.0 Allow all
ISA Upgrade: Description - Allows access to sites, as specified by Microsoft Proxy 2.0 domain filters. Created as part of migration process
ISA Upgrade: Redirect URL
ISA Upgrade: Action - Permit access to the requested web page
ISA Upgrade: Enabled - TRUE
ISA Upgrade: Applies to content method type - Rule applies to all types of content
ISA Upgrade: Applies to destination - All destinations
ISA Upgrade: Applies to method - All requests regardless of origin
ISA Upgrade: Applies always - TRUE
ISA Upgrade: Upgraded successfully
ISA Upgrade: Upgrade of ISA Server rules from Proxy2.0 domain filters succeeded
ISA Upgrade: ---Upgrading dial-on-demand schedule
ISA Upgrade: No items to upgrade
ISA Upgrade: ---Upgrading Routing Rules
ISA Upgrade: No items to upgrade
ISA Upgrade: ---Upgrading Publishing Rules
ISA Upgrade: No items to upgrade
ISA Upgrade: ---Upgrading alerts
ISA Upgrade: WARNING: Alert Disk Full was removed from ISA and is not migrated
ISA Upgrade: Alert#1
ISA Upgrade: Enabled - TRUE
ISA Upgrade: Event GUID - {FFFF8E96-94EC-11D2-AF53-00E02C069419}
ISA Upgrade: Description - IP packet was dropped according to specified policy.
ISA Upgrade: Server name
ISA Upgrade: Additional key - -1
ISA Upgrade: Events per second - 20
ISA Upgrade: Minutes before reraise - 5
ISA Upgrade: Events before raise - 0
ISA Upgrade: Name - IP packet dropped
ISA Upgrade: User name
ISA Upgrade: Alert action name - LogEvent
ISA Upgrade: Alert action type - Log event to System Event Log
ISA Upgrade: Alert action name - SendMail
ISA Upgrade: Alert action type - Send Mail message
ISA Upgrade: SERVER=fredf
ISA Upgrade: [email protected]
ISA Upgrade: CC=
ISA Upgrade: [email protected]
ISA Upgrade: Upgraded successfully
ISA Upgrade: Alert#2
ISA Upgrade: Enabled - TRUE
ISA Upgrade: Event GUID - {FFFF8E97-94EC-11D2-AF53-00E02C069419}
ISA Upgrade: Description - A packet with invalid IP options was detected and the packet dropped.
ISA Upgrade: Server name
ISA Upgrade: Additional key - -1
ISA Upgrade: Events per second - 1
ISA Upgrade: Minutes before reraise - 1
ISA Upgrade: Events before raise - 0
ISA Upgrade: Name - IP Protocol violation
ISA Upgrade: User name -
ISA Upgrade: Alert action name - LogEvent
ISA Upgrade: Alert action type - Log event to System Event Log
ISA Upgrade: Alert action name - SendMail
ISA Upgrade: Alert action type - Send Mail message
ISA Upgrade: SERVER=fredf
ISA Upgrade: [email protected]
ISA Upgrade: CC=
ISA Upgrade: [email protected]
ISA Upgrade: Upgraded successfully
ISA Upgrade: Upgrade of alerts succeeded
ISA Upgrade: ---Upgrading packet filters
ISA Upgrade: Packet Filter#1
ISA Upgrade: Name - DNS filter
ISA Upgrade: Description
ISA Upgrade: Enabled - TRUE
ISA Upgrade: All servers - TRUE
ISA Upgrade: Server name
ISA Upgrade: Filter mode - Allow the packets to pass
ISA Upgrade: Filter type - DNS lookup predefined static filter
ISA Upgrade: Protocol number - 17
ISA Upgrade: Direction type - Send Receive directions (in and out)
ISA Upgrade: Local port type - Any port
ISA Upgrade: Local port number - 0
ISA Upgrade: Remote port type - Fixed port (followed by port number)
ISA Upgrade: Remote port number - 53
ISA Upgrade: ICMP type - Any ICMP type
ISA Upgrade: ICMP type number - 0
ISA Upgrade: ICMP code - Any ICMP code
ISA Upgrade: ICMP code number - 0
ISA Upgrade: Local host type - No host specified (default external IP address)
ISA Upgrade: Local host IP address - 0.0.0.0
ISA Upgrade: Local host IP mask
ISA Upgrade: Remote host type - Any host possible
ISA Upgrade: Remote host IP address - 0.0.0.0
ISA Upgrade: Remote host IP mask
ISA Upgrade: Log matching packets - FALSE
ISA Upgrade: Upgraded successfully
ISA Upgrade: Packet Filter#2
ISA Upgrade: Name - ICMP outbound
ISA Upgrade: Description
ISA Upgrade: Enabled - TRUE
ISA Upgrade: All servers - TRUE
ISA Upgrade: Server name
ISA Upgrade: Filter mode - Allow the packets to pass
ISA Upgrade: Filter type - ICMP outbound predefined static filter
ISA Upgrade: Protocol number - 1
ISA Upgrade: Direction type - Out direction
ISA Upgrade: Local port type - Any port
ISA Upgrade: Local port number - 0
ISA Upgrade: Remote port type - Any port
ISA Upgrade: Remote port number - 0
ISA Upgrade: ICMP type - Any ICMP type
ISA Upgrade: ICMP type number - 0
ISA Upgrade: ICMP code - Any ICMP code
ISA Upgrade: ICMP code number - 0
ISA Upgrade: Local host type - No host specified (default external IP address)
Appendix C
ISA UPGRADE LOG
ISA Upgrade: Local host IP address - 0.0.0.0
ISA Upgrade: Local host IP mask
ISA Upgrade: Remote host type - Any host possible
ISA Upgrade: Remote host IP address - 0.0.0.0
ISA Upgrade: Remote host IP mask
ISA Upgrade: Log matching packets - FALSE
ISA Upgrade: Upgraded successfully
ISA Upgrade: Packet Filter#3
ISA Upgrade: Name - ICMP ping response (in)
ISA Upgrade: Description
ISA Upgrade: Enabled - TRUE
ISA Upgrade: All servers - TRUE
ISA Upgrade: Server name
ISA Upgrade: Filter mode - Allow the packets to pass
ISA Upgrade: Filter type - ICMP ping response predefined static filter
ISA Upgrade: Protocol number - 1
ISA Upgrade: Direction type - In direction
ISA Upgrade: Local port type - Any port
ISA Upgrade: Local port number - 0
ISA Upgrade: Remote port type - Any port
ISA Upgrade: Remote port number - 0
ISA Upgrade: ICMP type - Fixed ICMP type
ISA Upgrade: ICMP type number - 0
ISA Upgrade: ICMP code - Fixed ICMP code
ISA Upgrade: ICMP code number - 0
ISA Upgrade: Local host type - No host specified (default external IP address)
ISA Upgrade: Local host IP address - 0.0.0.0
ISA Upgrade: Local host IP mask
ISA Upgrade: Remote host type - Any host possible
ISA Upgrade: Remote host IP address - 0.0.0.0
ISA Upgrade: Remote host IP mask
ISA Upgrade: Log matching packets - FALSE
ISA Upgrade: Upgraded successfully
ISA Upgrade: WARNING: ICMP Ping Query packet filter is not migrated by design
ISA Upgrade: Packet Filter#4
ISA Upgrade: Name - ICMP timeout in
ISA Upgrade: Description
ISA Upgrade: Enabled - TRUE
ISA Upgrade: All servers - TRUE
ISA Upgrade: Server name
ISA Upgrade: Filter mode - Allow the packets to pass
ISA Upgrade: Filter type - ICMP timeout predefined static filter
ISA Upgrade: Protocol number - 1
ISA Upgrade: Direction type - In direction
ISA Upgrade: Local port type - Any port
ISA Upgrade: Local port number - 0
ISA Upgrade: Remote port type - Any port
ISA Upgrade: Remote port number - 0
ISA Upgrade: ICMP type - Fixed ICMP type
ISA Upgrade: ICMP type number - 11
ISA Upgrade: ICMP code - Any ICMP code
ISA Upgrade: ICMP code number - 0
ISA Upgrade: Local host type - No host specified (default external IP address)
ISA Upgrade: Local host IP address - 0.0.0.0
ISA Upgrade: Local host IP mask
ISA Upgrade: Remote host type - Any host possible
ISA Upgrade: Remote host IP address - 0.0.0.0
ISA Upgrade: Remote host IP mask
ISA Upgrade: Log matching packets - FALSE
ISA Upgrade: Upgraded successfully
ISA Upgrade: Packet Filter#5
ISA Upgrade: Name - ICMP unreachable in
ISA Upgrade: Description
ISA Upgrade: Enabled - TRUE
ISA Upgrade: All servers - TRUE
ISA Upgrade: Server name
ISA Upgrade: Filter mode - Allow the packets to pass
ISA Upgrade: Filter type - ICMP unreachable predefined static filter
ISA Upgrade: Protocol number - 1
ISA Upgrade: Direction type - In direction
ISA Upgrade: Local port type - Any port
ISA Upgrade: Local port number - 0
ISA Upgrade: Remote port type - Any port
ISA Upgrade: Remote port number - 0
ISA Upgrade: ICMP type - Fixed ICMP type
ISA Upgrade: ICMP type number - 3
ISA Upgrade: ICMP code - Any ICMP code
ISA Upgrade: ICMP code number - 0
ISA Upgrade: Local host type - No host specified (default external IP address)
ISA Upgrade: Local host IP address - 0.0.0.0
ISA Upgrade: Local host IP mask
ISA Upgrade: Remote host type - Any host possible
ISA Upgrade: Remote host IP address - 0.0.0.0
ISA Upgrade: Remote host IP mask
ISA Upgrade: Log matching packets - FALSE
ISA Upgrade: Upgraded successfully
ISA Upgrade: Packet Filter#6
ISA Upgrade: Name - ICMP source quench
ISA Upgrade: Description
ISA Upgrade: Enabled - TRUE
ISA Upgrade: All servers - TRUE
ISA Upgrade: Server name
ISA Upgrade: Filter mode - Allow the packets to pass
ISA Upgrade: Filter type - ICMP source quench predefined static filter
ISA Upgrade: Protocol number - 1
ISA Upgrade: Direction type - In direction
ISA Upgrade: Local port type - Any port
ISA Upgrade: Local port number - 0
ISA Upgrade: Remote port type - Any port
ISA Upgrade: Remote port number - 0
ISA Upgrade: ICMP type - Fixed ICMP type
ISA Upgrade: ICMP type number - 4
ISA Upgrade: ICMP code - Fixed ICMP code
ISA Upgrade: ICMP code number - 0
ISA Upgrade: Local host type - No host specified (default external IP address)
ISA Upgrade: Local host IP address - 0.0.0.0
ISA Upgrade: Local host IP mask
ISA Upgrade: Remote host type - Any host possible
ISA Upgrade: Remote host IP address - 0.0.0.0
ISA Upgrade: Remote host IP mask
ISA Upgrade: Log matching packets - FALSE
ISA Upgrade: Upgraded successfully
ISA Upgrade: Packet Filter#7
ISA Upgrade: Name - Proxy2.0’s custom packet filter #1
ISA Upgrade: Description
ISA Upgrade: Enabled - TRUE
ISA Upgrade: All servers - TRUE
ISA Upgrade: Server name
ISA Upgrade: Filter mode - Allow the packets to pass
ISA Upgrade: Filter type - No predefined filter. See the custom filter options
ISA Upgrade: Protocol number - 6
ISA Upgrade: Direction type - Both directions (in and out)
ISA Upgrade: Local port type - Fixed port (followed by port number)
ISA Upgrade: Local port number - 21
ISA Upgrade: Remote port type - Any port
ISA Upgrade: Remote port number - 0
ISA Upgrade: ICMP type - Any ICMP type
ISA Upgrade: ICMP type number - 0
ISA Upgrade: ICMP code - Any ICMP code
ISA Upgrade: ICMP code number - 0
ISA Upgrade: Local host type - No host specified (default external IP address)
ISA Upgrade: Local host IP address
ISA Upgrade: Local host IP mask
ISA Upgrade: Remote host type - Any host possible
ISA Upgrade: Remote host IP address
ISA Upgrade: Remote host IP mask
ISA Upgrade: Log matching packets - TRUE
ISA Upgrade: Upgraded successfully
ISA Upgrade: Packet Filter#8
ISA Upgrade: Name - Proxy2.0’s custom packet filter #2
ISA Upgrade: Description
ISA Upgrade: Enabled - TRUE
ISA Upgrade: All servers - TRUE
ISA Upgrade: Server name
ISA Upgrade: Filter mode - Allow the packets to pass
ISA Upgrade: Filter type - No predefined filter. See the custom filter options
ISA Upgrade: Protocol number - 6
ISA Upgrade: Direction type - Both directions (in and out)
ISA Upgrade: Local port type - Fixed port (followed by port number)
ISA Upgrade: Local port number - 23
ISA Upgrade: Remote port type - Any port
ISA Upgrade: Remote port number - 0
ISA Upgrade: ICMP type - Any ICMP type
ISA Upgrade: ICMP type number - 0
ISA Upgrade: ICMP code - Any ICMP code
ISA Upgrade: ICMP code number - 0
ISA Upgrade: Local host type - No host specified (default external IP address)
ISA Upgrade: Local host IP address
ISA Upgrade: Local host IP mask
ISA Upgrade: Remote host type - Any host possible
ISA Upgrade: Remote host IP address
ISA Upgrade: Remote host IP mask
ISA Upgrade: Log matching packets - TRUE
ISA Upgrade: Upgraded successfully
ISA Upgrade: Upgrade of packet filters succeeded
ISA Upgrade: ---Upgrading log configuration
ISA Upgrade: Log#1
ISA Upgrade: Component type - Firewall log
ISA Upgrade: Log type - Logging W3C extended format to text log files
ISA Upgrade: Log period - one file per day
ISA Upgrade: Log field selection - 103022263
ISA Upgrade: Log enabled - TRUE
ISA Upgrade: Log files compress - TRUE
ISA Upgrade: Log file keep old - 0
ISA Upgrade: Log file directory - G:\WINNTNT\System32\msplogs
ISA Upgrade: Log database data source - db1
ISA Upgrade: Log database table name - Table1
ISA Upgrade: Log database user name
ISA Upgrade: Log file directory type - The directory of the log files is specified as full path
ISA Upgrade: Upgraded successfully
ISA Upgrade: Log#2
ISA Upgrade: Component type - Web Proxy log
ISA Upgrade: Log type - Logging W3C extended format to text log files
ISA Upgrade: Log period - one file per day
ISA Upgrade: Log field selection - 3604407
ISA Upgrade: Log enabled - TRUE
ISA Upgrade: Log files compress - TRUE
ISA Upgrade: Log file keep old - 0
ISA Upgrade: Log file directory - G:\WINNTNT\System32\msplogs
ISA Upgrade: Log database data source - db1
ISA Upgrade: Log database table name - Table1
ISA Upgrade: Log database user name
ISA Upgrade: Log file directory type - The directory of the log files is specified as full path
ISA Upgrade: Upgraded successfully
ISA Upgrade: Log#3
ISA Upgrade: Component type - Packet filters log
ISA Upgrade: Log type - Logging W3C extended format to text log files
ISA Upgrade: Log period - one file per day
ISA Upgrade: Log field selection - 895
ISA Upgrade: Log enabled - TRUE
ISA Upgrade: Log files compress - TRUE
ISA Upgrade: Log file keep old - 0
ISA Upgrade: Log file directory - G:\WINNTNT\System32\msplogs
ISA Upgrade: Log database data source - db1
ISA Upgrade: Log database table name - Table1
ISA Upgrade: Log database user name
ISA Upgrade: Log file directory type - The directory of the log files is specified as full path
ISA Upgrade: Upgraded successfully
ISA Upgrade: Upgrade of log configuration succeeded
ISA Upgrade: ---Upgrading SSL Port List
ISA Upgrade: Tunnel port range#1
ISA Upgrade: Name - Range1
ISA Upgrade: Tunnel low port - 443
ISA Upgrade: Tunnel high port - 443
ISA Upgrade: Upgraded successfully
ISA Upgrade: Tunnel port range#2
ISA Upgrade: Name - Range2
ISA Upgrade: Tunnel low port - 563
ISA Upgrade: Tunnel high port - 563
ISA Upgrade: Upgraded successfully
ISA Upgrade: Upgrading of SSL Port List succeeded
ISA Upgrade: ---Upgrading cache configuration
ISA Upgrade: WARNING: Cache filters are not migraded by design
ISA Upgrade: Size limit enabled - FALSE
ISA Upgrade: Object size limit - 1
ISA Upgrade: Server protection enable - TRUE
ISA Upgrade: Server protect factor - 50
ISA Upgrade: Max protect time - 60
ISA Upgrade: Cache question URLs - FALSE
ISA Upgrade: Max URL Size - 12800
ISA Upgrade: WARNING: Enable Active Cache is always disabled by design
ISA Upgrade: Active caching policy - Avarege behavior
ISA Upgrade: FTP caching enabled - TRUE
ISA Upgrade: FTP TTL value - 1440
ISA Upgrade: HTTP caching enabled - TRUE
ISA Upgrade: Expiration policy - Avarege behavior
ISA Upgrade: Age factor - 20
ISA Upgrade: Minimum Time-to-Live interval - 1
ISA Upgrade: Maximum Time-to-Live interval - 15
ISA Upgrade: Upgrade of cache configuration succeeded
ISA Upgrade: WARNING: Socks are not migrated by design
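The Packet Filter#1 through Packet Filter#8 records in the log above are static filters: each one names a protocol number, a direction, a local and a remote port (or "Any port"), and for ICMP a type and code. The following Python is an added example, not code from the book or from ISA Server, that transcribes those eight records into a rule table and evaluates constructed sample packets against them. The matching policy it assumes (a matching block filter overrides any allow filter, and a packet no filter mentions is dropped) is an illustration, not ISA's own implementation. One thing worth reading off the result: the migrated "DNS filter" permits UDP in both directions with the remote port fixed at 53 and the local port set to "Any port", so an inbound datagram whose source port is 53 reaches any local port as far as this static filter is concerned. That is the exposure the glossary's stateful inspection entry (Appendix D) is describing when it says dynamic filtering keeps ports open only for the life of a connection. The log's warning that the ICMP Ping Query filter is not migrated also shows up: an inbound echo request matches nothing and is dropped.

```python
"""Static packet-filter evaluation, modeled on the fields in the ISA upgrade log.

Added example, not code from the book or from ISA Server. The eight rules are
transcribed from the Packet Filter#1..#8 records; the matching policy (block
beats allow, unmatched packets dropped) is an assumption for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = None  # "Any port" / "Any ICMP type" / "Any ICMP code" in the log


@dataclass(frozen=True)
class PacketFilter:
    name: str
    protocol: int                    # IP protocol number: 1 ICMP, 6 TCP, 17 UDP
    direction: str                   # "in", "out" or "both"
    local_port: Optional[int] = ANY  # port on the firewall's external interface
    remote_port: Optional[int] = ANY
    icmp_type: Optional[int] = ANY
    icmp_code: Optional[int] = ANY
    allow: bool = True               # Filter mode: allow the packets to pass / block
    log: bool = False                # "Log matching packets"


@dataclass(frozen=True)
class Packet:
    protocol: int
    direction: str                   # "in" or "out" on the external interface
    local_port: int = 0
    remote_port: int = 0
    icmp_type: int = 0
    icmp_code: int = 0


def matches(f: PacketFilter, p: Packet) -> bool:
    """True when every non-ANY field of the filter agrees with the packet."""
    if f.protocol != p.protocol:
        return False
    if f.direction != "both" and f.direction != p.direction:
        return False
    if p.protocol == 1:  # ICMP carries no ports; compare type and code instead
        return ((f.icmp_type is ANY or f.icmp_type == p.icmp_type)
                and (f.icmp_code is ANY or f.icmp_code == p.icmp_code))
    return ((f.local_port is ANY or f.local_port == p.local_port)
            and (f.remote_port is ANY or f.remote_port == p.remote_port))


def evaluate(filters: List[PacketFilter], p: Packet) -> Tuple[str, List[str]]:
    """Return (verdict, names of the filters that matched).

    Assumed policy: any matching block filter wins; otherwise a matching allow
    filter passes the packet; a packet that no filter mentions is dropped.
    """
    hits = [f for f in filters if matches(f, p)]
    names = [f.name for f in hits]
    if any(not f.allow for f in hits):
        return "block", names
    if hits:
        return "allow", names
    return "drop", names


def should_log(filters: List[PacketFilter], p: Packet) -> bool:
    """Whether a matching filter has 'Log matching packets' set."""
    return any(f.log for f in filters if matches(f, p))


# Rules transcribed from the Packet Filter#1..#8 records in the upgrade log
FILTERS = [
    PacketFilter("DNS filter", 17, "both", remote_port=53),
    PacketFilter("ICMP outbound", 1, "out"),
    PacketFilter("ICMP ping response (in)", 1, "in", icmp_type=0, icmp_code=0),
    PacketFilter("ICMP timeout in", 1, "in", icmp_type=11),
    PacketFilter("ICMP unreachable in", 1, "in", icmp_type=3),
    PacketFilter("ICMP source quench", 1, "in", icmp_type=4, icmp_code=0),
    PacketFilter("Proxy2.0's custom packet filter #1", 6, "both", local_port=21, log=True),
    PacketFilter("Proxy2.0's custom packet filter #2", 6, "both", local_port=23, log=True),
]

# Constructed sample packets (not from the book), read as an auditor would
SAMPLES: Dict[str, Packet] = {
    "outbound DNS query": Packet(17, "out", local_port=1025, remote_port=53),
    "inbound UDP from source port 53 to local 1434": Packet(17, "in", local_port=1434, remote_port=53),
    "inbound ICMP echo request": Packet(1, "in", icmp_type=8),
    "inbound ICMP time exceeded": Packet(1, "in", icmp_type=11, icmp_code=0),
    "inbound TCP to port 21": Packet(6, "in", local_port=21, remote_port=40000),
    "inbound TCP to port 25": Packet(6, "in", local_port=25, remote_port=40000),
}


def audit(filters: List[PacketFilter] = FILTERS) -> Dict[str, Tuple[str, bool]]:
    """Evaluate every sample packet; returns {description: (verdict, logged)}."""
    return {d: (evaluate(filters, p)[0], should_log(filters, p))
            for d, p in SAMPLES.items()}


if __name__ == "__main__":
    for desc, (verdict, logged) in audit().items():
        print(f"{desc:48s} {verdict:5s} logged={logged}")
```

Running the block prints one verdict per sample. The two custom TCP filters are the only ones with "Log matching packets - TRUE", so only the FTP and Telnet traffic they cover is flagged for the packet filter log; a practitioner reviewing a migrated rule set would usually want logging on the DNS filter as well, since it is the broadest rule in the table.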
continues
609
APPENDIX D

Glossary

3-homed perimeter network A network configuration in which the firewall has three network cards: one for the internal network, one for the external network, and one for the perimeter network.

active caching When objects are preconfigured to be periodically downloaded from Web sites without corresponding real-time requests, they are said to be actively cached. In active caching, the ISA Server refreshes the cache on its own before the object expires.

Active Directory Schema The collection of classes and attributes available in the Active Directory. This is the metadata of the AD.

alias A substitute friendly name for a network address. An email address can be an alias in an H.323 registration database.

all ports scan attack An attempt to access more than the configured number of ports (a settable threshold).

allocation priorities When a limited amount of resources (money, people) is available, necessary functions, upgrades, and repairs are prioritized and resources are allocated accordingly.

Array mode Array modes are similar to server installation modes. The first array of the enterprise is created in the mode of its first member. Additional arrays must choose an array mode: caching, firewall, or integrated.

array policy Policies set at the Array level.

automatic discovery The process of finding the ISA Server computer, either through broadcast or by using the DHCP or DNS configuration.

back-to-back perimeter network A network configuration in which two firewalls are used to create an external network, a midground network (between the two firewalls), and an internal network.

backup connection If the primary connection is unavailable, the backup connection is tried.

bandwidth priorities Policy elements that give a logical indication of the relative amount of bandwidth.

bandwidth rules Rules that indicate the bandwidth priority available.

Basic Authentication An authentication algorithm that relies on the clear-text presentation of a password or key. Here credentials are encoded, not encrypted.

bridging Requests from a Web client are bridged across the interface of the firewall. In the case of SSL bridging, the client SSL connection ends at the firewall and a new SSL connection is made between the firewall and the Web server.

Cache Array Routing Protocol (CARP) The algorithm used by ISA Server to perform distributed caching.

Caching mode The ISA Server mode that provides Web caching and Web hosting. When the ISA Server receives a Web request, it first attempts to provide the response from its cache. If the necessary pages are not available, the ISA Server makes the request for the client and provides the response to the client, as well as placing the pages in its cache.

capacity planning The process of using the past history of a project or system to determine the necessary capacity for the future.

certificate A construct that can be used for authentication. It holds information that can validate or identify the owner. Certificates are digital credentials that can be used to prove trust and thus be used in digital authentication schemes independent of, or in conjunction with, passwords.

Certificate Authority The certificate-producing service of the PKI.

chained authentication The process in which authentication credentials are passed from the downstream ISA Server to the upstream ISA Server.

chaining See hierarchical caching.

circuit-level filtering The process of inspecting the session level by looking at application requests made using the Winsock and SOCKS protocols.

client address sets A policy element that represents a range of IP addresses for client systems.

computer browser service The service that broadcasts the location of Windows computers.

Connection Initiator The tunnel endpoint that can request the connection.

Connection Receiver The tunnel endpoint that receives the connection request.

content groups Policy elements that include either MIME types or file extensions.

data pumping Another name for fast kernel mode.

demilitarized zone (DMZ) An arrangement of internal, external, and perimeter networks so as to create a protected zone reachable from internal and external networks. Typically, two firewalls are used.

destination sets A policy element that indicates a group of IP addresses, which represent potential internal or external destinations.

DHCP Options DHCP can communicate to its clients a number of options, pieces of information such as router and WPAD location. The Server Options page of the DHCP server console can be used to specify these options.

dial-on-demand A process that dials the configured number when access to that location is necessary.

dial-up entries Policy elements that define Windows 2000 dial-up networking elements available for use in ISA Server.

Digest Authentication An authentication protocol that compares the results of two one-way encryptions over the same string. One of the digests is prepared by the client, and one by the server. Because the same algorithm is used over the same data, the resulting digests should match. If they do, the client can be authenticated. With Digest Authentication, credentials are encrypted, and a message digest is used to validate the credentials.

distributed caching The process of distributing cached Web pages across multiple caching servers in an array.

Distributed Component Object Model (DCOM) A service that enables object communication across a network from one computer to another.

distributed file system service A Windows 2000 service that makes it easier for users to access files distributed across the network.

distributed link tracking service A Windows 2000 service that is used to track linked resources that might have been moved.

DNS resource record A type of DNS record that allows clients to locate a service on an IP network. The client receives the FQDN of the host that provides the service and then can use a DNS lookup to resolve the IP address.

Domain Filter The Proxy Server 2.0 name for site and content rules.

E164 One of three possible alias forms; it specifies a phone number.

E-Mail-ID One of three possible alias forms; it requires a real email address.

encoded Encoding is the application of a specific definition to data so that it meets some specification. The data is obscured and not in clear text, but it is not encrypted. Anyone who knows the encoding standard can easily reformat the data and read it.

Enterprise Admin A Windows 2000 group. Membership in this group is required in order to modify the schema.

Enterprise CA A CA that is integrated with the Active Directory.

Enterprise policy A policy that details the configuration of access policy for the forest. Policies set at the Enterprise level affect how Array-level policy is implemented. They can disallow any modifications or allow Array policies to further restrict Enterprise-level policy settings.

enumerated port scan attack An attempt to count the services running.

external network The network on the outside of the firewall; the public network.

fast kernel mode When IP routing is enabled on the ISA Server, secondary connections can be processed in kernel mode instead of requiring an additional process for authorization.

fax service The service required to implement fax services.

firewall chaining The process of sending outbound requests to an upstream ISA Server for resolution.

firewall clients Clients with the Firewall Client software installed.

Firewall mode The ISA Server mode in which the server is configured as a firewall. This installation mode provides firewall services, Web and server hosting, and inbound and outbound access control.

Firewall service The ISA Server service that manages inbound access control and works in concert with application filters to provide non-HTTP Web request forwarding.

forward caching The caching of Web requests.

gateway-to-gateway demand-dial interface In the Routing and Remote Access console, the representation of a VPN.

H.323 An ITU communications standard that specifies how audio and video conferencing occur over an IP network.

H.323 Gatekeeper A device that controls and manages H.323 communication. It provides registered clients with call routing and directory services and works with the H.323 protocol to provide communication services.

H.323 Gateway A device that translates H.323 communications between an IP network and the PSTN.

H.323 Gateway Service A service that provides management of public access to NetMeeting sessions on the private network.

H.323 Protocol filters Protocol filters that restrict the use of the H.323 protocol across the firewall.

H.323 Proxy Allows the transfer of H.323 communications across firewalls.

H.323-ID One of three possible alias forms; it can be an email address or another type of address.

hierarchical caching The process of chaining caching server arrays so that arrays lower in the chain point to and refer Web requests to arrays higher in the chain. At the top of the hierarchy, the array passes requests to the Internet. All arrays, from the first array requesting the page all the way to the top-level array, cache the Web request result.

Identd When a client operates behind a firewall, it cannot respond to some types of requests for identification from Internet servers. The Identd simulation service, when installed on an ISA Server, can respond to the Internet server on behalf of the client.

Integrated mode An installation mode for ISA Server that provides the features and benefits of both the Firewall mode and the Caching mode. In this mode, the ISA Server is both a firewall and a caching server.

internal network The network protected by the firewall.

International Telecommunications Union (ITU) A standards body.

Internet Assigned Numbers Authority (IANA) An organization that controls the assignment of common numbering schemes, for example the assignment of port numbers.

Internet Connection Sharing A service of Windows 2000 that allows a connection to the Internet made on one computer to be shared with another. This service should not be available on the ISA Server Windows 2000 computer, because it could compromise the network by allowing traffic around the firewall or Web caching server.

Internet Control Message Protocol (ICMP) This protocol is used by TCP/IP hosts to provide information about the status of other hosts and communications on the network.

Internet Locator Server (ILS) A server that acts as an H.323 MCU.

Internet Message Access Protocol 4 (IMAP4) A protocol used to download email from a mail server.

Intrusion Detection The process of detecting an attack against a system and responding with some form of logging, alerting, or other activity.

IP half scan attack Many connection attempts are made to a computer, but no corresponding ACK packets are sent.

IPSec A protocol that adds many security features to TCP/IP. It is used in a VPN for encryption.

ISA COM objects COM objects used by ISA Server. They must be registered in order to be used; this is done during installation.

ISA Management The MMC console used to administer ISA Server.

L2TP A tunneling protocol used in Windows 2000 VPNs.

Land attack A TCP SYN packet sent with a spoofed source IP address and port number matching the destination IP address and port.

Layer 2 Tunneling Protocol over IP Security (L2TP/IPSec) A combination of a tunneling protocol (L2TP) and an encryption and security protocol (IPSec) that is used to create and secure a VPN.

license logging service The service that logs license information.

listener A computer interface that listens for a particular type of traffic on the external interface of the firewall.

Local Address Table (LAT) (1) The list of subnets that are on the private network side of the ISA Server in Firewall or Integrated mode. The LAT is used by firewall clients to determine whether they should send a request to the ISA Server. It is used by the ISA Server to determine whether it should forward a request to the private network. (2) A table of IP address ranges that represent ranges present on the internal or private network. It is used by the Firewall service to determine which requests it should forward to the Internet.

Local Domain Table (LDT) A collection of the names of domains that exist on the internal or private side of the ISA Server.

Locallat.txt If the client needs a special configuration of the LAT file, this should be done by creating a file on the client and naming it locallat.txt. The firewall client then uses both the locallat.txt and the msplat.txt files.

Message Digest The hashing of a string using a one-way algorithm (one that cannot be reversed).

Messaging Application Programming Interface (MAPI) An API that is used for communication between clients and messaging servers, for example between Microsoft Outlook and Microsoft Exchange Server.

Microsoft Certificate Services The service that can be loaded on Windows 2000 Server or Advanced Server to provide a Certificate Authority and other elements of a Public Key Infrastructure.

migration A process in which some features, but not all, are moved from one version of a product to another.

MS_FWC.msi The msi installation file provided by the ISA Server that can be used in Group Policy to assign installation to multiple client computers.

msisaund.ini file The file used in an unattended install of ISA Server to provide installation information specific to the current ISA install.

mspclnt.ini The client configuration file, which also contains a copy of the ISA Server Local Domain Table (LDT).

msplat.txt (1) The client copy of the ISA Server Local Address Table (LAT); (2) the firewall client copy of the LAT.

Multipoint Control Unit (MCU) A conferencing server.

Network Address Translation (NAT) The process of replacing the client’s outgoing packet source IP address with the NAT server’s external IP address and substituting the returned packet’s destination IP address with the requesting client’s IP address.

Network Load Balancing A software-based Windows 2000 clustering solution. Multiple computers running the same application can be linked.

Network News Transfer Protocol (NNTP) A protocol used to provide newsgroup communication.

ODBC Data Source Name (DSN) The logical connection device between the database and another application.

packet filtering The process by which the header of a packet is inspected and the packet is accepted or dropped according to preset packet filtering rules.

pass-through authentication The Web proxy client’s credentials are passed through the firewall to the server the user wants to contact.

Performance Monitor counters Measurable characteristics of a system or hardware device.

Performance Monitor objects A logical collection of characteristics (counters) related to some system or hardware device.

Ping of death attack A large amount of information is appended to an Internet Control Message Protocol (ICMP) echo request (ping) packet.

Point-to-Point Tunneling Protocol A tunneling protocol that provides tunneling services for a VPN.

policy elements In ISA Server, policy elements define objects such as IP address ranges, schedules, bandwidth priorities, and so on. These elements can then be used in rules.

Post Office Protocol 3 (POP3) A protocol used to download email from a mail server.

primary connection The first connection the ISA Server tries.

primary network address The address of the cluster.

private address ranges Address ranges assigned by IANA and published in RFC 1918. These addresses are not to be used on the Internet but can be used by private networks.

private network The internal network.

protocol definitions Definitions of protocols that include ports, protocol IDs, and so on.

protocol rules Rules that express the protocols that can be used to access objects.

Public Key Infrastructure (PKI) The sum of the services, utilities, and constructs that provide certificate services to the enterprise.

public network The external network.

Real-Time Control Protocol (RTCP) A protocol that is part of the H.323 standard.

Real-Time Protocol (RTP) A protocol that is part of the H.323 standard.

registration database The H.323 Gatekeeper collection of aliases matched to IP addresses of clients.

Registration, Admission, and Status protocol (RAS) The protocol that specifies how clients register their names in the H.323 registration database.

Request for Comment (RFC) A device by which the Internet community formulates a standard for the Internet.

reverse caching The caching of hosted Web site pages.

Root CA The first CA, the one from which trust emanates.

schedule A policy element that expresses the time of day and the days of the week.

Schema Admin A Windows 2000 group. Membership in this group is required in order to modify the schema.

Secure Sockets Layer (SSL) A protocol designed by Netscape Communications to provide encrypted communications between a client and a server on the Internet.

SecureNAT An extension of Windows 2000 NAT to provide access control.

SecureNAT clients Clients that are not firewall or Web proxy clients but that make requests for external network services through the ISA Server.

Security Configuration and Analysis A Windows 2000 tool that allows the comparison of the current computer security configuration to that of a template.

server publishing rules Rules that are created to publish internal servers to the external network.

single-path internetwork An internetwork in which no two subnetworks have more than one path of access to each other.

site In Windows 2000, a collection of subnets at a distinct physical location. The site is configured in the Active Directory.

site and content rules Rules that express the destination sites and what types of data can be retrieved from them.

SMTP service A protocol used in mail delivery.

SNMP A network management protocol required by some network management products. If it is not required in your network, it should not be implemented.

SOCKS applications Unix and Macintosh applications that use the SOCKS protocol for communications.

Standalone CA A CA that is not integrated with the Active Directory.

Stateful Inspection Also known as dynamic packet filtering, stateful inspection refers to the process that allows ports to open on demand and stay open only until the communication is done. This minimizes the exposure of ports in your environment.

static routes Manually configured routes, as opposed to those configured automatically by a routing protocol.

system hardening The process of applying security patches, modifying resource access permissions, removing unnecessary services, files, and permissions, and applying any other known security defense.

T.120 An ITU communications standard that specifies how data conferences occur over an IP network.

The Allow Rule A generic site and content rule created during installation that allows access to all sites.

three-pronged approach The use of three network cards in a firewall to create three paths: one to the external, public network; one to the internal, private network; and one to a perimeter network.

tiered policy A policy that consists of Enterprise-level and Array-level policies in a distributed environment. The Array policies modify the application of Enterprise-level policy to provide a varied environment.

trend analysis The process of taking measurements over time to look for patterns in the changes.

UDP bomb attack UDP packets constructed with illegal values in some fields are sent.

unreachable state When a connection to a demand-dial router fails, the interface is in an unreachable state.

upgrade A process in which new features and fixes are added to a product.

Virtual Private Networking The extension of a private network by creating a protected path between two networks across a third. The end result is a “virtual” point-to-point connection.

Virtual Private Networks (VPNs) A logical connection between two networks over at least one other network. The connection acts as if it were a physical point-to-point connection, although it is not.

VPN endpoint The termination point of a VPN.

VPN pass-through A mode in which the ISA Server allows a tunnel created between two endpoints, one on its internal network and one on its external network, to “pass through.”

Web caching server An ISA Server that provides Web caching services.

Web Proxy Autodiscovery Protocol (WPAD) A protocol used by the ISA Server client computer to locate the ISA Server.

Web Proxy clients Windows clients whose browser is pointed to the ISA Server.

Web Proxy service The ISA Server service that forwards internal client HTTP requests to the Internet.

Web publishing rules Rules that are created to publish internal Web sites to the external network.

well-known ports The ports commonly used by many systems for specific services. These ports have numbers assigned by IANA.

Win Proxy Automatic Discovery protocol (WPAD) The protocol used to provide automatic discovery of the location of a Win Proxy server such as ISA Server.

Windows Integrated Authentication An authentication algorithm that uses a one-way hash of the password to encrypt a challenge string. The result is compared with the same string encrypted using the one-way hash of the same password held in the server’s database. The password is never passed across the network.

Windows out-of-band attack An out-of-band denial-of-service attack attempt against an internal computer.

Winsock applications Applications that use the Winsock protocol. The Winsock protocol is the Windows implementation of network sockets. Sockets are combinations of IP addresses and ports used to obtain connections between application clients and servers.
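The glossary entries for Basic Authentication, encoded, Message Digest and Digest Authentication make a distinction that is easy to state and easy to underestimate: Basic credentials are encoded, not encrypted, while Digest sends only a one-way digest computed over the password and a server-chosen nonce. The Python below is an added example, not code from the book, that makes both halves concrete. It builds and decodes a Basic header (no key is involved, so anyone who can read the header reads the password, which is why Basic should only be used inside an SSL connection), and it runs the client and server sides of an RFC 2617 Digest exchange (the simple form without qop) so the server verifies a password it never receives. The user name, realm, nonce values and password are constructed for the demonstration; MD5 appears because that is the digest RFC 2617 specifies, not because it is a recommendation.

```python
"""Basic versus Digest authentication, as the glossary entries describe them.

Added example, not code from the book. Shows that a Basic Authentication header
is only base64-encoded, and how a Digest exchange lets the server verify a
password that is never sent. All names, realms, nonces and passwords below are
constructed values for the demonstration.
"""
import base64
import hashlib
import hmac
from typing import Tuple


def build_basic_header(user: str, password: str) -> str:
    """What a browser sends for Basic Authentication: base64(user:password)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def decode_basic_header(header: str) -> Tuple[str, str]:
    """Recover the credentials: this is decoding, not decryption, so no key is needed."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authentication header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def _md5(text: str) -> str:
    """Hex digest of a string; MD5 is what RFC 2617 Digest specifies."""
    return hashlib.md5(text.encode()).hexdigest()


def stored_ha1(user: str, realm: str, password: str) -> str:
    """The one-way message digest the server keeps instead of the password
    (HA1 in RFC 2617 terms): MD5(user:realm:password)."""
    return _md5(f"{user}:{realm}:{password}")


def digest_response(user: str, realm: str, password: str,
                    method: str, uri: str, nonce: str) -> str:
    """Client side of an RFC 2617 Digest exchange without qop:
    response = MD5(HA1:nonce:HA2) where HA2 = MD5(method:uri)."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{stored_ha1(user, realm, password)}:{nonce}:{ha2}")


def verify_digest(ha1: str, method: str, uri: str,
                  nonce: str, response: str) -> bool:
    """Server side: recompute the digest from the stored HA1 and the nonce it
    issued for this challenge. The two digests must match exactly."""
    ha2 = _md5(f"{method}:{uri}")
    expected = _md5(f"{ha1}:{nonce}:{ha2}")
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    header = build_basic_header("alice", "s3cret")
    print(header, "->", decode_basic_header(header))

    ha1 = stored_ha1("alice", "isa", "s3cret")
    response = digest_response("alice", "isa", "s3cret", "GET", "/", "nonce-1")
    print("digest verifies:", verify_digest(ha1, "GET", "/", "nonce-1", response))
    # A captured response does not verify against the next challenge's nonce
    print("replay against new nonce:", verify_digest(ha1, "GET", "/", "nonce-2", response))
```

The last line of the demonstration is the property the glossary's "one-way" wording is pointing at: because the nonce is folded into the digest, a response captured on the wire verifies only against the challenge it answered, and the stored HA1 cannot be reversed into the password. The comparison uses hmac.compare_digest rather than == so that verification time does not depend on where two digests first differ.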
APPENDIX E
Overview of the Certification Process
You must pass rigorous certification exams to become a Microsoft Certified Professional. These closed-book exams provide a valid and reliable measure of your technical proficiency and expertise. Developed in consultation with computer industry professionals who have experience with Microsoft products in the workplace, the exams are conducted by two independent organizations. Virtual University Enterprises (VUE) testing centers offer exams at more than 1,400 locations. Sylvan Prometric offers the exams at more than 2,000 Authorized Prometric Testing Centers around the world. To schedule an exam, call VUE at 888-837-8734 (or register online at http://www.vue.com/ms/msexam.html) or Sylvan Prometric Testing Centers at 800-755-EXAM (3926) (or register online at http://www.2test.com/register). At the time of this writing, Microsoft offered eight types of certification, each based on specific areas of expertise. Please check the Microsoft Certified Professional Web site for the most up-to-date information (www.microsoft.com/mcp/).
TYPES OF CERTIFICATION
• Microsoft Certified Professional (MCP). Persons with this credential are qualified to support at least one Microsoft product. Candidates can take elective exams to develop areas of specialization. MCP is the base level of expertise.
• Microsoft Certified Database Administrator (MCDBA). Qualified individuals can derive physical database designs, develop logical data models, create physical databases, create data services by using Transact-SQL, manage and maintain databases, configure and manage security, monitor and optimize databases, and install and configure Microsoft SQL Server.
• Microsoft Certified Systems Engineer (MCSE). These individuals are qualified to analyze the business requirements for a system architecture, design solutions, deploy, install, and configure architecture components, and troubleshoot system problems.
• Microsoft Certified Solution Developer (MCSD). These individuals are qualified to design and develop custom business solutions by using Microsoft development tools, technologies, and platforms. The new track includes certification exams that test users’ abilities to build Web-based, distributed, and commerce applications by using Microsoft products such as Microsoft SQL Server, Microsoft Visual Studio, and Microsoft Component Services.
• Microsoft Certified Trainer (MCT). Persons with this credential are instructionally and technically qualified by Microsoft to deliver Microsoft Education Courses at Microsoft-authorized sites. An MCT must be employed by a Microsoft Solution Provider Authorized Technical Education Center or a Microsoft Authorized Academic Training site.
NOTE
For up-to-date information about each type of certification, visit the Microsoft Training and Certification Web site at http://www.microsoft.com/trainingandservices.
RETIRING CERTIFICATIONS
With the advent of Windows 2000, several certifications are being retired. These include the following:
• Microsoft Certified Professional+Internet (MCP+Internet). Although still listed on the Microsoft Training and Certification site at the time of this writing, this certification is retiring. Although the certification for current holders stays in effect until December 31, 2001, all the exams retired February 28, 2001.
• Microsoft Certified Professional+Site Building (MCP+Site Building). Although it is still listed on the Microsoft Training and Certification site at the time of this writing, this certification is retiring. The Microsoft Certified Professional+Site Building certification retires on June 30, 2002. An upgrade certification path is not planned.
• Microsoft Certified Systems Engineer+Internet (MCSE+Internet). Microsoft retired most of the exams leading to the Microsoft Certified Systems Engineer+Internet certification on February 28, 2001. All those who already earned the MCSE+Internet certification will retain the certification until December 31, 2001. An upgrade certification path is not planned.
You also can contact Microsoft through the following sources:
• Microsoft Certified Professional Program: 800-636-7544
• http://register.microsoft.com/contactus/contactus.asp
CERTIFICATION REQUIREMENTS
An asterisk following an exam in any of the following lists means that it is slated for retirement.
How to Become a Microsoft Certified Professional
To become certified as an MCP, you need only pass any Microsoft exam (with the exception of Microsoft Windows 2000 Accelerated Exam for MCPs Certified on Microsoft Windows NT 4.0, #70-240).
How to Become a Microsoft Certified Database Administrator
There are two MCDBA tracks still listed on the Microsoft Training and Certification site: one tied to Windows 2000, the other based on Windows NT 4.0.
However, most of the exams for the Windows NT 4.0 track retired on February 28, 2001. Thus, only the Windows 2000 track is covered.
Windows 2000 Track
To become an MCDBA in the Windows 2000 Track, you must pass three core exams described in the next section.

Core Exams
• Installing, Configuring, and Administering Microsoft Windows 2000 Server, #70-215 or Microsoft Windows 2000 Accelerated Exam for MCPs Certified on Microsoft Windows NT 4.0, #70-240 (only for those who have passed exams #70-067*, #70-068*, and #70-073*)
• Administering Microsoft SQL Server 7.0, #70-028 or Installing, Configuring, and Administering Microsoft SQL Server 2000, Enterprise Edition, #70-228
• Designing and Implementing Databases with Microsoft SQL Server 7.0, #70-029 or Designing and Implementing Databases with Microsoft SQL Server 2000, Enterprise Edition, #70-229

Elective Exams
You must also pass one elective exam from the following list (note that #70-240 can be counted twice—as both a core and elective exam in the MCDBA track):
• Implementing and Administering a Microsoft Windows 2000 Network Infrastructure, #70-216 (only for those who have not already passed #70-067*, #70-068*, and #70-073*)
• Designing and Implementing Distributed Applications with Microsoft Visual C++ 6.0, #70-015
• Designing and Implementing Data Warehouses with Microsoft SQL Server 7.0 and Microsoft Decision Support Services 1.0, #70-019
• Implementing and Supporting Microsoft Internet Information Server 4.0, #70-087*
• Designing and Implementing Distributed Applications with Microsoft Visual FoxPro 6.0, #70-155
• Designing and Implementing Distributed Applications with Microsoft Visual Basic 6.0, #70-175
How to Become a Microsoft Certified Systems Engineer
You must pass operating system exams and two elective exams to become an MCSE. The MCSE certification path is divided into two tracks: Windows 2000 and Windows NT 4.0. However, most of the core exams for the Windows NT 4.0 track will have been retired by February 28, 2001. Thus, only the Windows 2000 track is covered. To retain the MCSE certification, those certified in the Windows NT 4.0 track must upgrade their certification to the Windows 2000 requirements by December 31, 2001.
Windows 2000 Track
The Windows 2000 track requires you to pass five core exams (or an accelerated exam and another core exam). You must also pass two elective exams.

Core Exams
The Windows 2000 track core requirements for MCSE certification include the following for those who have not passed #70-067, #70-068, and #70-073:
• Installing, Configuring, and Administering Microsoft Windows 2000 Professional, #70-210
• Installing, Configuring, and Administering Microsoft Windows 2000 Server, #70-215
• Implementing and Administering a Microsoft Windows 2000 Network Infrastructure, #70-216
• Implementing and Administering a Microsoft Windows 2000 Directory Services Infrastructure, #70-217
The Windows 2000 track core requirements for MCSE certification include the following for those who have passed #70-067*, #70-068*, and #70-073*:
• Microsoft Windows 2000 Accelerated Exam for MCPs Certified on Microsoft Windows NT 4.0, #70-240
All candidates must pass one of these additional Core Exams:
• Designing a Microsoft Windows 2000 Directory Services Infrastructure, #70-219 or Designing Security for a Microsoft Windows 2000 Network, #70-220 or Designing a Microsoft Windows 2000 Infrastructure, #70-221 or Designing Highly Available Web Solutions with Microsoft Windows 2000 Server Technologies, #70-226 (This exam is in development. It was released in its beta version in May 2001.)
Elective Exams
Any MCSE elective exams that are current (not slated for retirement) when the Windows 2000 core exams are released can be used to fulfill the requirement of two elective exams. In addition, Core Exams 219-221 can be used as elective exams as well, as long as they are not already being used to fulfill the “additional Core Exams” requirement previously outlined. Exam #70-222, Upgrading from Microsoft Windows NT 4.0 to Microsoft Windows 2000, can also fulfill this requirement. Finally, selected third-party certifications that focus on interoperability might count for this requirement although none has been identified at this time.
How to Become a Microsoft Certified Solution Developer
The MCSD certification is outlined in the following sections. Undoubtedly, changes will be made to this certification with the release of the .NET technologies. However, no changes were announced at the time of this writing.
The MCSD Track
You must pass three core exams and one elective exam. The three core exam areas are listed here, as are the elective exams from which you can choose.
Core Exams
The core exams include the following:
Desktop Applications Development (One Required)
• Designing and Implementing Desktop Applications with Microsoft Visual C++ 6.0, #70-016 or Designing and Implementing Desktop Applications with Microsoft Visual FoxPro 6.0, #70-156 or Designing and Implementing Desktop Applications with Microsoft Visual Basic 6.0, #70-176
Distributed Applications Development (One Required)
• Designing and Implementing Distributed Applications with Microsoft Visual C++ 6.0, #70-015 or Designing and Implementing Distributed Applications with Microsoft Visual FoxPro 6.0, #70-155 or Designing and Implementing Distributed Applications with Microsoft Visual Basic 6.0, #70-175
Solution Architecture (Required)
• Analyzing Requirements and Defining Solution Architectures, #70-100

Elective Exam
You must pass one of the following elective exams:
• Designing and Implementing Distributed Applications with Microsoft Visual C++ 6.0, #70-015
• Designing and Implementing Desktop Applications with Microsoft Visual C++ 6.0, #70-016
• Designing and Implementing Data Warehouses with Microsoft SQL Server 7.0, #70-019
• Developing Applications with C++ Using the Microsoft Foundation Class Library, #70-024
• Implementing OLE in Microsoft Foundation Class Applications, #70-025
• Implementing a Database Design on Microsoft SQL Server 6.5, #70-027
• Designing and Implementing Databases with Microsoft SQL Server 7.0, #70-029
• Designing and Implementing Databases with Microsoft SQL Server 2000 Enterprise Edition, #70-229
• Designing and Implementing Web Sites with Microsoft FrontPage 98, #70-055*
• Designing and Implementing Commerce Solutions with Microsoft Site Server 3.0, Commerce Edition, #70-057
• Application Development with Microsoft Access for Windows 95 and the Microsoft Access Developer’s Toolkit, #70-069*
• Designing and Implementing Solutions with Microsoft Office 2000 and Microsoft Visual Basic for Applications, #70-091
• Designing and Implementing Collaborative Solutions with Microsoft Outlook 2000 and Microsoft Exchange Server 5.5, #70-105
• Designing and Implementing Web Solutions with Microsoft Visual InterDev 6.0, #70-152
• Designing and Implementing Distributed Applications with Microsoft Visual FoxPro 6.0, #70-155
• Designing and Implementing Desktop Applications with Microsoft Visual FoxPro 6.0, #70-156
• Developing Applications with Microsoft Visual Basic 5.0, #70-165*
• Designing and Implementing Distributed Applications with Microsoft Visual Basic 6.0, #70-175
• Designing and Implementing Desktop Applications with Microsoft Visual Basic 6.0, #70-176
Becoming a Microsoft Certified Trainer
As of January 1, 2001, all MCTs must hold a premier Microsoft Certified Professional (MCP) certification (Microsoft Certified Systems Engineer, Microsoft Certified Solution Developer, or Microsoft Certified Database Administrator). To fully understand the requirements and process for becoming an MCT, you need to obtain the Microsoft Certified Trainer Guide document from: http://www.microsoft.com/trainingandservices/content/downloads/MCT_guide.doc
At this site, you can read the document as a Web page or display and download it as a Word file. You can also download the application form from the site. The MCT Guide explains the process for becoming an MCT. The general steps for the MCT certification are as follows:
1. Complete and mail a Microsoft Certified Trainer application to Microsoft. You must include proof of your skills for presenting instructional material. The options for doing so are described in the MCT Guide.
2. Obtain and study the Microsoft Trainer Kit for the Microsoft Official Curricula (MOC) courses for which you want to be certified. Microsoft Trainer Kits can be ordered by calling 800-688-0496 in North America. Those of you in other regions should review the MCT Guide for information on how to order a Trainer Kit.
3. Take and pass any required prerequisite MCP exam(s) to measure your current technical knowledge.
4. Prepare to teach a MOC course. Begin by attending the MOC course for the course for which you want to be certified. This is required so you understand how the course is structured, how labs are completed, and how the course flows.
5. Pass any additional exam requirement(s) to measure any additional product knowledge that pertains to the course.
6. Submit your course preparation checklist to Microsoft so that your additional accreditation may be processed and reflect on your transcript.
WARNING
You should consider the preceding steps a general overview of the MCT certification process. The precise steps that you need to take are described in detail on the Web site mentioned earlier. Do not misinterpret the preceding steps as the exact process that you must undergo.
If you are interested in becoming an MCT, you can obtain more information by visiting the Microsoft Certified Training Web site at http://www.microsoft.com/trainingandservices and choosing MCT under Technical Certifications or by calling 800-688-0496.
APPENDIX F
What’s on the CD-ROM
This appendix is a brief rundown of what you’ll find on the CD-ROM that comes with this book. For a more detailed description of the ExamGear, Training Guide Edition exam simulation software, see Appendix G, “Using the ExamGear, Training Guide Edition Software.” All items on the CD-ROM are easily accessible from the simple interface. In addition to ExamGear, Training Guide Edition, the CD-ROM includes an electronic version of the book in Portable Document Format (PDF), utility and application programs, and a complete listing of the test objectives and where they are covered in the book.
EXAMGEAR, TRAINING GUIDE EDITION
ExamGear is an exam environment developed exclusively for New Riders Publishing. It is, we believe, the best exam software available. In addition to providing a means of evaluating your knowledge of the Training Guide material, ExamGear, Training Guide Edition features several innovations that help you to improve your mastery of the subject matter. For example, the practice tests allow you to check your score by exam area or category to determine which topics you need to study more. In another mode, ExamGear, Training Guide Edition allows you to obtain immediate feedback on your responses in the form of explanations for the correct and incorrect answers.
Although ExamGear, Training Guide Edition exhibits most of the full functionality of the retail version of ExamGear, including the exam format and question types, this special version is written to the training guide content. It is designed to aid you in assessing how well you understand the Training Guide material and enable you to experience most of the question formats you will see on the actual exam. It is not as complete a simulation of the exam as the full ExamGear retail product. It also does not include some of the features of the full retail product, such as access to the mentored discussion groups. However, it serves as an excellent method for assessing your knowledge of the Training Guide content and gives you the experience of taking an electronic exam. Again, for a more complete description of ExamGear, Training Guide Edition features, see Appendix G, “Using the ExamGear, Training Guide Edition Software.”
EXCLUSIVE ELECTRONIC VERSION OF THE TEXT
The CD-ROM also contains the electronic version of this book in PDF. The electronic version comes complete with all figures as they appear in the book. You will find that the search capabilities of the reader come in handy for study and review purposes.
LISTING OF TEST OBJECTIVES
Also included on the CD-ROM are a list of the test objectives and where each objective is covered in the book (with the page number on where to find this information). This list includes the review questions and exercises pertinent to each objective.
HELPFUL URLS AND WEB SITES
There is a list of URLs and Web sites mentioned in the book included on the CD-ROM. This list is a helpful resource if you are looking for specific information on one of the test topics or objectives.
COPYRIGHT INFORMATION AND DISCLAIMER
New Riders Publishing’s ExamGear test simulator: Copyright 2000 by New Riders Publishing. All rights reserved. Made in U.S.A.
APPENDIX G
Using the ExamGear, Training Guide Edition Software
This training guide includes a special version of ExamGear—a revolutionary new test engine that is designed to give you the best in certification exam preparation. ExamGear offers sample and practice exams for many of today’s most in-demand technical certifications. This special Training Guide edition is included with this book as a tool to utilize in assessing your knowledge of the Training Guide material while also providing you with the experience of taking an electronic exam. In the rest of this appendix, we describe in detail what ExamGear, Training Guide Edition is, how it works, and what it can do to help you prepare for the exam. Note that although the Training Guide edition includes nearly all the test simulation functions of the complete, retail version, the questions focus on the Training Guide content rather than on simulating the actual Microsoft exam.
EXAM SIMULATION
One of the main functions of ExamGear, Training Guide Edition is exam simulation. To prepare you to take the actual vendor certification exam, the Training Guide edition of this test engine is designed to offer the most effective exam simulation available.

Question Quality
The questions provided in the ExamGear, Training Guide Edition simulations are written to high standards of technical accuracy. The questions tap the content of the Training Guide chapters and help you review and assess your knowledge before you take the actual exam.

Interface Design
The ExamGear, Training Guide Edition exam simulation interface provides you with the experience of taking an electronic exam. This enables you to effectively prepare for taking the actual exam by making the test experience a familiar one. Using this test simulation can help eliminate the sense of surprise or anxiety that you might experience in the testing center, because you will already be acquainted with computerized testing.

STUDY TOOLS
ExamGear provides you with several learning tools to help prepare you for the actual certification exam.
Effective Learning Environment
The ExamGear, Training Guide Edition interface provides a learning environment that not only tests you through the computer, but also teaches the material you need to know to pass the certification exam. Each question comes with a detailed explanation of the correct answer and provides reasons why the other options were incorrect. This information helps to reinforce the knowledge you have already and also provides practical information you can use on the job.

Automatic Progress Tracking
ExamGear, Training Guide Edition automatically tracks your progress as you work through the test questions. From the Item Review tab (discussed in detail later in this appendix), you can see at a glance how well you are scoring by objective, by chapter, or on a question-by-question basis (see Figure G.1). You can also configure ExamGear to drill you on the skills you need to work on most.

HOW EXAMGEAR, TRAINING GUIDE EDITION WORKS
ExamGear comprises two main elements: the interface and the database. The interface is the part of the program that you use to study and to run practice tests. The database stores all the question-and-answer data.

Interface
The ExamGear, Training Guide Edition interface is designed to be easy to use and provides the most effective study method available. The interface enables you to select from the following modes:
• Study Mode. In this mode, you can select the number of questions you want to see and the time you want to allow for the test. You can select questions from all the chapters or from specific chapters. This enables you to reinforce your knowledge in a specific area or strengthen your knowledge in areas pertaining to a specific objective. During the exam, you can display the correct answer to each question along with an explanation of why it is correct.
• Practice Exam. In this mode, you take an exam that is designed to simulate the actual certification exam. Questions are selected from all test-objective groups. The number of questions selected and the time allowed are set to match those parameters of the actual certification exam.
FIGURE G.1 Item review.
• Adaptive Exam. In this mode, you take an exam simulation using the adaptive testing technique. Questions are taken from all test-objective groups. The questions are presented in a way that ensures your mastery of all the test objectives. After you have a passing score or if you reach a point where it is statistically impossible for you to pass, the exam is ended. This method provides a rapid assessment of your readiness for the actual exam.

Database
The ExamGear, Training Guide Edition database stores a group of test questions along with answers and explanations. At least three databases are included for each Training Guide edition product. One includes the questions from the ends of the chapters. Another includes the questions from the Practice Exam. The third is a database of new questions that have not appeared in the book. Additional exam databases may also be available for purchase online and are simple to download. Look ahead to the section “Obtaining Updates” in this appendix to find out how to download and activate additional databases.

INSTALLING AND REGISTERING EXAMGEAR, TRAINING GUIDE EDITION
This section provides instructions for ExamGear, Training Guide Edition installation and describes the process and benefits of registering your Training Guide edition product.

Requirements
ExamGear requires a computer with the following:
• Microsoft Windows 95, Windows 98, Windows ME, Windows NT 4.0, or Windows 2000. A Pentium or later processor is recommended.
• 20MB to 30MB of hard drive space.
• A minimum of 32MB of RAM. As with any Windows application, the more memory, the better your performance.
• A connection to the Internet. An Internet connection is not required for the software to work, but it is required for online registration, product updates, downloading bonus question sets, and for unlocking other exams. These processes are described in more detail later.
• A Web browser. A Web browser is not required for the software to work, but is invoked from the Online, Web Sites menu option.
Installing ExamGear, Training Guide Edition
Install ExamGear, Training Guide Edition by running the setup program that you found on the ExamGear, Training Guide Edition CD. Follow these instructions to install the Training Guide edition on your computer:
1. Insert the CD in your CD-ROM drive. The Autorun feature of Windows should launch the software. If you have Autorun disabled, click Start, and choose Run. Go to the root directory of the CD and choose START.EXE. Click Open, and then OK.
2. Click the button in the circle, and you see the welcome screen. From here you can install ExamGear. Click the ExamGear button to begin installation.
3. The Installation Wizard appears onscreen and prompts you with instructions to complete the installation. Select a directory on which to install ExamGear, Training Guide Edition.
4. The Installation Wizard copies the ExamGear, Training Guide Edition files to your hard drive, adds ExamGear, Training Guide Edition to your Program menu, adds values to your Registry, and installs the test engine’s DLLs to the appropriate system folders. To ensure that the process was successful, the Setup program finishes by running ExamGear, Training Guide Edition.
5. The Installation Wizard logs the installation process and stores this information in a file named INSTALL.LOG. This log file is used by the uninstall process in the event that you choose to remove ExamGear, Training Guide Edition from your computer. Because the ExamGear installation adds Registry keys and DLL files to your computer, it is important to uninstall the program appropriately (see the section “Removing ExamGear, Training Guide Edition from Your Computer”).

Registering ExamGear, Training Guide Edition
The Product Registration Wizard appears when ExamGear, Training Guide Edition is started for the first time, and ExamGear checks at startup to see whether you are registered. If you are not registered, the main menu is hidden, and a Product Registration Wizard appears. Remember that your computer must have an Internet connection to complete the Product Registration Wizard.

The first page of the Product Registration Wizard details the benefits of registration; however, you can always elect not to register. The Show This Message at Startup Until I Register option enables you to decide whether the registration screen should appear every time ExamGear, Training Guide Edition is started. If you click the Cancel button, you return to the main menu. You can register at any time by selecting Online, Registration from the main menu. The registration process is composed of a simple form for entering your personal information, including your name and address. You are asked for your level of experience with the product on which you are testing and whether you purchased ExamGear, Training Guide Edition from a retail store or over the Internet. The information will be used by our software designers and marketing department to provide us with feedback about the usability and usefulness of this product. It takes only a few seconds to fill out and transmit the registration data. A confirmation dialog box appears when registration is complete. After you have registered and transmitted this information to New Riders, the registration option is removed from the pull-down menu.

Registration Benefits
Registering allows New Riders to notify you of product updates and new releases.
Removing ExamGear, Training Guide Edition from Your Computer
In the event that you elect to remove the ExamGear, Training Guide Edition product from your computer, an uninstall process has been included to ensure that it is removed from your system safely and completely. Follow these instructions to remove ExamGear from your computer:
1. Click Start, Settings, Control Panel.
2. Double-click the Add/Remove Programs icon.
3. You are presented with a list of software that is installed on your computer. Select ExamGear, Training Guide Edition from the list and click the Add/Remove button. The ExamGear, Training Guide Edition software is then removed from your computer.
It is important that the INSTALL.LOG file be present in the directory where you have installed ExamGear, Training Guide Edition should you ever choose to uninstall the product. Do not delete this file. The INSTALL.LOG file is used by the uninstall process to safely remove the files and Registry settings that were added to your computer by the installation process.

USING EXAMGEAR, TRAINING GUIDE EDITION
ExamGear is designed to be user-friendly and very intuitive, eliminating the need for you to learn some confusing piece of software just to practice answering questions. Because the software has a smooth learning curve, your time is maximized because you start practicing almost immediately.

General Description of How the Software Works
ExamGear has three modes of operation: Study Mode, Practice Exam, and Adaptive Exam (see Figure G.2).

FIGURE G.2 The opening screen offers three testing modes.

All three sections have the same easy-to-use interface. Using Study Mode, you can hone your knowledge as well as your test-taking abilities through the use of the Show Answers option. While you are taking the test, you can expose the answers along with a brief description of why the given answers are right or wrong. This gives you the ability to better understand the material presented. The Practice Exam section has many of the same options as Study Mode, but you cannot reveal the answers. This way, you have a more traditional testing environment with which to practice. The Adaptive Exam questions continuously monitor your expertise in each tested topic area. If you reach a point at which you either pass or fail, the software ends the examination. As in the Practice Exam, you cannot reveal the answers.
Menu Options
The ExamGear, Training Guide Edition interface has an easy-to-use menu that provides the following options:

Menu     Command                    Description
File     Print                      Prints the current screen.
         Print Setup                Allows you to select the printer.
         Exit ExamGear              Exits the program.
Online   Registration               Starts the Registration Wizard and allows you to register online. This menu option is removed after you have successfully registered the product.
         Check for Product Updates  Opens the ExamGear Web site with available updates.
         Web Sites                  Opens your Web browser with either the New Riders Publishing or ExamGear home pages.
Help     Contents                   Opens ExamGear, Training Guide Edition’s help file.
         About                      Displays information about ExamGear, Training Guide Edition, including serial number, registered owner, and so on.

File
The File menu allows you to exit the program and configure print options.

Online
In the Online menu, you can register ExamGear, Training Guide Edition, check for product updates (update the ExamGear executable as well as check for free, updated question sets), and surf applicable Web sites. The Online menu is always available, except when you are taking a test.

Registration
Registration is free and allows you access to updates. Registration is the first task that ExamGear, Training Guide Edition asks you to perform. You will not have access to the free product updates if you do not register.

Check for Product Updates
This option takes you to ExamGear, Training Guide Edition’s Web site, where you can update the software. You must also be connected to the Internet to use this option. The ExamGear Web site lists the options that have been made available since your version of ExamGear was installed on your computer.

Web Browser
This option provides a convenient way to start your Web browser and connect to either the New Riders or ExamGear home page.

Help
As it suggests, this menu option gives you access to ExamGear’s help system. It also provides important information such as your serial number, software version, and so on.

Starting a Study Mode Session
Study Mode enables you to control the test in ways that actual certification exams do not allow:
• You can set your own time limits.
• You can concentrate on selected skill areas (chapters).
• You can reveal answers or have each response graded immediately with feedback.
• You can restrict the questions you see again to those missed or those answered correctly a given number of times.
• You can control the order in which questions are presented—random order or in order by skill area (chapter).
To begin testing in Study Mode, click the Study Mode button from the main Interface screen. You are presented with the Study Mode configuration page (see Figure G.3).
FIGURE G.3 The Study Mode configuration page.
At the top of the Study Mode configuration screen, you see the Exam drop-down list. This list shows the activated exam that you have purchased with your ExamGear, Training Guide Edition product, as well as any other exams you may have downloaded or any Preview exams that were shipped with your version of ExamGear. Select the exam with which you want to practice from the drop-down list.
Below the Exam drop-down list, you see the questions that are available for the selected exam. Each exam has at least one question set. You can select the individual question set or any combination of the question sets if there is more than one available for the selected exam.
Below the Question Set list is a list of skill areas or chapters on which you can concentrate. These skill areas or chapters reflect the units of exam objectives defined by Microsoft for the exam. Within each skill area you will find several exam objectives. You can select a single skill area or chapter to focus on, or you can select any combination of the available skill areas/chapters to customize the exam to your individual needs.
In addition to specifying which question sets and skill areas you want to test yourself on, you can also define which questions are included in the test based on your previous progress working with the test. ExamGear, Training Guide Edition automatically tracks your progress with the available questions. When configuring the Study Mode options, you can opt to view all the questions available within the question sets and skill areas you have selected, or you can limit the questions presented. Choose from the following options:
• Select from All Available Questions. This option causes ExamGear, Training Guide Edition to present all available questions from the selected question sets and skill areas.
• Exclude Questions I Have Answered Correctly X or More Times. ExamGear offers you the option to exclude questions that you have previously answered correctly. You can specify how many times you want to answer a question correctly before ExamGear considers you to have mastered it (the default is two times).
• Select Only Questions That I Have Missed X or More Times. This option configures ExamGear, Training Guide Edition to drill you only on questions that you have missed repeatedly. You may specify how many times you must miss a question before ExamGear determines that you have not mastered it (the default is two times).
At any time, you can reset ExamGear, Training Guide Edition’s tracking information by clicking the Reset button for the feature you want to clear.
At the top-right side of the Study Mode configuration sheet, you can see your access level to the question sets for the selected exam. Access levels are either Full or Preview. For a detailed explanation of each of these access levels, see the section “Obtaining Updates” in this appendix. Under your access level, you see the score required to pass the selected exam.
Below the required score, you can select whether the test will be timed and how much time will be allowed to complete the exam. Select the Stop Test After 90 Minutes check box to set a time limit for the exam. Enter the number of minutes you want to allow for the test (the default is 90 minutes). Deselecting this check box allows you to take an exam with no time limit.
You can also configure the number of questions included in the exam. The default number of questions changes with the specific exam you have selected. Enter the number of questions you want to include in the exam in the Select No More than X Questions option.
You can configure the order in which ExamGear, Training Guide Edition presents the exam questions. Select from the following options:
• Display Questions in Random Order. This option is the default option. When selected, it causes ExamGear, Training Guide Edition to present the questions in random order throughout the exam.
• Order by Skill Area. This option causes ExamGear to group the questions presented in the exam by skill area. All questions for each selected skill area are presented in succession. The test progresses from one selected skill area to the next, until all the questions from each selected skill area have been presented.
ExamGear offers two options for scoring your exams. Select one of the following options:
• Grade at the End of the Test. This option configures ExamGear, Training Guide Edition to score your test after you have been presented with all the selected exam questions. You can reveal correct answers to a question, but if you do, that question is not scored.
• Grade as I Answer Each Question. This option configures ExamGear to grade each question as you answer it, providing you with instant feedback as you take the test. All questions are scored unless you click the Show Answer button before completing the question.
You can return to the ExamGear, Training Guide Edition main startup screen from the Study Mode configuration screen by clicking the Main Menu button. If you need assistance configuring the Study Mode exam options, click the Help button for configuration instructions. When you have finished configuring all the exam options, click the Start Test button to begin the exam.
Starting Practice Exams and Adaptive Exams
This section describes the Practice and Adaptive Exams, defines the differences between these exam options and the Study Mode option, and provides instructions for starting them.
Differences Between the Practice and Adaptive Exams and Study Modes
Question screens in the Practice and Adaptive Exams are identical to those found in Study Mode, except that the Show Answer, Grade Answer, and Item Review buttons are not available while you are in the process of taking a practice or adaptive exam. The Practice Exam provides you with a report screen at the end of the exam. The Adaptive Exam gives you a brief message indicating whether you’ve passed or failed the exam.
When taking a practice exam, the Item Review screen is not available until you have answered all the questions. This is consistent with the behavior of most vendors’ current certification exams. In Study Mode, Item Review is available at any time.
When the exam timer expires, or if you click the End Exam button, the Examination Score Report screen comes up.
Starting an Exam
From the ExamGear, Training Guide Edition main menu screen, select the type of exam you want to run. Click the Practice Exam or Adaptive Exam button to begin the corresponding exam type.
What Is an Adaptive Exam?
To make the certification testing process more efficient and valid and therefore make the certification itself more valuable, some vendors in the industry are using a testing technique called adaptive testing. In an adaptive exam, the exam “adapts” to your abilities by varying the difficulty level of the questions presented to you.
The first question in an adaptive exam is typically an easy one. If you answer it correctly, you are presented with a slightly more difficult question. If you answer that question correctly, the next question you see is even more difficult. If you answer the question incorrectly, however, the exam “adapts” to your skill level by presenting you with another question of equal or lesser difficulty on the same subject. If you answer that question correctly, the test begins to increase the difficulty level again. You must correctly answer several questions at a predetermined difficulty level to pass the exam. After you have done this successfully, the exam is ended and scored. If you do not reach the required level of difficulty within a predetermined time (typically 30 minutes) the exam is ended and scored.
Why Do Vendors Use Adaptive Exams?
Many vendors who offer technical certifications have adopted the adaptive testing technique. They have found that it is an effective way to measure a candidate’s mastery of the test material in as little time as necessary. This reduces the scheduling demands on the test taker and allows the testing center to offer more tests per test station than they could with longer, more traditional exams. In addition, test security is greater, and this increases the validity of the exam process.
Studying for Adaptive Exams
Studying for adaptive exams is no different from studying for traditional exams. You should make sure that you have thoroughly covered all the material for each of the test objectives specified by the certification exam vendor. As with any other exam, when you take an adaptive exam, either you know the material or you don’t. If you are well prepared, you will be able to pass the exam. ExamGear, Training Guide Edition allows you to familiarize yourself with the adaptive exam testing technique. This will help eliminate any anxiety you might experience from this testing technique and allow you to focus on learning the actual exam material.
ExamGear’s Adaptive Exam
The method used to score the Adaptive Exam requires a large pool of questions. For this reason, you cannot use this exam in Preview mode. The Adaptive Exam is presented in much the same way as the Practice Exam. When you click the Start Test button, you begin answering questions. The Adaptive Exam does not allow item review, and it does not allow you to mark questions to skip and answer later. You must answer each question when it is presented.

Assumptions
This section describes the assumptions made when designing the behavior of the ExamGear, Training Guide Edition adaptive exam.
• You fail the test if you fail any chapter, earn a failing overall score, or reach a threshold at which it is statistically impossible for you to pass the exam.
• You can fail or pass a test without cycling through all the questions.
• The overall score for the adaptive exam is Pass or Fail. However, to evaluate user responses dynamically, percentage scores are recorded for chapters and the overall score.

Algorithm Assumptions
This section describes the assumptions used in designing the ExamGear, Training Guide Edition Adaptive Exam scoring algorithm.

Chapter Scores
You fail a chapter (and the exam) if any chapter score falls below 66%.

Overall Scores
To pass the exam, you must pass all chapters and achieve an overall score of 86% or higher.
You fail if the overall score percentage is less than or equal to 85% or if any chapter score is less than 66%.

Inconclusive Scores
If your overall score is between 67% and 85%, it is considered to be inconclusive. Additional questions will be asked until you pass or fail or until it becomes statistically impossible to pass without asking more than the maximum number of questions allowed.
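The chapter, overall and inconclusive rules above, worked through as an added Python example; this is not ExamGear’s own code. It uses only the thresholds the text states (66% per chapter, 86% overall to pass, 67% to 85% inconclusive). Two things the text does not specify are assumptions here: the minimum number of questions before a pass or fail verdict is issued (the text says only “several”, so 10 is used), and the test for “statistically impossible to pass”, which is approximated by asking whether answering every remaining question correctly would still leave the overall score below 86%.

```python
"""Adaptive exam verdict logic modelled on the ExamGear appendix thresholds.

Added illustration, not ExamGear's code. Thresholds come from the text;
MIN_QUESTIONS and the best-case bound in best_case_overall() are assumptions.
"""
from dataclasses import dataclass, field

CHAPTER_PASS = 66      # a chapter below this fails the chapter and the exam
OVERALL_PASS = 86      # overall score needed to pass
INCONCLUSIVE_LOW = 67  # overall scores from here up to 85 are inconclusive


@dataclass
class ExamState:
    max_questions: int
    min_questions: int = 10  # assumption: "several" questions before any verdict
    # chapter name -> [attempted, correct]
    chapters: dict = field(default_factory=dict)

    def record(self, chapter, correct):
        """Record one answered question for a chapter."""
        attempted, right = self.chapters.get(chapter, [0, 0])
        self.chapters[chapter] = [attempted + 1, right + (1 if correct else 0)]

    def asked(self):
        return sum(a for a, _ in self.chapters.values())

    def correct(self):
        return sum(c for _, c in self.chapters.values())

    def chapter_pct(self, chapter):
        attempted, right = self.chapters[chapter]
        return 100.0 * right / attempted

    def overall_pct(self):
        asked = self.asked()
        return 100.0 * self.correct() / asked if asked else 0.0

    def best_case_overall(self):
        """Assumption: overall score if every remaining question were correct."""
        remaining = self.max_questions - self.asked()
        return 100.0 * (self.correct() + remaining) / self.max_questions


def decide(state):
    """Return 'pass', 'fail' or 'inconclusive' for the current exam state."""
    asked = state.asked()
    if asked == 0:
        return "inconclusive"
    # Statistically impossible to pass within the question budget: fail now.
    if state.best_case_overall() < OVERALL_PASS:
        return "fail"
    # Assumption: no other verdict until a minimum number of questions is asked.
    if asked < state.min_questions:
        return "inconclusive"
    # Any chapter below 66% fails the chapter and therefore the exam.
    if any(state.chapter_pct(ch) < CHAPTER_PASS for ch in state.chapters):
        return "fail"
    overall = state.overall_pct()
    # All chapters passed and 86% or higher overall: pass.
    if overall >= OVERALL_PASS:
        return "pass"
    # Below the 67% floor of the inconclusive band: fail.
    if overall < INCONCLUSIVE_LOW:
        return "fail"
    # 67% to 85% overall: inconclusive, keep asking questions.
    return "inconclusive"


def run_exam(responses, max_questions):
    """Replay constructed (chapter, correct) responses in order and stop at the
    first pass or fail verdict. Returns (verdict, questions_asked)."""
    state = ExamState(max_questions=max_questions)
    for chapter, correct in responses:
        state.record(chapter, correct)
        verdict = decide(state)
        if verdict != "inconclusive":
            return verdict, state.asked()
    return decide(state), state.asked()


if __name__ == "__main__":
    # Constructed sample: chapter B answered wrong every time. The best-case
    # bound makes a pass impossible after six questions, so the exam ends early.
    print(run_exam([("A", True), ("B", False)] * 6, max_questions=20))
```

The early stop illustrates the second assumption in the text (a verdict without cycling through all the questions): once the best-case bound drops below 86%, asking more questions cannot change the outcome.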
Question Types and How to Answer Them
Because certification exams from different vendors vary, you will face many types of questions on any given exam. ExamGear, Training Guide Edition presents you with different question types to allow you to become familiar with the various ways an actual exam may test your knowledge. The Solution Architectures exam, in particular, offers a unique exam format and utilizes question types other than multiple choice. This version of ExamGear includes cases—extensive problem descriptions running several pages in length, followed by a number of questions specific to that case. Microsoft refers to these case/question collections as testlets. This version of ExamGear, Training Guide Edition also includes regular questions that are not attached to a case study. We include these question types to make taking the actual exam easier because you will already be familiar with the steps required to answer each question type. This section describes each of the question types presented by ExamGear and provides instructions for answering each type.
Multiple Choice
Most of the questions you see on a certification exam are multiple choice (see Figure G.4). This question type asks you to select an answer from the list provided. Sometimes you must select only one answer, often indicated by answers preceded by option buttons (round selection buttons). At other times, multiple correct answers are possible, indicated by check boxes preceding the possible answer combinations.
FIGURE G.4 A typical multiple-choice question.
You can use three methods to select an answer:
• Click the option button or check box next to the answer. If more than one correct answer to a question is possible, the answers will have check boxes next to them. If only one correct answer to a question is possible, each answer will have an option button next to it. ExamGear, Training Guide Edition prompts you with the number of answers you must select.
• Click the text of the answer.
• Press the alphabetic key that corresponds to the answer.
You can use any one of three methods to clear an option button:
• Click another option button.
• Click the text of another answer.
• Press the alphabetic key that corresponds to another answer.
You can use any one of three methods to clear a check box:
• Click the check box next to the selected answer.
• Click the text of the selected answer.
• Press the alphabetic key that corresponds to the selected answer.
To clear all answers, click the Reset button.
Remember that some of the questions have multiple answers that are correct. Do not let this throw you off. The multiple correct questions do not have one answer that is more correct than another. In the single correct format, only one answer is correct. ExamGear, Training Guide Edition prompts you with the number of answers you must select.
Drag and Drop
One form of drag and drop question is called a Drop and Connect question. These questions present you with a number of objects and connectors. The question prompts you to create relationships between the objects by using the connectors. The gray squares on the left side of the question window are the objects you can select. The connectors are listed on the right side of the question window in the Connectors box. An example is shown in Figure G.5.
FIGURE G.5 A typical Drop and Connect question.
To select an object, click it with the mouse. When an object is selected, it changes color from a gray box to a white box. To drag an object, select it by clicking it with the left mouse button and holding down the left mouse button. You can move (or drag) the object to another area on the screen by moving the mouse while holding down the left mouse button. To create a relationship between two objects, take the following actions:
1. Select an object and drag it to an available area on the screen.
2. Select another object and drag it to a location near where you dragged the first object.
3. Select the connector that you want to place between the two objects.
The relationship should now appear complete. Note that to create a relationship, you must have two objects selected. If you try to select a connector without first selecting two objects, you are presented with an error message like that illustrated in Figure G.6.
FIGURE G.6 The error message.
Initially, the direction of the relationship established by the connector is from the first object selected to the second object selected. To change the direction of the connector, right-click the connector and choose Reverse Connection.
You can use either of two methods to remove the connector:
• Right-click the text of the connector that you want to remove, and then choose Delete.
• Select the text of the connector that you want to remove, and then press the Delete key.
To remove from the screen all the relationships you have created, click the Reset button. Keep in mind that connectors can be used multiple times. If you move connected objects, it will not change the relationship between the objects; to remove the relationship between objects, you must remove the connector that joins them. When ExamGear, Training Guide Edition scores a drag-and-drop question, only objects with connectors to other objects are scored.
Another form of drag and drop question is called the Select and Place question. Instead of creating a diagram as you do with the Drop and Connect question, you are asked a question about a diagram. You then drag and drop labels onto the diagram to correctly answer the question.
Ordered-List Questions
In the ordered-list question type (see Figure G.7), you are presented with a number of items and are asked to perform two tasks:
1. Build an answer list from items on the list of choices.
2. Put the items in a particular order.
FIGURE G.7 A typical ordered-list question.
You can use any one of the following three methods to add an item to the answer list:
• Drag the item from the list of choices on the right side of the screen to the answer list on the left side of the screen.
• From the available items on the right side of the screen, double-click the item you want to add.
• From the available items on the right side of the screen, select the item you want to add; then click the Move button.
To remove an item from the answer list, you can use any one of the following four methods:
• Drag the item you want to remove from the answer list on the left side of the screen back to the list of choices on the right side of the screen.
• On the left side of the screen, double-click the item you want to remove from the answer list.
• On the left side of the screen, select the item you want to remove from the answer list, and then click the Remove button.
• On the left side of the screen, select the item you want to remove from the answer list, and then press the Delete key.
To remove all items from the answer list, click the Reset button. If you need to change the order of the items in the answer list, you can do so using either of the following two methods:
• Drag each item to the appropriate location in the answer list.
• In the answer list, select the item that you want to move, and then click the up or down arrow button to move the item.
Keep in mind that items in the list can be selected twice. You may find that an ordered-list question will ask you to list in the correct order the steps required to perform a certain task. Certain steps may need to be performed more than once during the process. Don’t think that after you have selected a list item, it is no longer available. If you need to select a list item more than once, you can simply select that item at each appropriate place as you construct your list.
Ordered-Tree Questions
The ordered-tree question type (see Figure G.8) presents you with a number of items and prompts you to create a tree structure from those items. The tree structure includes two or three levels of nodes.
FIGURE G.8 A typical ordered-tree question.
You can use either of the following two methods to add an item to the tree:
• Drag the item from the list of choices on the right side of the screen to the appropriate node of the tree on the left side of the screen.
• Select the appropriate node of the tree on the left side of the screen. Select the appropriate item from the list of choices on the right side of the screen. Click the Add button.
An item in the list of choices can be added only to the appropriate node level. If you attempt to add one of the list choices to an inappropriate node level, you are presented with the error message shown in Figure G.9.
You can use either of the following two methods to remove an item from the tree:
• Drag an item from the tree to the list of choices.
• Select the item and click the Remove button.
To remove from the tree structure all the items you have added, click the Reset button.
Like the ordered-list question, realize that any item in the list can be selected twice. If you need to select a list item more than once, you can simply select that item for the appropriate node as you construct your tree. Also realize that not every tree question actually requires order to the lists under each node. Think of them as simply tree questions rather than ordered-tree questions. Such questions are just asking you to categorize hierarchically. Order is not an issue.
FIGURE G.9 The Invalid Destination Node error message.

Simulations
Simulation questions (see Figure G.10) require you to actually perform a task.
FIGURE G.10 A typical simulation question.
The main screen describes a situation and prompts you to provide a solution. When you are ready to proceed, you click the Run Simulation button in the lower-left corner. A screen or window appears on which you perform the solution. This window simulates the actual software that you would use to perform the required task in the real world. When a task requires several steps to complete, the simulator displays all the necessary screens to allow you to complete the task. When you have provided your answer by completing all the steps necessary to perform the required task, you can click the OK button to proceed to the next question. You can return to any simulation to modify your answer. Your actions in the simulation are recorded, and the simulation appears exactly as you left it. Simulation questions can be reset to their original state by clicking the Reset button.

Hot Spot Questions
Hot spot questions (see Figure G.11) ask you to correctly identify an item by clicking an area of the graphic or diagram displayed. To respond to the question, position the mouse cursor over a graphic. Then press the right mouse button to indicate your selection. To select another area on the graphic, you do not need to deselect the first one. Just click another region in the image.
FIGURE G.11 A typical hot spot question.
Standard ExamGear, Training Guide Edition Options
Regardless of question type, a consistent set of clickable buttons enables you to navigate and interact with questions. The following list describes the function of each of the buttons you may see. Depending on the question type, some of the buttons will be grayed out and will be inaccessible. Buttons that are appropriate to the question type are active.
• Run Simulation. This button is enabled if the question supports a simulation. Clicking this button begins the simulation process.
• Exhibits. This button is enabled if exhibits are provided to support the question. An exhibit is an image, video, sound, or text file that provides supplemental information needed to answer the question. If a question has more than one exhibit, a dialog box appears, listing exhibits by name. If only one exhibit exists, the file is opened immediately when you click the Exhibits button.
• Reset. This button clears any selections you have made and returns the question window to the state in which it appeared when it was first displayed.
• Instructions. This button displays instructions for interacting with the current question type.
• Item Review. This button leaves the question window and opens the Item Review screen. For a detailed explanation of the Item Review screen, see the “Item Review” section later in this appendix.
• Show Answer. This option displays the correct answer with an explanation of why it is correct. If you choose this option, the current question will not be scored.
• Grade Answer. If Grade at the End of the Test is selected as a configuration option, this button is disabled. It is enabled when Grade as I Answer Each Question is selected as a configuration option. Clicking this button grades the current question immediately. An explanation of the correct answer is provided, just as if the Show Answer button were pressed. The question is graded, however.
• End Exam. This button ends the exam and displays the Examination Score Report screen.
• Next>>. This button displays the next question on the exam.
• Next Marked>>. This button is displayed if you have opted to review questions that you have marked using the Item Review screen. This button displays the next marked question. Marking questions is discussed in more detail later in this appendix.
• Next Incomplete>>. This button is displayed if you have opted to review questions, using the Item Review screen, that you have not answered. This button displays the next unanswered question.
Mark Question and Time Remaining
ExamGear provides you with two methods to aid in dealing with the time limit of the testing process. If you find that you need to skip a question or if you want to check the time remaining to complete the test, use one of the options discussed in the following sections.
Mark Question
Check this box to mark a question so that you can return to it later using the Item Review feature. The adaptive exam does not allow questions to be marked because it does not support item review.

Time Remaining
If the test is timed, the Time Remaining indicator is enabled. It counts down minutes remaining to complete the test. The adaptive exam does not offer this feature because it is not timed.

Item Review
The Item Review screen allows you to jump to any question. ExamGear, Training Guide Edition considers an incomplete question to be any unanswered question or any multiple-choice question for which the total number of required responses has not been selected. For example, if the question prompts for three answers and you selected only A and C, ExamGear considers the question to be incomplete.
The Item Review screen enables you to review the exam questions in different ways. You can enter one of two browse sequences (series of similar records): Browse Marked Questions or Browse Incomplete Questions. You can also create a custom grouping of the exam questions for review based on a number of criteria.
When using Item Review, if Show Answer was selected for a question while you were taking the exam, the question is grayed out in item review. The question can be answered again if you use the Reset button to reset the question status.
The Item Review screen contains two tabs. The Questions tab lists questions and question information in columns. The Current Score tab provides your exam score information, presented as a percentage for each chapter and as a bar graph for your overall score.

The Item Review Questions Tab
The Questions tab on the Item Review screen (see Figure G.12) presents the exam questions and question information in a table. You can select any row you want by clicking in the grid. The Go To button is enabled whenever a row is selected. Clicking the Go To button displays the question on the selected row. You can also display a question by double-clicking that row.
FIGURE G.12 The Questions tab on the Item Review screen.

Columns
The Questions tab contains the following six columns of information:
• Seq. Indicates the sequence number of the question as it was displayed in the exam.
• Marked. Indicates a question that you have marked using the Mark Question check box.
• Question Number. Displays the question’s identification number for easy reference.
• Status. The status can be M for Marked, ? for Incomplete, C for Correct, I for Incorrect, or X for Answer Shown.
• Chapter Name. The chapter associated with each question.
• Type. The question type, which can be Multiple Choice, Drag and Drop, Simulation, Hot Spot, Ordered List, or Ordered Tree.
To resize a column, place the mouse pointer over the vertical line between column headings. When the mouse pointer changes to a set of right and left arrows, you can drag the column border to the left or right to make the column more or less wide. Simply click with the left mouse button and hold that button down while you move the column border in the desired direction.
The Item Review screen enables you to sort the questions on any of the column headings. Initially, the list of questions is sorted in descending order on the sequence number column. To sort on a different column heading, click that heading. You will see an arrow appear on the column heading indicating the direction of the sort (ascending or descending). To change the direction of the sort, click the column heading again.
The Item Review screen also allows you to create a custom grouping. This feature enables you to sort the questions based on any combination of criteria you prefer. For instance, you might want to review the question items sorted first by whether they were marked, then by the chapter name, then by sequence number. The Custom Grouping feature allows you to do this. Start by checking the Custom Grouping check box (see Figure G.13). When you do so, the entire questions table shifts down a bit onscreen, and a message appears at the top of the table that reads Drag a column header here to group by that column.
FIGURE G.13 The Custom Grouping check box allows you to create your own question sort order.
Simply click the column heading you want with the left mouse button, hold that button down, and move the mouse into the area directly above the questions table (the custom grouping area). Release the left mouse button to drop the column heading into the custom grouping area. To accomplish the custom grouping previously described, first check the Custom Grouping check box. Then drag the Marked column heading into the custom grouping area above the question table. Next, drag the Chapter Name column heading into the custom grouping area. You will see the two column headings joined together by a line that indicates the order of the custom grouping. Finally, drag the Seq column heading into the custom grouping area. This heading will be joined to the Chapter Name heading by another line indicating the direction of the custom grouping.
Notice that each column heading in the custom grouping area has an arrow indicating the direction in which items are sorted under that column heading. You can reverse the direction of the sort on an individual column-heading basis using these arrows. Click the column heading in the custom grouping area to change the direction of the sort for that column heading only. For example, using the custom grouping created previously, you can display the question list sorted first in descending order by whether the question was marked, in descending order by chapter name, and then in ascending order by sequence number. The custom grouping feature of the Item Review screen gives you enormous flexibility in how you choose to review the exam questions. To remove a custom grouping and return the Item Review display to its default setting (sorted in descending order by sequence number), simply uncheck the Custom Grouping check box.
The Current Score Tab The Current Score tab of the Item Review screen (see Figure G.14) provides a real-time snapshot of your score. The top half of the screen is an expandable grid. When the grid is collapsed, scores are displayed for each chapter. Chapters can be expanded to show percentage scores for objectives and subobjectives. Information about your exam progress is presented in the following columns: • Chapter Name. This column shows the chapter name for each objective group.
FIGURE G.14 The Current Score tab on the item review screen.
• Percentage. This column shows the percentage of questions for each objective group that you answered correctly. • Attempted. This column lists the number of questions you answered either completely or partially for each objective group. • Correct. This column lists the actual number of questions you answered correctly for each objective group. • Answer Shown. This column lists the number of questions for each objective group that you chose to display the answer to using the Show Answer button.
The columns in the scoring table are resized and sorted in the same way as those in the questions table on the Item Review Questions tab. Refer to the earlier section “The Item Review Questions Tab” for more details. A graphical overview of the score is presented below the grid. The graph depicts two red bars: The top bar represents your current exam score, and the bottom bar represents the required passing score. To the right of the bars in the graph is a legend that lists the required score and your score. Below the bar graph is a statement that describes the required passing score and your current score. In addition, the information can be presented on an overall basis or by exam chapter. The Overall tab shows the overall score. The By Chapter tab shows the score by chapter. Clicking the End Exam button terminates the exam and passes control to the Examination Score Report screen. The Return to Exam button returns to the exam at the question from which the Item Review button was clicked.
Review Incomplete The Item Review screen allows you to enter a browse sequence for incomplete questions. When you click the Review Incomplete button, the questions you did not answer or did not completely answer are displayed for your review. While browsing the incomplete questions, you will see the following changes to the buttons: • The caption of the Next button becomes Next Incomplete. • The caption of the Previous button becomes Previous Incomplete.
Review Marked Items The Item Review screen allows you to enter a browse sequence for marked questions. When you click the Review Marked button, questions that you have previously marked using the Mark Question check box are presented for your review. While browsing the marked questions, you will see the following changes to the buttons available: • The caption of the Next button becomes Next Marked. • The caption of the Previous button becomes Previous Marked.
Examination Score Report Screen The Examination Score Report screen (see Figure G.15) appears when the Study Mode, Practice Exam, or Adaptive Exam ends, as the result of timer expiration, completion of all questions, or your decision to terminate early.
FIGURE G.15 The Examination Score Report screen.
This screen provides you with a graphical display of your test score, along with a tabular breakdown of scores by chapter. The graphical display at the top of the screen compares your overall score with the score required to pass the exam. Buttons below the graphical display allow you to open the Show Me What I Missed browse sequence, print the screen, or return to the main menu.
Show Me What I Missed Browse Sequence The Show Me What I Missed browse sequence is invoked by clicking the Show Me What I Missed button from the Examination Score Report or from the configuration screen of an adaptive exam. Note that the window caption is modified to indicate that you are in the Show Me What I Missed browse sequence mode. Question IDs and position within the browse sequence appear at the top of the screen, in place of the Mark Question and Time Remaining indicators. Main window contents vary, depending on the question type. The following list describes the buttons available within the Show Me What I Missed browse sequence and the functions they perform: • Return to Score Report. Returns control to the Examination Score Report screen. In the case of an adaptive exam, this button’s caption is Exit, and control returns to the adaptive exam configuration screen. • Run Simulation. Opens a simulation in Grade mode, causing the simulation to open displaying your response and the correct answer. If the current question does not offer a simulation, this button is disabled. • Exhibits. Opens the Exhibits window. This button is enabled if one or more exhibits are available for the question.
• Instructions. Shows how to answer the current question type. • Print. Prints the current screen. • Previous or Next. Displays missed questions.
Checking the Web Site To check the New Riders Home Page or the ExamGear, Training Guide Edition Home Page for updates or other product information, choose the desired Web site from the Web Sites option of the Online menu. You must be connected to the Internet to reach these Web sites.
OBTAINING UPDATES The procedures for obtaining updates are outlined in this section.
The Catalog Web Site for Updates Selecting the Check for Product Updates option from the Online menu shows you the full range of products you can either download for free or purchase from your Web browser. You must be connected to the Internet to reach these Web sites.
Types of Updates Several types of updates may be available for download, including various free updates and additional items available for purchase.
Free Program Updates Free program updates include changes to the ExamGear, Training Guide Edition executables, and runtime libraries (DLLs). When any of these items are downloaded, ExamGear automatically installs the upgrades. ExamGear, Training Guide Edition will be reopened after the installation is complete.
Free Database Updates Free database updates include updates to the exam or exams that you have registered. Exam updates are contained in compressed, encrypted files and include exam databases, simulations, and exhibits. ExamGear, Training Guide Edition automatically decompresses these files to their proper location and updates the ExamGear software to record version changes and import new question sets.
CONTACTING NEW RIDERS PUBLISHING
At New Riders, we strive to meet and exceed the needs of our customers. We have developed ExamGear, Training Guide Edition to surpass the demands and expectations of network professionals seeking technical certifications, and we think it shows. What do you think?
If you need to contact New Riders regarding any aspect of the ExamGear, Training Guide Edition product line, feel free to do so. We look forward to hearing from you. Contact us at the following address or phone number:
New Riders Publishing 201 West 103 Street Indianapolis, IN 46290 800-545-5914
You can also reach us on the World Wide Web: http://www.newriders.com
Technical Support Technical support is available at the following phone number during the hours specified: Phone: 317-581-3833 Email: [email protected] Monday through Friday, 10:00 a.m.–3:00 p.m. Central Standard Time. You can visit the online support Web site at http://www.newriders.com/support and submit a support request over the Internet.
Customer Service If you have a damaged product and need a replacement or refund, please call the following phone number: 800-858-7674
Product Updates Product updates can be obtained by choosing ExamGear, Training Guide Edition’s Online pull-down menu and selecting Check For Products Updates. You’ll be taken to a Web site with full details.
Product Suggestions and Comments We value your input! Please email your suggestions and comments to the following address:
[email protected]
LICENSE AGREEMENT
SOFTWARE AND DOCUMENTATION
YOU SHOULD CAREFULLY READ THE FOLLOWING TERMS AND CONDITIONS BEFORE BREAKING THE SEAL ON THE PACKAGE. AMONG OTHER THINGS, THIS AGREEMENT LICENSES THE ENCLOSED SOFTWARE TO YOU AND CONTAINS WARRANTY AND LIABILITY DISCLAIMERS. BY BREAKING THE SEAL ON THE PACKAGE, YOU ARE ACCEPTING AND AGREEING TO THE TERMS AND CONDITIONS OF THIS AGREEMENT. IF YOU DO NOT AGREE TO THE TERMS OF THIS AGREEMENT, DO NOT BREAK THE SEAL. YOU SHOULD PROMPTLY RETURN THE PACKAGE UNOPENED.
LICENSE
Subject to the provisions contained herein, New Riders Publishing (NRP) hereby grants to you a nonexclusive, nontransferable license to use the object-code version of the computer software product (Software) contained in the package on a single computer of the type identified on the package.
NRP shall furnish the Software to you on media in machine-readable object-code form and may also provide the standard documentation (Documentation) containing instructions for operation and use of the Software.
LICENSE TERM AND CHARGES
The term of this license commences upon delivery of the Software to you and is perpetual unless earlier terminated upon default or as otherwise set forth herein.
TITLE
Title, ownership right, and intellectual property rights in and to the Software and Documentation shall remain in NRP and/or in suppliers to NRP of programs contained in the Software. The Software is provided for your own internal use under this license. This license does not include the right to sublicense and is personal to you and therefore may not be assigned (by operation of law or otherwise) or transferred without the prior written consent of NRP. You acknowledge that the Software in source code form remains a confidential trade secret of NRP and/or its suppliers and therefore you agree not to attempt to decipher or decompile, modify, disassemble, reverse engineer, or prepare derivative works of the Software or develop source code for the Software or knowingly allow others to do so. Further, you may not copy the Documentation or other written materials accompanying the Software.
UPDATES This license does not grant you any right, license, or interest in and to any improvements, modifications, enhancements, or updates to the Software and Documentation. Updates, if available, may be obtained by you at NRP’s then-current standard pricing, terms, and conditions.
LIMITED WARRANTY AND DISCLAIMER
NRP warrants that the media containing the Software, if provided by NRP, is free from defects in material and workmanship under normal use for a period of sixty (60) days from the date you purchased a license to it. THIS IS A LIMITED WARRANTY AND IT IS THE ONLY WARRANTY MADE BY NRP. THE SOFTWARE IS PROVIDED “AS IS” AND NRP SPECIFICALLY DISCLAIMS ALL WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. FURTHER, COMPANY DOES NOT WARRANT, GUARANTEE, OR MAKE ANY REPRESENTATIONS REGARDING THE USE, OR THE RESULTS OF THE USE, OF THE SOFTWARE IN TERMS OR CORRECTNESS, ACCURACY, RELIABILITY, CURRENTNESS, OR OTHERWISE AND DOES NOT WARRANT THAT THE OPERATION OF ANY SOFTWARE WILL BE UNINTERRUPTED OR ERROR FREE. NRP EXPRESSLY DISCLAIMS ANY WARRANTIES NOT STATED HEREIN. NO ORAL OR WRITTEN INFORMATION OR ADVICE GIVEN BY NRP, OR ANY NRP DEALER, AGENT, EMPLOYEE, OR OTHERS SHALL CREATE, MODIFY, OR EXTEND A WARRANTY OR IN ANY WAY INCREASE THE SCOPE OF THE FOREGOING WARRANTY, AND NEITHER SUBLICENSEE OR PURCHASER MAY RELY ON ANY SUCH INFORMATION OR ADVICE. If the media is subjected to accident, abuse, or improper use, or if you violate the terms of this Agreement, then this warranty shall immediately be terminated. This warranty shall not apply if the Software is used on or in conjunction with hardware or programs other than the unmodified version of hardware and programs with which the Software was designed to be used as described in the Documentation.
LIMITATION OF LIABILITY
Your sole and exclusive remedies for any damage or loss in any way connected with the Software are set forth below. UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY, TORT, CONTRACT, OR OTHERWISE, SHALL NRP BE LIABLE TO YOU OR ANY OTHER PERSON FOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY CHARACTER INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF GOODWILL, LOSS OF PROFIT, WORK STOPPAGE, COMPUTER FAILURE OR MALFUNCTION, OR ANY AND ALL OTHER COMMERCIAL DAMAGES OR LOSSES, OR FOR ANY OTHER DAMAGES EVEN IF NRP SHALL HAVE BEEN INFORMED OF THE POSSIBILITY OF SUCH DAMAGES, OR FOR ANY CLAIM BY ANOTHER PARTY. NRP’S THIRD-PARTY PROGRAM SUPPLIERS MAKE NO WARRANTY, AND HAVE NO LIABILITY WHATSOEVER, TO YOU. NRP’s sole and exclusive obligation and liability and your exclusive remedy shall be: upon NRP’s election, (i) the replacement of our defective media; or (ii) the repair or correction of your defective media if NRP is able, so that it will conform to the above warranty; or (iii) if NRP is unable to replace or repair, you may terminate this license by returning the Software. Only if you inform NRP of your problem during the applicable warranty period will NRP be obligated to honor this warranty. SOME STATES OR JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES OR LIMITATION OR EXCLUSION OF CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATIONS OR EXCLUSIONS MAY NOT APPLY TO YOU. THIS WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS AND YOU MAY ALSO HAVE OTHER RIGHTS, WHICH VARY BY STATE OR JURISDICTION.
MISCELLANEOUS If any provision of the Agreement is held to be ineffective, unenforceable, or illegal under certain circumstances for any reason, such decision shall not affect the validity or enforceability (i) of such provision under other circumstances or (ii) of the remaining provisions hereof under all circumstances, and such provision shall be reformed to and only to the extent necessary to make it effective, enforceable, and legal under such circumstances. All headings are solely for convenience and shall not be considered in interpreting this Agreement. This Agreement shall be governed by and construed under New York law as such law applies to agreements between New York residents entered into and to be performed entirely within New York, except as required by U.S. Government rules and regulations to be governed by Federal law. YOU ACKNOWLEDGE THAT YOU HAVE READ THIS AGREEMENT, UNDERSTAND IT, AND AGREE TO BE BOUND BY ITS TERMS AND CONDITIONS. YOU FURTHER AGREE THAT IT IS THE COMPLETE AND EXCLUSIVE STATEMENT OF THE AGREEMENT BETWEEN US THAT SUPERSEDES ANY PROPOSAL OR PRIOR AGREEMENT, ORAL OR WRITTEN, AND ANY OTHER COMMUNICATIONS BETWEEN US RELATING TO THE SUBJECT MATTER OF THIS AGREEMENT.
U.S. GOVERNMENT RESTRICTED RIGHTS Use, duplication, or disclosure by the Government is subject to restrictions set forth in subparagraphs (a) through (d) of the Commercial Computer-Restricted Rights clause at FAR 52.227-19 when applicable, or in subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013, and in similar clauses in the NASA FAR Supplement.
Index A access firewalls, troubleshooting, 330-331 policies configuring, 370-371 Enterprise, 369-371 functional framework, 364-367 permissions, 368 settings, 142-143 problems, troubleshooting, 372-375 Active Directory integration, 50-51 ISA Server, installation, 83-85 Active Sessions (firewall) counter, 465 Active TCP Sessions (firewall) counter, 465 active-study strategies, 498 Adaptive Exam mode (ExamGear, Training Guide Edition software), 628-631, 636 assumptions made for scoring, 636 compared to Study Mode, 634-635 starting, 635 adaptive exams, 635 reasons for using, 635 studying for, 635 Add Destination Wizard, 224 administration H.323 Gatekeeper, 222-223 remote administration, 253-254 alerts configuring, 433-434 automating, 435 network usage, monitoring, 423-435 outbound Internet access, 146
security, monitoring, 423-435 status, monitoring, 435 all ports scan attacks, 18 allocating memory, caches, 79 analyzing ISA Server, reports, 451-458 performance logging, 468-469 reporting, 468-469 and/or array policies, 16 application extensions, configuring, 318 application filters, 33, 431, 482 configuring, 318 application usage reports, 37, 456-457, 485 application-level filtering, 17 architecture core services, 12 ISA Server, 12-14 array level configuration, policies, 35-36 arrays backing up, 347-348 configuring, 339-350 scalability, 350-355 considerations, 49 creating, 343-345 distributed arrays, 340 Enterprise ISA Server, 488 enterprise policies, scope, 340-341 hierarchical arrays, 340 installing, 343 additional servers in, 92-94 troubleshooting, 95 managing, 339-350 migration, 118-119
INDEX
modes, 345 NLB (Network Load Balancing), 352-355 policies, 341 attachments, rejecting, 197 attack signatures, selecting, 431 attacks all ports scan attacks, 18 common, detecting, 429 enumerated port scan attacks, 18 IP half scan attacks, 18 land attacks, 18 Ping of death attacks, 18 UDP bomb attacks, 18 Windows out-of-band attacks, 18 authentication, 485-486 chained authentication, 391, 487 client computers, infrastructure changes, 391-392 clients, 390 outbound Internet access, 158 remote access authentication, 486 rules, firewalls, 322-327 troubleshooting, 413-414 authentication methods configuring, Web publishing, 189-190 outgoing Web request properties, 148 autodetection, troubleshooting, 412-413 autodiscovery port, 403 automating alert configuration, 435
B-C backups arrays, 347-348 Proxy 2.0 Server configurations, 114-115 bandwidth policies, configuring, 370-371 bandwidth priorities, 32 bandwidth rules, 33, 36-37 outbound Internet rules, 164-165
built-in intrusion detection, 18 button options (ExamGear, Training Guide Edition software), 641-642 Cache Array Routing Protocol (CARP). See CARP cache disk requirements, estimating, 479 caches adjustments, 469, 485 configuring, 77, 89-90 forward caching, requirements, 77 memory allocation, 79 minimum system requirements, 54 outbound Internet access, 145 placement, 78 sizes, calculating, 78 caching CARP, 23-24 configuring, frequently used objects, 19-27 distributed caching, 23-24 forward caching, 21-22 hierarchical caching, 24-27, 60 outbound Internet access, configuring, 161-163 RAM, controlling, 469-470 reverse caching, 20-21 scheduling, 22-23 caching mode, 11, 14, 483 calculating cache sizes, 78 call routing rules, H.323 Gatekeeper, configuring, 223-228 CARP (Cache Array Routing Protocol), 23-24, 337, 351 configuring, 163 enabling, Web publishing, 188 Enterprise ISA Server, 489 scalability, 350-351 centralized management, 28-30, 32-37 certificates, 189 configuring, 289-292 requesting, standalone CA, 292-295 verifying, 296
certification process, 619 requirements, 620 for MCDBA, 620-621 for MCP, 620 for MCSD, 622-624 for MCSE, 621-622 for MCT, 624 scheduling exams, 619 types of certification, 619-620 chained authentication, 391, 487 chaining (hierarchical caching), 24-27 circuit-level filtering, 17 client address sets, 32 clients, 15, 489-490 access, troubleshooting, 169-172 authentication, 390 infrastructure changes, 391-392 configuration scripts, 406 configuring, 407-411 firewall clients, 409-411 SecureNAT, 407 Web proxy clients, 408 deploying complexity, 390-393 cost, 390-393 current infrastructure issues, 385-390 firewall clients, 15, 386-388 installing, 56-57, 407-411 firewall clients, 409-411 troubleshooting, 412 knowledge requirements, 391 multiple clients, single computer, 389, 411 needs, assessing, 392-393 network infrastructure, evaluating, 393 Proxy 2.0 clients, migrating, 389 requirements, 391 SecureNAT clients, 15-16, 386 settings, configuring, 404-406 support, configuring, 401-406
troubleshooting, 411 authentication, 413-414 types, 386 Web proxy clients, 15, 386-387 common attacks, detecting, 429 common-sense strategies, 499 complexity, client computers, 390-393 CompTIA, fixed-form exams, 499-500 configuration, 89-90 Access policies, 142-143 alerts, automating, 435 application filters, 318 arrays, 339-350 scalability, 350-355 caches, 77 frequently used objects, 19-27 CARP (Cache Array Routing Protocol), 163 clients, 407-411 firewall clients, 409-411 SecureNAT, 407 support, 401-406 Web proxy clients, 408 dial-up connections, 239 Enterprise Root CAs, 291 firewalls, system hardening, 321-327 H.323 Gatekeeper, 218-221 call routing rules, 223-228 high-performance Web caching servers, 19-27 ISA Servers, 57 client support, 401-406 installing, 74-78 VPN endpoints, 275-289 L2TP over IPSec VPN Tunnel, 292 LAT, 89, 142, 329 logging, 37, 424-428 Microsoft certificate services, 289-292 Microsoft Proxy Server 2.0 configuration backup, 531-538 network connections, 239
outbound Internet access caching, 161-163 content rules, 153-154 protocol rules, 154-157 routing rules, 167 server chains, 168 site rules, 153-154 outgoing Web request properties, 147-148 packet filters, rules, 312-317 performance monitoring, 461-462 permissions, 140-141 policies, 346-347 access policies, 370-371 Array level, 35-36 bandwidth policies, 370-371 Enterprise level, 35-36 policy-based rules, 31-36 preinstallation network configuration, 58-63 reporting, 37 Root CAs, 290-291 scripts, clients, 406 security alerts, 433-435 intrusion detection, 429-433 server proxy, 193-197 content filtering, 195-197 DNS, 194 mail proxy, 194 server publishing, 197-200 TCP/IP network cards, 61 VPNs as VPN endpoints, 269-274 for pass-throughs, 274-275 Web publishing, 184-193 authentication methods, 189-190 destination sets, 186 listeners, 186-187 rules, 187-188 server certificates, 189-190
connections detecting, Netstat, 438-440 dial-on-demand connections Routing and Remote Access Service, 249-252 troubleshooting, 238-242 dial-up connections configuring, 239 limiting, 243 managing, 243 troubleshooting, 243, 245 establishing, 63 network connections, configuring, 239 outgoing Web request properties, 147 connectivity Internet, verification, 62 minimum system requirement, 62 testing, 62 verification, 58 content filtering, server proxy, 195-197 content groups, 32 content rules, outbound Internet access, configuring, 153-154 conversion, NTFS, 78 core services, 12 cost, client computers, 390-393 counters adding, 463 monitoring, 467 analysis, 461 CPUs (central processing units), minimum system requirements, 54 Current Score tab (Item Review screen), ExamGear, Training Guide Edition software, 645-646 custom HTML error messages, outbound Internet access, 158-160
D
daily summaries, reports, 452 data pumping, H.323 Gatekeeper, enabling, 222 Data Source Names, creating, 427 databases, ExamGear, Training Guide Edition software, 629 Dedicated security level, 19 default packet filters, 313 default rules, 483 design, networks, considerations, 47-57 destination sets, 32 Web publishing, configuring, 186 detection, connections, Netstat, 438-440 DHCP Client rule (packet filters), 313, 484 DHCP settings, adding, 402-403 dial-on-demand connections Routing and Remote Access Service, 249-252 troubleshooting, 238-242 dial-up connections configuring, 239 limiting, 243 managing, 243 troubleshooting, 243-245 dial-up entries creating, 240 enabling firewall chaining configuration, 242 dial-up routing rules, creating, 240-241 disabling logs, 424 distributed arrays, 340 distributed caching, 23-24 perimeter arrays, 59 DNS (domain name system), 194 configuring, H.323 Gatekeeper, 220-221 DNS filter rule (packet filters), 313, 484 DNS settings, adding, 402-403 Drag and Drop questions (ExamGear, Training Guide Edition software), 637-638 Drop and Connect questions (ExamGear, Training Guide Edition software), 637-638
E
editions, ISA Server, 483 elements, policies, 484 email address rules, H.323 Gatekeeper, configuring, 225-226 enabling CARP (Cache Array Routing Protocol), Web publishing, 188 dial-up entries, firewall chaining configuration, 242 H.323 Gatekeeper, 218-220 logs, 424 encryption, certificates, 189 Enterprise ISA Server, 29-30, 487-489 Access policies, 369-371 arrays, 488 CARP algorithm, 489 installing, 82, 84-89 network load balancing, 489 policies, 488 assigning, 345 creating, 345 scope, 340-341 promotion, 488 Enterprise level configuration, policies, 35-36 Enterprise Root CAs, installing and configuring, 291 enumerated port scan attacks, 18 error messages Proxy 2.0 Server, 114 Windows 2000 install error message, 114 exam sessions, 501 ExamGear, Training Guide Edition software, 627 Adaptive Exam mode, 636 assumptions made for scoring, 636 starting, 635 button options, 641-642 checking Home Page, 647 databases, 629 exam simulation, 627 Examination Score Report screen, 646-647
general overview, 631 installing, 629-630 interface, 628-629 menu options, 632 Item Review screen, 643-646 Practice Exam mode, starting, 635 question types, 636 drag and drop, 637-638 hot spot, 641 multiple choice, 637 ordered list, 639 ordered tree, 640 simulations, 640-641 registering, 630 Study Mode session compared to Practice Exam mode and Adaptive Exam mode, 634-635 starting, 632-634 study tools provided, 627-628 system requirements, 629 time management options, 642-643 uninstalling, 630-631 updates, 647-648 Examination Score Report screen (ExamGear, Training Guide Edition software), 646-647 exams adaptive exams defined, 635 reasons for using, 635 studying for, 635 certification process, 619 requirements, 620-624 types of certification, 619-620 fixed-form exams, 499-500 number of questions, 500 practicing. See ExamGear, Training Guide Edition software, 627 scheduling, 619
study tips, 498, 500-501 active-study strategies, 498 common-sense strategies, 499 learning as a process, 497 macro and micro strategies, 498 pretesting yourself, 499 preparation, 500 sessions, 501 time limit, 500
F failed installation, troubleshooting, 95-96 fast kernel mode, H.323 Gatekeeper, enabling, 222 fields, logs, 424 File Transfer Protocol (FTP) access filters, 33, 318-319, 482 filters application filters, 482 configuring, 318 FTP access filters, 318-319 H.323 protocol filters, 33, 482 HyperText Transfer Protocol (HTTP) redirector filters, 33, 319-320, 482 intrusion detection filters, 33, 482 packet filters, 143, 312, 482 rules, 312-317 Remote Procedure Call (RPC) filters, 33, 482 RPC filters, 320 Simple Mail Transfer Protocol (SMTP) filters, 482 SOCKS filters, 34, 321, 482 Streaming media filter, 34, 482 firewall chaining configuration, dial-up entries, enabling, 242 firewall clients, 15, 386, 388 configuring, 409-411 firewall mode, 11, 14, 480 Firewall service, 12
firewalls access, troubleshooting, 330-331 application-level filtering, 17 authentication rules, 322-327 built-in intrusion detection, 18 circuit-level filtering, 17 configuring, system hardening, 321-327 LAT (Local Address Table), constructing and modifying, 75 packet filtering, 17 perimeter networks, considerations, 328-330 placement, 59 stateful inspection, 18 system-hardening templates, 19 VPNs (Virtual Private Networks), 19 fixed-form exams, 499-500 forward caching, 21-22 requirements, 77, 479 FTP access filters, 33, 318-319
G Gatekeepers, 211 Gateway to Gateway VPNs, 494-495 gateways, H.323 Gateway, compared, 211 generations, reports, summaries, 452 groups, 32
H H.323 Gatekeeper Services, 208-217, 493 adding, 221 adding to ISA Server, 217-223 administration, 222-223 configuring, 218-220 call routing rules, 223-228 DNS, 220-221 data pumping, enabling, 222 enabling, 218-220
fast kernel mode, enabling, 222 gateways, compared, 211 limitations, 216-217 protocol, 209-210 protocol filters, 212 registration admission and status, 213-214 registration database, 212-213 registration process, 214-215 rule processing, 215-216 scenarios, 227-228 services, 212 T-120, 210 H.323 protocol filters, 33, 482 hard disk spaces, minimum system requirements, 53 hard disk volumes, minimum system requirements, 54 hard disks, minimum system requirements, 55 hardware choosing, 53 minimum system requirements, 53-54 hierarchical arrays, 340 hierarchical caching, 24-27, 60 high-performance Web caching servers, configuring, 19-27 hosting services, 27-28 hot spot questions (ExamGear, Training Guide Edition software), 641 hotfix rollups, release, 57 HTML error messages, outbound Internet access, 158-160 HTTP Redirector Filters, 33, 319-320, 482 HTTP requests, redirecting, Web publishing, 190-193
I I.E., 53 IANA (Internet Assigned Numbers Authority), 75, 432 ICMP (Internet Control Message Protocol), 143 ICMP outbound rule (packet filters), 313, 483
ICMP ping response (in) rule (packet filters), 313, 483 ICMP source quench rule (packet filters), 313, 483 ICMP timeout (in) rule (packet filters), 313, 484 ICMP unreachable rule (packet filters), 313, 484 ICS, interoperability, 487 IIS server, interoperability, 487 implementation plans, creating, 371 Identd simulation service, 49 infrastructure, client computers considerations, 385-390 evaluating, 393 installation arrays, 343 clients, 56-57, 407-411 firewall clients, 409-411 troubleshooting, 412 Enterprise Root CAs, 291 ExamGear, Training Guide Edition software, 629-630 ISA Server, 57, 74-79 Active Directory schema, 83-85 additional, 92-94 defaults, 80 Enterprise version, 82-89 post-installation default settings, 136-146 preinstallation network configuration, 58-63 Standard version, 80-82 troubleshooting, 94-98 unattended setup, 90-92 uninstalling, 98-99 verifying, 96-97 minimum system requirements, 478-479 modes, 30-31, 477-478 post-installation process, 479-480 preinstallation process, 478 Root CAs, 290-291 software options, 48-49 installation modes, 14 installation switches, 92
instances, 462 Integrated mode, 14 integration, Active Directory, 50-51 interfaces, 16 ExamGear, Training Guide Edition software, 628-629 menu options, 632 network interfaces, preconfiguring, 58-63 Internet, connectivity, verifying, 62 Internet Assigned Numbers Authority (IANA), 75, 432 Internet Connection Sharing (ICS), interoperability, 487 Internet Control Message Protocol (ICMP), 143 Internet Security and Acceleration (ISA) Server. See ISA Server interoperability, 487 ICS (Internet Connection Sharing), 487 IIS server, 487 IPSec, 487 ISA Server arrays in a Windows NT 4.0 domain, 487 requirements, 51-53 RRAS, 487 SNMP, 487 Terminal services, 487 Windows NT 4.0 domains, 487 intrusion detection, 13, 481 configuring, 429, 431-433 filters, 33, 482 IP address rules, H.323 Gatekeeper, configuring, 226-228 IP half scan attacks, 18 IP routing, packet filters, 312 IPSec, interoperability, 487 ISA (Internet Security and Acceleration) Server, 11 3-homed ISA Server, 495 analyzing reports, 451-458 architecture, 12-14
arrays in a Windows NT 4.0 domain, interoperability, 487 configuring, 57 as VPN endpoints, 275-289 client support, 401-406 server proxy, 193-197 server publishing, 197-200 editions, 483 Enterprise ISA Server, 487-489 Enterprise version, 29-30 installing, 57, 74-79 Active Directory schema, 83-85 additional, 92-94 defaults, 80 Enterprise version, 82, 84-89 modes, 30-31 post-installation default settings, 136-138, 140-146 preinstallation network configuration, 58-63 Standard version, 80-82 unattended setup, 90-92 verifying, 96-97 interfaces, 16 object permissions, 137-141 optimizing, Performance Monitor, 464-466 outbound Internet access, rules and tools, 146-160 performance, optimizing, 459-464, 468-470 Routing and Remote Access Service, compared, 245-248 server chains, configuring, 168 setup logs, Proxy 2.0 server migration, 539-597 Standard version, 29-30 troubleshooting, 94-98 uninstalling, 98-99 upgrade logs, Proxy 2.0 server migration, 599-609 Web publishing, configuring, 184-193 ISA VPN Wizard, 276-283 Item Review screen (ExamGear, Training Guide Edition software), 643-646
K–L knowledge requirements, client computers, 391 L2TP over IPSec VPN Tunnel, configuring, 292, 297 land attacks, 18, 430 LAT (Local Address Table) files configuring, 89, 142, 329 constructing and modifying, 75 customizing, 410 outbound Internet access, 166 learning as a process, 497 Limited Services security level, 19 listeners configuring, 352 outgoing Web request properties, 147 Web publishing, configuring, 186-187 load factors, configuring, 352 local domain tables, outbound Internet access, 166 logging network usage, monitoring, 423-435 ODBC databases, 425-426 packets, allowing, 424 performance, analyzing, 468-469 scheduling, 463 security, monitoring, 423-435 logs, 485 configurable areas, 424 configuring, 37, 424-428 disabling, 424 enabling, 424 fields, 424 options, 424 storage formats, 424
M macro study strategies, 498 mail proxy, 194 Mail Server Security Wizard, 194 mail servers, 194-196 management, restricting, 341 MCDBA (Microsoft Certified Database Administrator), 619-621 MCP (Microsoft Certified Professional), 619-620 MCP+Internet certification, 620 MCP+Site Building certification, 620 MCSD (Microsoft Certified Solution Developer), 619-624 MCSE (Microsoft Certified Systems Engineer), 619-622 MCSE+Internet certification, 620 MCT (Microsoft Certified Trainer), 619, 624 MCUs (Multipoint Control Units), 211 memory, allocating, caches, 79 menu options, ExamGear, Training Guide Edition software, 632 meta-learning, 499 micro study strategies, 498 microprocessors, minimum system requirements, 54 Microsoft certificate services, configuring, 289-292 Microsoft Proxy 2.0 clients, migrating, 389 Microsoft Proxy 2.0 Servers array memberships, migration, 121 configuration, backing up, 114-115, 531-538 migration, 112-124, 490-491 configurations, 121 ISA setup log, 539-597 ISA upgrade log, 599-609 predetermined migration effects, 120 services, stopping and disabling, 115-116 upgrading, 111-112 migrating, 112-124
Microsoft Training and Certification Web site, 620 migration arrays, 118-119 Microsoft Proxy Server 2.0, 112-124 array memberships, 121 configuration ISA setup log, 539-597 ISA upgrade log, 599-609 backing up, 114-115 predetermined effects, 120 stopping and disabling services, 115-116 variables, 113 minimum system requirements caches, 54 client computers, 391 connectivity, 62 hard disks, 55 hardware, VPNs, 56 installation, 478-479 modems, 54 network cards, 55 publishing, 54 remote administration, 56 modems, minimum system requirements, 54 modes arrays, 345 caching, 11, 14 considerations, 49 firewall, 11, 14 installation, 30-31, 477-478 installation modes, 14 Integrated, 14 monitoring alerts, status, 435 counters, 467 network usage alerting, 423-435 logging, 423-435 objects, 467 security, 423-435
monthly summaries, reports, 452 MSISAund.ini file, 91 multihomed systems, monitoring, Network Monitor, 441 multiple choice questions (ExamGear, Training Guide Edition software), 637 multiple clients, single computer, 411 Multipoint Control Unit (MCU), 211
N name resolution, verifying, 63 NAT clients, SecureNAT clients, compared, 386 Netstat connections, detecting, 438-440 network adapters, minimum system requirements, 54 network connectivity, verification, 58 network cards, minimum system requirements, 55 network connections, configuring, 239 network interfaces, preconfiguring, 58-63 network load balancing, Enterprise ISA Server, 489 Network Load Balancing (NLB). See NLB Network Monitor ports, testing, 440-442 network usage monitoring, 423-435 troubleshooting, 436-442 networks design, 47-57 planning, 47-57 size, 48 New Filter wizard, 314 NIC cards, IPSec, offloading, 56 NLB (Network Load Balancing), 339, 352-355 NTFS (NT File System), conversion, 78
O object permissions, 137-141 objectives access controls, configuring, 361 access problems, troubleshooting, 361-362
arrays, managing, 337 bandwidth policies, configuring, 361 client computers, deploying, 383 configure and troubleshoot outbound Internet access, 133-135 configuring firewalls, 309 client computer for SecureNAT, 399 client computer’s Web browser to use ISA Server as HTTP proxy, 399 ISA Server hosting roles, 181 dial-on-demand connection troubleshooting, 235 dial-up connection access troubleshooting, 235 H.323 Gatekeeper, configuring for audio and video conferencing, 205 ISA Server analyzing, 449 installing, 71 versions, 71-72 Microsoft Proxy 2.0 Server, upgrading, 109 policy elements, creating, 362 preconfiguring network interfaces, 45 remote access troubleshooting, 235 routing access troubleshooting, 235 setup problems, troubleshooting, 72 troubleshooting autodetection, 399 security and network usage, 421 VPNs (Virtual Private Networks) configuring, 265-266 endpoint configuration, 266 pass-throughs, 266 objects caching frequently used objects, 19-27 monitoring, 467 performance, analysis, 461 ODBC databases, logging to, 425-426 optimization ISA Server, Performance Monitor, 459-470
options, software, installing, 48-49 ordered-list questions (ExamGear, Training Guide Edition software), 639 ordered-tree questions (ExamGear, Training Guide Edition software), 640 outbound Internet access alerts, 146 authentication, 158 caching, 145 configuring, 161-163 client access problems, troubleshooting, 169-172 client addresses, configuring, 152 custom HTML error messages, 158-160 destination address sets, configuring, 153 hierarchical access, configuring, 161 LAT, 166 local domain tables, 166 outgoing Web request properties, configuring, 147-148 packet filters, 143 policy elements, creating, 149-151 post-installation default settings, 136-138, 140-146 publishing, 145-146 routing, 144-145 rules, 146-160 bandwidth rules, 164-165 content, 153-154 evaluation, 149 protocol rules, 154-157 routing rules, 167 sites, 153-154 server chains, 168 single system configuration, 160 tools, 146-160 Outgoing Web request properties, 403 authentication methods, 148 configuring, 147-148 connections, 147 listeners, 147
P packet filters, 17, 143, 312, 482 default packet filters, 313 IP routing, 312 logging, allowing, 424 properties, configuring/enabling, 316-317 rules, configuring, 312, 314-317 packet-based access problems, troubleshooting, 373-375 pass-throughs, VPNs, configuring for, 274-275 performance analyzing logging, 468-469 reporting, 468-469 reports, 451-458 optimizing, 459-464, 468-470 performance counters, 465-466 Performance Monitor ISA Server, optimizing, 464-466 performance analysis, 460-461 performance monitoring, configuring, 461-462 perimeter arrays, distributed caching, 59 perimeter networks firewalls, considerations, 328-330 publishing, 330 permissions access policies, 368 configuring, 140-141 default security group file permissions, 460 object permissions, 137-141 Read permissions, limiting, 138 Service permissions, 141 phone number rules, H.323 Gatekeeper, configuring, 224-225 ping of death attacks, 18, 430 planning networks, 47-49, 51, 53-57
policies access policies configuring, 370-371 Enterprise, 369-371 functional framework, 364-367 permissions, 368 and/or array policies, 16 arrays, 341 bandwidth policies, configuring, 370-371 configuring, 346-347 Array level, 35-36 Enterprise level, 35-36 creating, 483 destination sets, 32 elements, 484 creating, 369-370 outbound Internet access, creating, 149-151 Enterprise ISA Server, 488 enterprise policies, scope, 340-341 modifying, 347 policy elements, creating, 369-370 policy-based rules, 31-36 ports autodiscovery port, 403 Outgoing Web request port, 403 testing, 440-442 well-known, 432 post-installation default settings, 136-146 post-installation process, 479-480 Practice Exam mode (ExamGear, Training Guide Edition software), 628-631 compared to Study Mode, 634-635 starting, 635 preinstallation network configuration, 58-63 preinstallation process, 478 pretesting yourself (study tips), 499 preparations for exam, 500 learning as a process, 497 study tips, 498, 500-501 active-study strategies, 498 common-sense strategies, 499
macro and micro strategies, 498 pretesting yourself, 499 processing rules, 372-373 processors, minimum system requirements, 54 promoting Enterprise ISA Server, 488 standalone servers, 348-349 properties configuring, 403 packet filters, configuring/enabling, 316-317 protocol definitions, 32 protocol filters, H.323 Gatekeeper, 212 protocol rules, 32-33 outbound Internet access, configuring, 154-157 protocols H.323, 209-210 Mapping, selecting, 198 Proxy DenySitesSet, 123 Proxy DomainFilter, 123 proxy packet filters, 122 Proxy Server. See Microsoft Proxy 2.0 Server PSTN (Public Service Telephone Networks), 209 publishing, 492 outbound Internet access, 145-146 perimeter network servers, 330 requirements, 54, 479 SSL bridging, 492 Web publishing, 492 publishing servers. See server publishing
Q-R question types (ExamGear, Training Guide Edition software), 636 drag and drop, 637-638 hot spot, 641 multiple choice, 637 ordered list, 639 ordered tree, 640 simulations, 640-641
Questions tab (Item Review screen), ExamGear, Training Guide Edition software, 643-645 RAM (random access memory) controlling caching, 469-470 minimum system requirements, 53 Read permissions, limiting, 138 Real-Time Control Protocol (RTCP), 209 Real-Time Protocol (RTP), 209 registering ExamGear, Training Guide Edition software, 630 registration admission and status, H.323 Gatekeeper, 213-214 registration database, H.323 Gatekeeper, 212-213 registration process, H.323 Gatekeeper, 214-215 Registry, performance optimization, 459-460 relays, preventing, 196 remote access authentication, 486 remote administration, 56, 253-254 remote clients, Routing and Remote Access Service, connecting, 246 Remote Procedure Call (RPC) filters, 33, 482 removing. See deleting, uninstalling reports, 485 application usage reports, 37, 456-457, 485 configuring, 37 dates, 453 ISA Server, analysis, 451-458 performance, analyzing, 468-469 reports within reports, 453-454 security reports, 37, 458, 485 summaries, generation, 452 Summary reports, 37, 455, 485 traffic and utilization reports, 37, 457-458, 485 Web usage reports, 37, 455-456, 485 requirements ExamGear, Training Guide Edition software, 629 for certification, 620 MCDBA, 620-621 MCP, 620 MCSD, 622-624
MCSE, 621-622 MCT, 624 restricting management, 341 retired certifications, 620 reverse caching, 20-21 Root CAs, installing and configuring, 290-291 routing, 494 modifying, 401-402 outbound Internet access, 144-145 Routing and Remote Access Service, 246 Routing and Remote Access Service dial-on-demand connections, 249-252 interoperability, 487 ISA Server, compared, 245-248 remote clients, connecting, 246 routing, 246 static routes, 247-248 troubleshooting, 250-252 routing rules, outbound Internet access, configuring, 167 RPC filters, 33, 320 RRAS. See Routing and Remote Access Service RTCP (Real-Time Control Protocol), 209 RTP (Real-Time Protocol), 209 rule processing, H.323 Gatekeeper, 215-216 rules application filters, 33 bandwidth rules, 33, 36-37 call routing rules, H.323 Gatekeeper, 223-228 default, 483 dial-up routing rules, creating, 240-241 outbound Internet access, 146-160 bandwidth rules, 164-165 evaluation, 149 routing rules, 167 packet filters, configuring, 312-317 processing order, 372-373 protocol rules, 33 rule processing, H.323 Gatekeeper, 215-216 server publishing, creating, 197
site and content rules, 33 Web publishing, configuring, 187-188
S scalability arrays, configuring, 350-355 CARP, 350-351 scheduling, 32 caching, 22-23 exams, 619 logging, 463 Internet access, creating, 151 Secure (security level), 19 SecureNAT (secure network address translation) clients, 15-16, 386 configuring, 407 NAT client, compared, 386 PPTP filters, 275 security alerts, 433-435 authentication, 485-486 firewalls, system hardening, 321-327 group file permissions, 460 intrusion detection, configuring, 429-433 levels, 19 logs, 485 configuring, 424-428 monitoring alerting, 423-435 logging, 423-435 reports, 37, 458, 485 troubleshooting, 436-442 Security Configuration Wizard, 19 Select and Place questions (ExamGear, Training Guide Edition software), 638 server address mapping, identifying, 198 server certificates, 189-190 server chains, configuring, 168 server placement, 58
server proxy, configuring for, 193-197 content filtering, 195-197 DNS, 194 mail proxy, 194 server publishing configuring for, 197-200 perimeter networks, 199 Service permissions, 141 Services, H.323 Gatekeeper, 212 setup logs, reviewing, migration, 117-118 Shields Up utility, 441 simulation questions (ExamGear, Training Guide Edition software), 640-641 site and content rules, 32-33 site placement, 58 site rules, outbound Internet access, configuring, 153-154 SMTP (Simple Mail Transfer Protocol) filters, 34, 195-197, 482 SMTP buffer overrun attacks, 195 SOCKS filters, 34, 321, 482 software installing, options, 48-49 users, needs, 48 SSL bridging, 492 SSL requests, redirecting, Web publishing, 190-193 standalone CA, certificates, requesting, 292-295 standalone servers, promoting, 348-349 Standard ISA Server, 29-30 installing, 80-82 stateful inspection, 18 static routes, Routing and Remote Access Service, 247-248 status, alerts, monitoring, 435 storage formats, logs, 424 streaming media filters, 34, 482 Study Mode (ExamGear, Training Guide Edition software), 628, 631 compared to Practice Exam mode and Adaptive Exam mode, 634-635 starting, 632-634
study tips, 498, 500-501 active-study strategies, 498 common-sense strategies, 499 exams, preparation, 500-501 learning as a process, 497 macro and micro strategies, 498 pretesting yourself, 499 study tools, ExamGear, Training Guide Edition software, 627-628 summaries, reports, generation, 452 Summary reports, 37, 455, 485 system hardening, firewalls, configuring, 321-327 system requirements See also, minimum system requirements ExamGear, Training Guide Edition software, 629 hardware, 53-54 interoperability, 51-53 system-hardening templates, 19
T T-120, H.323 Gatekeeper, 210 TCP/IP network cards, configuring, 61 telnet ports, testing, 440-442 Terminal services, interoperability, 487 testing connectivity, 62 ports, 440-442 tools, 495 VPNs, 272-274 time limit on exams, 500 time management options (ExamGear, Training Guide Edition software), 642-643 tools outbound Internet access, 146-160 testing, 495 traffic and utilization reports, 37, 457-458, 485 trainers. See MCT
troubleshooting access problems, 372-375 authentication, 413-414 autodetection, 412-413 clients, 411-412 dial-on-demand connections, 238-242 dial-up connections, 243, 245 firewalls, access, 330-331 ISA Server installation, 94-98 network usage, 436-442 outbound Internet access, 169-172 Routing and Remote Access Service, 250-252 security, 436-442
U UDP bomb attacks, 18, 430 unattended setup, ISA Server installation, 90-92 Uninstall program, running, 95 uninstalling ExamGear, Training Guide Edition software, 630-631 ISA Server, 98-99 updates, ExamGear, Training Guide Edition software, 647-648 upgrading, Microsoft Proxy 2.0 Servers, 111-124 upstream servers, 239 user-based access problems, troubleshooting, 373-375 users, 32 needs, 48 rejecting, 197
V verification certificates, 296 ISA Server installation, 96-97 VPN Allow Wizard, 270-272
VPNs (Virtual Private Networks), 19, 269, 494 configuring as VPN endpoints, 269-274 for pass-throughs, 274-275 endpoints, configuring for, 275-289 Gateway to Gateway VPNs, 494-495 hardware requirements, 56 L2TP over IPSec VPNs, 297 Microsoft certificate services, configuring, 289-292 testing, 272-274
W W3C format, logs, 425 Web Proxy Autodiscovery Protocol (WPAD), 402 Web proxy clients, 12, 15, 386-387, 408 Web publishing, 492 CARP (Cache Array Routing Protocol), enabling, 188 configuring, 184-193 authentication methods, 189-190 destination sets, 186 listeners, 186-187 rules, 187-188 server certificates, 189-190 HTTP requests, redirecting, 190-193 SSL requests, redirecting, 190-193 Web sites ExamGear, Training Guide Edition software, checking, 647 Microsoft Certified Professional, 619 Microsoft Training and Certification, 620 Web usage reports, 37, 455-456, 485 Win Proxy Automatic Discover (WPAD) protocol, 393 Windows 2000 install error message, 114 Windows NT 4.0 domains, interoperability, 487 Windows out-of-band attacks, 18 WinNuke attacks, 429
wizards Add Destination Wizard, 224 ISA VPN Wizard, 276-283 Mail Server Security Wizard, 194 New Filter, 314 Security Configuration Wizard, 19 VPN Allow Wizard, 270-272 WPAD (Web Proxy Autodiscovery Protocol), 393, 402
HOW TO CONTACT US

VISIT OUR WEB SITE WWW.NEWRIDERS.COM

On our web site, you’ll find information about our other books, authors, tables of contents, and book errata. You will also find information about book registration and how to purchase our books, both domestically and internationally.

EMAIL US

Contact us at: [email protected]
• If you have comments or questions about this book
• To report errors that you have found in this book
• If you have a book proposal to submit or are interested in writing for New Riders
• If you are an expert in a computer topic or technology and are interested in being a technical editor who reviews manuscripts for technical accuracy

Contact us at: [email protected]
• If you are an instructor from an educational institution who wants to preview New Riders books for classroom use. Email should include your name, title, school, department, address, phone number, office days/hours, text in use, and enrollment, along with your request for desk/examination copies and/or additional information.

Contact us at: [email protected]
• If you are a member of the media who is interested in reviewing copies of New Riders books. Send your name, mailing address, and email address, along with the name of the publication or web site you work for.

BULK PURCHASES/CORPORATE SALES

If you are interested in buying 10 or more copies of a title or want to set up an account for your company to purchase directly from the publisher at a substantial discount, contact us at 800-382-3419 or email your contact information to [email protected]. A sales representative will contact you with more information.

WRITE TO US

New Riders Publishing, 201 W. 103rd St., Indianapolis, IN 46290-1097

CALL/FAX US

Toll-free (800) 571-5840
If outside U.S. (317) 581-3500
Ask for New Riders
FAX: (317) 581-4663

VOICES THAT MATTER
WWW.NEWRIDERS.COM
The Road to MCSE Windows 2000 The new Microsoft Windows 2000 track is designed for information technology professionals working in a typically complex computing environment of medium to large organizations. A Windows 2000 MCSE candidate should have at least one year of experience implementing and administering a network operating system. MCSEs in the Windows 2000 track are required to pass five core exams and two elective exams that provide a valid and reliable measure of technical proficiency and expertise. See below for the exam information and the relevant New Riders title that covers that exam.
Core Exams New MCSE Candidates (Who Have Not Already Passed Windows NT 4.0 Exams) Must Take All 4 of the Following Core Exams: Exam 70-210: Installing, Configuring and Administering Microsoft® Windows® 2000 Professional
or
Exam 70-240: Microsoft Windows 2000 Accelerated Exam for MCPs Certified on Microsoft Windows NT 4.0.
Exam 70-215: Installing, Configuring and Administering Microsoft Windows 2000 Server Exam 70-216: Implementing and Administering a Microsoft Windows 2000 Network Infrastructure
MCPs Who Have Passed 3 Windows NT 4.0 Exams (Exams 70-067, 70-068, and 70-073) Instead of the 4 Core Exams at Left, May Take:
ISBN 0-7357-0965-3
ISBN 0-7357-0968-8
(This accelerated, intensive exam, which will be available until December 31, 2001, covers the core competencies of exams 70-210, 70-215, 70-216, and 70-217.) ISBN 0-7357-0979-3
Exam 70-217: Implementing and Administering a Microsoft Windows 2000 Directory Services Infrastructure
MCSE Training Guide: Core Exams (Bundle) ISBN 0-7357-0966-1
ISBN 0-7357-0976-9 ISBN 0-7357-0988-2
PLUS - All Candidates - 1 of the Following Core Elective Exams Required: *Exam 70-219: Designing a Microsoft Windows 2000 Directory Services Infrastructure *Exam 70-220: Designing Security for a Microsoft Windows 2000 Network *Exam 70-221: Designing a Microsoft Windows 2000 Network Infrastructure ISBN 0-7357-0983-1
ISBN 0-7357-0984-X
ISBN 0-7357-0982-3
PLUS - All Candidates - 2 of the Following Elective Exams Required: Any current MCSE electives (visit www.microsoft.com for a list of current electives) (Selected third-party certifications that focus on interoperability will be accepted as an alternative to one elective exam. Please watch for more information on the third-party certifications that will be acceptable.)
*Exam 70-219: Designing a Microsoft Windows 2000 Directory Services Infrastructure *Exam 70-220: Designing Security for a Microsoft Windows 2000 Network *Exam 70-221: Designing a Microsoft Windows 2000 Network Infrastructure
ISBN 0-7357-0983-1
ISBN 0-7357-0984-X
ISBN 0-7357-0982-3
Exam 70-222: Upgrading from Microsoft Windows NT 4.0 to Microsoft Windows 2000 *Core exams that can also be used as elective exams may only be counted once toward a certification; that is, if a candidate receives credit for an exam as a core in one track, that candidate will not receive credit for that same exam as an elective in that same track. WWW.NEWRIDERS.COM
OTHER NEW RIDERS TITLES

Inside Windows 2000 Server
William Boswell
ISBN: 1562059297, 1450 pages, US $49.99

“I can’t believe how many great books these people publish. Inside Windows 2000 is an extremely thorough reference for anyone deploying or supporting Windows 2000. Don’t try to read it cover to cover. It is much too exhaustive for that. It is my primary reference for Windows 2000 issues.” —An online reviewer

Inside ASP.NET
Scott Worley
ISBN: 0735711356, Available November 2001, 900 pages, US $49.99

Inside ASP.NET is a comprehensive guide to ASP.NET development using Microsoft's .NET development framework. This book presents information on the .NET framework that is of specific interest to Internet and intranet developers. Each chapter tackles a specific area of ASP.NET development, first by giving a detailed overview, then presenting a series of code examples and walk-throughs that illustrate various applications of ASP.NET. The chapters conclude with an in-depth look inside that particular area of ASP.NET.
Windows 2000 Security Roberta Bragg
ISBN: 0735709912 500 pages US $39.99
“Roberta Bragg is one of the foremost experts on security. I got this book based on her reputation and was not disappointed. Security has a lot of dark passages that can lose you, but this book, since it is dedicated to Win2K, covers all topics in a clear, concise format. It is good for security novices and experts. I have used it to not only understand principles but to gather reference information. An excellent book!” —An online reviewer
MCSE Training Guide (70-220) Windows 2000 Network Security Design Roberta Bragg
ISBN: 073570984X 906 pages US $49.99
Exam 70-220, Designing Security for a Windows 2000 Network tests the skills required to analyze the business requirements for security and design a security solution that meets business requirements. Security includes controlling access to resources, auditing access to resources, authentication, and encryption. Ideal for professionals looking for comprehensive self-study materials to get through the exam successfully. Exam 70-220 is one of the required core elective exams.
MCSE Training Guide Windows 2000 Core Exams Bundle
ISBN: 0735709882 4 books in slipcase US $149.99
Get all the core requirements of the MCSE 2000 exam track in one place! This bundle contains four Training Guides, one covering each of the four required exams. Each book is held up to the rigorous standards of New Riders and each title contains a companion CD-ROM with ExamGear, Training Guide edition, which helps to extend your study and offers premium exam preparation content.
When IT really matters, test with VUE.

You’ve studied the Training Guide. Tested your skills with ExamGear™. Now what? Are you ready to sit the exam? If the answer is yes, be sure to test with VUE. Why VUE? Because with VUE, you get the best technology and even better service. Some of the benefits are:
• VUE allows you to register and reschedule your exam in real-time, online, by phone, or at your local testing center
• Your test is on time and ready for you, 99% of the time
• Your results are promptly and accurately provided to the certifying agency, then merged with your test history

VUE has over 2,400 quality-focused testing centers worldwide, so no matter where you are, you’re never far from a VUE testing center. VUE is a testing vendor for all the major certification vendors, including Cisco®, Microsoft®, CompTIA® and Novell®. Coming soon, you’ll find New Riders questions and content on the VUE web site, and you’ll be able to get your next Training Guide at www.vue.com.

HURRY! SIGN UP FOR YOUR EXAM NOW! TEST WITH VUE. WHEN IT REALLY MATTERS. WWW.VUE.COM

www.newriders.com
Solutions from experts you know and trust. www.informit.com

OPERATING SYSTEMS · WEB DEVELOPMENT · PROGRAMMING · NETWORKING · CERTIFICATION · AND MORE…

Expert Access. Free Content.

New Riders has partnered with InformIT.com to bring technical information to your desktop. Drawing on New Riders authors and reviewers to provide additional information on topics you’re interested in, InformIT.com has free, in-depth information you won’t find anywhere else.

■ Master the skills you need, when you need them
■ Call on resources from some of the best minds in the industry
■ Get answers when you need them, using InformIT’s comprehensive library or live experts online
■ Go above and beyond what you find in New Riders books, extending your knowledge

As an InformIT partner, New Riders has shared the wisdom and knowledge of our authors with you online. Visit InformIT.com to see what you’re missing.

www.informit.com ■ www.newriders.com