Dr. Tom Shinder's ISA Server 2006 Migration Guide (eBook)

Front Cover 1
Dr. Tom Shinder's ISA Server 2006 Migration Guide 2
Copyright Page 3
Lead Authors 4
Contributing Authors 6
Contents 8
Introduction 24
Chapter 1: Network Security Basics 35
Introduction 36
Security Overview 36
Defining Basic Security Concepts 36
Knowledge is Power 37
Think Like a Thief 37
The Intrusion Triangle 38
Removing Intrusion Opportunities 39
Security Terminology 39
Addressing Security Objectives 41
Controlling Physical Access 42
Physical Access Factors 42
Protecting the Servers 43
Keeping Workstations Secure 43
Protecting Network Devices 44
Securing the Cable 45
Safely Going Wireless 46
Have Laptop, Will Travel 47
The Paper Chase 48
Removable Storage Risks 48
Physical Security Summary 49
Preventing Accidental Compromise of Data 49
Know Your Users 50
Educate Your Users 50
Control Your Users 50
Preventing Intentional Internal Security Breaches 50
Hiring and Human Resource Policies 51
Detecting Internal Breaches 51
Preventing Intentional Internal Breaches 52
Preventing Unauthorized External Intrusions 52
External Intruders with Internal Access 53
Tactical Planning 53
Recognizing Network Security Threats 53
Understanding Intruder Motivations 54
Recreational Hackers 54
Profit-motivated Hackers 54
Vengeful Hackers 55
Hybrid Hackers 56
Classifying Specific Types of Attacks 56
Social engineering attacks 56
What is social engineering? 56
Protecting your network against social engineers 57
Denial of Service (DOS) Attacks 58
Distributed Denial of Service attacks 58
DNS DOS attack 59
SYN attack/LAND attack 59
Ping of Death 61
Teardrop 61
Ping Flood (ICMP flood) 61
SMURF attack 62
UDP bomb or UDP flood 63
UDP Snork attack 63
WinNuke (Windows out-of-band attack) 63
Mail bomb attack 63
Scanning and Spoofing 64
Port scan 64
IP half scan attack 66
IP Spoofing 66
Source Routing attack 66
Other protocol exploits 67
System and software exploits 67
Trojans, viruses and worms 68
Trojans 68
Viruses 68
Worms 69
Designing a Comprehensive Security Plan 69
Evaluating Security Needs 70
Assessing the type of business 70
Assessing the type of data 71
Assessing the network connections 71
Assessing management philosophy 72
Understanding management models 72
Understanding Security Ratings 72
Legal Considerations 73
Designating Responsibility for Network Security 73
Responsibility for Developing the Security Plan and Policies 73
Responsibility for Implementing and Enforcing the Security Plan and Policies 74
Designing the Corporate Security Policy 74
Developing an Effective Password Policy 75
Password Length and Complexity 75
Who creates the password? 76
Password Change Policy 76
Summary of Best Password Practices 77
Educating Network Users on Security Issues 77
Summary 79
Chapter 2: ISA Server 2006 Client Types and Automating Client Provisioning 81
Introduction 82
Understanding ISA Server 2006 Client Types 82
Understanding the ISA Server 2006 SecureNAT Client 84
SecureNAT Client Limitations 86
SecureNAT Client Advantages 90
Name Resolution for SecureNAT Clients 92
Name Resolution and "Looping Back" Through the ISA Server 2006 Firewall 92
Understanding the ISA Server 2006 Firewall Client 96
Allows Strong User/Group-Based Authentication for All Winsock Applications Using TCP and UDP Protocols 97
Allows User and Application Information to be Recorded in the ISA Server 2006 Firewall's Log Files 98
Provides Enhanced Support for Network Applications, Including Complex Protocols That Require Secondary Connections 98
Provides "Proxy" DNS Support for Firewall Client Machines 98
The Network Routing Infrastructure Is Transparent to the Firewall Client 99
How the Firewall Client Works 101
Installing the Firewall Client Share 103
Installing the Firewall Client 104
Firewall Client Configuration 105
Centralized Configuration Options at the ISA Server 2006 Firewall Computer 106
Enabling Support for Legacy Firewall Client/Winsock Proxy Clients 109
Client Side Firewall Client Settings 110
Firewall Client Configuration Files 112
.ini Files 113
Advanced Firewall Client Settings 114
Firewall Client Configuration at the ISA Server 2006 Firewall 116
ISA Server 2006 Web Proxy Client 118
Improved Performance for the Firewall Client and SecureNAT Client Configuration for Web Access 119
Ability to Use the Autoconfiguration Script to Bypass Sites Using Direct Access 119
Allows You to Provide Web Access (HTTP/HTTPS/FTP Download) without Enabling Users Access to Other Protocols 119
Allows You to Enforce User/Group-based Access Controls Over Web Access 120
Allows you to Limit the Number of Outbound Web Proxy Client Connections 126
Supports Web Proxy Chaining, Which Can Further Speed Up Internet Access 127
ISA Server 2006 Multiple Client Type Configuration 127
Deciding on an ISA Server 2006 Client Type 129
Automating ISA Server 2006 Client Provisioning 130
Configuring DHCP Servers to Support Web Proxy and Firewall Client Autodiscovery 131
Install the DHCP Server 132
Create the DHCP scope 132
Create the DHCP 252 Scope Option and Add It to the Scope 135
Configure the Client as a DHCP Client 138
Configure the Client Browser to Use DCHP for Autodiscovery 139
Configure the ISA Server 2006 Firewall to Publish Autodiscovery Information 139
Making the Connection 140
Configuring DNS Servers to Support Web Proxy and Firewall Client Autodiscovery 142
Creating the wpad Entry in DNS 142
Configure the Client to Use the Fully-Qualified wpad Alias 145
Configure the client browser to use autodiscovery 148
Configure the ISA Server 2006 Firewall to Publish Autodiscovery Information 148
Making the Connection Using DNS for Autodiscovery 149
Automating Installation of the Firewall Client 150
Configuring Firewall Client and Web Proxy Client Configuration in the ISA Management Console 151
Group Policy Software Installation 155
Silent Installation Script 158
Systems Management Server (SMS) 159
One More Time 159
Chapter 3: Installing and Configuring the ISA Firewall Software 161
Pre-installation Tasks and Considerations 162
System Requirements 162
Configuring the Routing Table 164
DNS Server Placement 166
Configuring the ISA Firewall's Network Interfaces 168
Installation via a Terminal Services Administration Mode Session 172
Performing a Clean Installation on a Multihomed Machine 172
Default Post-installation ISA Firewall Configuration 179
The Post-installation System Policy 180
Performing a Single NIC Installation (Unihomed ISA Firewall) 191
Quick Start Configuration for ISA Firewalls 193
Configuring the ISA Firewall's Network Interfaces 195
IP Address and DNS Server Assignment 195
Configuring the Internal Network Interface 196
Configuring the External Network Interface 197
Network Interface Order 197
Installing and Configuring a DNS Server on the ISA Server Firewall 198
Installing the DNS Service 198
Installing the DNS Server Service on Windows Server 2003 198
Configuring the DNS Service on the ISA Firewall 199
Configuring the DNS Service in Windows Server 2003 199
Configuring the DNS Service on the Internal Network DNS Server 202
Installing and Configuring a DHCP Server on the ISA Server Firewall 204
Installing the DHCP Service 204
Installing the DHCP Server Service on a Windows Server 2003 Computer 205
Configuring the DHCP Service 205
Installing and Configuring the ISA Server 2006 Software 207
Configuring the ISA Firewall 210
DHCP Request to Server Rule 212
DHCP Reply from Server Rule 214
Internal DNS Server to DNS Forwarder Rule 215
Internal Network to DNS Server 216
The All Open Rule 217
Configuring the Internal Network Computers 218
Configuring Internal Clients as DHCP Clients 218
Hardening the Base ISA Firewall Configuration and Operating System 221
ISA Firewall Service Dependencies 221
Service Requirements for Common Tasks Performed on the ISA Firewall 224
Client Roles for the ISA Firewall 227
ISA Firewall Administrative Roles and Permissions 229
Lockdown Mode 231
Lockdown Mode Functionality 231
Connection Limits 232
DHCP Spoof Attack Prevention 234
One More Time 237
Chapter 4: Creating and Using ISA 2006 Firewall Access Policy 239
ISA Firewall Access Rule Elements 242
Protocols 242
User Sets 243
Content Types 244
Schedules 250
Network Objects 251
Configuring Access Rules for Outbound Access through the ISA Firewall 251
The Rule Action Page 251
The Protocols Page 252
The Access Rule Sources Page 254
The Access Rule Destinations Page 255
The User Sets Page 255
Access Rule Properties 256
The General Tab 256
The Action Tab 256
The Protocols Tab 257
The From Tab 259
The To Tab 260
The Users Tab 260
The Schedule Tab 261
The Content Types Tab 262
The Access Rule Context Menu Options 263
Configuring RPC Policy 264
Configuring FTP Policy 265
Configuring HTTP Policy 266
Ordering and Organizing Access Rules 266
How to Block Logging for Selected Protocols 267
Disabling Automatic Web Proxy Connections for SecureNAT Clients 268
Using Scripts to Populate Domain Name Sets 269
Using the Import Scripts 271
Extending the SSL Tunnel Port Range for Web Access to Alternate SSL Ports 276
Avoiding Looping Back through the ISA Firewall for Internal Resources 278
Anonymous Requests Appear in Log File Even When Authentication is Enforced For Web (HTTP Connections) 280
Blocking MSN Messenger using an Access Rule 280
Allowing Outbound Access to MSN Messenger via Web Proxy 283
Changes to ISA Firewall Policy Only Affects New Connections 284
Allowing Intradomain Communications through the ISA Firewall 285
One More Time 294
Chapter 5: Publishing Network Services with ISA 2006 Firewalls 297
Overview of Web Publishing and Server Publishing 298
Web Publishing Rules 298
Proxied Access to Web Sites Protectedby the ISA firewall 299
Deep Application-Layer Inspection of Connections Made to Published Web Sites 299
Path Redirection 300
URL rewriting with ISA's Link Translation 300
Ability to Publish Multiple Web Sites with a Single IP Address 301
Pre-authentication of requests, and Authentication Delegation to the published Site 301
Single Sign-On (SSO) for Published Web Sites 302
Support for SecurID Authentication 302
Support for RADIUS Authentication 302
Reverse Caching of Published Web Sites 303
Support for Forwarding either the ISA Firewall's IP Address, or the Original Web Client's IP Address to the Web Site 303
Ability to Schedule when Connections are Allowed to Published Web Sites 304
Port and Protocol Redirection 304
Server Publishing Rules 305
Server Publishing Rules are a Form of Reverse NAT, sometimes referred to as "Port Mapping" or "Port forwarding" and do not Proxy the Connection 305
Almost All IP Level and TCP/UDP Protocols can be Published using Server Publishing Rules 306
Server Publishing Rules do not Support Authentication on the ISA Server 306
Application-Layer Filtering can be Applied to a Defined Subset of Server Published Protocols 306
You can Configure Port Overrides to Customize the Listening Ports and the Port Redirection. You can also Lock Down the Source Ports the Requesting Clients use to Connect to the Published Server 307
You can lock down who can Access Published Resources using IP addresses 307
The External Client Source IP Address can be Preserved or it can be Replaced with the ISA Firewall's IP address 307
Restrict connections to specific days and times 307
Support for Port Redirection or PAT (Port Address Translation) 308
Creating and Configuring Non-SSL Web Publishing Rules 308
The Select Rule Action Page 308
The Publishing Type Page 309
The Server Connection Security Page 310
The Internal Publishing Details Page (Part one) 311
The Internal Publishing Details Page(Part two) 313
The Public Name Details Page 315
The Select Web Listener Page and Creating an HTTP Web Listener 316
The Web Listener IP Addresses Page 318
The Authentication Settings Page 320
The Single Sign on Settings Page 324
The LDAP Settings Page 325
The RADIUS Settings Page 327
SecurID Settings 329
The Authentication Delegation Page 329
The User Sets Page 332
Creating and Configuring SSL Web Publishing Rules 333
SSL Bridging 333
SSL "Tunneling" versus SSL "Bridging" 334
What about SSL-to-HTTP Bridging? 334
Enterprise and Standalone Certificate Authorities 335
SSL-to-SSL Bridging and Web Site Certificate Configuration 336
Importing Web Site Certificates into the ISA Firewall's Machine Certificate Store 338
Requesting a User Certificate for the ISA Firewall to Present to SSL Web Sites 340
Creating an SSL Web Publishing Rule 342
The Internal Publishing Details Pages 343
The Public Name Details Page 345
The Server Connection Security Page 345
The Client Connection Security Page 346
ISA 2004's Bridging Mode Page and ISA 2006 349
Configuring Advanced Web Listener Properties 350
The General Tab 350
The Networks Tab 350
The Connections Tab 350
The Connections - Advanced Dialog 352
The Certificates Tab 352
The Certificates - Advanced Dialog 353
The Authentication Tab 353
Advanced Authentication Options Dialog Box 353
The Forms Tab 356
The Forms - Advanced Dialog 357
The SSO Tab 358
The Web Publishing Rule Properties Dialog Box 359
The General Tab 359
Action 360
From 361
To 362
Traffic 364
Listener 366
Public Name 366
Paths 367
Bridging 371
Users 372
Schedule 374
Link Translation 374
Authentication Delegation 375
Application Settings 377
Creating Server Publishing Rules 378
The Server Publishing Rule Properties Dialog Box 383
Server Publishing HTTP Sites 389
Creating Mail Server Publishing Rules 391
The Client Access: RPC, IMAP, POP3, SMTP Option 392
Publishing Exchange Web Client Access 394
One More Time 397
Chapter 6: Creating Remote Access and Site-to-Site VPNs with ISA Firewalls 399
Overview of ISA Firewall VPN Networking 400
Firewall Policy Applied to VPN Client Connections 402
Firewall Policy Applied to VPN Site-to-Site Connections 403
VPN Quarantine 404
User Mapping of VPN Clients 405
SecureNAT Client Support for VPN Connections 406
Site-to-Site VPN Using Tunnel Mode IPSec 407
Publishing PPTP VPN Servers 408
Pre-shared Key Support for IPSec VPN Connections 409
Advanced Name Server Assignment for VPN Clients 410
Monitoring of VPN Client Connections 411
An Improved Site-to-Site Wizard (New ISA 2006 feature) 411
The Create Answer File Wizard (New ISA 2006 Feature) 412
The Branch Office Connectivity Wizard (New ISA 2006 feature) 412
The Site-to-Site Summary (New ISA 2006 Feature) 413
Creating a Remote Access PPTP VPN Server 413
Enable the VPN Server 414
Create an Access Rule Allowing VPN Clients Access to Allowed Resources 425
Enable Dial-in Access 426
Test the PPTP VPN Connection 429
Creating a Remote Access L2TP/IPSec Server 431
Issue Certificates to the ISA Firewall and VPN Clients 431
Test the L2TP/IPSec VPN Connection 437
Monitor VPN Clients 438
Using a Pre-shared Key for VPN Client Remote Access Connections 440
Creating a PPTP Site-to-Site VPN 442
Create the Remote Site Network at the Main Office 445
The Network Rule at the Main Office 452
The Access Rules at the Main Office 452
Create the VPN Gateway Dial-in Account at the Main Office 453
Create the Remote Site Network at the Branch Office 455
The Network Rule at the Branch Office 457
The Access Rules at the Branch Office 458
Create the VPN Gateway Dial-in Account at the Branch Office 458
Activate the Site-to-Site Links 459
Creating an L2TP/IPSec Site-to-Site VPN 460
Enable the System Policy Rule on the Main Office Firewall to Access the Enterprise CA 461
Request and Install a Certificate for the Main Office Firewall 462
Configure the Main Office ISA Firewall to use L2TP/IPSec for the Site-to-Site Link 466
Enable the System Policy Rule on the Branch Office Firewall to Access the Enterprise CA 468
Request and Install a Certificate for the Branch Office Firewall 469
Configure the Branch Office ISA Firewall to use L2TP/IPSec for the Site-to-Site Link 471
Activate the L2TP/IPSec Site-to-Site VPN Connection 471
Configuring Pre-shared Keys for Site-to-Site L2TP/IPSec VPN Links 473
IPSec Tunnel Mode Site-to-Site VPNs with Downlevel VPN Gateways 474
Using RADIUS for VPN Authentication and Remote Access Policy 474
Configure the Internet Authentication Services (RADIUS) Server 475
Create a VPN Clients Remote Access Policy 476
Remote Access Permissions and Domain Functional Level 479
Changing the User Account Dial-in Permissions 481
Changing the Domain Functional Level 482
Controlling Remote Access Permission via Remote Access Policy 483
Enable the VPN Server on the ISA Firewall and Configure RADIUS Support 484
Create an Access Rule Allowing VPN Clients Access to Approved Resources 487
Make the Connection from a PPTP VPN Client 488
Using EAP User Certificate Authentication for Remote Access VPNs 490
Configuring the ISA Firewall Software to Support EAP Authentication 491
Enabling User Mapping for EAP Authenticated Users 493
Issuing a User Certificate to the Remote Access VPN Client Machine 494
Supporting Outbound VPN Connections through the ISA Firewall 497
Installing and Configuring the DHCP Server and DHCP Relay Agent on the ISA Firewall 500
Summary 503
Chapter 7: ISA 2006 Stateful Inspection and Application Layer Filtering 505
Introduction 506
Application Filters 506
The SMTP Filter 507
The DNS Filter 508
The POP Intrusion Detection Filter 509
The SOCKS V4 Filter 509
The FTP Access Filter 511
The H.323 Filter 511
The MMS Filter 512
The PNM Filter 512
The PPTP Filter 512
The RPC Filter 512
The RTSP Filter 512
Web Filters 513
The HTTP Security Filter (HTTP Filter) 513
Overview of HTTP Security Filter Settings 514
The General Tab 514
The Methods Tab 516
The Extensions Tab 518
The Headers Tab 519
The Signatures Tab 523
HTTP Security Filter Logging 526
Exporting and Importing HTTP Security Filter Settings 527
Exporting an HTTP Policy from a Web Publishing Rule 527
Importing an HTTP Policy into a Web Publishing Rule 528
Investigating HTTP Headers for Potentially Dangerous Applications 529
Example HTTP Security Filter Policies 533
Commonly Blocked Headers and Application Signatures 537
The ISA Server Link Translator 538
Determining Custom Dictionary Entries 541
Configuring Custom Link Translation Dictionary Entries 541
The Web Proxy Filter 543
The OWA Forms-Based Authentication Filter 544
The RADIUS Authentication Filter 545
IP Filtering and Intrusion Detection/Intrusion Prevention 545
Common Attacks Detection and Prevention 545
DNS Attacks Detection and Prevention 546
IP Options and IP Fragment Filtering 547
Source Routing Attack 549
Summary 550
Chapter 8: Accelerating Web Performance with ISA 2006 Caching Capabilities 551
Understanding Caching Concepts 552
Web Caching Types 552
Forward Caching 553
Reverse Caching 553
How Reverse Caching Reduces Bandwidth Usage 554
How Reverse Caching Increases Availability of Web Content 554
Web Caching Architectures 554
Web Caching Protocols 557
Understanding ISA 2006's Web Caching Capabilities 557
Using the Caching Feature 558
Understanding Cache Rules 559
Using Cache Rules to Specify Content Types That Can Be Cached 560
Using Cache Rules to Specify How Objects are Retrieved and Served from Cache 560
Understanding the Content Download Feature 561
Configuring ISA 2006 as a Caching Firewall 563
Enabling and Configuring Caching 563
How to Enable Caching in Enterprise Edition 563
How to Enable Caching in Standard Edition 565
How to Disable Caching in Enterprise Edition 565
How to Disable Caching in Standard Edition 566
How to Configure Properties 566
Configuring Which Content to Cache 566
Configuring the Maximum Size of Objects in the Cache 567
Configuring Whether Expired Objects Should be Returned from Cache 568
Allocating a Percentage of Memory to Caching 568
Creating Cache Rules 569
How to Create a Cache Rule 569
How to Modify an Existing Cache Rule 573
How to Disable or Delete a Cache Rule 575
How to Change the Order of Cache Rules 575
How to Copy a Cache Rule 575
How to Export and Import Cache Rules 576
Configuring Content Downloads 578
How to Ensure a Content Download Job Can Run 579
Configuring the Local Host Network 579
Enabling the System Policy Rules 581
Running the Job Scheduler Service 582
How to Create and Configure Scheduled Content Download Jobs 584
How to Make Changes to an Existing Content Download Job 587
How to Disable or Delete Content Download Jobs 588
How to Export and Import Content Download Job Configurations 588
How to Run a Content Download Job Immediately 589
Summary 590
Chapter 9: Using ISA Firewall 2006's Monitoring, Logging, and Reporting Tools 591
Introduction 592
Exploring the ISA 2006 Dashboard 593
Dashboard Sections 595
Dashboard Connectivity Section 596
Dashboard Services Section 597
Dashboard Reports Section 598
Dashboard Alerts Section 599
Dashboard Sessions Section 600
Dashboard System Performance Section 601
Configuring and Customizing the Dashboard 603
Creating and Configuring ISA 2006 Alerts 604
Alert-Triggering Events 604
Viewing the Predefined Alerts 607
Creating a New Alert 607
Modifying Alerts 614
Viewing Alerts that have been Triggered 615
Monitoring ISA 2006 Connectivity, Sessions, and Services 617
Configuring and Monitoring Connectivity 617
Creating Connectivity Verifiers 618
Monitoring Connectivity 621
Monitoring Sessions 625
Viewing, Stopping and Pausing Monitoring of Sessions 625
Monitoring Specific Sessions Using Filter Definitions 627
Disconnecting Sessions 630
Exporting and Importing Filter Definitions 630
Monitoring Services 630
Working with ISA Firewall Logs and Reports 631
Understanding ISA Firewall Logs 631
Log Types 632
Logging to an MSDE Database 632
Logging to a SQL Server 632
Logging to a File 633
How to Configure Logging 634
Configuring MSDE Database Logging 635
Configuring Logging to a File 636
Configuring Logging to a SQL Database 637
How to Use the Log Viewer 638
How to Filter the Log Information 639
Saving Log Viewer Data to a File 642
Exporting and Importing Filter Definitions 643
Generating, Viewing, and Publishing Reports with ISA 2006 643
How to Generate a One-Time Report 643
How to Configure an Automated Report Job 646
Other Report Tasks 649
How to View Reports 650
Publishing Reports 651
Using the ISA Firewall's Performance Monitor 652
Recommended Performance Counters 656
ISA Firewall 2004 Upgrade Considerations 656
Preserving Log Files Prior to Upgrade 657
File Logging 657
MSDE Logging 658
SQL Logging 659
Preserving SQL Logging Options Prior to Upgrade 660
Index 661