Sneak preview - Configuring ISA Server 2004: Chapter 2 on ISAserver.org!
ISA 2004 retains many of the same features that administrators know and love from ISA 2000, and, in many cases, has improved on them to make them even more functional and easy to use. For example, enhancements and improvements have been made to Virtual Private Networks (VPN) administration, authentication, firewall rules, Outlook Web Access (OWA) publishing, FTP support, secure Web publishing, cache rules, the SMTP message screener, customization of reports, and more.
ISA 2004 also adds an abundance of new features, such as support for multiple networks, stateful filtering and inspection for VPN traffic, VPN quarantine, firewall user groups, firewall generation of forms used by OWA for forms-based authentication, link translation, and much more.
The graphical user interface (GUI) has been completely reworked for a more intuitive and user-friendly experience.
In this chapter, we provide an overview of ISA 2004’s new GUI and discuss old features that have been improved as well as new additions that will make the ISA Server administrator’s job easier. We also look at some features present in ISA 2000 that have been removed in ISA 2004, making the product leaner and meaner. These removals reflect Microsoft’s focus on marketing ISA 2004 first and foremost as a firewall/security product that can compete with the top competitors in that market, and only secondarily as a caching/acceleration server that adds value and saves money for organizations that need both functions but don’t want to buy two separate products or expensive add-ons for their firewalls.
The New GUI: More Than Just a Pretty Interface
First, we’ll look at the first thing the ISA user sees: the graphical interface. There’s no question that ISA 2004’s interface is more intuitive than the ISA 2000 interface. Improving the user experience by making the interface friendlier was a major goal of the development team, and they’ve done a good job. It’s easy for someone who isn’t familiar with ISA 2000 to sit down at the ISA 2004 interface and click his or her way to performing many of the common firewall administrative tasks without consulting the Help file.
Examining the Graphical Interface
Figure 2.1 shows the ISA Server 2000 management GUI, and Figure 2.2 shows the new ISA Server 2004 GUI. As you can see, the former looks pretty much like any other Microsoft Management Console (MMC), with its simple left-pane tree and right details pane.
Figure 2.1: The ISA 2000 Interface -- A Simple MMC
The ISA Server 2004 console is much richer, with a three-pane window that still includes the familiar tree structure in the left pane, but gives you tabbed pages in the middle and right panes that make it easy to select the type of tasks you want to perform and get precise help in performing them. No longer do you have to click through dozens of dialog boxes within dialog boxes in order to find the configuration setting you want. Instead, common management tasks are, literally, at your fingertips. This point-and-click interface can easily be learned by any IT administrator, without extensive training.
Figure 2.2: The ISA Server 2004 Management GUI -- A Handy Three-part Tabbed Interface
You can use the management console to connect to remote ISA servers as well as the local ISA Server. You can also install the management console on a workstation or non-ISA server and manage your ISA machines remotely. You select the ISA computer you want to manage by clicking Connect to Local or Remote ISA Server in the right console pane, on the Tasks tab.
Clicking the top node in the management console’s left pane (labeled Microsoft Internet Security and Acceleration Server 2004) displays the Welcome page in the middle pane. This interface provides quick links to the following options:
The Getting Started Guide, an HTML document (Figure 2.3), provides detailed guidance for installing and configuring ISA Server 2004 and includes a “Feature Walk-Through” that shows you scenarios for performing specific common tasks.
Best Practices for Securing your ISA Server takes you to the Security and Administration section of the ISA Server 2004 Help file. There is also a link to the Guides and Articles page on the ISA Server Website, http://www.microsoft.com/isaserver/techinfo/howto/, where you can find the most current version of the Security Best Practices document.
The Getting Started Page (not to be confused with the Getting Started Guide) provides a logically organized, task-driven list of steps that allow you to quickly and easily set up your ISA Server (discussed in the next section).
The Microsoft ISA 2004 Web site at www.microsoft.com/isaserver has product updates, customer support information, and the latest news about ISA Server.
Partner Products Web site offers an extensive list of third-party add-ons to enhance the functionality of ISA Server, with links to partner sites, case studies, and partner news and reviews.
Figure 2.3: The ISA Server 2004 Getting Started Guide -- Installation Instructions and a Features Walk-through
Examining The Management Nodes
Depending on your selection in the left pane, the middle pane displays different clickable configuration items. The left pane nodes include:
ISA Server (Name) Top Node
Monitoring Node
Firewall Policy Node
Virtual Private Networks (VPN) Node
Configuration Node, which contains four subnodes: Networks, Cache, Add-ins, and General
In the following subsections, we’ll take a look at each of the nodes and their interfaces and what you can do with each.
ISA Server (Name) Top Node
If you select the node representing your ISA Server firewall (in the figures, the firewall’s name is ROADBLOCK), the middle pane will display the Getting Started with ISA Server 2004 page, shown in Figure 2.4. Again, don’t confuse this with the Getting Started Guide.
Figure 2.4: Selecting the ISA Server Name -- Left Pane Displays Getting Started Page
The Getting Started page makes it easy to set up the ISA Server firewall and/or caching server. You will see options here for performing the following tasks:
Defining Your ISA Server Network Configuration allows you to select a predefined network template that you can use to create the layout for your ISA Server network and apply default policy rules. You can specify the NAT or routed relationship between multiple ISA server networks.
View and Create Firewall Policy Rules lets you configure rules that will determine how your ISA Server allows secure access to internal and external Web sites, other Internet sites, servers, e-mail, and other services.
Define How ISA Server Caches Web configures caching, first by defining a cache drive and then by creating caching rules to control how the Web content will be downloaded to the cache and the frequency of cache updates.
Configure VPN Access allows you to create a VPN gateway to allow remote users to connect to your Internal network via virtual private networking.
Monitor your ISA Server Network supplies options to view system details and verify connectivity (including monitoring in real time, which users are connected to which Web sites, and application usage). You can also create alerts to notify administrators of specified events via e-mail and set up generation of one-time or scheduled reports.
Each of the options on the Getting Started page actually takes you to one of the nodes shown in the left pane. Thus, clicking “Define Your ISA Server Network Configuration” takes you to the same interface as clicking the Networks node under “Configuration” in the left pane; clicking “View and Create Firewall Policy Rules” takes you to the same interface as clicking Firewall Policy in the left pane, and so forth. After you become familiar with the ISA 2004 management console, you’ll probably find it easier to just click the appropriate node in the left pane, but the Getting Started page brings together in an ordered list all of the configuration options you need when you first set up your ISA Server computer.
When the top ISA Server node is selected, in the Tasks tab of the right pane you’ll see clickable icons for performing several tasks that relate to the ISA server as a whole. These include:
Define Administrative Roles invokes the Administration Delegation Wizard, which you can use to assign administrative roles to individual users or groups. The roles define what permissions those users will have to administer the ISA Server.
Disconnect Selected Server from Management Console will disconnect you from the local or remote ISA Server.
Backup this ISA Server Configuration allows you to save the ISA configuration as an .XML file.
Restore this ISA Server Configuration allows you to use the .XML file created by the Backup option to restore a configuration.
Related Tasks include exporting and importing ISA server configuration files (in .XML format).
ISA SERVER SECRETS: How Does Backup/Restore Differ from Export/Import?
A popular question we get is: “How do the Backup and Restore functions differ from the Export and Import functions?” It’s a good question, because at first glance, they look the same. In both cases, you’re saving the ISA Server configuration to an .XML file and then bringing it back and applying it to the ISA server. The only difference you’ll see between the two dialog boxes for saving the file is that the Export dialog box includes two checkboxes that you won’t see when saving the file using the Backup feature:
Export user permission settings
Export confidential information (encryption will be used)
Both of these function sets allow you to save configuration information, but the export/import feature gives you more granular control over what information you save and how you save it.
With Backup/Restore, the server’s general configuration information is saved. This consists of firewall policy rules, rule elements, alert configurations, cache configuration, and VPN configuration. You have no option to save only some of this information; it’s an “all-or-nothing” deal.
With Export/Import, you can save the entire configuration, or just specific parts of it. For example, you can save just the networks, or just one network; just the Web chaining rules, or even just one specific chaining rule; just selected firewall policies; just the cache configuration, and so forth. If you choose to export the entire configuration, the following will be saved:
ISA Server properties and all general configuration information
You can choose whether to export confidential information such as user passwords, pre-shared keys for IPSec, and RADIUS shared secrets. You can also choose whether to export user permission settings. With the Backup function, you have no choice: the confidential information and user permission settings are automatically saved. Either way, when you save confidential information, it is encrypted for protection. You specify a password during the export operation, and you’ll have to enter it when you import the configuration.
Why export an entire configuration rather than using Backup? This is often used to clone a server, creating a second ISA Server with the identical configuration. If you need to have several ISA Server firewalls configured as duplicates (for example, for several branch offices), this is the fastest way to do it.
An important fact to note is that when you export an entire configuration, the certificate settings are included. If you import the configuration to another ISA Server that doesn’t have the same certificates installed, the firewall service won’t start.
We will revisit the Getting Started tasks in more detail in Chapter 6, Installing and Configuring the ISA Server 2004 Software.
Monitoring Node
The Monitoring node in ISA Server 2004 is a big improvement over the ISA Server 2000 monitoring and logging interface. This is a busy node, with seven tabbed pages displayed in the middle pane: Dashboard, Alerts, Sessions, Services, Reports, Connectivity, and Logging.
The Dashboard is just what its name implies: a “big picture” view that summarizes each of the areas represented by a tab (except Logging). Like the dashboard of a car, you’re able to keep an eye on what’s going on with all the different areas from one interface. The Dashboard is shown in Figure 2.5.
Figure 2.5: The Dashboard -- A “Big Picture” View of All Monitoring Areas at One Glance
The Dashboard also provides you with system performance information; you are able to see, in graph format, the number of packets allowed per second (x10) and the number of packets dropped per second.
Each of the Dashboard sections contains an icon that indicates the status of that area:
Checkmark inside a green circle: indicates that all is okay
Exclamation point inside a yellow triangle: indicates a warning
X inside a red circle: indicates a problem or potential problem
You can get more detailed information about each monitoring area by clicking on the appropriate tab.
We will go into more detail about how to use the Dashboard in Chapter 13, Using ISA Server 2004 Monitoring, Logging and Reporting Tools.
The Alerts tab provides information about significant events that have occurred (for example, when services start or shut down, an intrusion is detected, the connection limit is exceeded, and so on). You can configure what actions will trigger alerts. The Alerts tab is shown in Figure 2.6.
Figure 2.6: The Alerts Tab Notifies You of Significant Events That Occur on the ISA Server
As you can see in Figure 2.6, if you click on an alert, more information about it will be displayed in the bottom middle pane. Alerts are marked by icons to indicate the relative importance of each. The icons will be familiar to Windows administrators, as they are the same ones used in the Event Viewer’s system and application logs:
A lowercase “i” in a white circle: indicates an informational alert. No action is necessary.
An exclamation point in a yellow triangle: indicates a warning. Action may be required.
An “X” inside a red circle: indicates an error, a problem or potential problem that demands immediate attention.
The right task pane allows you to refresh the Alerts window manually, or you can set an automatic refresh rate (none, low, medium, or high). Under Alerts Tasks, you can reset selected alerts by clicking the alert(s) you want to reset (you can highlight multiple alerts by holding down CTRL while you select them) and then clicking Reset. You will be asked if you’re sure you want to reset the alert. Click Yes to do so.
You can also choose Acknowledge to indicate that you are handling the alert. This will not remove it from the Alerts window; however, the alert will be removed from the Dashboard view.
Finally, you can configure alerts by choosing from a list of predefined alert events, and you can specify the number of times an event must occur, or the number of events per second, in order to trigger an alert. You can also specify what should happen when an alert is triggered (send e-mail to an administrator, run a specified program, log to the Windows event log, or start or stop a specified service or services).
We will discuss how to configure alerts step-by-step in Chapter 13, Using ISA Server 2004 Monitoring, Logging and Reporting Tools.
If you reset a group of alerts, all of the alerts in the group will disappear from the Alerts window. You won’t see them there again unless/until the actions occur again to trigger them.
The Sessions tab makes it easy for administrators to view who is and has been connected through the ISA Server firewall and what applications they use. This information can be filtered for easier perusal. The Sessions window is shown in Figure 2.7.
We will discuss how to use the Sessions information in more detail in Chapter 13, Using ISA Server 2004 Monitoring, Logging and Reporting Tools.
Figure 2.7: Using the Sessions Tab -- View Information About Who Has Connected Through the ISA Server Firewall
The Services tab shows you the status and uptime of the ISA Server and ISA-related services that are running on the Windows 2000 Server or Windows Server 2003 computer. You can stop and start the services from this window, either from the Services Tasks section of the right pane or by right-clicking the service you want to start or stop. The Services tab is shown in Figure 2.8. We will discuss the Services tab more in Chapter 13, Using ISA Server 2004 Monitoring, Logging and Reporting Tools.
You can use the Reports tab, shown in Figure 2.9, to generate a one-time report or configure scheduled report jobs. A New Report Wizard walks you through the steps of creating a one-time report. Report jobs can schedule reports daily, weekly, or monthly. You can specify what information to include in the reports. We will discuss step-by-step procedures for generating reports in Chapter 13, Using ISA Server 2004 Monitoring, Logging and Reporting Tools.
Figure 2.8: The Services Tab -- Stop and Start ISA-related Services
Figure 2.9: The Reports Tab -- Generate Reports from the Logs
The Connectivity tab allows you to create, export, and import connectivity verifiers. These are objects that monitor the connectivity status between the ISA Server computer and a specific computer or URL. Connectivity can be determined via PING messages, TCP port, or HTTP request. The Connectivity tab is shown in Figure 2.10.
We will show you how to configure and use connectivity verifiers in Chapter 13, Using ISA Server 2004 Monitoring, Logging and Reporting Tools.
Figure 2.10: The Connectivity Tab -- Monitor Connectivity Status Between the ISA Server and a Specific Computer or URL
The last tab in the Monitoring window is the Logging tab, shown in Figure 2.11. You can use it to configure the logging process for the firewall, Web Proxy, and SMTP Message Screener logs. You can also edit filters to limit the data displayed, export and import filter definitions, and query the logs.
We will discuss how to configure, filter, and query the log files in Chapter 13, Using ISA Server 2004 Monitoring, Logging and Reporting Tools.
Figure 2.11: The Logging Tab -- Filter and Query Data in the ISA Log Files
Firewall Policy Node
If you select Firewall Policy, the middle pane displays a list of firewall policy rules, and the right pane contains tabs labeled Toolbox, Tasks, and Help, as shown in Figure 2.12.
Figure 2.12: Firewall Policy -- Configure Rules
The firewall policy node is the “heart” of the ISA Server interface. This is where you create access rules, Web publishing rules, mail server publishing rules, and other server publishing rules to control access to and from your network. In addition, you can edit system policy, define IP preferences, and export and import both system policies and firewall policies. New access rules are created easily using the New Access Rule wizard, shown in Figure 2.13.
Figure 2.13: New Access Wizard -- Create New Access and Publishing Rules
You will learn all the step-by-step details for creating and using access policies and publishing rules in Chapter 7, Creating and Using ISA Server 2004 Firewall Access Policy, and Chapter 8, Publishing Network Services to the Internet with ISA Server 2004.
Virtual Private Networks (VPN) Node
It’s easy to set up your ISA Server firewall to act as a VPN gateway for remote access users or site-to-site VPN. The Virtual Private Networks node, shown in Figure 2.14, provides a friendly interface for performing common VPN configuration tasks and controlling client access.
Figure 2.14: Virtual Private Networks -- Configure VPN Tasks and Control Client Access
The middle pane displays a list of configuration tasks, including:
Verifying that VPN client access is enabled
Specifying the Windows users who are allowed VPN access or selecting a RADIUS server for authentication
Verifying VPN properties and remote access configuration
Viewing firewall policy rules for the VPN clients network
Viewing rules that specify network relationships between the VPN clients network and other networks
From the right Tasks pane, you can configure client access (specifying number of simultaneous VPN connections, selecting groups for which VPN access is allowed, specifying allowed VPN protocols, and mapping users from non-Windows namespaces). You can even disable all VPN access with a single click.
We take you through the processes involved in creating and managing VPNs in Chapter 9, Protecting Remote Access and VPN Communications with ISA Server 2004.
Configuration Node: Networks Subnode
The Configuration node has four subnodes. If you select the Networks subnode, the middle pane displays a tabbed set of pages that includes networks, network sets, network rules, and Web chaining, as shown in Figure 2.15.
Figure 2.15: The Networks Tab -- Configure Networks, Network Sets, Network Rules and Web Chaining
The right pane will contain tabs labeled Tasks, Templates, and Help.
The Networks tab is used to create and configure networks in a multiple network environment. The Network Sets tab lets you group networks and apply rules to a group, or set, of networks. The Network Rules tab is used to create, export, and import rules that define whether and what type of connectivity is allowed between different networks using translated (NAT) or routed connections. The Web Chaining tab is used to create Web chaining rules that allow you to route requests from clients to an upstream ISA Server or an alternate location.
We discuss multiple network configurations in Chapter 12, Configuring Enterprise Networks, Caching Arrays and Network Load Balancing.
Configuration Node: Cache Subnode
The Cache subnode, shown in Figure 2.16, is used to configure caching on your ISA Server.
Figure 2.16: The Cache Subnode -- Configure or Disable Caching on your ISA Server
You can define cache drives where cached content will be stored and create cache rules via the New Cache Rule wizard. The rules apply to specific networks and determine how objects stored in the cache are to be retrieved when requested, as well as when content is to be cached, and limits on the size of cached objects. You can configure general cache settings here and export and import cache rules. You can also disable caching altogether, making the ISA Server function solely as a firewall.
We show you the step-by-step procedures for configuring and using ISA Server as a caching server in Chapter 11, Accelerating Web Performance with ISA Server 2004 Caching Capabilities.
Configuration Node: Add-ins Subnode
The Add-ins subnode is used to configure ISA Server’s application layer filtering (ALF). This is where you enable, view, modify, and disable application filters and Web filters. Some filters are installed and enabled by default when you install ISA Server. The Add-ins subnode is shown in Figure 2.17.
Figure 2.17: The Add-ins Node -- Configure Application and Web Filters
Configuration Node: General Subnode
Finally, the General subnode includes general administrative tasks, including:
Delegation of administration to grant permissions for users and groups to perform specific administrative tasks;
Configuration of firewall chaining to specify how requests from Firewall clients and SecureNAT clients are to be forwarded to upstream servers;
Specification of Dial-up preferences if you use a dial-up account;
Specification of certificate revocation so the ISA Server can verify that incoming certificates are not in the Certificate Revocation List (CRL);
Definition of Firewall client settings, including application settings;
Viewing of ISA Server computer details, such as ISA version, name, product ID, creation date, and installation directory, and
Configuration of link translation to select content types that define the pages to which link translation will be applied.
This subnode also allows you to perform advanced security tasks, such as:
Define RADIUS servers;
Enable intrusion detection and DNS attack detection;
Define IP preferences, and
Define connection limits.
The General subnode is shown in Figure 2.18.
Figure 2.18: The General Subnode -- For General Administrative and Advanced Security Tasks
Teaching Old Features New Tricks
The GUI isn’t the only feature that has been enhanced and improved in ISA 2004. In fact, many of the familiar tasks that firewall administrators performed with ISA 2000 have been made easier in ISA 2004. In the following sections, we will discuss some of the most significant of these improvements, grouped into the following categories:
Virtual Private Networking and Remote Access
Web Cache and Web Proxy
Monitoring and Reporting
Enhanced and Improved Remote Management
Administrators need the ability to manage ISA Server firewalls from remote locations: from their own desktop machines, from their portable computers when on the road or at another site, and sometimes even from computers they don’t control, such as public access computers. If your company has multiple ISA Server installations in different locations, you don’t want to have to physically visit every ISA Server machine to perform management tasks.
If you wish, you can copy the ISA Server 2004 Help file to your workstation or non-ISA server so that you can have it at hand even if you are not connected to the ISA Server computer via the ISA management console or terminal services/remote desktop. To do so, navigate to the Microsoft ISA Server folder on the ISA Server (usually installed in the Program Files folder), and find the isa.chm file. Copy this file to your workstation or non-ISA server’s hard disk, and you will be able to access the ISA Help files without connecting to the ISA Server.
With ISA 2004, there are several different ways to remotely manage your firewalls. In the following subsections, we discuss three methods of remote management:
The ISA 2004 Management Console
Windows 2000 Terminal Services or Server 2003 Remote Desktop
Third-party Web interface
Remote Management via the ISA Server 2004 Management Console
You can connect to a remote ISA Server or to multiple ISA Server firewalls with the management console. Each ISA Server will have its own top node in the left pane, as shown in Figure 2.19.
Figure 2.19: Connect to Multiple ISA Server Firewalls Simultaneously with the Management Console
To connect to a second or subsequent ISA Server, click Connect to Local or Remote ISA Server in the right pane, and enter the name or IP address of the remote server and credentials to access it, as shown in Figure 2.20.
If you are unable to connect, see the instructions below to add your computer to the Remote Management Computers list in the ISA Firewall Policy node.
Figure 2.20: Use “Connect To” Dialog Box to Add Remote ISA Server to Management Console
You can only connect to ISA Server 2004 firewalls remotely with the management console. If you try to connect to an ISA Server 2000 firewall, you will receive the message, “A failure occurred. The task was not activated.”
In order to manage an ISA Server remotely, the system policy must be configured to allow remote management. To configure the system policy:
1. On the ISA Server computer, click the Firewall Policy node in the left pane of the management console.
2. Click the System Policy rule labeled, “Allow remote management from selected computers using MMC,” to view the rule.
3. To add a computer to it, in the right pane, click Edit System Policy under System Policy Tasks. This opens the System Policy Editor.
4. In the right pane of the Editor, under Configuration Groups, navigate to Remote Management and click Microsoft Management Console (MMC).
5. Click the From tab, and by default you’ll see Remote Management Computers in the box labeled This rule applies to traffic from these sources, as shown in Figure 2.21.
6. Double-click Remote Management Computers.
Figure 2.21: Use System Policy Editor to Configure Remote Management Computers
7. In the properties box, as shown in Figure 2.22, click Add and select Computer, Address Range, or Subnet.
Figure 2.22: Add A Computer, Address Range or Subnet to List of Remote Management Computers
You can add the IP address of a single computer from which you want to remotely manage the ISA Server, a range of addresses, or an entire subnet. The computers to which this rule applies will be the only ones from which you can manage the ISA Server.
You can also add network entities (entire networks, network sets, computers, address ranges, subnets, and computer sets) directly to the rule instead of adding them to the Remote Management Computers list. This is useful if, for example, you want to allow VPN clients to remotely manage the ISA Server. In that case, click Add on the From tab page; then, in the Add Network Entities dialog box, expand Networks and select VPN Clients.
Best (most secure) practice is to add individual computers to the Remote Management Computers list. However, if you need to manage the ISA Server from different workstations around the organization and do not know in advance which computers you’ll be using, you may prefer to allow a subnet, address range, or even the entire Internal network (not recommended).
ISA SERVER SECRETS: Installing the Management Console
Before you can manage your ISA Server from a computer that doesn’t have ISA Server installed, you will need to install the management console. You can install the console on Windows Server 2003, Windows XP, and Windows 2000 computers.
To do so, insert the ISA Server CD or navigate to the ISA Server installation files on a file server. Double-click the isaautorun.exe file to start the ISA Server 2004 setup program. Click Install ISA Server 2004 on the Setup front page.
If you are installing the console on a computer that is not running Windows 2000 Server or Windows Server 2003, you will get a message that ISA Server 2004 cannot be installed on this machine. Click Continue anyway, and you will be shown a list of the components that can be installed, including the management console. Proceed through the installation wizard to install the management console on your computer. It will appear in your Programs list as “Microsoft ISA Server.”
After you have connected to the remote ISA Server computer via the management console, you can perform any administrative tasks you would be able to perform sitting at the local ISA Server. This is a big improvement over the ISA Server 2000 remote management console. For example, with ISA Server 2000, you could not configure or manage VPNs. With ISA 2004, you can manage all elements of the ISA Server remotely.
Remote Management via Terminal Services/Remote Desktop
Another way to manage your ISA Server from a remote computer is via terminal services (if you are running ISA Server 2004 on a Windows 2000 server) or Remote Desktop (if you are running ISA Server 2004 on a Windows Server 2003 machine). The advantage of this method is that you don’t have to install the ISA Server management console software on the remote computer.
If you are using a Windows XP or Server 2003 computer to remotely manage ISA, you don’t have to install any software at all because the Remote Desktop Connection (RDC) client software is already installed (you’ll find it under Programs | Accessories | Communications).
If you want to use a Windows 2000 or 9x computer to manage your ISA server, you’ll need to install the terminal services client or RDC client software first.
If ISA is running on Windows 2000 Server, the server will need to have terminal services installed and running in either remote admin or application server mode. If ISA is running on a Windows Server 2003 computer, you will need to ensure that Allow users to connect remotely to this computer is checked on the Remote tab in the System properties applet of Control Panel. In addition, your user account must have permission to connect to the server via terminal services or Remote Desktop.
When all of the above hurdles have been crossed, it’s easy to manage the ISA Server via terminal services/remote desktop. Connect to the server as you would to any terminal server/Remote Desktop server, and the server’s desktop will appear in a window on your desktop, allowing you to perform any administrative tasks you could perform sitting at the server locally, as shown in Figure 2.23.
Figure 2.23: With Terminal Services or the RDC Client, the ISA Server’s Desktop Appears in the Desktop Window
As with remote management using the management console, you might need to modify the ISA Server’s system policy to allow management via terminal services before you’ll be able to use this remote management method. The procedure is the same, except after you click Edit System Policy in the right pane of the ISA management console (with Firewall Policy selected in the left pane), you click Terminal Server under Remote Management. Then, on the From tab, click the Add button to add networks, network sets, computers, computer sets, IP ranges, or subnets. These are the computers that will be allowed to manage the ISA Server via terminal services/Remote Desktop.
Third-Party Remote Management Web GUI
Third-party vendors, such as Microsoft partners who make ISA Server-based appliances, provide Web interfaces that can be used to manage their ISA Server machines from any computer, anywhere in the world. No software has to be installed on the client machine, and no special configuration is necessary on the ISA Server. However, you might need to use the Internet Explorer browser, and/or the browser’s security settings may have to be configured to use the Web GUI (for example, ActiveX controls might have to be enabled for the Web GUI to function properly). You also might have to add the ISA Server’s Web site to your Trusted Sites or Local Intranet security zone.
An example of a Web interface for the RoadBLOCK ISA-based firewall appliance marketed by RimApp (http://www.rimapp.com) is shown in Figure 2.24.
Figure 2.24: Third-Party Vendors Provide Web Interfaces for ISA-based Firewall Appliances
Enhanced and Improved Firewall Features
The firewall functionality is Microsoft’s biggest focus in ISA Server 2004, perhaps more so than in ISA 2000. While it is still known as “Internet Security and Acceleration Server,” the emphasis in both development and marketing has been more on the security function and less on the acceleration. ISA 2004 is designed to compete with popular firewall products such as Check Point and PIX, which do not include caching functionality out of the box. Thus, it’s only natural that many improvements have been made to ISA’s security and firewall features. These include:
Better protocol support
Easier access for popular services such as OWA and FTP
Expanded ability to define network objects
Improvements to firewall rules functionality
Improvements to server publishing and Web publishing
In the following subsections, we will look at each of these briefly.
Better Protocol Support
ISA Server 2004 allows you to control access and usage of any protocol, including IP-level (Layer 3) protocols, such as the Internet Control Message Protocol (ICMP). This makes it possible for users to use applications such as ping and tracert, and also allows them to create VPN connections using the Point-to-Point Tunneling Protocol (PPTP). Internet Protocol security (IPSec) traffic can also be enabled through ISA Server, whereas you could not control IPSec with ISA 2000.
At the Transport layer (Layer 4), ISA Server 2004 also adds new support for port redirection and better FTP support. With ISA Server 2004, a connection that is received on one port can be redirected to a different port number, and FTP servers can be published on alternate port numbers without the requirement for any special configuration on the client by simply creating an FTP server publishing rule.
Streaming media and voice/video applications frequently require the firewall to manage “complex protocols.” A complex protocol is one that needs to make multiple connections. ISA Server 2000 can manage complex protocols, but this requires you to be able to create complex scripts in order to create protocol definitions for protocols that require multiple primary outbound connections. With ISA Server 2004, you can create protocol definitions easily with the New Protocol Wizard. These protocol definitions can be created “on the fly” when creating an access rule, or you can create a new protocol in the Firewall Policy node by selecting Protocols from the Toolbox tab in the right pane, and clicking New, as shown in Figure 2.25.
Figure 2.25: ISA Server 2004 Makes it Easy to Create New Protocol Definitions
In addition, with ISA Server 2004, you can control the source and destination port numbers for any protocol for which you create a Firewall Rule. This gives the ISA Server 2004 firewall administrator a very high level of control over exactly which packets are allowed through the firewall.
Improvements have been made to the authentication process in ISA Server 2004. Users can be authenticated via the built-in Windows authentication or Remote Authentication Dial-In User Service (RADIUS) or other namespaces. You can apply rules to users or user groups in any namespace. Using the software development kit, third-party vendors can extend these built-in authentication types to provide for additional authentication mechanisms.
A common authentication problem with ISA Server 2000 has been solved: in ISA 2000, the HTTP redirector had to forward requests to the Web Proxy service so that firewall clients could benefit from the Web cache. During this process, user credentials were removed, and then the request failed if user credentials were required. ISA Server 2004 fixes this problem by allowing Firewall clients to access the Web cache via the HTTP filter, without requiring separate authentication with the Web Proxy service.
With ISA Server 2000, there were also some authentication issues with the Hotmail Web site. This required the site to be configured for direct access. The improved HTTP filter in ISA Server 2004 fixes this problem, too. Now all users can access Hotmail via an easily-configured firewall rule without any need for special configuration on either the client or the firewall.
Easier Access for Popular Services such as OWA and FTP
It is now easier to set up Outlook Web Access (OWA) to work with ISA 2004, thanks to the OWA Publishing wizard. SSL VPNs provide clientless remote access via secure connections using the Secure Sockets Layer (SSL) protocol.
The ISA Server 2004 OWA Publishing Wizard walks you through the process of setting up a firewall rule that creates an OWA SSL VPN to your Exchange Server. All network elements can be created “on the fly,” and you never need to leave the wizard in order to create a policy element. In addition, the OWA Publishing Wizard now supports Outlook Mobile Access and ActiveSync, which were not configurable via the wizard in ISA 2000. Configuration of the Web listener was not included in the Wizard in ISA 2000, whereas it is with ISA 2004. The Web listener is also much more configurable; in ISA 2000, you had to set properties globally for the Web listener. That is, if you enabled the HTTP listener, it was enabled for all Web listeners. With ISA 2004, you can set properties individually for each Web listener.
It was difficult to configure outbound access to FTP servers listening on non-standard ports in ISA Server 2000, and it required the Firewall Client. ISA Server 2004 allows you to access Internet FTP servers listening on alternate port numbers without requiring any special configuration on the client or on the ISA Server 2004 firewall. Also, FTP server publishing on alternate port numbers was a problem in ISA Server 2000, but it’s easy in ISA Server 2004, requiring nothing more than a simple-to-create FTP Server Publishing Rule. You will learn how to do this in Chapter 8, Publishing Network Services to the Internet with ISA 2004.
How Secure Sockets Works
Netscape originally developed Secure Sockets Layer (SSL) as a security protocol to be used in transmitting information via a Web browser. Netscape licensed the public key cryptography from RSA. SSL uses public key (asymmetric) encryption to provide authentication and protect the confidentiality and integrity of messages exchanged between two computers. Here is a simplified version of how it works:
A client computer sends a request for a secure connection to the server.
The server sends its authentication certificate and its public key to the client.
The client checks to determine if the certificate is valid, and if so, the client sends the server a randomly-generated encryption key that has been encrypted with the server’s public key.
The server decrypts the encryption key, using its private key that matches the public key with which the client encrypted it.
The client and server can now exchange data securely using session-based symmetric key encryption.
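The five steps above, carried through as an added, runnable sketch (example code, not from the book or from ISA Server). It assumes textbook RSA with no padding, a constructed certificate for the hypothetical host owa.example.com signed by a made-up CA key, and a SHA-256 keystream in place of a real session cipher; it also shows the step-3 check rejecting a certificate whose key was replaced behind the CA’s back.

```python
"""Simplified SSL-style handshake following the five steps listed above (added example,
not code from the book or ISA Server): textbook RSA with no padding on the standard
library, a constructed certificate signed by a hypothetical CA key, and a SHA-256
keystream standing in for the session cipher. Real TLS differs in all of those parts."""
import hashlib
import random

def _is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin test; enough for an illustration."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits, rng):
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate, rng):
            return candidate

def rsa_keypair(rng, bits=512):
    """Return ((n, e), (n, d)); e is prime, so gcd(e, phi) == 1 unless e divides phi."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2, rng), _gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def _digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(priv, data):
    return pow(_digest(data), priv[1], priv[0])

def verify(pub, data, signature):
    return pow(signature, pub[1], pub[0]) == _digest(data)

def _cert_body(subject, pub):
    return f"{subject}|{pub[0]}|{pub[1]}".encode()

def issue_certificate(ca_priv, subject, server_pub):
    """The CA binds the server's name to its public key by signing both together."""
    return {"subject": subject, "pub": server_pub,
            "sig": sign(ca_priv, _cert_body(subject, server_pub))}

def certificate_is_valid(cert, ca_pub, expected_subject):
    """Step 3's check: the expected name, under a CA signature that covers the key."""
    return (cert["subject"] == expected_subject
            and verify(ca_pub, _cert_body(cert["subject"], cert["pub"]), cert["sig"]))

def stream_xor(key, data):
    """Symmetric stand-in: XOR with a SHA-256 counter keystream (same call both ways)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def handshake(ca_pub, server_cert, server_priv, expected_subject, rng):
    """Steps 1-4: returns (client's key, server's key), or None if the client rejects the cert."""
    # Steps 1 and 2 (client asks for a secure connection, server answers with its certificate
    # carrying its public key) are represented by the arguments here.
    if not certificate_is_valid(server_cert, ca_pub, expected_subject):
        return None
    # Step 3: the client makes a random session key and encrypts it to the server's public key.
    session_key = rng.getrandbits(128).to_bytes(16, "big")
    n, e = server_cert["pub"]
    encrypted_key = pow(int.from_bytes(session_key, "big"), e, n)
    # Step 4: only the holder of the matching private key can recover the session key.
    n, d = server_priv
    return session_key, pow(encrypted_key, d, n).to_bytes(16, "big")

def demo(seed=2004):
    """A good handshake, then one where the certificate's key was swapped behind the CA's back."""
    rng = random.Random(seed)  # deterministic for the example; real code uses the OS CSPRNG
    ca_pub, ca_priv = rsa_keypair(rng)
    server_pub, server_priv = rsa_keypair(rng)
    cert = issue_certificate(ca_priv, "owa.example.com", server_pub)
    client_key, server_key = handshake(ca_pub, cert, server_priv, "owa.example.com", rng)
    # Step 5: both sides now hold the same symmetric key and exchange data under it.
    ciphertext = stream_xor(client_key, b"GET /exchange/ HTTP/1.1")
    other_pub, other_priv = rsa_keypair(rng)
    swapped = dict(cert, pub=other_pub)  # name kept, key replaced: the CA signature no longer fits
    return {"keys_match": client_key == server_key,
            "plaintext": stream_xor(server_key, ciphertext),
            "swapped_key_rejected": handshake(ca_pub, swapped, other_priv, "owa.example.com", rng) is None}
```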
Expanded Ability to Define Network Objects
With ISA Server 2000, you defined network objects based on IP addresses (client address sets) or fully-qualified domain names (destination sets). With ISA Server 2004, you have much more flexibility in defining network objects. You can specify them according to the following categories:
Networks: In this context, a network is defined as a range of IP addresses.
Network sets: This is a group of networks.
Computers: A computer is defined here as representing a single IP address. To apply a rule to a computer with multiple NICs or with multiple IP addresses assigned to a single NIC, you would use a computer set, an address range, or even a subnet.
Address ranges: This is just what it sounds like: a range of IP addresses.
Subnets: A subnet is also defined as a range of IP addresses; in this case, the addresses make up a subnetwork.
Computer sets: As a network set is a group of networks, a computer set is a group of computers (or more specifically, a group of non-sequential IP addresses).
URL set: This is a group of Uniform Resource Locators (Web addresses).
Domain name set: This is a group of domain names.
Web listener: This is a software construct that determines which IP addresses and ports will be used to “listen” for Web requests.
These network objects define the source and destination for Firewall Rules. Whenever you create a rule, you specify source and destination objects to which the rule is to be applied. The full list of categories with their subcategories is shown in Figure 2.26.
Figure 2.26: ISA Server 2004 -- Providing Great Flexibility in Defining Network Objects
You will learn about working with network objects in Chapter 4, Preparing the Network Infrastructure for ISA 2004.
Improvements to Firewall Rules Functionality
The core component of controlling access through the ISA firewall is the firewall policy, which consists of system policy rules, publishing rules and access rules (together, these are called firewall policy rules). ISA Server 2004 includes a new set of rule Wizards that make it easier than ever to create access policies. With ISA 2000, outbound access policies required IP Packet Filters, Site and Content Rules, and Protocol Rules. ISA Server 2004 access policies can be created by using the sophisticated Firewall Rule Wizard that allows you to configure any required policy element “on the fly.” You do not need to leave the rule wizard to create a network object as you did with ISA 2000; any network object or relationship that is needed for the rule can be created within the new Wizard.
ISA Server 2000 access control was based on Allow and Deny rules. Generally, Deny rules were processed first, and then Allow rules were processed. ISA Server 2004 rules processing has been completely revamped. System policy rules are processed first, then user-defined rules. The firewall rules now represent an ordered list, in which connection parameters are first compared to the top listed rule. ISA Server 2004 moves down the list of rules until it finds a rule that matches the connection parameters, and then it enforces the matching rule’s policy. This approach to firewall policy makes it much easier to troubleshoot problems and determine why a specific connection was Allowed or Denied.
To change the order of rules in the list, right-click the rule you want to move and select Move Down or Move Up as shown in Figure 2.27.
Figure 2.27: Changing the Order in which Access and Publishing Rules are Processed
You can change the order of the user-defined (publishing and access) rules, but you cannot change the order of the System Policy Rules.
ISA Server 2000 allowed you to specify which sites and protocols users could access, but you could not allow a user to access a particular site with a selected protocol or use a particular protocol to access a specific site. ISA Server 2004’s enhanced firewall rules allow you to define the source and destination for each individual protocol that a user or group is allowed to access. This increases the flexibility with which you can control both inbound and outbound access through the ISA firewall.
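The ordered, first-match processing described in this subsection, together with the network-object categories listed under Expanded Ability to Define Network Objects, as an added example (not code from the book or from ISA Server). Every network, computer, rule and connection in it is constructed; the sample policy limits VPN clients to Exchange MAPI, and the `vpn_deny_first` switch shows how swapping two rules changes which rule answers for the same connection.

```python
"""First-match evaluation of an ISA 2004-style ordered firewall policy (added illustration,
not code from the book or from ISA Server). It models the network-object categories listed
above and the processing order described here: system policy rules first, then user-defined
rules top to bottom, the first match deciding, and an implicit default rule denying the rest."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
import ipaddress

@dataclass(frozen=True)
class AddressRange:
    """A Network, an Address range and a Subnet all reduce to a span of addresses."""
    first: str
    last: str

    def matches(self, ip, host):
        return ipaddress.ip_address(self.first) <= ip <= ipaddress.ip_address(self.last)

    @classmethod
    def subnet(cls, cidr):
        net = ipaddress.ip_network(cidr)
        return cls(str(net[0]), str(net[-1]))

@dataclass(frozen=True)
class Computer:
    ip: str  # a single IP address

    def matches(self, ip, host):
        return ip == ipaddress.ip_address(self.ip)

@dataclass(frozen=True)
class ObjectSet:
    members: tuple  # a Network set or Computer set: a group of other objects

    def matches(self, ip, host):
        return any(m.matches(ip, host) for m in self.members)

@dataclass(frozen=True)
class External:
    other_networks: tuple  # External = every address that belongs to no other defined network

    def matches(self, ip, host):
        return not any(n.matches(ip, host) for n in self.other_networks)

@dataclass(frozen=True)
class NamePatternSet:
    patterns: tuple  # a Domain name set or URL set; needs the name the client asked for

    def matches(self, ip, host):
        return host is not None and any(fnmatchcase(host, p) for p in self.patterns)

@dataclass(frozen=True)
class Connection:
    src_ip: str
    dst_ip: str
    protocol: str
    user: str = "anonymous"
    dst_host: str = None  # host name or URL from the request, when the proxy knows it

@dataclass(frozen=True)
class Rule:
    name: str
    action: str  # "allow" or "deny"
    protocols: frozenset  # empty means all protocols
    sources: tuple
    destinations: tuple
    users: frozenset = frozenset()  # empty means all users
    system: bool = False  # system policy rules are evaluated first, whatever the list order

    def matches(self, conn):
        src, dst = ipaddress.ip_address(conn.src_ip), ipaddress.ip_address(conn.dst_ip)
        return ((not self.protocols or conn.protocol in self.protocols)
                and (not self.users or conn.user in self.users)
                and any(s.matches(src, None) for s in self.sources)
                and any(d.matches(dst, conn.dst_host) for d in self.destinations))

def evaluate(rules, conn):
    """Return (action, rule name) of the first matching rule; the name is the troubleshooting answer."""
    for rule in [r for r in rules if r.system] + [r for r in rules if not r.system]:
        if rule.matches(conn):
            return rule.action, rule.name
    return "deny", "Default rule"

def sample_policy(vpn_deny_first=False):
    """Constructed policy: VPN clients may reach only Exchange MAPI; internal hosts may browse."""
    internal = AddressRange.subnet("10.0.0.0/16")
    vpn_clients = AddressRange("172.16.0.1", "172.16.0.254")
    local_host = Computer("10.0.0.1")
    external = External((internal, vpn_clients, local_host))
    exchange, mgmt = Computer("10.0.0.25"), ObjectSet((Computer("10.0.0.50"),))
    allow_mapi = Rule("Allow VPN MAPI to Exchange", "allow", frozenset({"Exchange RPC"}), (vpn_clients,), (exchange,))
    deny_vpn = Rule("Deny VPN to Internal", "deny", frozenset(), (vpn_clients,), (internal,))
    vpn_rules = [deny_vpn, allow_mapi] if vpn_deny_first else [allow_mapi, deny_vpn]
    return vpn_rules + [
        Rule("Deny blocked sites", "deny", frozenset({"HTTP", "HTTPS"}), (internal,), (NamePatternSet(("*.example.net",)),)),
        Rule("Allow Web", "allow", frozenset({"HTTP", "HTTPS"}), (internal,), (external,)),
        Rule("Deny Internal to Local Host", "deny", frozenset(), (internal,), (local_host,)),
        Rule("Allow RDP from management computers", "allow", frozenset({"RDP"}), (mgmt,), (local_host,), system=True),
    ]
```

The last rule is listed at the bottom yet wins for RDP from the management computer, because system policy is processed before every user-defined rule.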
System Policy Rules are discussed in detail in Chapter 6, Installing and Configuring the ISA Server 2004 Software. You will learn all the details of creating and working with user-defined firewall rules in Chapter 7, Creating and Using ISA 2004 Firewall Access Policy, and Chapter 8, Publishing Network Services to the Internet with ISA 2004.
Improvements to Server Publishing and Web Publishing
Several improvements have been made to server publishing and Web publishing in ISA 2004. In ISA Server 2000, the Server Publishing Rules forwarded incoming connections to a published server on the same port where the original request was received. ISA Server 2004 allows you to receive a connection on a particular port number and then redirect the request to a different port number on the published server.
With ISA Server 2004, you can place servers behind the firewall, either on the corporate network or on a perimeter network, and securely publish their services. Unlike ISA 2000, ISA 2004 has two separate Web Publishing Wizards. The first is for publishing a secure Web server that will allow remote users to access the Web server via SSL (shown in Figure 2.28).
Figure 2.28: ISA 2004 Wizard for Publishing SSL Web Sites
There is also a new Mail Server Publishing Wizard that will allow you to publish any IMAP, POP3, SMTP or RPC-based mail server or NNTP news server, or you can publish Outlook Web Access, Outlook Mobile Access, or Exchange ActiveSync. ISA 2000 included the Mail Server Security Wizard and a separate OWA Publishing Wizard that was categorized under Web publishing. The ISA 2000 Wizard did not include support for OMA or ActiveSync.
The improved Web Publishing Wizards allow you to publish Web sites easily and quickly. For example, configuration of the Web listener was not included in the wizard in ISA 2000, whereas it is with ISA 2004. The Web listener is also much more configurable; in ISA 2000, you had to set properties globally for the Web listener. That is, if you enabled the HTTP listener, it was enabled for all Web listeners. With ISA 2004, you can set properties individually for each Web listener.
In ISA 2000, prior to creating a server publishing rule or a Web publishing rule, you had to create a number of new policy elements that would be required by the rule. With ISA 2004, policy elements can be created “on the fly” within the Rule Wizard.
Enhanced and Improved Virtual Private Networking and Remote Access
Virtual private networking (VPN) is becoming increasingly important to companies because of the proliferation of telecommuting employees; executives and sales personnel who need network access while traveling or after hours from home; and partners and others outside the organization who need to access the corporate network. ISA Server 2004 includes many improvements and enhancements to VPN and remote access functionality, including:
More flexibility for site-to-site VPN links
Better control over VPN clients
PPTP server publishing
Forced Encryption for Secure Exchange RPC Connections
In the following subsections, we look at what’s been improved in each of these categories.
More Flexibility for Site-to-Site VPN Links
ISA Server 2004 has improved VPN capabilities that allow it to create site-to-site links to other VPN servers, using IPSec in tunnel mode. This increases the level of interoperability of VPN networking over that offered by ISA Server 2000. This means that ISA Server 2004 can be placed at a Branch Office and a tunnel mode IPSec site-to-site link can connect the Branch Office network to the Main Office network, even if the Main Office is using a third-party edge firewall such as a Cisco PIX, Check Point, or any other firewall that supports IPSec VPNs. ISA Server 2000 could use only the PPTP and L2TP/IPSec VPN protocols to join networks over the Internet using a VPN site-to-site link.
With ISA Server 2000, networks joined by a site-to-site link were considered trusted networks; thus, firewall policy was not applied to communications that moved through the link. ISA Server 2004 introduces stateful filtering and inspection for all communications moving through a site-to-site VPN connection. This means you can control which resources specific hosts or networks can access on the opposite side of the link. User/group-based access policies can be used to granularly control resource utilization via the link.
Better Control over VPN Clients
Unlike with ISA 2000, the ISA Server 2004 firewall policy is applied to all network interfaces. This includes VPN interfaces. For better security and control, you can limit the VPN clients to a selected set of servers and protocols on the internal network. For example, you might want to allow VPN clients to have full Outlook MAPI client access to the Exchange Server on the internal network, but you might not want these users to have access to any other servers or protocols on the network. In this case, you can configure the ISA Server 2004 Firewall Rules to limit VPN users’ access to only the Exchange Server’s MAPI client services and nothing else.
VPN clients are configured as a separate network zone. This means that you can create distinct policies for VPN clients. The firewall rule engine discriminately checks requests from VPN clients, statefully filtering and inspecting these requests and dynamically opening connections, based on the access policy.
In ISA Server 2000, only VPN clients that were configured as Firewall clients could access the Internet via their connected ISA Server 2000 VPN server. ISA Server 2004 improves VPN client support by allowing SecureNAT clients to access the Internet without requiring that the Firewall client be installed on the client computer. You can also enhance the corporate network’s security by forcing user/group-based firewall policy on SecureNAT clients that are connecting via VPN.
PPTP Server Publishing
Publishing of VPN servers has also been improved. You could only publish L2TP/IPSec NAT-T VPN servers using ISA Server 2000. ISA Server 2004 allows you to publish PPTP VPN servers located behind the ISA Server 2004 firewall. The ISA Server 2004 smart PPTP application filter performs the complex connection management. In addition, you can easily publish the Windows Server 2003 NAT-T L2TP/IPSec VPN server using ISA Server 2004 Server Publishing. ISA Server 2004 also supports NAT-T-compliant IPSec-based VPN servers located behind the firewall.
Forced Encryption for Secure Exchange RPC Connections
RPC policy can be set on the ISA Server 2004 firewall to prevent non-encrypted communications from remote Outlook MAPI clients connecting over the Internet. This enhances network and Exchange security by preventing user credentials and data from being exchanged in a non-encrypted format.
Enhanced and Improved Web Cache and Web Proxy
It’s important to remember that despite Microsoft’s emphasis on the security side, ISA Server 2004 is more than a firewall; it’s also a functional caching server. Several improvements have been made to the Web Cache and Web Proxy features in ISA Server. These include:
Improvements to the Cache Rule Wizard
More Flexibility in Caching of SSL Content
Path Mapping for Web Publishing Rules
Enhancements to Scheduled Content Download
In the following subsections, we discuss each of these improvements and enhancements in more detail.
Improvements to the Cache Rule Wizard
As with ISA Server 2000, cache rules can be created via a handy wizard interface. However, the Cache Rules Wizard has been improved in ISA Server 2004. For one thing, it is easier to find. In the ISA Server 2000 interface, cache rules were set up via the “New Routing Rule” Wizard, as shown in Figure 2.29, located rather non-intuitively in the Network Configuration node of the left console pane (not the Cache Configuration node where one might expect it to be).
Figure 2.29: Cache Rules in ISA 2000
With ISA Server 2004, cache rules are created from the Configuration | Cache node -- right where most folks would naturally look -- either by right-clicking the Cache node and selecting New and then Cache Rule, as shown in Figure 2.30, or by simply clicking Create a Cache Rule in the right Tasks pane, also shown in Figure 2.30.
Figure 2.30: Creating A Cache Rule in ISA Server 2004
In addition, you have more flexibility and clarity in selecting the network entities to which your rule will apply. In ISA Server 2000, your choices were: all destinations, all internal destinations, all external destinations, a specified destination set, or all destinations except a selected set.
With ISA Server 2004, you can apply the cache rule to any of the list of network entities discussed earlier: entire networks, network sets, individual computers, address ranges, subnets, computer sets, domain name sets, or URL sets.
You can also configure the circumstances under which retrieved content is stored in the cache much more granularly in the ISA Server 2004 wizard. In addition to storing content in the cache when the source and request headers indicate that it should be cached, you can choose, on a per-rule basis, to cache dynamic content, to cache content for offline browsing, and to cache content that requires user authentication.
We discuss the Cache Rule Wizard in more detail in Chapter 11, Accelerating Web Performance with ISA Server 2004 Caching Capabilities.
More Flexibility in Caching of SSL Content
With ISA Server 2000, there was no way to choose not to cache SSL content. This was a problem because SSL content is, by its nature, sensitive, and for security reasons you might not want it stored in the cache.
With ISA Server 2004, this problem is solved. When you create a cache rule, SSL content is cached by default, but you can select not to cache it by unchecking a checkbox on the Cache Advanced Configuration page. Alternatively, after the rule has been created, you can configure it not to cache SSL content by right-clicking the rule, selecting Properties and selecting the Advanced tab, then unchecking the checkbox as shown in Figure 2.31.
Figure 2.31: ISA Server 2004 -- You can Select Not to Cache SSL Content
The ability to control whether or not SSL responses will be cached is a welcome addition to ISA Server 2004.
Path Mapping for Web Publishing Rules
ISA Server 2000 Web Publishing Rules required that the path the user included in the original request be the same path as on the published Web server. ISA Server 2004 significantly improves the flexibility of Web Publishing by allowing you to redirect the path sent to the firewall by the user to any path of choice on the published Web server.
When you configure path mapping in ISA Server 2004, ISA replaces the path that is contained in the request with the path that you have mapped.
Path mapping is configured by editing the Web publishing rule after it is created. In the publishing rule’s Properties dialog box, select the Paths tab, and add the path to which you want requests mapped in the format /path/*.
You will learn more about path mapping when we discuss creating publishing rules in Chapter 8, Publishing Network Services to the Internet with ISA 2004.
Enhancements to Scheduled Content Download
The scheduled content download feature has also been improved in ISA Server 2004. With ISA Server 2000, you could not schedule content for download from sites that required user authentication. This limited your ability to automate the content download process.
With ISA Server 2004, you can now specify an account to be used for authentication, thus allowing you to schedule content download jobs from sites that require authentication.
Enhanced and Improved Monitoring and Reporting
One part of ISA Server 2000 that left some users less than satisfied was the monitoring and reporting functionality (to be fair, this is a complaint with many other vendors’ firewalls, as well). Certainly, the “paper trail” – or in this case, the digital trail – is not nearly as exciting as some other features, but documentation is an essential element of protecting your network, and yourself, in today’s business environment.
Microsoft has listened to customers and made a large number of improvements and additions to ISA Server 2004’s logging, monitoring, and reporting functions, including:
Real-time monitoring of log entries
Real-time monitoring and filtering of firewall sessions
A built-in log-querying mechanism
Ability to customize reports
Ability to publish reports
E-mail notification for report jobs
Ability to configure time of log summary
Better SQL logging
Ability to log to an MSDE database
We take a brief look at each of these in the following subsections.
Real-Time Monitoring of Log Entries
With ISA Server 2004, you are able to see Firewall, Web Proxy, and SMTP Message Screener logs in real time. The monitoring console displays the log entries as they are recorded in the firewall’s log file (Figure 2.32). This is in contrast to ISA Server 2000, where you had to consult the actual log file (by default, created daily) or generate a report in order to see the logged information.
Figure 2.32: Monitor Logs in Real Time with ISA Server 2004
Real-time Monitoring and Filtering of Firewall Sessions
ISA Server 2004 allows you to view all active connections to the firewall. Using the Sessions tab in the Monitoring console, as shown in Figure 2.33, you can sort or disconnect individual or groups of sessions. You can also filter the entries in the Sessions interface to focus on specific sessions in which you’re interested, using the built-in sessions filtering feature.
Figure 2.33: The Sessions Feature -- View All Active Connections Through the Firewall
As shown, you can see the session type (whether the client is connecting via the firewall client, SecureNAT or as a Web Proxy client), the user’s IP address, the user name and client computer name, and even the application that is being used.
This is useful for troubleshooting purposes and for determining if users are using unauthorized or problematic applications.
A Built-in Log-Querying Mechanism
With ISA Server 2004, you can query the log files using the built-in log-query mechanism. You can query the logs for information contained in any field recorded in the log files. The results appear in the ISA Server 2004 console’s log viewer and can be copied to the clipboard and pasted into another application for more detailed analysis.
You can configure filters to limit the results of the query. For example, you can limit the scope of the query to a specific time frame, or specify that the query use live (real-time) data. Configuration is simple, as shown in Figure 2.34.
Figure 2.34: Configure Filters to Limit Query Results
The log viewer can be used to view information about the Firewall and Web Proxy logs, but not the SMTP Message Screener log.
You can filter by many different criteria in addition to the log time, including (but not limited to) client or destination IP address, user name, protocol, server name, service, or URL.
We discuss how to filter queries in much more detail in Chapter 13, Using ISA Server 2004’s Monitoring, Logging and Reporting Tools.
ISA Server 2004 provides the ability to verify connectivity by regularly monitoring connections to a specific computer or URL from the ISA Server 2004 computer, using Connection Verifiers through the Connectivity tab on the Monitoring console. You can configure which method to use to determine connectivity: ping, TCP connect to a port, or HTTP GET. You can select which connection to monitor, by specifying an IP address, computer name, or URL.
A Connectivity Verifier Wizard walks you through the process of creating new connection verifiers.
Better Customization of Reports
ISA Server 2000 allowed some limited customization of the reports generated by the firewall. However, ISA Server 2004 includes an enhanced report customization feature that allows you to include more information in the firewall reports.
The New Report Wizard helps you customize one-time reports, and the New Report Job Wizard helps you customize scheduled report jobs. In either case, you can select the content to be included, time period covered, and whether/where to publish the report.
Ability to Publish Reports
With ISA Server 2004, individual reports or report jobs can be configured to automatically save a copy of a report to a local folder or network file share. The published reports are saved in HTML format, and the folder or file share in which the reports are saved can be mapped to a Web site virtual directory so that other users can view the report. You can also manually publish reports that have not been configured to automatically publish after report creation.
E-mail Notification for Report Jobs
In both the New Report Wizard and the New Report Job Wizard in ISA 2004, you can configure a report or report job to send you or another administrator an e-mail message after a report or job is completed. You can customize the message to be sent, and if you have configured the report to be published, you can automatically include a link to the report within the e-mail message.
Ability to Configure Time of Log Summary
ISA Server 2000 was hard-coded to create log summaries at 12:30 A.M. each day. Reports are based on information contained in log summaries, so this limited the time of day when an accurate report could be generated. ISA Server 2004 allows you to easily customize the time for creating log summaries. This, in turn, gives you increased flexibility in determining the time of day your reports are to be created.
The default time is still 12:30 A.M., but changing it is as easy as clicking the Up and Down arrows in a box, as shown in Figure 2.35.
Figure 2.35: With ISA Server 2004, You Can Change the Time when the Log Summaries are Generated
Better SQL Logging
With ISA Server 2004, you can log to a SQL database that is located on another machine on the Internal network. ISA Server 2004 SQL logging has also been optimized to provide much higher performance in comparison to SQL logging in ISA Server 2000.
We discuss how to set up logging to a remote SQL server in Chapter 13, Using ISA Server 2004’s Monitoring, Logging and Reporting Tools.
Ability to Log to an MSDE Database
With ISA Server 2004, logs can now be stored in Microsoft Data Engine (MSDE) format. Logging to a local database enhances query speed and flexibility. Data that you save in an MSDE database can be viewed in the log viewer and saved in a text file.
If you have a SQL Server 2000 license, you can use your SQL tools (such as Enterprise Manager, query tools, and so on) to view the database and conduct queries.
We discuss how to set up logging to an MSDE database in Chapter 13, Using ISA Server 2004’s Monitoring, Logging and Reporting Tools.
New Features on the Block
In addition to all the improved features discussed in the previous section, Microsoft has added a number of completely new features to ISA Server 2004. In the following sections, we look at three of the most significant new features:
Multi-networking support
New Application Layer Filtering (ALF) features
VPN Quarantine Control
Multi-Networking Support
A big limitation of ISA 2000 was the fact that it did not support multiple networks. Today’s complex networks demand that you be able to work with multiple networks and define the relationships between them. With ISA Server 2004, Microsoft has introduced a multi-networking model that is appropriate for the interconnected networks used by many corporations. Now you can create network rules and control how different networks communicate with one another.
ISA Server 2004 includes several built-in network definitions, including:
The Internal network (includes the addresses on the primary protected network)
The External network (includes addresses that don’t belong to any other network)
The VPN clients network (includes the addresses assigned to VPN clients)
The Local host network (includes the IP addresses on the ISA Server)
You can configure one or more networks, each with a distinct relationship to every other network. ISA Server 2000 evaluated all traffic against a local address table (LAT) that listed only the address ranges of the Internal network: anything in the LAT was trusted, anything else was external, and communications between two LAT hosts were not subject to access policy at all. ISA Server 2004 drops the LAT and applies its firewall and security features to traffic between any pair of networks or network objects.
ISA Server 2004’s new multi-networking features make it easy for you to protect your network against internal and external security threats, by limiting communication between clients, even within your own organization. Multi-networking functionality supports sophisticated perimeter network (also known as a DMZ, demilitarized zone, or screened subnet) scenarios, allowing you to configure how clients in different networks access the perimeter network. Access policy between networks can be based on the unique security zone that is represented by each network.
You can also use ISA Server 2004 to define the routing relationship between networks, depending on the type of access and communication required between them. Where you want to hide the addresses of one network from another, you define a network address translation (NAT) relationship: the firewall replaces source addresses with its own, and connections can be initiated only from the translated side unless you publish a server. Where both sides should see each other’s real addresses, you define a route relationship. Unlike in ISA Server 2000, packets moving between routed networks are still fully exposed to ISA Server 2004’s stateful filtering and inspection mechanisms.
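To make the three layers described above concrete (network membership, the network rule between two networks, and the ordered access policy), here is a small model of the evaluation order. This is an added example written for this page, not ISA Server code; the address ranges, the Perimeter network, the rule names and the sample connections are all constructed for illustration.

```python
"""Toy model of ISA Server 2004 multi-networking: classify an address into a
network, look up the network rule (route or NAT) between source and
destination, then walk an ordered access-rule list from the top down.

Added example for illustration, not ISA Server code. The address ranges,
rule names and sample connections are constructed."""
import ipaddress
from dataclasses import dataclass

# Built-in networks plus one admin-defined perimeter network. "External" has
# no ranges of its own: it is every address that no other network claims.
NETWORKS = {
    "Local Host": ["192.0.2.1/32", "198.51.100.1/32"],  # the firewall's own NICs
    "Internal": ["192.0.2.0/24"],
    "VPN Clients": ["10.99.0.0/24"],
    "Perimeter": ["203.0.113.0/24"],
}


def classify(ip):
    """Name of the network an address belongs to; the most specific range
    wins, so the firewall's own NIC address is Local Host, not Internal."""
    addr = ipaddress.ip_address(ip)
    best_name, best_len = "External", -1
    for name, ranges in NETWORKS.items():
        for cidr in ranges:
            net = ipaddress.ip_network(cidr)
            if addr in net and net.prefixlen > best_len:
                best_name, best_len = name, net.prefixlen
    return best_name


# Network rules: which relationship applies between two networks. "nat"
# hides the source addresses; "route" passes them through unchanged. Both
# are still subject to stateful inspection and the access rules below.
NETWORK_RULES = [
    ({"Internal", "VPN Clients"}, {"External"}, "nat"),
    ({"Internal"}, {"Perimeter"}, "route"),
    ({"External"}, {"Perimeter"}, "nat"),
]


def relationship(src_net, dst_net):
    for sources, dests, kind in NETWORK_RULES:
        if src_net in sources and dst_net in dests:
            return kind
    return None  # no network rule at all: nothing can flow between the two


@dataclass
class AccessRule:
    name: str
    action: str        # "allow" or "deny"
    protocols: set     # e.g. {"tcp/80"}; an empty set matches any protocol
    sources: set       # network names
    destinations: set  # network names


# One ordered policy, first match wins (the 2004 model; ISA 2000 evaluated
# every deny rule before any allow rule). The implicit last rule denies all.
POLICY = [
    AccessRule("Block IRC", "deny", {"tcp/6667"}, {"Internal"}, {"External"}),
    AccessRule("Web out", "allow", {"tcp/80", "tcp/443"},
               {"Internal", "VPN Clients"}, {"External"}),
    AccessRule("DMZ admin", "allow", {"tcp/3389"}, {"Internal"}, {"Perimeter"}),
]


def evaluate(src_ip, dst_ip, proto):
    """Return (decision, matched rule, relationship) for one connection."""
    src_net, dst_net = classify(src_ip), classify(dst_ip)
    rel = relationship(src_net, dst_net)
    if rel is None:
        return ("deny", "no network rule", None)
    for rule in POLICY:
        if (src_net in rule.sources and dst_net in rule.destinations
                and (not rule.protocols or proto in rule.protocols)):
            return (rule.action, rule.name, rel)
    return ("deny", "default rule", rel)


if __name__ == "__main__":
    for conn in [("192.0.2.50", "93.184.216.34", "tcp/80"),
                 ("192.0.2.50", "93.184.216.34", "tcp/6667"),
                 ("10.99.0.5", "203.0.113.10", "tcp/3389")]:
        print(conn, "->", evaluate(*conn))
```

The point to notice is the VPN-client-to-Perimeter case: even though an allow rule for the Perimeter network exists, there is no network rule between those two networks, so the connection is refused before the access policy is consulted. When a rule "does not work" in ISA Server 2004, the network rule is the first place to look.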
ISA Server 2004 provides network templates that you can use to easily configure firewall policy governing the traffic between multiple networks. These are designed to address common scenarios, including:
ISA Server as edge firewall
Perimeter network (DMZ)
ISA as front-end firewall with a third-party back end firewall
ISA Server deployed between a perimeter network and the Internal network
Caching/Web Proxy server with a single NIC
You will learn more about how to configure multi-networking, create networking rules and apply network templates in Chapter 4, Preparing the Network Infrastructure for ISA Server 2004.
New Application Layer Filtering (ALF) Features
Application Layer Filtering is one of ISA Server 2004’s strong points; unlike a traditional packet filtering firewall, ISA can delve deep into application layer communications to protect your network from the many modern exploits that occur at this layer. ISA Server 2000’s ALF functionality has been enhanced by the addition of the following new features:
Per-rule HTTP filtering
Ability to block access to all executables
Ability to control HTTP downloads by file extension
Application of HTTP filtering to all client connections
Control of HTTP access based on signatures
Control over allowed HTTP methods
Ability to force secure Exchange RPC connections
Policy-based control over FTP
In the following subsections, we’ll have a look at each of these.
Per-rule HTTP Filtering
ISA Server 2004’s HTTP policy allows the firewall to perform deep HTTP stateful inspection (application layer filtering). You can configure the extent of the inspection on a per-rule basis. This means that you can configure custom constraints for HTTP inbound and outbound access. With ISA Server 2000, HTTP filtering had to be performed globally, using a version of URLscan installed with Feature Pack 1 for ISA Server 2000.
Ability to Block Access to All Executables
You can configure ISA Server 2004’s HTTP policy to block all connection attempts to Windows executable content, regardless of the file extension used on the resource. The filter inspects content rather than names: it blocks any response whose body begins with the two bytes MZ, so a renamed .exe served as notes.txt is still caught. You can also block by file extension (see the next subsection).
Blocking all Windows executables does not necessarily block all file types that can be dangerous. For example, .pif and .com files are not blocked by this filter because they have no MZ header; a .com file is raw machine code with no signature at all. You can block these other potentially dangerous file types by configuring filters to block by file extension. Treat the two checks as complementary: the MZ check catches renamed executables, the extension check catches headerless ones.
The first two bytes of a Windows executable are its file signature. The MZ signature, originally used for MS-DOS executable files, stands for the initials of Microsoft programmer Mark Zbikowski.
Ability to Control HTTP Downloads by File Extension
ISA Server 2004’s HTTP policy makes it easy for you to allow all file extensions, allow all except a specified group of extensions, or block all extensions except for a specified group. This gives you a lot of flexibility in controlling what types of files can be downloaded by users, especially since this is done on a per-rule basis. This means you can apply the blocking of certain extensions to specific users or groups.
Application of HTTP Filtering to All Client Connections
ISA Server 2000 was able to block content for Web Proxy clients based on HTTP and FTP connections by MIME type (for HTTP) or file extension (for FTP). With ISA Server 2004’s HTTP policy, you can control HTTP access for all ISA Server 2004 client connections, regardless of client type. There was no deep inspection of outbound connections, out of the box, with ISA Server 2000.
Control of HTTP Access Based on Signatures
ISA Server 2004’s deep HTTP inspection also allows you to create “HTTP Signatures” that can be compared to the Request URL, Request headers, Request body, Response headers, and Response body. This allows you to exercise extremely precise control over the content that internal and external users can access through the ISA Server 2004 firewall.
A signature is a character string for which ISA Server will search the request body, request header, response body, and/or response header. If the string is found, the data will be blocked. You can search for either a text or binary string. Blocking based on text signatures can only be done if the HTTP requests and responses are UTF-8 encoded.
Control Over Allowed HTTP Methods
You can control which HTTP methods are allowed through the firewall by setting access controls on user access to various methods. For example, you can block the HTTP POST method to prevent users from submitting form data or file uploads to Web sites. You can choose to allow all methods, allow only selected methods, or block specified methods and allow all others.
HTTP methods are commands that tell the server what action to perform on a given request. They are also sometimes referred to as “HTTP verbs” because they consist of action words: GET (retrieve the resource identified by the URI), PUT (store the request body under the supplied URI), POST (submit data to the resource identified by the URI), and so on.
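The HTTP policy features in the preceding subsections (per-rule filtering, the executable block, extension lists, signatures, and method control) are easiest to reason about as a single pipeline over a request and its response. The following model is an added example written for this page, not ISA Server code; the policy values, the `KaZaA` header signature, the binary response signature and the sample messages are constructed, and text signatures deliberately see only UTF-8 decodable content, mirroring the limitation described above.

```python
"""Toy per-rule HTTP filter in the spirit of ISA Server 2004's HTTP policy:
allowed or blocked methods, an extension allow/deny list, "block
executables" (the MZ check on the response body) and text or binary
signatures searched in the request URL, headers and bodies.

Added example for illustration, not ISA Server code. The policy values and
the sample requests and responses are constructed."""
from urllib.parse import urlsplit


def extension_of(url):
    """Lower-cased extension of the last path segment, '' if there is none."""
    last = urlsplit(url).path.rsplit("/", 1)[-1]
    return last.rsplit(".", 1)[-1].lower() if "." in last else ""


def _as_text(part):
    """Text signatures only see UTF-8 decodable content (the same limit the
    product documentation describes); undecodable bytes are dropped."""
    if isinstance(part, dict):
        part = "\n".join(f"{k}: {v}" for k, v in part.items())
    if isinstance(part, bytes):
        return part.decode("utf-8", errors="ignore")
    return part


def _as_bytes(part):
    return part if isinstance(part, bytes) else _as_text(part).encode("utf-8")


class HttpPolicy:
    def __init__(self, allowed_methods=None, blocked_methods=(),
                 extension_mode="allow_all", extensions=(),
                 block_executables=False, signatures=()):
        self.allowed_methods = ({m.upper() for m in allowed_methods}
                                if allowed_methods is not None else None)
        self.blocked_methods = {m.upper() for m in blocked_methods}
        self.extension_mode = extension_mode  # allow_all | block_listed | allow_listed_only
        self.extensions = {e.lower().lstrip(".") for e in extensions}
        self.block_executables = block_executables
        self.signatures = list(signatures)    # (where, str-or-bytes pattern)

    def check_request(self, method, url, headers, body=b""):
        m = method.upper()
        if self.allowed_methods is not None and m not in self.allowed_methods:
            return f"blocked: method {m} not in allow list"
        if m in self.blocked_methods:
            return f"blocked: method {m} is blocked"
        ext = extension_of(url)
        if self.extension_mode == "block_listed" and ext in self.extensions:
            return f"blocked: extension .{ext} is blocked"
        if self.extension_mode == "allow_listed_only" and ext not in self.extensions:
            return f"blocked: extension .{ext} not in allow list"
        return self._signatures({"request_url": url, "request_headers": headers,
                                 "request_body": body})

    def check_response(self, headers, body):
        # The MZ check looks at content, not the name, so a renamed .exe is
        # caught; a .com or .pif has no MZ header and slips past this check.
        if self.block_executables and body[:2] == b"MZ":
            return "blocked: response body is a Windows executable (MZ)"
        return self._signatures({"response_headers": headers, "response_body": body})

    def _signatures(self, parts):
        for where, pattern in self.signatures:
            if where not in parts:
                continue
            part = parts[where]
            hit = (pattern in _as_bytes(part) if isinstance(pattern, bytes)
                   else pattern in _as_text(part))
            if hit:
                return f"blocked: signature matched in {where}"
        return "allowed"


# Constructed policy: no POST, no executable extensions, MZ check on, a text
# signature on a peer-to-peer User-Agent and a binary signature on responses.
POLICY = HttpPolicy(
    blocked_methods=["POST"],
    extension_mode="block_listed", extensions=[".exe", ".pif", ".com", ".scr"],
    block_executables=True,
    signatures=[("request_headers", "KaZaA"), ("request_url", "/../"),
                ("response_body", b"\xca\xfe\xba\xbe")],
)

if __name__ == "__main__":
    print(POLICY.check_request("GET", "http://example.test/tools/setup.exe", {}))
    print(POLICY.check_response({}, b"MZ\x90\x00\x03\x00"))   # renamed .exe, still caught
    print(POLICY.check_response({}, b"\xe9\x12\x00\xcd\x20"))  # headerless .com, not caught
```

The last two calls in the usage section show the caveat from the text: a renamed executable is stopped by the MZ check, while a .com file served under an innocent name passes it and is stopped only if its extension is on the block list.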
Ability to Force Secure Exchange RPC Connections
ISA Server 2004’s Secure Exchange Server Publishing Rules allow remote users to connect to the Exchange server by using the fully functional Outlook MAPI client over the Internet. However, the Outlook client must be configured to use secure RPC so that the connection will be encrypted. ISA Server 2004’s RPC policy allows you to block all non-encrypted Outlook MAPI client connections.
With traditional firewalls, you have to open the RPC endpoint mapper port (TCP 135) plus the whole range of dynamic high ports that Exchange RPC services may be assigned, which exposes every RPC service on the host, not just Exchange. The ISA Server 2004 RPC filter solves this problem: it reads the endpoint mapper exchange and opens only the specific port negotiated for that Exchange service, and only for that session.
Policy-based Control Over FTP
You can configure ISA Server 2004’s FTP policy to allow users to upload and download via FTP, or you can limit user FTP access to download only. This gives you more control over FTP activity and more granular security. By selecting Read Only on the Protocols tab when you configure FTP filtering, you block FTP uploads.
The FTP access filter is more functional than a user-defined FTP protocol definition because it follows the control channel, reads the PORT command or the PASV reply to learn which port the data connection will use, opens only that port for that session, and performs the address translation the secondary connection needs when NAT is in the path. The filter is also able to differentiate between read and write commands, so you can granularly control access.
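The following model shows what the FTP access filter has to do that a plain protocol definition cannot: follow the control channel to learn the data-connection endpoint, and classify commands as read or write so that a Read Only rule can refuse the latter. It is an added example written for this page, not ISA Server code; the session transcript and addresses are constructed, and the check that a PORT command names the client’s own address is an extra sanity check assumed here rather than taken from the page.

```python
"""Toy FTP access filter: it follows the control channel, learns the data
connection endpoint from PORT or PASV so that only that port is opened for
this session, and in read-only mode refuses every command that writes to
the server.

Added example for illustration, not ISA Server code. The session transcript
and addresses are constructed."""
import re

# Commands that change server-side state; "Read Only" denies all of them.
WRITE_COMMANDS = {"STOR", "STOU", "APPE", "DELE", "RNFR", "RNTO", "MKD", "RMD", "SITE"}

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and by the 227 reply."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    h = m.groups()
    return (".".join(h[:4]), int(h[4]) * 256 + int(h[5]))


class FtpFilter:
    def __init__(self, client_ip, read_only):
        self.client_ip = client_ip
        self.read_only = read_only
        self.data_endpoint = None  # (ip, port) to open for the next data connection
        self.decisions = []

    def client_command(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        decision = "allow"
        if self.read_only and verb in WRITE_COMMANDS:
            decision = "deny"
        elif verb == "PORT":
            endpoint = parse_hostport(arg)
            # Active mode: the client names the address the server should
            # dial back to. Accept only the client's own address on an
            # unprivileged port (assumed extra check, not from the page).
            if endpoint is None or endpoint[0] != self.client_ip or endpoint[1] < 1024:
                decision = "deny"
            else:
                self.data_endpoint = endpoint
        self.decisions.append((verb, decision))
        return decision

    def server_reply(self, line):
        # Passive mode: the server announces where the client must connect;
        # this is the port (and, behind NAT, the address) the filter must map.
        if line.startswith("227"):
            endpoint = parse_hostport(line)
            if endpoint:
                self.data_endpoint = endpoint
        return self.data_endpoint


def run_session(client_ip, read_only, transcript):
    """Replay (side, line) pairs; return decisions and the last data endpoint."""
    f = FtpFilter(client_ip, read_only)
    for side, line in transcript:
        if side == "C":
            f.client_command(line)
        else:
            f.server_reply(line)
    return f.decisions, f.data_endpoint


# Constructed transcript: a download, then attempts to upload, delete, and
# redirect the data connection to a third host.
SESSION = [
    ("C", "USER anonymous"), ("S", "331 Please specify the password."),
    ("C", "PASS guest@"), ("S", "230 Login successful."),
    ("C", "PASV"), ("S", "227 Entering Passive Mode (203,0,113,20,195,80)."),
    ("C", "RETR readme.txt"), ("S", "150 Opening data connection."),
    ("C", "STOR dropper.exe"),
    ("C", "DELE readme.txt"),
    ("C", "PORT 192,0,2,99,4,1"),
    ("C", "QUIT"),
]

if __name__ == "__main__":
    decisions, endpoint = run_session("192.0.2.50", True, SESSION)
    print(decisions, endpoint)
```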
Link Translation
Some of your published Web sites might include links that refer to the internal (NetBIOS or private DNS) names of computers. External clients can resolve only the ISA Server 2004 firewall’s public name and the rest of your external namespace, not the internal namespace, so when they follow such links, the links appear to be broken.
ISA Server 2004 includes a link translation feature that lets you build a dictionary mapping internal computer names to their publicly known names. This is especially useful, for example, when publishing SharePoint Web sites, whose pages are full of absolute links. The link translation dictionary can also translate requests made to ports other than the standard ports; the link translator includes the port number when it rewrites the URL it sends back to the client.
Although link translation was not available as a feature of ISA Server 2000 out of the box, it can be added to ISA 2000 by installing Feature Pack 1.
By default, link translation only works with HTML documents, but you can add other content groups if you wish.
If your document contains internal links that have not been mapped to their external equivalents in the link translation dictionary, the internal NetBIOS names will be passed through to external users. This is a security risk because it tells outsiders what your internal computer names are. After setting up link translation, fetch the published pages from an outside address and search the responses for your internal names.
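The following added example (written for this page, not ISA Server code) shows the two halves of the link translation subsection above: a dictionary applied to HTML responses, with a longer entry carrying a non-standard port taking precedence over the bare host name, and a check for internal names that survive translation. The dictionary, host names (`sps01`, `owa01`, `fileserver1`) and the sample page are constructed.

```python
"""Toy link translator: rewrites internal server names (and non-standard
ports) in HTML responses to their public names, applies only to HTML content
groups, and reports internal names that were left unmapped.

Added example for illustration, not ISA Server code. The dictionary, host
names and the sample page are constructed."""
import re

# internal -> public. Longer keys are applied first so the entry with an
# explicit port wins over the bare host name.
DICTIONARY = {
    "http://sps01:8080": "https://portal.example.com:8443",
    "http://sps01": "https://portal.example.com",
    "http://owa01/exchange": "https://mail.example.com/exchange",
}

TRANSLATED_CONTENT_TYPES = ("text/html",)  # the default content group


class LinkTranslator:
    def __init__(self, dictionary, content_types=TRANSLATED_CONTENT_TYPES):
        self.pairs = sorted(dictionary.items(), key=lambda kv: -len(kv[0]))
        self.content_types = content_types

    def translate(self, content_type, body):
        """Return the body with internal links rewritten, or unchanged if the
        content type is not in a translated content group."""
        if content_type.split(";")[0].strip().lower() not in self.content_types:
            return body
        for internal, public in self.pairs:
            body = body.replace(internal, public)
        return body


def leaked_internal_names(body, internal_names):
    """Internal host names still visible to the external client after
    translation; each one is a name an outsider should not learn."""
    return [n for n in internal_names
            if re.search(r"(?i)\b" + re.escape(n) + r"\b", body)]


# Constructed response: three mapped links and one to a server nobody mapped.
SAMPLE_HTML = """<html><body>
<a href="http://sps01/sites/hr/default.aspx">HR</a>
<a href="http://sps01:8080/_admin/">Admin</a>
<a href="http://owa01/exchange/">Mail</a>
<a href="http://fileserver1/share/policy.doc">Policy</a>
</body></html>"""

INTERNAL_NAMES = ["sps01", "owa01", "fileserver1"]

TRANSLATOR = LinkTranslator(DICTIONARY)

if __name__ == "__main__":
    out = TRANSLATOR.translate("text/html; charset=utf-8", SAMPLE_HTML)
    print(out)
    print("leaked:", leaked_internal_names(out, INTERNAL_NAMES))
```

Running `leaked_internal_names` over the translated output is the check the text recommends: it reports `fileserver1`, the one name missing from the dictionary.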
VPN Quarantine Control
This is another feature that was not available in ISA Server 2000. ISA Server 2004 leverages the Network Access Quarantine Control feature built into Windows Server 2003 to provide VPN quarantine, which allows you to quarantine VPN clients on a separate network until they meet a predefined set of security requirements. Even if ISA Server 2004 is installed on Windows 2000, you can still use quarantine control, with some limitations. In either case, you are able to specify conditions that VPN clients must meet in order to be allowed on the Internal network, such as the following:
security updates and service packs must be installed
anti-virus software must be installed and enabled
personal firewall software must be installed and enabled
VPN clients that pass the pre-defined security tests are allowed network access based on the VPN client firewall policies. VPN clients who fail security testing may be provided limited access to servers that will help them meet network security requirements (for example, servers where they can download the patches and updates they need).
Benefits of ISA Server 2004 VPN Quarantine Control
VPN quarantine control is an exciting feature that helps to protect your network from remote users who establish VPN connections from client computers that don’t have their security patches and service packs up to date, don’t have anti-virus software installed and enabled, and/or don’t have personal firewalls to prevent Internet attacks. A number of other firewall vendors offer similar functionality, although usually with a different name – but in most cases, you must use their proprietary VPN client software (at extra cost) to take advantage of this feature. With ISA Server 2004, no special client software is required; clients use the PPTP or L2TP/IPSec clients built into all modern Windows operating systems.
Options for Using VPN Quarantine Control
To use VPN quarantine control through Routing and Remote Access, ISA Server 2004 needs to be installed on a Windows Server 2003 computer. You are then able to quarantine VPN clients based on RADIUS server policies. If ISA Server 2004 is installed on a Windows 2000 server, you can still enable quarantine mode via the ISA Server and set a firewall policy for the Quarantined VPN clients network.
Quarantine control is great for enforcing compliance with your organization’s security policy when users access the network from an outside location using a VPN, but setting it up is not a no-brainer. You must create Connection Manager profiles and connectoids for your VPN clients using the Connection Manager Administration Kit (CMAK) that comes with Windows 2000 Server and Windows Server 2003.
You can then enable quarantine on the server, either using RADIUS policy or using ISA Server policy. Microsoft recommends that you use RADIUS policy if you are running ISA on a Windows Server 2003 computer and you have a RADIUS server on the network. Otherwise, you’ll have to use ISA Server policy.
You can set the amount of time that a client will stay in quarantine when trying to connect through the VPN. If the client doesn’t comply with the security policy requirements within this specified time period, allowing it to move from the Quarantined VPN clients network to the VPN clients network, it will be disconnected. If you have certain clients that should not be quarantined even if they don’t pass the security test (the big boss’s computer, for example), you can create an exemption list so that quarantine won’t be applied to them.
Requirements for Enabling VPN Quarantine Control
To use quarantine control, you have to install a listener component on the ISA Server firewall. This is a service that listens for messages from the VPN clients telling the ISA server that the quarantine script has run successfully. The messages come from a notifier component on the client. The ISA Server 2004 Resource Kit contains a listener, the Remote Access Quarantine Agent service (Rqs.exe), and a notifier component (Rqc.exe) that you can use, or you can create your own listener. When the client computer is in compliance with the security policies, the notifier sends a notification message to the listener, and the client is removed from quarantine.
Here’s the tricky part: you have to be adept at scripting to create the quarantine script that the Connection Manager profile runs on the client computer, and the script must verify every condition you care about before it calls the notifier.
The notification message is neither encrypted nor authenticated; it is essentially a version string sent to the listener, which accepts it if the string is in its allowed list. This means an attacker who controls a VPN client can spoof the message without running the script at all. Treat quarantine as a hygiene control that keeps honest clients compliant, not as a security boundary against a hostile client.
What about clients that don’t comply with the policy? You can set up a Web server that allows anonymous access for those clients to download instructions and/or software that’s needed to come into compliance. The quarantined clients can access this server, but not other resources on the network.
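The quarantine life cycle described in the preceding paragraphs (land in the Quarantined VPN clients network, notify, move to the VPN clients network or be disconnected on timeout, with an exemption list) is modelled below. This is an added example written for this page, not ISA Server or Rqs/Rqc code, and not the real wire format; user names, version strings, the `remediation`/`internal` destination labels and timings are constructed. As with the real notification, the message is trusted as sent: a client that merely sends the expected string passes, which is exactly the spoofing weakness noted above.

```python
"""Toy model of VPN quarantine control: a new VPN session lands in the
Quarantined VPN Clients network, the client's notifier reports a script
version string, and the listener moves the session to the VPN Clients
network only if that string is in the allowed set. Sessions still
quarantined when the timer runs out are disconnected; exempt users skip
quarantine entirely.

Added example for illustration, not ISA Server or RQS/RQC code, and not the
real wire format. Names, version strings and timings are constructed."""

QUARANTINED = "Quarantined VPN Clients"
ALLOWED = "VPN Clients"
DISCONNECTED = "disconnected"


class QuarantineControl:
    def __init__(self, allowed_versions, timeout_seconds, exempt_users=()):
        self.allowed_versions = set(allowed_versions)  # the listener's allowed list
        self.timeout = timeout_seconds
        self.exempt = set(exempt_users)
        self.sessions = {}  # user -> {"network": ..., "since": t}

    def connect(self, user, now):
        """A VPN session comes up; exempt users bypass quarantine."""
        network = ALLOWED if user in self.exempt else QUARANTINED
        self.sessions[user] = {"network": network, "since": now}
        return network

    def notify(self, user, version_string, now):
        """Listener side: the notifier's message is a bare string, trusted
        as sent (no authentication), checked only against the allowed set."""
        s = self.sessions.get(user)
        if s is None or s["network"] != QUARANTINED:
            return False
        if version_string not in self.allowed_versions:
            return False
        s["network"] = ALLOWED
        s["since"] = now
        return True

    def tick(self, now):
        """Disconnect sessions that stayed quarantined past the timeout."""
        dropped = []
        for user, s in self.sessions.items():
            if s["network"] == QUARANTINED and now - s["since"] > self.timeout:
                s["network"] = DISCONNECTED
                dropped.append(user)
        return dropped

    def network_of(self, user):
        return self.sessions.get(user, {}).get("network", DISCONNECTED)

    def reachable(self, user, destination):
        """Firewall policy for the two VPN networks: quarantined clients may
        reach only the remediation server; allowed clients reach Internal."""
        net = self.network_of(user)
        if net == ALLOWED:
            return destination in {"remediation", "internal"}
        if net == QUARANTINED:
            return destination == "remediation"
        return False


if __name__ == "__main__":
    qc = QuarantineControl({"corp-quarantine-1.2"}, timeout_seconds=120,
                           exempt_users={"ceo"})
    print(qc.connect("alice", 0), qc.connect("ceo", 0))
    print(qc.notify("alice", "corp-quarantine-0.9", 10), qc.network_of("alice"))
    print(qc.notify("alice", "corp-quarantine-1.2", 20), qc.network_of("alice"))
    qc.connect("bob", 0)
    print(qc.tick(121), qc.network_of("bob"))
```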
We discuss how to configure ISA Server 2004 quarantine control policies in Chapter 9, Protecting Remote Access and VPN Communications with ISA Server 2004.
Missing in Action: Gone But Not Forgotten
ISA Server 2004 offers some great new features and many improvements and enhancements to features that were present, but less functional or less friendly, in ISA Server 2000. However, we would be remiss if we didn’t mention that there are a few features you might have used in ISA Server 2000 that are “missing in action” when it comes to ISA Server 2004.
Most ISA Server firewall administrators won’t miss these features, as they were ones that either were not used much or didn’t work well in ISA 2000. However, take note, and if you have a specific need for these features, you might consider not upgrading to ISA 2004, or adding a third-party product that can handle these functions. The most significant “gone but not forgotten” features are:
Live media stream splitting
The H.323 gateway
Bandwidth control
Active caching
Let’s briefly address what each of these features does and why Microsoft chose not to include them in ISA Server 2004.
Live Media Stream Splitting
ISA Server 2000 was able to split live media streams using Windows Media Technologies (WMT) to reduce the amount of bandwidth used for streaming audio or video, depending on the number of internal clients that were viewing the same streaming media. If a large number of people within your organization often viewed or listened to the same streaming media source, this could be beneficial. The feature could be applied to streams that used a WMT server located on the internal network, or you could install the WMT server on the ISA Server itself.
According to customer feedback, most companies implementing ISA Server did not use the streaming media splitting feature, so Microsoft did not include it in ISA Server 2004.
The H.323 Gateway
The H.323 gateway is used for call handling and routing of Voice over IP (VoIP) calls. VoIP allows you to make voice calls over the Internet instead of using telephone company lines. This can result in a big savings in long distance charges for organizations that must make many long distance calls.
Problems were reported with memory leaks in the ISA Server gatekeeper service when malformed packets were directed at the service. These attacks had no effect if the H.323 gateway was not configured on the ISA Server. Although the problem was corrected with ISA Server 2000 Service Pack 1, many users stopped using the H.323 gateway service or did not use it because of these problems and because configuration of the H.323 gateway was difficult for many ISA Server users to figure out. Further, many newer VoIP products use the Session Initiation Protocol (SIP) instead of H.323. SIP is less complex and was designed as an alternative to H.323. Cisco and other vendors market IP phones that are based on SIP (Cisco also has its own proprietary VoIP protocol called Skinny). In order for H.323 to be effective, both sides of the connection have to have an H.323 gateway.
Microsoft dropped support for the H.323 gateway in ISA Server 2004 because of low usage due to these causes.
Bandwidth Control
ISA Server 2000 included a bandwidth control feature. You could right-click on the Bandwidth Rules node and check a box to enable bandwidth control, then set an effective bandwidth in Kbps. Effective bandwidth refers to either the actual bandwidth used by a device such as a modem, or overall network bandwidth. You could use bandwidth rules to specify which connections would have priority over others.
Although it seemed like a good idea, users complained that bandwidth controls in ISA Server 2000 didn’t work, or didn’t work as expected. Users expected bandwidth controls to limit the amount of bandwidth that could be used by each connection. This was not how it worked. Instead, the bandwidth rules were used by the quality of service (QoS) packet scheduling service to determine how connections should be prioritized. More disconcertingly, even when you understood what the bandwidth rules did and didn’t do and configured them correctly, there were widespread problems with the rules ceasing to work over time. The only solution seemed to be to reformat and reinstall the operating system and ISA Server – not something that the average firewall administrator wants to do on a regular basis.
For these reasons, support for the bandwidth control feature was dropped in ISA Server 2004.
Active Caching
ISA Server 2000 supported not only forward/reverse and distributed/hierarchical caching types, but also supported active caching. This feature would automatically initiate requests to update objects that were stored in cache without any intervention from the user. These updates could be triggered based on the amount of time the object had been cached or when it had last been retrieved from the source server. When active caching was enabled, ISA Server would automatically refresh the cache content before objects expired. The ISA server kept track of which objects in the cache were most popular, and re-cached them even if no one had requested them.
You were able to configure the active caching policy to determine how frequently objects should be updated to balance the need for up-to-date cached objects with network performance concerns.
Although active caching can ensure that frequently-requested objects are kept up to date, it also can use a lot of network bandwidth and impact overall network performance. Active caching was not enabled by default in ISA Server 2000, and input from customers indicated that it was not a feature that was important to most Microsoft ISA Server users. In keeping with Microsoft’s emphasis on firewall functionality in ISA Server 2004, the active caching feature was left out.
Summary
ISA Server 2004 is loaded with features. This chapter discussed the completely revamped graphical user interface, which is one of the most obvious changes that has been made to the ISA Server software. With ISA Server 2004, Microsoft has taken another big step away from Proxy Server and into the arena of serious firewall products. Although it is built on the shoulders of ISA Server 2000, ISA Server 2004 is, in many ways, a completely new product rather than a version upgrade. The emphasis is, more than ever, on security.
ISA Server 2004 still retains many of the same features that were available in ISA Server 2000, but most of them have been improved or enhanced. From more functional wizards to greater configuration flexibility to entirely new ways to perform old familiar firewall administration tasks, ISA Server has seen a lot of changes.
Microsoft has also added some brand new features to ISA Server 2004. The most extensive and perhaps the most welcome new feature is multi-networking support, which extends ISA Server 2004’s ability to function as the firewall of choice in large, complex networking environments. New Application Layer Filtering (ALF) features give ISA Server 2004 even more of an edge when it comes to such functions as front-line defense against spam, and VPN quarantine control gives administrators a powerful way to ensure that remote VPN clients must meet the same standards in regard to security configurations as do the clients on the Internal network.
In this chapter, we did not attempt to cover every single feature that has been improved or added to ISA Server. We did attempt to give you a good idea of some of the differences between ISA Server 2004 and its predecessor. This chapter didn’t go into details on how to use all of these new and improved features, but we introduced you to many of them and will provide step-by-step instructions for their use in later chapters of the book.
We also took a moment to mourn a few dearly departed friends: features we had grown to love (or in some cases, not love) in ISA Server 2000 that didn’t make it into ISA Server 2004. Overall, we think ISA Server 2004’s feature set is a solid one, and we find it much easier to set up and administer. The extent of our faith in ISA Server 2004 can be illustrated by the fact that we currently have multiple ISA Server 2004 machines protecting our own network. Feature-for-feature, we believe ISA Server is one of the best firewall/caching solutions available for the money. In the next chapter, we’ll compare it to some of its competitors and show you why we think it stacks up.
Solutions Fast Track
New GUI: More Than Just a Pretty Face
Improving the user experience by making the interface friendlier was a major goal of the ISA Server 2004 development team, and they’ve done a good job.
The ISA Server 2004 console is much richer than that of ISA 2000, with a three-pane window that still includes the familiar tree structure in the left pane, but gives you tabbed pages in the middle and right panes that make it easy to select the type of tasks you want to perform and get precise help in performing them.
The left pane nodes include: ISA Server (Name) Top Node, Monitoring Node, Firewall Policy Node, Virtual Private Networks (VPN) Node, and Configuration Node.
The Configuration Node contains four subnodes: Networks, Cache, Add-ins, and General.
The Getting Started page makes it easy to set up the ISA Server firewall and/or caching server.
The Dashboard is just what its name implies -- a “big picture” view that summarizes each of the Monitoring areas represented by a tab (except Logging).
The firewall policy node is the “heart” of the ISA Server interface. This is where you create access rules, Web publishing rules, mail server publishing rules, and other server publishing rules to control access to and from your network.
The Virtual Private Networks node provides a friendly interface for performing common VPN configuration tasks and controlling client access.
The Networks tab (Configuration node) is used to create and configure networks in a multiple network environment.
The Cache subnode is used to define cache drives, create cache rules, configure general cache settings or disable caching altogether, making the ISA server function solely as a firewall.
The Add-ins subnode is used to configure ISA Server’s application layer filtering (ALF). This is where you enable, view, modify, and disable application filters and Web filters.
The General subnode includes general administrative tasks.
Teaching Old Features New Tricks
If your company has multiple ISA Server installations in different locations, you don’t want to have to physically visit every ISA Server machine to perform management tasks on each.
Three ways to remotely manage your ISA Server firewalls are: the ISA Server management console, Windows 2000 terminal services or Server 2003 remote desktop, and through a third-party Web interface.
ISA Server 2004 allows you to control access and usage of any protocol, including IP-level protocols.
Improvements have been made to the authentication process in ISA Server 2004. Users can be authenticated via the built-in Windows authentication or Remote Authentication Dial-In User Service (RADIUS) or other namespaces.
It is now easier to set up Outlook Web Access (OWA) to work with ISA 2004, thanks to the OWA Publishing wizard.
With ISA Server 2004, you have more flexibility in defining network objects because you can specify them according to the following categories: Networks, Network sets, Computers, Computer sets, Address ranges, Subnets, URL sets, Domain name sets, and Web listeners.
ISA Server 2004 includes a new set of rule wizards that make it easier than ever to create access policies.
In ISA Server 2000, the Server Publishing Rules forwarded incoming connections to a published server on the same port where the original request was received. ISA Server 2004 allows you to receive a connection on a particular port number and then redirect the request to a different port number on the published server.
ISA Server 2004 includes many improvements and enhancements to VPN and remote access functionality, including more flexibility for site-to-site VPN links, better control over VPN clients, PPTP server publishing, and forced encryption for secure Exchange RPC connections.
Several improvements have been made to the Web Cache and Web Proxy features in ISA Server, including improvements to the Cache Rule Wizard, more flexibility in caching of SSL content, path mapping for Web Publishing Rules, and enhancements to scheduled content download.
Microsoft has listened to customers and made a number of improvements and additions to ISA Server 2004’s logging, monitoring, and reporting functions. These include real-time monitoring of log entries, real-time monitoring and filtering of firewall sessions, a built-in log querying mechanism, connection verifiers, ability to customize reports, ability to publish reports, e-mail notification for report jobs, ability to configure time of log summary, better SQL logging, and the ability to log to an MSDE database.
New Features on the Block
With ISA Server 2004, Microsoft has introduced a multi-networking model that is appropriate for interconnected networks used by many corporations.
Now you can create network rules and control how different networks communicate with one another.
ISA Server 2004 includes several built-in network definitions, including: the Internal network (includes the addresses on the primary protected network), the External network (includes addresses that don’t belong to any other network), the VPN clients network (includes the addresses assigned to VPN clients), and the Local host network (includes the IP addresses on the ISA Server).
ISA Server 2004’s new multi-networking features make it easy for you to protect your network against internal and external security threats by limiting communication between clients, even within your own organization.
You can use ISA Server 2004 to define the routing relationship between networks, depending on the type of access and communication required between the networks.
ISA Server 2004 provides network templates that you can use to easily configure firewall policy governing the traffic between multiple networks.
ISA Server 2004’s HTTP policy allows the firewall to perform deep HTTP stateful inspection (application layer filtering). You can configure the extent of the inspection on a per-rule basis.
You can configure ISA Server 2004’s HTTP policy to block all connection attempts to Windows executable content, regardless of the file extension used on the resource.
ISA Server 2004’s HTTP policy makes it easy for you to allow all file extensions, allow all except a specified group of extensions, or block all extensions except for a specified group.
With ISA Server 2004’s HTTP policy, you can control HTTP access for all ISA Server 2004 client connections, regardless of client type.
ISA Server 2004’s deep HTTP inspection also allows you to create “HTTP Signatures” that can be compared to the Request URL, Request headers, Request body, Response headers, and Response body.
You can control which HTTP methods are allowed through the firewall by setting access controls on user access to various methods.
ISA Server 2004’s Secure Exchange Server Publishing Rules allow remote users to connect to the Exchange server by using the fully-functional Outlook MAPI client over the Internet.
You can configure ISA Server 2004’s FTP policy to allow users to upload and download via FTP, or you can limit user FTP access to download only.
ISA Server 2004 includes a link translation feature, which allows you to create a dictionary of definitions for internal computer names that map to publicly-known names.
ISA Server 2004 leverages the Network Access Quarantine Control feature built into Windows Server 2003 to provide VPN quarantine, which allows you to quarantine VPN clients on a separate network until they meet a predefined set of security requirements.
ISA Server 2004 adds support for port redirection and the ability to publish FTP servers on alternate ports.
Missing in Action: Gone But Not Forgotten
ISA Server 2000 was able to split live media streams using Windows Media Technologies (WMT) to reduce the amount of bandwidth used for streaming audio or video, depending on the number of internal clients that were viewing the same streaming media. According to customer feedback, most companies implementing ISA Server did not use the streaming media splitting feature, so Microsoft did not include it in ISA Server 2004.
The H.323 gateway is used for call handling and routing of Voice over IP (VoIP) calls. Microsoft dropped support for the H.323 gateway in ISA Server 2004 because of low usage.
ISA Server 2000 included a bandwidth control feature, but users complained that bandwidth controls in ISA Server 2000 didn’t work, or didn’t work as expected. Support for the bandwidth control feature was dropped in ISA Server 2004.
ISA Server 2000 supported not only forward/reverse and distributed/hierarchical caching types, but also supported active caching. This feature would automatically initiate requests to update objects that were stored in cache without any intervention from the user. In keeping with Microsoft’s emphasis on firewall functionality in ISA Server 2004, the active caching feature was left out.
Frequently Asked Questions
Q: Is ISA Server 2004 a firewall or a cache server?
A: ISA Server 2004 can be configured as an integrated firewall and caching solution, or it can be deployed as a locked-down firewall only. The caching feature is disabled by default and is enabled only after a firewall administrator acts to enable it. Organizations require a robust firewall solution. The ISA Server 2004 firewall secures their networks with dynamic packet filtering (stateful filtering), intrusion detection, system hardening, and deep application layer inspection. Microsoft’s emphasis in developing and marketing ISA Server 2004 is on its firewall functionality.
Q: Does implementing the cache functionality compromise the security of ISA Server as a firewall?
A: No. The cache is a sophisticated memory and disk-based storage engine that allows improved network access performance by storing frequently retrieved objects. The Web cache is integrated into the firewall service engine that provides Hypertext Transfer Protocol (HTTP) connectivity, filtering capabilities, and security-related tasks such as content screening and Uniform Resource Locator (URL) blocking.
Q: Can I deploy only the firewall functionality?
A: The ISA Server 2004 firewall architecture is quite different from the ISA Server 2000 architecture. Because of this, the ISA Server 2004 firewall does not distinguish between firewall and caching services – all services are mediated by the hardened firewall service. You can completely disable Web caching if your organization does not require it.
Q: Do I have to run Active Directory to use an ISA Server 2004 firewall?
A: No. Active Directory is not required. While the ISA Server 2004 firewall can leverage the users and groups contained in the Active Directory to provide granular inbound and outbound access control that no other firewall on the market can provide, you do not need an Active Directory or NT domain to benefit from an ISA Server 2004 firewall.
Q: How does ISA Server handle streaming media?
A: ISA Server 2004 includes application filters that manage complex media streaming connections. It specifically supports Microsoft Windows Media–based streaming, RealAudio and Apple QuickTime. ISA Server 2004 has dropped support for media stream splitting.
Q: How do ISA Server 2004 access policies differ from ISA Server 2000?
A: ISA Server 2000 access policy was based on Protocol Rules, Site and Content Rules, IP Packet Filters, Server Publishing Rules and Web Publishing Rules where deny rules were processed before allow rules. In contrast, ISA Server 2004 access policy is a single, unified ordered list of Firewall Rules that are applied from top to bottom. The rule highest on the list that matches the characteristics of the connection is applied.
Q: How does ISA Server 2004 support Exchange Server?
A: ISA Server 2004 provides a unique level of protection for Microsoft Exchange Servers. Remote access to Microsoft Exchange can be done in a highly secure fashion using ISA Server 2004 secure RPC publishing, secure Outlook Web Access Publishing, and secure POP3/IMAP4/SMTP publishing. The firewall performs SSL-to-SSL bridging, which provides a level of inspection of SSL stream content that no other firewall in ISA Server 2004’s class can provide. In addition, the ISA Server 2004 firewall can perform forms-based authentication on behalf of the OWA site on the internal network by generating the logon form itself. This prevents non-authenticated connections to the OWA site.
Q: Can I put a VPN Server behind the ISA Server 2004 firewall?
A: Yes. Unlike ISA Server 2000, you can publish non-TCP/UDP protocols (GRE) using ISA Server 2004. You can publish a PPTP or NAT-T compliant L2TP/IPSec VPN server located behind the ISA Server 2004 firewall. In fact, you can make the ISA Server 2004 firewall a VPN server itself and publish a VPN server located behind the ISA Server 2004 firewall.
Q: What is ISA Server 2004 Multinetworking?
A: ISA Server 2004 multinetworking greatly increases the flexibility you have in deploying the firewall and expands on the LAT-based network view used by ISA Server 2000 firewalls. ISA Server 2004 firewalls apply firewall policy to all network interfaces and the firewall administrator can set the routing relationship between these interfaces. Each Firewall Rule includes a reference to the source and destination network. Unlike with other firewalls, you do not need to create rules for each interface because the ISA Server 2004 firewall automatically creates the required stateful filters to allow or deny the connection based on interfaces used for the source and destination networks.
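To make the two access-policy models and the network-based rules concrete, here is an added example written for this page (it is not code from the book or from ISA Server itself). It evaluates one small rule set under the ISA Server 2000 ordering described above (deny rules take precedence over allow rules wherever they sit in the list) and under the ISA Server 2004 ordering (first matching rule in the list wins), and it lets each rule name a source and a destination network with a route/NAT relationship between them, as the multinetworking answer describes. The network ranges, relationships, rules and connections are constructed sample data, and the ISA Server 2000 model is simplified to the ordering point the text makes.

```python
"""Added example (not from the book or ISA Server): contrasts ISA Server 2000
style access policy (deny rules always win over allow rules) with ISA Server
2004 style (one ordered list, first match wins), using rules that reference a
source and destination network. All networks, rules and connections below are
constructed sample data."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample networks (assumption: these ranges are not from the page).
NETWORKS = {
    "Internal": [ip_network("10.0.0.0/8")],
    "DMZ": [ip_network("192.168.100.0/24")],
    "External": [ip_network("0.0.0.0/0")],
}

# Routing relationship between network pairs: "route" keeps the source address,
# "NAT" rewrites it to the firewall's address on the destination side.
RELATIONSHIPS = {
    ("Internal", "External"): "NAT",
    ("Internal", "DMZ"): "route",
    ("DMZ", "External"): "NAT",
}

def network_of(addr):
    """Return the most specific named network containing addr."""
    ip = ip_address(addr)
    best, best_len = None, -1
    for name, ranges in NETWORKS.items():
        for net in ranges:
            if ip in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best

@dataclass(frozen=True)
class Rule:
    name: str
    action: str    # "allow" or "deny"
    protocol: str  # e.g. "HTTP"; "*" means any protocol
    src_net: str   # network name or "*"
    dst_net: str   # network name or "*"

def matches(rule, conn):
    """True if the rule's protocol and network references fit the connection."""
    return (rule.protocol in ("*", conn["protocol"])
            and rule.src_net in ("*", network_of(conn["src"]))
            and rule.dst_net in ("*", network_of(conn["dst"])))

def evaluate_isa2000(rules, conn):
    """ISA 2000 model (simplified): any matching deny rule wins over any allow
    rule regardless of position; no match at all means deny."""
    for r in rules:
        if r.action == "deny" and matches(r, conn):
            return "deny", r.name
    for r in rules:
        if r.action == "allow" and matches(r, conn):
            return "allow", r.name
    return "deny", None

def evaluate_isa2004(rules, conn):
    """ISA 2004 model: rules form an ordered list; the first match is applied."""
    for r in rules:
        if matches(r, conn):
            return r.action, r.name
    return "deny", None  # implicit default deny at the bottom of the list

def routing_action(conn):
    """Whether the firewall would route or NAT this connection, based on the
    relationship configured between the source and destination networks."""
    pair = (network_of(conn["src"]), network_of(conn["dst"]))
    return RELATIONSHIPS.get(pair, "route")

# Constructed rule set: an early allow for web traffic from Internal to
# External, followed by a broad deny of everything else from Internal to External.
RULES = [
    Rule("Allow web", "allow", "HTTP", "Internal", "External"),
    Rule("Block all other outbound", "deny", "*", "Internal", "External"),
    Rule("Allow DMZ web", "allow", "HTTP", "Internal", "DMZ"),
]

# Constructed connections.
WEB_OUT = {"protocol": "HTTP", "src": "10.1.2.3", "dst": "203.0.113.10"}
FTP_OUT = {"protocol": "FTP", "src": "10.1.2.3", "dst": "203.0.113.10"}
DMZ_WEB = {"protocol": "HTTP", "src": "10.1.2.3", "dst": "192.168.100.5"}

if __name__ == "__main__":
    for label, conn in [("web out", WEB_OUT), ("ftp out", FTP_OUT), ("dmz web", DMZ_WEB)]:
        print(label, "| ISA 2000:", evaluate_isa2000(RULES, conn),
              "| ISA 2004:", evaluate_isa2004(RULES, conn),
              "|", routing_action(conn))
```

The "web out" connection is the instructive case: the same rule list allows it under first-match evaluation but denies it under deny-first evaluation, because the broad deny rule beneath the allow rule still matches. This is why a rule set carried over from ISA Server 2000 has to be re-ordered with intent rather than copied, and why the position of a deny rule in an ISA Server 2004 list is part of its meaning.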
Q: What is the Firewall System Policy?
A: Firewall System Policy is a default set of Firewall Rules that allows the ISA Server 2004 firewall to communicate with vital network infrastructure services on the internal network. The Firewall System Policy takes effect immediately after the ISA Server 2004 software is installed. The firewall administrator can adjust Firewall System Policy after the firewall is started the first time.
Q: What VPN Protocols does ISA Server 2004 support?
A: ISA Server 2004 supports PPTP and L2TP/IPSec for client/server VPN connections. When ISA Server 2004 is installed on Windows Server 2003, the VPN client can take advantage of IPSec NAT traversal (NAT-T). This allows the VPN client, VPN server, or both to be located behind NAT devices and use a secure L2TP/IPSec connection. ISA Server 2004 firewalls support PPTP, L2TP/IPSec, and IPSec tunnel mode for site-to-site VPN links.
Q: What is Application Layer Filtering?
A: Application layer filtering allows the ISA Server 2004 firewall to determine the validity of communications moving through it by examining application layer protocol commands and data. The ISA Server 2004 firewall is configured to recognize legitimate commands and data for the application layer protocol, then pass valid connections and reject invalid ones. Traditional firewalls are not able to assess the validity of a connection attempt or message because they are only aware of source and destination IP addresses and port numbers. Traditional firewalls pass exploit code because they do not understand application layer protocols. ISA Server 2004 firewalls have a deep understanding of the most popular application layer protocols used on the Internet today. This understanding allows ISA Server 2004 firewalls to protect your network from known and unknown exploits now and in the future.
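The contrast between a port-aware filter and an application-layer filter is easier to see in code. The following is an added illustration written for this page, not code from the book and not ISA Server's own HTTP filter (which is far more thorough): a packet filter that only knows "TCP to port 80" passes every sample, while a small HTTP filter parses the request and rejects anything that is not a well-formed request using a permitted method. The allowed-method list, the header size cap and the sample payloads are constructed assumptions for the example.

```python
"""Added example (not from the book or ISA Server): a port-based packet filter
beside a minimal HTTP application layer filter, run over constructed payloads
that all arrive on TCP port 80. The method allow list and size cap are
assumptions for this example, not ISA Server settings."""
import re

ALLOWED_METHODS = {"GET", "HEAD", "POST"}   # assumption: site policy for this example
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")
HEADER_LINE = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+:[ \t]*[^\r\n]*$")
MAX_HEADER_BYTES = 8192  # assumption: cap on the request header block

def packet_filter(dst_port, payload):
    """Traditional filter: decides on port alone; the payload is opaque to it."""
    return "allow" if dst_port == 80 else "deny"

def http_filter(dst_port, payload):
    """Application layer filter: the port must be right AND the bytes must form
    a valid HTTP request whose method is on the allow list. Returns (verdict, reason)."""
    if dst_port != 80:
        return "deny", "port not allowed"
    if len(payload) > MAX_HEADER_BYTES:
        return "deny", "header block too large"
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return "deny", "non-ASCII bytes in request header"
    head, sep, _body = text.partition("\r\n\r\n")
    if not sep:
        return "deny", "request header not terminated"
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return "deny", "malformed request line"
    method, target = m.group(1), m.group(2)
    if method not in ALLOWED_METHODS:
        return "deny", f"method {method} not permitted"
    if not (target.startswith("/") or target.startswith("http://")):
        return "deny", "unexpected request target"
    for h in lines[1:]:
        if not HEADER_LINE.match(h):
            return "deny", "malformed header line"
    return "allow", f"{method} {target}"

# Constructed samples: every one is sent to TCP port 80, so a port-only filter
# treats them identically.
SAMPLES = {
    "normal": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "not http": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1" + b"\x00" * 20,
    "odd method": b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "bad header": b"GET / HTTP/1.1\r\nHost www.example.com\r\n\r\n",
}

def compare(samples):
    """Return {name: (packet filter verdict, HTTP filter verdict)} for each sample."""
    return {name: (packet_filter(80, p), http_filter(80, p)[0])
            for name, p in samples.items()}

if __name__ == "__main__":
    for name, (pf, hf) in compare(SAMPLES).items():
        print(f"{name:12s} packet filter: {pf:5s}  http filter: {hf}")
```

Only the "normal" sample survives the HTTP filter; the other three are indistinguishable from it to a filter that sees nothing but port 80. The design point is that the filter describes what legitimate traffic looks like and rejects everything else, which is what lets an application-layer firewall block traffic it has never seen a signature for.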
Q: Does ISA Server 2004 Application Layer Filtering have an effect on performance?
A: Deep inspection of application layer protocol commands and data does incur some memory, disk, and processing overhead. The level of overhead is determined by the number of rules and communications per second the firewall evaluates. Larger Firewall Rule sets generate greater overhead than smaller ones. ISA Server 2004 includes a built-in Performance console you can use to evaluate the effects of different rule set configurations. Because ISA Server 2004 runs on PC architecture hardware, it’s simple to upgrade the hardware component that performance analysis indicates is causing a bottleneck. Traditional hardware firewalls require that you purchase a new license, or worse, purchase a new device when hardware upgrades are required.
Q: Can I customize the presentation of the information displayed in ISA Server 2004 reports?
A: The ISA Server 2004 reporting engine allows you to customize many components of the built-in ISA Server 2004 reports. For example, you can increase the number of user names that appear in the Web usage report, the number of sites that appear in the Web usage report, and the sort order of applications that appear in the application usage report. This is just a small sample of the customizations you can make to the ISA Server 2004 reports.