ISA Server 2006 Lab Manual

Nov 27, 2014

Alfredo Saw
Page 1: ISA 2006 Lab Manual

ISA Server 2006

Lab Manual

2 of 106

Lab Summary

Contents

There are nine modules in this lab. You can complete each of these lab modules independently of the other modules.

The monitor icons ( ) indicate which virtual machines are needed.

The 06 code indicates exercises that are specific to ISA Server 2006.

The EE code indicates exercises that are specific to ISA Server Enterprise Edition.

The up arrow ( ) indicates exercises that depend on the previous exercise.

Lab Summary ............................................................................................... 2

Module A: Introduction to ISA Server ........................................................ 6

Exercise 1 Exploring the User Interface ..................................................... 6

Exercise 2 Ease of Use: Multiple Networks ............................................... 7

Exercise 3 Ease of Use: Single Rule Base ................................................ 9

Exercise 4 Ease of Use: Monitoring ......................................................... 10

Module B: Configuring Outbound Internet Access ................................. 11

Exercise 1 Allowing Outbound Web Access from Client Computers........ 11

Exercise 2 Enabling the Use of the Ping command from Client Computers ...................................................................................................................... 14

Exercise 3 Allowing Outbound Access from the ISA Server .................... 15

Exercise 4 Configuring ISA Server 2006 for Flood Resiliency ................. 17

Module C: Publishing Web Servers and Other Servers .......................... 20

Exercise 1 Publishing a Web Server in the Internal Network ................... 20

Exercise 2 Publishing the Web Server on the ISA Server Computer ....... 22

Exercise 3 Performing Link Translation on a Published Web Server ....... 25

Exercise 4 Using Cross-Site Link Translation to Publish SharePoint Server ........................................................................................................... 26

Exercise 5 Publishing a Web Farm for Load Balancing ........................... 28

Exercise 6 Publishing Multiple Terminal Servers ..................................... 33

Module D: Publishing an Exchange Server ............................................. 37

Exercise 1 Publishing Exchange Web Access - Certificate Management 37

Exercise 2 Publishing an Exchange Server for SMTP and POP3 ............ 41

Exercise 3 Publishing an Exchange Server for Outlook (RPC) ................ 42

Exercise 4 Publishing an Exchange Server for RPC over HTTP ............. 44

Module E: Enabling VPN Connections ..................................................... 50

Exercise 1 Configuring ISA Server to Accept Incoming VPN Connections ...................................................................................................................... 50

Exercise 2 Configuring a Client Computer to Establish a VPN Connection ...................................................................................................................... 52

Exercise 3 Allowing Internal Network Access for VPN Clients ................. 54

Exercise 4 Configuring VPN Quarantine on ISA Server........................... 55

Exercise 5 Creating and Distributing a Connection Manager Profile........ 58

Exercise 6 Using VPN Quarantine on the Client Computer ..................... 62

Module F: ISA Server 2006 as Branch Office Gateway ........................... 65

Exercise 1 Configuring HTTP Compression to Reduce Bandwidth Usage ...................................................................................................................... 65

Exercise 2 Configuring ISA Server to Cache BITS Content ..................... 69

Exercise 3 Configuring DiffServ Settings to Prioritize Network Traffic ..... 71

Module G: Enterprise Management of ISA Servers ................................ 73

Exercise 1 Enterprise Policies and Array Policies .................................... 73

Exercise 2 Remote Management and Role-based Administration ........... 77

Exercise 3 Working with Configuration Storage Servers (Optional) ......... 81

Module H: Configuring Load Balancing ................................................... 84

Exercise 1 Configuring Network Load Balancing (NLB) ........................... 84

Exercise 2 Examining Details on NLB ...................................................... 88

Exercise 3 Using CARP to Distribute Cache Content .............................. 94

Exercise 4 Using CARP and Scheduled Content Download Jobs ........... 98

Module I: Using Monitoring, Alerting and Logging ............................... 102

Exercise 1 Monitoring the ISA Server .................................................... 102

Exercise 2 Checking Connectivity from the ISA Server ......................... 103

Exercise 3 Logging Client Computer Access ......................................... 105

Lab Setup

To complete each lab module, you need to review the following:

Virtual PC

This lab makes use of Microsoft Virtual PC 2004, which is an application that allows you to run multiple virtual computers on the same physical hardware. During the lab you will switch between different windows, each of which contains a separate virtual machine running Windows Server 2003.

Before you start the lab, familiarize yourself with the following basics of Virtual PC:

To issue the Ctrl-Alt-Del keyboard combination inside a virtual machine, use <right>Alt-Del instead.

To enlarge the size of the virtual machine window, drag the bottom right corner of the window.

To switch to full-screen mode, and to return from full-screen mode, press <right>Alt-Enter.

Lab Computers

The lab uses five computers in virtual machines.

Denver.contoso.com (green) is the domain controller for the contoso.com domain on the Internal network. Denver runs DNS, RADIUS, Exchange 2003 SP1 and SharePoint Services 2.0, and is also the Certification Authority (CA).

Istanbul.fabrikam.com (purple) is the Web server and client computer on the External network (Internet). Istanbul runs Outlook 2003. Istanbul is not a member of a domain.

Paris (red) runs ISA Server 2006 Standard Edition. Paris has three network adapters, which connect to the Internal network, the Perimeter network and the External network (Internet). The Perimeter network is not used in this lab.

Florence (red) and Firenze (red) run ISA Server 2006 Enterprise Edition. Both computers have three network adapters. Florence and Firenze are in an array named Italy. Only Florence runs the Configuration Storage server (CSS).

The computers cannot communicate with the host computer.

To allow you to examine and understand the traffic on the network, Microsoft Network Monitor 5.2, which is part of Windows Server 2003, is installed in each virtual machine.

To start the lab

Before you can do any of the lab modules, you need to start the virtual machines, and then you need to log on to the computers.

In each exercise you only have to start the virtual machines that are needed.

To start any virtual machine:

1. On the desktop, double-click the shortcut Open ISA 2006 Lab Folder.

2. In the lab folder, double-click any of the Start computer scripts. (For example: double-click Start Paris to start the Paris computer.)

3. When the logon dialog box has appeared, log on to the computer.

To log on to a computer in a virtual machine:

1. Press <right>Alt-Del (instead of Ctrl-Alt-Del) to open the logon dialog box.

2. Type the following information, and then click OK: User name: Administrator; Password: password.

3. You can now start with the exercises in this lab manual.

Enjoy the lab!

Comments and feedback

Please send any comments, feedback or corrections regarding the virtual machines or the lab manual to:

Module A: Introduction to ISA Server

Exercise 1: Exploring the User Interface

In this exercise, you will explore the user interface of ISA Server.

Note that the steps in this exercise, and the other exercises in this module, do not enable, configure or test the functionality of ISA Server. In later modules, the functionality is configured and used in scenarios.

Perform the following steps on the Paris computer.

1. On the Paris computer, explore the task pane.

a. On the Paris computer, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.

b. In the ISA Server console, in the left pane, expand Paris, expand Configuration, and then select Add-ins.

c. Drag the vertical divider between the tree pane (left) and the details pane, to make the details pane area larger or smaller.

d. On the vertical divider between the details pane and the task pane, click the arrow button.

e. Click the arrow button again.

f. Ensure that in the left pane, the Add-ins node is selected, and then in the right pane, on the Web Filters tab, select (for example) RADIUS Authentication Filter.

g. In the right pane, right-click RADIUS Authentication Filter.

h. In the task pane, select the Help tab.

i. In the task pane, select the Tasks tab.

The following task is related to the use of Virtual PC.

2. Explore how you can make the Virtual PC window larger, or switch to full-screen mode.

a. Drag the bottom right corner of the Paris window, to make the window larger or smaller.

b. Press the Ctrl key, and then drag the bottom right corner of the Virtual PC window, to snap the window size to standard resolutions, such as 800x600.

c. Press <right>Alt-Enter.

d. If a warning message box appears, click Continue to confirm that you can press <right>Alt-Enter again to return from full-screen mode.

e. Press <right>Alt-Enter again to return from full-screen mode.

3. Explore the main nodes in the ISA Server console: Configuration, Networks, Firewall Policy and Monitoring.

a. In the ISA Server console, in the left pane, select Configuration.

b. In the left pane, select Networks.

c. In the left pane, select Firewall Policy.

d. If the task pane is closed, click the arrow button to open the task pane.

e. In the task pane, on the Toolbox tab, click the Protocols heading, and then click Common Protocols.

f. In the task pane, on the Toolbox tab, click the Users heading, and then click New.

g. Click Cancel to close the New User Set Wizard.

h. In the left pane, select Monitoring.

i. On the Dashboard tab, click the Sessions summary box header.

4. Explore the Export and Import configuration commands.

a. In the ISA Server console, in the left pane, right-click Paris.

Exercise 2: Ease of Use: Multiple Networks

In this exercise, you will explore how ISA Server uses multiple networks.

Perform the following steps on the Paris computer.

1. On the Paris computer, explore how ISA Server uses multiple networks with IP address ranges, instead of the concept of a Local Address Table (LAT).

a. On the Paris computer, in the ISA Server console, in the left pane, expand Paris, expand Configuration, and then select Networks.

b. In the right pane, on the (lower) Networks tab, right-click Internal, and then click Properties.

c. In the Internal Properties dialog box, select the Addresses tab.

d. Click Cancel to close the Internal Properties dialog box.

e. On the Network Sets tab, right-click All Protected Networks and then click Properties.

f. In the All Protected Networks Properties dialog box, select the Networks tab.

g. Click Cancel to close the All Protected Networks Properties dialog box.

h. On the Start menu, click Control Panel, and then click Network Connections.

i. Click the Start button again to close the Start menu.

2. Explore how Network Rules define Network Address Translation (NAT) or routing of IP packets between networks. For demonstration purposes, create and discard a new network rule.

a. In the ISA Server console, in the left pane, ensure that Networks is selected.

b. In the right pane, select the Network Rules tab.

c. In the task pane, on the Tasks tab, click Create a Network Rule.

d. In the New Network Rule Wizard dialog box, in the Network rule name text box, type VPN Perimeter Access, and then click Next.

e. On the Network Traffic Sources page, click Add.

f. In the Add Network Entities dialog box, click Networks, click VPN Clients, and click Add, and then click Close to close the Add Network Entities dialog box.

g. On the Network Traffic Sources page, click Next.

h. On the Network Traffic Destinations page, click Add.

i. In the Add Network Entities dialog box, click Networks, click Perimeter, and click Add, and then click Close to close the Add Network Entities dialog box.

j. On the Network Traffic Destinations page, click Next.

k. On the Network Relationship page, select Route, and then click Next.

l. On the Completing the New Network Rule Wizard page, click Finish.

m. On the top of the right pane, click Discard to remove the unsaved changes, such as the new VPN Perimeter Access rule.

n. Click Yes to confirm that you want to discard the changes.

3. Explore how network templates are used to configure network rules and firewall policy rules.

a. In the ISA Server console, in the left pane, ensure that Networks is selected.

b. In the task pane, select the Templates tab.

c. On the Templates tab, click 3-Leg Perimeter.

d. In the Network Template Wizard dialog box, click Next.

e. On the Export the ISA Server Configuration page, click Next.

f. On the Internal Network IP Addresses page, click Next.

g. On the Perimeter Network IP Addresses page, click Next.

h. On the Select a Firewall Policy page, in the Select a firewall policy list box, select Allow limited Web access, allow access to network services on Perimeter network.

i. In the Description list box, scroll to the end of the text to see a description of the firewall policy rules that are created, if this firewall policy is selected.

j. On the Select a Firewall Policy page, click Next.

k. On the Completing the Network Template Wizard page, click CANCEL (do NOT click Finish).

4. Explore the client support configuration settings per network.

a. In the ISA Server console, in the left pane, ensure that Networks is selected, and then in the right pane, select the (lower) Networks tab.

b. Right-click Internal, and then click Properties.

c. In the Internal Properties dialog box, select the Firewall Client tab.

d. Select the Web Proxy tab.

e. Click Cancel to close the Internal Properties dialog box.

Exercise 3: Ease of Use: Single Rule Base

In this exercise, you will explore how ISA Server uses a single list of firewall rules.

Perform the following steps on the Paris computer.

1. On the Paris computer, explore the single firewall policy rule list. Create an access rule: Name: Allow Web traffic to Internet; Applies to: HTTP; From network: Internal; To network: External.

a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.

b. In the right pane, on the Firewall Policy tab, select Default rule.

c. In the task pane, on the Tasks tab, click Create Access Rule.

d. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow Web traffic to Internet, and then click Next.

e. On the Rule Action page, select Allow, and then click Next.

f. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.

g. In the Add Protocols dialog box, click Web, click HTTP, and click Add, and then click Close to close the Add Protocols dialog box.

h. On the Protocols page, click Next.

i. On the Access Rule Sources page, click Add.

j. In the Add Network Entities dialog box, click Networks, click Internal, and click Add, and then click Close to close the Add Network Entities dialog box.

k. On the Access Rule Sources page, click Next.

l. On the Access Rule Destinations page, click Add.

m. In the Add Network Entities dialog box, click Networks, click External, and click Add, and then click Close to close the Add Network Entities dialog box.

n. On the Access Rule Destinations page, click Next.

o. On the User Sets page, click Next.

p. On the Completing the New Access Rule Wizard page, click Finish.

q. Do NOT click Apply to apply the new rule.

2. Add the HTTPS and FTP protocol to the Allow Web traffic to Internet access rule.

a. In the task pane, on the Toolbox tab, in the Protocols section, click Web.

b. Drag HTTPS from the Toolbox to HTTP in the Protocols column of the Allow Web traffic to Internet access rule.

c. Drag FTP from the Toolbox to HTTP/HTTPS in the Protocols column of the Allow Web traffic to Internet access rule.

d. Click the box with the minus sign in front of the Allow Web traffic to Internet access rule to display the access rule with multiple protocols on a single line.

3. Explore the properties of the Allow Web traffic to Internet access rule.

a. Right-click the Allow Web traffic to Internet access rule, and then click Properties.

b. In the Allow Web traffic to Internet Properties dialog box, on the Protocols tab, click Add.

c. In the Add Protocols dialog box, click Common Protocols.

d. Click Close to close the Add Protocols dialog box.

e. On the To tab, click Add.

f. Click Close to close the Add Network Entities dialog box.

g. On the From tab, click Add.

h. In the Add Network Entities dialog box, click Networks.

i. Click Close to close the Add Network Entities dialog box.

j. Click Cancel to close the Allow Web traffic to Internet Properties dialog box.

4. Explore the HTTP protocol scanning features of the Allow Web traffic to Internet access rule. For demonstration purposes, configure the rule to block HTTP traffic from MSN Messenger. HTTP Header: User-Agent: MSMSGS

a. Right-click the Allow Web traffic to Internet access rule, and then click Configure HTTP.

b. In the Configure HTTP policy for rule dialog box, examine the five tabs with the HTTP filter settings.

c. On the Signatures tab, click Add.

d. In the Signature dialog box, complete the following information:

Name: MSN Messenger traffic

Search in: Request headers

HTTP Header: User-Agent

Signature: MSMSGS and then click OK.

e. Click OK to close the Configure HTTP policy for rule dialog box.

5. Explore the System Policy Rules in the Firewall Policy.

a. In the left pane, ensure that Firewall Policy is selected.

b. In the task pane, on the Tasks tab, click Show System Policy Rules.

c. In the task pane, on the Tasks tab, click Edit System Policy.

d. Click Cancel to close the System Policy Editor dialog box.

e. In the task pane, on the Tasks tab, click Hide System Policy Rules.

6. Discard the Allow Web traffic to Internet access rule.

a. In the right pane, click Discard to remove the unsaved Allow Web traffic to Internet access rule.

b. Click Yes to confirm that you want to discard the changes.

Exercise 4: Ease of Use: Monitoring

In this exercise, you will explore the monitoring features of ISA Server.

Perform the following steps on the Paris computer.

1. On the Paris computer, explore the new Monitoring features in ISA Server.

a. On the Paris computer, in the ISA Server console, in the left pane, expand Paris, and then select Monitoring.

b. Select the Alerts tab.

c. Select the Sessions tab.

d. Select the Services tab.

e. Select the Reports tab.

f. Select the Connectivity Verifiers tab.

g. Select the Logging tab.

h. In the task pane, on the Tasks tab, click Configure Firewall Logging.

i. Click Cancel to close the Firewall Logging Properties dialog box.

j. Close the ISA Server console.

Module B: Configuring Outbound Internet Access

Exercise 1: Allowing Outbound Web Access from Client Computers

In this exercise, you will configure ISA Server to allow outbound Web access for client computers on the internal network.

Perform the following steps on the Denver computer.

1. On the Denver computer, test your connectivity by opening Internet Explorer and attempting to connect to http://istanbul.fabrikam.com.

a. On the Denver computer, open Internet Explorer. In the Address box, type http://istanbul.fabrikam.com, and then press Enter.

b. Look at the bottom of the Web page and view the reason why the Web page cannot be displayed.

c. Close Internet Explorer.

Perform the following steps on the Paris computer.

2. On the Paris computer, create a new access rule: Name: Allow outbound Web traffic; Applies to: HTTP, HTTPS, FTP; From network: Internal; To network: External.

a. On the Paris computer, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.

b. In the ISA Server console, expand Paris, and then select Firewall Policy.

c. In the right pane, on the Firewall Policy tab, select Default rule.

d. In the task pane, on the Tasks tab, click Create Access Rule.

e. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow outbound Web traffic, and then click Next.

f. On the Rule Action page, select Allow, and then click Next.

g. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.

h. In the Add Protocols dialog box, click Common Protocols, click HTTP, and click Add, click HTTPS, and click Add, click Web, click FTP, and click Add, and then click Close to close the Add Protocols dialog box.

i. On the Protocols page, click Next.

j. On the Access Rule Sources page, click Add.

k. In the Add Network Entities dialog box, click Networks, click Internal, and click Add, and then click Close to close the Add Network Entities dialog box.

l. On the Access Rule Sources page, click Next.

m. On the Access Rule Destinations page, click Add.

n. In the Add Network Entities dialog box,

click Networks, click External, and click Add, and then click Close to close the Add Network Entities dialog box.

o. On the Access Rule Destinations page, click Next.

p. On the User Sets page, click Next.

q. On the Completing the New Access Rule Wizard page, click Finish.

3. Apply the changes.

a. Click Apply to apply the new rule, and then click OK.

4. Examine the network rule for connectivity between the Internal network and the External network.

a. In the left pane, expand Configuration, and then select Networks.

b. In the right pane, on the Network Rules tab, select the rule that defines the connectivity between the Internal network and the External network.

5. Examine the Web Proxy settings of the Internal network.

a. On the Networks tab, right-click Internal, and then click Properties.

b. In the Internal Properties dialog box, select the Web Proxy tab.

c. Click Cancel to close the Internal Properties dialog box.

Perform the following steps on the Denver computer.

6. On the Denver computer, test your connectivity again by opening Internet Explorer and connecting to http://istanbul.fabrikam.com, and by establishing an FTP session with istanbul.fabrikam.com.

a. On the Denver computer, open Internet Explorer. In the Address box, type http://istanbul.fabrikam.com, and then press Enter.

b. In Internet Explorer, on the Tools menu, click Internet Options.

c. In the Internet Options dialog box, on the Connections tab, click LAN Settings.

d. Click Cancel to close the Local Area Network (LAN) Settings dialog box.

e. Click Cancel to close the Internet Options dialog box.

f. Close Internet Explorer.

g. Open a Command Prompt window.

h. At the command prompt, type ftp istanbul.fabrikam.com, and then press Enter.

i. Type Ctrl-C to close the FTP session.

j. If the ftp> prompt appears, type quit, and then press Enter.

k. Close the Command Prompt window.

Perform the following steps on the Paris computer.

7. On the Paris computer, create a new Computer Set rule element: Name: Restricted Internal Computers; Included in the set: 10.1.1.5-10.1.1.8 (Domain Controllers).

a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.

b. In the task pane, on the Toolbox tab, in the Network Objects section, right-click Computer Sets, and then click New Computer Set.

c. In the New Computer Set Rule Element dialog box, in the Name text box, type Restricted Internal Computers.

d. Click Add, and then click Address Range.

e. In the New Address Range Rule Element dialog box, complete the following information:

Name: Domain Controllers

Start Address: 10.1.1.5

End Address: 10.1.1.8

Description: DCs on the internal network and then click OK.

f. Click OK to close the New Computer Set Rule Element dialog box.

8. Create a new access rule: Name: Deny restricted computers; Action: Deny; Applies to: All outbound traffic; From: Restricted Internal Computers; To network: External.

a. In the Firewall Policy list, select the Allow outbound Web traffic rule.

b. In the task pane, on the Tasks tab, click Create Access Rule.

c. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Deny restricted computers, and then click Next.

d. On the Rule Action page, select Deny, and then click Next.

e. On the Protocols page, in the This rule applies to list box, select All outbound traffic, and then click Next.

f. On the Access Rule Sources page, click Add.

g. In the Add Network Entities dialog box, click Computer Sets, click Restricted Internal Computers, and click Add, and then click Close to close the Add Network Entities dialog box.

h. On the Access Rule Sources page, click Next.

i. On the Access Rule Destinations page, click Add.

j. In the Add Network Entities dialog box,

click Networks, click External, and click Add, and then click Close to close the Add Network Entities dialog box.

k. On the Access Rule Destinations page, click Next.

l. On the User Sets page, click Next.

m. On the Completing the New Access Rule Wizard page, click Finish.

n. Click Apply to apply the new rule, and then click OK.

Perform the following steps on the Denver computer.

9. On the Denver computer, test your connectivity again by opening Internet Explorer and attempting to connect to http://istanbul.fabrikam.com.

a. On the Denver computer, open Internet Explorer. In the Address box, type http://istanbul.fabrikam.com, and then press Enter.

b. Close Internet Explorer.

Perform the following steps on the Paris computer.

10. On the Paris computer, move the Allow outbound Web traffic rule, before the Deny restricted computers rule.

a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.

b. In the right pane, right-click the Allow outbound Web traffic rule (order 2), and then click Move Up.

c. Click Apply to save the changes, and then click OK.

Perform the following steps on the Denver computer.

11. On the Denver computer, test your connectivity again by opening Internet Explorer and connecting to http://istanbul.fabrikam.com.

a. On the Denver computer, open Internet Explorer. In the Address box, type http://istanbul.fabrikam.com, and then press Enter.

Perform the following steps on the Paris computer.

12. On the Paris computer, delete the Deny restricted computers access rule.

a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.

b. In the right pane, right-click the Deny restricted computers rule, and then click Delete.

c. Click Yes to confirm that you want to delete the rule.

d. Click Apply to save the changes, and then click OK.
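The rule-order effect observed in steps 8 to 11 above, together with the User-Agent signature from Module A, Exercise 3, step 4, modelled as a small first-match policy evaluator. This is an added example, not ISA Server's own code; it assumes the Internal network is 10.1.1.0/24 and Denver is 10.1.1.5 (inside the Domain Controllers range), and uses a constructed address for Istanbul, which the manual does not give.

```python
import ipaddress

# Constructed lab addressing. Assumptions: the Internal network is 10.1.1.0/24
# (the manual only states that 10.1.1.5-10.1.1.8 are the domain controllers),
# External is every address outside the protected networks, Denver is 10.1.1.5,
# and Istanbul's external address is constructed (the manual does not give it).
DENVER = "10.1.1.5"
OTHER_CLIENT = "10.1.1.50"   # constructed internal client outside the restricted set
ISTANBUL = "39.1.1.10"


def _ip_range(start, end):
    return (int(ipaddress.ip_address(start)), int(ipaddress.ip_address(end)))


# Network objects the rules refer to, as inclusive integer address ranges.
ENTITIES = {
    "Internal": [_ip_range("10.1.1.0", "10.1.1.255")],
    # Computer Set from Module B, Exercise 1, step 7
    "Restricted Internal Computers": [_ip_range("10.1.1.5", "10.1.1.8")],
}
PROTECTED = ("Internal",)


def in_entity(name, ip):
    """True if ip belongs to the named network object."""
    if name == "External":
        return not any(in_entity(n, ip) for n in PROTECTED)
    addr = int(ipaddress.ip_address(ip))
    return any(lo <= addr <= hi for lo, hi in ENTITIES[name])


class AccessRule:
    def __init__(self, name, action, protocols, sources, destinations, signatures=()):
        self.name = name
        self.action = action              # "Allow" or "Deny"
        self.protocols = protocols        # set of names, or "All outbound traffic"
        self.sources = sources            # network object names
        self.destinations = destinations
        # HTTP filter signatures: (request header, substring) pairs that block
        # a request even though the rule itself allows HTTP
        self.signatures = list(signatures)

    def matches(self, src, dst, protocol):
        proto_ok = self.protocols == "All outbound traffic" or protocol in self.protocols
        return (proto_ok
                and any(in_entity(s, src) for s in self.sources)
                and any(in_entity(d, dst) for d in self.destinations))


def evaluate(policy, src, dst, protocol, headers=None):
    """First-match evaluation: walk the rules in order and let the first rule
    whose protocol, source and destination all match decide. Rules below it
    are never consulted, which is why rule order matters.
    Returns (decision, deciding rule)."""
    for rule in policy:
        if not rule.matches(src, dst, protocol):
            continue
        if rule.action == "Allow" and protocol == "HTTP" and headers:
            for header, needle in rule.signatures:
                if needle in headers.get(header, ""):
                    return ("Deny", f"{rule.name} (HTTP filter signature {needle})")
        return (rule.action, rule.name)
    return ("Deny", "Default rule")   # the built-in last rule denies everything


# Rules as created in Module B, Exercise 1 (steps 2 and 8).
ALLOW_WEB = AccessRule("Allow outbound Web traffic", "Allow",
                       {"HTTP", "HTTPS", "FTP"}, ["Internal"], ["External"])
DENY_RESTRICTED = AccessRule("Deny restricted computers", "Deny",
                             "All outbound traffic",
                             ["Restricted Internal Computers"], ["External"])
# Rule from Module A, Exercise 3, step 4, with the MSN Messenger signature.
ALLOW_WEB_FILTERED = AccessRule("Allow Web traffic to Internet", "Allow",
                                {"HTTP", "HTTPS", "FTP"}, ["Internal"], ["External"],
                                signatures=[("User-Agent", "MSMSGS")])

POLICY_AFTER_STEP_8 = [DENY_RESTRICTED, ALLOW_WEB]   # deny rule above the allow rule
POLICY_AFTER_STEP_10 = [ALLOW_WEB, DENY_RESTRICTED]  # allow rule moved up


if __name__ == "__main__":
    for label, policy in (("step 8", POLICY_AFTER_STEP_8), ("step 10", POLICY_AFTER_STEP_10)):
        print(label, "Denver HTTP:", evaluate(policy, DENVER, ISTANBUL, "HTTP"))
        print(label, "Denver SMTP:", evaluate(policy, DENVER, ISTANBUL, "SMTP"))
    msn = {"User-Agent": "MSMSGS"}
    print("MSN over HTTP:", evaluate([ALLOW_WEB_FILTERED], DENVER, ISTANBUL, "HTTP", msn))
```

After the move in step 10 Denver's Web traffic is allowed, but its other outbound protocols are still caught by the deny rule further down, which is the behaviour to check before deleting it in step 12.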

Exercise 2: Enabling the Use of the Ping command from Client Computers

In this exercise, you will configure ISA Server to allow the ICMP network traffic used by the Ping command from client computers on the internal network.

Perform the following steps on the Denver computer.

1. On the Denver computer, use the Ping command to test connectivity with istanbul.fabrikam.com

a. On the Denver computer, open a Command Prompt window.

b. At the command prompt, type ping istanbul.fabrikam.com, and then press Enter.

c. Close the Command Prompt window.

Perform the following steps on the Paris computer.

2. On the Paris computer, create a new access rule: Name: Allow outbound Ping traffic; Applies to: PING; From network: Internal; To network: External.

a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.

b. In the right pane, select the first rule to indicate where the new rule is added to the rule list.

c. In the task pane, on the Tasks tab, click Create Access Rule.

d. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow outbound Ping traffic, and then click Next.

e. On the Rule Action page, click Allow, and then click Next.

f. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.

g. In the Add Protocols dialog box,

click Common Protocols, click PING, and click Add, and then click Close to close the Add Protocols dialog box.

h. On the Protocols page, click Next.

i. On the Access Rule Sources page, click Add.

j. In the Add Network Entities dialog box, click Networks, click Internal, and click Add, and then click Close to close the Add Network Entities dialog box.

k. On the Access Rule Sources page, click Next.

l. On the Access Rule Destinations page, click Add.

m. In the Add Network Entities dialog box, click Networks, click External, and click Add, and then click Close to close the Add Network Entities dialog box.

n. On the Access Rule Destinations page, click Next.

o. On the User Sets page, click Next.

p. On the Completing the New Access Rule Wizard page, click Finish.

q. Click Apply to apply the new rule, and then click OK.

3. Examine the PING protocol definition.

a. In the task pane, on the Toolbox tab, in the Protocols section, expand Common Protocols, right-click PING, and then click Properties.

b. In the PING Properties dialog box, select the Parameters tab.

c. Click Cancel to close the PING Properties dialog box.

Perform the following steps on the Denver computer.

4. On the Denver computer, use the Ping command to test connectivity with istanbul.fabrikam.com again.

a. On the Denver computer, open a Command Prompt window.

b. At the command prompt, type ping istanbul.fabrikam.com, and then press Enter.

c. Close the Command Prompt window.

Perform the following steps on the Istanbul computer.

5. On the Istanbul computer, use the Ping command to test connectivity with the ISA Server.

a. On the Istanbul computer, open a Command Prompt window.

b. At the command prompt, type ping 39.1.1.1, and then press Enter.

c. Close the Command Prompt window.

Exercise 3: Allowing Outbound Access from the ISA Server

In this exercise, you will configure ISA Server to allow outbound access from the ISA Server computer.

Perform the following steps on the Paris computer.

1. On the Paris computer, test your connectivity by attempting to establish an FTP session with istanbul.fabrikam.com.

a. On the Paris computer, open a Command Prompt window.

b. At the command prompt, type ftp istanbul.fabrikam.com, and then press Enter.

c. At the ftp> prompt, type quit, and then press Enter.

d. Close the Command Prompt window.

2. Create a new access rule. Name: Allow FTP from firewall; Applies to: FTP; From network: Local Host; To network: External.

a. In the ISA Server console, in the left pane, select Firewall Policy.

b. In the right pane, select the first rule to indicate where the new rule is added to the rule list.

c. In the task pane, on the Tasks tab, click Create Access Rule.

d. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow FTP from firewall, and then click Next.

e. On the Rule Action page, click Allow, and then click Next.

f. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.

g. In the Add Protocols dialog box, click Web, click FTP, click Add, and then click Close to close the Add Protocols dialog box.

h. On the Protocols page, click Next.

i. On the Access Rule Sources page, click Add.

j. In the Add Network Entities dialog box, click Networks, click Local Host, click Add, and then click Close to close the Add Network Entities dialog box.

k. On the Access Rule Sources page, click Next.

l. On the Access Rule Destinations page, click Add.

m. In the Add Network Entities dialog box, click Networks, click External, click Add, and then click Close to close the Add Network Entities dialog box.

n. On the Access Rule Destinations page, click Next.

o. On the User Sets page, click Next.

p. On the Completing the New Access Rule Wizard page, click Finish.

q. Click Apply to apply the new rule, and then click OK.

3. Test your connectivity again by establishing an FTP session with istanbul.fabrikam.com.

a. Open a Command Prompt window.

b. At the command prompt, type ftp istanbul.fabrikam.com, and then press Enter.

c. Press Ctrl+C to close the FTP session.

d. If the ftp> prompt appears, type quit, and then press Enter.

e. Close the Command Prompt window.

4. Show the System Policy Rules in the Firewall Policy. System policy rules are predefined rules, hidden from the rule list by default and evaluated before the firewall policy, that allow the traffic ISA Server itself needs.

a. In the ISA Server console, in the left pane, select Firewall Policy.

b. In the task pane, on the Tasks tab, click Show System Policy Rules.

5. Test your connectivity by opening Internet Explorer and connecting to http://istanbul.fabrikam.com, and by using the Ping command to istanbul.fabrikam.com and to denver.contoso.com.

a. Open Internet Explorer. In the Address box, type http://istanbul.fabrikam.com, and then press Enter.

b. Close Internet Explorer.

c. Open a Command Prompt window.

d. At the command prompt, type ping istanbul.fabrikam.com, and then press Enter.

e. At the command prompt, type ping denver.contoso.com, and then press Enter.

f. Close the Command Prompt window.

6. Hide the System Policy Rules in the Firewall Policy.

a. In the ISA Server console, in the left pane, select Firewall Policy.

b. In the task pane, on the Tasks tab, click Hide System Policy Rules.

c. Close the ISA Server console.
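Added example, not part of the lab manual and not ISA Server code: a small Python model of the rule evaluation behind Exercises 2 and 3. It classifies addresses into the Local Host, Internal and External networks, walks an ordered rule base (system policy first, then firewall policy, then the default deny) and returns the first match. The lab addresses are taken from the manual; the 10.1.1.0/24 mask for the Internal network, the Istanbul address 42.1.0.10 and the name of the ping rule are assumptions.

```python
"""Model of ISA Server access-rule evaluation (added example, not ISA code):
ordered rules, first match wins, sources and destinations are named networks,
and the firewall's own addresses are Local Host rather than Internal."""
import ipaddress
from dataclasses import dataclass

# The firewall's own interface addresses form the Local Host network
# (Paris: 10.1.1.1 internal, 39.1.1.1 external, as used in the lab).
LOCAL_HOST = {ipaddress.ip_address("10.1.1.1"), ipaddress.ip_address("39.1.1.1")}
INTERNAL = ipaddress.ip_network("10.1.1.0/24")   # assumed Internal address range


def network_of(ip):
    """Classify an address: Local Host beats Internal, everything else is External."""
    addr = ipaddress.ip_address(ip)
    if addr in LOCAL_HOST:
        return "Local Host"
    if addr in INTERNAL:
        return "Internal"
    return "External"


@dataclass
class Rule:
    name: str
    action: str                   # "allow" or "deny"
    protocols: frozenset          # protocol names; {"*"} means all outbound traffic
    sources: frozenset            # network names
    destinations: frozenset       # network names
    system_policy: bool = False   # system policy is evaluated before firewall policy


def evaluate(rules, src_ip, dst_ip, protocol):
    """First matching rule wins: system policy rules, then firewall policy in
    list order, then the implicit default deny."""
    src_net, dst_net = network_of(src_ip), network_of(dst_ip)
    ordered = [r for r in rules if r.system_policy] + [r for r in rules if not r.system_policy]
    for rule in ordered:
        proto_ok = "*" in rule.protocols or protocol in rule.protocols
        if proto_ok and src_net in rule.sources and dst_net in rule.destinations:
            return rule.action, rule.name
    return "deny", "Default rule"


def lab_rules(with_local_host_ftp):
    """Firewall policy after Exercise 2 (ping rule, Internal -> External; its
    name is assumed), optionally with the Exercise 3 rule inserted on top."""
    rules = [Rule("Allow Ping", "allow", frozenset({"PING"}),
                  frozenset({"Internal"}), frozenset({"External"}))]
    if with_local_host_ftp:
        rules.insert(0, Rule("Allow FTP from firewall", "allow", frozenset({"FTP"}),
                             frozenset({"Local Host"}), frozenset({"External"})))
    return rules


if __name__ == "__main__":
    istanbul = "42.1.0.10"   # assumed address for istanbul.fabrikam.com
    for with_ftp in (False, True):
        policy = lab_rules(with_ftp)
        print("with FTP rule:", with_ftp)
        print("  Denver ping Istanbul:", evaluate(policy, "10.1.1.5", istanbul, "PING"))
        print("  Paris  ftp  Istanbul:", evaluate(policy, "10.1.1.1", istanbul, "FTP"))
        print("  Paris  ping Istanbul:", evaluate(policy, "10.1.1.1", istanbul, "PING"))
```

The last line of output is the point of the exercise: even with the FTP rule in place, a ping from Paris is still denied, because the ping rule's source is Internal and 10.1.1.1 is Local Host. Any traffic the firewall itself must originate needs its own rule (or a system policy rule) with Local Host as the source.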


Exercise 4: Configuring ISA Server 2006 for Flood Resiliency

In this exercise, you will configure ISA Server to block a large number of concurrent TCP connections from the same IP address.

Perform the following steps on the Paris computer.

1. On the Paris computer, examine the flood mitigation settings.

a. On the Paris computer, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.

b. In the ISA Server console, in the left pane, expand Paris, expand Configuration, and then select General.

c. In the right pane, under Additional Security Policy, click Configure Flood Mitigation Settings.

d. In the Flood Mitigation dialog box, on the Flood Mitigation tab, click the second Edit button.

e. Click Cancel to close the Flood Mitigation Settings dialog box.

f. In the Flood Mitigation dialog box, select the IP Exceptions tab.

2. Disable the logging of network traffic blocked by flood mitigation settings. (In production, leave this logging enabled so that connections dropped by flood mitigation remain visible in the firewall log.)

a. In the Flood Mitigation dialog box, select the Flood Mitigation tab.

b. Clear the Log traffic blocked by flood mitigation settings check box.

c. Click OK to close the Flood Mitigation dialog box.

3. Create a new access rule. Name: Allow Web access (Flood); Applies to: HTTP; From network: Internal; To network: External.

a. In the left pane, select Firewall Policy.

b. In the right pane, select the first rule, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.

c. In the task pane, on the Tasks tab, click Create Access Rule.

d. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow Web access (Flood), and then click Next.

e. On the Rule Action page, select Allow, and then click Next.

f. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.

g. In the Add Protocols dialog box, click Common Protocols, click HTTP, click Add, and then click Close to close the Add Protocols dialog box.

h. On the Protocols page, click Next.

i. On the Access Rule Sources page, click Add.

j. In the Add Network Entities dialog box, click Networks, click Internal, click Add, and then click Close to close the Add Network Entities dialog box.

k. On the Access Rule Sources page, click Next.

l. On the Access Rule Destinations page, click Add.

m. In the Add Network Entities dialog box, click Networks, click External, click Add, and then click Close to close the Add Network Entities dialog box.

n. On the Access Rule Destinations page, click Next.


o. On the User Sets page, click Next.

p. On the Completing the New Access Rule Wizard page, click Finish.

4. Apply the changes.

a. Click Apply to apply the changes, and then click OK.

Perform the following steps on the Denver computer.

5. On the Denver computer, configure Internet Explorer not to use a proxy server.

a. On the Denver computer, open Internet Explorer.

b. In Internet Explorer, on the Tools menu, click Internet Options.

c. In the Internet Options dialog box, on the Connections tab, click LAN Settings.

d. In the Local Area Network (LAN) Settings dialog box, clear the Use a proxy server for your LAN check box, and then click OK.

e. Click OK to close the Internet Options dialog box.

6. Use Internet Explorer to connect to http://istanbul.fabrikam.com/web.asp.

a. In Internet Explorer, in the Address bar, type http://istanbul.fabrikam.com/web.asp, and then press Enter.

b. Do not close Internet Explorer.

7. Use the C:\Tools\tcpflooder.vbs tool to create 200 concurrent TCP connections.

a. Use Windows Explorer (or My Computer) to open the C:\Tools folder.

b. Right-click tcpflooder.vbs, and then click Open.

c. Click Yes to confirm that you want to start TCP Flooder.

d. Click OK to acknowledge that 200 TCP connections are created.

e. Close the Tools folder.

8. In Internet Explorer, refresh the existing Web page, and attempt to create a second connection to http://istanbul.fabrikam.com/web.asp.

a. In the Internet Explorer window, on the toolbar, click the Refresh button.

b. On the Start menu, click All Programs, and then click Internet Explorer.

c. In Internet Explorer, in the Address box, type http://istanbul.fabrikam.com/web.asp, and then press Enter.

d. Close the Internet Explorer windows.

Perform the following steps on the Paris computer.

9. On the Paris computer, examine the flooding alert.

a. On the Paris computer, in the ISA Server console, in the left pane, select Monitoring.

b. In the right pane, select the Alerts tab.

c. In the task pane, on the Tasks tab, click Refresh Now.

d. In the alert list, expand the Concurrent TCP Connections from One IP Address Limit Exceeded alert, and then select the alert line below that.

10. Configure the log viewer filter conditions: Log Time: Last Hour; Client IP: Equals 10.1.1.5; Destination IP: Greater or Equal 42.1.0.0.

a. In the right pane, select the Logging tab.

b. In the task pane, on the Tasks tab, click Edit Filter.

c. In the Edit Filter dialog box, in the conditions list, select the Log Time - Live condition.

d. In the Condition drop-down list box, select Last Hour, and then click Update.

e. Complete the following information:

Filter by: Client IP

Condition: Equals

Value: 10.1.1.5 and then click Add To List.


f. Complete the following information:

Filter by: Destination IP

Condition: Greater or Equal

Value: 42.1.0.0 and then click Add To List.

g. Click Start Query to close the Edit Filter dialog box.

h. Scroll to the top of the list of log entries.

11. Restore the log viewer filter conditions: Log Time: Live; Client IP: (remove); Destination IP: (remove).

a. In the task pane, on the Tasks tab, click Edit Filter.

b. In the Edit Filter dialog box, in the conditions list, select Log Time - Last Hour.

c. In the Condition drop-down list box, select Live, and then click Update.

d. In the conditions list, select the Destination IP condition, and then click Remove.

e. In the conditions list, select the Client IP condition, and then click Remove.

f. Click Start Query to close the dialog box.

g. In the task pane, on the Tasks tab, click Stop Query.

Perform the following steps on the Denver computer.

12. On the Denver computer, configure Internet Explorer to use a proxy server.

a. On the Denver computer, open Internet Explorer.

b. In Internet Explorer, on the Tools menu, click Internet Options.

c. In the Internet Options dialog box, on the Connections tab, click LAN Settings.

d. In the Local Area Network (LAN) Settings dialog box, complete the following information:

Use a proxy server for your LAN: enable

Address: 10.1.1.1

Port: 8080

Bypass proxy server for local address: enable and then click OK to close the Local Area Network (LAN) Settings dialog box.

e. Click OK to close the Internet Options dialog box.

f. Close Internet Explorer.
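Added example, not part of the lab manual and not ISA Server code: a Python model of the per-source-IP concurrent TCP connection limit that this exercise triggers, run over a constructed connection trace that mirrors steps 6 to 8 (Denver's first page load, the 200 flooder connections, and the refresh that then fails), followed by the log viewer filter from step 10. The limit of 160 and the Istanbul address 42.1.0.10 are assumptions; check the actual limit in the Flood Mitigation Settings dialog. The `exceptions` argument corresponds to the IP Exceptions tab and `log_blocked` to the check box cleared in step 2.

```python
"""Model of ISA Server flood mitigation (added example, not ISA code):
a per-client cap on concurrent TCP connections, an alert when it is hit,
and the log viewer filter used to inspect the result."""
import ipaddress
from collections import Counter

ALERT_NAME = "Concurrent TCP Connections from One IP Address Limit Exceeded"


def build_flood_trace(flooder="10.1.1.5", target="42.1.0.10", count=200):
    """Constructed trace, not a real ISA log. Events are
    (client, destination, port, kind): Denver's page load (step 6), the
    flooder's connections (step 7), one unrelated client, Denver's refresh (step 8)."""
    events = [(flooder, target, 80, "connect")]
    events += [(flooder, target, 80, "connect")] * count
    events.append(("10.1.1.6", target, 80, "connect"))
    events.append((flooder, target, 80, "connect"))
    return events


def apply_flood_mitigation(events, limit=160, exceptions=(), log_blocked=True):
    """Track open connections per client IP. Once a client holds `limit`
    connections, further connects from it are denied and an alert is raised.
    Clients listed in `exceptions` (the IP Exceptions tab) are never limited.
    `log_blocked` mirrors 'Log traffic blocked by flood mitigation settings'."""
    open_conns = Counter()
    alerted = set()
    log = []
    for client, dest, port, kind in events:
        if kind == "close":
            open_conns[client] = max(0, open_conns[client] - 1)
            log.append((client, dest, port, "Closed Connection"))
        elif client not in exceptions and open_conns[client] >= limit:
            alerted.add(client)
            if log_blocked:
                log.append((client, dest, port, "Denied Connection (flood mitigation)"))
        else:
            open_conns[client] += 1
            log.append((client, dest, port, "Initiated Connection"))
    alerts = [(ALERT_NAME, ip) for ip in sorted(alerted)]
    return {"alerts": alerts, "open": dict(open_conns), "log": log}


def filter_log(log, client_ip=None, dest_ip_ge=None):
    """The step 10 filter: Client IP equals X and Destination IP >= Y."""
    floor = ipaddress.ip_address(dest_ip_ge) if dest_ip_ge else None
    return [e for e in log
            if (client_ip is None or e[0] == client_ip)
            and (floor is None or ipaddress.ip_address(e[1]) >= floor)]


if __name__ == "__main__":
    result = apply_flood_mitigation(build_flood_trace())
    print("alerts:", result["alerts"])
    print("open connections:", result["open"])
    denver = filter_log(result["log"], "10.1.1.5", "42.1.0.0")
    denied = [e for e in denver if e[3].startswith("Denied")]
    print(len(denied), "of", len(denver), "connections from 10.1.1.5 were denied")
    print("last event (the refresh):", result["log"][-1])
```

The refresh in step 8 is denied because the limit is applied per source address, not per application: the browser and the flooder share 10.1.1.5, so a flood from one process on a host locks out every other process on that host. Running the same trace with `log_blocked=False` shows why step 2 matters: the denied connections disappear from the log entirely, and only the alert remains as evidence.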


Module C: Publishing Web Servers and Other Servers

Exercise 1: Publishing a Web Server in the Internal Network

In this exercise, you will configure ISA Server to publish a Web server on the Internal network to client computers on the Internet.

Perform the following steps on the Paris computer.

1. On the Paris computer, create a new Web listener. Name: External Web 80; SSL: disable; Network: External; Compression: disable; Authentication: none.

a. On the Paris computer, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.

b. In the ISA Server console, expand Paris, and then select Firewall Policy.

c. In the task pane, on the Toolbox tab, in the Network Objects section, right-click Web Listeners, and then click New Web Listener.

d. In the New Web Listener Definition Wizard dialog box, in the Web listener name text box, type External Web 80, and then click Next.

e. On the Client Connection Security page, select Do not require SSL secured connections with clients, and then click Next.

f. On the Web Listener IP Addresses page, complete the following information:

Listen on network: External

ISA Server will compress content: disable and then click Next.

g. On the Authentication Settings page, in the drop-down list box, select No Authentication, and then click Next.

h. On the Single Sign On Settings page, click Next.

i. On the Completing the New Web Listener Wizard page, click Finish.

j. Click Apply to save the changes, and then click OK.

2. Examine the effect of the Web listener definition on the listening ports.

a. Open a Command Prompt window.

b. At the command prompt, type netstat -ano | find ":80", and then press Enter.

c. Close the Command Prompt window.

3. Create a Web publishing rule. Name: Web Home Page (on Denver); Publishing type: single Web site; Internal site name: denver.contoso.com; Public name: www.contoso.com; Web listener: External Web 80; Delegation: none.

a. In the ISA Server console, in the left pane, select Firewall Policy.

b. In the right pane, select the first rule, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.

c. In the task pane, on the Tasks tab, click Publish Web Sites.

d. In the New Web Publishing Rule Wizard dialog box, in the Web publishing rule name text box, type Web Home Page (on Denver), and then click Next.

e. On the Select Rule Action page, select Allow, and then click Next.

f. On the Publishing Type page, select Publish a single Web site, and then click Next.

g. On the Server Connection Security page, select Use non-secured connections to connect to the published Web server, and then click Next.

h. On the Internal Publishing Details page, complete the following information:

Internal site name: denver.contoso.com

Use a computer name or IP address: disable (is default) and then click Next.

i. On the next Internal Publishing Details page, complete the following information:

Path: (leave empty)

Forward the original host header: disable (is default) and then click Next.

j. On the Public Name Details page, complete the following information:

Accept requests for: This domain name (type below):

Public name: www.contoso.com

Path: (leave empty) and then click Next.

k. On the Select Web Listener page, in the Web listener drop-down list box, select External Web 80, and then click Next.

l. On the Authentication Delegation page, select No delegation, and client cannot authenticate directly, and then click Next.

m. On the User Sets page, click Next.

n. On the Completing the New Web Publishing Rule Wizard page, click Finish.

o. Click Apply to apply the new rule, and then click OK.

4. Examine the effect of the Web publishing rule on the listening ports.

a. Open a Command Prompt window.

b. At the command prompt, type netstat -ano | find ":80", and then press Enter.

c. At the command prompt, type tasklist /svc | find "nnnn", and then press Enter. (Replace nnnn with the process ID displayed in the output of the previous step.)

d. Close the Command Prompt window.

5. Examine the network rule for connectivity between the External network and the Internal network.

a. In the ISA Server console, in the left pane, expand Configuration, and then select Networks.

b. In the right pane, on the Network Rules tab, select the rule that defines the connectivity between the Internal network and the External network.

Perform the following steps on the Istanbul computer.

6. On the Istanbul computer, verify that www.contoso.com resolves to 39.1.1.1.

a. On the Istanbul computer, open a Command Prompt window.

b. At the command prompt type ping www.contoso.com, and then press Enter.

c. Close the Command Prompt window.

7. Connect to the published Web server on www.contoso.com, and attempt to connect to 39.1.1.1.

a. Open Internet Explorer. In the Address box, type http://www.contoso.com, and then press Enter.

b. In the Address box, type http://39.1.1.1, and then press Enter.


Perform the following steps on the Paris computer.

8. On the Paris computer, add the 39.1.1.1 public name to the Web Home Page (on Denver) Web publishing rule.

a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.

b. In the right pane, select the Web Home Page (on Denver) Web publishing rule.

c. In the task pane, on the Tasks tab, click Edit Selected Rule.

d. In the Web Home Page (on Denver) Properties dialog box, on the Public Name tab, click Add.

e. In the Public Name dialog box, type 39.1.1.1, and then click OK.

f. Click OK to close the Web Home Page (on Denver) Properties

dialog box.

g. Click Apply to apply the changed rule, and then click OK.

Perform the following steps on the Istanbul computer.

9. On the Istanbul computer, connect to the published Web server on 39.1.1.1.

a. On the Istanbul computer, in Internet Explorer, ensure that http://39.1.1.1 is in the Address box, and then click the Refresh button.

b. Close Internet Explorer.

Exercise 2: Publishing the Web Server on the ISA Server Computer

In this exercise, you will configure ISA Server to publish a Web server on the ISA Server computer to client computers on the Internet.

Perform the following steps on the Paris computer.

1. On the Paris computer, configure the default Web site to use port 81, and then start the Web site.

a. On the Paris computer, on the Start menu, click Administrative Tools, and then click Internet Information Services (IIS) Manager.

b. In the IIS Manager console, expand PARIS (local computer), expand Web Sites, right-click Default Web Site (Stopped), and then click Properties.

c. In the Default Web Site (Stopped) Properties dialog box, on the Web Site tab, in the TCP port text box, type 81, and then click OK.

d. Right-click Default Web Site (Stopped), and then click Start.

e. Close the IIS Manager console.

2. Examine the effect of starting the default Web site on the listening ports.

a. Open a Command Prompt window.

b. At the command prompt, type netstat -ano | find ":81", and then press Enter.

c. At the command prompt, type tasklist /svc | find "mmmm", and then press Enter. (Replace mmmm with the actual process ID displayed in output of the previous step.)

d. Close the Command Prompt window.

3. Create a Web publishing rule. Name: Products Web Site (on Paris); Publishing type: single Web site; Internal site name: Paris; IP address: 10.1.1.1; Port: 81; Public name: www.contoso.com/products; Web listener: External Web 80; Delegation: none.

a. In the ISA Server console, in the left pane, select Firewall Policy.

b. In the right pane, select the first rule to indicate where the new rule is added to the rule list.

c. In the task pane, on the Tasks tab, click Publish Web Sites.

d. In the New Web Publishing Rule Wizard dialog box, in the Web publishing rule name text box, type Products Web Site (on Paris), and then click Next.

e. On the Select Rule Action page, select Allow, and then click Next.

f. On the Publishing Type page, select Publish a single Web site, and then click Next.

g. On the Server Connection Security page, select Use non-secured connections to connect to the published Web server, and then click Next.

h. On the Internal Publishing Details page, complete the following information:

Internal site name: Paris

Use a computer name or IP address: enable

Computer name or IP address: 10.1.1.1 and then click Next.

i. On the next Internal Publishing Details page, complete the following information:

Path: (leave empty)

Forward the original host header: disable (is default) and then click Next.

j. On the Public Name Details page, complete the following information:

Accept requests for: This domain name (type below):

Public name: www.contoso.com

Path: products and then click Next.

k. On the Select Web Listener page, in the Web listener drop-down list box, select External Web 80, and then click Next.

l. On the Authentication Delegation page, select No delegation, and client cannot authenticate directly, and then click Next.

m. On the User Sets page, click Next.

n. On the Completing the New Web Publishing Rule Wizard page, click Finish.

o. In the right pane, select the Products Web Site (on Paris) Web publishing rule, and then in the task pane, on the Tasks tab, click Edit Selected Rule.

p. In the Products Web Site (on Paris) Properties dialog box, select the Paths tab.

q. Select the Listener tab, and then select the Bridging tab.

r. On the Bridging tab, in the Redirect requests to HTTP port text box, type 81.

s. Click OK to close the Products Web Site (on Paris) Properties dialog box.

t. Click Apply to apply the new rule, and then click OK.

Perform the following steps on the Istanbul computer.

4. On the Istanbul computer, connect to the published Web servers on www.contoso.com/products and www.contoso.com.

a. On the Istanbul computer, open Internet Explorer. In the Address box, type http://www.contoso.com/products, and then press Enter.

b. In the Address box, type http://www.contoso.com, and then press Enter.

c. Close Internet Explorer.

Perform the following steps on the Paris computer.

5. On the Paris computer, create a Web publishing rule. Name: Public Web Site (on Paris); Publishing type: single Web site; Internal site name: Paris; IP address: 10.1.1.1; Path: publicweb/*; Port: 81; Public name: public.contoso.com; Web listener: External Web 80; Delegation: none.

a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.

b. In the right pane, select the first rule to indicate where the new rule is added to the rule list.

c. In the task pane, on the Tasks tab, click Publish Web Sites.

d. In the New Web Publishing Rule Wizard dialog box, in the Web publishing rule name text box, type Public Web Site (on Paris), and then click Next.

e. On the Select Rule Action page, select Allow, and then click Next.

f. On the Publishing Type page, select Publish a single Web site, and then click Next.

g. On the Server Connection Security page, select Use non-secured connections to connect to the published Web server, and then click Next.

h. On the Internal Publishing Details page, complete the following information:

Internal site name: Paris

Use a computer name or IP address: enable

Computer name or IP address: 10.1.1.1 and then click Next.

i. On the next Internal Publishing Details page, complete the following information:

Path: publicweb/*

Forward the original host header: disable (is default) and then click Next.

j. On the Public Name Details page, complete the following information:

Accept requests for: This domain name (type below):

Public name: public.contoso.com

Path: (remove /publicweb/*, and leave empty) and then click Next.

k. On the Select Web Listener page, in the Web listener drop-down list box, select External Web 80, and then click Next.

l. On the Authentication Delegation page, select No delegation, and client cannot authenticate directly, and then click Next.

m. On the User Sets page, click Next.

n. On the Completing the New Web Publishing Rule Wizard page, click Finish.

o. In the right pane, select the Public Web Site (on Paris) Web publishing rule, and then in the task pane, on the Tasks tab, click Edit Selected Rule.

p. In the Public Web Site (on Paris) Properties dialog box, select the Paths tab.

q. On the Bridging tab, in the Redirect requests to HTTP port text box, type 81.

r. Click OK to close the Public Web Site (on Paris) Properties dialog box.

s. Click Apply to apply the new rule, and then click OK.

Perform the following steps on the Istanbul computer.

6. On the Istanbul computer, connect to the published Web server on public.contoso.com.

a. On the Istanbul computer, open Internet Explorer. In the Address box, type http://public.contoso.com, and then press Enter.

b. Close Internet Explorer.
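Added example, not part of the lab manual and not ISA Server code: a Python model of how the External Web 80 listener selects one of the three Web publishing rules created in Exercises 1 and 2 from the request's Host header and path, and what it then sends to the backend (port 81 from the Bridging tab, the internal path prefix, and the Internal site name as Host header because "Forward the original host header" is left disabled). The rule order assumes the console inserts each new rule above the selected one, so the list is in reverse order of creation; the addresses are those in the manual.

```python
"""Model of Web publishing rule selection (added example, not ISA code)."""
from dataclasses import dataclass


@dataclass
class WebPublishingRule:
    name: str
    public_names: tuple   # host names or IP literals the rule accepts
    public_path: str      # external path prefix ("/" means the whole site)
    internal_site: str    # Internal site name; sent as the Host header to the backend
    internal_addr: str    # computer name or IP address ISA connects to
    internal_port: int    # Bridging tab: Redirect requests to HTTP port
    internal_path: str    # internal path prefix the public prefix maps onto


def lab_rules(include_ip_literal=False):
    """Firewall policy after Exercise 2, most recently created rule first.
    include_ip_literal adds the 39.1.1.1 public name from Exercise 1, step 8."""
    denver_names = ("www.contoso.com", "39.1.1.1") if include_ip_literal else ("www.contoso.com",)
    return [
        WebPublishingRule("Public Web Site (on Paris)", ("public.contoso.com",), "/",
                          "Paris", "10.1.1.1", 81, "/publicweb/"),
        WebPublishingRule("Products Web Site (on Paris)", ("www.contoso.com",), "/products/",
                          "Paris", "10.1.1.1", 81, "/products/"),
        WebPublishingRule("Web Home Page (on Denver)", denver_names, "/",
                          "denver.contoso.com", "denver.contoso.com", 80, "/"),
    ]


def route(rules, host, path):
    """Return (rule name, backend URL, backend Host header) for the first rule
    that accepts the request, or None when no rule does. A Host header that
    matches no public name is refused: that is what happens to http://39.1.1.1
    in Exercise 1, step 7, until the IP literal is added as a public name."""
    for rule in rules:
        if host.lower() not in (n.lower() for n in rule.public_names):
            continue
        prefix = rule.public_path.rstrip("/")
        if not (path == prefix or path.startswith(prefix + "/")):
            continue
        rest = path[len(prefix):]
        backend = (f"http://{rule.internal_addr}:{rule.internal_port}"
                   f"{rule.internal_path.rstrip('/')}{rest}")
        return rule.name, backend, rule.internal_site
    return None


if __name__ == "__main__":
    for host, path in [("www.contoso.com", "/"), ("www.contoso.com", "/products"),
                       ("public.contoso.com", "/index.htm"), ("39.1.1.1", "/")]:
        print(f"{host}{path} -> {route(lab_rules(), host, path)}")
    print("39.1.1.1/ after step 8 ->", route(lab_rules(True), "39.1.1.1", "/"))
    # Creation order instead: the catch-all Denver rule shadows /products.
    print("creation order, /products ->", route(list(reversed(lab_rules())), "www.contoso.com", "/products"))
```

Two checks worth keeping in mind when you build this by hand: rule order matters, because the Denver rule accepts every path under www.contoso.com and would shadow the /products rule if it sat above it; and exposing 39.1.1.1 as a public name means scanners that connect by IP address rather than by name now reach the published server, so only add the IP literal when that is intended.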


Exercise 3: Performing Link Translation on a Published Web Server

In this exercise, you will configure ISA Server to enable link translation for a published Web site.

Perform the following steps on the Istanbul computer.

1. On the Istanbul computer, connect to the Web page www.contoso.com/links.htm.

a. On the Istanbul computer, open Internet Explorer. In the Address box, type http://www.contoso.com/links.htm, and then press Enter.

b. Hold the mouse pointer over the Translated link for pic1.jpg URL.

c. Right-click on the displayed image (pic1.jpg), and then click Properties.

d. Click Cancel to close the Properties dialog box.

e. Do not close Internet Explorer.

Perform the following steps on the Paris computer.

2. On the Paris computer, examine the Link Translation Filter Web filter.

a. On the Paris computer, in the ISA Server console, in the left pane, expand Configuration, and then select Add-ins.

b. In the right pane, select the Web Filters tab.

3. Examine the current link translation mappings for the Web Home Page (on Denver) Web publishing rule.

a. In the left pane, select Firewall Policy, and then in the right pane, select the Web Home Page (on Denver) Web

publishing rule.

b. In the task pane, on the Tasks tab, click Edit Selected Rule.

c. In the Web Home Page (on Denver) Properties dialog box, select the Link Translation tab.

d. On the Link Translation tab, click Mappings.

e. Close the mappings dialog box.

f. Click Cancel to close the Web Home Page (on Denver) Properties dialog box.

4. Create a new global link translation mapping. Replace this text: http://ronsbox; With this text: http://www.contoso.com.

a. In the left pane, select General.

b. In the right pane, under Global HTTP Policy Settings, click Configure Global Link Translation.

c. In the Link Translation dialog box, select the Global Mappings tab.

d. On the Global Mappings tab, click Add.

e. In the Add Mapping dialog box, complete the following information:

Internal URL: http://ronsbox

Translated URL: http://www.contoso.com and then click OK.

f. Click OK to close Link Translation dialog box.

g. Click Apply to save the changes, and then click OK.

Perform the following steps on the Istanbul computer.

5. On the Istanbul computer, refresh the content of the Web page at www.contoso.com/links.htm again, by pressing Ctrl+F5 or Ctrl+Refresh, so that the page is fetched again instead of being served from the browser cache.

a. On the Istanbul computer, in Internet Explorer, ensure that the http://www.contoso.com/links.htm Web page is opened.

b. Hold the Ctrl key, and then click the Refresh button on the toolbar, to refresh the content of the Web page.

c. Close Internet Explorer.


Exercise 4: Using Cross-Site Link Translation to Publish SharePoint Server

In this exercise, you will configure ISA Server to publish a SharePoint Server. The portal Web site contains links to other Web servers. By using cross-site link translation, you can access those links from the published portal Web site.

Perform the following steps on the Denver computer.

1. On the Denver computer, connect to http://portal, and examine the links on the Project-D Portal Web site.

a. On the Denver computer, open Internet Explorer. In the Address box, type http://portal, and then press Enter.

b. In the portal Web site, under Shared Documents, move the mouse pointer over Agenda (do not click).

c. Click Agenda.

d. In the File Download dialog box, click Open to confirm that

you want to open the Agenda.doc file.

e. Close WordPad.

f. In the portal Web site, under Links, move the mouse pointer over Research Web Site (do not click).

g. Click Research Web Site.

h. On the toolbar, click the Back button.

i. Close Internet Explorer.

Perform the following steps on the Paris computer.

2. On the Paris computer, create a new Web listener, if this is not done already. Name: External Web 80; SSL: disable; Network: External; Compression: disable; Authentication: none.

a. On the Paris computer, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.

b. In the ISA Server console, expand Paris, and then select Firewall Policy.

c. In the task pane, on the Toolbox tab, in the Network Objects section, expand Web Listeners (if possible).

d. If a Web listener named External Web 80 does not exist, then right-click Web Listeners, and then click New Web Listener.

e. In the New Web Listener Definition Wizard dialog box, in the Web listener name text box, type External Web 80, and then click Next.

f. On the Client Connection Security page, select Do not require SSL secured connections with clients, and then click Next.

g. On the Web Listener IP Addresses page, complete the following information:

Listen on network: External

ISA Server will compress content: disable and then click Next.

h. On the Authentication Settings page, in the drop-down list box, select No Authentication, and then click Next.

i. On the Single Sign On Settings page, click Next.

j. On the Completing the New Web Listener Wizard page, click Finish.

3. Create a Web publishing rule to publish a SharePoint server. Name: Portal Web Site; Publishing type: single Web site; Internal site name: portal; Public name: portal.contoso.com; Web listener: External Web 80; Delegation: none.

a. In the right pane, select the first rule, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.

b. In the task pane, on the Tasks tab, click Publish SharePoint Sites.

c. In the New SharePoint Publishing Rule Wizard dialog box, in the SharePoint publishing rule name text box, type Portal Web Site, and then click Next.

d. On the Publishing Type page, select Publish a single Web site, and then click Next.

e. On the Server Connection Security page, select Use non-secured connections to connect to the published Web server, and then click Next.

f. On the Internal Publishing Details page, in the Internal site name text box, type portal, and then click Next.

g. On the Public Name Details page, in the Public name text box, type portal.contoso.com, and then click Next.

h. On the Select Web Listener page, in the Web listener drop-down list box, select External Web 80, and then click Next.

i. On the Authentication Delegation page, select No delegation, and client cannot authenticate directly, and then click Next.

j. On the Alternate Access Mapping Configuration page, select SharePoint AAM is not yet configured, and then click Next.

k. On the User Sets page, click Next.

l. On the Completing the New SharePoint Publishing Rule Wizard page, click Finish.

4. Apply the changes.

a. Click Apply to apply the changes, and then click OK.

Perform the following steps on the Istanbul computer.

5. On the Istanbul computer, connect to http://portal.contoso.com, and examine the links on the Project-D Portal Web site.

a. On the Istanbul computer, open Internet Explorer. In the Address box, type http://portal.contoso.com, and then press Enter.

b. In the portal Web site, under Shared Documents, move the mouse pointer over Agenda (do not click).

c. Click Agenda.

d. In the File Download dialog box, click Open to confirm that

you want to open the Agenda.doc file.

e. Close WordPad.

f. In the portal Web site, under Links, move the mouse pointer over Research Web Site (do not click).

g. Click Research Web Site.

h. On the toolbar, click the Back button.

i. Close Internet Explorer.

Perform the following steps on the Paris computer.

6. On the Paris computer, create a Web publishing rule. Name: Server1 Web Site; Publishing type: single Web site; Internal site name: server1; Public name: web1.contoso.com; Web listener: External Web 80; Delegation: none.

a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.

b. In the right pane, select the first rule to indicate where the new rule is added.

c. In the task pane, on the Tasks tab, click Publish Web Sites.

d. In the New Web Publishing Rule Wizard dialog box, in the Web publishing rule name text box, type Server1 Web Site, and then click Next.

e. On the Select Rule Action page, select Allow, and then click Next.

f. On the Publishing Type page, select Publish a single Web site, and then click Next.

g. On the Server Connection Security page, select Use non-secured connections to connect to the published Web server, and then click Next.

h. On the Internal Publishing Details page, in the Internal site name text box, type server1, and then click Next.

i. On the next Internal Publishing Details page, leave the Path text box empty, and then click Next.

j. On the Public Name Details page, in the Public name text box, type web1.contoso.com, and then click Next.

k. On the Select Web Listener page, in the Web listener drop-down list box, select External Web 80, and then click Next.

l. On the Authentication Delegation page, select No delegation, and client cannot authenticate directly, and then click Next.

m. On the User Sets page, click Next.

n. On the Completing the New Web Publishing Rule Wizard page, click Finish.

7. Apply the changes.

a. Click Apply to apply the changes, and then click OK.

8. Examine the list of per-server link translation mappings.

a. In the left pane, expand Configuration, and then click General.

b. In the right pane, click Configure Global Link Translation.

c. Select the Global Mappings tab.

d. Click Cancel to close the Link Translation dialog box.

Perform the following steps on the Istanbul computer.

9. On the Istanbul computer, connect to http://portal.contoso.com, and examine the links on the Project-D Portal Web site.

a. On the Istanbul computer, open Internet Explorer. In the Address box, type http://portal.contoso.com, and then press Enter.

b. In the portal Web site, under Links, move the mouse pointer over Research Web Site (do not click).

c. Click Research Web Site.

d. On the toolbar, click the Back button.

e. Close Internet Explorer.

Exercise 5: Publishing a Web Farm for Load Balancing

In this exercise, you will publish two Web servers (10.1.1.21 and 10.1.1.22) as a Web farm. ISA Server load balances Web requests to servers in a Web farm. The exercise uses both Cookie-Based Load Balancing and Source-IP Based Load Balancing.

Tasks Detailed steps

Perform the following steps on the Paris computer.

1. On the Paris computer, create a new Web listener (if this is not done already).

Name: External Web 80

SSL: disable

Network: External

Compression: disable

Authentication: none

a. On the Paris computer, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.

b. In the ISA Server console, expand Paris, and then select Firewall Policy.

c. In the task pane, on the Toolbox tab, in the Network Objects section, expand Web Listeners (if possible).

d. If a Web Listener named External Web 80 does not exist, then right-click Web Listeners, and then click New Web Listener.

e. In the New Web Listener Definition Wizard dialog box, in the Web listener name text box, type External Web 80, and then click Next.

f. On the Client Connection Security page, select Do not require SSL secured connections with clients, and then click Next.

g. On the Web Listener IP Addresses page, complete the following information:

Listen on network: External

ISA Server will compress content: disable and then click Next.

h. On the Authentication Settings page, in the drop-down list box, select No Authentication, and then click Next.

i. On the Single Sign On Settings page, click Next.

j. On the Completing the New Web Listener Wizard page, click Finish.

2. Create a new Server Farm network element.

Name: Shop Web Servers

Addresses:

- 10.1.1.21

- 10.1.1.22

Monitoring: http://*/

a. In the task pane, on the Toolbox, in the Network Objects section, right-click Server Farms, and then click New Server Farm.

b. In the New Server Farm Definition Wizard dialog box, in the Server farm name text box, type Shop Web Servers, and then click Next.

c. On the Servers page, click Add.

d. In the Server Details dialog box, complete the following information:

Computer name or IP address: 10.1.1.21

Description: Shopping Web Server 1 and then click OK.

e. On the Servers page, click Add again.

f. In the Server Details dialog box, complete the following information:

Computer name or IP address: 10.1.1.22

Description: Shopping Web Server 2 and then click OK.

g. On the Servers page, click Next.

h. On the Server Farm Connectivity Monitoring page, complete the following information:

Send an HTTP/HTTPS GET request: enable (is default)

Current URL: http://*/ (is default) and then click Next.

i. On the Completing the New Server Farm Wizard page, click Finish.

j. In the HTTP Connectivity Verification dialog box, click Yes to confirm that you want the connectivity verifiers system policy to be enabled.

3. Create a new Web publishing rule.

Name: Sales Web Site

Type: Publish server farm

Internal name: store.contoso.com/shop

Server farm: Shop Web Servers

Load balance mechanism: Cookie-based

Public name: www.contoso.com/shop

Web listener: External Web 80

Delegation: none

a. In the right pane, select the first rule, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.

b. In the task pane, on the Tasks tab, click Publish Web Sites.

c. In the New Publishing Rule Wizard dialog box, in the Web publishing rule name text box, type Sales Web Site, and then click Next.

d. On the Select Rule Action page, select Allow, and then click Next.

e. On the Publishing Type page, select Publish a server farm of load balanced Web servers, and then click Next.

f. On the Server Connection Security page, select Use non-secured connections to connect to the published Web server or server farm, and then click Next.

g. On the Internal Publishing Details page, in the Internal site name text box, type store.contoso.com, and then click Next.

h. On the next Internal Publishing Details page, complete the following information:

Path: shop/*

Forward the original host header: disable (default) and then click Next.

i. On the Specify Server Farm page, complete the following information:

Select the server farm (drop-down list box): Shop Web Servers

Cookie-based Load Balancing: enable (is default) and then click Next.

j. On the Public Name Details page, complete the following information:

Accept request for: This domain name (type below)

Public name: www.contoso.com

Path (optional): /shop/* (automatic) and then click Next.

k. On the Select Web Listener page, in the Web listener drop-down list box, select External Web 80, and then click Next.

l. On the Authentication Delegation page, in the drop-down list box, select No delegation, and client cannot authenticate directly, and then click Next.

m. On the User Sets page, click Next.

n. On the Completing the New Web Publishing Rule Wizard page, click Finish.

4. Apply the changes.

a. Click Apply to apply the changes, and then click OK.

5. Examine the connectivity verifiers for the Shop Web Servers farm.

a. In the ISA Server console, in the left pane, select Monitoring.

b. In the right pane, select the Connectivity Verifiers tab.

c. Right-click the first Farm: Shop Web Servers connectivity verifier, and then click Properties.

d. In the Farm: Shop Web Servers Properties dialog box, select the Connectivity Verification tab.

e. Click Cancel to close the Farm: Shop Web Servers Properties dialog box.

Perform the following steps on the Istanbul computer.

6. On the Istanbul computer, use Internet Explorer to connect to http://www.contoso.com/shop/web.asp

a. On the Istanbul computer, open Internet Explorer. In the Address box, type http://www.contoso.com/shop/web.asp, and then press Enter.

b. On the toolbar, click the Refresh button to refresh the content of the Web page.

7. Create two new Internet Explorer sessions, and connect to http://www.contoso.com/shop/web.asp

a. On the Start menu, click All Programs, and then click Internet Explorer.

b. In Internet Explorer, in the Address box, type http://www.contoso.com/shop/web.asp, and then press Enter.

c. On the toolbar, click the Refresh button to refresh the content of the Web page.

d. On the Start menu, click All Programs, and then click Internet Explorer again.

e. In Internet Explorer, in the Address box, type http://www.contoso.com/shop/web.asp, and then press Enter.

Perform the following steps on the Denver computer.

8. On the Denver computer, stop the Server1 Web Site to simulate a connectivity problem with the Web server on 10.1.1.21.

a. On the Denver computer, on the Start menu, click Administrative Tools, and then click Internet Information Services (IIS) Manager.

b. In the IIS Manager console, expand DENVER (local computer), expand Web Sites, and then select Server1 Web Site.

c. Right-click Server1 Web Site, and then click Properties.

d. Click Cancel to close the Server1 Web Site Properties dialog box.

e. Right-click Server1 Web Site, and then click Stop.

Perform the following steps on the Istanbul computer.

9. On the Istanbul computer, attempt to refresh the content of the Web pages that were from 10.1.1.21 (Server1).

a. On the Istanbul computer, switch to one of the Internet Explorer windows that currently displays the web.asp page from 10.1.1.21 (Server1).

b. On the toolbar, click the Refresh button to refresh the content of the Web page.

c. Wait 20 seconds, and then on the toolbar, click the Refresh button again.

d. Switch to the other Internet Explorer window that displays the web.asp page from 10.1.1.21 (Server1).

e. On the toolbar, click the Refresh button.

Perform the following steps on the Paris computer.

10. On the Paris computer, examine the connectivity verifier and the alert for the connection to 10.1.1.21.

a. On the Paris computer, in the ISA Server console, in the left pane, select Monitoring.

b. In the right pane, select the Connectivity Verifiers tab.

c. In the right pane, select the Alerts tab.

d. In the task pane, on the Tasks tab, click Refresh Now.

e. In the right pane, expand the No Connectivity alert, and then select the lower No Connectivity line.

f. Right-click the lower No Connectivity line, and then click Reset.

g. Click Yes to confirm that you want to reset the No Connectivity alert.

Perform the following steps on the Denver computer.

11. On the Denver computer, start the Server1 Web Site.

a. On the Denver computer, in the IIS Manager console, right-click Server1 Web Site, and then click Start.

Perform the following steps on the Istanbul computer.

12. On the Istanbul computer, refresh the Web page from 10.1.1.22, and create a new connection to http://www.contoso.com/shop/web.asp.

a. On the Istanbul computer, switch to any of the Internet Explorer windows that currently displays the web.asp page from 10.1.1.22 (Server2).

b. On the toolbar, click the Refresh button to refresh the content of the Web page.

c. On the Start menu, click All Programs, and then click Internet Explorer.

d. Wait 20 seconds, and then in Internet Explorer, in the Address box, type http://www.contoso.com/shop/web.asp, and press Enter.

e. Close all Internet Explorer windows.

Perform the following steps on the Paris computer.

13. On the Paris computer, change the load balancing mechanism for the Sales Web Site rule to Source-IP based.

a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.

b. In the right pane, right-click the Sales Web Site rule, and then click Properties.

c. In the Sales Web Site Properties dialog box, on the Web Farm tab, in the Load Balancing Mechanism section, select Source-IP based.

d. Click OK to close the Sales Web Site Properties dialog box.

14. Apply the changes.

a. Click Apply to apply the changes, and then click OK.

Perform the following steps on the Istanbul computer.

15. On the Istanbul computer, create two new Internet Explorer sessions, and connect to http://www.contoso.com/shop/web.asp

a. On the Istanbul computer, on the Start menu, click All Programs, and then click Internet Explorer.

b. In Internet Explorer, in the Address box, type http://www.contoso.com/shop/web.asp, and then press Enter.

c. On the toolbar, click the Refresh button to refresh the content of the Web page.

d. On the Start menu, click All Programs, and then click Internet Explorer.

e. In Internet Explorer, in the Address box, type http://www.contoso.com/shop/web.asp, and then press Enter.

Perform the following steps on the Denver computer.

16. On the Denver computer, stop the Server2 Web Site to simulate a connectivity problem with the Web server on 10.1.1.22.

a. On the Denver computer, in the IIS Manager console, right-click Server2 Web Site, and then click Stop.

Perform the following steps on the Istanbul computer.

17. On the Istanbul computer, attempt to refresh the content of the Web page that was from 10.1.1.22 (Server2).

a. On the Istanbul computer, switch to one of the Internet Explorer windows that currently displays the web.asp page from 10.1.1.22 (Server2).

b. On the toolbar, click the Refresh button to refresh the content of the Web page.

c. Wait 20 seconds, and then on the toolbar, click the Refresh button again.

Perform the following steps on the Denver computer.

18. On the Denver computer, start the Server2 Web Site.

a. On the Denver computer, in the IIS Manager console, right-click Server2 Web Site, and then click Start.

b. Close the IIS Manager console.

Perform the following steps on the Istanbul computer.

19. On the Istanbul computer, attempt to refresh the content of the Web page that was from 10.1.1.21 (Server1).

a. On the Istanbul computer, switch to the Internet Explorer window that currently displays the web.asp page from 10.1.1.21 (Server1).

b. On the toolbar, click the Refresh button to refresh the content of the Web page.

c. Wait 20 seconds, and then on the toolbar, click the Refresh button again.

d. Close all Internet Explorer windows.

Perform the following steps on the Paris computer.

20. On the Paris computer, delete the Sales Web Site rule, and delete the Shop Web Servers farm.

a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.

b. In the right pane, right-click the Sales Web Site rule, and then click Delete.

c. Click Yes to confirm that you want to delete Sales Web Site.

d. In the task pane, on the Toolbox tab, in the Network Objects section, expand Server Farms.

e. Under Server Farms, right-click Shop Web Servers, and then click Delete.

f. Click Yes to confirm that you want to delete Shop Web Servers.

21. Apply the changes.

a. Click Apply to apply the changes, and then click OK.
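The two affinity mechanisms this exercise switches between, and the connectivity verifier that takes a stopped member out of rotation, modelled in Python as an added example (not ISA Server code and not part of the lab manual). The member addresses are the lab's; the cookie name, the round-robin distribution for clients without affinity, the SHA-256 hashing used for source-IP affinity and the client address 39.1.1.100 are assumptions.

```python
"""Model of the Web farm behaviour exercised above (added example, not ISA Server code).

Modelled: the affinity mechanism chosen on the Web Farm tab (cookie-based or
source-IP based) and the connectivity verifier that drops a member from rotation
when its HTTP GET fails. Member addresses come from the lab; the cookie name,
round-robin distribution, hashing and the client address are assumptions."""
import hashlib
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Optional, Tuple

AFFINITY_COOKIE = "ISAWPLB"  # assumed name; the lab does not state the real cookie name


@dataclass
class WebFarm:
    members: List[str]
    mechanism: str = "cookie"           # "cookie" or "source-ip"
    healthy: Dict[str, bool] = field(default_factory=dict)
    _next: int = 0                      # round-robin cursor for clients without affinity

    def __post_init__(self) -> None:
        self.healthy = {m: True for m in self.members}

    def verify(self, probe: Callable[[str], bool]) -> List[str]:
        """Connectivity verifier: probe(member) stands in for the GET to http://<member>/.
        A failing member leaves the rotation; the members currently down are returned."""
        for m in self.members:
            self.healthy[m] = probe(m)
        return [m for m in self.members if not self.healthy[m]]

    def available(self) -> List[str]:
        return [m for m in self.members if self.healthy[m]]

    def route(self, client_ip: str, cookies: Dict[str, str]) -> Tuple[str, Optional[str]]:
        """Choose the member for one request: (member, affinity cookie to set or None)."""
        avail = self.available()
        if not avail:
            raise RuntimeError("no farm member passes the connectivity verifier")
        if self.mechanism == "source-ip":
            # Affinity keyed on the client address: all sessions from one IP share a
            # member while it is up. SHA-256 is an assumed stand-in for ISA's selection.
            digest = hashlib.sha256(client_ip.encode()).digest()
            return avail[digest[0] % len(avail)], None
        # Cookie-based: a cookie naming a member still in rotation wins; otherwise the
        # client is distributed (assumed round robin) and receives a fresh cookie.
        wanted = cookies.get(AFFINITY_COOKIE)
        if wanted in avail:
            return wanted, None
        member = avail[self._next % len(avail)]
        self._next += 1
        return member, member


def lab_failover(mechanism: str) -> Dict[str, Any]:
    """Replay steps 6 to 12 (cookie) or 15 to 19 (source-IP) of this exercise."""
    farm = WebFarm(["10.1.1.21", "10.1.1.22"], mechanism)
    client = "39.1.1.100"                 # constructed address for the Istanbul browser
    session1: Dict[str, str] = {}         # one cookie jar per Internet Explorer session
    session2: Dict[str, str] = {}

    def browse(jar: Dict[str, str]) -> str:
        member, set_cookie = farm.route(client, jar)
        if set_cookie is not None:
            jar[AFFINITY_COOKIE] = set_cookie
        return member

    out: Dict[str, Any] = {}
    out["first"] = (browse(session1), browse(session2))
    out["refresh"] = (browse(session1), browse(session2))   # affinity holds on refresh
    stopped = out["first"][0]
    # Stopping the Web site in IIS makes the verifier's GET to that member fail.
    out["down"] = farm.verify(lambda m: m != stopped)
    out["after_stop"] = browse(session1)                     # session moves to a live member
    out["restored"] = farm.verify(lambda m: True)            # site started again
    out["after_restart"] = browse(session1)                  # cookie: stays put; source-IP: returns
    out["new_session"] = browse({})
    return out
```

The difference shows up in after_restart: a cookie-affine session keeps the member it failed over to, while source-IP affinity sends the client back to its original member as soon as the verifier sees it again.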

Exercise 6: Publishing Multiple Terminal Servers

In this exercise, you will configure ISA Server to publish a terminal server (remote desktop) on the Internal network and publish a terminal server on the ISA Server computer.

Tasks Detailed steps

Perform the following steps on the Denver computer.

1. On the Denver computer, use System properties to enable remote desktop.

a. On the Denver computer, on the Start menu, click Control Panel, and then click System.

b. In the System Properties dialog box, on the Remote tab, enable Enable Remote Desktop on this computer.

c. Click OK to acknowledge that remote connection accounts must have passwords, and that the correct port must be open for remote connections.

d. Click OK to close the System Properties dialog box.

Perform the following steps on the Paris computer.

2. On the Paris computer, create a server publishing rule:

Name: Publish RDP (on Denver)

Server: 10.1.1.5

Protocols: RDP (Terminal Services) Server

a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.

b. In the right pane, select the first rule, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.

c. In the task pane, on the Tasks tab, click Publish Non-Web Server Protocols.

d. In the New Server Publishing Rule Wizard dialog box, in the Server publishing rule name text box, type Publish RDP (on Denver), and then click Next.

e. On the Select Server page, in the Server IP address text box, type 10.1.1.5, and then click Next.

f. On the Select Protocol page, in the Selected protocol drop-down list box, select RDP (Terminal Services) Server, and then click Next.

g. On the Network Listener IP Addresses page, select External, and then click Next.

h. On the Completing the New Server Publishing Rule Wizard page, click Finish.

i. Click Apply to apply the new rule, and then click OK.

3. Use the C:\Tools\fwengmon /C command to examine the active creation objects.

a. Open a Command Prompt window.

b. At the command prompt, type netstat -ano | find ":3389", and then press Enter.

c. Type cd \tools, and then press Enter.

d. Type fwengmon /?, and then press Enter.

e. Type fwengmon /C, and then press Enter.

f. Do not close the Command Prompt window.

Perform the following steps on the Istanbul computer.

4. On the Istanbul computer, create a remote desktop connection to 39.1.1.1 (Paris)

a. On the Istanbul computer, on the Start menu, click All Programs, click Accessories, click Communications, and then right-click Remote Desktop Connection, and click Pin to Start menu.

b. On the Start menu, click Remote Desktop Connection.

c. In the Remote Desktop Connection dialog box, in the Computer text box, type 39.1.1.1, and then click Connect.

d. In the Log On to Windows dialog box, complete the following information:

User name: Administrator

Password: password and then click OK

5. Use the netstat command to examine the client IP address of the remote desktop connection.

a. In the remote desktop connection to Denver, open a Command Prompt window.

b. At the command prompt, type netstat -ano | find ":3389", and then press Enter.

c. Close the Command Prompt window.

6. Log off the remote desktop connection.

a. In the remote desktop connection to Denver, on the Start menu, click Log Off.

b. Click Log Off to confirm that you are sure you want to log off.

Perform the following steps on the Paris computer.

7. On the Paris computer, change the Publish RDP (on Denver) rule. Requests appear to come from: ISA Server computer

a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.

b. In the right pane, right-click Publish RDP (on Denver), and then click Properties.

c. In the Publish RDP (on Denver) Properties dialog box, on the To tab, select Requests appear to come from the ISA Server computer.

d. Click OK to close the Publish RDP (on Denver) Properties dialog box.

e. Click Apply to save the changes, and then click OK.

Perform the following steps on the Istanbul computer.

8. On the Istanbul computer, create a remote desktop connection to 39.1.1.1 (Paris)

a. On the Istanbul computer, on the Start menu, click Remote Desktop Connection.

b. In the Remote Desktop Connection dialog box, in the Computer text box, type 39.1.1.1, and then click Connect.

c. In the Log On to Windows dialog box, complete the following information:

User name: Administrator

Password: password and then click OK.

9. Use the netstat command to examine the client IP address of the remote desktop connection.

a. In the remote desktop connection to Denver, open a Command Prompt window.

b. At the command prompt, type netstat -ano | find ":3389", and then press Enter.

c. Close the Command Prompt window.

10. Log off the remote desktop connection.

a. In the remote desktop connection to Denver, on the Start menu, click Log Off.

b. Click Log Off to confirm that you are sure you want to log off.

Perform the following steps on the Paris computer.

11. On the Paris computer, change the Publish RDP (on Denver) rule.

Publish on port: 3390

a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.

b. In the right pane, right-click Publish RDP (on Denver), and then click Properties.

c. In the Publish RDP (on Denver) Properties dialog box, on the Traffic tab, click Ports.

d. In the Ports dialog box, complete the following information:

Publish on this port instead of the default port: 3390 and then click OK.

e. Click OK to close the Publish RDP (on Denver) Properties dialog box.

f. Click Apply to save the changes, and then click OK.

12. Use the C:\Tools\fwengmon /C command to examine the active creation objects.

a. In a Command Prompt window in the C:\Tools folder, type fwengmon /C, and then press Enter.

Perform the following steps on the Istanbul computer.

13. On the Istanbul computer, create a remote desktop connection to 39.1.1.1:3390 (Paris)

a. On the Istanbul computer, on the Start menu, click Remote Desktop Connection.

b. In the Remote Desktop Connection dialog box, in the Computer text box, type 39.1.1.1:3390, and then click Connect.

c. Click Cancel to close the Log On to Windows dialog box.

d. Click Close to close the Remote Desktop Connection dialog box.

Perform the following steps on the Paris computer.

14. On the Paris computer, use System properties to enable remote desktop.

a. On the Paris computer, on the Start menu, click Control Panel, and then click System.

b. In the System Properties dialog box, on the Remote tab, enable Enable Remote Desktop on this computer.

c. Click OK to acknowledge that remote connection accounts must have passwords, and that the correct port must be open for remote connections.


d. Click OK to close the System Properties dialog box.

15. Use the netstat command, and the C:\Tools\fwengmon /C command to examine the effect of enabling remote desktop.

a. In a Command Prompt window, type netstat -ano | find ":3389", and then press Enter.

b. At the command prompt, type tasklist /svc | find "nnnn", and then press Enter. (Replace nnnn with the actual process ID displayed in the output of the previous step.)

c. At the command prompt, in the C:\Tools folder, type fwengmon /C, and then press Enter.

16. Create a server publishing rule: Name: Publish RDP (on Paris)

Server: 10.1.1.1

Protocols: RDP (Terminal Services) Server

a. In the ISA Server console, in the left pane, select Firewall Policy.

b. In the right pane, select the first rule to indicate where the new rule is added to the rule list.

c. In the task pane, on the Tasks tab, click Publish Non-Web Server Protocols.

d. In the New Server Publishing Rule Wizard dialog box, in the Server publishing rule name text box, type Publish RDP (on Paris), and then click Next.

e. On the Select Server page, in the Server IP address text box, type 10.1.1.1, and then click Next.

f. On the Select Protocol page, in the Selected protocol drop-down list box, select RDP (Terminal Services) Server, and then click Next.

g. On the Network Listener IP Addresses page, select External, and then click Next.

h. On the Completing the New Server Publishing Rule Wizard page, click Finish.

i. Click Apply to apply the new rule, and then click OK.

17. Use the netstat command, and the C:\Tools\fwengmon /C command to examine the effect of enabling remote desktop.

a. In a Command Prompt window, type netstat -ano | find ":3389", and then press Enter.

b. At the command prompt, in the C:\Tools folder, type fwengmon /C, and then press Enter.

Perform the following steps on the Istanbul computer.

18. On the Istanbul computer, create a remote desktop connection to 39.1.1.1 (Paris)

a. On the Istanbul computer, on the Start menu, click Remote Desktop Connection.

b. In the Remote Desktop Connection dialog box, in the Computer text box, type 39.1.1.1, and then click Connect.

c. Click Cancel to close the Log On to Windows dialog box.

d. Click Close to close the Remote Desktop Connection dialog box.

Perform the following steps on the Denver computer.

19. On the Denver computer, use System properties to disable remote desktop.

a. On the Denver computer, on the Start menu, click Control Panel, and then click System.

b. In the System Properties dialog box, on the Remote tab, in the Remote Desktop box, clear Enable Remote Desktop to this computer.

c. Click OK to close the System Properties dialog box.

Perform the following steps on the Paris computer.

20. On the Paris computer, use System properties to disable remote desktop.

a. On the Paris computer, on the Start menu, click Control Panel, and then click System.

b. In the System Properties dialog box, on the Remote tab, in the Remote Desktop box, clear Enable Remote Desktop to this computer.

c. Click OK to close the System Properties dialog box.
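What the published server sees for an inbound RDP connection under the rule options changed in steps 7, 11 and 16 of this exercise, modelled in Python as an added example (not ISA Server code and not part of the lab manual). The ISA and Denver addresses are the lab's; the external client address 39.1.1.100 and first-match evaluation by listener port are assumptions.

```python
"""Model of the server publishing rules built in this exercise (added example, not
ISA Server code). It shows the connection the published server observes under the
two options the lab changes: "Requests appear to come from the ISA Server computer"
and "Publish on this port instead of the default port". ISA and Denver addresses are
the lab's; the external client address is constructed."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

ISA_EXTERNAL_IP = "39.1.1.1"   # Paris, External network listener
ISA_INTERNAL_IP = "10.1.1.1"   # Paris, Internal network address
RDP_PORT = 3389                # RDP (Terminal Services) Server protocol


@dataclass(frozen=True)
class ServerPublishingRule:
    name: str
    server_ip: str                        # Select Server page
    publish_port: Optional[int] = None    # Traffic tab > Ports
    from_isa: bool = False                # To tab option

    def listen_port(self) -> int:
        return RDP_PORT if self.publish_port is None else self.publish_port


# (rule name, source address the server sees, server address, server port)
Forwarded = Tuple[str, str, str, int]


def forward(rules: List[ServerPublishingRule], client_ip: str,
            dst_port: int) -> Optional[Forwarded]:
    """First-match evaluation (assumed) of a connection to ISA_EXTERNAL_IP:dst_port in
    firewall policy order. None means no rule listens on that port: the connection is
    dropped, which is what step 13 relies on after moving the rule to port 3390."""
    for rule in rules:
        if rule.listen_port() == dst_port:
            # With from_isa, netstat on the server shows 10.1.1.1 for every client, so
            # the real client address no longer appears in the server's own logon events.
            seen_from = ISA_INTERNAL_IP if rule.from_isa else client_ip
            return rule.name, seen_from, rule.server_ip, RDP_PORT
    return None


def lab_sequence(client_ip: str = "39.1.1.100") -> Dict[str, Optional[Forwarded]]:
    """The states the lab walks through; the rule keeps earlier changes as it is edited."""
    out: Dict[str, Optional[Forwarded]] = {}
    denver = ServerPublishingRule("Publish RDP (on Denver)", "10.1.1.5")       # step 2
    out["step4_default"] = forward([denver], client_ip, 3389)
    denver = replace(denver, from_isa=True)                                    # step 7
    out["step8_from_isa"] = forward([denver], client_ip, 3389)
    denver = replace(denver, publish_port=3390)                                # step 11
    out["step13_port3390"] = forward([denver], client_ip, 3390)
    out["step13_old_port"] = forward([denver], client_ip, 3389)
    paris = ServerPublishingRule("Publish RDP (on Paris)", ISA_INTERNAL_IP)    # step 16
    out["step18_two_rules"] = forward([paris, denver], client_ip, 3389)
    return out
```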


Module D: Publishing an Exchange Server

Exercise 1: Publishing Exchange Web Access - Certificate Management

In this exercise, you will enable access to the Exchange Server for clients that use Outlook Web Access (OWA). You configure ISA Server to use SSL Bridging, because you want to encrypt the connection with the SSL protocol (HTTPS), but you also want to inspect the traffic at the ISA Server computer.

This exercise also demonstrates the new certificate management functionality of ISA Server 2006.

Tasks Detailed steps

Perform the following steps on the Denver computer.

1. On the Denver computer, import the denver.contoso.com Web server certificate from the C:\Tools\Certs folder.

a. On the Denver computer, use Windows Explorer (or My Computer) to open the C:\Tools\Certs folder.

b. In the Certs folder, right-click denver-certload.vbs, and then click Open.

c. Click Yes to confirm that you want to import the certificate.

d. Click OK to acknowledge that the import of the certificate is complete.

e. Close the Certs folder.

2. Configure IIS to use the denver.contoso.com Web server certificate.

a. On the Start menu, click Administrative Tools, and then click Internet Information Services (IIS) Manager.

b. In the IIS Manager console, expand DENVER (local computer), expand Web Sites, right-click Default Web Site, and then click Properties.

c. In the Default Web Site Properties dialog box, on the Directory Security tab, click Server Certificate.

d. In the Welcome to the Web Server Certificate Wizard dialog box, click Next.

e. On the Server Certificate page, select Assign an existing certificate, and then click Next.

f. On the Available Certificates page, select the certificate for denver.contoso.com that has the intended purpose of Server Authentication (do not select a certificate with another intended purpose), and then click Next.

g. On the SSL Port page, in the SSL port this web site should use text box, type 443, and then click Next.

h. On the Certificate Summary page, click Next.

i. On the Completing the Web Server Certificate Wizard page, click Finish.

j. Click OK to close the Default Web Site Properties dialog box.

k. Close the IIS Manager console.

Perform the following steps on the Paris computer.

3. On the Paris computer, import the mail.contoso.com Web server certificate from the C:\Tools\Certs folder.

a. On the Paris computer, use Windows Explorer (or My Computer) to open the C:\Tools\Certs folder.

b. In the Certs folder, right-click mail-certload.vbs, and then click Open.

c. Click Yes to confirm that you want to import the certificate.

d. Click OK to acknowledge that the import of the certificate is complete.

4. For demonstration purposes, import invalid certificates from the C:\Tools\Certs\Invalid folder.

a. In the Certs folder, open the Invalid folder.

b. In the Invalid folder, right-click certload-invalid-Paris.vbs, and then click Open.

c. Click Yes to confirm that you want to import the certificates.

d. Click OK to acknowledge that the import of the certificates is complete.

e. Close the Invalid folder.

5. Create a new Web listener.

Name: External Web 443

SSL: enable

Network: External

Compression: disable

Certificate: mail.contoso.com

Authentication: HTTP Authentication - Basic

a. On the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.

b. In the ISA Server console, expand Paris, and then select Firewall Policy.

c. In the task pane, on the Toolbox tab, in the Network Objects section, right-click Web Listeners, and then click New Web Listener.

d. In the New Web Listener Definition Wizard dialog box, in the Web listener name text box, type External Web 443, and then click Next.

e. On the Client Connection Security page, select Require SSL secured connections with clients, and then click Next.

f. On the Web Listener IP Addresses page, complete the following information:

Listen on network: External

ISA Server will compress content: disable and then click Next.

g. On the Listener SSL Certificates page, click Select Certificate.

h. In the Select Certificate dialog box, disable Show only valid certificates.

i. In the certificates list, select each of the certificates cert2.contoso.com to cert5.contoso.com to see the problem with the certificate.

j. In the certificates list, select mail.contoso.com, and then click Select.

k. On the Listener SSL Certificates page, click Next.

l. On the Authentication Settings page, complete the following information:

Authentication method: HTTP Authentication (is default)

Basic: enable

Digest: disable (is default)

Integrated: disable (is default) and then click Next.

m. On the Single Sign On Settings page, click Next.

n. On the Completing the New Web Listener Wizard page, click Finish.

6. Create an OWA mail server publishing rule:

Name: Publish mail (OWA)

Version: Exchange Server 2003

Internal site name: denver.contoso.com

Public name: mail.contoso.com

Web listener: External Web 443

Delegation: Basic Authentication

a. In the right pane, select the first rule, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.

b. In the task pane, on the Tasks tab, click Publish Exchange Web Client Access.

c. In the New Exchange Publishing Rule Wizard dialog box, in the Exchange Publishing rule name text box, type Publish mail (OWA), and then click Next.

d. On the Select Services page, complete the following information:

Exchange version: Exchange Server 2003 (is default)

Outlook Web Access: enable (is default)

Leave the other check boxes disabled (is default) and then click Next.

e. On the Publishing Type page, select Publish a single Web site, and then click Next.

f. On the Server Connection Security page, select Use SSL to connect to the published Web server, and then click Next.

g. On the Internal Publishing Details page, in the Internal site name text box, type denver.contoso.com, and then click Next.

h. On the Public Name Details page, complete the following information:

Accept requests for: This domain name (type below):

Public name: mail.contoso.com and then click Next.

i. On the Select Web Listener page, in the Web listener drop-down list box, select External Web 443, and then click Next.

j. On the Authentication Delegation page, select Basic Authentication, and then click Next.

k. On the User Sets page, click Next.

l. On the Completing the New Exchange Publishing Rule Wizard page, click Finish.

7. Examine the new OWA mail server publishing rule named Publish mail (OWA).

a. In the right pane, right-click Publish mail (OWA), and then click Properties.

b. In the Publish mail (OWA) Properties dialog box, select the To tab.

c. Select the Traffic tab.

d. Select the Paths tab.

e. Select the Listener tab.

f. Select the Bridging tab.

g. Click Cancel to close the Publish mail (OWA) Properties dialog box.

8. Apply the new rule.

h. Click Apply to apply the new rule, and then click OK.

Perform the following steps on the Denver computer.

9. On the Denver computer, configure IIS to require SSL on the virtual directories used by OWA: /Exchange /ExchWeb /Public

a. On the Denver computer, on the Start menu, click Administrative Tools, and then click Internet Information Services (IIS) Manager.

b. In the IIS Manager console, expand Default Web Site, right-click Exchange, and then click Properties.

c. In the Exchange Properties dialog, on the Directory Security tab, in the Secure communications box, click Edit.

d. In the Secure Communications box, enable Require secure channel (SSL), and then click OK.

e. Click OK to close the Exchange Properties dialog box.

f. Right-click ExchWeb, and then click Properties.

g. In the ExchWeb Properties dialog box, on the Directory Security tab, in the Secure communications box, click Edit.

h. In the Secure Communications box, enable Require secure channel (SSL), and then click OK.

i. Click OK to close the ExchWeb Properties dialog box.

j. Right-click Public, and then click Properties.

k. In the Public Properties dialog box, on the Directory Security tab, in the Secure communications box, click Edit.

l. In the Secure Communications box, enable Require secure channel (SSL), and then click OK.

m. Click OK to close the Public Properties dialog box.

n. Close the IIS Manager console.

Perform the following steps on the Istanbul computer.

10. On the Istanbul computer, use Internet Explorer to securely connect to https://mail.contoso.com/exchange. Send an e-mail to Administrator to test the secure OWA connection to ISA Server.

a. On the Istanbul computer, open Internet Explorer. In the Address box, type https://mail.contoso.com/exchange, and then press Enter.

b. In the Connect to mail.contoso.com dialog box, complete the following information:

User name: Administrator

Password: password

Remember my password: disable (is default) and then click OK.

c. On the OWA toolbar, click New.

d. In the new message window, complete the following information:

To: Administrator

Subject: Test mail through Secure OWA - 1

(Message): Publish Exchange using Secure OWA and then click Send.

e. After a few moments, in the left pane, click Inbox to refresh the display of the Inbox contents.

f. Close Internet Explorer.

Perform the following steps on the Paris computer.

11. On the Paris computer, configure the External Web 443 Web listener to use HTML Form Authentication.

a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy

b. In the task pane, on the Toolbox tab, in the Network Objects section, expand Web Listeners, right-click External Web 443, and then click Properties.

c. In the External Web 443 Properties dialog box, on the Authentication tab, in the Client Authentication Method drop-down list box, select HTML Form Authentication.

d. On the Forms tab, click Advanced.

e. Click Cancel to close the Advanced Form Options dialog box.

f. Click OK to close the External Web 443 Properties dialog box.

g. Click Apply to save the changes, and then click OK.

Perform the following steps on the Istanbul computer.

12. On the Istanbul computer, use Internet Explorer to securely connect to https://mail.contoso.com/exchange again.

a. On the Istanbul computer, open Internet Explorer. In the Address box, type https://mail.contoso.com/exchange, and then press Enter.

b. In the Office Outlook Web Access page, complete the following information:

Security: This is a private computer

Use Outlook Web Access Light: disable (is default)

Domain\user name: contoso\administrator

Password: password and then click Log On.

c. Close Internet Explorer.

Perform the following steps on the Paris computer.

13. On the Paris computer, configure the External Web 443 Web listener to use Basic authentication.

a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.

b. In the task pane, on the Toolbox tab, in the Network Objects section, expand Web Listeners, right-click External Web 443, and then click Properties.

c. In the External Web 443 Properties dialog box, on the Authentication tab, complete the following information:

Client Authentication Method: HTTP Authentication

Basic: enable

Digest: disable (is default)

Integrated: disable (is default) and then click OK to close the External Web 443 Properties dialog box.

d. Click Apply to save the changes, and then click OK.

Exercise 2: Publishing an Exchange Server for SMTP and POP3

In this exercise, you will configure server publishing rules on the ISA Server to allow access to the Exchange Server by using the SMTP and POP3 protocols.

Tasks Detailed steps

Perform the following steps on the Istanbul computer.

1. On the Istanbul computer, start Outlook Express, and then attempt to connect to the Exchange Server (POP3) by clicking Send/Recv.

a. On the Istanbul computer, on the Start menu, click All Programs, and then click Outlook Express.

b. In Outlook Express, on the toolbar, click Send/Recv.

c. In the Logon - Contoso mail dialog box, complete the following information:

User Name: Administrator

Password: password and then click OK.

d. Click Hide to close the error message box.

Perform the following steps on the Paris computer.

2. On the Paris computer, create a mail server publishing rule: Name: Publish mail Protocols: SMTP, POP3

Server: 10.1.1.5

a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.

b. In the right pane, select the first rule, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.

c. In the task pane, on the Tasks tab, click Publish Mail Servers.

d. In the New Mail Server Publishing Rule Wizard dialog box, in the Mail Server Publishing rule name text box, type Publish mail, and then click Next.

e. On the Select Access Type page, select Client access: RPC, IMAP, POP3, SMTP, and then click Next.

f. On the Select Services page, complete the following information:

POP3 (standard port): enable

SMTP (standard port): enable


Leave all other check boxes disabled and then click Next.

g. On the Select Server page, in the Server IP address text box, type 10.1.1.5, and then click Next.

h. On the Network Listener IP Addresses page, select External, and then click Next.

i. On the Completing the New Mail Server Publishing Rule Wizard page, click Finish.

3. Apply the changes. a. Click Apply to apply the new rules, and then click OK.

Perform the following steps on the Istanbul computer.

4. On the Istanbul computer, in Outlook Express, connect to the Exchange Server by clicking Send/Recv. Send an e-mail to administrator@contoso.com to test the SMTP and POP3 connections to ISA Server.

a. On the Istanbul computer, in Outlook Express, on the toolbar, click Send/Recv.

b. If the Logon - Contoso mail dialog box appears, complete the following information:

User Name: Administrator

Password: password and then click OK.

c. On the toolbar, click Create Mail.

d. In the New Message window, complete the following information:

To: administrator@contoso.com

Subject: Test mail through SMTP/POP3 - 2

(Message): Publish Exchange using SMTP/POP3 and then click Send.

e. On the toolbar, click Send/Recv.

f. Close Outlook Express.

Exercise 3: Publishing an Exchange Server for Outlook (RPC)

In this exercise, you will publish the Exchange Server (Denver) for Remote Procedure Call (RPC) access by Microsoft Outlook clients. This allows the full functionality of Outlook.

Tasks Detailed steps

Perform the following steps on the Paris computer.

1. On the Paris computer, create a mail server publishing rule: Name: Publish mail Protocols: Outlook (RPC)

Server: 10.1.1.5

a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.

b. In the right pane, select the first rule, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.

c. In the task pane, on the Tasks tab, click Publish Mail Servers.

d. In the New Mail Server Publishing Rule Wizard dialog box, in the Mail Server Publishing rule name text box, type Publish mail, and then click Next.

e. On the Select Access Type page, select Client access: RPC, IMAP, POP3, SMTP, and then click Next.

f. On the Select Services page, complete the following information:

Outlook (RPC) (standard port): enable

Leave all other check boxes disabled and then click Next.


g. On the Select Server page, in the Server IP address text box, type 10.1.1.5, and then click Next.

h. On the Network Listener IP Addresses page, select External, and then click Next.

i. On the Completing the New Mail Server Publishing Rule Wizard page, click Finish.

2. Examine the RPC Filter application filter.

a. In the left pane, expand Configuration, and then select Add-ins.

b. In the right pane, on the Application Filters tab, select RPC Filter.

3. Examine the new mail server publishing rule named Publish mail Exchange RPC Server.

a. In the left pane, select Firewall Policy.

b. In the right pane, select Publish mail Exchange RPC Server, and then in the task pane, on the Tasks tab, click Edit Selected Rule.

c. In the Publish mail Exchange RPC Server Properties dialog box, select the Traffic tab.

d. On the Traffic tab, click Properties.

e. In the Exchange RPC Server Properties dialog box, select the Interfaces tab.

f. Click Cancel to close the Exchange RPC Server Properties dialog box.

g. Click Cancel to close the Publish mail Exchange RPC Server Properties dialog box.

4. Apply the new rule. a. In the right pane, click Apply to apply the new rule, and then click OK.

Perform the following steps on the Istanbul computer.

5. On the Istanbul computer, start Outlook 2003, and then examine the network connections. Use: netstat -ano; Use: Connection Status.

a. On the Istanbul computer, open a Command Prompt window.

b. At the command prompt, type netstat -ano | find "EST", and then press Enter.

c. On the Start menu, click All Programs, click Microsoft Office, and then click Microsoft Office Outlook 2003.

d. Switch to the Command Prompt window.

e. At the command prompt, type netstat -ano | find "EST", and then press Enter.

f. Close the Command Prompt window.

g. Press the Ctrl-key, and then click the Outlook icon in the system tray area.

h. In the context menu of the system tray Outlook icon, click Connection Status.

i. Click Close to close the Exchange Server Connection Status window.

6. Send an e-mail to Administrator to test the RPC connection to ISA Server.

a. In Outlook, on the toolbar, click New.

b. In the new message window, complete the following information:

To: Administrator

Subject: Test mail through RPC - 3

(Message): Publish Exchange using RPC and then click Send.

c. In the Inbox, select the new message.

d. Close Outlook.


Exercise 4: Publishing an Exchange Server for RPC over HTTP

In this exercise, you want to provide Microsoft Outlook clients with the full functionality of Outlook when they connect to the Exchange Server. However, in this exercise, directly publishing Exchange Server through the Remote Procedure Call (RPC) protocol is not possible. You will configure ISA Server to tunnel RPC traffic inside HTTP (HTTPS) traffic. This uses the RPC over HTTP protocol.

Tasks Detailed steps

Perform the following steps on the Paris computer.

1. On the Paris computer, import the mail.contoso.com Web server certificate from the C:\Tools\Certs folder.

a. On the Paris computer, use Windows Explorer (or My Computer) to open the C:\Tools\Certs folder.

b. In the Certs folder, right-click mail-certload.vbs, and then click Open.

c. Click Yes to confirm that you want to import the certificate.

d. Click OK to acknowledge that the import of the certificate is complete.

e. Close the Certs folder.

Perform the following steps on the Denver computer.

2. On the Denver computer, import the denver.contoso.com Web server certificate from the C:\Tools\Certs folder.

a. On the Denver computer, use Windows Explorer (or My Computer) to open the C:\Tools\Certs folder.

b. In the Certs folder, right-click denver-certload.vbs, and then click Open.

c. Click Yes to confirm that you want to import the certificate.

d. Click OK to acknowledge that the import of the certificate is complete.

e. Close the Certs folder.

3. Configure IIS to use the denver.contoso.com Web server certificate.

a. On the Start menu, click Administrative Tools, and then click Internet Information Services (IIS) Manager.

b. In the IIS Manager console, expand DENVER (local computer), expand Web Sites, right-click Default Web Site, and then click Properties.

c. In the Default Web Site Properties dialog box, on the Directory Security tab, click Server Certificate.

d. In the Welcome to the Web Server Certificate Wizard dialog box, click Next.

e. On the Server Certificate page, select Assign an existing certificate, and then click Next.

f. On the Available Certificates page, select the certificate for denver.contoso.com that has the intended purpose of Server Authentication (do not select a certificate with another intended purpose), and then click Next.

g. On the SSL Port page, in the SSL port this web site should use text box, type 443, and then click Next.

h. On the Certificate Summary page, click Next.

i. On the Completing the Web Server Certificate Wizard page, click Finish.

j. Click OK to close the Default Web Site Properties dialog box.

k. Close the IIS Manager console.

4. Install the RPC over HTTP Proxy network service.

a. On the Start menu, click Control Panel, and then click Add or Remove Programs.

b. In the Add or Remove Programs window, click Add/Remove Windows Components.

c. On the Windows Components page, select the Networking Services component (do NOT select the check box), and then click Details.

d. In the Networking Services dialog box, select the RPC over HTTP Proxy check box, and then click OK.

e. On the Windows Components page, click Next.

f. On the Completing the Windows Components Wizard page, click Finish.

g. Close the Add or Remove Programs window.

5. In the IIS Manager console, examine the RPC Proxy Server extension.

a. On the Start menu, click Administrative Tools, and then click Internet Information Services (IIS) Manager.

b. In the IIS Manager console, expand DENVER (local computer), and then in the left pane, select Web Service Extensions.

6. Configure the /Rpc virtual directory: Anonymous access: No; Authentication method: Basic authentication only; Require SSL: Yes.

a. In the IIS Manager console, expand Web Sites, expand Default Web Site, and then in the left pane, select Rpc.

b. Right-click Rpc, and then click Properties.

c. In the Rpc Properties dialog box, on the Directory Security tab, in the Authentication and access control box, click Edit.

d. In the Authentication Methods dialog box, enable Basic authentication.

e. In the IIS Manager warning message box, click Yes to confirm that you want to continue.

f. In the Authentication Methods dialog box, complete the following information:

Enable anonymous access: disable

Integrated Windows authentication: disable (is default)

Basic authentication: enable (done in previous step) and then click OK.

g. On the Directory Security tab, in the Secure communications box, click Edit.

h. In the Secure communications box, enable Require secure channel (SSL), and then click OK.

i. On the Directory Security tab, click View Certificate.

j. Click OK to close the Certificate dialog box.

k. Click OK to close the Rpc Properties dialog box.

l. Close the IIS Manager console.

7. Configure the RPC Proxy network service to communicate with the Exchange Server and Global Catalog server (denver.contoso.com) on the following ports only: 6001, 6002 and 6004.

a. Open a Command Prompt window.

b. At the command prompt, type cd \tools\reskit, and then press Enter.

c. Type rpccfg /hd.

d. Type rpccfg /hr Denver.

e. Type rpccfg /ha Denver 6001 6002 6004.

f. Type rpccfg /ha denver.contoso.com 6001 6002 6004.

g. Type rpccfg /hd.

h. Type reg.exe query HKLM\Software\Microsoft\Rpc\RpcProxy.

i. Close the Command Prompt window.

8. Configure the Global Catalog server (Denver) to use port 6004 for RPC over HTTP connections.

a. On the Start menu, click Run.

b. In the Run dialog box, type regedit.exe, and then click OK.

c. In the Registry Editor window, select the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters key.

d. Right-click the Parameters key, click New, and then click Multi-String Value.

e. In the New Value #1 text box, replace the text by typing NSPI interface protocol sequences, and then press Enter.

f. Right-click the NSPI interface protocol sequences value, and then click Modify.

g. In the Edit Multi-String dialog box, type ncacn_http:6004, and then click OK.

h. Close the Registry Editor window.
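The point of steps 7 and 8 is to replace the broad ValidPorts list the RPC Proxy installs with exactly the three ports the Exchange store and the NSPI (address book) interface use, and to pin NSPI to ncacn_http on 6004. The PowerShell below is an added example written for this manual, not part of the lab and not Microsoft's tooling. It parses the ValidPorts value under HKLM\Software\Microsoft\Rpc\RpcProxy (the value that rpccfg /ha writes and reg.exe query shows in step 7h) and the NSPI interface protocol sequences value under the NTDS Parameters key, and reports any host or port outside the 6001/6002/6004 set. When run on Denver it reads the live values; elsewhere it falls back to constructed samples, and the broad string DENVER:100-5000 is one such constructed stand-in for an untightened ValidPorts value. The tightened sample string assumes the host:port;host:port layout, which is the format the parser accepts.

```powershell
# Added example, not from the lab manual: audit the RPC over HTTP proxy settings
# made in steps 7 and 8. Registry paths are the ones the lab uses; sample strings
# below are constructed so the functions can be exercised off the lab network.

# Parse "host:port" / "host:low-high" entries separated by ';' into objects.
function ConvertFrom-ValidPorts {
    param([Parameter(Mandatory = $true)][string]$ValidPorts)
    foreach ($entry in ($ValidPorts -split ';' | Where-Object { $_.Trim() -ne '' })) {
        $name, $range = $entry.Trim() -split ':', 2
        if ($range -match '^(\d+)(?:-(\d+))?$') {
            $low  = [int]$Matches[1]
            $high = if ($Matches[2]) { [int]$Matches[2] } else { $low }
            [pscustomobject]@{ Host = $name; Low = $low; High = $high }
        } else {
            Write-Warning "Unparseable ValidPorts entry: '$entry'"
        }
    }
}

# Return one finding per entry that is broader than the expected hosts/ports.
function Test-ValidPorts {
    param(
        [Parameter(Mandatory = $true)][string]$ValidPorts,
        [string[]]$AllowedHosts = @('Denver', 'denver.contoso.com'),
        [int[]]$AllowedPorts = @(6001, 6002, 6004)
    )
    $findings = @()
    foreach ($e in @(ConvertFrom-ValidPorts -ValidPorts $ValidPorts)) {
        if ($AllowedHosts -notcontains $e.Host) {
            $findings += "unexpected host '$($e.Host)' in ValidPorts"
        }
        $extra = @(($e.Low)..($e.High) | Where-Object { $AllowedPorts -notcontains $_ })
        if ($extra.Count -gt 0) {
            $findings += "$($e.Host): $($e.Low)-$($e.High) allows $($extra.Count) port(s) beyond $($AllowedPorts -join ',')"
        }
    }
    return $findings
}

# Check the NTDS value from step 8: NSPI must be offered as ncacn_http on 6004.
function Test-NspiSequence {
    param([string[]]$Sequences)
    return (@($Sequences) -contains 'ncacn_http:6004')
}

$rpcProxyKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\RpcProxy'
$ntdsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

# Live values when run on Denver; constructed fallbacks anywhere else.
$validPorts = (Get-ItemProperty -Path $rpcProxyKey -ErrorAction SilentlyContinue).ValidPorts
if (-not $validPorts) { $validPorts = 'DENVER:100-5000' }   # constructed: an untightened, broad range
$nspi = (Get-ItemProperty -Path $ntdsKey -ErrorAction SilentlyContinue).'NSPI interface protocol sequences'
if (-not $nspi) { $nspi = @('ncacn_http:6004') }            # constructed: the value step 8 creates

"ValidPorts = $validPorts"
$f = @(Test-ValidPorts -ValidPorts $validPorts)
if ($f.Count -eq 0) { 'ValidPorts: OK, limited to 6001/6002/6004' } else { $f | ForEach-Object { "ValidPorts: $_" } }
if (Test-NspiSequence $nspi) { 'NSPI: OK, ncacn_http:6004 present' } else { 'NSPI: ncacn_http:6004 missing' }

# What step 7 should leave behind (constructed in the format the parser accepts):
$tightened = 'Denver:6001;Denver:6002;Denver:6004;denver.contoso.com:6001;denver.contoso.com:6002;denver.contoso.com:6004'
"Tightened sample findings: $(@(Test-ValidPorts -ValidPorts $tightened).Count)"
```

Run it on Denver after step 7h and again after the restart in step 9: a non-empty findings list means the proxy will still forward RPC over HTTP requests to ports the lab never intended to expose, and a missing ncacn_http:6004 means Outlook will fail at the address-book lookup even though mailbox access works.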

9. Restart the Denver computer.

a. On the Start menu, click Shut Down.

b. In the Shut Down Windows dialog box, complete the following information:

What do you want the computer to do: Restart

Option: Other (Planned) (is default)

Comment: Changed RPC Proxy settings and then click OK.

10. Log on to the computer: User name: Administrator Password: password Log on to: CONTOSO

a. After the restart, at the Welcome to Windows dialog box, press <right>Alt-Del (instead of Ctrl-Alt-Del).

b. In the Log On to Windows dialog box, complete the following information:

User name: Administrator

Password: password

Domain: CONTOSO and then click OK to log on.

Perform the following steps on the Paris computer.

11. On the Paris computer, disable the existing rule that publishes the Exchange Server by using RPC.

a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.

b. In the right pane, right-click Publish mail Exchange RPC Server, and then click Disable.

12. Create a new Web listener. Name: External Web 443; SSL: enable; Network: External; Compression: disable; Certificate: mail.contoso.com; Authentication: HTTP Authentication - Basic.

a. In the task pane, on the Toolbox tab, in the Network Objects section, expand Web Listeners (if possible).

b. If a Web listener named External Web 443 does not exist, then right-click Web Listeners, and then click New Web Listener.

c. In the New Web Listener Definition Wizard dialog box, in the Web listener name text box, type External Web 443, and then click Next.

d. On the Client Connection Security page, select Require SSL secured connections with clients, and then click Next.

e. On the Web Listener IP Addresses page, complete the following information:

Listen on network: External

ISA Server will compress content: disable and then click Next.

f. On the Listener SSL Certificates page, click Select Certificate.

g. In the certificates list, select mail.contoso.com, and then click Select.

h. On the Listener SSL Certificates page, click Next.

i. On the Authentication Settings page, complete the following information:

Authentication method: HTTP Authentication (is default)


Basic: enable

Digest: disable (is default)

Integrated: disable (is default) and then click Next.

j. On the Single Sign On Settings page, click Next.

k. On the Completing the New Web Listener Wizard page, click Finish.

13. Create a new RPC over HTTPS Web publishing rule. Name: Publish mail (RPC over HTTPS); Version: Exchange Server 2003; Internal site name: denver.contoso.com; Public name: mail.contoso.com; Web listener: External Web 443; Delegation: Basic Authentication.

a. In the right pane, select the first rule, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.

b. In the task pane, on the Tasks tab, click Publish Exchange Web Client Access.

c. In the New Exchange Publishing Rule Wizard dialog box, in the Exchange Publishing rule name text box, type Publish mail (RPC over HTTPS), and then click Next.

d. On the Select Services page, complete the following information:

Exchange version: Exchange Server 2003 (is default)

Outlook Web Access: disable

Outlook RPC/HTTP(s): enable

Leave the other check boxes disabled (is default) and then click Next.

e. On the Publishing Type page, select Publish a single Web site, and then click Next.

f. On the Server Connection Security page, select Use SSL to connect to the published Web server, and then click Next.

g. On the Internal Publishing Details page, in the Internal site name text box, type denver.contoso.com, and then click Next.

h. On the Public Name Details page, complete the following information:

Accept requests for: This domain name (type below):

Public name: mail.contoso.com and then click Next.

i. On the Select Web Listener page, in the Web listener drop-down list box, select External Web 443, and then click Next.

j. On the Authentication Delegation page, select Basic Authentication, and then click Next.

k. On the User Sets page, click Next.

l. On the Completing the New Exchange Publishing Rule Wizard page, click Finish.

14. Examine the new Web publishing rule named Publish mail (RPC over HTTPS).

a. In the right pane, right-click Publish mail (RPC over HTTPS), and then click Properties.

b. In the Publish mail (RPC over HTTPS) Properties dialog box, select the Paths tab.

c. Click Cancel to close the Publish mail (RPC over HTTPS)

Properties dialog box.

15. Apply the new rule. a. Click Apply to apply the new rule, and then click OK.

Perform the following steps on the Istanbul computer.

16. On the Istanbul computer, use Internet Explorer to verify the configuration of the secure Web publishing rule, by connecting to https://mail.contoso.com/rpc. The expected error code is 401.3 (Access denied due to an ACL).

a. On the Istanbul computer, open Internet Explorer. In the Address box, type https://mail.contoso.com/rpc, and then press Enter.

b. In the Connect to mail.contoso.com dialog box, complete the following information:

User name: Administrator

Password: password

Remember my password: disable (is default) and then click OK.

c. In the Connect to mail.contoso.com dialog box, type Administrator and password for the second time, and then click OK.

d. In the Connect to mail.contoso.com dialog box, type Administrator and password for the third time, and then click OK.

e. Close Internet Explorer.

17. Configure the e-mail account in the current Outlook profile to use RPC over HTTP. URL: mail.contoso.com; Use SSL only: Yes; Principal name: msstd:mail.contoso.com; On fast/slow networks, use HTTP first: Yes; Proxy authentication: Basic.

a. On the Start menu, click Control Panel, and then click Mail.

b. In the Mail Setup - Outlook dialog box, click E-mail Accounts.

c. In the E-mail Accounts dialog box, select View or change existing e-mail accounts, and then click Next.

d. Click Cancel to close the Connecting to Microsoft Exchange Server message box.

e. On the E-mail Accounts page, ensure that Contoso mail is selected, and then click Change.

f. On the Exchange Server Settings page, click More Settings.

g. In the Microsoft Exchange Server dialog box, on the Connection tab, enable Connect to my Exchange mailbox using HTTP, and then click Exchange Proxy Settings.

h. In the Exchange Proxy Settings dialog box, complete the following information:

Use this URL (https://): mail.contoso.com

Connect using SSL only: enable (is default)

Mutually authenticate the session: enable

Principal name for proxy server: msstd:mail.contoso.com

On fast networks, connect using HTTP first: enable

On slow networks, connect using HTTP first: enable (is default)

Proxy authentication settings: Basic Authentication and then click OK.

i. Click OK to close the Microsoft Exchange Server dialog box.

j. On the Exchange Server Settings page, click Next.

k. In the Connect to Denver.contoso.com dialog box, complete the following information:

User name: contoso\administrator

Password: password and then click OK.

l. On the E-mail accounts page, click Finish.

m. Click Close to close the Mail Setup - Outlook dialog box.

18. Start Outlook 2003, and then examine the network connections. Use: netstat -ano; Use: Connection Status.

a. Open a Command Prompt window.

b. At the command prompt, type netstat -ano | find "EST", and then press Enter.

c. On the Start menu, click All Programs, click Microsoft Office, and then click Microsoft Office Outlook 2003.

d. In the Connecting to Denver.contoso.com dialog box, complete the following information:

User name: contoso\administrator

Password: password and then click OK.

e. Switch to the Command Prompt window.


f. At the command prompt, type netstat -ano | find "EST", and then press Enter.

g. Close the Command Prompt window.

h. Press the Ctrl-key, and then click the Outlook icon in the system tray area.

i. In the context menu of the system tray Outlook icon, click Connection Status.

j. Click Close to close the Exchange Server Connection Status window.
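Both this step and step 5 of Exercise 3 ask you to compare netstat -ano output by eye. The PowerShell below is an added example written for this manual, not part of the lab, that parses that output and states which transport Outlook is using: an established session to the ISA external address on TCP 135 plus a dynamic port means the Publish mail Exchange RPC Server rule and the RPC Filter are carrying the traffic; a session on 443 only means RPC over HTTPS through the External Web 443 listener and the Publish mail (RPC over HTTPS) rule. The two netstat samples are constructed; 39.1.1.1 is the lab's ISA external address, while the client address 39.1.1.50, the dynamic port 1148 and PID 1844 are placeholders that stand in for whatever Istanbul actually shows.

```powershell
# Added example, not from the lab manual: classify Outlook's connections to ISA
# Server from "netstat -ano" output (Exercise 3 step 5 and Exercise 4 step 18).
# Sample lines are constructed; 39.1.1.50, port 1148 and PID 1844 are placeholders.

# Turn netstat TCP lines into objects; lines that do not match are ignored.
function ConvertFrom-Netstat {
    param([Parameter(Mandatory = $true)][string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$') {
            [pscustomobject]@{
                LocalAddress  = $Matches[1]; LocalPort  = [int]$Matches[2]
                RemoteAddress = $Matches[3]; RemotePort = [int]$Matches[4]
                State         = $Matches[5]; ProcessId  = [int]$Matches[6]
            }
        }
    }
}

# Decide which publishing rule a set of connections is exercising.
function Get-OutlookTransport {
    param(
        [Parameter(Mandatory = $true)][object[]]$Connections,
        [string]$IsaExternal = '39.1.1.1'
    )
    $ports = @($Connections |
        Where-Object { $_.State -eq 'ESTABLISHED' -and $_.RemoteAddress -eq $IsaExternal } |
        ForEach-Object { $_.RemotePort } | Sort-Object -Unique)
    if ($ports.Count -eq 0) {
        return "no established session to $IsaExternal"
    }
    $nonHttps = @($ports | Where-Object { $_ -ne 443 })
    if ($nonHttps.Count -gt 0) {
        return "RPC publishing (endpoint mapper/dynamic ports $($nonHttps -join ',')): Publish mail Exchange RPC Server rule and the RPC Filter are in use"
    }
    return 'RPC over HTTPS (TCP 443 only): Publish mail (RPC over HTTPS) rule through the External Web 443 listener'
}

$rpcSample = @(   # constructed: the shape step 5 of Exercise 3 shows
    '  TCP    39.1.1.50:1040         39.1.1.1:135           ESTABLISHED     1844',
    '  TCP    39.1.1.50:1041         39.1.1.1:1148          ESTABLISHED     1844'
)
$httpsSample = @( # constructed: the shape step 18 should show
    '  TCP    39.1.1.50:1055         39.1.1.1:443           ESTABLISHED     1844',
    '  TCP    39.1.1.50:1056         39.1.1.1:443           ESTABLISHED     1844'
)
"Exercise 3 step 5: " + (Get-OutlookTransport -Connections @(ConvertFrom-Netstat $rpcSample))
"Exercise 4 step 18: " + (Get-OutlookTransport -Connections @(ConvertFrom-Netstat $httpsSample))

# On Istanbul itself, feed live output and keep only Outlook's own connections:
# $live = ConvertFrom-Netstat (netstat -ano)
# $outlookPid = (Get-Process OUTLOOK -ErrorAction SilentlyContinue).Id
# Get-OutlookTransport -Connections @($live | Where-Object { $_.ProcessId -eq $outlookPid })
```

If step 18 still reports RPC publishing, the Outlook profile is falling back to direct RPC, which is why step 11 disables the Publish mail Exchange RPC Server rule before this exercise: with that rule off, anything other than a 443-only result means the RPC over HTTP path is not being used at all.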

19. Send an e-mail to Administrator to test the RPC over HTTP connection to ISA Server.

a. In Outlook, on the toolbar, click New.

b. In the new message window, complete the following information:

To: Administrator

Subject: Test mail through RPC over HTTP - 4

(Message): Publish Exchange using RPC over HTTP and then click Send.

c. In the Inbox, select the new message.

d. Close Outlook.

20. Use Internet Explorer to connect to https://mail.contoso.com/exchange.

a. Open Internet Explorer. In the Address box, type https://mail.contoso.com/exchange, and then press Enter.

b. In the Connect to mail.contoso.com dialog box, complete the following information:

User name: Administrator

Password: password

Remember my password: disable (is default) and then click OK.

c. Close Internet Explorer.

Perform the following steps on the Paris computer.

21. On the Paris computer, configure the External Web 443 Web listener to use HTML Form Authentication.

a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.

b. In the task pane, on the Toolbox tab, in the Network Objects section, expand Web Listeners, right-click External Web 443, and then click Properties.

c. In the External Web 443 Properties dialog box, on the Authentication tab, complete the following information:

Client Authentication Method: HTML Form Authentication and then click OK to close the External Web 443 Properties dialog box.

d. Click Apply to save the changes, and then click OK.

Perform the following steps on the Istanbul computer.

22. Use Internet Explorer to connect to https://mail.contoso.com/exchange again.

a. Open Internet Explorer. In the Address box, type https://mail.contoso.com/exchange, and then press Enter.

b. In the Office Outlook Web Access page, complete the following information:

Security: This is a private computer

Use Outlook Web Access Light: disable (is default)

Domain\user name: contoso\administrator

Password: password and then click Log On.

c. Close Internet Explorer.

23. Start Outlook 2003. a. On the Start menu, click All Programs, click Microsoft Office, and then click Microsoft Office Outlook 2003.

b. In the Connecting to Denver.contoso.com dialog box, complete the following information:


User name: contoso\administrator

Password: password and then click OK.

c. Switch to the Command Prompt window.

d. Press the Ctrl-key, and then click the Outlook icon in the system tray area.

e. In the context menu of the system tray Outlook icon, click Connection Status.

f. Click Close to close the Exchange Server Connection Status window.

g. Close Outlook.

h. Close the Internet Explorer Outlook Web Access window.

Module E: Enabling VPN Connections

Exercise 1: Configuring ISA Server to Accept Incoming VPN Connections

In this exercise, you will configure ISA Server to accept incoming VPN connections from client computers on the Internet.

Tasks Detailed steps

Perform the following steps on the Paris computer.

1. On the Paris computer, examine the status of the Routing and Remote Access service.

a. On the Paris computer, on the Start menu, click Administrative Tools, and then click Routing and Remote Access.

b. In the Routing and Remote Access console, select PARIS (local).

2. Use the ISA Server console to configure VPN address ranges. IP address range: 10.3.1.1 - 10.3.1.120.

a. On the Start menu, click All Programs, click Microsoft ISA Server, and then click, ISA Server Management.

b. In the ISA Server console, expand Paris, and then select Virtual Private Networks (VPN).

c. In the right pane, ensure that the VPN Clients tab is selected.

d. In the task pane, on the Tasks tab, click Define Address Assignments.

e. In the Virtual Private Networks (VPN) Properties dialog box, on the Address Assignment tab, select Static address pool, and then click Add.

f. In the Server IP Address Range Properties dialog box, complete the following information:

Start address: 10.3.1.1

End address: 10.3.1.120 and then click OK.

g. Click OK to close the Virtual Private Networks (VPN) Properties dialog box.

3. Enable and configure VPN client access. Maximum clients: 100; Protocols: PPTP only. (PPTP is used here because it needs no certificates; of the two client protocols ISA Server 2006 offers, L2TP/IPsec is the stronger and should be preferred where certificates can be deployed.)

a. On the Tasks tab, click Enable VPN Client Access.

b. On the Tasks tab, click Configure VPN Client Access.

c. In the VPN Client Properties dialog box, on the General tab, in the Maximum number of VPN clients allowed text box, leave the default value 100.

d. On the Protocols tab, ensure that only Enable PPTP is selected.

e. Click OK to close the VPN Clients Properties dialog box.

4. Examine the VPN connection settings. Access networks: External; Authentication: MS-CHAPv2.

a. In the left pane, right-click Virtual Private Networks (VPN), and then click Properties.

b. In the Virtual Private Networks (VPN) Properties dialog box, select the Access Networks tab.

c. Select the Authentication tab.

d. Click OK to close the Virtual Private Networks (VPN) Properties dialog box.

5. Examine the VPN access rule: System policy rule: Allow VPN client traffic to ISA Server (rule 13).

a. In the left pane, select Firewall Policy.

b. In the task pane, on the Tasks tab, click Show System Policy Rules.

c. In the right pane, select the Allow VPN client traffic to ISA Server system policy rule (rule 13).

d. In the task pane, on the Tasks tab, click Hide System Policy Rules.

6. Apply the VPN configuration.

a. In the ISA Server console, click Apply to apply the VPN configuration, and then click OK.

7. Examine the configuration of the Routing and Remote Access console.

a. In the Routing and Remote Access console, in the left pane, right-click PARIS (local), and then click Refresh.

b. Right-click PARIS (local), and then click Properties.

c. In the PARIS (local) Properties dialog box, select the IP tab.

d. Click Cancel to close the PARIS (local) Properties dialog box.

e. Expand PARIS (local), and then select Remote Access Policies.

f. In the right pane, right-click the ISA Server Default Policy remote access policy, and then click Properties.

g. Click Cancel to close the ISA Server Default Policy Properties

dialog box.

h. Close the Routing and Remote Access console.

8. Configure the user profile of the Administrator account so that it is allowed to dial in.

a. On the Start menu, click Administrative Tools, and then click Computer Management.

b. In the Computer Management console, in the left pane, expand Local Users and Groups, and then select Users.

c. In the right pane, right-click Administrator, and then click Properties.

d. In the Administrator Properties dialog box, on the Dial-in tab, select Allow access, and then click OK.

e. Close the Computer Management console.


Exercise 2: Configuring a Client Computer to Establish a VPN Connection

In this exercise, you will configure a client computer on the Internet to establish a VPN connection to the ISA Server computer.

Tasks Detailed steps

Perform the following steps on the Istanbul computer.

1. On the Istanbul computer, examine the current IP address configuration, and use the Ping command to test connectivity to the Internal network (10.1.1.5).

a. On the Istanbul computer, open a Command Prompt window.

b. At the command prompt, type ipconfig, and then press Enter.

c. Type ping 39.1.1.1, and then press Enter.

d. Type ping 10.1.1.5, and then press Enter.

e. Close the Command Prompt window.

2. Create a new connection in the Network Connections window. Type: VPN connection Name: VPN to Contoso VPN Server: 39.1.1.1

a. On the Start menu, click Control Panel, right-click Network Connections, and then click Open.

b. In the Network Connections window, right-click New Connection Wizard, and then click New Connection.

c. In the New Connection Wizard dialog box, click Next.

d. On the Network Connection Type page, select Connect to the network at my workplace, and then click Next.

e. On the Network Connection page, select Virtual Private Network connection, and then click Next.

f. On the Connection Name page, in the Company Name text box, type VPN to Contoso, and then click Next.

g. On the VPN Server Selection page, in the Host name or IP address text box, type 39.1.1.1, and then click Next.

h. On the Connection Availability page, select My use only, and then click Next.

i. On the Completing the New Connection Wizard page, click Finish.

3. Establish the VPN connection named VPN to Contoso. User name: Administrator Password: password

a. In the Connect VPN to Contoso dialog box, complete the following information:

User name: Administrator

Password: password and then click Connect.

4. Examine the current IP address configuration, and use the Ping command to test the connection to the Internal network (10.1.1.5), and the VPN tunnel end-point (10.3.1.1).

a. Open a Command Prompt window.

b. At the command prompt, type ipconfig, and then press Enter.

c. Type route print, and then press Enter.

d. Type ping 10.1.1.5, and then press Enter.

e. Type ping 10.3.1.1, and then press Enter.

Perform the following steps on the Paris computer.

5. On the Paris computer, use the Ping command to test the connection to the VPN client computer (10.3.1.2 or higher).

a. On the Paris computer, open a Command Prompt window.

b. At the command prompt, type ping 10.3.1.2 (or the higher 10.3.1.x IP address assigned to Istanbul), and then press Enter.

c. Close the Command Prompt window.

d. In the ISA Server console, select Firewall Policy.

e. In the task pane, on the Tasks tab, click Show System Policy Rules.

f. In the task pane, on the Tasks tab, click Hide System Policy Rules.

6. Create a new access rule. Name: Allow Ping from VPN clients Applies to: PING From network: VPN Clients To network: Local Host

a. In the right pane, select the first rule, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.

b. In the task pane, on the Tasks tab, click Create Access Rule.

c. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow Ping from VPN clients, and then click Next.

d. On the Rule Action page, select Allow, and then click Next.

e. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.

f. In the Add Protocols dialog box, click Common Protocols, click PING, and click Add, and then click Close to close the Add Protocols dialog box.

g. On the Protocols page, click Next.

h. On the Access Rule Sources page, click Add.

i. In the Add Network Entities dialog box, click Networks, click VPN Clients, and click Add, and then click Close to close the Add Network Entities dialog box.

j. On the Access Rule Sources page, click Next.

k. On the Access Rule Destinations page, click Add.

l. In the Add Network Entities dialog box, click Networks, click Local Host, and click Add, and then click Close to close the Add Network Entities dialog box.

m. On the Access Rule Destinations page, click Next.

n. On the User Sets page, click Next.

o. On the Completing the New Access Rule Wizard page, click Finish.

p. Click Apply to apply the new rule, and then click OK.

Perform the following steps on the Istanbul computer.

7. On the Istanbul computer, use the Ping command again to test connectivity to the VPN tunnel end-point at the ISA Server computer (10.3.1.1).

a. On the Istanbul computer, at the command prompt, type ping 10.3.1.1, and then press Enter.

b. Close the Command Prompt window.


Exercise 3: Allowing Internal Network Access for VPN Clients

In this exercise, you will configure ISA Server so that client computers on the Internet are allowed access to the Internal network by establishing a VPN connection.

Tasks Detailed steps

Perform the following steps on the Paris computer.

1. On the Paris computer, examine the network rule for connectivity between the VPN Clients network and the Internal network.

a. On the Paris computer, in the ISA Server console, in the left pane, expand Configuration, and then select Networks.

b. In the right pane, on the Network Rules tab, select the rule that defines the connectivity between the VPN Clients network and the Internal network.

2. Create a new access rule: Name: Allow access from VPN clients to Internal Applies to: PING, Microsoft CIFS (TCP) From network: VPN Clients To network: Internal

a. In the ISA Server console, in the left pane, select Firewall Policy.

b. In the right pane, select the first rule to indicate where the new rule is added to the rule list.

c. In the task pane, on the Tasks tab, click Create Access Rule.

d. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow access from VPN clients to Internal, and then click Next.

e. On the Rule Action page, select Allow, and then click Next.

f. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.

g. In the Add Protocols dialog box, click Common Protocols, click PING, and click Add; then click All Protocols, click Microsoft CIFS (TCP), and click Add; and then click Close to close the Add Protocols dialog box.

h. On the Protocols page, click Next.

i. On the Access Rule Sources page, click Add.

j. In the Add Network Entities dialog box, click Networks, click VPN Clients, and click Add, and then click Close to close the Add Network Entities dialog box.

k. On the Access Rule Sources page, click Next.

l. On the Access Rule Destinations page, click Add.

m. In the Add Network Entities dialog box, click Networks, click Internal, and click Add, and then click Close to close the Add Network Entities dialog box.

n. On the Access Rule Destinations page, click Next.

o. On the User Sets page, click Next.

p. On the Completing the New Access Rule Wizard page, click Finish.

q. Click Apply to apply the new rule, and then click OK.

Perform the following steps on the Istanbul computer.

3. On the Istanbul computer, reconnect the VPN to Contoso connection, if it was disconnected.

a. On the Istanbul computer, if the VPN to Contoso connection is disconnected, then in the Network Connections window, right-click VPN to Contoso, and then click Connect. In the Connect VPN to Contoso dialog box, complete the following information:

User name: Administrator

Password: password and then click Connect.

4. Use the Ping command to test connectivity to the Internal network (10.1.1.5), and use the Run dialog box to connect to \\10.1.1.5.

a. Open a Command Prompt window.

b. At the command prompt, type ping 10.1.1.5, and then press Enter.

c. Close the Command Prompt window.

d. On the Start menu, click Run.

e. In the Run dialog box, type \\10.1.1.5, and then click OK.

f. Close the \\10.1.1.5 window.

5. Disconnect the VPN to Contoso connection, and close the Network Connections window.

a. In the System tray, right-click the connection icon, and click Disconnect.

b. Close the Network Connections window.

Exercise 4: Configuring VPN Quarantine on ISA Server

In this exercise, you will configure ISA Server so that it can allow phased network access to VPN clients. Only client computers whose security configuration meets the security policy are allowed full access to the network.

Tasks Detailed steps

Perform the following steps on the Paris computer.

1. On the Paris computer, in the C:\Tools folder, examine the RQScript.vbs script file that is used to check the security configuration of the VPN client computer.

a. On the Paris computer, use Windows Explorer (or My Computer) to open the C:\Tools folder.

b. Right-click the RQScript.vbs file, and then click Edit (do not click Open).

c. Maximize the RQScript.vbs - Notepad window, if that is not done already.

d. Close Notepad.

e. Close the Tools folder.

2. Install the Remote Access Quarantine Agent service (RQS.exe).

a. On the Start menu, click Control Panel, and then click Add or Remove Programs.

b. In the Add or Remove Programs window, click Add/Remove Windows Components.

c. On the Windows Components page, select the Networking Services component (do NOT select the check box), and then click Details.

d. In the Networking Services dialog box, select the Remote Access Quarantine Service check box, and then click OK.

e. On the Windows Components page, click Next.

f. On the Completing the Windows Components Wizard page, click Finish.

g. Close the Add or Remove Programs window.

3. Configure the RQS.exe service: AllowedSet: RQVersion3 Authenticator: vpnplgin.dll

a. On the Start menu, click Run.

b. In the Run dialog box, type regedit.exe, and then click OK.

c. In the Registry Editor window, select the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rqs key.

d. In the right pane, right-click the AllowedSet value, and then click Modify.

e. In the Edit Multi-String dialog box, delete the current value, and then type RQVersion3, and click OK.

f. Right-click the rqs key, click New, and then click String Value.

g. In the New Value #1 text box, replace the text by typing Authenticator, and then press Enter.

h. Right-click the Authenticator value, and then click Modify.

i. In the Edit String dialog box, type C:\Program Files\Microsoft ISA Server\vpnplgin.dll, and then click OK.

j. Close the Registry Editor window.

k. On the Start menu, click Administrative Tools, and then click Services.

l. In the Services console, in the right pane, right-click Remote Access Quarantine Agent, and then click Properties.

m. Click Cancel to close the Remote Access Quarantine Agent Properties dialog box.

n. Close the Services console.

4. Create a new protocol definition: Name: RQS - Network Quarantine Direction: Outbound Port: TCP 7250

a. In the ISA Server console, in the left pane, select Firewall Policy.

b. In the task pane, on the Toolbox tab, in the Protocols section, on the New menu, click Protocol.

c. In the New Protocol Definition Wizard dialog box, in the Protocol definition name text box, type RQS - Network Quarantine, and then click Next.

d. On the Primary Connection Information page, click New.

e. In the New/Edit Protocol Connection dialog box, complete the following information:

Protocol type: TCP

Direction: Outbound

Port Range From: 7250

Port Range To: 7250 and then click OK.

f. On the Primary Connection Information page, click Next.

g. On the Secondary Connections page, select No, and then click Next.

h. On the Completing the New Protocol Definition Wizard page, click Finish.

5. Create a new access rule: Name: Allow RQS network quarantine notification Applies to: RQS - Network Quarantine From network: Quarantined VPN Clients To network: Local Host

a. In the right pane, select the first rule to indicate where the new rule is added to the rule list.

b. In the task pane, on the Tasks tab, click Create Access Rule.

c. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow RQS network quarantine notification, and then click Next.

d. On the Rule Action page, select Allow, and then click Next.

e. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.

f. In the Add Protocols dialog box, click User-Defined, click RQS - Network Quarantine, and click Add, and then click Close to close the Add Protocols dialog box.

g. On the Protocols page, click Next.

h. On the Access Rule Sources page, click Add.

i. In the Add Network Entities dialog box, click Networks, click Quarantined VPN Clients, and click Add, and then click Close to close the Add Network Entities dialog box.

j. On the Access Rule Sources page, click Next.

k. On the Access Rule Destinations page, click Add.

l. In the Add Network Entities dialog box, click Networks, click Local Host, and click Add, and then click Close to close the Add Network Entities dialog box.

m. On the Access Rule Destinations page, click Next.

n. On the User Sets page, click Next.

o. On the Completing the New Access Rule Wizard page, click Finish.

6. In the C:\Tools\ISA folder, examine the ConfigureRQSForISA.vbs script file.

a. Use Windows Explorer (or My Computer) to open the C:\Tools\ISA folder.

b. Right-click the ConfigureRQSForISA.vbs file, and then click Edit (do NOT click Open).

c. Maximize the ConfigureRQSForISA.vbs - Notepad window if that is not done already.

d. Close Notepad.

e. Close the Windows Explorer window.

7. Configure ISA Server to enable quarantine: Type: Use ISA Server Disconnect quarantine: 60 seconds

a. In the ISA Server console, in the left pane, select Networks.

b. In the right pane, on the Networks tab, right-click the Quarantined VPN Clients network, and then click Properties.

c. In the Quarantined VPN Clients Properties dialog box, on the Quarantine tab, select Enable Quarantine Control.

d. In the message box, click OK to acknowledge that enabling quarantine control requires configuration on both the ISA Server and VPN client computers.

e. On the Quarantine tab, complete the following information:

Enable Quarantine Control: enable (done in previous step)

Quarantine according to ISA Server policies: enable (is default)

Disconnect quarantine users after (seconds): 60 and then click OK.

f. Click Apply to save the changes, and then click OK.
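As an added check, not part of the lab manual, the following PowerShell script verifies on the Paris computer that the quarantine configuration from steps 2 and 3 is in place (the rqs registry values and the plug-in file), that the Remote Access Quarantine Agent service is installed, and whether the RQS listener on TCP 7250 that the protocol definition in step 4 describes is present. It assumes PowerShell 2.0 or later is installed on the ISA Server computer; the expected values are the ones the exercise specifies.

```powershell
# Added verification script, not part of the lab manual. Run on the Paris (ISA Server)
# computer after Exercise 4. Expected values are the ones the exercise specifies;
# the script only reads configuration and changes nothing.
$rqsKey       = 'HKLM:\SYSTEM\CurrentControlSet\Services\rqs'
$expectedSet  = 'RQVersion3'
$expectedAuth = 'C:\Program Files\Microsoft ISA Server\vpnplgin.dll'
$rqsPort      = 7250

$checks = @()
function Add-Check([string]$Name, [bool]$Passed, [string]$Detail) {
    $script:checks += New-Object PSObject -Property @{ Check = $Name; Passed = $Passed; Detail = $Detail }
}

if (Test-Path $rqsKey) {
    $props = Get-ItemProperty -Path $rqsKey

    # AllowedSet is REG_MULTI_SZ: each entry is a version string a client's post-connect
    # script may report through rqc.exe. The exercise allows only RQVersion3; any other
    # entry would let a client with a different script version leave quarantine.
    $allowed = @($props.AllowedSet)
    Add-Check 'AllowedSet contains RQVersion3' ($allowed -contains $expectedSet) ('AllowedSet = ' + ($allowed -join ', '))
    $extra = @($allowed | Where-Object { $_ -ne $expectedSet })
    Add-Check 'AllowedSet has no other entries' ($extra.Count -eq 0) ('other = ' + ($extra -join ', '))

    # Authenticator makes RQS hand the release decision to the ISA Server plug-in, which
    # moves the client from the Quarantined VPN Clients network to the VPN Clients network.
    $auth = [string]$props.Authenticator
    Add-Check 'Authenticator is vpnplgin.dll' ($auth -eq $expectedAuth) ('Authenticator = ' + $auth)
    Add-Check 'Authenticator file exists' (($auth -ne '') -and (Test-Path -LiteralPath $auth)) $auth
} else {
    Add-Check 'rqs registry key exists' $false $rqsKey
}

# The service is installed in step 2 of this exercise and started later, in Exercise 6 step 6,
# so "not running" is expected until then.
$svc = Get-Service -Name rqs -ErrorAction SilentlyContinue
$svcState = if ($svc) { [string]$svc.Status } else { 'not installed' }
Add-Check 'Remote Access Quarantine Agent service installed' ($svc -ne $null) $svcState
Add-Check 'Remote Access Quarantine Agent service running' ($svcState -eq 'Running') $svcState

# RQS listens on TCP 7250; netstat output is parsed so the check also works on Windows Server 2003.
$pattern  = '^\s*TCP\s+\S+:' + $rqsPort + '\s+\S+\s+LISTENING'
$listener = @(netstat -an | Where-Object { $_ -match $pattern })
$listenerDetail = if ($listener.Count -gt 0) { $listener[0].Trim() } else { 'no listener' }
Add-Check ('TCP ' + $rqsPort + ' listening') ($listener.Count -gt 0) $listenerDetail

$checks | Select-Object Check, Passed, Detail | Format-Table -AutoSize
```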


Exercise 5: Creating and Distributing a Connection Manager Profile

In this exercise, you will create and distribute a Connection Manager profile for use with network access quarantine. The profile is made available through an extranet distribution point.

Tasks Detailed steps

Perform the following steps on the Paris computer.

1. On the Paris computer, install the Connection Manager Administration Kit (CMAK).

a. On the Paris computer, on the Start menu, click Control Panel, and then click Add or Remove Programs.

b. In the Add or Remove Programs window, click Add/Remove Windows Components.

c. On the Windows Components page, select the Management and Monitoring Tools component (do NOT clear or select the check box), and then click Details.

d. In the Management and Monitoring Tools dialog box, select the Connection Manager Administration Kit check box, and then click OK.

e. On the Windows Components page, click Next.

f. On the Completing the Windows Components Wizard page, click Finish.

g. Close the Add or Remove Programs window.

2. Use CMAK to create a new Connection Manager profile.
- Service name: VPN to Contoso (CM)
- File name: VPN_RQ
- VPN server: 39.1.1.1
- Custom post-connect action: C:\Tools\RQScript.vbs %TunnelRasEntry% %Domain% %UserName%
- Additional files: C:\Program Files\cmak\support\rqc.exe

a. On the Start menu, click Administrative Tools, and then click Connection Manager Administration Kit.

b. On the Welcome to the Connection Manager Administration Kit Wizard page, click Next.

c. On the Service Profile Selection page, select New profile, and then click Next.

d. On the Service and File Names page, complete the following information:

Service name: VPN to Contoso (CM)

File name: VPN_RQ and then click Next.

e. On the Realm Name page, select Do not add a realm name to the user name, and then click Next.

f. On the Merging Profile Information page, click Next.

g. On the VPN Support page, complete the following information:

Phone book from this profile: enable

Always use the same VPN server: 39.1.1.1 and then click Next.

h. On the VPN Entries page, select VPN to Contoso (CM) Tunnel, and then click Next.

i. On the Phone Book page, CLEAR the Automatically download phone book updates check box, and then click Next.

j. On the Dial-up Networking Entries page, select VPN to Contoso (CM), and then click Next.

k. On the Routing Table Update page, select Do not change the routing tables, and then click Next.

l. On the Automatic Proxy Configuration page, select Do not configure proxy settings, and then click Next.

m. On the Custom Actions page, click New.

n. In the New Custom Action dialog box, complete the following information:


Description: Quarantine policy checking

Program to run: c:\tools\RQScript.vbs

Parameters: %TunnelRasEntry% %Domain% %UserName%

Action type: Post-connect

Run this custom action for: All connections (is default)

Include the custom action program: enable

Program interacts with the user: enable (is default) and then click OK.

o. On the Custom Actions page, click Next.

p. On the Logon Bitmap page, select Default graphic, and then click Next.

q. On the Phone Book Bitmap page, select Default graphic, and then click Next.

r. On the Icons page, select Default icons, and then click Next.

s. On the Notification Area Shortcut Menu page, click Next.

t. On the Help File page, select Default Help file, and then click Next.

u. On the Support Information page, click Next.

v. On the Connection Manager Software page, select Install Connection Manager 1.3, and then click Next.

w. On the License Agreement page, click Next.

x. On the Additional Files page, click Add.

y. In the Browse dialog box, in the C:\Program Files\cmak\support folder, select the rqc.exe file, and then click Open.

z. On the Additional Files page, click Next.

aa. On the Ready to Build the Service Profile page, do NOT select Advanced customization, and then click Next.

bb. On the Completing the Connection Manager Administration Kit Wizard page, click Finish.

3. Create a new folder C:\Inetpub\Extranet. Copy VPN_RQ.exe to the Extranet folder.

a. Use Windows Explorer (or My Computer) to open the C:\Program Files\cmak\Profiles\VPN_RQ folder.

b. Right-click the VPN_RQ.exe file, and then click Copy.

c. In the Windows Explorer window, open the C:\Inetpub folder.

d. Right-click in the empty area of the Inetpub folder, click New, and then click Folder.

e. In the New Folder text box, replace the text by typing Extranet, and then press Enter.

f. Open the Extranet folder.

g. In the empty area of the Extranet folder, click Paste.

h. Close the Extranet folder.

4. Configure the default Web site to use port 81, and then start the Web site. (If this is not done already).

a. On the Start menu, click Administrative Tools, and then click Internet Information Services (IIS) Manager.

b. In the IIS Manager console, expand PARIS (local computer), expand Web Sites, right-click Default Web Site, and then click Properties.

c. In the Default Web Site Properties dialog box, on the Web Site tab, ensure that the TCP port text box is set to 81, and then click OK.

d. If the Default Web Site is not started, then right-click Default Web Site (Stopped), and then click Start.

5. Create a new virtual directory for the default Web site: Alias: extranet Path: C:\Inetpub\Extranet Permissions: Read and Browse.

a. In the IIS Manager console, in the left pane, expand Default Web Site.

b. Right-click Default Web Site, click New, and then click Virtual Directory.

c. In the Virtual Directory Creation Wizard dialog box, click Next.

d. On the Virtual Directory Alias page, in the Alias text box, type extranet, and then click Next.

e. On the Web Site Content Directory page, in the Path text box, type C:\Inetpub\Extranet, and then click Next.

f. On the Virtual Directory Access Permissions page, complete the following information:

Read: enable (is default)

Run scripts: disable (is default)

Execute: disable (is default)

Write: disable (is default)

Browse: ENABLE and then click Next.

g. On the Completing the Virtual Directory Creation Wizard page, click Finish.

h. Close the IIS Manager console.

6. Create a new Web listener. Name: External Web 80 SSL: disable Network: External Compression: disable Authentication: none (If this is not done already)

a. In the ISA Server console, in the left pane, select Firewall Policy.

b. In the task pane, on the Toolbox tab, in the Network Objects section, expand Web Listeners (if possible).

c. If a Web listener named External Web 80 does not exist, then right-click Web Listeners, and then click New Web Listener.

d. In the New Web Listener Definition Wizard dialog box, in the Web listener name text box, type External Web 80, and then click Next.

e. On the Client Connection Security page, select Do not require SSL secured connections with clients, and then click Next.

f. On the Web Listener IP Addresses page, complete the following information:

Listen on network: External

ISA Server will compress content: disable and then click Next.

g. On the Authentication Settings page, in the drop-down list box, select No Authentication, and then click Next.

h. On the Single Sign On Settings page, click Next.

i. On the Completing the New Web Listener Wizard page, click Finish.

7. Create a Web publishing rule. Name: Extranet Web Site Publishing type: single Web site Internal site name: Paris IP address: 10.1.1.1 Path: /extranet Port: 81 Public name: www.contoso.com/extranet Web listener: External Web 80 Delegation: none

a. In the left pane, select Firewall Policy.

b. In the right pane, select the first rule to indicate where the new rule is added to the rule list.

c. In the task pane, on the Tasks tab, click Publish Web Sites.

d. In the New Web Publishing Rule Wizard dialog box, in the Web publishing rule name text box, type Extranet Web Site, and then click Next.

e. On the Select Rule Action page, select Allow, and then click Next.

f. On the Publishing Type page, select Publish a single Web site, and then click Next.

g. On the Server Connection Security page, select Use non-secured connections to connect to the published Web server, and then click Next.

h. On the Internal Publishing Details page, complete the following information:

Internal site name: Paris

Use a computer name or IP address: enable

Computer name or IP address: 10.1.1.1 and then click Next.

i. On the next Internal Publishing Details page, complete the following information:

Path: extranet/*

Forward the original host header: enable and then click Next.

j. On the Public Name Details page, complete the following information:

Accept requests for: This domain name (type below):

Public name: www.contoso.com

Path: /extranet/* and then click Next.

k. On the Select Web Listener page, in the Web listener drop-down list box, select External Web 80, and then click Next.

l. On the Authentication Delegation page, select No delegation, and client cannot authenticate directly, and then click Next.

m. On the User Sets page, click Next.

n. On the Completing the New Web Publishing Rule Wizard page, click Finish.

o. In the right pane, select the Extranet Web Site Web publishing rule, and then in the task pane, on the Tasks tab, click Edit Selected Rule.

p. In the Extranet Web Site Properties dialog box, on the Bridging tab, in the Redirect requests to HTTP port text box, type 81.

q. Click OK to close the Products Web Site (on Paris) Properties dialog box.

r. Click Apply to apply the new rule, and then click OK.

Perform the following steps on the Istanbul computer.

8. On the Istanbul computer, connect to http://www.contoso.com/extranet and install the VPN_RQ.exe Connection Manager profile.

a. On the Istanbul computer, open Internet Explorer. In the Address box, type http://www.contoso.com/extranet, and then press Enter.

b. In the extranet folder, right-click VPN_RQ.exe, and then click Open.

c. In the File Download - Security Warning message box, click Run.

d. In the Internet Explorer - Security Warning message box, click Run to confirm that you want to run this software (without a valid signature to verify the publisher).

e. In the VPN to Contoso (CM) message box, click Yes to confirm that you want to install the Connection Manager profile.

f. In the next VPN to Contoso (CM) dialog box, select My use only, and then click OK.

g. Click Cancel to close the VPN to Contoso (CM) connection dialog box.

h. Close the Network Connections window.

i. Close Internet Explorer.


Exercise 6: Using VPN Quarantine on the Client Computer

In this exercise, you will use the network access quarantine by creating a VPN connection from the VPN client to the ISA Server.

Tasks Detailed steps

Perform the following steps on the Istanbul computer.

1. On the Istanbul computer, use the VPN to Contoso (CM) connection, to establish a VPN connection to the ISA Server. User name: Administrator Password: password Domain: (empty)

a. On the Istanbul computer, on the Start menu, click Control Panel, right-click Network Connections, and then click Open.

b. In the Network Connections window, under Connection Manager, right-click VPN to Contoso (CM), and then click Connect.

c. In the VPN to Contoso (CM) connection dialog box, complete the following information:

User name: Administrator

Password: password

Logon domain: (leave empty)

Save password: ENABLE

Connect automatically: disable (is default) and then click Connect.

d. Click OK to close the Remote Access Quarantine message box.

e. Open a Command Prompt window.

f. At the command prompt, type ipconfig, and then press Enter.

g. At the command prompt, type ping 10.3.1.1, and then press Enter.

Perform the following steps on the Paris computer.

2. On the Paris computer, create a new access rule. Name: Allow Ping from Quarantined VPN clients Applies to: PING From network: Quarantined VPN Clients To network: Local Host

a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.

b. In the right pane, select the first rule to indicate where the new rule is added to the rule list.

c. In the task pane, on the Tasks tab, click Create Access Rule.

d. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow Ping from Quarantined VPN clients, and then click Next.

e. On the Rule Action page, select Allow, and then click Next.

f. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.

g. In the Add Protocols dialog box, click Common Protocols, click PING, and click Add, and then click Close to close the Add Protocols dialog box.

h. On the Protocols page, click Next.

i. On the Access Rule Sources page, click Add.

j. In the Add Network Entities dialog box, click Networks, click Quarantined VPN Clients, and click Add, and then click Close to close the Add Network Entities dialog box.

k. On the Access Rule Sources page, click Next.

l. On the Access Rule Destinations page, click Add.


m. In the Add Network Entities dialog box, click Networks, click Local Host, and click Add, and then click Close to close the Add Network Entities dialog box.

n. On the Access Rule Destinations page, click Next.

o. On the User Sets page, click Next.

p. On the Completing the New Access Rule Wizard page, click Finish.

q. Click Apply to apply the new rule, and then click OK.

Perform the following steps on the Istanbul computer.

3. On the Istanbul computer, use the Ping command to test the connection to the VPN tunnel end-point (10.3.1.1) and the Internal network (10.1.1.5).

a. On the Istanbul computer, in the Reconnect message box, click Yes.

b. In the VPN to Contoso (CM) connection dialog box, ensure that the User name and Password information is still present, and then click Connect.

c. Click OK to close the Remote Access Quarantine message box.

d. At the command prompt, type ping 10.3.1.1, and then press Enter.

e. At the command prompt, type ping 10.1.1.5, and then press Enter.

f. If the Reconnect message box appears, click No to close the message box.

4. Enable Windows Firewall.

a. On the Start menu, click Control Panel, and then click Windows Firewall.

b. In the Windows Firewall message box, click Yes to confirm that you want to start the Windows Firewall/ICS service.

c. After the Windows Firewall/ICS service has started, in the Windows Firewall dialog box, on the General tab, select On, and then click OK.

5. Use the VPN to Contoso (CM) connection, to establish a VPN connection to the ISA Server again.

a. In the Network Connections window, under Connection Manager, right-click VPN to Contoso (CM), and then click Connect.

b. In the VPN to Contoso (CM) connection dialog box, ensure that the User name and Password information is still present, and then click Connect.

c. Click OK to close the Remote Access Quarantine message box.

Perform the following steps on the Paris computer.

6. On the Paris computer, start the Remote Access Quarantine Agent (RQS.exe) service.

a. On the Paris computer, on the Start menu, click Administrative Tools, and then click Services.

b. In the Services console, in the right pane, right-click Remote Access Quarantine Agent, and then click Start.

c. Close the Services console.

Perform the following steps on the Istanbul computer.

7. On the Istanbul computer, use the VPN to Contoso (CM) connection, to establish a VPN connection to the ISA Server again. Test the connection: - Ping 10.1.1.5 - Run \\10.1.1.5 Disconnect the VPN connection again.

a. On the Istanbul computer, in the Reconnect message box, click Yes.

b. In the VPN to Contoso (CM) connection dialog box, ensure that the User name and Password information is still present, and then click Connect.

c. Click OK to close the Remote Access Quarantine message box.

d. At the command prompt, type ping 10.1.1.5, and then press Enter.

e. Close the Command Prompt window.

f. On the Start menu, click Run.

g. In the Run dialog box, type \\10.1.1.5, and then click OK.

h. Close the \\10.1.1.5 window.

i. Right-click the connection icon in the system tray area, and then click Disconnect.

8. Use the VPN to Contoso connection (not the Connection Manager), to establish a VPN connection to the ISA Server. Disconnect the VPN connection again.

a. In the Network Connections window, under Virtual Private Network (not under Connection Manager), right-click VPN to Contoso, and then click Connect.

b. In the Connect VPN to Contoso dialog box, complete the following information:

User name: Administrator

Password: password and then click Connect.

c. Wait (60 seconds) until the Reconnect VPN to Contoso dialog box appears, and then click Cancel, or right-click the connection icon in the system tray area, and then click Disconnect.

9. Disable Windows Firewall.

a. On the Start menu, click Control Panel, and then click Windows Firewall.

b. In the Windows Firewall dialog box, on the General tab, select Off, and then click OK.

c. Close the Network Connections window.

Perform the following steps on the Paris computer.

10. On the Paris computer, disable VPN client access.

a. On the Paris computer, in the ISA Server console, in the left pane, select Virtual Private Networks (VPN).

b. In the task pane, on the Tasks tab, click Disable VPN Client Access.

c. Click Apply to save the changes, and then click OK.


Module F: ISA Server 2006 as Branch Office Gateway

Exercise 1: Configuring HTTP Compression to Reduce Bandwidth Usage

In this exercise, you will configure ISA Server to compress HTTP content when responding to requests from client computers, and to request compressed HTTP content when connecting to other servers.

Tasks Detailed steps

Perform the following steps on the Istanbul computer.

1. On the Istanbul computer, examine the uncompressed file size of content.htm in the Default Web Site.

a. On the Istanbul computer, on the Start menu, click Administrative Tools, and then click Internet Information Services (IIS) Manager.

b. In the IIS Manager console, expand ISTANBUL (local computer), expand Web Sites, and then select Default Web Site.

c. Right-click Default Web Site, and then click Open.

d. Close the c:\inetpub\wwwroot window.

e. Close the IIS Manager console.

2. Open the C:\Tools\Perfmon-sent.msc console.

a. Use Windows Explorer (or My Computer) to open the C:\Tools folder.

b. In the Tools folder, right-click Perfmon-sent.msc, and then click Open.

c. Close the C:\Tools folder.

Perform the following steps on the Paris computer.

3. On the Paris computer, create a new access rule.
Name: Allow Web access (Branch)
Applies to: HTTP
From network: Internal
To network: External

a. On the Paris computer, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.

b. In the left pane, expand Paris, and then select Firewall Policy.

c. In the right pane, select the first rule, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.

d. In the task pane, on the Tasks tab, click Create Access Rule.

e. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow Web access (Branch), and then click Next.

f. On the Rule Action page, select Allow, and then click Next.

g. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.

h. In the Add Protocols dialog box, click Common Protocols, click HTTP, click Add, and then click Close to close the Add Protocols dialog box.

i. On the Protocols page, click Next.

j. On the Access Rule Sources page, click Add.

k. In the Add Network Entities dialog box, click Networks, click Internal, click Add, and then click Close to close the Add Network Entities dialog box.

l. On the Access Rule Sources page, click Next.

m. On the Access Rule Destinations page, click Add.

n. In the Add Network Entities dialog box, click Networks, click External, click Add, and then click Close to close the Add Network Entities dialog box.

o. On the Access Rule Destinations page, click Next.

p. On the User Sets page, click Next.

q. On the Completing the New Access Rule Wizard page, click Finish.

4. Apply the changes.

a. Click Apply to apply the new rule, and then click OK.

Perform the following steps on the Denver computer.

5. On the Denver computer, open the C:\Tools\Perfmon-received.msc console.

a. On the Denver computer, use Windows Explorer (or My Computer) to open the C:\Tools folder.

b. In the Tools folder, right-click Perfmon-received.msc, and then click Open.

c. Close the C:\Tools folder.

6. Use Internet Explorer to connect to http://istanbul.fabrikam.com/content.htm

a. Open Internet Explorer. In the Address box, type http://istanbul.fabrikam.com/content.htm, and then press Enter.

7. Examine the peak bytes received per second in the Performance console.

a. Switch to the Performance - Bytes Received console.

Perform the following steps on the Istanbul computer.

8. On the Istanbul computer, examine the peak bytes sent per second in the Performance console.

a. On the Istanbul computer, switch to the Performance - Bytes Sent console.

Perform the following steps on the Paris computer.

9. On the Paris computer, examine the two Web filters for HTTP compression.

a. On the Paris computer, in the ISA Server console, under Paris, expand Configuration, and then select Add-ins.

b. In the right pane, select the Web Filters tab.

10. Configure HTTP Compression.
Return Compressed Data: Internal
Content types:
- Documents
- HTML Documents
- Macro Documents
- Text

a. In the left pane, under Configuration, select General.

b. In the right pane, click Define HTTP Compression Preferences.

c. In the HTTP Compression dialog box, on the Return Compressed Data tab, click the top Add button.

d. In the Add Network Entities dialog box, click Networks, click Internal, click Add, and then click Close to close the Add Network Entities dialog box.

e. On the Return Compressed Data tab, click Content Types.

f. In the Content Types dialog box, complete the following information:

Compress the selected content types only: enable (is default)

Documents: enable

HTML Documents: enable (is default)

Macro Documents: enable

Text: enable (is default)

All other check boxes: disable, and then click OK to close the Content Types dialog box.

g. Click OK to close the HTTP Compression dialog box.

h. Click Apply to apply the changes, and then click OK.

Perform the following steps on the Denver computer.

11. On the Denver computer, configure Internet Explorer to use HTTP 1.1 when connecting through a proxy server.

a. On the Denver computer, in Internet Explorer, on the Tools menu, click Internet Options.

b. In the Internet Options dialog box, on the Connections tab, click LAN Settings.

c. Click Cancel to close the Local Area Network (LAN) Settings dialog box.

d. On the Advanced tab, in the Settings list box, scroll to the HTTP 1.1 settings section.

e. Enable the Use HTTP 1.1 through proxy connections check box, and then click OK.

12. Refresh the content of the Web page at http://istanbul.fabrikam.com/content.htm, by pressing Ctrl-F5 or Ctrl-Refresh.

a. In Internet Explorer, ensure that the http://istanbul.fabrikam.com/content.htm Web page is opened.

b. Hold the Ctrl-key, and then click the Refresh button on the toolbar, to refresh the content of the Web page.

13. Examine the peak bytes received per second in the Performance console.

a. Switch to the Performance - Bytes Received console.

Perform the following steps on the Istanbul computer.

14. On the Istanbul computer, examine the peak bytes sent per second in the Performance console.

a. On the Istanbul computer, switch to the Performance - Bytes Sent console.

15. Configure IIS to enable HTTP compression.
Application files: yes
Static files: yes

a. On the Start menu, click Administrative Tools, and then click Internet Information Services (IIS) Manager.

b. In the IIS Manager console, expand ISTANBUL (local computer), right-click Web Sites, and then click Properties.

c. In the Web Sites Properties dialog box, on the Service tab, complete the following information:

Compress application files: enable

Compress static files: enable and then click OK.

16. Restart IIS.

a. In the IIS Manager console, in the left pane, right-click ISTANBUL (local computer), click All Tasks, and then click Restart IIS.

b. In the Stop/Start/Restart dialog box, in the drop-down list box, select Restart Internet Services on ISTANBUL, and then click OK.

c. Close the IIS Manager console.

17. Examine the IIS Temporary Compressed Files folder.

a. Use Windows Explorer (or My Computer) to open the C:\Windows\IIS Temporary Compressed Files folder.

b. Do not close the IIS Temporary Compressed Files folder.

Perform the following steps on the Paris computer.

18. On the Paris computer, configure HTTP Compression.
Request Compressed Data: External

a. On the Paris computer, in the ISA Server console, in the left pane, select General.

b. In the right pane, click Define HTTP Compression Preferences.

c. In the HTTP Compression dialog box, on the Request Compressed Data tab, click the top Add button.

d. In the Add Network Entities dialog box, click Networks, click External, click Add, and then click Close to close the Add Network Entities dialog box.

e. Click OK to close the HTTP Compression dialog box.

f. Click Apply to apply the changes, and then click OK.

Perform the following steps on the Denver computer.

19. On the Denver computer, refresh the content of the Web page at http://istanbul.fabrikam.com/content.htm, by pressing Ctrl-F5 or Ctrl-Refresh twice.

a. On the Denver computer, in Internet Explorer, ensure that the http://istanbul.fabrikam.com/content.htm Web page is opened.

b. Hold the Ctrl-key, and then click the Refresh button on the toolbar, to refresh the content of the Web page.

c. Wait five seconds, and then hold the Ctrl-key, and click the Refresh button on the toolbar again.

20. Examine the peak bytes received per second in the Performance console.

a. Switch to the Performance - Bytes Received console.

Perform the following steps on the Istanbul computer.

21. On the Istanbul computer, examine the peak bytes sent per second in the Performance console.

a. On the Istanbul computer, switch to the Performance - Bytes Sent console.

b. Close the Performance - Bytes Sent console.

22. Examine the IIS Temporary Compressed Files folder.

a. Switch to the IIS Temporary Compressed Files folder.

b. Close the IIS Temporary Compressed Files folder.

23. Configure IIS to disable HTTP compression.
Application files: no
Static files: no

a. On the Start menu, click Administrative Tools, and then click Internet Information Services (IIS) Manager.

b. In the IIS Manager console, expand ISTANBUL (local computer), right-click Web Sites, and then click Properties.

c. In the Web Sites Properties dialog box, on the Service tab, complete the following information:

Compress application files: disable

Compress static files: disable and then click OK.

24. Restart IIS.

a. In the IIS Manager console, in the left pane, right-click ISTANBUL (local computer), click All Tasks, and then click Restart IIS.

b. In the Stop/Start/Restart dialog box, in the drop-down list box, select Restart Internet Services on ISTANBUL, and then click OK.


c. Close the IIS Manager console.

Perform the following steps on the Paris computer.

25. On the Paris computer, disable HTTP Compression.

a. On the Paris computer, in the ISA Server console, in the left pane, select General.

b. In the right pane, click Define HTTP Compression Preferences.

c. In the HTTP Compression dialog box, on the Return Compressed Data tab, select Internal, and then click Remove.

d. On the Request Compressed Data tab, select External, and then click Remove.

e. Click OK to close the HTTP Compression dialog box.

f. Click Apply to apply the changes, and then click OK.

Perform the following steps on the Denver computer.

26. Close the Performance console and close Internet Explorer.

a. Close the Performance - Bytes Received console.

b. Close Internet Explorer.
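The compression decisions this exercise configures, as an added example (not part of the lab manual and not ISA Server code): it models Return Compressed Data for the Internal network, Request Compressed Data for the External network, the selected content types, and the HTTP/1.1 requirement that step 11 (Use HTTP 1.1 through proxy connections) satisfies. The mapping of the lab's content-type groups to MIME types is an assumption.

```python
import gzip

# Lab settings from steps 10 and 18.
RETURN_COMPRESSED_TO = {"Internal"}     # networks that may receive compressed data
REQUEST_COMPRESSED_FROM = {"External"}  # networks ISA asks for compressed data

# Content-type groups selected in step 10f (Documents, HTML Documents, Macro
# Documents, Text). The MIME types listed per group are an assumption.
COMPRESSIBLE_TYPES = {
    "text/html", "text/plain", "text/css",      # HTML Documents, Text
    "application/msword", "application/pdf",    # Documents
    "application/vnd.ms-excel",                 # Macro Documents
}


def client_accepts_gzip(request_headers, http_version):
    """Compression needs an HTTP/1.1 client that sends Accept-Encoding: gzip.

    Internet Explorer talks HTTP/1.0 to a proxy unless 'Use HTTP 1.1 through
    proxy connections' is enabled, which is why step 11 is needed before
    step 12 shows a smaller transfer.
    """
    if http_version != "HTTP/1.1":
        return False
    accept = request_headers.get("Accept-Encoding", "")
    return "gzip" in [token.strip().lower() for token in accept.split(",")]


def should_return_compressed(client_network, http_version, request_headers, content_type):
    """Return Compressed Data tab: network, client capability and content type must all pass."""
    if client_network not in RETURN_COMPRESSED_TO:
        return False
    if not client_accepts_gzip(request_headers, http_version):
        return False
    mime = content_type.split(";")[0].strip().lower()
    return mime in COMPRESSIBLE_TYPES


def upstream_request_headers(server_network, headers):
    """Request Compressed Data tab: ask for gzip only from servers on a selected network."""
    out = dict(headers)
    if server_network in REQUEST_COMPRESSED_FROM:
        out["Accept-Encoding"] = "gzip"
    else:
        out.pop("Accept-Encoding", None)
    return out


def build_response(client_network, http_version, request_headers, content_type, body):
    """Return (headers, body) as sent to the client; body is gzip-compressed when allowed."""
    headers = {"Content-Type": content_type}
    if should_return_compressed(client_network, http_version, request_headers, content_type):
        body = gzip.compress(body)
        headers["Content-Encoding"] = "gzip"
        headers["Vary"] = "Accept-Encoding"
    headers["Content-Length"] = str(len(body))
    return headers, body


if __name__ == "__main__":
    # Constructed sample page; the lab's content.htm is not reproduced here.
    page = b"<html><body>" + b"<p>branch office content</p>" * 200 + b"</body></html>"
    for version in ("HTTP/1.0", "HTTP/1.1"):
        hdrs, out = build_response("Internal", version,
                                   {"Accept-Encoding": "gzip, deflate"}, "text/html", page)
        print(version, hdrs.get("Content-Encoding", "identity"), len(page), "->", len(out))
```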

Exercise 2: Configuring ISA Server to Cache BITS Content

In this exercise, you will configure ISA Server to cache Background Intelligent Transfer Service (BITS) content, and request ranges from cached files.

Tasks Detailed steps

Perform the following steps on the Paris computer.

1. On the Paris computer, define a cache drive.
Cache size: 10 MB

a. On the Paris computer, in the ISA Server console, under Configuration, select Cache.

b. In the right pane, select the Cache Drives tab.

c. In the task pane, on the Tasks tab, click Define Cache Drives (Enable Caching).

d. In the Define Cache Drives dialog box, in the Maximum cache size (MB) text box, type 10, and then click Set.

e. Click OK to close the Define Cache Drives dialog box.

2. Apply the changes and restart the Firewall service.

a. Click Apply to apply the changes.

b. In the ISA Server Warning dialog box, CHANGE the current selection, and select Save the changes and restart the services, and then click OK.

c. Click OK to close the Saving Configuration Changes dialog box.

3. Open a Command Prompt window to verify the existence of the disk cache file.
File: c:\urlcache\Dir1.cdat

a. Open a Command Prompt window.

b. At the command prompt, type cd \urlcache, and then press Enter.

c. Type dir, and then press Enter.

4. Examine the BITS caching setting for the Default rule.

a. In the ISA Server console, in the left pane, select Cache.

b. In the right pane, select the Cache Rules tab.

c. Right-click Default rule, and then click Properties.

d. In the Default rule Properties dialog box, select the Advanced tab.

e. Click Cancel to close the Default rule Properties dialog box.

5. Examine the BITS caching setting for the Microsoft Update Cache Rule.

a. In the right pane, right-click Microsoft Update Cache Rule, and then click Properties.

b. In the Microsoft Update Cache Rule Properties dialog box, select the Advanced tab.

c. On the To tab, select Microsoft Update Domain Name Set, and then click Edit.

d. Click Cancel to close the Microsoft Update Domain Name Set Properties dialog box.

e. Click Cancel to close the Microsoft Update Cache Rule Properties dialog box.

6. Add istanbul.fabrikam.com to Microsoft Update Domain Name Set.

a. Right-click Microsoft Update Cache Rule, and then click Properties.

b. On the To tab, select Microsoft Update Domain Name Set, and then click Edit.

c. In the Microsoft Update Domain Name Set Properties dialog box, click Add.

d. Replace the New Domain text by typing istanbul.fabrikam.com, and then press Enter.

e. Click OK to close the Microsoft Update Domain Name Set Properties dialog box.

f. Click OK to close the Microsoft Update Cache Rule Properties dialog box.

7. Apply the changes.

a. Click Apply to apply the changes, and then click OK.

8. Verify the existence of the Allow Web access (Branch) firewall rule.

a. In the left pane, select Firewall Policy.

Perform the following steps on the Denver computer.

9. On the Denver computer, examine the BITS service.

a. On the Denver computer, on the Start menu, click Administrative Tools, and then click Services.

b. In the Services console, in the right pane, select Background Intelligent Transfer Service.

c. Close the Services console.

10. Examine the bitsclient.cmd and bitsadmin.exe tools.

Folder: C:\Tools

a. Open a Command Prompt window.

b. At the command prompt, type cd \tools, and then press Enter.

c. Type dir, and then press Enter.

11. Use the bitsclient tool to download the content2.htm file from Istanbul.

a. At the command prompt, type bitsclient, and then press Enter.

b. Type bitsclient http://istanbul.fabrikam.com/content2.htm, and then press Enter.

Perform the following steps on the Paris computer.

12. On the Paris computer, use the find command to verify the presence of the content2.htm content in the disk cache file.

a. On the Paris computer, in the Command Prompt window, in the C:\urlcache folder, type find /i "content2.htm" dir1.cdat, and then press Enter.

b. After a few seconds, press Ctrl-C to interrupt the find command, and to avoid searching the entire 10 MB disk cache file.

c. Close the Command Prompt window.

Perform the following steps on the Istanbul computer.

13. On the Istanbul computer, disable the Local Area Connection network adapter.

a. On the Istanbul computer, on the Start menu, click Control Panel, and then right-click Network Connections, and click Open.

b. In the Network Connections window, right-click Local Area Connection, and then click Disable.

Perform the following steps on the Denver computer.

14. On the Denver computer, for demonstration purposes, request the 11 bytes starting at position 749 in the content2.htm file.

a. On the Denver computer, in the Command Prompt window, in the C:\Tools folder, type bitsclient http://istanbul.fabrikam.com/content2.htm 749:11, and then press Enter.

b. Type type bits-job1.txt, and then press Enter.

c. Close the Command Prompt window.

Perform the following steps on the Istanbul computer.

15. On the Istanbul computer, enable the Local Area Connection network adapter.

a. On the Istanbul computer, in the Network Connections window, right-click Local Area Connection, and then click Enable.

b. Close the Network Connections window.

Perform the following steps on the Paris computer.

16. On the Paris computer, disable caching.

a. On the Paris computer, in the ISA Server console, in the left pane, select Cache.

b. In the right pane, select the Cache Drives tab.

c. In the task pane, on the Tasks tab, click Disable Caching.

d. Click Yes to confirm that you want to disable caching.

17. Apply the changes and restart the Firewall service.

a. Click Apply to apply the changes.

b. In the ISA Server Warning dialog box, CHANGE the current selection, and select Save the changes and restart the services, and then click OK.

c. Click OK to close the Saving Configuration Changes dialog box.
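The cache behaviour steps 11 to 14 demonstrate, as an added example (not part of the lab manual and not ISA Server code): a full download of content2.htm through the cache rule fills the cache, and a later BITS range request (bitsclient ... 749:11, that is 11 bytes from offset 749) is answered from the cached copy even though the origin server is unreachable. The sample page content and the RangeCache class are constructed for this example.

```python
class OriginUnreachable(Exception):
    """Raised when the origin server (Istanbul, after step 13) cannot be reached."""


class RangeCache:
    """Minimal disk-cache model: keeps full responses per URL and serves byte ranges from them."""

    def __init__(self, cache_rule_domains, fetch_from_origin):
        # Domains from the cache rule's domain name set; step 6 adds istanbul.fabrikam.com.
        self.domains = {d.lower() for d in cache_rule_domains}
        self.fetch = fetch_from_origin      # callable(url) -> bytes, may raise OriginUnreachable
        self.store = {}                     # url -> cached body

    def _cacheable(self, url):
        host = url.split("//", 1)[-1].split("/", 1)[0].lower()
        return host in self.domains

    def get(self, url, byte_range=None):
        """Return (status, body). byte_range is (offset, length), as bitsclient takes it."""
        body = self.store.get(url)
        if body is None:
            body = self.fetch(url)          # cache miss: the origin must be reachable
            if self._cacheable(url):
                self.store[url] = body
        if byte_range is None:
            return 200, body
        offset, length = byte_range
        if offset >= len(body):
            return 416, b""                 # Range Not Satisfiable
        return 206, body[offset:offset + length]


# Constructed sample content; the lab's real content2.htm is not reproduced here.
CONTENT2 = b"<html><body>" + b"0123456789" * 80 + b"</body></html>"
URL = "http://istanbul.fabrikam.com/content2.htm"


def demo():
    """Replays steps 11, 13 and 14: full fetch, origin goes down, range served from cache."""
    origin_up = {"up": True}

    def fetch(url):
        if not origin_up["up"]:
            raise OriginUnreachable(url)
        return CONTENT2

    cache = RangeCache(["istanbul.fabrikam.com"], fetch)
    cache.get(URL)                          # step 11: full download fills the cache
    origin_up["up"] = False                 # step 13: Istanbul's network adapter disabled
    return cache.get(URL, (749, 11))        # step 14: 749:11 answered from the cache


if __name__ == "__main__":
    print(demo())
```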

Exercise 3: Configuring DiffServ Settings to Prioritize Network Traffic

In this exercise, you will configure ISA Server to use Differentiated Services (DiffServ) tagging of HTTP and HTTPS network packets.

Tasks Detailed steps

Perform the following steps on the Paris computer.

1. On the Paris computer, enable the Web filter for DiffServ tagging.

a. On the Paris computer, in the ISA Server console, under Paris, expand Configuration, and then select Add-ins.

b. In the right pane, select the Web Filters tab.

c. In the right pane, select DiffServ Filter, and then in the task pane, on the Tasks tab, click Enable Selected Filters.

d. Click Apply to apply the changes, and then click OK.

2. Define new DiffServ priorities.
Name: High priority
DiffServ bits: 100110
Size limit: 700 bytes
Name: Medium priority
DiffServ bits: 110110
Size limit: None

a. In the left pane, select General.

b. In the right pane, click Specify DiffServ Preferences.

c. In the HTTP DiffServ dialog box, on the General tab, select Enable network traffic prioritization.

d. On the Priorities tab, click Add.

e. In the Add Priority dialog box, complete the following information:

Priority name: High priority

DiffServ bits: 100110

Apply a size limit to this priority: enable

Size limit: 700 and then click OK.

f. On the Priorities tab, click Add.

g. In the Add Priority dialog box, complete the following information:

Priority name: Medium priority

DiffServ bits: 110110

Apply a size limit to this priority: disable (is default) and then click OK.

3. Assign priorities to URLs.
URL: istanbul.fabrikam.com/sales
Priority: High priority
URL: istanbul.fabrikam.com
Priority: Medium priority

a. In the HTTP DiffServ dialog box, on the URLs tab, click Add.

b. In the Add URL Priority dialog box, complete the following information:

URL: istanbul.fabrikam.com/sales/*

Priority: High priority and then click OK.

c. On the URLs tab, click Add.

d. In the Add URL Priority dialog box, complete the following information:

URL: istanbul.fabrikam.com/*

Priority: Medium priority and then click OK.

4. Assign priorities to Domains.
Domain: *.fabrikam.com
Priority: Medium priority

a. In the HTTP DiffServ dialog box, on the Domains tab, click Add.

b. In the Add Domain Priority dialog box, complete the following information:

Domain: *.fabrikam.com

Priority: Medium priority and then click OK.

5. Enable DiffServ tagging for the External network.

a. In the HTTP DiffServ dialog box, on the Networks tab, select External.

b. Click OK to close the HTTP DiffServ dialog box.

6. Apply the changes.

a. Click Apply to apply the changes, and then click OK.

7. Start the log viewer.

a. In the ISA Server console, in the left pane, select Monitoring.

b. In the right pane, select the Logging tab.

c. In the task pane, on the Tasks tab, click Start Query.

8. Verify the existence of the Allow Web access (Branch) firewall rule.

a. In the left pane, select Firewall Policy.

Perform the following steps on the Denver computer.

9. On the Denver computer, use Internet Explorer to connect to http://istanbul.fabrikam.com/default.htm

a. On the Denver computer, open Internet Explorer. In the Address box, type http://istanbul.fabrikam.com/default.htm, and then press Enter.

b. Close Internet Explorer.

Perform the following steps on the Paris computer.

10. On the Paris computer, stop the log viewer.

a. On the Paris computer, in the ISA Server console, in the left pane, select Monitoring.

b. In the right pane, select the Logging tab.

c. In the task pane, on the Tasks tab, click Stop Query.


11. Add the Filter Information column to the list of displayed columns.

a. In the right pane, right-click the Log Time column header (or another column header), and then click Add/Remove Columns.

b. In the Add/Remove Columns dialog box, in the Available columns list box, select Filter Information, and then click Add.

c. In the Displayed columns list, select Filter Information, and then click Move Up, so that the new column is not last in the list.

d. Click OK to close the Add/Remove Columns dialog box.

12. Examine the contents of the Filter Information log field.

a. In the right pane, scroll the list of log field columns, so that you can see the Filter Information column near the end of the list.

b. In the column headers, double-click the small line between the Filter Information column, and the next column.

c. Scroll the list of log entries until you see text in the Filter Information field.
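The tagging logic this exercise configures, as an added example (not part of the lab manual and not ISA Server code): it encodes the lab's two priorities, the URL and domain assignments, and the External network selection, and computes the DS byte value that would be written into the IP header of a tagged packet. Assumptions made here: URL priorities are checked before domain priorities, the longest matching URL pattern wins, and a size limit means only the first N bytes of a response are tagged.

```python
import fnmatch
from urllib.parse import urlsplit

# Lab settings from steps 2 to 5.
PRIORITIES = {
    "High priority":   {"bits": "100110", "size_limit": 700},
    "Medium priority": {"bits": "110110", "size_limit": None},
}
URL_RULES = [
    ("istanbul.fabrikam.com/sales/*", "High priority"),
    ("istanbul.fabrikam.com/*", "Medium priority"),
]
DOMAIN_RULES = [("*.fabrikam.com", "Medium priority")]
TAGGED_NETWORKS = {"External"}


def dscp_value(bits):
    """Six DiffServ bits as an integer (100110 -> 38, 110110 -> 54)."""
    if len(bits) != 6 or set(bits) - {"0", "1"}:
        raise ValueError("DiffServ bits must be six binary digits")
    return int(bits, 2)


def ds_byte(bits):
    """The DS field holds the DSCP in its top six bits; the two ECN bits stay clear."""
    return dscp_value(bits) << 2


def match_priority(url):
    """Assumption: URL rules first (longest pattern wins), then domain rules."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    target = host + (parts.path or "/")
    best = None
    for pattern, name in URL_RULES:
        if fnmatch.fnmatchcase(target, pattern) and (best is None or len(pattern) > len(best[0])):
            best = (pattern, name)
    if best is not None:
        return best[1]
    for pattern, name in DOMAIN_RULES:
        if fnmatch.fnmatchcase(host, pattern):
            return name
    return None


def tag_for(url, byte_offset, network):
    """DS byte for a packet whose first byte sits at byte_offset within the HTTP
    response, or None if the packet is not tagged. Assumption: with a size limit
    only the first N bytes of the response carry the priority."""
    if network not in TAGGED_NETWORKS:
        return None
    name = match_priority(url)
    if name is None:
        return None
    prio = PRIORITIES[name]
    if prio["size_limit"] is not None and byte_offset >= prio["size_limit"]:
        return None
    return ds_byte(prio["bits"])


if __name__ == "__main__":
    for u in ("http://istanbul.fabrikam.com/sales/report.htm",
              "http://istanbul.fabrikam.com/default.htm",
              "http://www.contoso.com/"):
        print(u, match_priority(u), tag_for(u, 0, "External"))
```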

Module G: Enterprise Management of ISA Servers

Exercise 1: Enterprise Policies and Array Policies

In this exercise, you will create an enterprise policy, and apply this policy to multiple ISA Server arrays.

Tasks Detailed steps

Perform the following steps on the Florence computer.

1. On the Florence computer, in the ISA Server console, examine the Enterprise node, the Arrays node, and the Servers node.

a. On the Florence computer, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.

b. In the ISA Server console, in the left pane, expand Enterprise.

c. Expand Enterprise Policies, and then select Default Policy.

d. In the left pane, select Arrays.

e. Expand Arrays, expand ITALY, expand Configuration, and then select Servers.

2. Examine the Configuration Storage server (CSS) settings.

a. In the left pane, select Arrays.

b. Scroll the right pane, so that you can see the Configuration Server column.

c. Right-click ITALY, and then click Properties.

d. In the ITALY Properties dialog box, select the Configuration Storage tab.

e. Click Cancel to close the ITALY Properties dialog box.

f. In the left pane, expand PORTUGAL, expand Configuration, and then select Servers.

3. Examine the four components of the firewall policy rule list:
- System policy rules
- Enterprise rules (before)
- Array-level rules
- Enterprise rules (after)

a. In the left pane, expand Arrays, expand ITALY, and then select Firewall Policy (ITALY).

b. In the task pane, on the Tasks tab, click Show System Policy Rules.

c. On the Tasks tab, click Hide System Policy Rules.

4. Create a new enterprise policy.
Name: Company Enterprise Policy

a. In the left pane, expand Enterprise, expand Enterprise Policies, and then select Enterprise Policies.

b. In the task pane, on the Tasks tab, click Create New Enterprise Policy.

c. In the New Enterprise Policy Wizard dialog box, in the Enterprise policy name text box, type Company Enterprise Policy, and then click Next.

d. On the Completing the New Enterprise Policy Wizard page, click Finish.

e. In the left pane (NOT the right pane), select Company Enterprise Policy.

5. Create an enterprise network.
Name: All Internal Networks
Network addresses:
- 10.1.1.0 - 10.1.1.255
- 10.4.1.0 - 10.4.1.255

a. In the left pane, select Enterprise Networks.

b. In the task pane, on the Tasks tab, click Create a New Network.

c. In the New Network Wizard dialog box, in the Network name text box, type All Internal Networks, and then click Next.

d. On the Network Addresses page, click Add Range.

e. In the IP Address Range Properties dialog box, complete the following information:

Start address: 10.1.1.0

End address: 10.1.1.255 and then click OK.

f. On the Network Addresses page, click Add Range again.

g. In the IP Address Range Properties dialog box, complete the following information:

Start address: 10.4.1.0

End address: 10.4.1.255 and then click OK.

h. On the Network Addresses page, click Next.

i. On the Completing the New Network Wizard page, click Finish.

6. In Company Enterprise Policy, create a new access rule.
Name: Baseline - Allow HTTP traffic to Internet
Applies to: HTTP
From network: All Internal Networks
To network: External

a. In the left pane, select Company Enterprise Policy, and then in the right pane, select Default rule.

b. In the task pane, on the Tasks tab, click Create Enterprise Access Rule.

c. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Baseline - Allow HTTP traffic to Internet, and then click Next.

d. On the Rule Action page, select Allow, and then click Next.

e. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.

f. In the Add Protocols dialog box, click Common Protocols, click HTTP, and click Add, and then click Close to close the Add Protocols dialog box.

g. On the Protocols page, click Next.

h. On the Access Rule Sources page, click Add.

i. In the Add Network Entities dialog box, click Enterprise Networks, click All Internal Networks, and click Add, and then click Close to close the Add Network Entities dialog box.

j. On the Access Rule Sources page, click Next.

k. On the Access Rule Destinations page, click Add.

l. In the Add Network Entities dialog box, click Enterprise Networks, click External, and click Add, and then click Close to close the Add Network Entities dialog box.

m. On the Access Rule Destinations page, click Next.

n. On the User Sets page, click Next.

o. On the Completing the New Access Rule Wizard page, click Finish.

7. Assign Company Enterprise Policy to the ITALY array.

a. In the left pane, right-click ITALY, and then click Properties.

b. In the ITALY Properties dialog box, select the Policy Settings tab.

c. In the Enterprise policy list box, select Company Enterprise Policy.

d. Click OK to close the ITALY Properties dialog box.

8. Assign Company Enterprise Policy to the PORTUGAL array.

a. In the left pane, right-click PORTUGAL, and then click Properties.

b. In the PORTUGAL Properties dialog box, select the Policy Settings tab.

c. In the Enterprise policy list box, select Company Enterprise Policy.

d. Click OK to close the PORTUGAL Properties dialog box.

9. Examine the firewall policy of the PORTUGAL array.

a. In the left pane, select Firewall Policy (PORTUGAL).

b. In the right pane, right-click the Baseline - Allow HTTP traffic to Internet rule, and then click Properties.

c. In the access rule properties dialog box, select the Action tab.

d. Click Cancel to close the access rule properties dialog box.

10. Collapse the PORTUGAL node.

a. In the left pane, collapse the PORTUGAL node.

11. Create a new enterprise protocol definition.
Name: Attack Ports
Protocols:
- TCP 12345 (outbound)
- TCP 31337 (outbound)

a. In the left pane, select Enterprise Policies.

b. In the task pane, on the Toolbox tab, in the Protocols section, on the New menu, click Protocol.

c. In the New Protocol Definition Wizard dialog box, in the Protocol definition name text box, type Attack Ports, and then click Next.

d. On the Primary Connection Information page, click New.

e. In the New/Edit Protocol Connection dialog box, complete the following information:

Protocol type: TCP

Direction: Outbound

From: 12345

To: 12345 and then click OK.

f. On the Primary Connection Information page, click New.

g. In the New/Edit Protocol Connection dialog box, complete the following information:

Protocol type: TCP

Direction: Outbound

From: 31337

To: 31337 and then click OK.

h. On the Primary Connection Information page, click Next.


i. On the Secondary Connections page, click Next.

j. On the Completing the New Protocol Definition Wizard page, click Finish.

12. In Company Enterprise Policy, create a new access rule.
Name: Block - Trojan horse traffic
Applies to: Attack Ports
From network: All Internal Networks
To network: External

a. In the left pane, select Company Enterprise Policy, and then in the right pane, select Baseline - Allow HTTP traffic to Internet.

b. In the task pane, on the Tasks tab, click Create Enterprise Access Rule.

c. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Block - Trojan horse traffic, and then click Next.

d. On the Rule Action page, select Deny, and then click Next.

e. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.

f. In the Add Protocols dialog box, click User-Defined, click Attack Ports, and click Add, and then click Close to close the Add Protocols dialog box.

g. On the Protocols page, click Next.

h. On the Access Rule Sources page, click Add.

i. In the Add Network Entities dialog box, click Enterprise Networks, click All Internal Networks, and click Add, and then click Close to close the Add Network Entities dialog box.

j. On the Access Rule Sources page, click Next.

k. On the Access Rule Destinations page, click Add.

l. In the Add Network Entities dialog box, click Enterprise Networks, click External, and click Add, and then click Close to close the Add Network Entities dialog box.

m. On the Access Rule Destinations page, click Next.

n. On the User Sets page, click Next.

o. On the Completing the New Access Rule Wizard page, click Finish.

p. Right-click Block - Trojan horse traffic, and then click Move Up.

13. Examine the firewall policy of the ITALY array.

a. In the left pane, select Firewall Policy (ITALY).

b. In the task pane, on the Toolbox tab, in the Protocols section, expand User-Defined.

14. Assign Default Policy to the ITALY array.

a. In the left pane, right-click ITALY, and then click Properties.

b. In the ITALY Properties dialog box, select the Policy Settings tab.

c. In the Enterprise policy list box, select Default Policy, and then click OK.

d. In the left pane, select Firewall Policy (ITALY).

15. Discard the changes. a. In the right pane, click Discard to discard all the changes made in this exercise.

b. Click Yes to confirm that you want to discard the changes.
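The rule order examined in step 3 and exercised in steps 6 to 13, as an added example (not part of the lab manual and not ISA Server code): a first-match evaluator over enterprise rules (before), array-level rules, enterprise rules (after) and the Default rule, loaded with the lab's All Internal Networks, Attack Ports, Baseline - Allow HTTP traffic to Internet and Block - Trojan horse traffic definitions. The permissive array-level rule is constructed for the example to show that an array administrator cannot undo a deny placed in the enterprise "before" rules; system policy rules are left out.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Enterprise network from step 5.
ALL_INTERNAL = [ip_network("10.1.1.0/24"), ip_network("10.4.1.0/24")]


def network_of(addr):
    """Map an IP address to the enterprise network name the lab's rules use."""
    a = ip_address(addr)
    return "All Internal Networks" if any(a in n for n in ALL_INTERNAL) else "External"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str             # "allow" or "deny"
    protocols: frozenset    # {(proto, port), ...} or {"*"} for all protocols
    sources: frozenset      # network names
    destinations: frozenset

    def matches(self, proto, port, src, dst):
        if "*" not in self.protocols and (proto, port) not in self.protocols:
            return False
        return network_of(src) in self.sources and network_of(dst) in self.destinations


INTERNAL = frozenset({"All Internal Networks"})
EXTERNAL = frozenset({"External"})
ATTACK_PORTS = frozenset({("tcp", 12345), ("tcp", 31337)})     # step 11

# Company Enterprise Policy after step 12p (Block moved above Baseline).
ENTERPRISE_BEFORE = [
    Rule("Block - Trojan horse traffic", "deny", ATTACK_PORTS, INTERNAL, EXTERNAL),
    Rule("Baseline - Allow HTTP traffic to Internet", "allow",
         frozenset({("tcp", 80)}), INTERNAL, EXTERNAL),
]
# Constructed array-level rule, not in the lab: as permissive as an array admin could make it.
ARRAY_RULES = [Rule("Allow all (constructed)", "allow", frozenset({"*"}), INTERNAL, EXTERNAL)]


def build_policy(enterprise_before, array_rules, enterprise_after=()):
    """Ordered (level, rule) list in the order ISA Server evaluates it."""
    return ([("enterprise-before", r) for r in enterprise_before]
            + [("array", r) for r in array_rules]
            + [("enterprise-after", r) for r in enterprise_after])


def evaluate(policy, proto, port, src, dst):
    """First match wins; the Default rule denies whatever nothing else matched."""
    for level, rule in policy:
        if rule.matches(proto, port, src, dst):
            return level, rule.name, rule.action
    return "default", "Default rule", "deny"


LAB_POLICY = build_policy(ENTERPRISE_BEFORE, ARRAY_RULES)

if __name__ == "__main__":
    # Constructed sample traffic from Denver (10.1.1.5) to an outside address.
    for port in (80, 443, 31337):
        print(port, evaluate(LAB_POLICY, "tcp", port, "10.1.1.5", "203.0.113.10"))
```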


Exercise 2: Remote Management and Role-based Administration

In this exercise, you will configure ISA Server to allow remote management. You can connect remotely to manage ISA Server using the ISA Server console, or using a Remote Desktop connection.

Tasks Detailed steps

Perform the following steps on the Florence computer.

1. On the Florence computer, add the Denver computer (10.1.1.5) to the Enterprise Remote Management Computers computer set.

a. On the Florence computer, in the ISA Server console, in the left pane, expand Enterprise, and then select Enterprise Policies.

b. In the task pane, on the Toolbox tab, in the Network Objects section, expand Computer Sets.

c. Right-click Enterprise Remote Management Computers, and then click Properties.

d. In the Enterprise Remote Management Computers Properties dialog box, click Add, and then click Computer.

e. In the New Computer Rule Element dialog box, complete the following information:

Name: Denver

Computer IP Address: 10.1.1.5 and then click OK.

f. Click OK to close the Enterprise Remote Management Computers Properties dialog box.

2. For the ITALY array, examine the Remote Management Computers computer set.

a. In the left pane, select Firewall Policy (ITALY).

b. In the task pane, on the Toolbox tab, in the Network Objects section, expand Computer Sets.

c. Right-click Enterprise Remote Management Computers, and then click Properties.

d. Click Cancel to close the Enterprise Remote Management Computers Properties dialog box.

e. Right-click Remote Management Computers, and then click Properties.

f. Click Cancel to close the Remote Management Computers Properties dialog box.

3. Examine the system policy rules that are used by the remote management computers: System policy rules: 2 - 3 - 4 - 11 - 20 - 32

a. In the task pane, on the Tasks tab, click Show System Policy Rules.

b. In the System Policy Rules list, select system policy rule 2.

c. In the task pane, on the Tasks tab, click Hide System Policy Rules.

4. Use System properties to enable remote desktop.

a. On the Start menu, click Control Panel, and then click System.

b. In the System Properties dialog box, on the Remote tab, in the Remote Desktop box, select Enable Remote Desktop on this computer.

c. Click OK to acknowledge that remote connection accounts must have passwords, and that the correct port must be open for remote connections.

d. Click OK to close the System Properties dialog box.


5. Create a new user account. Name: David

Password: Password2

Change password at next logon: disable

Member of: Remote Desktop Users

a. On the Start menu, click Administrative Tools, and then click Computer Management.

b. In the Computer Management console, in the left pane, expand Local Users and Groups, and then select Users.

c. Right-click Users, and then click New User.

d. In the New User dialog box, complete the following information:

User name: David

Password: Password2

Confirm password: Password2

User must change password at next logon: disable and then click Create.

e. Click Close to close the New User dialog box.

f. Right-click David, and then click Properties.

g. In the David Properties dialog box, on the Member Of tab, click Add.

h. In the Select Groups dialog box, type Remote Desktop Users, and then click OK.

i. Click OK to close the David Properties dialog box.

j. Close the Computer Management console.

Perform the following steps on the Firenze computer.

6. On the Firenze computer, create a new (mirrored) user account. Name: David

Password: Password2

Change password at next logon: disable

a. On the Firenze computer, on the Start menu, click Administrative Tools, and then click Computer Management.

b. In the Computer Management console, in the left pane, expand Local Users and Groups, and then select Users.

c. Right-click Users, and then click New User.

d. In the New User dialog box, complete the following information:

User name: David

Password: Password2

Confirm password: Password2

User must change password at next logon: disable and then click Create.

e. Click Close to close the New User dialog box.

f. Close the Computer Management console.

Perform the following steps on the Florence computer.

7. On the Florence computer, assign array administrative roles. Array Administrator: FLORENCE\David

Mirrored monitor account: David

a. On the Florence computer, in the ISA Server console, in the left pane, right-click ITALY, and then click Properties.

b. In the ITALY Properties dialog box, on the Assign Roles tab, click the top Add button.

c. In the Administration Delegation dialog box, complete the following information:

Group or User: FLORENCE\David

Role: ISA Server Array Administrator and then click OK.

d. Click OK to acknowledge that you must assign this role to the mirrored account.

e. Click the bottom Add button.

f. In the Administration Delegation dialog box, complete the following information:

Group or User: David

Role: ISA Server Array Administrator and then click OK.

g. Click OK to close the ITALY Properties dialog box.

8. Examine the enterprise administrative roles.

a. In the left pane, right-click Enterprise, and then click Properties.

b. In the Enterprise Properties dialog box, select the Assign Roles tab.

c. Click Cancel to close the Enterprise Properties dialog box.

9. Start the Array Status Monitor to quickly see the current CSS status. File: C:\Tools\Status\ArrayStatus.hta

a. Use Windows Explorer (or My Computer) to open the C:\Tools\Status folder.

b. In the Status folder, right-click ArrayStatus.hta, and then click Open.

c. Close the Status folder.

10. Apply the changes.

a. Click Apply to save the changes, and then click OK. Use the Array Status Monitor to wait until the CSS status is Synced.

Perform the following steps on the Denver computer.

11. On the Denver computer, use the ISA Server console to connect to ITALY. CSS: Florence

CSS credentials: David / Password2

Monitor credentials: David / Password2

a. On the Denver computer, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.

b. In the ISA Server console, in the left pane, select Microsoft Internet Security and Acceleration Server 2006, and then in the task pane, on the Tasks tab, click Connect to Configuration Storage Server.

c. In the Configuration Storage Server Connection Wizard dialog box, click Next.

d. On the Configuration Storage Server Location page, in the On remote computer (remote management) text box, type Florence, and then click Next.

e. On the Configuration Storage Server Credentials page, complete the following information:

Credentials of the following user: enable

User name: David

Password: Password2 and then click Next.

f. On the Array Connection Credentials page, select The same credentials used to connect to the Configuration Storage Server, and then click Next.

g. On the Completing the Connection Wizard page, click Finish.

12. Attempt to create a new enterprise policy.

a. In the ISA Server console, in the left pane, expand Enterprise.

b. Right-click Enterprise Policies, click New, and then click Enterprise Policy.

c. Click OK to acknowledge that you do not have the necessary permissions.

13. Examine the services information for the array members.

a. In the left pane, expand Arrays.

b. Expand ITALY, and then select Monitoring.

c. In the right pane, select the Services tab.

14. Disconnect from the enterprise, and close the ISA Server console.

a. In the left pane, select Microsoft Internet Security and Acceleration Server 2006.

b. In the task pane, on the Tasks tab, click Disconnect from Enterprise.

c. Click Yes to confirm that you want to disconnect from the enterprise.

d. Close the ISA Server console.

15. Create a remote desktop connection to Florence.

Log on: User name: David

Password: Password2

a. On the Start menu, click All Programs, click Accessories, click Communications, and then click Remote Desktop Connection.

b. In the Remote Desktop Connection dialog box, in the Computer text box, type Florence, and then click Connect.

c. In the Log On to Windows dialog box, complete the following information:

User name: David

Password: Password2 and then click OK.

16. Use the ISA Server console to examine the permissions of David.

a. On the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.

b. In the ISA Server console, expand Arrays.

c. Expand ITALY, and then select Monitoring.

d. In the right pane, select the Services tab.

e. Close the ISA Server console.

17. Log off from the remote desktop connection.

a. On the Start menu, click Log Off.

b. Click Log Off to confirm that you want to log off.

Perform the following steps on the Florence computer.

18. On the Florence computer, use System properties to disable remote desktop.

a. On the Florence computer, on the Start menu, click Control Panel, and then click System.

b. In the System Properties dialog box, on the Remote tab, in the Remote Desktop box, CLEAR the Enable Remote Desktop on this computer check box.

c. Click OK to close the System Properties dialog box.
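The PowerShell script below is an added example; it is not part of this lab manual and not ISA Server code. It performs steps 4 to 7 (enable Remote Desktop, create the mirrored local account, add it to Remote Desktop Users) and step 18 (disable Remote Desktop again) on one array member, and then checks that the account exists on every member, which is the condition the ISA console only warns about in step 7d. The user name David and the password Password2 are the lab's values; the member list, the -SkipRdpGroup and -DisableRdp switches and the PowerShell 2.0 syntax (try/catch, New-Object -Property) are assumptions. Note that the registry value only turns the Terminal Services listener on: on an ISA Server computer the connection is still allowed or denied by the system policy rules examined in step 3, which is why step 1 adds Denver to the Remote Management Computers set.

```powershell
# Added example, not part of the ISA Server 2006 lab manual or of ISA Server.
# Run elevated on EACH array member (Florence and Firenze in this lab) with the
# same user name and password: a workgroup array validates the administrator
# against a local account that must be identical on every member.
param(
    [string]   $UserName     = 'David',                    # lab value
    [string]   $Password     = 'Password2',                # lab value (clear text is fine for the lab only)
    [string[]] $ArrayMembers = @('Florence', 'Firenze'),   # assumption: the lab's two members
    [switch]   $SkipRdpGroup,   # step 6 creates the account on Firenze without the RDP group
    [switch]   $DisableRdp      # step 18: switch Remote Desktop off again
)

function Set-MirroredLocalAccount([string]$Name, [string]$Pwd) {
    # Create the account if it is missing, otherwise reset the password so that
    # it matches the other members. The password is set before the first
    # SetInfo so that a local password policy cannot reject an empty password.
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME"
    $path = "WinNT://$env:COMPUTERNAME/$Name,user"
    if ([System.DirectoryServices.DirectoryEntry]::Exists($path)) {
        $user = [ADSI]$path
    } else {
        $user = $computer.Create('user', $Name)
    }
    $user.SetPassword($Pwd)
    $user.SetInfo()
    $user.Put('PasswordExpired', 0)   # "User must change password at next logon": disable
    $user.SetInfo()
    return $user
}

function Add-ToRemoteDesktopUsers([string]$Name) {
    # Membership of Remote Desktop Users is what lets a non-administrator log on through RDP.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Remote Desktop Users,group"
    $members = @($group.Invoke('Members') |
        ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
    if ($members -notcontains $Name) {
        $group.Add("WinNT://$env:COMPUTERNAME/$Name,user")
        $members += $Name
    }
    return $members
}

function Set-RemoteDesktop([bool]$Enabled) {
    # fDenyTSConnections = 0 is what "Enable Remote Desktop on this computer" sets (step 4).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $deny = 1
    if ($Enabled) { $deny = 0 }
    Set-ItemProperty -Path $key -Name fDenyTSConnections -Value $deny -Type DWord
    return ((Get-ItemProperty -Path $key).fDenyTSConnections -eq 0)
}

function Test-AccountMirror([string]$Name, [string[]]$Hosts) {
    # Verify the mirrored account really exists (and is enabled) on every member.
    foreach ($h in $Hosts) {
        $status = 'MISSING'
        try {
            if ([System.DirectoryServices.DirectoryEntry]::Exists("WinNT://$h/$Name,user")) {
                $acct = [ADSI]"WinNT://$h/$Name,user"
                if ($acct.AccountDisabled) { $status = 'DISABLED' } else { $status = 'present' }
            }
        } catch { $status = "unreachable: $($_.Exception.Message)" }
        New-Object PSObject -Property @{ Member = $h; Account = $Name; Status = $status }
    }
}

$null = Set-MirroredLocalAccount -Name $UserName -Pwd $Password
if (-not $SkipRdpGroup) {
    $members = Add-ToRemoteDesktopUsers -Name $UserName
    "Remote Desktop Users on $($env:COMPUTERNAME): $($members -join ', ')"
}
"Remote Desktop enabled on $($env:COMPUTERNAME): $(Set-RemoteDesktop -Enabled (-not $DisableRdp))"
Test-AccountMirror -Name $UserName -Hosts $ArrayMembers | Format-Table Member, Account, Status -AutoSize
```

Run it without switches on Florence (steps 4 and 5), with -SkipRdpGroup on Firenze (step 6), and with -DisableRdp on Florence at the end (step 18). The role assignment of step 7 is still done in the ISA Server console; the mirror check at the end tells you before that step whether the account the console will look for is actually present on each member.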


Exercise 3: Working with Configuration Storage Servers (Optional)

In this exercise, you will examine details on how ISA Server uses a Configuration Storage server (CSS) to save configuration data.

Tasks Detailed steps

Perform the following steps on the Florence computer.

1. On the Florence computer, examine the Configuration Storage server (CSS) settings.

a. On the Florence computer, in the ISA Server console, in the left pane, right-click ITALY, and then click Properties.

b. In the ITALY Properties dialog box, select the Configuration Storage tab.

c. Open the Check the Configuration Storage server for updates every list box.

d. Close the Check the Configuration Storage server for updates every list box.

e. Click Cancel to close the ITALY Properties dialog box.

2. In the ISA Server installation folder, examine the ChangeStorageServer.vbs script.

a. Open a Command Prompt window.

b. At the command prompt, type cd \Program Files\Microsoft ISA Server, and then press Enter.

c. Type cscript.exe ChangeStorageServer.vbs /?, and then press Enter.

d. Do not close the Command Prompt window.

3. In the Services console, examine the ISASTGCTRL service.

a. On the Start menu, click Administrative Tools, and then click Services.

b. In the Services console, right-click ISASTGCTRL, and then click Properties.

c. Click Cancel to close the ISASTGCTRL Properties (Local Computer) dialog box.

d. Close the Services console.

4. In the Event Viewer console, examine the ADAM (ISASTGCTRL) log.

a. On the Start menu, click Administrative Tools, and then click Event Viewer.

b. In the Event Viewer console, in the left pane, select ADAM (ISASTGCTRL).

c. Close the Event Viewer console.

5. Examine the CSS authentication setting.

a. In the ISA Server console, in the left pane, right-click ITALY, and then click Properties.

b. In the ITALY Properties dialog box, on the Configuration Storage tab, click Select.

c. Click Cancel to close the Select Authentication Type dialog box.

d. Click Cancel to close the ITALY Properties dialog box.

6. In the ISA Server installation folder, examine ISACertTool.exe.

a. In a Command Prompt window, in the C:\Program Files\Microsoft ISA Server folder, type isacerttool.exe /?, and then press Enter.

b. Do not close the Command Prompt window.

7. Use the Certificates console to examine the Web server certificate for the ISASTGCTRL service account.

a. On the Start menu, click Run.

b. In the Run dialog box, type mmc.exe, and then click OK.

c. In the Console1 window, on the File menu, click Add/Remove Snap-in.

d. In the Add/Remove Snap-in dialog box, click Add.

e. In the Add Standalone Snap-in dialog box, select Certificates, and then click Add.

f. In the Certificates snap-in dialog box, select Service account, and then click Next.

g. In the Select Computer dialog box, select Local computer, and then click Next.

h. In the Certificates snap-in dialog box, in the Service account list box, select ISASTGCTRL, and then click Finish.

i. Click Close to close the Add Standalone Snap-in dialog box.

j. Click OK to close the Add/Remove Snap-in dialog box.

k. Maximize the Console Root window.

l. In the left pane, expand Certificates - Service (ISASTGCTRL), expand ADAM_ISASTGCTRL\Personal, and then select Certificates.

m. In the right pane, right-click the Florence certificate, and then click Open.

n. Click OK to close the Certificate dialog box.

o. Close the Console1 window. Click No to confirm that you do not want to save console settings to Console1.

8. Use the dsdbutil tool to examine the LDAP ports used by CSS.

a. On the Start menu, click All Programs, click ADAM, and then click ADAM Tools Command Prompt.

b. At the command prompt, type dsdbutil, and then press Enter.

c. At the dsdbutil: prompt, type list instances, and then press Enter.

d. At the dsdbutil: prompt, type quit, and then press Enter.

9. Use the ldp tool to check the LDAP SSL connection to CSS.

a. At the command prompt, type ldp, and then press Enter.

b. In the Ldp window, on the Connection menu, click Connect.

c. In the Connect dialog box, complete the following information:

Server: Florence

Port: 2172

Connectionless: disable (is default)

SSL: enable and then click OK.

d. Close the Ldp window.

10. Use the dsmgmt tool to examine the CSS ADAM naming contexts.

a. At the command prompt, type dsmgmt, and then press Enter.

b. At the dsmgmt: prompt, type partition management, and then press Enter.

c. At the partition management: prompt, type connections, and then press Enter.

d. At the server connections: prompt, type connect to server Florence:2171, and then press Enter.

e. At the server connections: prompt, type quit, and then press Enter.

f. At the partition management: prompt, type list, and then press Enter.

g. At the partition management: prompt, type quit, and then press Enter.

h. At the dsmgmt: prompt, type quit, and then press Enter.

i. Close the ADAM Tools Command Prompt window.
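The script below is an added example; it is not part of this lab manual and not ISA Server code. It repeats the checks of steps 9 and 10 from PowerShell so that a CSS can be verified from any management computer: it opens an SSL connection to the CSS on port 2172, inspects the certificate that the ISASTGCTRL service presents (the Florence certificate from step 7) for expiry, name match and trust, and reads the naming contexts from port 2171 as the dsmgmt list command does. Ports 2171 and 2172 are the lab's values; the server name, the 30-day expiry threshold, the expectation that CN=FPC2 appears among the naming contexts, and the PowerShell 2.0 syntax are assumptions. The certificate matters because array members that connect to the CSS over SSL (the authentication type examined in step 5) validate it: when it has expired or its issuer is not trusted on a member, that member can no longer pick up configuration changes.

```powershell
# Added example, not part of the ISA Server 2006 lab manual or of ISA Server.
param(
    [string] $CssServer    = 'Florence',   # lab value
    [int]    $LdapPort     = 2171,         # lab value: plain LDAP
    [int]    $LdapsPort    = 2172,         # lab value: LDAP over SSL
    [int]    $MinDaysValid = 30            # assumption: warn this long before expiry
)

function Get-CssCertificate([string]$Server, [int]$Port) {
    # Open a TLS session and hand back the certificate the CSS presents. The
    # callback accepts everything on purpose: an invalid certificate is then
    # reported by Test-CssCertificate instead of being hidden in a handshake error.
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $tls = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    try {
        $tls.AuthenticateAsClient($Server)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($tls.RemoteCertificate)
    } finally {
        $tls.Close()
        $tcp.Close()
    }
}

function Test-CssCertificate($Cert, [string]$ExpectedHost, [int]$MinDaysValid) {
    $problems = @()
    $now = Get-Date
    if ($Cert.NotBefore -gt $now) { $problems += "not valid before $($Cert.NotBefore)" }
    if ($Cert.NotAfter -lt $now.AddDays($MinDaysValid)) { $problems += "expires $($Cert.NotAfter)" }
    # Array members connect by the CSS name on the Configuration Storage tab (step 1),
    # so the subject name has to match that name.
    $dnsName = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    if ($dnsName -notlike "$ExpectedHost*") { $problems += "subject '$dnsName' does not match '$ExpectedHost'" }
    # Chain validation against THIS computer's trusted roots: run it on each array member,
    # because each member must trust the issuer of the CSS certificate.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($Cert)) {
        $problems += 'chain: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }
    return $problems
}

function Get-CssNamingContexts([string]$Server, [int]$Port) {
    # Same information as "dsmgmt > partition management > list": RootDSE namingContexts.
    $rootDse = [ADSI]"LDAP://$($Server):$Port/RootDSE"
    return @($rootDse.namingContexts)
}

$cert = Get-CssCertificate -Server $CssServer -Port $LdapsPort
"CSS certificate on ${CssServer}:${LdapsPort}"
"  Subject    : $($cert.Subject)"
"  Issuer     : $($cert.Issuer)"
"  Valid      : $($cert.NotBefore) to $($cert.NotAfter)"
"  Thumbprint : $($cert.Thumbprint)"
$issues = Test-CssCertificate -Cert $cert -ExpectedHost $CssServer -MinDaysValid $MinDaysValid
if ($issues.Count -eq 0) { "  Result     : OK" } else { $issues | ForEach-Object { "  PROBLEM    : $_" } }

"Naming contexts on ${CssServer}:${LdapPort} (the enterprise data context CN=FPC2 is expected here)"
Get-CssNamingContexts -Server $CssServer -Port $LdapPort | ForEach-Object { "  $_" }
```

Run it on Florence first (the chain check there only proves the CSS trusts its own issuer) and then on Firenze and on Denver, which is where a missing root certificate shows up. The thumbprint printed is the value to compare with the certificate opened in the Certificates console in step 7.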

11. Use the ADAM ADSI Edit console to examine the ADAM site replication configuration. Connections to [Florence:2171]: - Configuration and - CN=FPC2

a. On the Start menu, click All Programs, click ADAM, and then click ADAM ADSI Edit.

b. In the ADAM-adsiedit window, on the Action menu, click Connect to.

c. In the Connection Settings dialog box, complete the following information:

Connection name: Configuration

Server name: Florence

Port: 2171

Well-known naming context: Configuration and then click OK.

d. On the Action menu, click Connect to again.

e. In the Connection Settings dialog box, complete the following information:

Connection name: Enterprise Data

Server name: Florence

Port: 2171

Distinguished name (DN) or naming context: CN=FPC2 and then click OK.

f. In the left pane, expand Configuration [Florence:2171], expand CN=Configuration, CN={...}, expand CN=Sites, expand CN=Default-First-Site-Name, and then select CN=Servers.

g. In the left pane, select CN=Default-First-Site-Name, and then in the right pane, right-click CN=NTDS Site Settings, and click Schedule.

h. Click Cancel to close the Schedule dialog box.

i. In the left pane, expand CN=Inter Site Transports, and then select CN=IP.

j. In the right pane, right-click CN=DEFAULTIPSITELINK, and then click Properties.

k. In the CN=DEFAULTIPSITELINK Properties dialog box, in the Attributes list, select replInterval.

l. Click Cancel to close the CN=DEFAULTIPSITELINK Properties dialog box.

m. In the left pane, expand Enterprise Data [Florence:2171], expand CN=FPC2, expand CN=Array-Root, expand CN=Arrays, and then select the first CN={...}.

n. Close the ADAM-adsiedit window.

12. In the ISA Server installation folder, examine AdamSites.exe.

a. In a Command Prompt window, in the C:\Program Files\Microsoft ISA Server folder, type adamsites.exe /?, and then press Enter.

b. At the command prompt, type adamsites.exe sites, and then press Enter.

c. At the command prompt, type adamsites.exe sitelinks, and then press Enter.

d. Close the Command Prompt window.

13. Examine the protocol definitions related to CSS:

- MS Firewall Storage

- MS Firewall Storage Replication

- MS Firewall Storage Server

a. In the ISA Server console, in the left pane, select Firewall Policy (ITALY).

b. In the task pane, on the Toolbox tab, in the Protocols section, expand All Protocols.

c. In the list of protocols, right-click MS Firewall Storage, and then click Properties.

d. In the MS Firewall Storage Properties dialog box, select the Parameters tab.

e. Click Cancel to close the MS Firewall Storage Properties dialog box.


Module H: Configuring Load Balancing

Exercise 1: Configuring Network Load Balancing (NLB)

In this exercise, you will configure ISA Server to use NLB for load balanced and fault tolerant outbound and inbound access.

Tasks Detailed steps

Perform the following steps on the Florence computer.

1. On the Florence computer, examine the current configuration of the Internal Connection network adapter, before NLB is enabled.

a. On the Florence computer, on the Start menu, click Control Panel, click Network Connections, right-click Internal Connection, and then click Properties.

b. Click Cancel to close the Internal Connection Properties dialog box.

2. In the ISA Server console, enable NLB integration, and enable NLB on the Internal network. Primary Virtual IP address: 10.1.1.3

Subnet mask: 255.255.255.0

a. On the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.

b. In the ISA Server console, expand Arrays, expand ITALY, expand Configuration, and then in the left pane, select Networks.

c. In the right pane, select the Networks tab.

d. In the task pane, on the Tasks tab, click Enable Network Load Balancing Integration.

e. In the Network Load Balancing Wizard dialog box, click Next.

f. On the Select Load Balanced Networks page, select Internal, and then click Set Virtual IP.

g. In the Set Virtual IP Addresses dialog box, complete the following information:

Primary VIP: 10.1.1.3

Subnet mask: 255.255.255.0 and then click OK.

h. On the Select Load Balanced Networks page, click Next.

i. On the Completing the Network Load Balancing Integration Wizard page, click Finish.

j. Click OK to close the message box.

k. In the left pane, right-click ITALY, and then click Properties.

l. In the ITALY Properties dialog box, select the Configuration Storage tab.

m. Click Cancel to close the ITALY Properties dialog box.

3. Examine the NLB and CARP configuration on the Internal network.

a. In the left pane, select Networks, and in the right pane, on the Networks tab, right-click Internal, and then click Properties.

b. In the Internal Properties dialog box, select the NLB tab.

c. Select the CARP tab, and ensure that CARP is NOT enabled on this network.

d. Click OK to close the Internal Properties dialog box.

4. Examine the status of the Network Load Balancing service on the Monitoring/Services tab.

a. In the left pane, select Monitoring, and then in the right pane, select the Services tab.

b. Do NOT click Apply yet to save the changes.

5. Start the Array Status Monitor to quickly see the current CSS status and NLB status. File: C:\Tools\Status\ArrayStatus.hta

a. Use Windows Explorer (or My Computer) to open the C:\Tools\Status folder.

b. In the Status folder, right-click ArrayStatus.hta, and then click Open.

c. Close the Status folder.

6. Apply the changes and restart the Firewall service.

a. In the ISA Server console, click Apply to save the changes.

b. In the ISA Server Warning dialog box, CHANGE the current selection, and select Save the changes and restart the services, and then click OK.

c. Click OK to close the Saving Configuration Changes dialog box.

d. Use the Array Status Monitor to wait until the CSS status is Synced, and the NLB status is Running. This may take 5 to 10 minutes.

7. Examine the NLB host IDs, and the network used for intra-array communication.

a. In the left pane, select Servers.

b. In the right pane, right-click Florence, and then click Properties.

c. In the Florence Properties dialog box, select the Communication tab.

d. Click Cancel to close the Florence Properties dialog box.

8. Delete all existing Web publishing rules and Server publishing rules.

a. In the left pane, select Firewall Policy (ITALY).

b. In the right pane, in the Firewall Policy Rules list, for each Server publishing rule, right-click the rule, click Delete, and then click OK to confirm that you want to delete the rule.

c. For each Web publishing rule, right-click the rule, click Delete, and then click OK to confirm that you want to delete the rule.

9. Create a new access rule. Name: Allow Web access (NLB)

Applies to: HTTP

From network: Internal

To network: External

a. In the right pane, select the first rule in the Firewall Policy Rules list, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.

b. In the task pane, on the Tasks tab, click Create Access Rule.

c. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow Web access (NLB), and then click Next.

d. On the Rule Action page, select Allow, and then click Next.

e. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.

f. In the Add Protocols dialog box, click Common Protocols, click HTTP, and click Add, and then click Close to close the Add Protocols dialog box.

g. On the Protocols page, click Next.

h. On the Access Rule Sources page, click Add.

i. In the Add Network Entities dialog box, click Networks, click Internal, click Add, and then click Close to close the Add Network Entities dialog box.

j. On the Access Rule Sources page, click Next.


k. On the Access Rule Destinations page, click Add.

l. In the Add Network Entities dialog box, click Networks, click External, click Add, and then click Close to close the Add Network Entities dialog box.

m. On the Access Rule Destinations page, click Next.

n. On the User Sets page, click Next.

o. On the Completing the New Access Rule Wizard page, click Finish.

10. After NLB integration is fully enabled, apply the changes.

a. Before you apply the new rule, ensure that NLB integration is fully enabled on the ISA Server array. Wait until the CSS status is Synced, and the NLB status is Running.

b. Click Apply to apply the new rule, and then click OK. Wait until the CSS status is Synced, and the NLB status is Running.

Perform the following steps on the Denver computer.

11. On the Denver computer, connect to http://istanbul.fabrikam.com/web.asp. Use proxy server address 10.1.1.1:8080 first, and then 10.1.1.3:8080.

a. On the Denver computer, open Internet Explorer. In the Address box, type http://istanbul.fabrikam.com/web.asp, and then press Enter.

b. On the Tools menu, click Internet Options.

c. In the Internet Options dialog box, on the Connections tab, click LAN Settings.

d. In the Local Area Network (LAN) Settings dialog box, complete the following information:

Use a proxy server for your LAN: enable

Address: 10.1.1.3

Port: 8080

Bypass proxy server for local addresses: enable and then click OK.

e. Click OK to close the Internet Options dialog box.

f. On the toolbar, click the Refresh button.

g. Close Internet Explorer.

Perform the following steps on the Firenze computer.

12. On the Firenze computer, stop, wait 10 seconds, and start the Microsoft Firewall service.

a. On the Firenze computer, in a Command Prompt window, type net stop fwsrv, and then press Enter.

b. Wait 10 seconds, and then type net start fwsrv, and press Enter.

c. Close the Command Prompt window.

Perform the following steps on the Florence computer.

13. On the Florence computer, enable NLB on the External network. Primary Virtual IP address: 39.1.1.3

Subnet mask: 255.255.255.0

a. On the Florence computer, in the ISA Server console, in the left pane, select Networks.

b. In the task pane, on the Tasks tab, click Configure Load Balanced Networks.

c. In the Network Load Balancing Wizard dialog box, click Next.

d. On the Select Load Balanced Networks page, select External, and then click Set Virtual IP.

e. In the Set Virtual IP Addresses dialog box, complete the following information:

Primary VIP: 39.1.1.3

Subnet mask: 255.255.255.0 and then click OK.

f. On the Select Load Balanced Networks page, click Next.

g. On the Completing the Load Balanced Networks Wizard page, click Finish.


h. Click Apply to apply the changes, and then click OK. Wait until the CSS status is Synced, and the NLB status is Running.

14. Refresh the ISA Server console, so that the new virtual IP address is shown in the user interface.

a. In the left pane, right-click Firewall Policy (ITALY), and then click Refresh.

15. Create a new Web listener. Name: External Web 80 NLB

SSL: disable

Network: External - 39.1.1.3

Compression: disable

Authentication: none

a. In the left pane, select Firewall Policy (ITALY).

b. In the task pane, on the Toolbox tab, in the Network Objects section, right-click Web Listeners, and then click New Web Listener.

c. In the New Web Listener Definition Wizard dialog box, in the Web listener name text box, type External Web 80 NLB, and then click Next.

d. On the Client Connection Security page, select Do not require SSL secured connections with clients, and then click Next.

e. On the Web Listener IP Addresses page, select the External check box, and then click Select IP Addresses.

f. In the External Network Listener IP Selection dialog box, select the Specified IP addresses option, and then in the Available IP Addresses list, select 39.1.1.3, and click Add.

g. Click OK to close the External Network Listener IP Selection dialog box.

h. On the Web Listener IP Addresses page, clear ISA Server will compress content, and then click Next.

i. On the Authentication Settings page, in the drop-down list box, select No Authentication, and then click Next.

j. On the Single Sign On Settings page, click Next.

k. On the Completing the New Web Listener Wizard page, click Finish.

16. Create a Web publishing rule. Name: Web Home Page NLB

Publishing type: single Web site

Internal site name: denver.contoso.com

Public name: shop.contoso.com

Web listener: External Web 80 NLB

Delegation: none

a. In the right pane, select the first rule in the Firewall Policy Rules list to indicate where the new rule is added to the rule list.

b. In the task pane, on the Tasks tab, click Publish Web Sites.

c. In the New Web Publishing Rule Wizard dialog box, in the Web publishing rule name text box, type Web Home Page NLB, and then click Next.

d. On the Select Rule Action page, select Allow, and then click Next.

e. On the Publishing Type page, select Publish a single Web site, and then click Next.

f. On the Server Connection Security page, select Use non-secured connections to connect to the published Web server, and then click Next.

g. On the Internal Publishing Details page, complete the following information:

Internal site name: denver.contoso.com

Use a computer name or IP address: disable (is default) and then click Next.

h. On the next Internal Publishing Details page, complete the following information:

Path: (leave empty)

Forward the original host header: disable (is default) and then click Next.

i. On the Public Name Details page, complete the following information:

Accept requests for: This domain name (type below):

Public name: shop.contoso.com

Path: (leave empty) and then click Next.

j. On the Select Web Listener page, in the Web listener drop-down list box, select External Web 80 NLB, and then click Next.

k. On the Authentication Delegation page, select No delegation, and client cannot authenticate directly, and then click Next.

l. On the User Sets page, click Next.

m. On the Completing the New Web Publishing Rule Wizard page, click Finish.

n. Click Apply to apply the new rule, and then click OK. Wait until the CSS status is Synced, and the NLB status is Running.

Perform the following steps on the Istanbul computer.

17. On the Istanbul computer, verify the IP address of shop.contoso.com, and then connect to http://shop.contoso.com/web.asp

a. On the Istanbul computer, open a Command Prompt window.

b. At the command prompt, type ping shop.contoso.com, and then press Enter.

c. Open Internet Explorer. In the Address box, type http://shop.contoso.com/web.asp, and then press Enter.

d. Close Internet Explorer.

Exercise 2: Examining Details on NLB

In this exercise, you will examine details on how ISA Server configures and controls the NLB driver to provide load balancing functionality for array members. You will also perform the steps needed to disable NLB integration on an array.

Tasks Detailed steps

Perform the following steps on the Florence computer.

1. On the Florence computer, use the nlb query command to see the current convergence state of the NLB cluster.

a. On the Florence computer, in a Command Prompt window, type nlb query, and then press Enter.

2. Use the nlb queryport command to see the number of accepted and dropped network packets.

a. At the command prompt, type nlb queryport 8080, and then press Enter.

Perform the following steps on the Firenze computer.

3. On the Firenze computer, use the nlb queryport command to see the number of accepted and dropped network packets.

a. On the Firenze computer, open a Command Prompt window.

b. At the command prompt, type nlb queryport 8080, and then press Enter.

c. Close the Command Prompt window.

Perform the following steps on the Florence computer.

4. On the Florence computer, examine the configuration of the Internal Connection network adapter.

a. On the Florence computer, on the Start menu, click Control Panel, click Network Connections, right-click Internal Connection, and then click Properties.

b. In the Internal Connection Properties dialog box, select Network Load Balancing (do NOT clear the check box), and then click Properties.

c. Select the Host Parameters tab.

d. Select the Port Rules tab.

e. Click CANCEL to close the Network Load Balancing Properties dialog box.

f. Click Cancel to close the Internal Connection Properties dialog box.

g. In a Command Prompt window, type ipconfig /all, and then press Enter.

Perform the following steps on the Firenze computer.

5. On the Firenze computer, examine the configuration of the Internal Connection network adapter.

a. On the Firenze computer, open a Command Prompt window.

b. At the command prompt, type ipconfig /all, and then press Enter.

c. Close the Command Prompt window.

Perform the following steps on the Florence computer.

6. On the Florence computer, create a new access rule. Name: Allow Ping to firewall

Applies to: PING

From network: Internal

To network: Local Host

a. On the Florence computer, in the ISA Server console, in left pane, select Firewall Policy.

b. In the right pane, select the first rule in the Firewall Policy Rules list, to indicate where the new rule is added to the rule list.

c. In the task pane, on the Tasks tab, click Create Access Rule.

d. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow Ping to firewall, and then click Next.

e. On the Rule Action page, select Allow, and then click Next.

f. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.

g. In the Add Protocols dialog box, click Common Protocols, click PING, and click Add, and then click Close to close the Add Protocols dialog box.

h. On the Protocols page, click Next.

i. On the Access Rule Sources page, click Add.

j. In the Add Network Entities dialog box, click Networks, click Internal, click Add, and then click Close to close the Add Network Entities dialog box.

k. On the Access Rule Sources page, click Next.

l. On the Access Rule Destinations page, click Add.

m. In the Add Network Entities dialog box, click Networks, click Local Host, click Add, and then click Close to close the Add Network Entities dialog box.

n. On the Access Rule Destinations page, click Next.

o. On the User Sets page, click Next.

p. On the Completing the New Access Rule Wizard page, click Finish.


q. Click Apply to apply the new rule, and then click OK. Wait until the CSS status is Synced, and the NLB status is Running.

Perform the following steps on the Denver computer.

7. On the Denver computer, examine the MAC addresses used by 10.1.1.1, 10.1.1.2, and 10.1.1.3.

a. On the Denver computer, open a Command Prompt window.

b. At the command prompt, type ping 10.1.1.1, and then press Enter.

c. Type ping 10.1.1.2, and then press Enter.

d. Type ping 10.1.1.3, and then press Enter.

e. Type arp -a, and then press Enter.

f. Close the Command Prompt window.
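What step 7 lets you read off by eye, as an added example that is not part of the lab manual: a parser for the text that `arp -a` prints on Windows, plus a check that decodes Microsoft NLB cluster MACs. NLB embeds the cluster IP in the MAC (02-bf-w-x-y-z in unicast mode, 03-bf-w-x-y-z in multicast mode, for cluster IP w.x.y.z), so the table tells you both whether a cluster host is answering for the VIP and which NLB mode the array runs in. The ARP tables in the block are constructed; only the addresses (10.1.1.1 and 10.1.1.2 dedicated, 10.1.1.3 virtual) come from the lab, and the single-adapter layout of the Internal network is assumed.

```javascript
// Added example, not from the lab manual. Parses the text that Windows
// `arp -a` prints and decodes Microsoft NLB cluster MACs, which embed the
// cluster IP: 02-bf-w-x-y-z in unicast mode, 03-bf-w-x-y-z in multicast
// mode, for cluster IP w.x.y.z. The ARP tables below are constructed; the
// addresses are the lab's (10.1.1.1 and 10.1.1.2 dedicated, 10.1.1.3 virtual).

function parseArpTable(text) {
  const re = /^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)/i;
  const entries = [];
  for (const line of text.split(/\r?\n/)) {
    const m = re.exec(line);
    if (m) entries.push({ ip: m[1], mac: m[2].toLowerCase(), type: m[3].toLowerCase() });
  }
  return entries;
}

// Tells an ordinary NIC MAC from an NLB cluster MAC and recovers the cluster IP.
function classifyMac(mac) {
  const o = mac.split("-").map((h) => parseInt(h, 16));
  const ip = o.slice(2).join(".");
  if (o[0] === 0x02 && o[1] === 0xbf) return { kind: "nlb-unicast", clusterIp: ip };
  if (o[0] === 0x03 && o[1] === 0xbf) return { kind: "nlb-multicast", clusterIp: ip };
  return { kind: "host", clusterIp: null };
}

// What a client on the Internal network should see after pinging the VIP and
// the dedicated IPs (the ARP cache is only filled once something answers):
// - the VIP must answer with a cluster MAC that embeds the VIP itself;
// - in unicast mode NLB replaces the adapter's MAC, so the dedicated IPs on
//   that adapter answer with the same cluster MAC; in multicast mode they
//   keep their own NIC MAC.
function auditNlbArp(text, vip, dedicatedIps) {
  const byIp = new Map(parseArpTable(text).map((e) => [e.ip, e]));
  const problems = [];
  let mode = "unknown";
  const v = byIp.get(vip);
  if (!v) {
    problems.push(`${vip}: no ARP entry (ping it first)`);
  } else {
    const c = classifyMac(v.mac);
    if (c.kind === "host") problems.push(`${vip}: ordinary MAC ${v.mac}, no NLB host answers for the VIP`);
    else if (c.clusterIp !== vip) problems.push(`${vip}: cluster MAC ${v.mac} embeds ${c.clusterIp}`);
    else mode = c.kind === "nlb-unicast" ? "unicast" : "multicast";
  }
  for (const ip of dedicatedIps) {
    const e = byIp.get(ip);
    if (!e) { problems.push(`${ip}: no ARP entry (ping it first)`); continue; }
    if (mode === "unicast" && e.mac !== v.mac) problems.push(`${ip}: does not share the cluster MAC (${e.mac})`);
    if (mode === "multicast" && classifyMac(e.mac).kind !== "host") problems.push(`${ip}: dedicated IP uses cluster MAC ${e.mac}`);
  }
  return { mode, problems };
}

// Constructed samples: a healthy unicast cluster, a healthy multicast
// cluster, and a VIP answered by a plain NIC (NLB not running for it).
const ARP_HEADER = "\r\nInterface: 10.1.1.10 --- 0x10003\r\n  Internet Address      Physical Address      Type\r\n";
const ARP_UNICAST = ARP_HEADER +
  "  10.1.1.1              02-bf-0a-01-01-03     dynamic\r\n" +
  "  10.1.1.2              02-bf-0a-01-01-03     dynamic\r\n" +
  "  10.1.1.3              02-bf-0a-01-01-03     dynamic\r\n";
const ARP_MULTICAST = ARP_HEADER +
  "  10.1.1.1              00-0c-29-3a-4b-01     dynamic\r\n" +
  "  10.1.1.2              00-0c-29-3a-4b-02     dynamic\r\n" +
  "  10.1.1.3              03-bf-0a-01-01-03     dynamic\r\n";
const ARP_BROKEN = ARP_HEADER +
  "  10.1.1.1              00-0c-29-3a-4b-01     dynamic\r\n" +
  "  10.1.1.2              00-0c-29-3a-4b-02     dynamic\r\n" +
  "  10.1.1.3              00-0c-29-3a-4b-01     dynamic\r\n";
```

To use it against a live table, ping the three addresses as in step 7, capture `arp -a` to a file and pass its contents to auditNlbArp; a VIP that comes back with an ordinary NIC MAC means one host is answering on its own, not the cluster.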

8. Connect to http://istanbul.fabrikam.com/web.asp, first through proxy server 10.1.1.3:8080, and then, with the proxy disabled, through default gateway 10.1.1.1.

a. Open Internet Explorer. In the Address box, type http://istanbul.fabrikam.com/web.asp, and then press Enter.

b. On the Tools menu, click Internet Options.

c. In the Internet Options dialog box, on the Connections tab, click LAN Settings.

d. In the Local Area Network (LAN) Settings dialog box, complete the following information:

Use a proxy server for your LAN: disable and then click OK.

e. Click OK to close the Internet Options dialog box.

f. On the toolbar, click the Refresh button.

9. Change the default gateway from 10.1.1.1 to 10.1.1.3.

a. In a Command Prompt window, type ipconfig, and then press Enter.

b. On the Start menu, click Control Panel, click Network Connections, right-click Local Area Connection, and then click Properties.

c. In the Local Area Connection Properties dialog box, select Internet Protocol (TCP/IP) (do NOT clear the check box), and then click Properties.

d. In the Internet Protocol (TCP/IP) Properties dialog box, complete the following information:

Default gateway: 10.1.1.3 and then click OK.

e. Click Close to close the Local Area Connection Properties

dialog box.

f. In the Command Prompt window, type ipconfig, and then press Enter.

g. Close the Command Prompt window.

10. Connect to http://istanbul.fabrikam.com/reload.asp. Use default gateway: 10.1.1.3.

a. In Internet Explorer, in the Address box, type http://istanbul.fabrikam.com/reload.asp, and then press Enter.

b. Do not close Internet Explorer.

Perform the following steps on the Florence computer.

11. On the Florence computer, use the ISA Server console to stop the Microsoft Firewall service on Firenze.

a. On the Florence computer, in the ISA Server console, in the left pane, select Monitoring.

b. In the right pane, on the Services tab, select the Microsoft Firewall service for Firenze.

c. In the task pane, on the Tasks tab, click Stop Selected Service.


Perform the following steps on the Denver computer.

12. On the Denver computer, wait until reload.asp is refreshed through Florence.

a. On the Denver computer, in Internet Explorer, wait until reload.asp is refreshed through Florence (39.1.1.1), instead of Firenze (39.1.1.2).

Perform the following steps on the Florence computer.

13. On the Florence computer, use the ISA Server console to start the Microsoft Firewall service on Firenze.

a. On the Florence computer, in the ISA Server console, on the Services tab, select the Microsoft Firewall service for Firenze.

b. In the task pane, on the Tasks tab, click Start Selected Service.

c. Wait until the CSS status is Synced, and the NLB status is Running.

Perform the following steps on the Denver computer.

14. On the Denver computer, examine the continuing refresh of reload.asp. Close and reopen Internet Explorer, and connect to http://istanbul.fabrikam.com/reload.asp.

a. On the Denver computer, in Internet Explorer, notice that reload.asp continues to be refreshed through Florence (39.1.1.1).

b. Close Internet Explorer.

c. Open Internet Explorer again, and in the Address box, type http://istanbul.fabrikam.com/reload.asp.

d. Close Internet Explorer.

Perform the following steps on the Istanbul computer.

15. On the Istanbul computer, connect to http://shop.contoso.com/web.asp.

a. On the Istanbul computer, open Internet Explorer. In the Address box, type http://shop.contoso.com/web.asp, and then press Enter.

b. Do not close Internet Explorer.

Perform the following steps on the Florence computer.

16. On the Florence computer, change the Web Home Page NLB rule. Requests appear to come from: original client

a. On the Florence computer, in the ISA Server console, in the Firewall Policy Rules list, right-click Web Home Page NLB, and then click Properties.

b. In the Web Home Page NLB Properties dialog box, on the To tab, select Requests appear to come from the original client, and then click OK.

c. Click Apply to apply the new rule, and then click OK. Wait until the CSS status is Synced, and the NLB status is Running.

Perform the following steps on the Istanbul computer.

17. On the Istanbul computer, refresh the connection to http://shop.contoso.com/web.asp.

a. On the Istanbul computer, in Internet Explorer, on the toolbar, click the Refresh button.

b. Close Internet Explorer.

Perform the following steps on the Florence computer.

18. On the Florence computer, use the nlb params command and the C:\Tools\fwengmon /N command to examine the NLB bi-directional configuration.

a. On the Florence computer, in a Command Prompt window, type nlb params 39.1.1.3, and then press Enter.

b. At the command prompt, type nlb params 10.1.1.3, and then press Enter.

c. Type cd \tools, and then press Enter.

d. Type fwengmon /?, and then press Enter.

e. Type fwengmon /N, and then press Enter.

f. Type fwengmon /N > nlbrules.txt, and then press Enter.

g. Type notepad nlbrules.txt, and then press Enter.

h. In Notepad, on the Format menu, ensure that Word Wrap is disabled.

i. Maximize the nlbrules.txt - Notepad window, if that is not done already.

j. Close Notepad.

Perform the following steps on the Denver computer.

19. On the Denver computer, connect to http://istanbul.fabrikam.com/web.asp.

Use default gateway 10.1.1.3 (Do not use a proxy server)

a. On the Denver computer, open Internet Explorer.

b. On the Tools menu, click Internet Options.

c. In the Internet Options dialog box, on the Connections tab, click LAN Settings.

d. Ensure that Internet Explorer is not configured to use a proxy server.

e. Click OK to close the Local Area Network (LAN) Settings dialog box.

f. Click OK to close the Internet Options dialog box.

g. In the Address box, type http://istanbul.fabrikam.com/web.asp, and then press Enter.

20. Connect again to http://istanbul.fabrikam.com/web.asp.

Use a proxy server: 10.1.1.3:8080

a. On the Tools menu, click Internet Options.

b. In the Internet Options dialog box, on the Connections tab, click LAN Settings.

c. In the Local Area Network (LAN) Settings dialog box, complete the following information:

Use a proxy server for your LAN: enable

Address: 10.1.1.3

Port: 8080

Bypass proxy server for local addresses: enable and then click OK.

d. Click OK to close the Internet Options dialog box.

e. On the toolbar, click the Refresh button.

Perform the following steps on the Florence computer.

21. On the Florence computer, examine the warning message when attempting to disable NLB integration.

a. On the Florence computer, in the ISA Server console, in the left pane, select Networks, and in the right pane, select the Networks tab.

b. In the task pane, on the Tasks tab, click Disable Network Load Balancing Integration.

c. Click CANCEL to indicate that you do NOT yet want to disable NLB integration.

22. Delete the firewall policy rules and rule elements that use the virtual IP addresses. Firewall policy rule: Web Home Page NLB; Web listener: External Web 80 NLB (Step 1)

a. In the left pane, select Firewall Policy (ITALY).

b. In the right pane, in the Firewall Policy Rules list, right-click Web Home Page NLB, and then click Delete.

c. Click Yes to confirm that you want to delete the Web Home Page NLB rule.

d. In the task pane, on the Toolbox tab, in the Network Objects section, under Web Listeners, right-click External Web 80 NLB, and then click Delete.

e. Click Yes to confirm that you want to delete the External Web 80 NLB Web listener.

23. Disable NLB on all networks. Networks: Internal, External (Step 2)

a. In the left pane, select Networks, and in the right pane, select the Networks tab.

b. In the task pane, on the Tasks tab, click Configure Load Balanced Networks.

c. In the Network Load Balancing Wizard dialog box, click Next.

d. On the Select Load Balanced Networks page, clear the check boxes of all networks, and then click Next.

e. On the Completing the Load Balanced Networks Wizard page, click Finish.

24. Apply the changes. (Step 3)

a. Click Apply to save the changes, and then click OK. Wait until the CSS status is Synced, and the NLB status is Not configured.

25. Use nlb query, and ipconfig /all to examine the network configuration.

a. In a Command Prompt window, type nlb query, and then press Enter.

b. At the command prompt, type ipconfig /all, and then press Enter.

c. Close the Command Prompt window.

26. Disable NLB integration. Apply the changes and restart the Firewall service. (Step 4)

a. In the ISA Server console, in the left pane, select Networks, and in the right pane, select the Networks tab.

b. In the task pane, on the Tasks tab, click Disable Network Load Balancing Integration.

c. Click OK to confirm that you want to disable NLB integration.

d. In the left pane, select Monitoring, and in the right pane, select the Services tab.

e. Click Apply to save the changes.

f. In the ISA Server Warning dialog box, CHANGE the current selection, and select Save the changes and restart the services, and then click OK.

g. Click OK to close the Saving Configuration Changes dialog box.

h. Wait until the CSS status is Synced.

Perform the following steps on the Denver computer.

27. On the Denver computer, configure Internet Explorer to use proxy server 10.1.1.1:8080, and

change the default gateway to 10.1.1.1.

a. On the Denver computer, in Internet Explorer, on the Tools menu, click Internet Options.

b. In the Internet Options dialog box, on the Connections tab, click LAN Settings.

c. In the Local Area Network (LAN) Settings dialog box, complete the following information:

Use a proxy server for your LAN: enable

Address: 10.1.1.1

Port: 8080

Bypass proxy server for local addresses: enable and then click OK.

d. Click OK to close the Internet Options dialog box.

e. Close Internet Explorer.

f. On the Start menu, click Control Panel, click Network Connections, right-click Local Area Connection, and then click Properties.

g. In the Local Area Connection Properties dialog box, select Internet Protocol (TCP/IP) (do NOT clear the check box), and then click Properties.

h. In the Internet Protocol (TCP/IP) Properties dialog box, complete the following information:

Default gateway: 10.1.1.1 and then click OK.

i. Click Close to close the Local Area Connection Properties dialog box.

Exercise 3: Using CARP to Distribute Cache Content

In this exercise, you will configure ISA Server to use Cache Array Routing Protocol (CARP). When you enable CARP, the cache drives on all servers are treated as a single logical cache drive. You will also explore the CARP algorithm in the automatic configuration script that is used by Internet Explorer.

Tasks Detailed steps

Perform the following steps on the Florence computer.

1. On the Florence computer, verify that ISA Server listens for Web Proxy client requests on the Internal network.

a. On the Florence computer, in the ISA Server console, in the left pane, select Networks.

b. In the right pane, on the Networks tab, right-click Internal, and then click Properties.

c. In the Internal Properties dialog box, on the Web Proxy tab,

ensure that Enable Web Proxy client connections on this network is enabled, and that HTTP port is 8080.

d. Select the CARP tab. (Do NOT enable CARP).

e. Click OK to close the Internal Properties dialog box.

2. Create a new access rule. Name: Allow Web access (CARP); Applies to: HTTP; From network: Internal; To network: External

a. In the left pane, select Firewall Policy (ITALY).

b. In the right pane, select the first rule in the Firewall Policy Rules list, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.

c. In the task pane, on the Tasks tab, click Create Access Rule.

d. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow Web access (CARP), and then click Next.

e. On the Rule Action page, select Allow, and then click Next.

f. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.

g. In the Add Protocols dialog box, click Common Protocols, click HTTP, click Add, and then click Close to close the Add Protocols dialog box.

h. On the Protocols page, click Next.

i. On the Access Rule Sources page, click Add.

j. In the Add Network Entities dialog box, click Networks, click Internal, click Add, and then click Close to close the Add Network Entities dialog box.

k. On the Access Rule Sources page, click Next.

l. On the Access Rule Destinations page, click Add.

m. In the Add Network Entities dialog box, click Networks, click External, click Add, and then click Close to close the Add Network Entities dialog box.

n. On the Access Rule Destinations page, click Next.

o. On the User Sets page, click Next.

p. On the Completing the New Access Rule Wizard page, click Finish.

q. Click Apply to apply the new rule, and then click OK. Wait until the CSS status is Synced.

Perform the following steps on the Denver computer.

3. On the Denver computer, connect to http://istanbul.fabrikam.com/web.asp, first through proxy server 10.1.1.1:8080 and then through proxy server 10.1.1.2:8080.

a. On the Denver computer, open Internet Explorer. In the Address box, type http://istanbul.fabrikam.com/web.asp, and then press Enter.

b. On the Tools menu, click Internet Options.

c. In the Internet Options dialog box, on the Connections tab, click LAN Settings.

d. In the Local Area Network (LAN) Settings dialog box, complete the following information:

Use a proxy server for your LAN: enable

Address: 10.1.1.2

Port: 8080

Bypass proxy server for local addresses: enable and then click OK.

e. Click OK to close the Internet Options dialog box.

f. On the toolbar, click the Refresh button.

Perform the following steps on the Florence computer.

4. On the Florence computer, enable caching and configure cache settings and cache rules. (Step 1)

a. On the Florence computer, in the ISA Server console, in the left pane, select Cache.

b. In the right pane, on the Cache Drives tab, select Florence.

c. In the task pane, on the Tasks tab, click Define Cache Drives (Enable Caching).

d. Click Cancel to close the Florence Properties dialog box.

e. Select the Cache Rules tab.

f. In the task pane, on the Tasks tab, click Configure Cache Settings.

g. In the Cache Settings dialog box, select the Advanced tab.

h. Click Cancel to close the Cache Settings dialog box.

i. In the right pane, right-click Default rule, and then click Properties.

j. Click Cancel to close the Default rule Properties dialog box.

5. Create a new domain name set for CARP exceptions. Name: CARP Exception Web Sites; Domain: download.contoso.com

a. In the left pane, select Firewall Policy (ITALY).

b. In the task pane, on the Toolbox tab, in the Network Objects section, right-click Domain Name Sets, and then click New Domain Name Set.

c. In the New Domain Name Set Policy Element dialog box, in the Name text box, type CARP Exception Web Sites, and then click Add.

d. In the New Domain text box, replace the text by typing download.contoso.com, and then press Enter.

e. Click OK to close the New Domain Name Set Policy Element dialog box.

6. Enable CARP on the Internal network, and add the new domain name set as CARP exceptions. (Step 2)

a. In the left pane, select Networks.

b. In the right pane, on the Networks tab, right-click Internal, and then click Properties.

c. In the Internal Properties dialog box, on the CARP tab, select Enable CARP on this network.

d. In the CARP Exceptions box, click Add.

e. In the Add Domain Name Sets dialog box, click CARP Exception Web Sites, click Add, and then click Close to close the Add Domain Name Sets dialog box.

f. Select the NLB tab.

g. Click OK to close the Internal Properties dialog box.

7. Configure a CARP load factor for each array member. (Step 3)

a. In the left pane, select Servers.

b. In the right pane, right-click Florence, and then click Properties.

c. In the Florence Properties dialog box, select the CARP tab.

8. Configure the network used for intra-array communication (Perimeter) to listen for Web Proxy client requests. (Step 4)

a. In the Florence Properties dialog box, select the Communication tab.

b. Click Cancel to close the Florence Properties dialog box.

c. In the left pane, select Networks.

d. In the right pane, on the Networks tab, right-click Perimeter, and then click Properties.

e. In the Perimeter Properties dialog box, on the Web Proxy tab, complete the following information:

Enable Web Proxy clients: enable

Enable HTTP: enable (is default)

HTTP port: 8080 (is default)

Enable SSL: disable (is default) and then click OK.

9. Apply the changes. a. Click Apply to apply the changes, and then click OK. Wait until the CSS status is Synced.

Perform the following steps on the Denver computer.

10. On the Denver computer, refresh the Web page http://istanbul.fabrikam.com/web.asp

Use proxy server address: 10.1.1.2:8080

a. On the Denver computer, in Internet Explorer, on the toolbar, click the Refresh button.

Perform the following steps on the Florence computer.

11. On the Florence computer, examine the URL of the CARP calculation script.

a. On the Florence computer, in the ISA Server console, in the left pane, select Networks.

b. In the right pane, on the Networks tab, right-click Internal, and then click Properties.

c. In the Internal Properties dialog box, select the Firewall Client tab.

d. Select the Web Browser tab.

e. Click Cancel to close the Internal Properties dialog box.


Perform the following steps on the Denver computer.

12. On the Denver computer, configure Internet Explorer to use an automatic configuration script. Address: http://10.1.1.1:8080/array.dll?Get.Routing.Script

a. On the Denver computer, in Internet Explorer, on the Tools menu, click Internet Options.

b. In the Internet Options dialog box, on the Connections tab, click LAN Settings.

c. In the Local Area Network (LAN) Settings dialog box, in the Automatic configuration box, complete the following information:

Use automatic configuration script: enable

Address: http://10.1.1.1:8080/array.dll?Get.Routing.Script and then click OK.

d. Click OK to close the Internet Options dialog box.

13. Refresh the Web page http://istanbul.fabrikam.com/web.asp and connect to http://ankara.fabrikam.com/web.asp

Use configuration script.

a. On the toolbar, click the Refresh button.

b. In the Address box, type http://ankara.fabrikam.com/web.asp, and then press Enter.

c. Close Internet Explorer.

14. Use Internet Explorer to save a copy of the configuration script to C:\Tools\array.Script.txt

a. Open Internet Explorer. In the Address box, type http://10.1.1.1:8080/array.dll?Get.Routing.Script, and then press Enter.

b. In the File Download dialog box, click Save.

c. In the Save As dialog box, browse to the C:\Tools folder, and then in the File name text box, type array.Script.txt, and click Save.

15. Examine the contents of C:\Tools\array.Script.txt in Notepad.

a. Use Windows Explorer (or My Computer) to open the C:\Tools folder.

b. In the Tools folder, right-click array.Script.txt, and then click Open.

c. Scroll to the end of the script.

d. Close Notepad.

e. Close the Tools folder.

16. Use C:\Tools\carpdemo.js to calculate the selected proxy server for: istanbul.fabrikam.com/web.asp, istanbul.fabrikam.com/<yourname>, ankara.fabrikam.com, and izmir

a. Open a Command Prompt window.

b. At the command prompt, type cd \tools, and then press Enter.

c. Type dir, and then press Enter.

d. Type carpdemo istanbul.fabrikam.com/web.asp, and then press Enter.

e. Click OK. Type carpdemo istanbul.fabrikam.com/yourname (replace yourname by your own name), and then press Enter.

f. Click OK. Type carpdemo ankara.fabrikam.com, and then press Enter.

g. Click OK. Type carpdemo izmir, and then press Enter.

h. Click OK to close the CARP Routing Script demo message box.

i. Close the Command Prompt window.
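The selection that carpdemo.js performs in step 16, as an added example that is neither part of the lab manual nor ISA Server's own array.dll script: a CARP-style hash router modelled on the CARP v1 Internet-Draft. The rotate amounts, the constant 0x62531CE9 and the load-factor formula follow that draft as recalled here and should be treated as an assumption, as should the choice of hashing the host name rather than the full URL; the script you saved in step 14 is the authority for what ISA Server 2006 actually does. The member names florence and firenze are the lab's array ITALY; milano, the load factors, the exception set and the sample URLs are constructed for the example.

```javascript
// Added example; not code from the lab manual or from ISA Server's array.dll
// script. CARP-style hash routing modelled on the CARP v1 Internet-Draft: the
// rotate amounts (19, 21), the constant 0x62531CE9 and the load-factor formula
// follow that draft as recalled here and are an assumption, as is hashing the
// host instead of the whole URL (an option below). Member "milano", the load
// factors, the exception set and the sample URLs are constructed.

function rotl32(x, n) {
  return ((x << n) | (x >>> (32 - n))) >>> 0;
}

// 32-bit string hash used for URLs and member names.
function hashString(s) {
  let h = 0;
  for (let i = 0; i < s.length; i++) h = (h + rotl32(h, 19) + s.charCodeAt(i)) >>> 0;
  return h;
}

// Multiply-and-rotate mixing step, applied to member hashes and to the
// URL/member combination so that similar inputs do not score alike.
function scramble(x) {
  return rotl32((x + Math.imul(x, 0x62531ce9)) >>> 0, 21);
}

function hashMember(name) { return scramble(hashString(name.toLowerCase())); }

// Score of one member for one request. Members are scored independently,
// so when a member leaves only the URLs it owned get remapped.
function combineHash(urlHash, memberHash) {
  return scramble((urlHash ^ memberHash) >>> 0);
}

// Turns load factors (ISA default: 100 per member) into score multipliers
// so that a member with twice the load factor wins about twice the URLs.
function loadMultipliers(members) {
  const total = members.reduce((s, m) => s + m.loadFactor, 0);
  const sorted = members.map((m) => ({ name: m.name, p: m.loadFactor / total }))
    .sort((a, b) => a.p - b.p);
  const K = sorted.length;
  const x = [];
  let product = 1;
  for (let k = 1; k <= K; k++) {
    let xk = k === 1
      ? Math.pow(K * sorted[0].p, 1 / K)
      : ((K - k + 1) * (sorted[k - 1].p - sorted[k - 2].p)) / product;
    if (k > 1) xk = Math.pow(xk + Math.pow(x[k - 2], K - k + 1), 1 / (K - k + 1));
    x.push(xk);
    product *= xk;
  }
  return Object.fromEntries(sorted.map((m, i) => [m.name, x[i]]));
}

function hostOf(url) {
  return url.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "").split(/[/:?#]/)[0].toLowerCase();
}

// Domain name set match (entries lowercase); "*.x" covers x and its subdomains.
function inDomainSet(host, set) {
  return set.some((d) => d.startsWith("*.")
    ? host === d.slice(2) || host.endsWith(d.slice(1))
    : host === d);
}

// Member that should serve `url`, or null when the host is a CARP exception
// (the request then goes to whichever proxy the client is configured for).
function selectProxy(url, members, options) {
  const opts = Object.assign({ key: "host", exceptions: [] }, options);
  const host = hostOf(url);
  if (inDomainSet(host, opts.exceptions)) return null;
  const urlHash = hashString(opts.key === "host" ? host : url);
  const mult = loadMultipliers(members);
  let best = { name: null, score: -1 };
  for (const m of members) {
    const score = combineHash(urlHash, hashMember(m.name)) * mult[m.name];
    if (score > best.score) best = { name: m.name, score };
  }
  return best.name;
}

// URLs that change member when `members` shrinks to `remaining`, not counting
// URLs owned by the member that left. With equal load factors this is 0.
function unexpectedMoves(urls, members, remaining, options) {
  const keep = new Set(remaining.map((m) => m.name));
  let moved = 0;
  for (const u of urls) {
    const before = selectProxy(u, members, options);
    if (keep.has(before) && selectProxy(u, remaining, options) !== before) moved++;
  }
  return moved;
}

const ITALY = [{ name: "florence", loadFactor: 100 }, { name: "firenze", loadFactor: 100 }];
const CARP_EXCEPTIONS = ["download.contoso.com"];
// The inputs from step 16, routed with host-based hashing.
function labDemo() {
  const opts = { key: "host", exceptions: CARP_EXCEPTIONS };
  return {
    web: selectProxy("istanbul.fabrikam.com/web.asp", ITALY, opts),
    named: selectProxy("istanbul.fabrikam.com/yourname", ITALY, opts),
    ankara: selectProxy("ankara.fabrikam.com", ITALY, opts),
    download: selectProxy("http://download.contoso.com/big.iso", ITALY, opts),
  };
}
```

The property worth checking is the one unexpectedMoves measures: when a member drops out of the array (as Firenze does when its Firewall service is stopped in Exercise 2), only the URLs that member owned move, so the other members' caches stay warm. Hosts in the CARP exception set, here download.contoso.com as created in step 5, are not hash-routed at all and go to the proxy the client is configured for.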

17. Configure Internet Explorer to use a proxy server: Address: 10.1.1.1:8080

a. In Internet Explorer, on the Tools menu, click Internet Options.

b. In the Internet Options dialog box, on the Connections tab, click LAN Settings.

c. In the Local Area Network (LAN) Settings dialog box, complete the following information:

Use automatic configuration script: disable

Use a proxy server for your LAN: enable

Address: 10.1.1.1

Port: 8080

Bypass proxy server for local addresses: enable and then click OK.

d. Click OK to close the Internet Options dialog box.

e. Close Internet Explorer.

Perform the following steps on the Florence computer.

18. On the Florence computer, disable CARP on the Internal network.

a. On the Florence computer, in the ISA Server console, in the left pane, select Networks.

b. In the right pane, on the Networks tab, right-click Internal, and then click Properties.

c. In the Internal Properties dialog box, on the CARP tab, CLEAR the Enable CARP on this network check box.

d. Click OK to close the Internal Properties dialog box.

e. Click Apply to save the changes, and then click OK. Wait until the CSS status is Synced.

Exercise 4: Using CARP and Scheduled Content Download Jobs

In this exercise, you will configure ISA Server to use CARP and a content download job to update cache content.

Tasks Detailed steps

Perform the following steps on the Florence computer.

1. On the Florence computer, examine the Microsoft ISA Server Job Scheduler service.

a. On the Florence computer, on the Start menu, click Administrative Tools, and then click Services.

b. In the Services console, select the Microsoft ISA Server Job Scheduler service (two services below Microsoft Firewall in the list)

c. Close the Services console.

2. Configure the Local Host network to listen for Web Proxy client requests.

a. In the ISA Server console, in the left pane, select Networks.

b. In the right pane, on the Networks tab, right-click Local Host, and then click Properties.

c. In the Local Host Properties dialog box, on the Web Proxy tab, complete the following information:

Enable Web Proxy clients: enable

Enable HTTP: enable (is default)

HTTP port: 8080 (is default)

Enable SSL: disable (is default) and then click OK.

3. Enable system policy rule 29 to allow HTTP from the Local Host network for content download jobs.

a. In the left pane, select Firewall Policy (ITALY).

b. In the task pane, on the Tasks tab, click Show System Policy Rules.

c. In the right pane, right-click system policy rule 29, and then click Properties.

d. Select the Users tab.

e. Click Cancel to close the system policy rule 29 dialog box.

f. Right-click system policy rule 29, and then click Edit System Policy.

g. In the System Policy Editor dialog box, in the Configuration Groups list, ensure that Scheduled Download Jobs is selected, and then select the Enable check box.

h. Click OK to close the System Policy Editor dialog box.

i. In the task pane, on the Tasks tab, click Hide System Policy Rules.

4. Apply the changes. a. Click Apply to save the changes, and then click OK. Wait until the CSS status is Synced.

5. Create a new content download job. Name: Fabrikam News Site; Download frequency: Daily at 7:00 AM; URL: http://istanbul.fabrikam.com/news.htm

a. In the left pane, select Cache, and then in the right pane, select the Content Download Jobs tab.

b. In the task pane, on the Tasks tab, click Schedule a Content Download Job.

c. In the New Content Download Job Wizard dialog box, in the Content Download Job name text box, type Fabrikam News Site, and then click Next.

d. On the Download Frequency page, select Daily, and then click Next.

e. On the Daily Frequency page, complete the following information:

Job start date: today's date (is default)

Job start time: 7:00 AM

Run the job one time every day: enable (is default) and then click Next.

f. On the Content Download page, in the Download content from this URL text box, type http://istanbul.fabrikam.com/news.htm and then click Next.

g. On the Content Caching page, click Next.

h. On the Completing the Scheduled Content Download Job Wizard page, click Finish.

6. Examine the configuration status of the array servers.

a. In the left pane, select Monitoring, and then in the right-pane, select the Configuration tab.

b. In the task pane, on the Tasks tab, click Refresh Now.

c. Wait until the configuration status is Synced.

7. Edit the log viewer filter (Log Record Type: Web Proxy Filter), and then start the log viewer.

a. Select the Logging tab.

b. In the task pane, on the Tasks tab, click Edit Filter.

c. In the Edit Filter dialog box, in the conditions list, select the existing Log Record Type condition.

d. In the Value list box, select Web Proxy Filter, and then click Update.

e. Click Start Query to close the Edit Filter dialog box.

8. Start the Fabrikam News Site content download job now.

a. In the left pane, select Cache, and in the right-pane select the Content Download Jobs tab.

b. In the right pane, select the Fabrikam News Site job.

c. Scroll the contents of the right pane to the right, so that you can see the Status column.

d. In the task pane, on the Tasks tab, click Start Selected Jobs Now.

e. After a few seconds, on the Tasks tab, click Refresh Now.

9. Stop the log viewer, and examine the Web Proxy log entries.

a. In the left pane, select Monitoring, and in the right pane select the Logging tab.

b. After a few seconds, in the task pane, on the Tasks tab, click Stop Query.

10. Enable CARP on the Local Host network.

a. In the left pane, select Networks.

b. In the right pane, on the Networks tab, right-click Local Host, and then click Properties.

c. In the Local Host Properties dialog box, on the CARP tab, select Enable CARP on this network.

d. Click OK to close the Local Host Properties dialog box.

e. Click Apply to save the changes, and then click OK. Wait until the CSS status is Synced.

Perform the following steps on the Denver computer.

11. On the Denver computer, use C:\Tools\carpdemo.js to calculate the selected proxy server for: istanbul.fabrikam.com/news.htm and ankara.fabrikam.com/economy.htm

a. On the Denver computer, in a Command Prompt window, in the C:\Tools folder, type carpdemo istanbul.fabrikam.com/news.htm, and then press Enter.

b. Click OK. Type carpdemo ankara.fabrikam.com/economy.htm, and then press Enter.

c. Close the Command Prompt window.

Perform the following steps on the Florence computer.

12. On the Florence computer, start the log viewer.

a. On the Florence computer, in the ISA Server console, in the left pane, select Monitoring, and in the right pane select the Logging tab.

b. In the task pane, on the Tasks tab, click Start Query.

13. Start the Fabrikam News Site content download job now.

a. In the left pane, select Cache, and in the right-pane select the Content Download Jobs tab.

b. In the right pane, select the Fabrikam News Site job.

c. In the task pane, on the Tasks tab, click Start Selected Jobs Now.

d. After a few seconds, on the Tasks tab, click Refresh Now.

14. Stop the log viewer, and examine the Web Proxy log entries.

a. In the left pane, select Monitoring, and in the right pane select the Logging tab.

b. After a few seconds, in the task pane, on the Tasks tab, click Stop Query.

15. Edit the log viewer filter: Log Record Type: Firewall or Web Proxy Filter

a. In the left pane, select Monitoring, and then in the right-pane, select the Logging tab.

b. In the task pane, on the Tasks tab, click Edit Filter.

c. In the Edit Filter dialog box, in the conditions list, select the existing Log Record Type condition.

d. In the Value list box, select Firewall or Web Proxy Filter, and then click Update.

e. Click Start Query to close the Edit Filter dialog box.


f. On the Tasks tab, click Stop Query.

16. Delete the Fabrikam News Site content download job.

a. In the left pane, select Cache.

b. In the right pane, on the Content Download Jobs tab, right-click the Fabrikam News Site job, and then click Delete.

c. Click Yes to confirm that you want to delete the Fabrikam News Site job.

d. Wait until the CSS status is Synced.

17. Disable Web Proxy clients and CARP on the Local Host network.

a. In the left pane, select Networks.

b. In the right pane, on the Networks tab, right-click Local Host, and then click Properties.

c. In the Local Host Properties dialog box, on the Web Proxy tab, CLEAR the Enable Web Proxy clients check box.

d. On the CARP tab, CLEAR the Enable CARP on this network check box.

e. Click OK to close the Local Host Properties dialog box.

18. Disable Web Proxy clients on the network used for intra-array communication (Perimeter).

a. On the Networks tab, right-click Perimeter, and then click Properties.

b. In the Perimeter Properties dialog box, on the Web Proxy tab, CLEAR the Enable Web Proxy clients check box.

c. Click OK to close the Perimeter Properties dialog box.

19. Disable system policy rule 29.

a. In the left pane, select Firewall Policy (ITALY).

b. In the task pane, on the Tasks tab, click Show System Policy Rules.

c. In the right pane, right-click system policy rule 29, and then click Edit System Policy.

d. In the System Policy Editor dialog box, in the Configuration Groups list, ensure that Scheduled Download Jobs is selected, and then CLEAR the Enable check box.

e. Click OK to close the System Policy Editor dialog box.

f. In the task pane, on the Tasks tab, click Hide System Policy Rules.

20. Apply the changes. a. Click Apply to save the changes, and then click OK. Wait until the CSS status is Synced.


Module I: Using Monitoring, Alerting and Logging

Exercise 1: Monitoring the ISA Server

In this exercise, you will explore the monitoring functions of ISA Server.

Tasks Detailed steps

Perform the following steps on the Paris computer.

1. On the Paris computer, examine the alert definition for the Service Shutdown event.

a. On the Paris computer, on the Start menu, click All Programs, click Microsoft ISA Server, and then click, ISA Server Management.

b. In the ISA Server console, in the left pane, expand Paris, and then select Monitoring.

c. In the right pane, select the Dashboard tab.

d. Select the Alerts tab.

e. In the task pane, on the Tasks tab, click Configure Alert Definitions.

f. In the Alert Properties dialog box, select the Service Shutdown line (do not clear the check box for Service Shutdown), and then click Edit.

g. In the Service Shutdown Properties dialog box, select the Events tab.

h. Select the Actions tab.

i. Click Cancel to close the Service Shutdown Properties dialog box.

j. Click Cancel to close the Alerts Properties dialog box.

2. Use the Services console to stop the Microsoft ISA Server Job Scheduler service to simulate an unexpected shutdown of the service.

a. On the Start menu, click Administrative Tools, and then click Services.

b. In the Services console, in the right pane, right-click Microsoft ISA Server Job Scheduler service, and then click Stop.

c. Close the Services console.

3. Examine how an alert shows up on the Alerts tab and on the Dashboard tab.

a. In the ISA Server console, on the Alerts tab, wait for 30 seconds for the new alert (Service Shutdown) to show up, or in the task pane, on the Tasks tab, click Refresh Now.

b. Select the Dashboard tab. Wait for 30 seconds, or in the task pane, on the Tasks tab, click Refresh Now.

4. Investigate the Service Shutdown alert, and resolve the issue by starting the Microsoft ISA Server Job Scheduler service on the Services tab.

a. On the Dashboard tab, click the heading of the Alerts summary box to return to the Alerts tab.

b. On the Alerts tab, select the Service Shutdown alert, and then expand the Service Shutdown alert.

c. Select the second Service Shutdown alert line.

d. In the task pane, on the Tasks tab, click Acknowledge Selected Alerts.

e. Select the Services tab, and then in the task pane, on the Tasks tab, click Refresh Now.

f. In the right pane, select Microsoft ISA Server Job Scheduler, and then in the task pane, on the Tasks tab, click Start Selected Service.

g. On the Alerts tab, select the second acknowledged Service Shutdown alert line.

h. In the task pane, on the Tasks tab, click Reset Selected Alerts.

i. Click Yes to confirm that you want to reset Service Shutdown.

5. Examine the intrusion detection options.

a. In the ISA Server console, in the left pane, expand Configuration, and then select General.

b. In the right pane, click Enable Intrusion Detection and DNS Attack Detection.

c. Click Cancel to close the dialog box.

6. Examine the performance monitoring options.

a. On the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Performance Monitor.

b. Close the ISA Server Performance Monitor console.

c. If a message box appears, click No to confirm that you do not want to save console settings to msisaprf.msc.

Exercise 2: Checking Connectivity from the ISA Server

In this exercise, you will explore the connectivity checking functions of ISA Server.

Tasks Detailed steps

Perform the following steps on the Paris computer.

1. On the Paris computer, create two new connectivity verifiers:

- Name: Istanbul (ping), Server: 39.1.1.7, Method: Ping

- Name: Istanbul (http), Server: 39.1.1.7, Method: HTTP "GET"

a. On the Paris computer, in the ISA Server console, in the left pane, select Monitoring.

b. In the right pane, select the Connectivity Verifiers tab.

c. In the task pane, on the Tasks tab, click Create New Connectivity Verifier.

d. In the New Connectivity Verifier Wizard dialog box, in the Connectivity Verifier name text box, type Istanbul (ping), and then click Next.

e. On the Connectivity Verification Details page, complete the following information:

Monitor connectivity to this server or URL: 39.1.1.7

Group type used to categorize: Web (Internet)

Verification method: Send a Ping request, and then click Next.

f. On the Completing the Connectivity Verifier Wizard page, click Finish.

g. In the task pane, on the Tasks tab, click Create New Connectivity Verifier.

h. In the New Connectivity Verifier Wizard dialog box, in the Connectivity Verifier name text box, type Istanbul (http), and then click Next.

i. On the Connectivity Verification Details page, complete the following information:

Monitor connectivity to this server or URL: 39.1.1.7

Group type used to categorize: Web (Internet)

Verification method: Send an HTTP "GET" request, and then click Next.

j. On the Completing the Connectivity Verifier Wizard page, click Finish.

k. If the Enable HTTP Connectivity Verification message box appears, click Yes to confirm that a system policy rule is enabled.

2. Examine the system policy rules used by the connectivity verifiers. The HTTP verifier depends on the system policy rule that allows HTTP requests from the ISA Server to the verified servers; this is the rule you enabled in step 1k, and it is not needed for the ping verifier.

a. In the left pane, select Firewall Policy.

b. In the task pane, on the Tasks tab, click Show System Policy Rules.

3. Apply changes to save and activate the new connectivity verifiers.

a. In the left pane, select Monitoring.

b. In the right pane, click Apply to save the new connectivity verifiers, and then click OK.

4. Wait for the successful check of the two connectivity verifiers for Istanbul.

a. On the Connectivity Verifiers tab, wait one minute, and then in the task pane, on the Tasks tab, click Refresh Now.

Perform the following steps on the Istanbul computer.

5. On the Istanbul computer, stop the Default Web Site to simulate a failure of the Web server.

a. On the Istanbul computer, on the Start menu, click Administrative Tools, and then click Internet Information Services (IIS) Manager.

b. In the IIS Manager console, expand ISTANBUL (local computer), expand Web Sites, right-click Default Web Site, and then click Stop.

Perform the following steps on the Paris computer.

6. On the Paris computer, wait for the failure state of the Istanbul (http) connectivity verifier.

a. On the Paris computer, on the Connectivity Verifiers tab, wait one minute, and then in the task pane, on the Tasks tab, click Refresh Now.

Perform the following steps on the Istanbul computer.

7. On the Istanbul computer, start the Default Web Site again.

a. On the Istanbul computer, in the IIS Manager console, right-click Default Web Site (Stopped), and then click Start.

b. Close the IIS Manager console.

Perform the following steps on the Paris computer.

8. On the Paris computer, wait for the success state of the Istanbul (http) connectivity verifier.

a. On the Paris computer, on the Connectivity Verifiers tab, wait one minute, and then in the task pane, on the Tasks tab, click Refresh Now.

9. Delete the two connectivity verifiers for Istanbul.

a. Right-click the Istanbul (http) connectivity verifier, and then click Delete.

b. Click Yes to confirm that you want to delete the connectivity verifier.

c. Right-click the Istanbul (ping) connectivity verifier, and then click Delete.

d. Click Yes to confirm that you want to delete the connectivity verifier.

e. Click Apply to save the changes, and then click OK.
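The following is an added example, not code from the lab manual or from ISA Server itself. It shows what the Istanbul (http) verifier from this exercise does on the wire: open a TCP connection to the server, send one HTTP GET, and decide success or failure from whether a status line arrives before the timeout. A throwaway local web server stands in for Istanbul's Default Web Site so the success, failure and recovery cycle of steps 4 to 8 can be reproduced offline. The 5 second timeout is an assumption; the treatment of any valid status line (including 404) as "server reachable" is a design choice of this example, not a statement about how ISA Server classifies responses. The ping verifier is not modelled because ICMP echo needs raw sockets.

```python
"""Added example (not ISA Server code): a minimal HTTP "GET" connectivity
verifier modelled on the one configured in Exercise 2, plus a local web
server standing in for Istanbul's Default Web Site."""
import http.server
import socket
import threading
import time
from dataclasses import dataclass

# Assumption: a 5 s response timeout, as shown in the verifier wizard.
DEFAULT_TIMEOUT = 5.0


@dataclass
class VerifierResult:
    name: str
    ok: bool
    detail: str
    elapsed_ms: int


def http_get_verify(name, host, port=80, path="/", timeout=DEFAULT_TIMEOUT):
    """Connect, send one GET, and classify the outcome.

    Design choice of this example: any well-formed HTTP status line received
    before the timeout means the server is up; the status code is reported
    in `detail` so a 404 or 500 is visible at a glance. Connection refused
    (web site stopped, as in step 5) or a timeout is a failure."""
    start = time.monotonic()

    def elapsed():
        return int((time.monotonic() - start) * 1000)

    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            request = (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
                       "User-Agent: lab-verifier\r\nConnection: close\r\n\r\n")
            s.sendall(request.encode("ascii"))
            data = b""
            while len(data) < 4096:          # drain a small response, then stop
                chunk = s.recv(1024)
                if not chunk:
                    break
                data += chunk
    except socket.timeout:
        return VerifierResult(name, False, "timeout", elapsed())
    except OSError as exc:
        return VerifierResult(name, False, f"connection error: {type(exc).__name__}", elapsed())
    status_line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = status_line.split()
    if len(parts) >= 2 and parts[0].startswith("HTTP/") and parts[1].isdigit():
        return VerifierResult(name, True, f"HTTP {parts[1]}", elapsed())
    return VerifierResult(name, False, "no valid HTTP status line", elapsed())


class _LabHandler(http.server.BaseHTTPRequestHandler):
    """Stand-in for the Default Web Site: '/' exists, everything else is 404."""

    def do_GET(self):
        found = self.path == "/"
        body = b"<html>Istanbul</html>" if found else b"Not found"
        self.send_response(200 if found else 404)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):      # keep the example quiet
        pass


def start_lab_web_server():
    """Bind 127.0.0.1 on a free port and serve in the background; returns (server, port)."""
    server = http.server.HTTPServer(("127.0.0.1", 0), _LabHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def stop_lab_web_server(server):
    """Equivalent of stopping the Default Web Site in IIS Manager (step 5)."""
    server.shutdown()
    server.server_close()


if __name__ == "__main__":
    server, port = start_lab_web_server()
    print(http_get_verify("Istanbul (http)", "127.0.0.1", port))        # ok, HTTP 200
    stop_lab_web_server(server)
    print(http_get_verify("Istanbul (http)", "127.0.0.1", port))        # connection refused
```

Run it as-is to see the verifier go from success to failure when the stand-in web site is stopped; point `http_get_verify` at a real host and port to check an actual server.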


Exercise 3: Logging Client Computer Access

In this exercise, you will explore the logging functions of ISA Server.

Tasks Detailed steps

Perform the following steps on the Paris computer.

1. On the Paris computer, find the location of the ISA Server log files.

a. On the Paris computer, in the ISA Server console, in the left pane, select Monitoring, and then select the Logging tab.

b. In the task pane, on the Tasks tab, click Configure Firewall Logging.

c. In the Firewall Logging Properties dialog box, on the Log tab, click Options.

d. Click Cancel to close the Options dialog box.

e. Click Cancel to close the Firewall Logging Properties dialog box.

2. Start a new online log query.

a. On the Logging tab, click Start Query.

3. Create a new access rule:

- Name: Allow Web access (logging test)

- Applies to: HTTP

- From network: Internal

- To network: External

a. In the ISA Server console, in the left pane, select Firewall Policy.

b. In the right pane, select the first rule, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.

c. In the task pane, on the Tasks tab, click Create Access Rule.

d. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow Web access (logging test), and then click Next.

e. On the Rule Action page, select Allow, and then click Next.

f. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.

g. In the Add Protocols dialog box, click Common Protocols, click HTTP, click Add, and then click Close to close the Add Protocols dialog box.

h. On the Protocols page, click Next.

i. On the Access Rule Sources page, click Add.

j. In the Add Network Entities dialog box, click Networks, click Internal, click Add, and then click Close to close the Add Network Entities dialog box.

k. On the Access Rule Sources page, click Next.

l. On the Access Rule Destinations page, click Add.

m. In the Add Network Entities dialog box, click Networks, click External, click Add, and then click Close to close the Add Network Entities dialog box.

n. On the Access Rule Destinations page, click Next.

o. On the User Sets page, click Next.

p. On the Completing the New Access Rule Wizard page, click Finish.

q. Click Apply to apply the new rule, and then click OK.

Perform the following steps on the Denver computer.

4. On the Denver computer, use Internet Explorer to connect to http://istanbul.fabrikam.com.

a. On the Denver computer, open Internet Explorer. In the Address box, type http://istanbul.fabrikam.com, and then press Enter.

Perform the following steps on the Paris computer.

5. On the Paris computer, create a filter definition for online mode logging:

- Filter by: Destination IP

- Condition: Equals

- Value: 39.1.1.7

a. On the Paris computer, in the ISA Server console, in the left pane, select Monitoring, and then select the Logging tab.

b. In the task pane, on the Tasks tab, click Edit Filter.

c. In the Edit Filter dialog box, complete the following information:

Filter by: Destination IP

Condition: Equals

Value: 39.1.1.7 and then click Add To List to add the filter definition.

d. Click Start Query to close the Edit Filter dialog box.

Perform the following steps on the Denver computer.

6. On the Denver computer, refresh the content of the Web page at http://istanbul.fabrikam.com twice:

- First press Ctrl-F5 (Ctrl-Refresh).

- Then press F5 (Refresh).

a. On the Denver computer, in Internet Explorer, ensure that the http://istanbul.fabrikam.com Web page is opened.

b. Hold the Ctrl-key, and click the Refresh button on the toolbar, to refresh the content of the Web page, regardless of any changes.

c. Wait a few seconds, and then click the Refresh button on the toolbar (without the Ctrl-key) to refresh the content of the Web page only if it has changed.

7. Attempt to open the non-existing Web page at http://istanbul.fabrikam.com/test.htm.

a. In Internet Explorer, in the Address box, type http://istanbul.fabrikam.com/test.htm, and then press Enter.

b. Close Internet Explorer.

Perform the following steps on the Paris computer.

8. On the Paris computer, view the online mode logging records for destination IP 39.1.1.7. Add the column: HTTP Status Code.

a. On the Paris computer, on the Logging tab, wait a few moments for the log file entries for destination IP 39.1.1.7 to appear on the screen.

b. Right-click the Log Time heading, and then click Add/Remove Columns.

c. In the Add/Remove Columns dialog box, in the Available columns list box, select HTTP Status Code, and then click Add ->.

d. In the Displayed columns list, select HTTP Status Code, and then click Move Up, until HTTP Status Code is just after HTTP Method.

e. Click OK to close the Add/Remove Columns dialog box.

9. Remove the online filter definition, and stop the query.

a. In the task pane, on the Tasks tab, click Edit Filter.

b. In the Edit Filter dialog box, select the Destination IP - Equals - 39.1.1.7 expression, and then click Remove.

c. Click Start Query to close the Edit Filter dialog box.

d. In the task pane, on the Tasks tab, click Stop Query.

e. Click Apply to save the changes, and then click OK.
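The following is an added example, not code from the lab manual or from ISA Server. It reproduces, outside the console, what steps 5 and 8 of this exercise do in the Logging tab: read W3C-format Web Proxy log records, keep only those whose destination IP equals 39.1.1.7, and list the HTTP method and status code of each request. The sample log is constructed for this example: the field names (r-ip for destination IP, s-operation for the HTTP method, sc-status for the status code, rule for the access rule name) follow ISA Server's W3C schema, but the subset of columns and the records are invented. The records assume the standard HTTP outcomes of steps 4, 6 and 7: a full refresh (Ctrl-F5) is answered with 200, a conditional refresh (F5) of an unchanged page with 304 Not Modified, and the missing test.htm with 404.

```python
"""Added example (not from the ISA Server lab manual): parse W3C-format
Web Proxy log records, apply the Exercise 3 online filter (Destination IP
equals 39.1.1.7) and show HTTP method and status code per request."""
from typing import Dict, List, Tuple

# Constructed sample. Field names follow ISA Server's W3C log schema, but
# the column subset and the records are invented for this example. The
# rule name is the last field and may contain spaces.
SAMPLE_LOG = """\
#Software: Microsoft(R) Internet Security and Acceleration Server 2006
#Version: 2.0
#Date: 2006-11-27 10:15:02
#Fields: c-ip cs-username date time r-host r-ip r-port cs-protocol s-operation cs-uri sc-status rule
10.1.1.5 anonymous 2006-11-27 10:15:02 istanbul.fabrikam.com 39.1.1.7 80 http GET http://istanbul.fabrikam.com/ 200 Allow Web access (logging test)
10.1.1.5 anonymous 2006-11-27 10:15:40 istanbul.fabrikam.com 39.1.1.7 80 http GET http://istanbul.fabrikam.com/ 200 Allow Web access (logging test)
10.1.1.5 anonymous 2006-11-27 10:15:46 istanbul.fabrikam.com 39.1.1.7 80 http GET http://istanbul.fabrikam.com/ 304 Allow Web access (logging test)
10.1.1.5 anonymous 2006-11-27 10:16:03 istanbul.fabrikam.com 39.1.1.7 80 http GET http://istanbul.fabrikam.com/test.htm 404 Allow Web access (logging test)
10.1.1.9 anonymous 2006-11-27 10:16:10 www.contoso.com 10.2.2.2 80 http GET http://www.contoso.com/ 200 Allow Web access (logging test)
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Return one dict per record, keyed by the names in the #Fields line.

    The split is bounded to the number of fields so that a final field
    containing spaces (the rule name) is kept intact."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        if not fields:
            raise ValueError("record found before the #Fields header")
        values = line.split(None, len(fields) - 1)
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def filter_equals(records: List[Dict[str, str]], field: str, value: str) -> List[Dict[str, str]]:
    """The Logging tab filter 'Filter by: <field>, Condition: Equals, Value: <value>'."""
    return [r for r in records if r.get(field) == value]


def request_view(records: List[Dict[str, str]]) -> List[Tuple[str, str, str, int]]:
    """(time, method, URL, status) per record, mirroring the Log Time,
    HTTP Method, URL and HTTP Status Code columns of the Logging tab."""
    return [(r["time"], r["s-operation"], r["cs-uri"], int(r["sc-status"])) for r in records]


def status_counts(records: List[Dict[str, str]]) -> Dict[int, int]:
    """How many records carry each HTTP status code."""
    counts: Dict[int, int] = {}
    for r in records:
        code = int(r["sc-status"])
        counts[code] = counts.get(code, 0) + 1
    return counts


if __name__ == "__main__":
    hits = filter_equals(parse_w3c(SAMPLE_LOG), "r-ip", "39.1.1.7")
    for row in request_view(hits):
        print(*row)
    print(status_counts(hits))
```

To use it on a real file, replace `SAMPLE_LOG` with the contents of a Web Proxy log from the directory shown in step 1c of this exercise; the parser reads whatever columns the file's #Fields line declares, so adding or removing logged fields in the console does not break it.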