Page 1: Materials and Preparation.doc.doc

Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation. If, however, your only means of access is electronic, permission to print one copy is hereby granted.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2001 Microsoft Corporation. All rights reserved.

Contents

Overview 1

Securing the Server 2

Examining Perimeter Networks 6

Examining Packet Filtering and IP Routing 10

Configuring Packet Filtering and IP Routing 17

Configuring Application Filters 24

Lab A: Configuring the Firewall 35

Review 45

Module 6: Configuring the Firewall


Microsoft, Active Directory, ActiveX, BackOffice, FrontPage, JScript, MS-DOS, NetMeeting, Outlook, PowerPoint, Visual Basic, Visual C++, Visual Studio, Windows, Windows Media, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries.

Other product and company names mentioned herein may be the trademarks of their respective owners.


Instructor Notes

This module provides students with the knowledge and skills to configure Microsoft® Internet Security and Acceleration (ISA) Server 2000 as a firewall.

After completing this module, students will be able to:

Secure the ISA Server computer.

Explain the use of perimeter networks.

Explain the use of packet filtering and Internet Protocol (IP) routing.

Configure packet filtering and IP routing.

Configure application filters.

Materials and Preparation

This section provides the materials and preparation tasks that you need to teach this module.

Required Materials

To teach this module, you need the Microsoft PowerPoint® file 2159A_06.ppt.

Preparation Tasks

To prepare for this module, you should:

Read all of the materials for this module.

Complete the lab.

Study the review questions and prepare alternative answers to discuss.

Anticipate questions that students may ask. Write out the questions and provide the answers.

Read “Using Packet Filtering,” “Using extensions,” “Internet Security,” “Perimeter Network Scenarios,” and “ISA Server system Security” in ISA Server Help.

Read Module 9, “Implementing Security in Windows 2000,” in Course 2152, Implementing Microsoft Windows 2000 Professional and Server.

Read Module 3, “Enabling Secure Internet Access,” Module 7, “Configuring Access to Internal Resources,” and Module 8, “Monitoring and Reporting,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.

Review RFC 792, “Internet Control Message Protocol,” under Additional Readings on the Trainer Materials compact disc.

Module Strategy

Use the following strategy to present this module:

Presentation: 75 Minutes

Lab: 30 Minutes

Securing the Server

Discuss the best practices for securing computers, explaining that the list in the module is not comprehensive but is meant to be a guideline. Explain that the ISA Server Security Configuration Wizard changes several operating system settings to pre-configured values and emphasize that ISA Server includes no automatic method of reverting back to the original values.

Examining Perimeter Networks

Briefly describe the use of perimeter networks, which were introduced in Module 1. Ensure that students understand that ISA Server treats both the Internet and the perimeter network as external networks, which requires that you enable IP routing to move network packets between the networks.

Examining Packet Filtering and IP Routing

Explain that the packet filtering and routing functions of ISA Server provide stronger security than the packet filtering and routing functions of the Microsoft Windows® 2000 Routing and Remote Access service. Emphasize that you should use ISA Server, and not the Routing and Remote Access service, to configure packet filtering and routing on an ISA Server computer. Explain that ISA Server treats IP addresses that are in the Local Address Table (LAT) as internal and does not apply packet filters to those addresses. Explain that the decision to use IP routing to support a perimeter network depends on the type of perimeter network.

Configuring Packet Filtering and IP Routing

Tell students to always confirm that ISA Server does not include a predefined filter before creating a custom IP packet filter.

Configuring Application Filters

Explain that unlike IP packet filters, which make forwarding decisions based on the header of each IP packet, application filters can examine entire transactions between a client application and a server application. Explain that some functionality of the Simple Mail Transfer Protocol (SMTP) filter depends on the Message Screener component. Mention that the Message Screener is an optional ISA Server component that you usually install on a separate computer on your network. Explain that redirecting Hypertext Transfer Protocol (HTTP) requests improves client performance and allows you to apply site and content rules to Firewall clients and SecureNAT clients. Explain that the H.323 filter enables users who use conferencing applications, such as Microsoft NetMeeting®, to communicate with others over the Internet.

Customization Information

This section identifies the lab setup requirements for a module and the configuration changes that occur on student computers during the labs. This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware.

The lab in this module is also dependent on the classroom configuration that is specified in the Customization Information section at the end of the Classroom Setup Guide for Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.

Lab Setup

The following list describes the setup requirements for the lab in this module.


Setup Requirement 1

The lab in this module requires that ISA Server be installed on all ISA Server computers. To prepare student computers to meet this requirement, perform one of the following actions:

Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.

Perform a full installation of ISA Server manually.

Setup Requirement 2

The lab in this module requires that the ISA Server administration tools be installed on all ISA Server client computers. To prepare student computers to meet this requirement, perform one of the following actions:

Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.

Install the ISA Server administration tools manually.

Setup Requirement 3

The lab in this module requires that the Firewall Client be installed on all ISA Server client computers. To prepare student computers to meet this requirement, perform one of the following actions:

Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.

Install the Firewall Client manually.

Setup Requirement 4

The lab in this module requires that all of the ISA Server client computers be configured to use the ISA Server computer’s IP address on the private network as their default gateway. To prepare student computers to meet this requirement, perform one of the following actions:

Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.

Configure the default gateway manually.

Setup Requirement 5

The lab in this module requires that Microsoft Internet Explorer be configured on all student computers to use the ISA Server computer as a Web Proxy server. To prepare student computers to meet this requirement, perform one of the following actions:

Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.

Configure Internet Explorer manually.


Setup Requirement 6

The lab in this module requires that Internet Information Services (IIS) be configured on all ISA Server computers to use Transmission Control Protocol (TCP) port 8008 for the default Web site. To prepare student computers to meet this requirement, perform one of the following actions:

Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.

Configure IIS manually.

Setup Requirement 7

The lab in this module requires a protocol rule on the ISA Server computer that allows all members of the Domain Admins group to gain access to the Internet by using any protocol. To prepare student computers to meet this requirement, perform one of the following actions:

Complete Module 3, “Enabling Secure Internet Access,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.

Create the rule manually.

Lab Results

Performing the lab in this module introduces the following configuration changes:

The ISA Server computer is configured with the Basicdc.inf security template.

ISA Server is configured to perform packet filtering and routing.


Overview

Securing the Server

Examining Perimeter Networks

Examining Packet Filtering and IP Routing

Configuring Packet Filtering and IP Routing

Configuring Application Filters

Microsoft® Internet Security and Acceleration (ISA) Server 2000 includes several security features to help you enforce your security policies. The ISA Server Security Configuration Wizard enables you to set the appropriate level of system security for the operating system. Packet filtering helps prevent unauthorized access to your internal network by inspecting incoming traffic and blocking packets that do not meet your specified security criteria. Internet Protocol (IP) routing allows you to forward network packets according to rules that you define. Application filters control application-specific traffic to determine if network traffic should be accepted, rejected, redirected, or modified.

The packet filtering and routing functions of ISA Server provide stronger security than the packet filtering and routing functions of the Microsoft Windows® 2000 Routing and Remote Access service. To provide the most comprehensive security for your internal network, use ISA Server, not the Routing and Remote Access service, to configure packet filtering and routing on an ISA Server computer.

After completing this module, you will be able to:

Secure the ISA Server computer.

Explain the use of perimeter networks.

Explain the use of packet filtering and IP routing.

Configure packet filtering and IP routing.

Configure application filters.

Topic Objective

To provide an overview of the module topics and objectives.

Lead-in

In this module, you will learn how to configure ISA Server as a firewall.


Securing the Server

Best Practices

Setting System Security

ISA Server is an important component of an overall security strategy, but network security consists of many elements. Using security best practices will also help you to secure your network effectively.

ISA Server includes the ISA Server Security Configuration Wizard, which you can use to apply system security settings to a single ISA Server computer or to all of the servers in an array. The ISA Server Security Configuration Wizard uses security templates that are included with Microsoft Windows 2000 Server to configure the operating system for different levels of security. You can set the appropriate level of system security, depending on how ISA Server functions in your network.

Topic Objective

To identify the topics related to securing the ISA Server computer.

Lead-in

ISA Server is an important component of an overall security strategy, but network security consists of many elements.


Best Practices

Stay Informed About Security Issues

Install the Latest Service Pack and Security Updates

Do Not Run Unnecessary Services or Accept Unnecessary Packets

Audit Security-Related Events and Review the Associated Log Files

Document All Aspects of Your Network Configuration

Understand the Network Protocols that You Use With ISA Server

Maintain Physical Security

Because the ISA Server computer is often directly connected to the Internet, it is important that you adequately secure that computer. The following list presents security best practices to use as guidelines when securing computers in your network, and particularly the ISA Server computer:

Stay informed about security issues pertaining to Windows 2000 and ISA Server. For security bulletins and other security-related information, see the Microsoft Security Web site at http://www.microsoft.com/security. You may also want to subscribe to security-related mailing lists.

Install the latest service pack and security updates. Before installing any service packs or updates, test them thoroughly in a lab environment.

Do not run unnecessary services on the ISA Server computer, and configure ISA Server with rules that allow only required network traffic to pass through the ISA Server computer.

Audit security-related events and frequently review the associated log files.

For more information about Windows 2000 auditing, see Module 9, “Implementing Security in Windows 2000,” in Course 2152, Implementing Microsoft Windows 2000 Professional and Server. For more information about monitoring ISA Server security, see Module 8, “Monitoring and Reporting,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.

Document all aspects of your network configuration. Maintaining documentation helps you to detect intrusion and recover from intrusion incidents.

Topic Objective

To describe security best practices.

Lead-in

Because the ISA Server computer is often directly connected to the Internet, it is important that you adequately secure that computer.

Delivery Tip

Explain that this list is not comprehensive, but is meant to present guidelines for securing the ISA Server computer.


Understand the network protocols that you use with ISA Server. A thorough understanding of these protocols will help to ensure that you configure ISA Server properly.

Maintain physical security. Anyone with physical access to the ISA Server computer can gain complete control of the computer.

Setting System Security

[Slide: security templates applied for each security level]

Security level Domain controller templates Server templates

Dedicated Hisecdc.inf Hisecws.inf

Limited Services Securedc.inf Securews.inf

Secure Basicdc.inf Basicsv.inf

When configuring the security settings of the ISA Server computer, you can use the ISA Server Security Configuration Wizard to increase the security of several components of Windows 2000. Securing the ISA Server computer is especially important when that computer is directly connected to the Internet.

You can select from one of the following security levels in the ISA Server Security Configuration Wizard:

Dedicated. Use this setting when an ISA Server computer is functioning as a dedicated firewall with no other applications.

Limited Services. Use this setting when the ISA Server computer is functioning as a combined firewall and cache server. An ISA Server computer can also be protected by an additional firewall.

Secure. Use this setting when the ISA Server computer performs other functions, such as running a Web server, a database server, or a mail server.

Topic Objective

To describe the security levels that you can set for the ISA Server computer.

Lead-in

There are three security levels that you can apply to an ISA Server computer.


The ISA Server Security Configuration Wizard changes several operating system settings to pre-configured values. To change all of these settings back to the original values, you must document or export the settings before running the wizard and then reconfigure all of the values. ISA Server includes no automatic method of reverting back to the original values.

Applying Security Templates

The security template that the ISA Server Security Configuration Wizard applies depends on the security setting that you select and the type of computer that you are using.

To run the ISA Server Security Configuration Wizard, the systemroot\security\templates folder must contain the required template. If the required template is missing, the ISA Server Security Configuration Wizard fails to run. To add a missing template, you must copy it from the Microsoft Windows 2000 Server compact disc to the Templates folder on your computer. ISA Server uses the templates listed in the following table.

Security level For a server For a domain controller

Dedicated Hisecws.inf Hisecdc.inf

Limited Services Securews.inf Securedc.inf

Secure Basicsv.inf Basicdc.inf

For more information about security templates, see Module 9, "Implementing Security in Windows 2000," in Course 2152, Implementing Microsoft Windows 2000 Professional and Server.

Use the ISA Server Security Configuration Wizard to apply system security settings to an ISA Server computer.

To run the Wizard:

1. In ISA Management, in the console tree, expand your server or array, and then click Computer or Computers.

2. In the details pane, right-click the applicable server, click Secure, and then follow the on-screen instructions to complete the wizard.

Viewing Configuration Changes

When you run the ISA Server Security Configuration Wizard, ISA Server creates a log file of all of the changes. ISA Server names this file securwiz.log and places it in the ISA Server installation directory. You can review this file to see the actions that the wizard performed.


Examining Perimeter Networks

Perimeter Networks

Three-Homed Perimeter Network

You can deploy ISA Server as a firewall that acts as a secure gateway to the Internet for internal clients. ISA Server protects all of the communication between the internal computers and the Internet. In a simple firewall design, the ISA Server computer has two network interface cards, one connected to the local network and one connected to the Internet. In more complex designs, such as a design that includes a perimeter network with one or more published servers, you may also need to configure the ISA Server computer for IP routing.

Topic Objective

To identify the topics related to perimeter network configurations.

Lead-in

You can deploy ISA Server as a dedicated firewall that acts as the secure gateway to the Internet for internal clients.


Perimeter Networks

[Slide: a firewall separating the Internet, the perimeter network, and the internal network]

A perimeter network, also known as a DMZ, demilitarized zone, or screened subnet, is a small network that you set up separately from an internal network and the Internet. Perimeter networks allow external users to gain access to specific servers that are located on the perimeter network, while preventing direct access to the internal network.

Perimeter Network Uses

A perimeter network is commonly used for deploying an organization’s publicly accessible servers, such as e-mail servers and Web servers. Permitting access to the perimeter network does not allow access to other company data that may be available on computers in the internal network. Even if an external user penetrates the perimeter network security, only the perimeter network servers are compromised.

Perimeter Network Configurations

Typically, a perimeter network uses one of the following configurations:

Back-to-back perimeter network configuration. Uses two ISA Server computers on either side of the perimeter network to protect the network.

For more information on how to make server resources in a back-to-back perimeter network available, see Module 7, “Configuring Access to Internal Resources,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.

Three-homed perimeter network configuration. Uses the same ISA Server computer with the perimeter network to protect the internal network. The ISA Server computer is three-homed, which means that it is connected to three networks: the Internet, the perimeter network, and the internal network.

Topic Objective

To describe the use of perimeter networks.

Lead-in

A perimeter network is a small network that you set up separately from an internal network and the Internet.

Three-Homed Perimeter Network

[Slide: one ISA Server computer with three network adapters, numbered 1, 2, and 3, connecting the Internet, the perimeter network, and the internal network]

In a three-homed perimeter network configuration, a stand-alone ISA Server computer or an array of ISA Server computers connects the Internet, the perimeter network, and the internal network. ISA Server treats both the Internet and the perimeter network as external networks, which requires that you enable IP routing to move network packets between the networks.

Setting Up the ISA Server Computer

To set up an ISA Server computer in a three-homed perimeter network configuration, install and configure each network adapter as follows:

1. Connect one network adapter to the internal network. Include all of the internal IP addresses in the local address table (LAT).

2. Connect the second network adapter to the perimeter network. Do not add the IP addresses of the perimeter network to the LAT.

3. Connect the third network adapter to the Internet. Do not add any IP addresses from the Internet to the LAT.

Slide Objective

To describe the use of a three-homed perimeter network.

Lead-in

In a three-homed perimeter network configuration, a stand-alone ISA Server computer or an array of ISA Server computers connects the Internet, the perimeter network, and the internal network.

Key Point

ISA Server treats both the Internet and the perimeter network as external networks, which requires that you enable IP routing to move network packets between the networks.


Placing certain types of servers, especially File Transfer Protocol (FTP) servers, into three-homed perimeter network configurations may create security risks. For more information about these risks, see “Three-homed perimeter network configuration” in ISA Server Help.

Configuring the Perimeter Network

The Microsoft Web Proxy service and the network address translation component of the Microsoft Firewall service move network packets only between an internal network and an external network, in either direction. Because ISA Server treats both the Internet and your perimeter network in a three-homed perimeter network configuration as external networks, you must use IP routing to move network packets between the Internet and the perimeter network.

To set up a three-homed ISA Server computer in a perimeter network, perform the following actions:

Enable IP routing.

Enable packet filtering.

Create the appropriate IP packet filters to allow routing of the correct IP packets to each of the servers in the perimeter network.

For example, to make a Simple Mail Transfer Protocol (SMTP) server on the perimeter network available to users on the Internet, you must enable IP routing and packet filtering. You then need to create an IP packet filter that configures the ISA Server computer to route all of the required packets from the Internet to the mail server.

Delivery Tip

Tell students that IP routing, packet filtering, and IP packet filters will be covered later in this module.


Examining Packet Filtering and IP Routing

Controlling Network Traffic

Understanding Packet Filtering

Using IP Routing and Packet Filtering

Guidelines for Using Packet Filtering and IP Routing

You can control the flow of IP packets to and from the external network interface of an ISA Server computer by using packet filtering and IP routing.

By using packet filtering, you can allow IP packets or can block IP packets that are destined for the ISA Server computer or for specific computers on your perimeter network or internal network. You can also use packet filtering to block packets that originate from your internal network.

When you enable routing on a Windows 2000 computer, that computer routes all traffic between the Internet and your internal network. In this case, the computer acts as a router, which is a device that connects separate networks by forwarding packets between them.

By enabling both packet filtering and IP routing in ISA Server, you gain the benefits of strict policy enforcement by using packet filters and establish the correct routing behavior for protocols that use secondary network connections after establishing a primary connection.

You can enable packet filtering only if you install ISA Server in Firewall mode or in Integrated mode.

Topic Objective

To identify the topics related to packet filtering and IP routing.

Lead-in

You can control the flow of IP packets to and from an external network interface of an ISA Server computer by using IP routing and packet filtering.


Controlling Network Traffic

Web Proxy Service

Firewall Service -- Proxy

Firewall Service -- Routing

You can use ISA Server to control the flow of IP packets between different networks, typically your internal network and the Internet. ISA Server controls IP packets by using the following services and methods:

Web Proxy service. The Web Proxy service receives outgoing Web requests from internal Web Proxy clients and then forwards these requests to Web servers on the Internet. The packets are never directly exchanged between the internal Web Proxy client and the Web server on the Internet.

The Web Proxy service can also process incoming Web requests for internal Web servers, which is called Web publishing. For more information about Web publishing, see Module 7, “Configuring Access to Internal Resources,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.

Firewall service -- proxy. The Firewall service processes requests from internal Firewall clients and SecureNAT clients that use the User Datagram Protocol (UDP) protocol or the Transmission Control Protocol (TCP) protocol to gain access to external network resources. The Firewall service intercepts IP packets, changes the IP header information, and then sends the packets to the external server. The IP packets appear to the external server as if they originated from the ISA Server computer.

Firewall service -- routing. The Firewall service can also route IP packets between networks. Routing forwards network packets between different networks without changing the IP addresses and ports in the IP packet header. The Firewall service also uses rules to determine whether to route a packet. You define these rules by creating IP packet filters.

Slide Objective

To describe the services and processes that ISA Server uses to control network traffic.

Lead-in

You can use ISA Server to control the flow of IP packets between different networks, typically your internal network and the Internet.

Understanding Packet Filtering

[Slide: an ISA Server computer between the internal network and a perimeter network, showing the addresses 131.107.1.1, 131.107.2.1, 192.168.1.1, and 131.107.2.200, and the following packet filter]

Protocol Direction Destination / Port Source / Port Type

UDP Incoming 131.107.2.200 / 53 Any / Any Allow

Packet filtering allows you to control which packets an ISA Server computer accepts on an external network interface.

ISA Server treats all network interfaces that are not configured with an IP address that is in the LAT as external. If one or more of the IP addresses that are associated with a network interface are in the LAT, ISA Server treats the network interface as internal and does not apply packet filters.

IP Packet Headers

You control IP packets by using the following IP packet header information:

Source IP address and port

Destination IP address and port

IP protocol information

When you create a packet filter that allows bi-directional traffic, ISA Server also dynamically opens the appropriate ports that allow packets to return to the IP address and port of the original packet.

For example, you create a packet filter that allows incoming packets to UDP port 53 on a server on your perimeter network, and a computer on the Internet sends a packet to the server. ISA Server automatically allows outgoing packets to pass from UDP port 53 on your perimeter network to the IP address and port number that initiated the connection.

Topic Objective: To describe the process of packet filtering.

Dynamic packet filters that allow packets to return to the IP address and port of the original packet are in effect for only the duration of the session. Also, you cannot modify a dynamic rule.

Types of Packet Filters

You control which packets are allowed to traverse an external network interface of the ISA Server computer by using the following types of packet filters:

Allow filters. Used to define which packets the external network adapter accepts. ISA Server accepts packets that meet the conditions of an Allow filter only.

Block filters. Used to define exceptions to Allow filters. ISA Server drops packets that meet the conditions of a Block filter, even though they may also meet the conditions of an Allow filter. For example, you can create an Allow filter to permit incoming SMTP traffic to a mail server. You can then create a Block filter to deny access to the mail server for an IP address that was the origin of a previous intrusion attempt. You can also use packet filters to override protocol rules that allow client connections.
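The following Python model is added here as an example; it is not part of the course materials or of ISA Server. It shows how the Allow, Block and dynamic filters described above interact: Block filters are checked first, a bi-directional Allow filter opens a reply flow that expires with the session, and any packet that matches nothing is dropped. The filter names, the intruder address 131.107.9.9, the client addresses and the 60-second session timeout are constructed for the example; the direction names receive_send and send_receive mirror the wizard's UDP options, but the matching logic is the example's own.

```python
"""Added example (not ISA Server code): a model of how static Allow and Block
packet filters, and the dynamic reply filters they open, decide whether a
packet on an external interface is accepted. Names, addresses, ports and the
session timeout are constructed for the example."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str    # "in": arrives from the remote network; "out": leaves toward it

    def local_remote(self) -> Tuple[int, str, int]:
        """(local port, remote address, remote port). 'Local' is the ISA Server
        computer or the perimeter-network host the filter protects."""
        if self.direction == "in":
            return self.dport, self.src, self.sport
        return self.sport, self.dst, self.dport

    def flow_key(self) -> tuple:
        return (self.proto, self.direction, self.src, self.sport, self.dst, self.dport)

    def reply_key(self) -> tuple:
        """Key of the reply flow: same endpoints swapped, opposite direction."""
        return (self.proto, "out" if self.direction == "in" else "in",
                self.dst, self.dport, self.src, self.sport)


@dataclass(frozen=True)
class PacketFilter:
    name: str
    mode: str                          # "allow" or "block"
    proto: str                         # "tcp", "udp" or "any"
    direction: str                     # "in", "out", "receive_send", "send_receive", "both"
    local_port: Optional[int] = None   # None means all ports
    remote_addr: Optional[str] = None  # None means any remote computer
    remote_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        allowed = {"in": {"in"}, "receive_send": {"in"}, "out": {"out"},
                   "send_receive": {"out"}, "both": {"in", "out"}}[self.direction]
        if pkt.direction not in allowed:
            return False
        lport, raddr, rport = pkt.local_remote()
        return ((self.local_port is None or lport == self.local_port)
                and (self.remote_addr is None or raddr == self.remote_addr)
                and (self.remote_port is None or rport == self.remote_port))

    @property
    def opens_reply(self) -> bool:
        """Bi-directional modes dynamically open the return path."""
        return self.direction in ("receive_send", "send_receive", "both")


class PacketFilterEngine:
    def __init__(self, filters: List[PacketFilter], session_timeout: float = 60.0):
        self.filters = list(filters)
        self.session_timeout = session_timeout
        self.dynamic: Dict[tuple, float] = {}   # reply flow -> expiry time

    def decide(self, pkt: Packet, now: float) -> str:
        # Dynamic filters exist only for the duration of the session.
        self.dynamic = {k: t for k, t in self.dynamic.items() if t > now}
        # Block filters are exceptions to Allow filters, so they win when both match.
        if any(f.mode == "block" and f.matches(pkt) for f in self.filters):
            return "drop"
        for f in self.filters:
            if f.mode == "allow" and f.matches(pkt):
                if f.opens_reply:
                    self.dynamic[pkt.reply_key()] = now + self.session_timeout
                return "accept"
        if pkt.flow_key() in self.dynamic:
            self.dynamic[pkt.flow_key()] = now + self.session_timeout  # keep session alive
            return "accept"
        return "drop"   # with packet filtering enabled, everything else is dropped


def build_demo_engine() -> PacketFilterEngine:
    """Filters modelled on the text: DNS (UDP 53) and SMTP (TCP 25) on a
    perimeter host, plus a Block filter for a constructed intruder address."""
    return PacketFilterEngine([
        PacketFilter("DNS to perimeter DNS server", "allow", "udp", "receive_send", local_port=53),
        PacketFilter("SMTP to perimeter mail server", "allow", "tcp", "receive_send", local_port=25),
        PacketFilter("Block previous intruder", "block", "tcp", "in", remote_addr="131.107.9.9"),
    ])


def run_scenarios() -> Dict[str, str]:
    eng = build_demo_engine()
    query = Packet("udp", "131.107.3.3", 40000, "131.107.2.200", 53, "in")
    reply = Packet("udp", "131.107.2.200", 53, "131.107.3.3", 40000, "out")
    stray = Packet("udp", "131.107.2.200", 53, "131.107.4.4", 40000, "out")
    intruder = Packet("tcp", "131.107.9.9", 5000, "131.107.2.200", 25, "in")
    mail = Packet("tcp", "131.107.3.3", 5000, "131.107.2.200", 25, "in")
    web = Packet("tcp", "131.107.3.3", 5000, "131.107.2.200", 80, "in")
    return {
        "query": eng.decide(query, 0),         # static Allow; opens the reply flow
        "reply": eng.decide(reply, 1),         # accepted by the dynamic filter
        "stray": eng.decide(stray, 1),         # port 53 outbound, but no session
        "late_reply": eng.decide(reply, 200),  # session timed out
        "intruder": eng.decide(intruder, 2),   # Block beats Allow
        "mail": eng.decide(mail, 2),
        "web": eng.decide(web, 2),             # default deny
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:10s} {verdict}")
```

run_scenarios() returns the verdict for each constructed packet. The stray outbound packet from port 53 is dropped even though a filter mentions port 53, because only the reply to an accepted query has a dynamic filter, and that filter disappears once the session times out.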

Using IP Routing and Packet Filtering

Situations That Require IP Routing

Servers in a three-homed perimeter network

Protocols other than UDP and TCP

Situations That Require Packet Filtering

Services running on the ISA Server computer

Applications running on the ISA Server computer

Servers in a three-homed perimeter network

Protocols other than UDP and TCP

In some situations, you must use IP routing, packet filtering, or both IP routing and packet filtering.

Topic Objective: To describe situations in which you must use IP routing and packet filtering.

Situations That Require IP Routing

Use IP routing for the following situations:

Servers in a three-homed perimeter network. ISA Server treats both three-homed perimeter networks and the Internet as external networks and routes packets between them. When you allow users on the Internet to connect to a server on a three-homed perimeter network, you must configure ISA Server to perform IP routing between these networks.

Allowing external users to gain access to resources on servers on a back-to-back perimeter network requires different configuration steps. For more information about making servers in a back-to-back perimeter network available to the Internet, see Module 7, “Configuring Access to Internal Resources,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.

Protocols other than UDP and TCP. The Web Proxy service handles outgoing requests that use the Hypertext Transfer Protocol (HTTP), HTTP over Secure Sockets Layer (HTTPS), or FTP protocols. The Firewall service handles requests from any application that uses the UDP or TCP protocol. For all other IP protocols, such as ICMP or GRE, ISA Server must route the packets.

Situations That Require Packet Filtering

Use packet filtering for the following situations:

Services running on the ISA Server computer. When a service is running on an ISA Server computer, you must create an IP packet filter that allows incoming packets for the port associated with that service.

For example, if the ISA Server computer is also functioning as an external Domain Name System (DNS) server, you must allow incoming DNS query packets. To allow the DNS query packets, create an IP packet filter that allows incoming packets to the ISA Server computer on TCP and UDP port 53.

Applications running on the ISA Server computer. When you run an application on the ISA Server computer that needs to connect to the Internet, you must create one or more IP packet filters that allow the appropriate outgoing packets. An application running on the ISA Server computer cannot use the Firewall service to connect to the Internet because configuring the ISA Server computer as a Firewall client is not supported. Instead, the application must establish a direct connection to the Internet, which requires you to create packet filters that allow the appropriate network traffic.

For example, to allow an e-mail client application that is running on the ISA Server computer to connect to an SMTP server, create an IP packet filter that allows packets to pass from the ISA Server computer to TCP port 25 on a remote SMTP server.

Note: Do not create packet filters for outgoing traffic from internal clients that pass through the Firewall service or the Web Proxy service. Because ISA Server automatically and dynamically opens the ports that are required to handle such communications based on the protocol rules that you configured, no packet filters are required provided that all client requests use the TCP or UDP protocol.

Delivery Tip: Ensure that students understand that the decision to use IP routing to support a perimeter network depends on the type of perimeter network.

Servers in a three-homed perimeter network. When you allow users on the Internet to connect to a server on a three-homed perimeter network, you must create IP packet filters to open the ports that are required for ISA Server to accept and route packets to services that are running on the server in the perimeter network.

For example, to allow external clients to connect to an SMTP server in a perimeter network, create an IP packet filter that allows incoming packets for TCP port 25 on the SMTP server.

Protocols other than UDP and TCP. Because ISA Server routes all requests from SecureNAT clients that use protocols other than TCP or UDP, you must configure the appropriate packet filters to allow this traffic to pass through the ISA Server computer.

For example, to allow internal clients to use the Ping utility, which uses the Internet Control Message Protocol (ICMP), create an IP packet filter by selecting the predefined filter ICMP all outbound.

Guidelines for Using Packet Filtering and IP Routing

Packet Filtering and IP Routing Not Enabled

Packet Filtering Enabled and IP Routing Not Enabled

Packet Filtering and IP Routing Enabled

Packet Filtering Not Enabled and IP Routing Enabled

Use the following guidelines when using packet filtering, IP routing, or both.

Topic Objective: To describe guidelines for using packet filtering and IP routing.

Packet Filtering and IP Routing Not Enabled

When you do not enable packet filtering or IP routing, ISA Server does not apply packet filters to incoming network traffic, which lowers the protection of the ISA Server computer. Use this combination of settings only to optimize performance and when the external interface of the ISA Server computer is connected to a network that you have control over, for example, when using ISA Server to forward traffic from a branch office by using a leased line.

Packet Filtering Enabled and IP Routing Not Enabled

When you enable packet filtering, ISA Server drops all of the IP packets on external network interfaces unless they are explicitly allowed by static or dynamic rules. The ISA Server computer also does not forward packets directly. Use this setting when:

All client connections use the UDP or TCP protocol.

You do not need to forward packets between the Internet and a three-homed perimeter network configuration.

Packet Filtering and IP Routing Enabled

When combining packet filtering and IP routing, you gain the security benefits of packet filtering, the ability to route protocols other than TCP or UDP, and the ability to route between the Internet and a three-homed perimeter network. Use this configuration in situations that require both security and routing.

Packet Filtering Not Enabled and IP Routing Enabled

You cannot configure ISA Server to route packets without enabling packet filtering because of the low level of security that such a configuration would provide. If your network configuration requires a router, evaluate the Routing and Remote Access service in Windows 2000.

Configuring Packet Filtering and IP Routing

Enabling Packet Filtering and IP Routing

Creating IP Packet Filters

Configuring Packet Filter Options

You must enable packet filtering and IP routing to forward IP packets from one external network to another external network. You can then create IP packet filters to allow incoming packets for specific ports and services. To increase the security of your ISA Server computer, you can configure packet-filtering settings.

Enabling Packet Filtering and IP Routing

[Slide: the IP Packet Filters Properties dialog box, General tab, which controls packet routing and packet filtering properties. It has the check boxes Enable packet filtering, Enable Intrusion detection and Enable IP routing; the other tabs are Packet Filters, Intrusion Detection and PPTP.]

Topic Objective: To identify the topics related to configuring packet filtering and IP routing.

Topic Objective: To describe the procedure that you use to enable packet filtering and IP routing.

Lead-in: Before you can use IP packet filters, you must enable IP packet filtering on the ISA Server computer.

When you enable packet filtering, ISA Server monitors the IP packets that pass through the external network adapter on the ISA Server computer. In addition to packet filtering, you must enable IP routing to forward IP packets from one external network to another external network, such as the Internet and a three-homed perimeter network. You must also enable IP routing when client computers use network protocols other than the TCP and UDP protocols.

To enable packet filtering and IP routing:

1. In ISA Management, in the console tree, expand your server or array, expand Access Policy, right-click IP Packet Filters, and then click Properties.

2. On the General tab, ensure that the Enable packet filtering check box is selected.

3. Select the Enable IP routing check box, and then click OK.

Creating IP Packet Filters

[Slide: the pages of the New IP Packet Filter Wizard, from Start to Finish: Name the Filter, Select the Filter Mode, Select the Filter Type, Configure Filter Settings, Select Local IP Address, Select Remote Computer(s).]

Before you create an IP packet filter, you must identify the associated protocols and ports for the specified packets. You must also identify the IP addresses or IP address ranges of the computers for the source and destination.

To create a new IP packet filter:

1. In ISA Management, in the console tree, expand your server or array, expand Access Policy, click IP Packet Filters, and then in the details pane, click Create a Packet Filter.

Topic Objective: To describe the key steps that you perform to create IP packet filters.

2. In the New IP Packet Filter Wizard, type a name that describes the filter, and then click Next.

3. On the Filter Mode page, select Allow packet transmission or Block packet transmission, and then click Next.

4. On the Filter Type page, select Custom or Predefined to specify the type of filter to create, and then click Next.

Important: Before creating a custom filter, always confirm that ISA Server does not include a predefined filter that meets your requirements.

5. If you select a custom filter, on the Filter settings page, enter the following information, and then click Next.


For this setting / Do the following

IP protocol: Select Custom protocol, Any, ICMP, TCP, or UDP. If you select Custom protocol, provide the protocol number.

Number: Type the number of the IP protocol when you select Custom protocol.

Direction: Specify the direction for the communication. The settings available in the wizard will vary depending on the IP protocol that you select. For most protocols, you can specify Inbound, Outbound, or Both.

Because the UDP protocol is connectionless and requires no session establishment, the options differ for this protocol. If you select the UDP protocol, select Send only (the ISA Server computer or computer on a perimeter network only sends packets), Send/Receive (the ISA Server computer or computer on a perimeter network sends packets and can receive responses), Receive only (the ISA Server computer or computer on a perimeter network only receives packets), Receive/Send (the ISA Server computer or computer on a perimeter network receives packets and can send responses), or Both (full, bi-directional communications).

Local port: Click All ports to apply the rule to all ports, click Dynamic (1025-5000) to apply the rule to the ports that client applications typically use to establish connections with servers, or click Fixed port to select a specific port, such as the port on which a server listens. If you select Fixed port, type the port number in the Port number box.

Note: A local port is a port on the ISA Server computer or the computer on the perimeter network. This option is available with only the TCP and UDP protocols.

Remote port: Click All ports to apply the rule to all remote ports. Click Fixed port to select a specific port, such as the port on which a remote server listens. If you select Fixed port, type the port number in the Port number box.

Note: A remote port is a port on the computer that communicates with the ISA Server computer or the computer on the perimeter network. This option is available with only the TCP and UDP protocols.

Type: Click All types to apply the rule to all ICMP types. Click Fixed Type to apply the rule to only a specific ICMP type, and then type a type number.

Note: This option is available with only the ICMP protocol. The ICMP protocol identifies types by a type field in an ICMP packet, such as Destination Unreachable (Type 3).

Code: Click All Codes to apply the rule to all ICMP codes. Click Fixed Code to apply the rule to only a specific ICMP code, and then type a code number.

Note: This option is available with only the ICMP protocol. The ICMP protocol identifies message codes by a code field in the ICMP packet that depends on the ICMP type. For example, an ICMP packet with Type 3 can include Code 4, which indicates Fragmentation Needed. The code numbers that are used depend on the ICMP type.

For a list of registered protocol numbers, see the Information Sciences Institute Web site at http://www.isi.edu/in-notes/iana/assignments/protocol-numbers

For a list of ICMP types, see the Information Sciences Institute Web site at http://www.isi.edu/in-notes/iana/assignments/icmp-parameters

For a list of ICMP codes, see RFC 792, "Internet Control Message Protocol," under Additional Readings on the Student Materials compact disc.

6. On the Local Computer page, select the IP address or IP addresses to apply the filter to, and then click Next.

7. On the Remote Computer page, select the remote computer or computers to apply the filter to, and then click Next.

8. On the Completing the New IP Packet Filter Wizard page, review your choices, and then click Finish.

Configuring Packet Filter Options

Configure Logging of Packets from Allow Filters

Configure PPTP Through the ISA Firewall

Enable Filtering of IP Fragments

Enable Filtering of IP Options

You can increase the security of your ISA Server computer and gain additional information about packet filtering by configuring packet filter options. You configure packet-filter options in the IP Packet Filter Properties dialog box. Packet filter options enable you to:

Configure logging of packets from Allow filters. Enable this option only for troubleshooting packet filters. By default, ISA Server logs information about IP packets that it drops due to Block filters. When you select Log packets from Allow filters, ISA Server also records information about packets that were forwarded because of an Allow filter. Enabling this option causes an additional workload for the ISA Server computer and can create large amounts of logging information.

Slide Objective: To describe the packet filter options that are available in ISA Server.

For more information about ISA Server logs, see Module 8, “Monitoring and Reporting,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.

Configure PPTP through the ISA firewall. Select the PPTP through ISA firewall check box on the PPTP tab to enable client computers to establish outgoing connections by using the Point-to-Point Tunneling Protocol (PPTP). When you enable PPTP, ISA Server allows traffic that uses IP protocol 47 (Generic Routing Encapsulation, or GRE, which carries the tunneled data; the PPTP control channel itself uses a TCP connection on port 1723), and it creates a packet filter called SecureNAT PPTP. This option applies to all SecureNAT clients rather than to particular users: when you enable PPTP through the ISA firewall, every SecureNAT client can establish PPTP connections through ISA Server.

Enable filtering of IP fragments. Set this option to refuse and drop all fragmented IP packets. A well-known attack sends and reassembles fragmented packets in a way that may disrupt the operations of a computer.

Do not enable filtering of IP fragments if you want to allow video streams or quality audio streams to pass through the ISA Server computer.

Enable filtering of IP options. Set this option to drop all packets that carry options in the IP header. Some well-known attacks use IP options, for example source-routing options, which let the sender dictate the path a packet takes through the network. Enabling the filtering of IP options guards against such attacks; normal TCP, UDP and ICMP traffic does not need IP options.

When configuring packet filters, you can also configure several aspects of intrusion detection. For more information about how to configure intrusion detection, see Module 3, “Enabling Secure Internet Access," and Module 8, “Monitoring and Reporting,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
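As an added example that is not ISA Server code, the following Python reads the IPv4 header fields that the two options above act on (the More Fragments flag and the fragment offset, and a header length greater than five 32-bit words, which means options are present) and also extracts the ICMP type and code that a custom ICMP packet filter, described earlier in this section, matches on. All packets are constructed inline; the loose-source-route option and the 131.107.x.x addresses are assumptions for the example.

```python
"""Added example (not ISA Server code): the IPv4 header checks behind the
'filter IP fragments' and 'filter IP options' settings, plus extraction of the
ICMP type and code that a custom ICMP packet filter matches on. Every packet
below is constructed in this file."""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

IP_FLAG_MF = 0x2000           # "more fragments" bit of the flags/fragment-offset field
IP_FRAG_OFFSET_MASK = 0x1FFF
IPPROTO_ICMP = 1
IPPROTO_UDP = 17
IPV4_FMT = "!BBHHHBBH4s4s"    # the 20-byte fixed header


@dataclass(frozen=True)
class Ipv4Header:
    ihl: int                  # header length in 32-bit words; 5 means no options
    protocol: int
    more_fragments: bool
    fragment_offset: int      # in 8-byte units; non-zero for every fragment but the first
    options: bytes


def ip_checksum(data: bytes) -> int:
    """RFC 791 one's-complement sum over the header; 0 when a header verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(packet: bytes) -> Ipv4Header:
    """Parse the fixed header and any options; raise ValueError on malformed input."""
    if len(packet) < 20:
        raise ValueError("truncated header")
    ver_ihl, _, _, _, flags_frag, _, proto, _, _, _ = struct.unpack(IPV4_FMT, packet[:20])
    ihl = ver_ihl & 0x0F
    if ver_ihl >> 4 != 4 or ihl < 5 or len(packet) < ihl * 4:
        raise ValueError("bad version or header length")
    if ip_checksum(packet[: ihl * 4]) != 0:
        raise ValueError("bad header checksum")
    return Ipv4Header(ihl, proto, bool(flags_frag & IP_FLAG_MF),
                      flags_frag & IP_FRAG_OFFSET_MASK, packet[20: ihl * 4])


def build_ipv4(payload: bytes, proto: int = IPPROTO_UDP,
               flags_frag: int = 0, options: bytes = b"") -> bytes:
    """Construct a sample packet; options are padded to a 32-bit boundary."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    fields = [(4 << 4) | ihl, 0, ihl * 4 + len(payload), 0x1234, flags_frag, 64, proto, 0,
              bytes([131, 107, 3, 3]), bytes([131, 107, 2, 200])]
    fields[7] = ip_checksum(struct.pack(IPV4_FMT, *fields) + options)
    return struct.pack(IPV4_FMT, *fields) + options + payload


def icmp_type_code(packet: bytes) -> Optional[Tuple[int, int]]:
    """(type, code) of an unfragmented ICMP packet, else None."""
    h = parse_ipv4(packet)
    if h.protocol != IPPROTO_ICMP or h.more_fragments or h.fragment_offset != 0:
        return None
    start = h.ihl * 4
    if len(packet) < start + 4:
        return None
    return packet[start], packet[start + 1]


def filter_decision(packet: bytes, drop_fragments: bool = True,
                    drop_options: bool = True) -> str:
    """Apply the two packet-filter options to one packet."""
    try:
        h = parse_ipv4(packet)
    except ValueError as exc:
        return "drop: " + str(exc)
    if drop_fragments and (h.more_fragments or h.fragment_offset != 0):
        return "drop: fragment"
    if drop_options and h.ihl > 5:
        return "drop: IP options present"
    return "accept"


# Constructed samples
PLAIN = build_ipv4(b"\x00" * 8)
FIRST_FRAGMENT = build_ipv4(b"\x00" * 8, flags_frag=IP_FLAG_MF)
LATER_FRAGMENT = build_ipv4(b"\x00" * 8, flags_frag=185)          # offset 185 * 8 bytes
# Loose Source and Record Route option: type 131, length 7, pointer 4, one hop address
SOURCE_ROUTED = build_ipv4(b"\x00" * 8, options=bytes([131, 7, 4, 131, 107, 9, 9]))
ECHO_REQUEST = build_ipv4(bytes([8, 0, 0, 0, 0, 1, 0, 1]), proto=IPPROTO_ICMP)

if __name__ == "__main__":
    for label, pkt in [("plain", PLAIN), ("first fragment", FIRST_FRAGMENT),
                       ("later fragment", LATER_FRAGMENT), ("source routed", SOURCE_ROUTED)]:
        print(f"{label:15s} {filter_decision(pkt)}")
    print("echo request type/code:", icmp_type_code(ECHO_REQUEST))
```

The fragment check has to look at both the More Fragments flag and the offset: the first fragment of a datagram carries the flag with offset 0, the last carries a non-zero offset with the flag clear. The options check is the cheap one, header length greater than 20 bytes, which is why it costs so little to leave enabled.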


Configuring Application Filters

Application Filter Overview

Configuring the SMTP Filter

Configuring the Streaming Media Filter

Configuring the HTTP Redirector Filter

Configuring the H.323 Filter

Application filters provide an extra layer of security for the Firewall service. Unlike IP packet filters, which make forwarding decisions based on the header of each IP packet, application filters can examine entire transactions between a client application and a server application, such as an entire e-mail message. An application filter can also examine transactions that use more than one protocol. An application filter can perform protocol-specific or system-specific tasks, such as authentication and virus checking. ISA Server uses application filters to support protocols that are more complex, such as the FTP protocol.

Application filters operate in addition to packet filters and access rules. To enable network traffic to pass through ISA Server, you must also configure any required packet filters or protocol rules.

Several application filters are installed with ISA Server. You can enable and configure these filters to meet the needs of your organization. In-house developers or third-party developers can also create additional application filters.

You can use application filters only if you install ISA Server in Firewall mode or in Integrated mode.

Topic Objective: To identify topics related to configuring application filters.

Application Filter Overview

[Slide: the application filters installed with ISA Server: DNS Intrusion Detection Filter, FTP Access Filter, H.323 Filter, HTTP Redirector Filter, POP Intrusion Detection Filter, RPC Filter, SMTP Filter, SOCKS V4 Filter, Streaming Media Filter.]

By default, ISA Server enables all of the application filters that are installed with ISA Server, except for the SMTP filter. Application filters register with the Firewall service and are automatically loaded when you start the Firewall service.

ISA Server includes the following application filters:

DNS Intrusion Detection filter. Detects DNS traffic that indicates some types of network intrusions that use DNS.

For more information about DNS intrusions, see Module 8, “Monitoring and Reporting,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.

FTP Access filter. Enables ISA Server to support the FTP protocol.

H.323 filter. Controls incoming and outgoing network traffic that uses the H.323 protocol. Applications that use the H.323 protocol provide multimedia services to clients, such as multimedia conferencing and Internet telephony.

HTTP Redirector filter. Redirects Web requests from Firewall clients and SecureNAT clients to the Web Proxy service, directly to the requested Web site, or blocks such requests.

POP Intrusion Detection filter. Detects traffic that indicates some types of network intrusions that use the Post Office Protocol (POP).

Topic Objective: To describe the application filters that are available in ISA Server.

Delivery Tip: Explain that you can modify some application filters, but that other application filters, such as the FTP Access Filter, do not require or allow any customization.

For more information about POP intrusions, see Module 8, “Monitoring and Reporting,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.

RPC filter. Enables the publishing of servers that use remote procedure calls (RPCs).

SMTP filter. Screens incoming SMTP traffic and e-mail messages and rejects, holds or forwards them based on the sender or sender domain, attachment name, extension or size, keywords in the message, or the SMTP commands used.

SOCKS V4 filter. Allows ISA Server to respond to clients that use the SOCKS protocol.

Streaming Media Filter. Allows Firewall clients and SecureNAT clients to use protocols for gaining access to streaming media services, such as those provided by Microsoft Windows Media™ Technology (WMT) Server.

To enable or disable an application filter:

1. In ISA Management, in the console tree, expand your server or array, expand Extensions, and then click Application Filters.

2. In the details pane, right-click the appropriate application filter, and then click Properties.

3. On the General tab, select or click to clear the Enable this filter check box, and then click OK.

Developers can also create Web filters, which screen and route Web content. Web filters can monitor, evaluate, and intercept HTTP communication between an internal network and the Internet. Web filters load when you start the Web Proxy service. For more information about creating Web filters, see the documentation that is included with the ISA Server Software Development Kit (SDK).


Configuring the SMTP Filter

[Slide: the SMTP Filter Properties dialog box. The General tab shows Vendor: Microsoft, Version: 3.0 RC 1, Description: Filters SMTP traffic, and the Enable this filter check box; the other tabs are Attachments, Users/Domains, Keywords and SMTP Commands.]

After you create IP packet filters that allow incoming SMTP traffic to reach the mail server, you must enable the SMTP filter. The SMTP filter screens SMTP traffic that arrives on port 25 of the ISA Server computer. For example, you can configure the SMTP filter to check for buffer overrun attacks. A buffer overrun attack occurs when an SMTP command is specified with a line length that exceeds a specific value. Some third-party SMTP servers are vulnerable to such attacks, which may allow an intruder to run arbitrary commands on the mail server.

You can also configure the SMTP filter to block specific SMTP commands. For example, you can block the VRFY command to prevent an intruder from using this command to gain information about users in the organization. In addition, the SMTP filter can screen incoming e-mail messages based on the user or the domain and can drop or redirect messages from the specific users or domains.

The SMTP application filter can also screen e-mail messages based on attachments and keywords. For example, you can configure the SMTP application filter to reject e-mail messages that contain an attachment that indicates a known e-mail virus.

Topic Objective: To describe the procedure that you use to configure the SMTP filter.

Delivery Tip: Explain to students that some functionality of the SMTP filter depends on the Message Screener. For more information, refer students to Module 7, "Configuring Access to Internal Resources," in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.

To screen e-mail messages for specific attachments, users, domains, or keywords, you must install the Message Screener. The Message Screener is an optional ISA Server component that you usually install on a separate computer on your network. For more information about how to configure servers in your network to enable content filtering of SMTP traffic, see Module 7, “Configuring Access to Internal Resources,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.

To configure the SMTP filter:

1. In ISA Management, in the console tree, expand your server or array, expand Extensions, and then click Application Filters.

2. In the details pane, right-click SMTP Filter, and then click Properties.

3. Perform the following actions in the SMTP Filter Properties dialog box, and then click OK.

To / Do this

Stop users from sending messages to the SMTP server
On the Users/Domains tab, in the Sender's name box, type the e-mail address of the sender from whom e-mail messages will be rejected, and then click Add.

Stop domains from sending messages to the SMTP server
On the Users/Domains tab, in the Domain Name box, type the name of the DNS domain from which e-mail messages will be rejected, and then click Add.

Configure attachments for the SMTP application filter
On the Attachments tab, click Add. In the Mail Attachment Rule dialog box, select the Enable attachment rule check box, and then click one of the following:

Attachment name. Type the name of the attachment.

Attachment extension. Type a file extension. For example, to prohibit attachments with an .exe extension, type .exe.

Attachment size limit. Type the maximum size of the attachment. Some e-mail attacks involve overloading a mail server with large attachments.

In the Action list, select Delete message, Hold message, or Forward messages to, and then type the forwarding address.

Configure keywords for the SMTP application filter
On the Keywords tab, click Add. Click Enable keyword rule. In the Keyword box, type the keyword string. Under Apply action if keyword is found in, select one of the following options to indicate which part of the e-mail message the SMTP application filter checks for the keyword:

Message header or body

Message header

Message body

In the Action list, select Delete message, Hold message, or Forward messages to, and then type the forwarding address.

Disallow an SMTP command
On the SMTP Commands tab, double-click the appropriate command. In the SMTP Command Rule dialog box, click to clear the Enable an SMTP command check box.

Configure the SMTP application filter buffer overflow thresholds
On the SMTP Commands tab, double-click the appropriate command. In the SMTP Command Rule dialog box, select the Enable an SMTP command check box. In the Maximum Length box, type the maximum length of the command line for that SMTP command.
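The following Python is added here as an example; it is not part of ISA Server, the Message Screener or the course materials. It sketches the checks that the procedure above configures: a per-command enable flag and maximum command-line length, rejected senders and domains, attachment extension and size rules, and a keyword rule. The rule values, addresses and messages are constructed for the example and are not ISA Server defaults.

```python
"""Added example (not ISA Server or Message Screener code): the kinds of checks
the SMTP filter describes, applied to constructed SMTP command lines and a
constructed MIME message. Command limits, blocked senders and domains, and the
attachment and keyword rules are assumptions for the example."""
import email
from email import policy, utils
from email.message import EmailMessage
from typing import Optional, Tuple

# verb -> (enabled, maximum command-line length). VRFY and EXPN are disabled
# because both let a remote client enumerate mailboxes; the length cap models
# the buffer-overrun threshold. Values are constructed for the example.
COMMAND_RULES = {
    "HELO": (True, 80), "EHLO": (True, 80), "MAIL": (True, 266), "RCPT": (True, 266),
    "DATA": (True, 4), "RSET": (True, 4), "NOOP": (True, 4), "QUIT": (True, 4),
    "VRFY": (False, 5), "EXPN": (False, 5),
}
BLOCKED_SENDERS = {"spammer@example.com"}
BLOCKED_DOMAINS = {"badmail.example"}
ATTACHMENT_RULES = [
    {"extension": ".exe", "action": "Delete message"},
    {"size_limit": 1000, "action": "Hold message"},
]
KEYWORD_RULES = [
    {"keyword": "free lottery", "where": "body", "action": "Delete message"},
]


def screen_command(line: str) -> str:
    """Screen one SMTP command line before it reaches the mail server."""
    verb = line.split(" ", 1)[0].upper()
    rule = COMMAND_RULES.get(verb)
    if rule is None:
        return "reject: unknown command"
    enabled, max_len = rule
    if not enabled:
        return "reject: command disabled"
    if len(line) > max_len:
        return "reject: command line too long"
    return "accept"


def screen_message(raw: bytes) -> str:
    """Return 'accept' or the action of the first rule the message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = utils.parseaddr(str(msg.get("From", "")))[1].lower()
    if sender in BLOCKED_SENDERS:
        return "Delete message (blocked sender)"
    if sender.rsplit("@", 1)[-1] in BLOCKED_DOMAINS:
        return "Delete message (blocked domain)"
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        size = len(part.get_payload(decode=True) or b"")
        for rule in ATTACHMENT_RULES:
            if "extension" in rule and name.endswith(rule["extension"]):
                return rule["action"] + " (attachment extension)"
            if "size_limit" in rule and size > rule["size_limit"]:
                return rule["action"] + " (attachment size)"
    header_text = "\n".join(f"{k}: {v}" for k, v in msg.items()).lower()
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body_text = body_part.get_content().lower() if body_part is not None else ""
    for rule in KEYWORD_RULES:
        kw, where = rule["keyword"].lower(), rule["where"]
        if (where in ("header", "both") and kw in header_text) or \
           (where in ("body", "both") and kw in body_text):
            return rule["action"] + f" (keyword in {where})"
    return "accept"


def build_message(sender: str, body: str,
                  attachment: Optional[Tuple[str, bytes]] = None) -> bytes:
    """Construct a sample message for the example."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@contoso.example"
    msg["Subject"] = "example"
    msg.set_content(body)
    if attachment is not None:
        name, data = attachment
        msg.add_attachment(data, maintype="application", subtype="octet-stream",
                           filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for line in ("HELO mail.contoso.example", "VRFY root", "HELO " + "a" * 200):
        print(f"{line[:30]:30s} {screen_command(line)}")
    print(screen_message(build_message("alice@contoso.example", "see attached",
                                       ("invoice.exe", b"MZ\x90\x00"))))
```

The command check runs on every line of the SMTP dialogue before the mail server sees it, which is what lets the filter stop an over-long command regardless of whether the server behind it is vulnerable. The message checks need the whole message, which is why the text above says they depend on the Message Screener.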


Configuring the Streaming Media Filter

[Slide: the Streaming Media Filter Properties dialog box, Live Stream Splitting tab, used to select the WMT live stream splitting mode. The options are Disable WMT live stream splitting, Split live streams using a local WMT server, and Split live streams using the following WMT server pool, which lists WMT Server Addresses with Add, Edit, Remove and Browse buttons and takes a WMT server administrator account (User account, Password, Confirm password).]

The Streaming Media filter enables Firewall Clients and SecureNAT clients to use popular streaming media protocols to gain access to media streaming servers. Streaming media technology allows the distribution of audio and video on the Internet as a continuous real-time stream. A server application transmits the media stream to a client application. The client application can start displaying the video or play the audio immediately or as soon as enough of the media stream is received and stored in the application’s buffer.

The Streaming Media filter supports the following streaming media protocols:

Microsoft Windows Media (MMS), which allows Microsoft Windows Media™ Player client access and server publishing.

Progressive Networks Protocol (PNM), which allows RealPlayer client access and server publishing.

Real Time Streaming Protocol (RTSP), which allows RealPlayer G2 and QuickTime 4 client access and server publishing.

In addition, the Streaming Media filter can improve the performance of the streaming media for clients by splitting the live streams.

Configuring Live Stream Splitting

Configuring live stream splitting enables the Streaming Media filter to obtain the media stream from the Internet and then make it available on a WMT Server computer or WMT Server pool for access by clients. To allow SecureNAT clients or Firewall clients to take advantage of live stream splitting, no client configuration is required.

If you configure ISA Server to make streaming media available on a single WMT Server computer, the Windows Media Services, an optional component of Windows 2000 Server, must be installed on the ISA Server computer. If you transmit the live stream by using a pool of one or more WMT Server computers, this pool can be located anywhere on your internal network.

Topic Objective: To describe the procedure that you use to configure the Streaming Media filter.

Lead-in: The Streaming Media filter enables Firewall clients and SecureNAT clients to use popular streaming media protocols to gain access to media streaming servers.

Delivery Tip: Explain the use of WMT and Windows Media Services.

…of filters to obtain information from the Internet once, then make it available locally on a

To use live stream splitting, you must install Windows Media Service on the ISA Server computer. If you use a WMT server pool, you need to install only the Windows Media Service administration tool on the ISA Server computer.

To configure live stream splitting for a streaming media filter:

1. In ISA Management, in the console tree, expand your server or array, expand Extensions, and then click Application Filters.

2. In the details pane, right-click Streaming Media Filter, and then click Properties.

3. On the Live Stream Splitting tab, click one of the following options, and then click OK.

To disable live stream splitting: click Disable WMT live stream splitting.

To enable splitting of media streams by using the ISA Server computer: click Split live streams using a local WMT server.

To enable splitting of media streams by using a WMT Server pool on your network: click Split live streams using the following WMT server pool, click Add, and then type the IP address of the WMT Server pool.

4. If you are enabling splitting of media streams by using a WMT Server pool, in the User account box, type the user name of the WMT Server administrator account. In the Password box and in the Confirm password box, type the account password, and then click OK.

Note: The user account that you specify must be a member of the Netshow Administrators group on each WMT Server computer.

Configuring the HTTP Redirector Filter

Slide: HTTP Redirector Filter Properties dialog box, Options tab. Response to HTTP requests: Redirect to local Web Proxy service (with the check box If the local service is unavailable, redirect requests to requested Web server); Send to requested Web server; Reject HTTP requests from Firewall and SecureNAT clients. Callout: Select an option to redirect HTTP requests.

The HTTP Redirector filter forwards HTTP requests from Firewall clients and SecureNAT clients to the Web Proxy service on the ISA Server computer. By using the HTTP Redirector filter, HTTP requests are cached, even if users on a Firewall client computer or SecureNAT client computer do not configure their Web browser to use the ISA Server computer as a Web Proxy server. Redirecting HTTP requests improves client performance and allows you to apply site and content rules to Firewall clients and SecureNAT clients.

HTTP Redirector Filter Options

You can configure the HTTP Redirector filter to perform one of the following actions:

Redirect requests to the Web Proxy service. This option is the default option for the HTTP Redirector filter. When choosing redirection, you can also configure ISA Server to send the request directly to the Web server if the Web Proxy service is unavailable.

Send requests to the Web server. Requests bypass the Web Proxy service and the objects are not cached. Choose this option if you do not want the ISA Server computer to cache HTTP requests from Firewall clients or from SecureNAT clients.

Discard HTTP requests. Discards all HTTP requests from Firewall clients and SecureNAT clients. Choose this option when you want to require all clients that use the HTTP protocol to be configured as Web Proxy clients.

Topic Objective: To describe the procedure that you use to configure the HTTP Redirector filter.

Lead-in: The HTTP Redirector filter forwards HTTP requests from Firewall clients and SecureNAT clients to the Web Proxy service.

Key Point: Redirecting HTTP requests improves client performance and enables you to apply site and content rules to Firewall clients and SecureNAT clients.

Delivery Tip: Explain that the default setting works best in most situations.

When the HTTP Redirector filter passes a request from a Firewall client to the Web Proxy service, the client's authentication information is lost. Therefore, the Web Proxy service treats all HTTP and FTP requests that originate from Firewall clients as unauthenticated. If you configured the Web Proxy service to require authentication, ISA Server denies requests from Firewall clients. SecureNAT clients never send authentication information.

Configuring Redirection Options

To configure the HTTP Redirector filter:

1. In ISA Management, in the console tree, expand your server or array, expand Extensions, and then click Application Filters.

2. In the details pane, right-click HTTP Redirector Filter, and then click Properties.

3. On the Options tab, click the appropriate option, and then click OK.

Configuring the H.323 Filter

Slide: H.323 Filter Properties dialog box, Call Control tab. Gatekeeper location: Use this Gatekeeper (LONDON, Browse). Call direction: Allow incoming calls; Allow outgoing calls; Use DNS gatekeeper lookup and LRQs for alias resolution. Media Control: Allow audio; Allow video; Allow T120 and application sharing. Callouts: Specify an H.323 Gatekeeper. Select one or more media options.

The H.323 filter enables users who use conferencing applications, such as Microsoft NetMeeting®, to communicate with others over the Internet by using video, audio, and application sharing. You can configure the H.323 filter to limit client access to certain media, such as denying access to video or data sharing.

Topic Objective: To describe the procedure that you use to configure the H.323 filter.

Lead-in: The H.323 filter enables users who use conferencing applications, such as NetMeeting, to communicate with others over the Internet by using video, audio, and application sharing.

Note: To enable multiple H.323 sessions and to improve efficiency, you can configure an H.323 Gatekeeper. For more information on H.323 Gatekeepers, see Module 7, “Configuring Access to Internal Resources,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.

To configure the H.323 filter:

1. In ISA Management, in the console tree, expand Extensions, and then click Application Filters.

2. In the details pane, right-click H.323 Filter, and then click Properties.

3. On the Call Control tab, select the Use this Gatekeeper check box, and then specify the computer that runs the H.323 Gatekeeper.

4. Select one or more of the following options, and then click OK:

Allow incoming calls. Permits people in other organizations to call people in your organization over the Internet.

Allow outgoing calls. Permits people in your organization to call people in other organizations over the Internet.

Use DNS gatekeeper lookup and LRQs for alias resolution. Enables the use of DNS to look up H.323 aliases for outgoing calls.

Allow audio. Permits audio calls.

Allow video. Permits video calls.

Allow T120 and application sharing. Permits T.120 data and application sharing.

Lab A: Configuring the Firewall

Objectives

After completing this lab, you will be able to:

Secure an ISA Server computer.

Create IP packet filters.

Configure the SMTP filter.

Topic Objective: To introduce the lab.

Lead-in: In this lab, you will configure an ISA Server computer as a firewall.

Explain the lab objectives.

Prerequisites

Before working on this lab, you must have experience using ISA Management.

Lab Setup

To complete this lab, you need the following:

A computer running Microsoft Windows 2000 Advanced Server with ISA Server installed.

A computer running Windows 2000 Advanced Server that is configured as a Firewall client and as a Web Proxy client and that has ISA Management installed.

A protocol rule that allows all members of the Domain Admins group to gain access to the Internet by using any protocol.

Scenario

You want to connect the ISA Server computer at Northwind Traders to the Internet and use it as a firewall. Because this ISA Server computer will be accessible directly from the Internet, you decide to configure it for a high level of security before you permanently connect the computer to the Internet. You also want to allow an application on the ISA Server computer to connect to the Internet to download product updates to the ISA Server computer. Next, you want to allow users on the Internet to connect to a public Web site that is running on the ISA Server computer. Finally, you want to secure Northwind Traders’ mail servers by configuring the SMTP filter on the ISA Server computer.

Estimated time to complete this lab: 30 minutes

Exercise 1
Securing the ISA Server Computer

In this exercise, you will secure the ISA Server computer by running the Server Security Configuration Wizard.

Scenario

You have installed ISA Server on a new computer at Northwind Traders that you will use as a firewall. Because this computer will be accessible directly from the Internet, you decide to configure it for a high level of security before you permanently connect the computer to the Internet.

Tasks | Detailed steps

Perform the following step on the ISA Server computer and the ISA Server client computer.

1. Log on as [email protected] (where domain is the name of your domain) with a password of password.

Log on as [email protected] (where domain is the name of your domain) with a password of password.

Perform the following steps only on the ISA Server computer.

2. Use the Security Configuration Wizard to configure your computer with the default Windows 2000 security settings.

a. Open ISA Management from the Microsoft ISA Server menu.

b. In ISA Management, in the console tree, expand Servers and Arrays, expand server (where server is the name of the ISA Server computer), expand Access Policy, and then click IP Packet Filters.

c. In the details pane, click Secure Your ISA Server Computer.

d. In the ISA Server Security Configuration Wizard, read the warning, and then click Next.

ISA Server allows you to configure your computer’s system security to one of three levels. To avoid conflicts with other labs, you will select the lowest possible setting to ensure that all of the other services will continue to run after you apply the security settings.

e. On the Select System Security Level page, ensure that Secure is selected, and then click Next.

f. On the Congratulations page, click Finish.

ISA Server applies the Windows 2000 security setting that you chose. This process takes several minutes. ISA Management does not respond while the wizard applies these settings.

g. In the ISA Server dialog box, click OK.

h. Close ISA Management, and then restart your computer.

i. After your computer restarts, log on as [email protected] (where domain is the name of your domain) with a password of password.

j. Open Windows Explorer, and then double-click C:\Program Files\Microsoft ISA Server\securwiz.log.

Notice that the wizard changed the security settings for a number of registry keys, files, system services, and security policies.

k. Close Notepad, and then close Windows Explorer.

Exercise 2
Creating IP Packet Filters

In this exercise, you will create IP packet filters.

Scenario

You are running a third-party application on the ISA Server computer. This application must periodically connect to the Internet to automatically download product updates. You must configure the ISA Server computer with an IP packet filter so that it allows these connections to Web sites of software vendors. You are also using a third-party ISA Server extension that scans incoming files for viruses. This extension automatically downloads virus updates from the extension vendor’s Web site. Because you want to take some time to test the extension with a specific set of virus signatures, you want to temporarily prevent the extension from downloading new signatures. To suspend this activity temporarily, you will create an IP packet filter that prevents all connections to the vendor’s Web site. After you have finished configuring the ISA Server computer, you will disable all of the IP packet filters that you created until you are ready to connect the ISA Server computer to the Internet permanently.

Tasks | Detailed steps

Before continuing, ensure that your partner has finished the preceding exercise, and then perform the following steps on the ISA Server computer and the ISA Server client computer.

1. Configure ISA Server to perform IP routing.

a. Open ISA Management from the Microsoft ISA Server menu.

b. In ISA Management, in the console tree, expand Servers and Arrays, expand server (where server is the name of the ISA Server computer), expand Access Policy, and then click IP Packet Filters.

c. In ISA Management, in the details pane, click Configure Packet Filtering and Intrusion Detection.

d. In the IP Packet Filters Properties dialog box, on the General tab, ensure that the Enable IP routing check box is selected.

e. On the Packet Filters tab, select the Enable filtering of IP fragments and the Enable filtering IP options check boxes, and then click OK.

f. Minimize ISA Management.

Perform the following steps only on the ISA Server computer.

2. Configure Microsoft Internet Explorer to not use a proxy server. Create an IP packet filter that allows outbound TCP connections from a client application that is running on the ISA Server computer to TCP port 80 on all remote computers. Test the packet filter by connecting from the ISA Server computer to http://www.contoso.msft.

a. On the desktop, right-click Internet Explorer, and then click Properties.

b. In the Internet Options dialog box, on the Connections tab, click LAN Settings.

c. Click to clear the Use a proxy server check box, and then click OK twice.

Internet Explorer no longer uses the Web Proxy service to retrieve Web content. Because Internet Explorer will connect directly to the Internet, you must configure a protocol rule for ISA Server to allow such connections.

d. Open Internet Explorer.

e. In Internet Explorer, in the Address box, type http://www.contoso.msft and then press ENTER.

Internet Explorer is unable to connect to the Web site. Internet Explorer is unable to connect because Internet Explorer is not configured as a Web Proxy client and because you have not configured an IP packet filter to allow a direct connection to the instructor computer from the ISA Server computer.

f. Minimize Internet Explorer.

Perform the following steps on the ISA Server computer and the ISA Server client computer.

g. Restore ISA Management.

h. In ISA Management, in the details pane, click Create a Packet Filter.

i. In the New IP Packet Filter Wizard, in the IP packet filter name box, type x Allow Outgoing Port 80 (where x is your assigned student number), and then click Next.

j. On the Filter Mode page, ensure that Allow packet transmission is selected, and then click Next.

k. On the Filter Type page, click Custom, and then click Next.

l. On the Filter Settings page, in the IP protocol list, click TCP, and then in the Direction list, click Outbound.

m. In the Local port list, click Dynamic, and then in the Remote port list, click Fixed port.

n. In the Port number box next to the Remote port list, type 80 and then click Next.

o. On the Local Computer page, ensure that Default IP addresses for each external interface on the ISA Server computer is selected, and then click Next.

p. On the Remote Computers page, ensure that All remote computers is selected, and then click Next.

q. On the Completing the New IP Packet Filter Wizard page, click Finish.

Before continuing, ensure that your partner has finished the preceding steps, and then wait for one minute. Perform the following steps only on the ISA Server computer.

r. Restore Internet Explorer.

s. In Internet Explorer, in the Address box, type http://www.contoso.msft and then press ENTER.

Internet Explorer displays the Web site. The IP packet filter that you created allows TCP connections to be established to port 80 on remote computers.

t. Close Internet Explorer.

Before continuing, ensure that your partner has finished the preceding steps, and then perform the following steps on the ISA Server computer and the ISA Server client computer.

3. Create an IP packet filter that blocks all outbound TCP connections to the IP address 192.168.y.200 (where y is the third octet of your classroom network), and then test the packet filter by connecting from the ISA Server computer to http://www.contoso.msft.

a. In ISA Management, in the details pane, click Create a Packet Filter.

b. In the New IP Packet Filter Wizard, in the IP packet filter name box, type x Block outgoing traffic to www.contoso.msft (where x is your assigned student number), and then click Next.

c. On the Filter Mode page, click Block packet transmission, and then click Next.

d. On the Filter Type page, click Custom, and then click Next.

e. On the Filter Settings page, in the IP protocol list, click TCP, and then in the Direction list, click Outbound.

f. In the Local port list, ensure that All ports is selected.

g. In the Remote port list, click Fixed port, in the Port number box next to the Remote port list, type 80 and then click Next.

h. On the Local Computer page, ensure that Default IP addresses for each external interface on the ISA Server computer is selected, and then click Next.

i. On the Remote Computers page, click Only this remote computer, and then type 192.168.y.200 (where y is the third octet of your classroom network), and then click Next.

j. On the Completing the New IP Packet Filter Wizard page, click Finish.

Before continuing, ensure that your partner has finished the preceding steps, and then wait for one minute. Perform the following steps on the ISA Server computer and the ISA Server client computer.

k. Open Internet Explorer.

l. In Internet Explorer, in the Address box, type http://www.contoso.msft and then press ENTER.

After a delay of up to two minutes, Internet Explorer displays a message indicating that the page cannot be displayed. The IP packet filter that you created blocks all connections to the remote computer that you are attempting to connect to. The packet filter that blocks the request applies to all types of connections, including direct connections from the ISA Server computer and connections that the Web Proxy service attempts to establish on behalf of a Web Proxy client.

m. Close Internet Explorer.

Before continuing, ensure that your partner has finished the preceding steps, and then perform the following steps on the ISA Server computer and the ISA Server client computer.

Note: After you installed ISA Server, you configured IIS to use TCP port 80 for HTTP connections to the Default Web Site. When you create a packet filter to allow connections from Web browsers on the Internet, you must specify TCP port 8008 in the packet filter definition.

4. Create an IP packet filter that allows inbound TCP connections from any computer to port 8008 on the external network interface of the ISA Server computer, and then test the packet filter by asking your instructor to use Internet Explorer to connect to http://ip_address:8008 (where ip_address is the IP address of the ISA Server computer on the classroom network).

a. In ISA Management, in the details pane, click Create a Packet Filter.

b. In the New IP Packet Filter Wizard, in the IP packet filter name box, type x Allow Incoming Port 8008 (where x is your assigned student number), and then click Next.

c. On the Filter Mode page, ensure that Allow packet transmission is selected, and then click Next.

d. On the Filter Type page, click Custom, and then click Next.

e. On the Filter Settings page, in the IP protocol list, click TCP, and then in the Direction list, click Inbound.

f. In the Local port list, click Fixed port, and then in the Port number box next to the Local port list, type 8008

g. In the Remote port list, ensure that All ports is selected, and then click Next.

h. On the Local Computer page, ensure that Default IP addresses for each external interface on the ISA Server computer is selected, and then click Next.

i. On the Remote Computers page, ensure that All remote computers is selected, and then click Next.

j. On the Completing the New IP Packet Filter Wizard page, click Finish.

Before continuing, ensure that your partner has finished the preceding steps.

k. Ask your instructor to use Internet Explorer to connect to http://ip_address:8008 (where ip_address is the IP address of the ISA Server computer on the classroom network).

Your instructor sees the Web page on the ISA Server computer because you have allowed incoming traffic on TCP port 8008.

Before continuing, ensure that your instructor has tested the IP packet filter that you created. Perform the following steps only on the ISA Server computer.

5. Configure Internet Explorer as a Web Proxy client.

a. Minimize ISA Management.

b. On the desktop, right-click Internet Explorer, and then click Properties.

c. In the Internet Options dialog box, on the Connections tab, click LAN Settings.

d. Select the Use a proxy server check box, ensure that the Address box contains the ISA Server computer’s IP address on the private network, ensure that the Port box contains 8080, and then click OK twice.

e. Restore ISA Management.

Perform the following steps on the ISA Server computer and the ISA Server client computer.

6. Disable all of the IP packet filters that you created, and then log off.

a. In ISA Management, in the console tree, click IP Packet Filters.

b. In the details pane, click each of the IP packet filters that you created, and then on the Action menu, click Disable. Perform this step for each of the following packet filters:

x Allow Outgoing Port 80 (where x is your assigned student number)

x Block outgoing traffic to www.contoso.msft (where x is your assigned student number)

x Allow Incoming Port 8008 (where x is your assigned student number)
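The three filters built in this exercise (and the Telnet block filter asked for in review question 2) behave as they do because ISA Server gives a Block filter precedence over an Allow filter that also matches, and drops anything no enabled filter allows. The model below is an added illustration, not ISA Server code; the addresses are constructed (y = 1 in the lab's 192.168.y.200 notation), and treating the Dynamic local-port choice as the 1025-5000 ephemeral range is an assumption.

```python
"""Model of ISA Server IP packet filter evaluation (added example, not ISA code).

Rebuilds the filters from Exercise 2 plus the Telnet block filter from review
question 2, and shows: Block beats Allow when both match, a packet that no
enabled filter allows is dropped (the default deny that stopped Internet
Explorer in step 2e), and a disabled filter is ignored (step 6).
"""
from dataclasses import dataclass
from typing import Optional, Union

ISA_EXTERNAL_IP = "192.168.1.10"   # constructed external address of the ISA Server computer
VENDOR_WEB_IP = "192.168.1.200"    # the lab's 192.168.y.200 with y = 1 (constructed)

# Assumption: "Dynamic" in the Local port list means the Windows 2000
# ephemeral range 1025 through 5000.
DYNAMIC_PORTS = range(1025, 5001)

PortSpec = Union[None, int, str]   # None = All ports, int = Fixed port, "Dynamic"


@dataclass(frozen=True)
class Packet:
    protocol: str      # "TCP", "UDP" or "ICMP"
    direction: str     # "Inbound" or "Outbound" on the external interface
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int


@dataclass
class PacketFilter:
    name: str
    mode: str                         # "Allow" or "Block" (Filter Mode page)
    protocol: str
    direction: str
    local_port: PortSpec = None
    remote_port: PortSpec = None
    local_ip: str = ISA_EXTERNAL_IP   # "Default IP addresses for each external interface"
    remote_ip: Optional[str] = None   # None = All remote computers
    enabled: bool = True

    def matches(self, pkt: Packet) -> bool:
        return (self.enabled
                and pkt.protocol == self.protocol
                and pkt.direction == self.direction
                and pkt.local_ip == self.local_ip
                and (self.remote_ip is None or pkt.remote_ip == self.remote_ip)
                and _port_ok(self.local_port, pkt.local_port)
                and _port_ok(self.remote_port, pkt.remote_port))


def _port_ok(spec: PortSpec, port: int) -> bool:
    if spec is None:
        return True
    if spec == "Dynamic":
        return port in DYNAMIC_PORTS
    return port == spec


def evaluate(filters, pkt):
    """Return ("Block", name), ("Allow", name) or ("Drop", None).

    Block filters are consulted before Allow filters, so the block filter for
    www.contoso.msft wins even though the port 80 Allow filter matches too.
    """
    hits = [f for f in filters if f.matches(pkt)]
    for f in hits:
        if f.mode == "Block":
            return ("Block", f.name)
    for f in hits:
        if f.mode == "Allow":
            return ("Allow", f.name)
    return ("Drop", None)


def lab_filters(student="1", disabled=()):
    """The Exercise 2 filters, named as the lab names them; `disabled` lists
    names to switch off, as step 6 does with the Action menu's Disable."""
    filters = [
        PacketFilter(f"{student} Allow Outgoing Port 80", "Allow", "TCP", "Outbound",
                     local_port="Dynamic", remote_port=80),
        PacketFilter(f"{student} Block outgoing traffic to www.contoso.msft", "Block",
                     "TCP", "Outbound", local_port=None, remote_port=80,
                     remote_ip=VENDOR_WEB_IP),
        PacketFilter(f"{student} Allow Incoming Port 8008", "Allow", "TCP", "Inbound",
                     local_port=8008, remote_port=None),
        # Review question 2: never accept packets intended for TCP port 23.
        PacketFilter("Block Incoming Telnet", "Block", "TCP", "Inbound", local_port=23),
    ]
    for f in filters:
        if f.name in disabled:
            f.enabled = False
    return filters


def outbound_http(remote_ip, local_port=3021):
    """Constructed outbound HTTP packet from an ephemeral local port."""
    return Packet("TCP", "Outbound", ISA_EXTERNAL_IP, local_port, remote_ip, 80)


def inbound_tcp(local_port, remote_ip="203.0.113.7", remote_port=40000):
    """Constructed inbound TCP packet from an Internet host."""
    return Packet("TCP", "Inbound", ISA_EXTERNAL_IP, local_port, remote_ip, remote_port)


if __name__ == "__main__":
    filters = lab_filters()
    for pkt in (outbound_http("203.0.113.50"), outbound_http(VENDOR_WEB_IP),
                inbound_tcp(8008), inbound_tcp(80), inbound_tcp(23)):
        print(pkt.direction, pkt.remote_ip, pkt.local_port, "->", evaluate(filters, pkt))
```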

Exercise 3
Configuring the SMTP Filter

In this exercise, you will configure the SMTP filter.

Scenario

You must ensure that ISA Server enforces the parts of Northwind Traders’ security policy that define acceptable SMTP traffic. To do this, you will configure the SMTP filter to prevent the use of the VRFY command and hold SMTP messages that contain attachments with .exe and .com extensions from being delivered to users.

Tasks | Detailed steps

Before continuing, ensure that your partner has finished the preceding exercise, and then perform the following steps on the ISA Server computer and the ISA Server client computer.

1. Configure the SMTP filter to block the VRFY command.

a. In the console tree, expand Extensions, and then click Application Filters.

b. In the details pane, right-click SMTP Filter, and then click Properties.

c. In the SMTP Filter Properties dialog box, on the SMTP Commands tab, click VRFY, and then click Edit.

d. In the SMTP Command Rule dialog box, click to clear the Enable an SMTP command check box, and then click OK.

The VRFY command displays as disabled.

2. On the ISA Server computer, configure the SMTP filter to hold all messages with an .exe extension. On the ISA Server client computer, configure the SMTP filter to hold all messages with a .com extension.

a. On the Attachments tab, click Add.

b. In the Mail Attachment Rule dialog box, click Attachment extension.

c. On the ISA Server computer only, type .exe

d. On the ISA Server client computer only, type .com

e. In the Action list, click Hold message, and then click OK.

The attachment rule that you created displays as enabled.

3. Enable the SMTP filter, and then log off.

a. On the General tab, select the Enable this filter check box, and then click OK.

b. In the ISA Server Warning dialog box, click Save the changes and restart the service(s), and then click OK.

c. Close all open windows, and then log off.
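Both SMTP filter controls used in this module, the per-command rule with its Maximum Length (the buffer overflow thresholds procedure earlier in the module) and the attachment rule with the Hold message action configured in this exercise, reduce to the checks below. This is an added example, not ISA Server code; the rule values, the 512-byte default length and the sample message are constructed.

```python
"""Model of the ISA Server SMTP filter rules (added example, not ISA code).

Two checks are shown: per-command enable/disable with a maximum command-line
length (SMTP Commands tab) and attachment-extension rules whose action is
Hold message (Attachments tab).
"""
from dataclasses import dataclass
from email import message_from_string
import os


@dataclass(frozen=True)
class CommandRule:
    enabled: bool
    max_length: int   # Maximum Length for the whole command line, in bytes


# Constructed policy after Exercise 3: VRFY disabled, every other verb capped.
# 512 is RFC 5321's command-line limit, used here only as a placeholder value.
COMMAND_RULES = {
    "HELO": CommandRule(True, 512), "EHLO": CommandRule(True, 512),
    "MAIL": CommandRule(True, 512), "RCPT": CommandRule(True, 512),
    "DATA": CommandRule(True, 512), "RSET": CommandRule(True, 512),
    "NOOP": CommandRule(True, 512), "QUIT": CommandRule(True, 512),
    "EXPN": CommandRule(True, 512), "HELP": CommandRule(True, 512),
    "VRFY": CommandRule(False, 512),   # step 1 of the exercise
}

# Attachment rules from step 2: extension -> action (only Hold message modelled).
ATTACHMENT_RULES = {".exe": "hold", ".com": "hold"}


def check_command(line: str, rules=COMMAND_RULES):
    """Decide whether one SMTP command line may pass the filter.

    Returns ("allow", verb) or ("reject", reason). The length check runs before
    the enabled check, so an oversized line is refused whatever verb it carries,
    which is the purpose of the Maximum Length threshold.
    """
    verb = line.split(" ", 1)[0].split(":", 1)[0].upper()
    rule = rules.get(verb)
    if rule is None:
        # Assumption: verbs absent from the rule table are treated as not enabled.
        return ("reject", f"unknown command {verb!r}")
    if len(line.encode("utf-8")) > rule.max_length:
        return ("reject", f"{verb} line exceeds {rule.max_length} bytes")
    if not rule.enabled:
        return ("reject", f"command {verb} is disabled")
    return ("allow", verb)


def held_attachments(raw_message: str, rules=ATTACHMENT_RULES):
    """Return the attachment file names that a Hold message rule matches.

    Extensions are compared case-insensitively, so Setup.EXE is caught by .exe.
    """
    msg = message_from_string(raw_message)
    held = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        ext = os.path.splitext(name)[1].lower()
        if rules.get(ext) == "hold":
            held.append(name)
    return held


def screen_message(raw_message: str, rules=ATTACHMENT_RULES):
    """'hold' if any attachment matches a Hold message rule, else 'deliver'."""
    return "hold" if held_attachments(raw_message, rules) else "deliver"


# Constructed MIME message carrying an executable attachment.
SAMPLE_MESSAGE = (
    "From: alice@example.com\r\n"
    "To: bob@example.com\r\n"
    "Subject: update\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="XYZ"\r\n'
    "\r\n"
    "--XYZ\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "See attached.\r\n"
    "--XYZ\r\n"
    "Content-Type: application/octet-stream\r\n"
    'Content-Disposition: attachment; filename="Setup.EXE"\r\n'
    "\r\n"
    "(binary payload omitted)\r\n"
    "--XYZ--\r\n"
)

if __name__ == "__main__":
    for line in ("EHLO client.example.com", "VRFY postmaster", "HELO " + "x" * 600):
        print(line[:40], "->", check_command(line))
    print("sample message ->", screen_message(SAMPLE_MESSAGE), held_attachments(SAMPLE_MESSAGE))
```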

Review

Securing the Server

Examining Perimeter Networks

Examining Packet Filtering and IP Routing

Configuring Packet Filtering and IP Routing

Configuring Application Filters

1. You have been asked to troubleshoot an ISA Server installation that was performed by another administrator. Since installing and configuring ISA Server, the administrator can connect to servers on the Internet by using most protocols, such as the HTTP protocol and the FTP protocol. However, the administrator does not receive any replies when using the Ping utility to test connectivity with Internet hosts. What should you check first when troubleshooting this problem?

Ensure that IP routing is enabled on the ISA Server computer and that there is an IP packet filter that allows the forwarding of the required ICMP packets.

2. You want to ensure that the ISA Server computer never responds to any outside connection attempts that use the Telnet protocol, even if an administrator accidentally installs a Telnet server application on the ISA Server computer. Telnet uses TCP port 23. What must you do to ensure that ISA Server never accepts any packets that are intended for TCP port 23?

You must create an IP packet filter. The IP packet filter must be a Block filter that blocks packets from any source IP address and port with the destination IP address of the ISA Server computer’s external IP address and a destination TCP port of 23.

Topic Objective: To reinforce module objectives by reviewing key points.

Lead-in: The review questions cover some of the key concepts taught in the module.

3. You are running the ISA Server Security Configuration Wizard and you immediately receive a message that the operation failed. During troubleshooting, you notice that a required security template is missing. Further investigation reveals that another administrator modified and renamed the original template. Where can you find the templates and where must you put them for the wizard to run successfully?

The templates are on the Windows 2000 Server compact disc. They must be in the systemroot\security\templates folder for the wizard to run successfully.

4. When must you enable ISA Server IP routing?

You must enable ISA Server IP routing when the ISA Server computer must forward protocols other than TCP and UDP or when you want to make resources in a three-homed perimeter network available.

5. All of the software developers in your organization will participate in training broadcasts that are delivered over the Internet. This training involves weekly live video broadcasts. You are concerned about whether your connection to the Internet will be able to handle multiple simultaneous sessions to the media server. What can you do to reduce the amount of Internet bandwidth that your organization uses for viewing these training sessions?

You can configure the Streaming Media filter for live stream splitting. All of the users in your organization can then gain access to the video stream from an internal server.