Securing the Perimeter – Exchange and VPN Access with ISA Server 2004 Jamie Sharp CISSP Security Advisor Amit Pawar National Technology Specialist Microsoft.

Dec 21, 2015

Transcript
Page 1: Securing the Perimeter – Exchange and VPN Access with ISA Server 2004 Jamie Sharp CISSP Security Advisor Amit Pawar National Technology Specialist Microsoft.

Securing the Perimeter – Exchange and VPN Access with ISA Server 2004

Jamie Sharp, CISSP, Security Advisor
Amit Pawar, National Technology Specialist
Microsoft Australia

Page 2:

Session Overview

Introduction to ISA Server 2004
Securing Access to Internal Servers
Implementing Application and Web Filtering
Securing Access to Exchange Server
Virtual Private Networking with ISA Server 2004

Page 3:

Section: Introduction to ISA Server 2004

Page 4:

Securing the Network Perimeter: What Are the Challenges?

[Diagram: the Internet connecting the main office with a remote user, a business partner, a branch office and wireless clients]

Challenges include:

Determining proper firewall design
Access to resources for remote users
Effective monitoring and reporting
Need for enhanced packet inspection
Security standards compliance

Page 5:

Securing the Network Perimeter: What Are the Design Options?

Bastion host
Three-legged configuration
Back-to-back configuration

[Diagram: the three layouts, showing the Internet, the internal network, a perimeter network (three-legged and back-to-back only) and a published Web server]

Page 6:

Configuring ISA Server to Secure the Network Perimeter

Use ISA Server to:

Provide firewall functionality
Publish internal resources such as Web or Exchange servers
Implement multilayer packet inspection and filtering
Provide VPN access for remote users and sites
Provide proxy and caching services

[Diagram: ISA Server between the Internet and the LAN, a remote user connecting over VPN, and published Web and Exchange servers]

Page 7:

ISA Server 2004 Default Configuration

The ISA Server default configuration blocks all network traffic between networks connected to ISA Server
No servers are published
Access rules include system policy rules and the default access rule
Only members of the local Administrators group have administrative permissions
Default networks are created
Caching is disabled
The Firewall Client Installation Share is accessible if installed

Page 8:

Configuring Access Rules

Types of access rule elements used to create access rules are:

Protocols
User sets
Content types
Schedules
Network objects

Access rules always define: an action (Allow or Deny) on traffic (protocol, IP port/type) from a user, from a source (source network or source IP) to a destination (destination network, destination IP or destination site), with conditions (schedule, content type)

Page 9:

Implementing Network Templates to Configure ISA Server 2004

Deploy the Single Network Adapter template for Web proxy and caching only
Deploy the Edge Firewall template for a bastion host
Deploy the 3-Leg Perimeter template for a three-legged configuration
Deploy the Front End or Back End template for each firewall in a back-to-back configuration

[Diagram: the bastion host, three-legged and back-to-back layouts from page 5, each labelled with the template that configures it]

Page 10:

Demonstration: Applying a Network Template

Use a network template to configure ISA Server 2004 as an edge firewall

Page 11:

Deploying ISA Server 2004: Best Practices

To deploy ISA Server to provide Internet access:

Plan for DNS name resolution
Create the required access rule elements and configure the access rules
Plan the access rule order
Implement the appropriate authentication mechanisms
Test access rules before deployment
Deploy the Firewall Client for maximum security and functionality
Use ISA Server logging to troubleshoot Internet connectivity issues
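As an added example (not from the slides or from ISA Server itself), the following Python models how an ordered access policy built from the rule elements on page 8 is evaluated: rules are tried top to bottom, the first match decides, and the default rule at the end denies everything else, so rule order decides the outcome. The network ranges, user names and rules are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample network objects, named after ISA Server's default networks.
# "External" is anything not covered by another network, as in ISA Server.
NETWORKS = {
    "Internal": [ip_network("10.0.0.0/8")],
    "VPN Clients": [ip_network("172.16.0.0/16")],
}


def network_of(ip: str) -> str:
    """Map an IP address to the network object that contains it."""
    addr = ip_address(ip)
    for name, ranges in NETWORKS.items():
        if any(addr in r for r in ranges):
            return name
    return "External"


@dataclass
class Request:
    src_ip: str
    dst_ip: str
    protocol: str            # e.g. "HTTP", "HTTPS", "DNS", "FTP"
    user: str = ""           # "" means unauthenticated
    hour: int = 12           # hour of day, evaluated against the rule's schedule
    content_type: str = ""   # MIME type of HTTP content, "" if not applicable


@dataclass
class AccessRule:
    name: str
    action: str                              # "Allow" or "Deny"
    protocols: frozenset = frozenset()       # empty = all protocols
    sources: frozenset = frozenset()         # source network names; empty = anywhere
    destinations: frozenset = frozenset()    # destination network names; empty = anywhere
    users: frozenset = frozenset()           # user names; empty = "All Users"
    schedule: tuple = (0, 24)                # [start_hour, end_hour) during which the rule applies
    content_types: frozenset = frozenset()   # empty = all content types

    def matches(self, req: Request) -> bool:
        """True when every condition of the rule holds for the request."""
        if self.protocols and req.protocol not in self.protocols:
            return False
        if self.sources and network_of(req.src_ip) not in self.sources:
            return False
        if self.destinations and network_of(req.dst_ip) not in self.destinations:
            return False
        if self.users and req.user not in self.users:   # named users never match anonymous traffic
            return False
        if not self.schedule[0] <= req.hour < self.schedule[1]:
            return False
        if self.content_types and req.content_type not in self.content_types:
            return False
        return True


DEFAULT_RULE = AccessRule("Default rule", "Deny")   # matches everything, always evaluated last


def evaluate(policy: list, req: Request) -> tuple:
    """First matching rule wins; the default rule denies whatever is left."""
    for rule in policy + [DEFAULT_RULE]:
        if rule.matches(req):
            return rule.name, rule.action
    raise AssertionError("unreachable: the default rule matches all traffic")


def unreached_rules(policy: list, samples: list) -> list:
    """Names of rules that decide none of the sample requests: running representative
    traffic through the policy before deployment shows rules shadowed by a broader rule."""
    hit = {evaluate(policy, req)[0] for req in samples}
    return [rule.name for rule in policy if rule.name not in hit]


# Constructed policy; most specific rules first, as the access rule order should be planned.
POLICY = [
    AccessRule("Web access (work hours)", "Allow", protocols=frozenset({"HTTP", "HTTPS"}),
               sources=frozenset({"Internal"}), destinations=frozenset({"External"}),
               schedule=(8, 18)),
    AccessRule("DNS to Internet", "Allow", protocols=frozenset({"DNS"}),
               sources=frozenset({"Internal"}), destinations=frozenset({"External"})),
    AccessRule("VPN users to intranet", "Allow", protocols=frozenset({"HTTP"}),
               sources=frozenset({"VPN Clients"}), destinations=frozenset({"Internal"}),
               users=frozenset({"alice"})),
]

# The same rules with a broad deny placed first: it shadows both Internal-to-External rules.
BAD_ORDER = [AccessRule("Block Internal to Internet", "Deny",
                        sources=frozenset({"Internal"}), destinations=frozenset({"External"}))] + POLICY


if __name__ == "__main__":
    req = Request("10.1.2.3", "203.0.113.10", "HTTP", user="alice", hour=10)
    print(evaluate(POLICY, req))       # ('Web access (work hours)', 'Allow')
    print(evaluate(BAD_ORDER, req))    # ('Block Internal to Internet', 'Deny')
```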

Page 12:

Section: Securing Access to Internal Servers

Page 13:

What Is ISA Server Publishing?

ISA Server enables three types of publishing rules:

1. Web publishing rules for publishing Web sites using HTTP
2. Secure Web publishing rules for publishing Web sites that require SSL for encryption
3. Server publishing rules for publishing servers that do not use HTTP or HTTPS

Page 14:

Implementing ISA Server Web Publishing Rules

To create a Web publishing rule, configure:

Action
Name or IP address
Users
Traffic source
Public name
Web listener
Path mappings
Bridging
Link translation

Page 15:

Implementing ISA Server Secure Web Publishing Rules

To create a secure Web publishing rule:

Choose an SSL bridging mode or SSL tunneling
Install a digital certificate on ISA Server, on a Web server, or on both
Configure a Web listener for SSL
Configure a secure Web publishing rule

Page 16:

Demonstration: Configuring a Secure Web Publishing Rule

Configure a secure Web publishing rule to an internal Web server

Page 17:

Implementing Server Publishing Rules

To create a server publishing rule, configure:

Action
Traffic
Traffic source
Traffic destination
Networks

To enable secure server publishing, configure ISA Server to publish a secure protocol, and then install a server certificate on the published server

Page 18:

Section: Implementing Application and Web Filtering

Page 19:

Firewall Requirements: Multiple-Layer Filtering

Packet filtering: filters packets based on information in the network and transport layer headers. Enables fast packet inspection, but cannot detect higher-level attacks

Stateful filtering: filters packets based on the TCP session information. Ensures that only packets that are part of a valid session are accepted, but cannot inspect application data

Application filtering: filters packets based on the application payload in network packets. Can prevent malicious attacks and enforce user policies

Page 20:

Implementing HTTP Web Filtering in ISA Server 2004

Use HTTP Web filtering to:

Filter traffic from internal clients to other networks
Filter traffic from Internet clients to internal Web servers

HTTP Web filtering can block HTTP packets based on:

Length of request headers and payload
Length of URL
HTTP request method
HTTP request file name extension
HTTP request or response header
Signature or pattern in the response header or body

HTTP Web filtering is rule-specific—you can configure different filters for each access or publishing rule
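As an added example (not from the slides, and not ISA Server's own filter), the Python below applies each blocking criterion listed on this slide to raw HTTP messages: header and payload length, URL length, request method, file name extension, blocked header names, and regular-expression signatures on the request or response headers and body. The policy values, host names, the "ConstructedTunnelApp" User-Agent and the sample messages are all constructed for the example.

```python
import posixpath
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class HttpFilterPolicy:
    """Per-rule HTTP filter settings; the field names follow the criteria on the slide."""
    max_headers_length: int = 32768      # request line plus headers, in bytes
    max_payload_length: int = 1_048_576  # request body, in bytes (0 = no limit)
    max_url_length: int = 2048
    allowed_methods: frozenset = frozenset({"GET", "HEAD", "POST"})
    blocked_extensions: frozenset = frozenset({".exe", ".bat", ".vbs"})
    blocked_headers: frozenset = frozenset()   # lower-case header names
    signatures: tuple = ()                     # (location, regex) pairs, see _signature_hits


def parse_message(raw: bytes) -> dict:
    """Split a raw HTTP request or response into start line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"start": lines[0], "headers": headers, "head_len": len(head), "body": body}


def _signature_hits(policy: HttpFilterPolicy, side: str, msg: dict) -> list:
    """Apply the signatures whose location is on this side ("request" or "response")."""
    header_text = "\n".join(f"{k}: {v}" for k, v in msg["headers"].items())
    body_text = msg["body"].decode("latin-1")
    hits = []
    for location, pattern in policy.signatures:
        text = {f"{side}_headers": header_text, f"{side}_body": body_text}.get(location)
        if text is not None and re.search(pattern, text):
            hits.append(f"signature matched in {location}")
    return hits


def check_request(policy: HttpFilterPolicy, raw: bytes) -> list:
    """Return the list of filter violations for a request; an empty list means it passes."""
    msg = parse_message(raw)
    parts = msg["start"].split(" ")
    method, url = parts[0], (parts[1] if len(parts) > 1 else "")
    violations = []
    if msg["head_len"] > policy.max_headers_length:
        violations.append("request headers exceed maximum length")
    if policy.max_payload_length and len(msg["body"]) > policy.max_payload_length:
        violations.append("request payload exceeds maximum length")
    if len(url) > policy.max_url_length:
        violations.append("URL exceeds maximum length")
    if method not in policy.allowed_methods:
        violations.append(f"method {method} not allowed")
    ext = posixpath.splitext(urlsplit(url).path)[1].lower()   # extension of the path only
    if ext in policy.blocked_extensions:
        violations.append(f"extension {ext} blocked")
    for name in sorted(policy.blocked_headers.intersection(msg["headers"])):
        violations.append(f"header {name} blocked")
    return violations + _signature_hits(policy, "request", msg)


def check_response(policy: HttpFilterPolicy, raw: bytes) -> list:
    """Responses are checked only against the response-side signatures."""
    return _signature_hits(policy, "response", parse_message(raw))


# Constructed policy for one publishing rule: browser methods only, no executable file
# names, no proxy Via header, a constructed tunnelling client's User-Agent blocked, and
# responses that carry an executable download MIME type blocked.
EXAMPLE_FILTER = HttpFilterPolicy(
    blocked_headers=frozenset({"via"}),
    signatures=(("request_headers", r"(?im)^user-agent:.*ConstructedTunnelApp"),
                ("response_headers", r"(?im)^content-type:\s*application/x-msdownload")),
)

# Constructed sample traffic.
REQ_OK = (b"GET /owa/default.aspx?ae=Folder HTTP/1.1\r\nHost: mail.example.com\r\n"
          b"User-Agent: Mozilla/5.0\r\n\r\n")
REQ_BAD = (b"CONNECT /tools/setup.exe HTTP/1.1\r\nHost: mail.example.com\r\n"
           b"Via: 1.1 proxy\r\nUser-Agent: ConstructedTunnelApp/1.0\r\n\r\n")
RESP_BAD = (b"HTTP/1.1 200 OK\r\nContent-Type: application/x-msdownload\r\n\r\n"
            b"MZ...constructed payload...")

if __name__ == "__main__":
    print(check_request(EXAMPLE_FILTER, REQ_OK))     # []
    print(check_request(EXAMPLE_FILTER, REQ_BAD))
    print(check_response(EXAMPLE_FILTER, RESP_BAD))  # ['signature matched in response_headers']
```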

Page 21:

Demonstration: Application Filtering in ISA Server 2004

Edit the default application filtering that is performed by ISA Server 2004

Page 22:

Section: Securing Access to Exchange Server

Page 23:

Secure Client Access to Exchange Server: Challenges

[Diagram: client types reaching Exchange through ISA Server: Outlook Mobile Access (XHTML, cHTML, HTML) and ActiveSync-enabled mobile devices over a wireless network; Outlook Web Access; Outlook using RPC; Outlook using RPC over HTTP; Outlook Express using IMAP4 or POP3. ISA Server forwards to the Exchange front-end server, which connects to the Exchange back-end servers]

Page 24:

Configuring RPC over HTTP Client Access

RPC over HTTP requires:

Exchange Server 2003 running on Windows Server 2003 and Windows Server 2003 global catalog servers
Outlook 2003 running on Windows XP
Windows Server 2003 server running RPC proxy server
Modifying the Outlook profile to use RPC over HTTP to connect to the Exchange server

To enable RPC over HTTP connections through ISA Server, use the Secure Web Publishing Wizard to publish the /rpc/* virtual directory

Page 25:

Configuring ISA Server for Outlook Web Access

To configure ISA Server to enable OWA access:

1. Use the Mail Server Publishing Wizard to publish the OWA server
2. Configure a bridging mode. For best security, secure the connection from client to ISA Server and from ISA Server to OWA server
3. Configure a Web listener for OWA publishing. Choose forms-based authentication for the Web listener

Forms-based authentication ensures that user credentials are not stored on the client computer; can be used to block access to attachments

Page 26:

Demonstration: Configuring Outlook Web Access

Configure an OWA publishing rule

Page 27:

Securing Access to Exchange Server: Best Practices

Enable Outlook RPC connections for pre–Exchange Server 2003 and Outlook 2003 environments
Use forms-based authentication on ISA Server for OWA
Implement RPC over HTTPS with SSL
Explore the use of additional ISA Server features to protect computers running Exchange Server
Consider third-party add-ons for ISA Server to protect computers running Exchange Server

Page 28:

Section: Virtual Private Networking with ISA Server 2004

Page 29:

Virtual Private Networking: What Are the Challenges?

VPNs provide a secure option for communicating across a public network

VPNs are used in two primary scenarios:

Network access for remote clients
Network access between sites

VPN quarantine control provides an additional level of security by providing the ability to check the configuration of the VPN client machines before allowing them access to the organization’s network

Page 30:

Enabling Virtual Private Networking with ISA Server

ISA Server enables VPN access:

By including remote-client VPN access for individual clients and site-to-site VPN access to connect multiple sites
By enabling VPN-specific networks, including the VPN Clients network, the Quarantined VPN Clients network and the Remote-site network
By using network and access rules to limit network traffic between the VPN networks and the other networks with servers running ISA Server
By extending RRAS functionality

Page 31:

Enabling VPN Client Connections

To enable VPN client connections:

Choose a tunneling protocol
Choose an authentication protocol (use MS-CHAP v2 or EAP if possible)
Enable VPN client access in ISA Server Management
Configure user accounts for remote access
Configure remote-access settings
Configure firewall access rules for the VPN Clients network

Page 32:

Implementing Site-to-Site VPN Connections

To enable site-to-site VPN connections:

Choose a tunneling protocol
Configure the remote-site network
Configure network rules and access rules to enable either open communications between networks or controlled communications between networks
Configure the remote-site VPN gateway

Page 33:

How Does Network Quarantine Work?

[Diagram: a VPN client with the quarantine script and Rqc.exe, ISA Server with the quarantine remote access policy, the Quarantined VPN Clients network and the VPN Clients network, and internal DNS server, Web server, domain controller and file server]

Page 34:

Implementing Network Quarantine

To implement quarantine control on ISA Server:

Enable quarantine control on ISA Server
Create and install a listener component
Configure network rules and access rules for the Quarantined VPN Clients network
Use CMAK to create a CM profile for remote-access clients
Create a client-side script that validates client configuration
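As an added example (not from the slides, and not the code of ISA Server, RRAS or Rqc.exe), the Python below models the quarantine flow this slide and page 29 describe: a client lands in the Quarantined VPN Clients network on connection, the client-side script validates its configuration, the report that Rqc.exe would send is accepted by the listener only for a script version it was configured to trust, and a client that never passes is disconnected when the quarantine timeout expires. The checks, the script version strings and the timeout value are assumptions made for the example.

```python
from dataclasses import dataclass

QUARANTINED = "Quarantined VPN Clients"   # network the quarantine remote access policy assigns first
TRUSTED = "VPN Clients"                   # network a client is moved to after a valid report

# Constructed values: the listener trusts only the script versions it was configured with,
# and a client still quarantined after the timeout is disconnected.
ALLOWED_SCRIPT_VERSIONS = frozenset({"CorpQuarantine-1.2"})
QUARANTINE_TIMEOUT_SECONDS = 120


@dataclass
class ClientConfig:
    """Constructed snapshot of what the client-side script inspects."""
    firewall_enabled: bool
    av_signature_age_days: int
    missing_critical_updates: int


def client_script_checks(cfg: ClientConfig) -> list:
    """Return the failed checks; an empty list means the client may report in."""
    failures = []
    if not cfg.firewall_enabled:
        failures.append("host firewall disabled")
    if cfg.av_signature_age_days > 7:
        failures.append("antivirus signatures older than 7 days")
    if cfg.missing_critical_updates:
        failures.append(f"{cfg.missing_critical_updates} critical update(s) missing")
    return failures


@dataclass
class VpnSession:
    username: str
    connected_at: float          # seconds, from the same clock as enforce_timeout's now
    network: str = QUARANTINED
    connected: bool = True


class QuarantineListener:
    """Model of the listener component on ISA Server that Rqc.exe reports to."""

    def __init__(self, allowed_versions=ALLOWED_SCRIPT_VERSIONS,
                 timeout=QUARANTINE_TIMEOUT_SECONDS):
        self.allowed_versions = allowed_versions
        self.timeout = timeout

    def notify(self, session: VpnSession, script_version: str) -> bool:
        """Handle a 'checks passed' report; release the client only for a trusted script version."""
        if not session.connected or session.network != QUARANTINED:
            return False
        if script_version not in self.allowed_versions:
            return False   # an unknown or outdated script is not trusted to have checked anything
        session.network = TRUSTED
        return True

    def enforce_timeout(self, session: VpnSession, now: float) -> bool:
        """Disconnect a client that is still quarantined when the timeout expires."""
        expired = now - session.connected_at >= self.timeout
        if session.connected and session.network == QUARANTINED and expired:
            session.connected = False
            return True
        return False


def connect_client(username: str, cfg: ClientConfig, script_version: str,
                   listener: QuarantineListener, now: float = 0.0) -> tuple:
    """Whole flow: connect into quarantine, run the script, report only when clean.

    Returns (session, failures). While quarantined, the access rules for the
    Quarantined VPN Clients network decide what the client may still reach."""
    session = VpnSession(username, connected_at=now)
    failures = client_script_checks(cfg)
    if not failures:
        listener.notify(session, script_version)   # what Rqc.exe would send over the tunnel
    return session, failures


if __name__ == "__main__":
    listener = QuarantineListener()
    session, failures = connect_client("alice", ClientConfig(True, 1, 0),
                                       "CorpQuarantine-1.2", listener)
    print(session.network, failures)   # VPN Clients []
```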

Page 35:

Configuring VPN Access Using ISA Server: Best Practices

Use strongest possible authentication protocols
Enforce the use of strong passwords when using PPTP
Avoid the use of pre-shared keys for L2TP/IPSec
Configure access rules to control access for VPN clients and site-to-site VPN connections
Use access rules to provide quarantined VPN clients with the means to meet the security requirements

Page 36:

Session Summary

ISA Server 2004 is secure by default because it blocks all traffic—configure access rules to provide the fewest possible access rights
Many applications now use HTTP as a tunneling protocol—use HTTP filtering to block the applications
Implement ISA Server publishing rules to make internal resources accessible from the Internet
Implementing Outlook RPC publishing and RPC over HTTP publishing means that users can use Outlook from anywhere
Use access rules to limit access for VPN remote-access clients, site-to-site VPN clients, and network quarantine clients

Page 37:

ISA Server 2004 Resources

ISAServer.org – www.isaserver.org
FREE! TechNet Virtual Lab: ISA Server – http://www.microsoft.com/technet/traincert/virtuallab/isa.mspx
838709 – How to use the ISA Server 2004 migration tool to migrate from ISA Server 2000 to ISA Server 2004
840697 – ISA Server 2000 settings and features that are not supported when you migrate to ISA Server 2004

Page 38:

For More Information…

The official ISA Server site: www.microsoft.com/isaserver
A useful site with a wealth of information: www.isaserver.org

Page 39:

What is TechNet? Put the right answers at your fingertips

The comprehensive collection of resources to help IT pros plan, deploy and manage Microsoft products successfully

TechNet Subscription: comprehensive set of resources delivered reliably every month on CD or DVD – the trusted resource for guidance, tools and software to efficiently evaluate, deploy and support Microsoft technologies
TechNet Web Site: accessible at www.microsoft.com; online resources and community; subscriber-only online services
TechNet Flash: biweekly e-newsletter with security updates, new resources, and special offers
TechNet Events and Webcasts: briefings on the latest Microsoft products and technologies; hands-on, “how to” information
TechNet Communities: user groups and managed newsgroups

Page 40:

Connect with TechNet

Free Technical Briefings: www.microsoft.com/seminar/events
TechNet Webcasts: www.microsoft.com/webcasts
TechNet Flash Newsletter: www.microsoft.com/technet/flash
TechNet Online: www.microsoft.com/technet
Security Notification Service Sign-Up: www.microsoft.com/technet/security/signup/default.mspx
TechNet Subscription*: www.microsoft.com/technet/subscriptions

* Microsoft TechNet Subscription Giveaway: complete the webcast survey to be entered to win a one year TechNet Plus subscription. See the official rules at http://www.microsoft.com/seminar/events/officialrules_1.mspx for details.

Microsoft’s TechNet programs provide IT professionals with high-quality, how-to information and resources to efficiently evaluate, deploy, maintain and support their Microsoft technology. To learn more, subscribe, or attend a free briefing, please visit:

Page 41:

Questions and Answers

Submit text questions using the “Ask a Question” button
Don’t forget to fill out the survey
For upcoming and recordings of previous webcasts: www.microsoft.com/webcasts
Have webcast content ideas? Send us e-mail at: [email protected]
