| Section | Page |
|---|---|
| Acknowledgments | xxvii |
| Introduction | xxix |
| PART I MICROSOFT ISA SERVER 2000 ADMINISTRATOR'S FUNDAMENTALS | |
| 1 Overview of Microsoft ISA Server 2000 Administration | 3 |
| How ISA Server Operates as a Caching and Firewall Server | 3 |
| Firewall: The Secure Server | 4 |
| Caching: The Acceleration Server | 4 |
| ISA Server Product Editions | 5 |
| Quick Comparison of ISA Product Editions | 5 |
| Operating System Compatibility | 6 |
| Basic Hardware and Server Requirements for ISA Server | 7 |
| Detailed Comparison of ISA Server Implementations | 8 |
| Small Business Server 2000 | 8 |
| ISA Server 2000 Standard Edition | 10 |
| ISA Server 2000 Enterprise Edition | 11 |
| Using Common ISA Server Tools and Utilities | 12 |
| Using the ISA Management Console | 12 |
| Console View Options | 13 |
| Working with ISA Management Nodes | 14 |
| ISA Server Wizards | 17 |
| Commonly Used MMCs | 17 |
| Command-Line Utilities | 18 |
| ISA Community | 18 |
| Add-Ons for ISA Server | 18 |
| Administering ISA Server Remotely | 19 |
| ISA Management Console | 19 |
| Terminal Services | 19 |
| Third-Party Products | 20 |
| Additional Resources | 20 |
| 2 Installing and Configuring Microsoft ISA Server 2000 | 21 |
| Installing ISA Server 2000 | 21 |
| Before You Begin | 21 |
| Installing ISA Server on Windows Server 2003 | 26 |
| Installing ISA Server Service Pack 1 | 26 |
| Modifying the Role of ISA Server: Enabling Array Membership | 26 |
| Joining ISA Server to a Domain | 27 |
| Running the Enterprise Initialization Tool | 27 |
| Configuring Enterprise Policy Settings | 28 |
| Verifying Schema Extensions | 29 |
| Promoting a Stand-Alone Server to an Array Member | 29 |
| Configuring ISA Server | 30 |
| Configuring the Local Address Table (LAT) | 31 |
| Manually Creating a New Local Address Table (LAT) Entry | 31 |
| Automatically Constructing the Local Address Table (LAT) | 31 |
| Modifying a LAT Entry | 32 |
| Deleting a LAT Entry | 32 |
| Configuring the Local Domain Table (LDT) | 32 |
| Creating a New LDT Entry | 33 |
| Modifying an LDT Entry | 33 |
| Deleting an LDT Entry | 33 |
| Configuring Automatic Discovery | 33 |
| Enabling Automatic Discovery | 33 |
| Configuring the ISA Server Cache | 35 |
| Setting the Size of the Cache | 36 |
| Configuring the Cache Properties | 36 |
| Determining the Load Factor | 38 |
| Configuring the Intra-Array Address | 38 |
| Configuring Scheduled Content Downloads | 39 |
| Installing ISA Server Feature Pack 1 | 40 |
| Uninstalling ISA Server Feature Pack 1 | 41 |
| Uninstalling ISA Server | 42 |
| Performing an Uninstall with Add/Remove Programs | 42 |
| Performing an Uninstall with Rmisa.exe | 42 |
| Additional Resources | 43 |
| 3 Installing and Configuring Microsoft ISA Server 2000 Clients | 45 |
| Working with the SecureNAT Client | 46 |
| Installation | 46 |
| Simple Network vs. Complex Network | 47 |
| Configuration | 47 |
| Configuring the HTTP Redirector Filter | 47 |
| Working with the Web Proxy Client | 48 |
| Installation | 49 |
| Configuration | 49 |
| Working with the Firewall Client | 51 |
| Installation | 51 |
| UNC-Based Installation | 51 |
| IIS Web-Based Installation | 52 |
| Group Policy-Based Installation | 53 |
| Silent Installations | 54 |
| Configuration | 55 |
| Firewall Client Configuration | 56 |
| Firewall Client Configuration Properties in the ISA Management Console | 56 |
| Configuring a Workstation with All Clients | 57 |
| Client Dependencies on the Infrastructure | 57 |
| DNS Requirements and Considerations | 57 |
| Configure a Protocol Rule to Allow DNS Lookups | 57 |
| DHCP Services | 58 |
| Additional Resources | 58 |
| 4 Configuring ISA Server on Small Business Server Installations | 59 |
| Limitations and Differences of ISA Server with SBS | 59 |
| Installation | 60 |
| Configuration | 63 |
| Small Business Server Internet Connection Wizard | 63 |
| Common Procedures and Troubleshooting Steps | 68 |
| Internet Connection Wizard Doesn't Start | 68 |
| ISA Server Services Won't Start If Network Address Translation (NAT) Is Enabled | 68 |
| Use Only the Dial-Up Connection Specified in ISA Server to Connect to the Internet | 69 |
| Dynamic DNS Services for Small Businesses | 69 |
| Can't Renew DHCP Assigned IP Address on External ISA Interface | 69 |
| Disabling ICW for Dial-Up Connections | 69 |
| Manually Assigning Fax Server Privileges | 70 |
| Logging User Activity | 70 |
| Problems with ISA Server and IIS on the Same Computer | 71 |
| Removing ISA Server from SBS | 71 |
| Additional Resources | 71 |
| 5 Migrating from Microsoft Proxy Server 2.0 | 73 |
| Prerequisites to Upgrading Proxy Server 2.0 to ISA Server | 73 |
| Upgrading the Proxy Server from Windows NT 4 to Windows 2000 | 74 |
| Backing Up the Proxy 2.0 Server | 75 |
| Uninstalling Proxy Server 2.0 | 75 |
| Upgrading the Operating System to Windows 2000 | 75 |
| Installing the Microsoft Proxy Server 2.0 Update for Windows 2000 | 76 |
| Restoring the Proxy Server 2.0 Configuration | 76 |
| Performing an Upgrade to ISA Server 2000 | 76 |
| Stopping Proxy 2.0 Server Services | 77 |
| Removing a Proxy 2.0 Server from an Array | 77 |
| Installing ISA Server to Upgrade Proxy Server 2.0 | 78 |
| Differences Between Proxy Server and ISA Server | 80 |
| Configure the Outbound Web Requests Listener | 80 |
| Be Aware of Differences Between the Winsock Client and the ISA Firewall Client | 80 |
| Configure Published Servers as SecureNAT Clients for Convenience | 81 |
| Reconfigure IIS After Installing ISA Server | 81 |
| Additional Resources | 81 |
| 6 Monitoring and Reporting | 83 |
| Services | 83 |
| Monitoring ISA Server Services | 83 |
| Service Monitoring in ISA Management Console | 84 |
| Services Console | 84 |
| Command-Line Service Management | 85 |
| Sessions | 85 |
| Monitoring Sessions | 85 |
| Determining Session Type | 86 |
| Aborting Sessions | 86 |
| Events | 87 |
| Monitoring Events | 87 |
| Analyzing Events | 88 |
| Alerts | 88 |
| Creating an Alert | 88 |
| Sending an E-Mail Message | 89 |
| Running a Program | 90 |
| Reporting the Event to a Windows 2000 Event Log | 90 |
| Stopping Selected ISA Server Services | 90 |
| Starting Selected ISA Server Services | 90 |
| Configuring an Alert | 91 |
| Viewing Alerts | 92 |
| Resetting Alerts | 93 |
| Reporting with ISA Server | 93 |
| Generating Reports | 93 |
| Reporting Job Properties | 93 |
| Creating a Report | 94 |
| Report Types | 95 |
| Viewing Reports | 95 |
| Saving Reports | 96 |
| Logging Transactions in ISA Server | 96 |
| ISA Log Components | 96 |
| Configuring Logs | 97 |
| Logging to a File | 98 |
| Logging to a Database | 98 |
| Executing SQL Scripts | 98 |
| Defining an ODBC System DSN | 99 |
| Configuring ISA to Log to an ODBC Database | 99 |
| Additional Resources | 100 |
| PART II MICROSOFT ISA SERVER 2000 POLICY MANAGEMENT AND PUBLISHING SERVICES | |
| 7 Configuring ISA Policy Elements | 103 |
| Policy Elements Explained | 103 |
| Serving Multiple Purposes | 104 |
| Enterprise Policies and Policy Elements | 105 |
| Schedules | 105 |
| Creating New Schedules | 105 |
| Deleting Schedules | 106 |
| Adjusting Existing Schedules | 106 |
| Destination Sets | 107 |
| Creating New Destination Sets | 107 |
| Deleting Destination Sets | 108 |
| Configuring Destination Sets | 108 |
| Client Address Sets | 109 |
| Creating Client Address Sets | 109 |
| Deleting Client Address Sets | 109 |
| Configuring Client Address Sets | 110 |
| User Manager | 110 |
| Protocol Definitions | 110 |
| Creating Protocol Definitions | 111 |
| Deleting Protocol Definitions | 111 |
| Configuring Protocol Definitions | 112 |
| Content Groups | 112 |
| Creating Content Groups | 113 |
| Deleting Content Groups | 113 |
| Configuring Content Groups | 114 |
| Dial-Up Entries | 114 |
| Configuring a Network Dial-Up Connection on Windows 2000 Server | 114 |
| Configuring a Network Dial-Up Connection on Windows Server 2003 | 115 |
| Creating Dial-Up Entries | 116 |
| Deleting Dial-Up Entries | 116 |
| Configuring Dial-Up Entries | 117 |
| Bandwidth Priorities | 117 |
| Creating Bandwidth Priority Entries | 117 |
| Deleting Bandwidth Priority Entries | 118 |
| Configuring Bandwidth Priorities | 118 |
| Additional Resources | 118 |
| 8 Configuring ISA Access Policy | 119 |
| Processing Outgoing Requests | 119 |
| Primary Access Policy Components | 120 |
| Site and Content Rules | 120 |
| Creating a Site and Content Rule | 121 |
| Deleting a Site and Content Rule | 122 |
| Configuring a Site and Content Rule | 123 |
| Enabling and Disabling a Site and Content Rule | 123 |
| Protocol Rules | 123 |
| Creating a Protocol Rule | 124 |
| Deleting a Protocol Rule | 125 |
| Configuring a Protocol Rule | 125 |
| IP Packet Filters | 126 |
| Creating an IP Packet Filter | 126 |
| Deleting an IP Packet Filter | 127 |
| Configuring an IP Packet Filter | 128 |
| Ancillary Access Policy Components | 128 |
| Bandwidth Rules | 128 |
| Creating a Bandwidth Rule | 129 |
| Deleting a Bandwidth Rule | 129 |
| Modifying a Bandwidth Rule | 130 |
| Modifying Bandwidth Rule Processing Order | 131 |
| Routing Rules | 131 |
| Creating a Routing Rule | 131 |
| Deleting a Routing Rule | 133 |
| Configuring a Routing Rule | 133 |
| Firewall Chaining | 134 |
| Outgoing Web Requests | 135 |
| Creating an Outgoing Listener | 135 |
| Configuring and Deleting an Outgoing Listener | 137 |
| Configuring Outgoing Authentication | 137 |
| Resolving Requests Within an Array | 138 |
| Altering the Outgoing Web Requests Port Values | 138 |
| Modifying Outgoing Web Requests Connection Settings | 139 |
| Optimizing Server Performance | 140 |
| ISA Server Extensions | 140 |
| Application Filters | 140 |
| Enabling/Disabling an Application Filter | 141 |
| FTP Access Filter | 141 |
| HTTP Redirector Filter | 142 |
| SOCKS V4 Filter | 143 |
| Streaming Media Filter | 143 |
| Web Filters | 144 |
| Additional Resources | 145 |
| 9 Publishing Fundamentals | 147 |
| Installation Modes | 147 |
| Processing Incoming Requests | 148 |
| Web Publishing | 148 |
| Prerequisites | 149 |
| Incoming Web Requests | 149 |
| Creating an Incoming Listener | 150 |
| Configuring and Deleting an Incoming Listener | 151 |
| Configuring Incoming Authentication | 152 |
| Resolving Requests Within an Array | 152 |
| Altering the Incoming Web Requests Port Values | 152 |
| Modifying Incoming Web Requests Connection Settings | 153 |
| Creating a Web Publishing Rule | 154 |
| Deleting a Web Publishing Rule | 155 |
| Configuring a Web Publishing Rule | 155 |
| Enabling/Disabling a Web Publishing Rule | 156 |
| Adjusting the Rule Processing Order | 156 |
| Accessing Secured Sites | 157 |
| Web Publishing and SSL Bridging | 157 |
| Server Publishing and SSL Tunneling | 158 |
| Web Filters for Inbound Access | 158 |
| Using Link Translation | 158 |
| Server Publishing | 161 |
| Limitations | 161 |
| Prerequisites | 162 |
| Creating a Server Publishing Rule | 162 |
| Deleting a Server Publishing Rule | 163 |
| Configuring a Server Publishing Rule | 163 |
| Enabling/Disabling a Server Publishing Rule | 164 |
| Routing and IP Packet Filters | 164 |
| Enabling Packet Filtering | 165 |
| Enabling IP Routing | 166 |
| Application Filters for Inbound Access | 166 |
| DNS Intrusion Detection Filter | 166 |
| H.323 Filter | 167 |
| POP Intrusion Detection Filter | 168 |
| RPC Filter | 168 |
| SMTP Filter | 168 |
| Additional Resources | 169 |
| 10 Common Web and Server Publishing Scenarios | 171 |
| Common Prerequisites | 171 |
| Configuring the LAT | 172 |
| Configuring DNS Resolution | 172 |
| Routing | 172 |
| Disabling Socket Pooling | 172 |
| Publishing Web Server | 174 |
| Publishing a Web Site Behind the ISA Server | 174 |
| Creating a Destination Set | 174 |
| Creating a Web Listener for Incoming Web Requests | 175 |
| Creating a Web Publishing Rule | 175 |
| Publishing a Web Site on the ISA Server | 176 |
| Modifying Web Site Properties in IIS | 176 |
| Creating a Web Publishing Rule | 176 |
| Publishing Secured Web Site (HTTPS) | 176 |
| Web Server Certificate | 177 |
| Creating an Incoming Listener | 177 |
| Using the Predefined HTTPS Protocol Definition | 177 |
| Creating an HTTPS (SSL) Server Publishing Rule | 177 |
| Publishing FTP Server | 178 |
| Using Packet Filters to Provide FTP Services | 179 |
| Configuring FTP Packet Filters to Allow PASV Clients | 180 |
| Publishing FTP Using ISA Server | 180 |
| Disabling Socket Pooling | 180 |
| Configuring FTP Server to Listen on the Internal Interface | 181 |
| Disabling Port Attack Mechanism | 181 |
| Configuring the Server Publishing Rule | 181 |
| Enabling the FTP Access Filter | 182 |
| Publishing Exchange Server | 182 |
| Publishing a Mail Server Located Behind ISA Server | 183 |
| Configuring DNS Resolution | 183 |
| Configuring Server Client Type | 183 |
| Creating Client Address Sets | 183 |
| Creating Protocol Definitions | 184 |
| Running the Secure Mail Publishing Wizard | 184 |
| Publishing Exchange Using the RPC Publishing Wizard for Outlook Clients | 185 |
| Configuring DNS Resolution | 185 |
| Configuring Server Client Type | 185 |
| Creating a Site and Content Rule | 185 |
| Configuring Client Address Sets | 186 |
| Creating Protocol Rules | 186 |
| Enabling Client Authentication | 186 |
| Creating a Server Publishing Rule | 186 |
| Configuring the Outlook Clients | 186 |
| Enabling Access to Exchange Servers Outside ISA Server | 187 |
| Publishing an OWA Server | 187 |
| Prerequisites | 187 |
| Using a Web Publishing Rule | 188 |
| Using the OWA Web Publishing Wizard | 189 |
| Publishing SQL Server | 189 |
| Creating an Incoming Listener | 189 |
| Using the Predefined Protocol Definition | 190 |
| Creating a SQL Server Publishing Rule | 190 |
| Publishing Remote Desktop or a Terminal Server | 191 |
| Creating an RDP Protocol Definition | 191 |
| Creating an RDP Publishing Rule | 192 |
| Publishing a Citrix Server | 192 |
| Configuring the Citrix Server as a SecureNAT Client | 193 |
| Creating a Citrix ICA Protocol Definition | 193 |
| Creating a Citrix Server Publishing Rule | 193 |
| Configuring the Citrix Server | 194 |
| Configuring the Citrix Clients | 194 |
| Publishing a DNS Server | 194 |
| Publishing a Public DNS Server Located Behind an ISA Server | 195 |
| Creating an Incoming Listener | 195 |
| Using the Predefined Protocol Definition | 195 |
| Creating a DNS Server Publishing Rule | 195 |
| Publishing a Public DNS Server on the ISA Server | 196 |
| Using the Predefined DNS Query Packet Filter | 196 |
| Creating Two DNS Server Packet Filters | 197 |
| Additional Resources | 198 |
| General Scenario-Based References | 198 |
| Microsoft Knowledge Base References | 198 |
| PART III MICROSOFT ISA SERVER 2000 AND ENTERPRISE SYSTEMS ADMINISTRATION | |
| 11 Managing ISA Server and Windows Active Directory | 201 |
| Stand-Alone Versus Array Members | 201 |
| Characteristics of a Stand-Alone ISA Server | 201 |
| Characteristics of an ISA Server Array Member | 202 |
| Active Directory Interoperability | 202 |
| Creating and Configuring ISA Server Arrays | 202 |
| ISA Server Array Criteria | 203 |
| Administrative Requirements for ISA Server Arrays | 203 |
| Creating the Array Environment | 203 |
| Creating a New Array | 204 |
| Adding or Removing Array Members | 205 |
| Moving an ISA Array Member to a Different Array | 206 |
| Configuring Array Permissions | 207 |
| ISA Server 2000 and Domain Integration | 207 |
| Managing a Multidomain Configuration and Trust Relationships | 207 |
| ISA Server and Windows NT 4.0 Domains | 207 |
| ISA Server and Windows 2000 and Windows Server 2003 Domains | 208 |
| Additional Resources | 209 |
| 12 Using Enterprise and Array Policies | 211 |
| Enterprise and Array Policies Explained | 211 |
| Enterprise and Array Decisions | 212 |
| Configuring Enterprise Policy Settings | 213 |
| Enterprise Policy Administration | 213 |
| Creating Enterprise Policies | 214 |
| Configuring Enterprise Policies | 214 |
| Backing Up and Restoring an Enterprise Configuration | 215 |
| Deleting Enterprise Policies | 216 |
| Enterprise Administration and Permissions | 216 |
| Connecting to Remote Enterprise and Arrays | 217 |
| Applying an Enterprise Policy to Selective Arrays | 217 |
| Setting a Default Enterprise Policy | 218 |
| Array Policy Administration | 218 |
| Allowing Array Policies | 218 |
| Configuring Array Policies | 219 |
| Forcing Packet Filtering for an Array | 219 |
| Allowing Publishing Rules in an Array | 219 |
| Configuring Enterprise Policy Settings for an Array | 219 |
| Backing Up, Restoring and Deleting an Array Configuration | 220 |
| Additional Resources | 221 |
| 13 Working with Enterprise Technologies and ISA Server 2000 | 223 |
| Cache Array Routing Protocol (CARP) | 223 |
| Enabling CARP for Outgoing and Incoming Web Requests | 224 |
| Configuring Intra-Array Communication | 225 |
| Configuring the CARP Load Factor | 225 |
| CARP and Scheduled Content Download | 226 |
| Network Load Balancing | 226 |
| Prerequisites | 227 |
| Installing and Configuring Network Load Balancing | 227 |
| Additional Configuration for ISA Server and Network Load Balancing | 229 |
| Server Publishing and Network Load Balancing | 230 |
| Using DNS Round Robin | 230 |
| Virtual Private Networks (VPNs) | 231 |
| Using ISA Server as a VPN Server | 231 |
| Configuring a Gateway-to-Gateway VPN | 231 |
| Configuring the Local VPN Server | 231 |
| Configuring the Remote VPN Server | 233 |
| Confirming the Gateway-to-Gateway Configuration | 234 |
| Connecting Remote Clients Using VPN | 234 |
| Configuring a Client Virtual Private Network (VPN) | 234 |
| Configuring a VPN Connectoid | 236 |
| Configuring VPN Pass-Through | 237 |
| Manually Configuring the VPN | 238 |
| H.323 Gatekeeper | 241 |
| Prerequisites | 241 |
| Create a DNS Service Record for the H.323 Gatekeeper | 241 |
| Defining Access to the H.323 Protocol | 242 |
| Installing and Configuring the H.323 Gatekeeper | 243 |
| Installing the H.323 Gatekeeper Service Management Console | 243 |
| Enabling the H.323 Filter | 244 |
| Adding an H.323 Gatekeeper | 244 |
| Configuring H.323 Gatekeeper Properties | 244 |
| Configuring H.323 Gatekeeper Permissions | 245 |
| Enable IP Routing to Improve H.323 Performance | 245 |
| Configure Call Routing Rules | 245 |
| Creating a Call Routing Rule | 245 |
| Configuring an Internal NetMeeting Client to Use an H.323 Gatekeeper | 248 |
| Configuring an External NetMeeting Client to Use an H.323 Gatekeeper | 249 |
| Additional Resources | 249 |
| PART IV MICROSOFT ISA SERVER 2000 SECURITY MANAGEMENT | |
| 14 Microsoft ISA Server 2000 and Perimeter Networks | 253 |
| Perimeter Networks Explained | 253 |
| Trihomed ISA Server Perimeter Networks | 254 |
| Configuring the Trihomed ISA Server Network Interfaces | 254 |
| Configuring the Trihomed Perimeter Network | 255 |
| Limitations of a Trihomed Perimeter Network | 256 |
| Back-to-Back ISA Server Perimeter Networks | 256 |
| Configuring the Back-to-Back ISA Servers | 257 |
| Configuring Back-to-Back Perimeter Networks | 258 |
| Configuring a Private Address Perimeter Network | 259 |
| Configuring a Public Address Perimeter Network | 260 |
| Limitations of Perimeter Networks | 263 |
| Publishing Services in Perimeter Networks | 263 |
| Publishing Web Servers | 264 |
| Configuring the Web Server in a Trihomed Perimeter Network | 264 |
| Configuring the Web Server in a Back-to-Back Perimeter Network | 264 |
| Publishing FTP Services | 265 |
| Configuring the PORT Mode FTP Server in a Trihomed Perimeter Network | 265 |
| Configuring the PASV Mode FTP Server in a Trihomed Perimeter Network | 266 |
| Configuring FTP in a Back-to-Back Perimeter Network | 266 |
| Publishing SMTP Services in a Trihomed Perimeter Network | 267 |
| Additional Resources | 268 |
| 15 Securing ISA Server 2000 | 269 |
| Trustworthy Computing | 269 |
| Common Types of Attacks and Best Prevention Practices | 270 |
| Intrusion Detection | 271 |
| Configuring Intrusion Detection | 272 |
| Intrusion Detection Alerts and Actions | 275 |
| ISA Server Security Wizards | 275 |
| Security Templates | 276 |
| Optimizing ISA Server Security | 278 |
| Checklist for Securing ISA Server 2000 | 278 |
| Securing the Network Interface Adapters | 279 |
| Disabling Services | 281 |
| Running ISA Server on a Dedicated Server | 282 |
| URLScan 2.5 for ISA Server | 282 |
| Installing URLScan 2.5 | 283 |
| Disabling the URLScan Web Filter | 284 |
| Configuring the Urlscan.ini File | 284 |
| A Look at Web Authentication with RSA SecurID | 285 |
| Installing the RSA SecurID Web Filter | 286 |
| Additional Resources | 286 |
| Security References | 286 |
| Trustworthy Computing | 287 |
| Securing ISA Server 2000 | 287 |