Dr. Tom Shinder's ISA Server 2006 Migration Guide

Table of contents

1. Copyright
2. Lead Authors
3. Contributing Authors
4. Introduction
   1. What’s New in ISA 2006 Firewalls
5. 1. Network Security Basics
   1. Introduction
   2. Security Overview
   3. Defining Basic Security Concepts
      1. Knowledge is Power
      2. Think Like a Thief
         1. The Intrusion Triangle
         2. Removing Intrusion Opportunities
      3. Security Terminology
   4. Addressing Security Objectives
      1. Controlling Physical Access
         1. Physical Access Factors
            1. Protecting the Servers
            2. Keeping Workstations Secure
            3. Protecting Network Devices
            4. Securing the Cable
            5. Safely Going Wireless
            6. Have Laptop, Will Travel
            7. The Paper Chase
            8. Removable Storage Risks
         2. Physical Security Summary
      2. Preventing Accidental Compromise of Data
         1. Know Your Users
         2. Educate Your Users
         3. Control Your Users
      3. Preventing Intentional Internal Security Breaches
         1. Hiring and Human Resource Policies
         2. Detecting Internal Breaches
         3. Preventing Intentional Internal Breaches
      4. Preventing Unauthorized External Intrusions
         1. External Intruders with Internal Access
         2. Tactical Planning
   5. Recognizing Network Security Threats
      1. Understanding Intruder Motivations
         1. Recreational Hackers
         2. Profit-motivated Hackers
         3. Vengeful Hackers
         4. Hybrid Hackers
      2. Classifying Specific Types of Attacks
         1. Social engineering attacks
            1. What is social engineering?
            2. Protecting your network against social engineers
         2. Denial of Service (DOS) Attacks
            1. Distributed Denial of Service attacks
            2. DNS DOS attack
            3. SYN attack/LAND attack
            4. Ping of Death
            5. Teardrop
            6. Ping Flood (ICMP flood)
            7. SMURF attack
            8. UDP bomb or UDP flood
            9. UDP Snork attack
            10. WinNuke (Windows out-of-band attack)
            11. Mail bomb attack
         3. Scanning and Spoofing
            1. Port scan
            2. IP half scan attack
            3. IP Spoofing
         4. Source Routing attack
         5. Other protocol exploits
         6. System and software exploits
         7. Trojans, viruses and worms
            1. Trojans
            2. Viruses
            3. Worms
   6. Designing a Comprehensive Security Plan
      1. Evaluating Security Needs
         1. Assessing the type of business
         2. Assessing the type of data
         3. Assessing the network connections
         4. Assessing management philosophy
            1. Understanding management models
      2. Understanding Security Ratings
      3. Legal Considerations
      4. Designating Responsibility for Network Security
         1. Responsibility for Developing the Security Plan and Policies
         2. Responsibility for Implementing and Enforcing the Security Plan and Policies
      5. Designing the Corporate Security Policy
         1. Developing an Effective Password Policy
            1. Password Length and Complexity
            2. Who creates the password?
            3. Password Change Policy
            4. Summary of Best Password Practices
      6. Educating Network Users on Security Issues
   7. Summary
6. 2. ISA Server 2006 Client Types and Automating Client Provisioning
   1. Introduction
   2. Understanding ISA Server 2006 Client Types
      1. Understanding the ISA Server 2006 SecureNAT Client
         1. SecureNAT Client Limitations
         2. SecureNAT Client Advantages
         3. Name Resolution for SecureNAT Clients
            1. Name Resolution and “Looping Back” Through the ISA Server 2006 Firewall
      2. Understanding the ISA Server 2006 Firewall Client
         1. Allows Strong User/Group-Based Authentication for All Winsock Applications Using TCP and UDP Protocols
         2. Allows User and Application Information to be Recorded in the ISA Server 2006 Firewall’s Log Files
         3. Provides Enhanced Support for Network Applications, Including Complex Protocols That Require Secondary Connections
         4. Provides “Proxy” DNS Support for Firewall Client Machines
         5. The Network Routing Infrastructure Is Transparent to the Firewall Client
         6. How the Firewall Client Works
         7. Installing the Firewall Client Share
         8. Installing the Firewall Client
         9. Firewall Client Configuration
            1. Centralized Configuration Options at the ISA Server 2006 Firewall Computer
            2. Enabling Support for Legacy Firewall Client/Winsock Proxy Clients
         10. Client Side Firewall Client Settings
         11. Firewall Client Configuration Files
             1. .ini Files
             2. Advanced Firewall Client Settings
         12. Firewall Client Configuration at the ISA Server 2006 Firewall
      3. ISA Server 2006 Web Proxy Client
         1. Improved Performance for the Firewall Client and SecureNAT Client Configuration for Web Access
         2. Ability to Use the Autoconfiguration Script to Bypass Sites Using Direct Access
         3. Allows You to Provide Web Access (HTTP/HTTPS/FTP Download) without Enabling Users Access to Other Protocols
         4. Allows You to Enforce User/Group-based Access Controls Over Web Access
         5. Allows you to Limit the Number of Outbound Web Proxy Client Connections
         6. Supports Web Proxy Chaining, Which Can Further Speed Up Internet Access
      4. ISA Server 2006 Multiple Client Type Configuration
      5. Deciding on an ISA Server 2006 Client Type
   3. Automating ISA Server 2006 Client Provisioning
      1. Configuring DHCP Servers to Support Web Proxy and Firewall Client Autodiscovery
         1. Install the DHCP Server
         2. Create the DHCP scope
         3. Create the DHCP 252 Scope Option and Add It to the Scope
         4. Configure the Client as a DHCP Client
         5. Configure the Client Browser to Use DCHP for Autodiscovery
         6. Configure the ISA Server 2006 Firewall to Publish Autodiscovery Information
         7. Making the Connection
      2. Configuring DNS Servers to Support Web Proxy and Firewall Client Autodiscovery
         1. Creating the wpad Entry in DNS
         2. Configure the Client to Use the Fully-Qualified wpad Alias
         3. Configure the client browser to use autodiscovery
         4. Configure the ISA Server 2006 Firewall to Publish Autodiscovery Information
         5. Making the Connection Using DNS for Autodiscovery
   4. Automating Installation of the Firewall Client
      1. Configuring Firewall Client and Web Proxy Client Configuration in the ISA Management Console
      2. Group Policy Software Installation
      3. Silent Installation Script
      4. Systems Management Server (SMS)
   5. One More Time
7. 3. Installing and Configuring the ISA Firewall Software
   1. Pre-installation Tasks and Considerations
      1. System Requirements
      2. Configuring the Routing Table
      3. DNS Server Placement
      4. Configuring the ISA Firewall’s Network Interfaces
      5. Installation via a Terminal Services Administration Mode Session
   2. Performing a Clean Installation on a Multihomed Machine
   3. Default Post-installation ISA Firewall Configuration
   4. The Post-installation System Policy
   5. Performing a Single NIC Installation (Unihomed ISA Firewall)
   6. Quick Start Configuration for ISA Firewalls
      1. Configuring the ISA Firewall’s Network Interfaces
         1. IP Address and DNS Server Assignment
            1. Configuring the Internal Network Interface
            2. Configuring the External Network Interface
         2. Network Interface Order
      2. Installing and Configuring a DNS Server on the ISA Server Firewall
         1. Installing the DNS Service
            1. Installing the DNS Server Service on Windows Server 2003
         2. Configuring the DNS Service on the ISA Firewall
            1. Configuring the DNS Service in Windows Server 2003
         3. Configuring the DNS Service on the Internal Network DNS Server
      3. Installing and Configuring a DHCP Server on the ISA Server Firewall
         1. Installing the DHCP Service
            1. Installing the DHCP Server Service on a Windows Server 2003 Computer
         2. Configuring the DHCP Service
      4. Installing and Configuring the ISA Server 2006 Software
         1. Configuring the ISA Firewall
            1. DHCP Request to Server Rule
            2. DHCP Reply from Server Rule
            3. Internal DNS Server to DNS Forwarder Rule
            4. Internal Network to DNS Server
            5. The All Open Rule
      5. Configuring the Internal Network Computers
         1. Configuring Internal Clients as DHCP Clients
   7. Hardening the Base ISA Firewall Configuration and Operating System
      1. ISA Firewall Service Dependencies
      2. Service Requirements for Common Tasks Performed on the ISA Firewall
      3. Client Roles for the ISA Firewall
      4. ISA Firewall Administrative Roles and Permissions
      5. Lockdown Mode
         1. Lockdown Mode Functionality
      6. Connection Limits
      7. DHCP Spoof Attack Prevention
   8. One More Time
8. 4. Creating and Using ISA 2006 Firewall Access Policy
   1. ISA Firewall Access Rule Elements
      1. Protocols
      2. User Sets
      3. Content Types
      4. Schedules
      5. Network Objects
   2. Configuring Access Rules for Outbound Access through the ISA Firewall
      1. The Rule Action Page
      2. The Protocols Page
      3. The Access Rule Sources Page
      4. The Access Rule Destinations Page
      5. The User Sets Page
      6. Access Rule Properties
         1. The General Tab
         2. The Action Tab
         3. The Protocols Tab
         4. The From Tab
         5. The To Tab
         6. The Users Tab
         7. The Schedule Tab
         8. The Content Types Tab
      7. The Access Rule Context Menu Options
      8. Configuring RPC Policy
      9. Configuring FTP Policy
      10. Configuring HTTP Policy
      11. Ordering and Organizing Access Rules
      12. How to Block Logging for Selected Protocols
      13. Disabling Automatic Web Proxy Connections for SecureNAT Clients
   3. Using Scripts to Populate Domain Name Sets
      1. Using the Import Scripts
      2. Extending the SSL Tunnel Port Range for Web Access to Alternate SSL Ports
      3. Avoiding Looping Back through the ISA Firewall for Internal Resources
      4. Anonymous Requests Appear in Log File Even When Authentication is Enforced For Web (HTTP Connections)
      5. Blocking MSN Messenger using an Access Rule
      6. Allowing Outbound Access to MSN Messenger via Web Proxy
      7. Changes to ISA Firewall Policy Only Affects New Connections
   4. Allowing Intradomain Communications through the ISA Firewall
   5. One More Time
9. 5. Publishing Network Services with ISA 2006 Firewalls
   1. Overview of Web Publishing and Server Publishing
      1. Web Publishing Rules
         1. Proxied Access to Web Sites Protected by the ISA firewall
         2. Deep Application-Layer Inspection of Connections Made to Published Web Sites
         3. Path Redirection
         4. URL rewriting with ISA’s Link Translation
         5. Ability to Publish Multiple Web Sites with a Single IP Address
         6. Pre-authentication of requests, and Authentication Delegation to the published Site
         7. Single Sign-On (SSO) for Published Web Sites
         8. Support for SecurID Authentication
         9. Support for RADIUS Authentication
         10. Reverse Caching of Published Web Sites
         11. Support for Forwarding either the ISA Firewall’s IP Address, or the Original Web Client’s IP Address to the Web Site
         12. Ability to Schedule when Connections are Allowed to Published Web Sites
         13. Port and Protocol Redirection
      2. Server Publishing Rules
         1. Server Publishing Rules are a Form of Reverse NAT, sometimes referred to as “Port Mapping” or “Port forwarding” and do not Proxy the Connection
         2. Almost All IP Level and TCP/UDP Protocols can be Published using Server Publishing Rules
         3. Server Publishing Rules do not Support Authentication on the ISA Server
         4. Application-Layer Filtering can be Applied to a Defined Subset of Server Published Protocols
         5. You can Configure Port Overrides to Customize the Listening Ports and the Port Redirection. You can also Lock Down the Source Ports the Requesting Clients use to Connect to the Published Server
         6. You can lock down who can Access Published Resources using IP addresses
         7. The External Client Source IP Address can be Preserved or it can be Replaced with the ISA Firewall’s IP address
         8. Restrict connections to specific days and times
         9. Support for Port Redirection or PAT (Port Address Translation)
   2. Creating and Configuring Non-SSL Web Publishing Rules
      1. The Select Rule Action Page
      2. The Publishing Type Page
      3. The Server Connection Security Page
      4. The Internal Publishing Details Page (Part one)
      5. The Internal Publishing Details Page (Part two)
      6. The Public Name Details Page
      7. The Select Web Listener Page and Creating an HTTP Web Listener
      8. The Web Listener IP Addresses Page
      9. The Authentication Settings Page
      10. The Single Sign on Settings Page
      11. The LDAP Settings Page
      12. The RADIUS Settings Page
      13. SecurID Settings
      14. The Authentication Delegation Page
      15. The User Sets Page
   3. Creating and Configuring SSL Web Publishing Rules
      1. SSL Bridging
         1. SSL “Tunneling” versus SSL “Bridging”
         2. What about SSL-to-HTTP Bridging?
         3. Enterprise and Standalone Certificate Authorities
         4. SSL-to-SSL Bridging and Web Site Certificate Configuration
      2. Importing Web Site Certificates into the ISA Firewall’s Machine Certificate Store
      3. Requesting a User Certificate for the ISA Firewall to Present to SSL Web Sites
      4. Creating an SSL Web Publishing Rule
         1. The Internal Publishing Details Pages
         2. The Public Name Details Page
         3. The Server Connection Security Page
         4. The Client Connection Security Page
         5. ISA 2004’s Bridging Mode Page and ISA 2006
   4. Configuring Advanced Web Listener Properties
      1. The General Tab
      2. The Networks Tab
      3. The Connections Tab
      4. The Connections – Advanced Dialog
      5. The Certificates Tab
      6. The Certificates – Advanced Dialog
      7. The Authentication Tab
      8. Advanced Authentication Options Dialog Box
      9. The Forms Tab
      10. The Forms – Advanced Dialog
      11. The SSO Tab
   5. The Web Publishing Rule Properties Dialog Box
      1. The General Tab
      2. Action
      3. From
      4. To
      5. Traffic
      6. Listener
      7. Public Name
      8. Paths
      9. Bridging
      10. Users
      11. Schedule
      12. Link Translation
      13. Authentication Delegation
      14. Application Settings
   6. Creating Server Publishing Rules
      1. The Server Publishing Rule Properties Dialog Box
      2. Server Publishing HTTP Sites
   7. Creating Mail Server Publishing Rules
      1. The Client Access: RPC, IMAP, POP3, SMTP Option
   8. Publishing Exchange Web Client Access
   9. One More Time
10. 6. Creating Remote Access and Site-to-Site VPNs with ISA Firewalls
    1. Overview of ISA Firewall VPN Networking
       1. Firewall Policy Applied to VPN Client Connections
       2. Firewall Policy Applied to VPN Site-to-Site Connections
       3. VPN Quarantine
       4. User Mapping of VPN Clients
       5. SecureNAT Client Support for VPN Connections
       6. Site-to-Site VPN Using Tunnel Mode IPSec
       7. Publishing PPTP VPN Servers
       8. Pre-shared Key Support for IPSec VPN Connections
       9. Advanced Name Server Assignment for VPN Clients
       10. Monitoring of VPN Client Connections
       11. An Improved Site-to-Site Wizard (New ISA 2006 feature)
       12. The Create Answer File Wizard (New ISA 2006 Feature)
       13. The Branch Office Connectivity Wizard (New ISA 2006 feature)
       14. The Site-to-Site Summary (New ISA 2006 Feature)
    2. Creating a Remote Access PPTP VPN Server
       1. Enable the VPN Server
       2. Create an Access Rule Allowing VPN Clients Access to Allowed Resources
       3. Enable Dial-in Access
       4. Test the PPTP VPN Connection
    3. Creating a Remote Access L2TP/IPSec Server
       1. Issue Certificates to the ISA Firewall and VPN Clients
       2. Test the L2TP/IPSec VPN Connection
       3. Monitor VPN Clients
       4. Using a Pre-shared Key for VPN Client Remote Access Connections
    4. Creating a PPTP Site-to-Site VPN
       1. Create the Remote Site Network at the Main Office
       2. The Network Rule at the Main Office
       3. The Access Rules at the Main Office
       4. Create the VPN Gateway Dial-in Account at the Main Office
       5. Create the Remote Site Network at the Branch Office
       6. The Network Rule at the Branch Office
       7. The Access Rules at the Branch Office
       8. Create the VPN Gateway Dial-in Account at the Branch Office
       9. Activate the Site-to-Site Links
    5. Creating an L2TP/IPSec Site-to-Site VPN
       1. Enable the System Policy Rule on the Main Office Firewall to Access the Enterprise CA
       2. Request and Install a Certificate for the Main Office Firewall
       3. Configure the Main Office ISA Firewall to use L2TP/IPSec for the Site-to-Site Link
       4. Enable the System Policy Rule on the Branch Office Firewall to Access the Enterprise CA
       5. Request and Install a Certificate for the Branch Office Firewall
       6. Configure the Branch Office ISA Firewall to use L2TP/IPSec for the Site-to-Site Link
       7. Activate the L2TP/IPSec Site-to-Site VPN Connection
       8. Configuring Pre-shared Keys for Site-to-Site L2TP/IPSec VPN Links
    6. IPSec Tunnel Mode Site-to-Site VPNs with Downlevel VPN Gateways
    7. Using RADIUS for VPN Authentication and Remote Access Policy
       1. Configure the Internet Authentication Services (RADIUS) Server
       2. Create a VPN Clients Remote Access Policy
       3. Remote Access Permissions and Domain Functional Level
       4. Changing the User Account Dial-in Permissions
       5. Changing the Domain Functional Level
       6. Controlling Remote Access Permission via Remote Access Policy
       7. Enable the VPN Server on the ISA Firewall and Configure RADIUS Support
       8. Create an Access Rule Allowing VPN Clients Access to Approved Resources
       9. Make the Connection from a PPTP VPN Client
    8. Using EAP User Certificate Authentication for Remote Access VPNs
       1. Configuring the ISA Firewall Software to Support EAP Authentication
       2. Enabling User Mapping for EAP Authenticated Users
       3. Issuing a User Certificate to the Remote Access VPN Client Machine
    9. Supporting Outbound VPN Connections through the ISA Firewall
    10. Installing and Configuring the DHCP Server and DHCP Relay Agent on the ISA Firewall
    11. Summary
11. 7. ISA 2006 Stateful Inspection and Application Layer Filtering
    1. Introduction
    2. Application Filters
       1. The SMTP Filter
       2. The DNS Filter
       3. The POP Intrusion Detection Filter
       4. The SOCKS V4 Filter
       5. The FTP Access Filter
       6. The H.323 Filter
       7. The MMS Filter
       8. The PNM Filter
       9. The PPTP Filter
       10. The RPC Filter
       11. The RTSP Filter
    3. Web Filters
       1. The HTTP Security Filter (HTTP Filter)
          1. Overview of HTTP Security Filter Settings
             1. The General Tab
             2. The Methods Tab
             3. The Extensions Tab
             4. The Headers Tab
             5. The Signatures Tab
          2. HTTP Security Filter Logging
          3. Exporting and Importing HTTP Security Filter Settings
             1. Exporting an HTTP Policy from a Web Publishing Rule
             2. Importing an HTTP Policy into a Web Publishing Rule
          4. Investigating HTTP Headers for Potentially Dangerous Applications
          5. Example HTTP Security Filter Policies
          6. Commonly Blocked Headers and Application Signatures
       2. The ISA Server Link Translator
          1. Determining Custom Dictionary Entries
          2. Configuring Custom Link Translation Dictionary Entries
       3. The Web Proxy Filter
       4. The OWA Forms-Based Authentication Filter
       5. The RADIUS Authentication Filter
    4. IP Filtering and Intrusion Detection/Intrusion Prevention
       1. Common Attacks Detection and Prevention
       2. DNS Attacks Detection and Prevention
       3. IP Options and IP Fragment Filtering
          1. Source Routing Attack
    5. Summary
12. 8. Accelerating Web Performance with ISA 2006 Caching Capabilities
    1. Understanding Caching Concepts
       1. Web Caching Types
          1. Forward Caching
          2. Reverse Caching
             1. How Reverse Caching Reduces Bandwidth Usage
             2. How Reverse Caching Increases Availability of Web Content
       2. Web Caching Architectures
       3. Web Caching Protocols
    2. Understanding ISA 2006’s Web Caching Capabilities
       1. Using the Caching Feature
       2. Understanding Cache Rules
          1. Using Cache Rules to Specify Content Types That Can Be Cached
          2. Using Cache Rules to Specify How Objects are Retrieved and Served from Cache
       3. Understanding the Content Download Feature
    3. Configuring ISA 2006 as a Caching Firewall
       1. Enabling and Configuring Caching
          1. How to Enable Caching in Enterprise Edition
          2. How to Enable Caching in Standard Edition
          3. How to Disable Caching in Enterprise Edition
          4. How to Disable Caching in Standard Edition
          5. How to Configure Properties
          6. Configuring Which Content to Cache
          7. Configuring the Maximum Size of Objects in the Cache
          8. Configuring Whether Expired Objects Should be Returned from Cache
          9. Allocating a Percentage of Memory to Caching
       2. Creating Cache Rules
          1. How to Create a Cache Rule
          2. How to Modify an Existing Cache Rule
          3. How to Disable or Delete a Cache Rule
          4. How to Change the Order of Cache Rules
          5. How to Copy a Cache Rule
          6. How to Export and Import Cache Rules
       3. Configuring Content Downloads
          1. How to Ensure a Content Download Job Can Run
             1. Configuring the Local Host Network
             2. Enabling the System Policy Rules
             3. Running the Job Scheduler Service
          2. How to Create and Configure Scheduled Content Download Jobs
          3. How to Make Changes to an Existing Content Download Job
          4. How to Disable or Delete Content Download Jobs
          5. How to Export and Import Content Download Job Configurations
          6. How to Run a Content Download Job Immediately
    4. Summary
13. 9. Using ISA Firewall 2006’s Monitoring, Logging, and Reporting Tools
    1. Introduction
    2. Exploring the ISA 2006 Dashboard
       1. Dashboard Sections
          1. Dashboard Connectivity Section
          2. Dashboard Services Section
          3. Dashboard Reports Section
          4. Dashboard Alerts Section
          5. Dashboard Sessions Section
          6. Dashboard System Performance Section
       2. Configuring and Customizing the Dashboard
    3. Creating and Configuring ISA 2006 Alerts
       1. Alert-Triggering Events
       2. Viewing the Predefined Alerts
       3. Creating a New Alert
       4. Modifying Alerts
       5. Viewing Alerts that have been Triggered
    4. Monitoring ISA 2006 Connectivity, Sessions, and Services
       1. Configuring and Monitoring Connectivity
          1. Creating Connectivity Verifiers
          2. Monitoring Connectivity
       2. Monitoring Sessions
          1. Viewing, Stopping and Pausing Monitoring of Sessions
          2. Monitoring Specific Sessions Using Filter Definitions
          3. Disconnecting Sessions
          4. Exporting and Importing Filter Definitions
       3. Monitoring Services
    5. Working with ISA Firewall Logs and Reports
       1. Understanding ISA Firewall Logs
          1. Log Types
             1. Logging to an MSDE Database
             2. Logging to a SQL Server
             3. Logging to a File
          2. How to Configure Logging
             1. Configuring MSDE Database Logging
             2. Configuring Logging to a File
             3. Configuring Logging to a SQL Database
          3. How to Use the Log Viewer
          4. How to Filter the Log Information
          5. Saving Log Viewer Data to a File
          6. Exporting and Importing Filter Definitions
       2. Generating, Viewing, and Publishing Reports with ISA 2006
          1. How to Generate a One-Time Report
          2. How to Configure an Automated Report Job
          3. Other Report Tasks
          4. How to View Reports
          5. Publishing Reports
    6. Using the ISA Firewall’s Performance Monitor
       1. Recommended Performance Counters
    7. ISA Firewall 2004 Upgrade Considerations
       1. Preserving Log Files Prior to Upgrade
       2. File Logging
       3. MSDE Logging
       4. SQL Logging
       5. Preserving SQL Logging Options Prior to Upgrade