
Module 2: Installing and Maintaining ISA Server







Contents
Overview
Installing ISA Server
Installing and Configuring ISA Server Clients
Lab A: Installing ISA Server and Configuring Clients
Maintaining ISA Server
Lab B: Configuring ISA Server
Review





Information in this document is subject to change without notice. The names of companies,
products, people, characters, and/or data mentioned herein are fictitious and are in no way intended
to represent any real individual, company, product, or event, unless otherwise noted. Complying
with all applicable copyright laws is the responsibility of the user. No part of this document may
be reproduced or transmitted in any form or by any means, electronic or mechanical, for any
purpose, without the express written permission of Microsoft Corporation. If, however, your only
means of access is electronic, permission to print one copy is hereby granted.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.

© 2001 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, ActiveX, BackOffice, FrontPage, JScript, MS-DOS, NetMeeting,
Outlook, PowerPoint, Visual Basic, Visual C++, Visual Studio, Windows, Windows Media, and
Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the
U.S.A. and/or other countries.

Other product and company names mentioned herein may be the trademarks of their respective
owners.




Instructor Notes
This module provides students with the knowledge and skills to install and
configure Microsoft® Internet Security and Acceleration (ISA) Server 2000 as a
cache server and as a firewall.
After completing this module, students will be able to:

Install ISA Server on a computer running Microsoft Windows® 2000 Server.

Configure computers as Web proxy, Firewall, or SecureNAT clients for
ISA Server.

Perform administrative tasks for maintaining ISA Server.

Materials and Preparation
This section provides the materials and preparation tasks that you need to teach
this module.
Required Materials
To teach this module, you need the Microsoft PowerPoint® file 2159A_02.ppt.
Preparation Tasks
To prepare for this module, you should:

Read all of the materials for this module.

Complete the labs.

Study the review questions and prepare alternative answers to discuss.

Anticipate questions that students may ask. Write out the questions and
provide the answers.

Read RFC 1918, “Address Allocation for Private Internets,” under
Additional Reading on the Trainer Materials compact disc.

Read RFC 1928, “SOCKS Protocol Version 5,” under Additional Reading
on the Student Materials compact disc.

Review the document titled “Pre-Migration-Considerations.htm” on the
Microsoft ISA Server compact disc.

Review the document readme.htm on the ISA Server compact disc.

Read the following sections in ISA Server Help: “Planning Considerations,”
“Installing ISA Server,” “Checklist: Migrating from Microsoft Proxy Server
2.0,” “Migrating from Microsoft Proxy Server 2.0,” “ISA Server Clients,”
“Installing and Configuring ISA Server Clients,” “Administering
ISA Server,” and “Troubleshooting.”

Presentation: 60 Minutes
Lab: 60 Minutes


Module Strategy
Use the following strategy to present this module:

Installing ISA Server
Describe the issues to consider before and during the installation of
ISA Server, including a new installation or an upgrade of a server from
Microsoft Proxy Server 2.0. Point out the CPU scalability and operating
system differences between ISA Server Standard Edition and ISA Server
Enterprise Edition. Explain that configuring the local address table (LAT)
correctly is the single most important part of installing ISA Server.

Installing and Configuring ISA Server Clients
Describe the features of each ISA Server client: Web proxy, Firewall, and
SecureNAT. Present or, if possible, demonstrate the procedures for
configuring client computers for each type of client.

Maintaining ISA Server
Present the tasks required to maintain an ISA Server computer, including
starting and stopping services and backing up and restoring ISA Server.
Point out the taskpads and the Advanced view features in ISA Management.
Present or, if possible, demonstrate the procedures for adding entries to both
the LAT and local domain table (LDT). Explain the use of the Msplat.txt
file by the Firewall client. Emphasize that for maximum security, you
should save the backup files to an NTFS file system disk partition and set
the appropriate permissions to protect against unauthorized access.



Customization Information
This section identifies the lab setup requirements for a module and the
configuration changes that occur on student computers during the labs. This
information is provided to assist you in replicating or customizing Microsoft
Official Curriculum (MOC) courseware.

Important: The labs in this module are also dependent on the classroom
configuration that is specified in the Customization Information section at the
end of the Classroom Setup Guide for Course 2159A, Deploying and Managing
Microsoft Internet Security and Acceleration Server 2000.

Lab Setup
There are no lab setup requirements that affect replication or customization.
Lab Results
Performing the labs in this module introduces the following configuration
changes:

Student computers that are configured as ISA Server computers have
ISA Server installed.

Student computers that are configured as ISA Server computers have the
Default Web Site in Internet Information Services (IIS) configured to use
Transmission Control Protocol (TCP) port 8008.

Student computers that are configured as ISA Server computers have entries
added to the LAT and the LDT.

Student computers that are configured as ISA Server client computers have
the ISA Server administration tools installed.

Student computers that are configured as ISA Server client computers have
the Firewall Client software installed.

Student computers that are configured as ISA Server client computers have
the default gateway set to the Internet Protocol (IP) address of the
ISA Server computer on the private network.

Student computers that are configured as ISA Server client computers have
Microsoft Internet Explorer configured to use a Proxy server.



Overview

Installing ISA Server

Installing and Configuring ISA Server Clients

Maintaining ISA Server

ILLEGAL FOR NON-TRAINER USE
Whether you deploy Microsoft® Internet Security and Acceleration (ISA)
Server 2000 as a dedicated firewall, a Web cache server, or an integrated
solution, you must plan carefully to ensure that you have the required hardware
and software. After you perform an ISA Server installation, you must configure
client computers. Depending on the client operating systems and your specific
requirements to control Internet access, you can choose to use the transparent
SecureNAT technology or deploy the ISA Firewall Client software. You can
also configure computers as Web proxy clients to improve browser
performance.
In addition, it is important to properly maintain ISA Server to ensure that all
client computers have fast and secure access to the Internet.
After completing this module, you will be able to:

Install ISA Server on a computer running Microsoft Windows® 2000 Server.

Configure computers as Web proxy, Firewall, or SecureNAT clients for
ISA Server.

Perform administrative tasks for maintaining ISA Server.

Topic Objective: To provide an overview of the module topics and objectives.
Lead-in: In this module, you will learn about the installation and
maintenance tasks for ISA Server.






Installing ISA Server

Identifying Hardware and Software Requirements

Identifying Pre-Installation Tasks

Selecting an Installation Mode

Specifying the Initial Cache Size

Configuring the LAT

Upgrading from Microsoft Proxy Server 2.0

Troubleshooting ISA Server Installation

Before you install ISA Server, you must set up the hardware and configure the
software for the ISA Server computer. To help identify the choices that you will
make during installation, review the pre-installation checklist before performing
the installation. If you encounter problems during a new installation or an
upgrade from Microsoft Proxy Server 2.0, see the Troubleshooting ISA Server
Installation section.

Note: You also can automate the installation of ISA Server. For more
information about performing an unattended setup, see “Unattended setup” in
ISA Server Help.

Topic Objective: To identify the topics related to installing ISA Server.
Lead-in: Before you install ISA Server, you must set up the hardware and
configure the software of the ISA Server computer.


Identifying Hardware and Software Requirements
[Slide: hardware and software requirements. CPU: 300 MHz or higher. RAM:
256 MB. Hard disk space: 20 MB. Hard disk format: NTFS. Operating system:
Windows 2000 Server, Windows 2000 Advanced Server, or Windows Datacenter.
Network: internal adapter and external adapter. Arrays: Active Directory.]

The table below lists the hardware and software requirements for ISA Server.
Component          Requirements
-----------------  ------------------------------------------------------------
CPU                300 megahertz (MHz) or higher Pentium II-compatible
                   • ISA Server Standard Edition supports up to 4 processors
                   • ISA Server Enterprise Edition has no CPU limit
Memory             256 megabytes (MB) of random access memory (RAM)
Hard disk space    20 MB and space for cache
File system and    One local hard disk partition formatted with NTFS file system
disk format
Operating system   Microsoft Windows 2000 Server, Microsoft Windows 2000
                   Advanced Server, or Microsoft Windows 2000 Datacenter Server
Windows 2000       If running on Windows 2000 Server or Windows 2000 Advanced
Service Pack       Server, ISA Server requires Service Pack 1. You should install
                   Service Pack 2 when it becomes available. For more
                   information, see “System Requirements” in the ISA Server
                   Release Notes on the ISA Server compact disc.
Networking         A network adapter that is compatible with Windows 2000 for
                   communicating with the internal network and an additional
                   network adapter, modem, or Integrated Services Digital
                   Network (ISDN) adapter that is compatible with Windows 2000
                   for communicating with the Internet or an upstream server.


Note: The Active Directory directory service for Windows 2000 must be
installed on your network to implement the array feature.

Topic Objective: To identify the hardware and software requirements for
ISA Server.
Lead-in: Before you install ISA Server, consider the software and hardware
requirements.
Delivery Tip: Point out the CPU scalability difference between ISA Server
Standard Edition and ISA Server Enterprise Edition. Explain that Windows 2000
Datacenter Server does not require Service Pack 1 because it already includes
all of the components of this Service Pack.


Forward Caching Requirements
The following table lists the hardware configurations of a single ISA Server
computer for the expected number of users who gain access to objects on the
Internet.
Number of users  ISA Server computer        RAM          Disk space allocated
                                                         for caching
---------------  -------------------------  -----------  --------------------
Up to 500        Pentium II, 300 MHz        256 MB       2-4 gigabytes (GB)
500-1,000        Pentium III, 550 MHz       256 MB       10 GB
More than 1,000  Two ISA Server computers   256 MB for   10 GB for each
                 with Pentium III, 550 MHz  each 2,000   ISA Server computer
                 processors. Additional     users
                 ISA Server computer for
                 each 2,000 users.

If the number of users exceeds 1,000 users, consider better-performing
hardware for the ISA Server computer or add more ISA Server computers.
Reverse Caching Requirements
The following table lists the hardware configurations of a single ISA Server
computer for the expected number of requests from Internet, or external, users.
The exact RAM requirements depend on the content that you are publishing.
Ideally, all cacheable content should fit into memory.
Number of hits per second
for a single ISA Server
computer                   ISA Server computer
-------------------------  ---------------------------------------------------
Less than 800              Pentium II, 300 MHz
~800                       Pentium III, 550 MHz
More than 800              Pentium III, 550 MHz for each 800 hits per second.
                           You can add more processors to your computer or you
                           can add additional ISA Server computers.

Firewall Requirements
The following table lists the hardware configurations for the expected rate of
data transfer for Firewall and SecureNAT clients that gain access to objects on
the Internet.
Rate of data transfer             ISA Server computer            RAM
--------------------------------  -----------------------------  ------
1–25 megabits per second          Pentium II, 300 MHz            256 MB
25–50 megabits per second         Pentium III, 550 MHz           256 MB
More than 50 megabits per second  Pentium III, 550 MHz for each  256 MB
                                  50 megabits per second


Note: Although it is important to have the required hardware configuration, the
rate of data transfer is highly dependent on the speed of your connection to the
Internet.

Delivery Tip: Summarize the hardware configurations that are listed in the
tables. It is not necessary to describe each configuration in detail.
Emphasize that these recommendations are only guidelines. Students can
monitor ISA Server for actual performance and adjust the ISA Server computers
accordingly.


Identifying Pre-Installation Tasks
Locate CD Key
Select an Array to Join, If Applicable
Select an Installation Option
Select an Installation Mode
Configure Address Ranges for the LAT
Configure a Drive to Use for the Cache

Before installing ISA Server, test your network connectivity to minimize the
need for troubleshooting connection problems after installation is complete.

Important: Before installing ISA Server, ensure that the Windows 2000 routing
table on the ISA Server computer is configured correctly. The internal adapter
of the ISA Server computer must be able to route packets to all internal network
destinations, and the external network adapter must be able to route packets to
the Internet. To ensure proper routing, add explicit routes for all internal
network destinations, and configure a default gateway on only the external
network adapter.

When you install ISA Server, you must provide the following information:

CD Key. This is the 10-digit number located on the back of the CD-ROM case.

Installation options. As part of the installation process, you can install
options from the following ISA Server components:

ISA Services. Controls access of network services for the traffic between
networks. This component is required for the installation.

Add-In Services. Includes the Microsoft H.323 Gatekeeper service, which
allows Microsoft NetMeeting® or other H.323-compliant applications to
reach users inside your network. The H.323 protocol is a set of standards
that enable real-time multimedia conferencing and communications over
packet-based networks. Also includes the Message Screener, which
performs content filtering on incoming Simple Mail Transfer Protocol
(SMTP) traffic.
Both of these add-in services are optional.

Topic Objective: To identify the tasks to perform before installing
ISA Server.
Lead-in: You must provide certain information when you install ISA Server.
Delivery Tip: Emphasize that configuring the Windows 2000 routing table
before installing ISA Server will help ensure the proper operation of
ISA Server.



Administration Tools. Includes the ISA Server administration tools, which
are required for the installation, and the H.323 Gatekeeper administration
tools, which are optional.

Note: You can also install the administration tools separately on a computer
running Windows 2000 Server or Microsoft Windows 2000 Professional to
remotely administer a stand-alone ISA Server computer or one or more
arrays of ISA Server computers.



Array selection. If you previously modified the Active Directory schema to
initialize the enterprise, you can either create an enterprise array or
select an array to join. If you did not initialize the enterprise, ISA Server
is installed in a stand-alone array, which contains only a single ISA Server
computer.

Installation Mode. You can install ISA Server in Firewall mode,
Cache mode, or Integrated mode.

Cache configuration. If you install ISA Server in Integrated or Cache mode,
you must configure the drives to use for the cache.

Local Address Table (LAT) configuration. If you install ISA Server in
Integrated or Firewall mode, you must configure the address ranges to
include in the LAT. The LAT is a table containing all of the internal Internet
Protocol (IP) address ranges that the network behind the ISA Server
computer uses.


Important: You must install Windows 2000 Service Pack 1 or later before you
install ISA Server.



Selecting an Installation Mode
[Slide: Microsoft ISA Server Setup dialog boxes]
Select the mode for this server:
Firewall mode. Select this option to install enterprise firewall
functionality.
Cache mode. Select this option to install cache and Web hosting
functionality. Cache mode installation is recommended only for computers
that are not directly connected to the Internet. If this computer is directly
connected to the Internet, install ISA Server in integrated mode.
Integrated mode. Select this option to install integrated enterprise
firewall, cache, and Web hosting functionality.
Setup message: Setup has stopped your IIS publishing service (W3SVC). After
Setup is complete, uninstall IIS or reconfigure all IIS sites not to use
ports 80 and 8080.

Before you can select an installation mode, you must launch the ISA Server
installation program and enter the information described in the pre-installation
checklist. As part of the setup process, you select the mode for ISA Server:
Firewall, Cache, or Integrated. After you select the server mode, if you have
Internet Information Services (IIS) installed and configured to use port 80 or
port 8080, ISA Server Setup informs you that it will stop the IIS Web service.
To start the ISA Server installation:
1. Insert the compact disc into the CD-ROM drive, or if you copied the
contents of the ISA Server compact disc to a network location, open a
command prompt window, and then run the ISAautorun.exe file.
2. In the Microsoft ISA Server Setup window, select Install ISA Server, and
then click Continue.
3. Type the CD Key, and then click OK twice.
4. Read the licensing agreement, and then if you agree, click I Agree.
5. Click one of the following installations, and then click OK:
• Typical Installation. Includes the most commonly used components.
• Full Installation. Includes all ISA Server components and extensions.
• Custom Installation. Includes the ISA Server components and
extensions that you specify.

Topic Objective: To describe the procedure that you use to select an
installation mode.
Lead-in: You must select one of three installation modes for ISA Server
during Setup.


6. If you are installing ISA Server Enterprise Edition and the computer is not
part of a Windows 2000 domain, click Yes to install ISA Server as a
stand-alone server.

Note: For more information about installing ISA Server as an array
member, see Module 9, “Configuring ISA Server for the Enterprise,” in
Course 2159A, Deploying and Managing Microsoft Internet Security and
Acceleration Server 2000.

7. Click Firewall mode, Cache mode, or Integrated mode, and then click
Continue.
8. When the Setup Information message prompts you to stop the IIS service,
click OK.
After the ISA Server installation is complete, uninstall IIS or configure all
Web sites on the server to use a port other than port 80 or port 8080.

Important: Setup stops the IIS Web service because its default listening port
is 80, which ISA Server also uses. Because ISA Server listens on port 80
and may listen on port 8080, you must modify the listening port settings for
IIS because two different services cannot bind to the same port.




Specifying the Initial Cache Size
[Slide: Setup dialog box for specifying the NTFS drives on which caches
should be located and the maximum size of each cache. Example shown: drive
C: [NTFS], available space 28722 MB, cache size 100 MB, total cache size
100 MB. Callout: Initial cache size is 100 MB. Add 0.5 MB for each Web Proxy
client.]

If you install ISA Server in Cache mode or in Integrated mode, the Setup
program prompts you to select the drive for the cache location and the initial
cache size. Select an NTFS-formatted hard disk of sufficient size to make the
cache as large as possible. For optimal performance, select a hard disk that you
use exclusively for caching. You can increase cache size later by allocating
more empty disk space or by adding more disk volumes.
Consider the following settings when specifying the size of the cache:

Default cache size. 100 MB if at least 150 MB of free disk space is
available.

Minimum cache size. Allocate at least one drive and 5 MB on that drive.

Recommended cache size. Allocate at least 100 MB and add 0.5 MB for
each Web Proxy client, rounded up to the nearest full megabyte.


Note: Although Windows 2000 allows you to format a drive without assigning
a drive letter, you cannot use a drive without a drive letter for ISA Server
caching.

Topic Objective: To describe the procedure that you use to specify the
initial size of the cache.
Lead-in: You specify the initial size of the cache during Setup.


Configuring the LAT
[Slide: Setup dialog box for entering the IP address ranges that span the
internal network address space (example range shown: 192.168.1.200 to
192.168.255.255), and the Local Address Table dialog box for selecting
private ranges or address ranges based on the Windows 2000 routing table.
Callouts:
1. Click Construct Table to construct a local address table.
2. Select options to add private IP address ranges or routing table entries.
3. Verify the IP addresses that display in the local address table.]

The LAT is a table of all internal IP addresses. If you install ISA Server in
Firewall mode or Integrated mode, you can configure the LAT during Setup.
ISA Server uses the LAT to determine which IP addresses are inside an
organization’s network and assumes that all other IP addresses are external.
ISA Server uses the LAT to control how computers on the internal network
communicate with external networks. In addition, Firewall clients automatically
download LAT updates from the ISA Server computer. Firewall clients use the
LAT updates to determine which IP addresses they can directly connect to and
which requests they need to forward to the ISA Server computer.
Overview of the LAT
ISA Server can construct the LAT and add the following IP address ranges:

Private IP addresses. ISA Server can add IP addresses that are reserved by
the Internet Assigned Numbers Authority (IANA) for internal use. Many
organizations use these addresses for internal addresses. These addresses
include 10.0.0.0 to 10.255.255.255, 192.168.0.0 to 192.168.255.255, and
172.16.0.0 to 172.31.255.255. Add private IP addresses to the LAT only if
you use private IP addressing on your network.

Note: For more information about private IP addresses, see RFC 1918,
“Address Allocation for Private Internets,” under Additional Reading on
the Student Materials compact disc.


Networks from the routing table. ISA Server adds all of the networks that
your computer connects to by using one or more network adapters that you
select. When adding entries from the routing table, ensure that the network
adapter that is configured to connect to your internal network has the correct
routing information for all network segments on your internal network.

Topic Objective: To describe the LAT and the procedure for configuring the
LAT during Setup.
Lead-in: You can add IP addresses based on routing table entries or private
IP address ranges.
Key Points: ISA Server uses the LAT to determine which IP addresses are
inside an organization’s network and assumes that all other IP addresses are
external.


Configuring the LAT
To configure the LAT during Setup:

Important: When configuring the LAT, add addresses on the private network
only. Do not add the external interface of the ISA Server computer or any
external addresses. In addition, never configure a network adapter with both an
external IP address and an IP address that is in the LAT—doing so can cause
ISA Server to incorrectly enforce security rules and can present a serious
security risk.

1. In the Microsoft Internet Security and Acceleration Server 2000 Setup
dialog box, click Construct Table.
2. Choose from the following options, and then click OK twice:
• To add private IP address ranges, select the Add the following private
ranges check box.
• To add routing table entries, select the Add address ranges based on
the Windows 2000 Routing Table check box, and then select the check
box for the network adapter that is connected to your internal network.
3. In the Internal IP ranges box, review the list of IP address ranges, make
the following corrections if necessary, and then click OK:
• To remove an address range, in the Internal IP Ranges box, click the
range, and then click Remove.
• To add an address range, in the Edit box, type the beginning and end
addresses of the range, and then click Add.
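
The LAT guidance above (which ranges belong in the table, and the warning about external addresses) can be checked mechanically before the ranges are committed. The following Python is an added example, not part of the courseware or of ISA Server; it models the LAT as the From/To pairs entered in Setup, and the adapter names, sample addresses and finding codes are constructed for illustration.

```python
import ipaddress

# The private blocks the page lists as candidates for the LAT (RFC 1918).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_lat(pairs):
    """Convert (from, to) address pairs, as typed into Setup, into ranges."""
    lat = []
    for start, end in pairs:
        lo, hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
        if lo > hi:
            raise ValueError(f"range start {lo} is above range end {hi}")
        lat.append((lo, hi))
    return sorted(lat)


def in_lat(lat, address):
    """True if the address falls inside any LAT range (treated as internal)."""
    ip = ipaddress.IPv4Address(address)
    return any(lo <= ip <= hi for lo, hi in lat)


def client_decision(lat, destination):
    """What a Firewall client does with a destination, according to the LAT."""
    return "direct" if in_lat(lat, destination) else "forward-to-isa"


def audit_lat(lat, adapters):
    """Return (code, detail) findings for LAT entries and adapter addressing.

    adapters maps a name to {"role": "internal" | "external", "ips": [...]}.
    """
    findings = []
    for lo, hi in lat:
        # Split the range into CIDR blocks and check each against RFC 1918.
        blocks = ipaddress.summarize_address_range(lo, hi)
        if not all(any(b.subnet_of(p) for p in RFC1918) for b in blocks):
            # Acceptable only if the internal network really uses these addresses.
            findings.append(("review-non-private-range", f"{lo}-{hi}"))
    for name, nic in sorted(adapters.items()):
        inside = [ip for ip in nic["ips"] if in_lat(lat, ip)]
        outside = [ip for ip in nic["ips"] if not in_lat(lat, ip)]
        if nic["role"] == "external" and inside:
            findings.append(("external-address-in-lat", f"{name}: {inside[0]}"))
        if inside and outside:
            # One adapter holding both a LAT address and a non-LAT address.
            findings.append(("adapter-mixes-lat-and-external", name))
        if nic["role"] == "internal" and not inside:
            findings.append(("internal-adapter-not-in-lat", name))
    return findings


# Constructed sample data (203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges standing in for external addresses).
GOOD_LAT = parse_lat([("10.0.0.0", "10.255.255.255"),
                      ("192.168.1.0", "192.168.1.255")])
BAD_LAT = parse_lat([("192.168.1.0", "192.168.1.255"),
                     ("203.0.113.0", "203.0.113.255")])
ADAPTERS = {
    "internal": {"role": "internal", "ips": ["192.168.1.200"]},
    "external": {"role": "external", "ips": ["203.0.113.10"]},
}

if __name__ == "__main__":
    for label, lat in (("GOOD_LAT", GOOD_LAT), ("BAD_LAT", BAD_LAT)):
        print(label, audit_lat(lat, ADAPTERS))
    print(client_decision(BAD_LAT, "203.0.113.80"))
```

With BAD_LAT, client_decision treats 203.0.113.80 as internal and connects directly instead of forwarding the request to the ISA Server computer, which is the failure the Important note describes.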

After configuring the LAT, Setup copies all of the required files and completes
all configuration steps. Unless you specify a different location during an
unattended setup, Setup installs ISA Server in the C:\Program Files\Microsoft
ISA Server folder.

Key Points: Configuring the LAT correctly is the single most important part
of installing ISA Server. When configuring the LAT, include addresses on the
private network only. Do not add the external interface of the ISA Server
computer or any external addresses.


Upgrading from Microsoft Proxy Server 2.0
[Slide: Upgrading from Microsoft Windows NT (upgrade to Windows 2000);
comparing Proxy Server 2.0 and ISA Server configurations (publishing, cache
content, SOCKS rules, IPX protocol); upgrading client computers (Winsock
Proxy clients and Firewall clients; client requests on port 80 for
Proxy Server 2.0 and port 8080 for ISA Server 2000).]

ISA Server supports a full migration path for Microsoft Proxy Server 2.0 users.
Setup migrates most Proxy Server 2.0 rules, network settings, monitoring
configurations, and cache configurations to ISA Server when you perform an
upgrade.
Before migrating from Proxy Server 2.0, review
“PreMigrationConsiderations.htm” on the ISA Server compact disc and review
the following sections in ISA Server Help: “Checklist: Migrating from
Microsoft Proxy Server 2.0” and “Migrating from Microsoft Proxy Server 2.0.”

Important: It is recommended that you perform a full backup of the current
Proxy Server 2.0 settings before the upgrade and that you disconnect the
computer to be upgraded from the Internet during the installation.

Upgrading from Microsoft Windows NT 4.0
You can install ISA Server only on computers running Windows 2000 Server
with Service Pack 1 installed. If you are currently running Proxy Server 2.0 on
Microsoft Windows NT® 4.0, you must complete the following steps:
1. Stop and disable all Proxy Server services including:
• Microsoft Winsock Proxy Service (wspsrv)
• Microsoft Proxy Server Administration (mspadmin)
• Proxy Alert Notification Service (mailalrt)
• World Wide Web Publishing Service (w3svc)
2. If Proxy Server 2.0 is installed as an array, remove the server running Proxy
Server 2.0 from the array.

Topic Objective: To describe the topics that are related to upgrading to
ISA Server from Proxy Server 2.0.
Lead-in: ISA Server supports a full migration path for Microsoft
Proxy Server 2.0 users.
Key Points: Perform a full backup of the Proxy Server 2.0 settings before
upgrading, and disconnect the computer that you are upgrading from the
Internet during the installation.


3. Perform the upgrade to Windows 2000. During the upgrade to
Windows 2000, you may receive a message indicating that Proxy Server 2.0
will not work on a computer running Windows 2000. You can disregard this
message and continue installing ISA Server.
4. Install Windows 2000 Service Pack 1.
5. Begin installing ISA Server.

Comparing Proxy Server 2.0 and ISA Server Configurations
When you upgrade to ISA Server, most rules, network settings, monitoring
configurations, and cache configurations in Proxy Server 2.0 are migrated to
ISA Server. The differences and exceptions between Proxy Server 2.0 and
ISA Server are listed as follows:

Publishing. Proxy Server 2.0 requires that you configure publishing servers
as Winsock Proxy clients. ISA Server allows you to publish internal servers
without requiring any special configuration or software installation on the
publishing server. Instead, ISA Server recognizes the publishing servers as
SecureNAT clients.

Cache. Proxy Server 2.0 cache content is not migrated because of the vastly
different cache storage engine in ISA Server. ISA Server Setup deletes
Proxy Server 2.0 cache content and initializes the new storage engine based
on existing cache and drive settings.

SOCKS. ISA Server policy does not support the migration of Proxy Server
2.0 SOCKS rules. ISA Server includes the SOCKS applications filter, which
allows client SOCKS applications to communicate with the network by
using the applicable array or enterprise policy to determine if the client
request is allowed.

For more information about using SOCKS Version 5 protocol, also
known as Authenticated Firewall Traversal (AFT), see RFC1928, “SOCKS
Protocol Version 5,” under Additional Reading on the Student Materials
compact disc.


Internet Protocol Exchange (IPX) Protocol. ISA Server does not support the
IPX protocol.

Upgrading Client Computers
After you install ISA Server, you may have to upgrade your client computers:

• Winsock Proxy clients. Because both the Winsock Proxy Client that is
included with Proxy Server 2.0 and the Firewall Client that is included with
ISA Server are compatible with both server products, you can upgrade client
computers at any time after installing ISA Server and maintain a mixed
environment during migration.

• Web Proxy clients. Proxy Server 2.0 uses port 80 for client Hypertext
Transfer Protocol (HTTP) requests. By default, ISA Server uses port 8080.
Therefore, you must configure all downstream chain members and browsers
that connect to the ISA Server computer to connect to port 8080.
Alternatively, you can configure ISA Server to use port 80 for client HTTP
requests.

Key Points: Migration of Proxy Server 2.0 SOCKS rules to ISA Server policy
is not supported.


Troubleshooting ISA Server Installation
The following list includes common installation problems and solutions:

• The LAT that the Setup program generates is incorrect. Always double-
check the LAT that the Setup program generates before you continue and
make any required changes. The automatically generated LAT depends on a
correct and complete configuration of your routing table.

• You are unable to connect to Internet resources immediately after
installing ISA Server. This result is expected. Before you can fully test
your configuration, you must configure access rules.

• ISA Server presented one or more error messages during installation.
Review the event logs in Windows 2000 for more information about the
errors. Remove ISA Server by using Add/Remove Programs in Control
Panel, and then reinstall it. If you cannot remove ISA Server by using
Add/Remove Programs, use the RMISA.exe program, which is located in
the \isa\i386 folder on the ISA Server compact disc.

• You cannot join an array because the installation program cannot find
the array. Ensure that the computer can communicate with the other array
members and a domain controller for the current domain.

• Users can gain access to Internet sites even though you have not defined
rules that allow access. Your LAT may not be configured correctly. Ensure
that the LAT contains only internal IP addresses.

• After upgrading from Proxy Server 2.0, client computers can no longer
connect to Internet resources. Change the port that Web Proxy clients use
to gain access to the ISA Server computer or configure automatic discovery
for clients. ISA Server uses port 8080 for client connections, whereas Proxy
Server 2.0 uses port 80.

Tip: The “Troubleshooting” section of ISA Server Help contains information
about solving other common problems.
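
The two LAT items in the list above both come down to checking that every LAT range holds only internal addresses. The following Python check is an added example, not part of the courseware or of ISA Server; the function name audit_lat and the sample ranges are constructed for illustration, and it assumes that the internal network uses the RFC 1918 private ranges unless you pass your own list.

```python
import ipaddress

# Assumption: internal networks use the RFC 1918 private ranges.
DEFAULT_INTERNAL = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

# Constructed sample LAT, written as (From, To) pairs.
SAMPLE_LAT = [
    ("10.0.0.0", "10.255.255.255"),
    ("192.168.1.0", "192.168.1.255"),
    ("172.16.0.0", "172.32.255.255"),    # runs one /16 past 172.16.0.0/12
    ("203.0.113.0", "203.0.113.255"),    # documentation range, not internal
]


def audit_lat(lat_ranges, internal_networks=DEFAULT_INTERNAL):
    """Return (from, to, problem) for each LAT range that is not purely internal."""
    # Merge adjacent internal networks so a range spanning two of them passes.
    internal = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(n) for n in internal_networks))
    findings = []
    for start_text, end_text in lat_ranges:
        try:
            start = ipaddress.IPv4Address(start_text)
            end = ipaddress.IPv4Address(end_text)
        except ipaddress.AddressValueError:
            findings.append((start_text, end_text, "not a valid IPv4 address"))
            continue
        if start > end:
            findings.append((start_text, end_text, "range start is after range end"))
            continue
        # Split the From-To range into CIDR blocks and keep every block that
        # is not wholly inside one of the internal networks.
        outside = [str(block)
                   for block in ipaddress.summarize_address_range(start, end)
                   if not any(block.subnet_of(net) for net in internal)]
        if outside:
            findings.append((start_text, end_text,
                             "contains non-internal addresses: " + ", ".join(outside)))
    return findings


if __name__ == "__main__":
    for lat_from, lat_to, problem in audit_lat(SAMPLE_LAT):
        print(f"{lat_from} - {lat_to}: {problem}")
```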

Topic Objective: To identify common ISA Server installation problems.
Lead-in: After installing ISA Server and ISA Server clients, you may have to
troubleshoot installation problems.

Installing and Configuring ISA Server Clients

• Client Overview
• Configuring Web Proxy Clients
• Configuring SecureNAT Clients
• Installing and Configuring Firewall Clients
• Troubleshooting Client Installation

Before you deploy or configure clients for ISA Server, you must consider the
requirements of your organization. Some of the considerations include the level
of access control required, the operating systems installed on client computers,
the applications and services that your internal clients will use, and how you
will publish servers on your internal network. If you encounter problems while
installing or configuring clients, see the Troubleshooting Client Installation
section.
Topic Objective: To identify the topics related to installing and configuring
ISA Server clients.
Lead-in: Before you install and configure ISA Server clients, evaluate the
needs of your organization and compare the features of each client.


Client Overview
[Slide: Internet, ISA Server, and the three client types]
• SecureNAT Client: Do not require you to deploy client software or
configure client computers.
• Firewall Client: Allow Internet access only for authenticated users.
• Web Proxy Client: Improve the performance of Web requests for internal
clients.

ISA Server supports three types of clients: Web Proxy clients, SecureNAT
clients, and Firewall clients.
Comparing ISA Server Clients
The following list describes the features of each type of ISA Server client:

• Web Proxy clients. Improve the performance of Web requests. A Web Proxy
client sends requests directly to the ISA Server computer, but Internet
access is limited to the browser. You can configure most Web browsers that
support HTTP 1.1 as Web Proxy clients. Other applications, such as
streaming media client applications, can also function as Web Proxy clients.

• SecureNAT clients. Provide security and caching of HTTP requests, but do
not allow for user-level authentication. SecureNAT clients can support most
Transmission Control Protocol/Internet Protocol (TCP/IP) protocols,
including Internet Control Message Protocol (ICMP). To configure a
SecureNAT client, you configure the client computer to route all packets to
the Internet through the ISA Server computer. You typically do this by
setting the default gateway on the client computer to the IP address of the
ISA Server computer. Because a SecureNAT client requires no
configuration other than changing the default gateway, any computer that
uses the TCP/IP protocol can be a SecureNAT client.

Important: Some protocols and applications require secondary connections.
For example, when you use the File Transfer Protocol (FTP), by
default the client initiates a primary connection to the server, and the server
then initiates a secondary connection to the client. ISA Server must use an
application filter that edits the data stream to allow SecureNAT clients to
use such protocols and applications. ISA Server includes several application
filters, such as an FTP filter and an H.323 filter. If ISA Server does not
contain the appropriate application filter for a protocol or application,
SecureNAT clients cannot use this protocol or application.

Topic Objective: To describe the clients that are supported by ISA Server.
Lead-in: ISA Server supports three types of clients.
Key Points: Only Firewall clients can be identified and fully authenticated
by ISA Server.



• Firewall clients. Restrict access on a per-user basis for outbound access for
requests that use the TCP and User Datagram Protocol (UDP) protocols. To
configure a Firewall client, you must install the Firewall Client software on
each client computer. You can install the Firewall Client software on
computers running Microsoft Windows Millennium Edition, Microsoft
Windows 95 OSR2, Microsoft Windows 98, Windows NT 4.0, or
Windows 2000 only.

Important: You can configure a computer to use multiple client types
simultaneously. For example, you can configure a computer as a Web Proxy
client for requests that are issued from within a browser, as a Firewall client to
forward all requests from Winsock applications that use the TCP and UDP
protocols, and as a SecureNAT client for all other protocols, such as ICMP.

Determining Which ISA Clients to Use
Use the following guidelines to determine which clients to deploy for
ISA Server.
If you want to: Improve the performance of Web requests for internal clients
Then use: Web Proxy clients.

If you want to: Avoid deploying client software or configuring client
computers
Then use: SecureNAT clients. SecureNAT clients do not require any software
or specific configuration.

If you want to: Improve Web performance in an environment with
non-Microsoft operating systems
Then use: SecureNAT clients. SecureNAT client requests are transparently
passed to the Microsoft Firewall service and then to the caching service for
caching.

If you want to: Publish servers that are located on your internal network
Then use: SecureNAT clients. You can publish internal servers to make them
available to external users. When you publish internal servers, you configure
the servers as SecureNAT clients. Because the published servers are
SecureNAT clients, you do not need to configure settings on the published
server. Microsoft does not recommend configuring published servers as
Firewall clients.

If you want to: Allow Internet access for only authenticated users
Then use: Firewall clients or Web Proxy clients. You can configure
user-based access policy rules for Firewall clients and Web Proxy clients.



Configuring Web Proxy Clients
[Slide: Local Area Network (LAN) Settings dialog box, Proxy Server section,
with three callouts]
1. Select the Use a proxy server check box.
2. Type the IP address or name of the ISA Server computer in the Address box
(192.168.1.200 on the slide).
3. Type the port number in the Port box (8080 on the slide), and then click OK.
Dialog text: Automatic configuration may override manual settings. To ensure
the use of manual settings, disable automatic configuration.

You do not need to install any software to configure Web Proxy clients.
However, you must configure the Web browser on the client computer to use
the ISA Server computer as the proxy server. Other applications that use Web
protocols may also be able to function as Web Proxy clients. Some of these
applications can obtain their configuration settings from your Web browser.
Others may require additional configuration steps. The exact configuration
steps for configuring ISA Server depend on the Web browser that you use.

Important: Web browser helper applications that use protocols other than
HTTP, such as Microsoft Windows Media Player, do not use ISA Server to
connect to the Web. To allow helper applications to connect to the Web, you
must use the SecureNAT client or the Firewall client in addition to the Web
Proxy client.

To configure Microsoft Internet Explorer 5 or later to use the Microsoft Web
Proxy service:
1. Open the Properties dialog box for Internet Explorer. On the Connections
tab, click LAN Settings, and then in the Local Area Network (LAN)
Settings dialog box, select the Use a proxy server check box.
2. In the Address box, type a valid path to the ISA Server computer.
3. In the Port box, type the port number that the ISA Server computer uses for
Web Proxy client connections, which is 8080 by default, and then click OK
twice.
If you want your Web browser to bypass the ISA Server computer when
connecting to local computers, you can also select the Bypass proxy server
for local addresses check box. Bypassing the ISA Server computer for
local computers may improve Web browser performance.

Topic Objective: To describe the procedure that is used to configure
Web Proxy clients.
Lead-in: To configure Web Proxy clients, you must configure the Web browser
on the client computer to use the ISA Server computer as the proxy server.
Key Points: Web browser helper applications that use protocols other than
HTTP, such as Windows Media Player, do not use ISA Server to connect to the
Web.


Configuring SecureNAT Clients

• Configuring Clients on Networks That Do Not Use Routers
• Configuring Clients on Networks That Use Routers
• Resolving Names for SecureNAT Clients

Although SecureNAT clients do not require specific software, you must
configure SecureNAT clients to route all network traffic to the Internet through
the ISA Server computer. How you configure the client computer depends on
whether your network uses routers between the ISA Server computer and the
SecureNAT clients.
Configuring Clients on Networks That Do Not Use Routers
To configure SecureNAT clients on a network without routers, set the
SecureNAT client's IP default gateway settings to the IP address of the
ISA Server computer's internal network adapter by manually changing the
default gateway setting or by using Dynamic Host Configuration Protocol
(DHCP).
Configuring Clients on Networks That Use Routers
To configure SecureNAT clients on a network with routers, set the default
gateway settings to the router closest to the SecureNAT client. Ensure that the
router is configured to forward IP packets to the Internet so that all packets are
routed through the ISA Server computer. Optimally, routers should use a
default gateway that routes along the shortest path to the ISA Server computer.
In addition, do not configure routers to discard packets destined for addresses
outside of the internal network. The ISA Server computer will determine how
to route these packets.
Topic Objective: To identify the topics related to configuring SecureNAT
clients.
Lead-in: Consider your network topology when you configure the default
gateway for SecureNAT clients.
