Enabling Secure Internet Access with ISA Server - PowerPoint PPT Presentation

Provided by: phucdangF

Transcript and Presenter's Notes

1
Enabling Secure Internet Access with ISA Server
2
Enabling Secure Access to Internet Resources
  • What Is Secure Access to Internet Resources?
  • Users can access the resources that they need.
  • The connection to the Internet is secure.
  • The data that users transfer to and from the
    Internet is secure.
  • Users cannot download malicious programs from the
    Internet.
  • Secure access to the Internet also means that the
    users' actions comply with the organization's
    security or Internet usage policy.

3
What Is Secure Access to Internet Resources?
  • Secure access means:
  • Only users who have permission to access the
    Internet can access the Internet.
  • These users can use only approved protocols and
    applications to access Internet resources.
  • These users can gain access only to approved
    Internet resources, or cannot gain access to
    denied Internet resources.
  • These users can gain access to the Internet only
    in accordance with any other restrictions the
    organization may establish, such as when and
    from which computers access is permitted.

4
How ISA Server Enables Secure Access to Internet
Resources
  • ISA Server provides the following functionality
    to enable secure access:
  • Implementing ISA Server as a firewall.
  • Implementing ISA Server as a proxy server.
  • Using ISA Server to implement the organization's
    Internet usage policy.

5
Configuring ISA Server as a Proxy Server
  • What Is a Proxy Server?
  • A proxy server is a server that is situated
    between a client application and a server to
    which the client connects.
  • All client requests are sent to the proxy server.
    The proxy server creates a new request and sends
    the request to the specified server. The server
    response is sent back to the proxy server, which
    then replies to the client application.
  • A proxy server can provide enhanced security and
    performance for Internet connections.
  • Using a proxy server makes the user's connection
    to the Internet more secure.

6
Configuring ISA Server as a Proxy Server
  • Proxy servers make the Internet connection more
    secure in the following ways:
  • User authentication
  • Filtering client requests
  • Content inspection
  • Logging user access
  • Hiding the internal network details

7
How Proxy Servers Work
  • How Does a Forward Proxy Server Work?
  • How Does a Reverse Web Proxy Server Work?

8
How Does a Forward Proxy Server Work?
  • When a proxy server is used to secure outbound
    Internet access, it is configured as a forward
    proxy server.
  • Forward proxy servers are usually located between
    a Web or Winsock application running on a client
    computer on the internal network and an
    application server located on the Internet.

9
How Does a Forward Proxy Server Work?
10
  • 1. A client application, such as a Web browser,
    makes a request for an object located on a Web
    server. The client application checks its Web
    proxy configuration to determine whether the
    request destination is on the local network or on
    an external network.
  • 2. If the requested Web server is not on the
    local network, the request is sent to the proxy
    server.
  • 3. The proxy server checks the request to confirm
    that there is no policy in place that blocks
    access to the requested content.
  • 4. If caching is enabled, the proxy server also
    checks if the requested object exists in its
    local cache. If the object is stored in the local
    cache and it is current, the proxy server sends
    the object to the client from the cache. If the
    page is not in the cache or if the page is out of
    date, the proxy server sends the request to the
    appropriate server on the Internet.

11
  • 5. The Web server response is sent back to the
    proxy server. The proxy server filters the
    response based on the filtering rules configured
    on the server.
  • 6. If the content is not blocked and it is
    cacheable, ISA Server saves a copy of the content
    in its cache and the object is then returned to
    the client application that made the original
    request.
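The six forward-proxy steps above, run as a small simulation. This is an added example and not ISA Server code: the deny policy, the response filter, the "local network" domain suffix and the origin servers are all constructed in-process so the flow can be traced offline. Each method comment names the step it implements.

```python
"""Simplified forward Web proxy flow, modelled on the six steps above.

Added example, not ISA Server code. The policy, cache and 'upstream' Web
server are all constructed in-process so the flow can be run offline.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed deny policy: URL prefixes that an access rule blocks.
DENY_URL_PREFIXES = ("http://blocked.example/",)
# Constructed response filter: content types the proxy refuses to relay.
DENY_CONTENT_TYPES = ("application/x-msdownload",)
# Constructed "local network" suffix used by the client's proxy configuration.
LOCAL_SUFFIXES = (".corp.example",)


@dataclass
class Response:
    status: int
    content_type: str
    body: bytes
    max_age: int = 0          # Cache-Control max-age; 0 means not cacheable
    source: str = "origin"    # origin, cache, direct, proxy-policy, proxy-filter


@dataclass
class CacheEntry:
    response: Response
    stored_at: float


# Constructed origin servers keyed by URL (a stand-in for the Internet).
ORIGIN = {
    "http://www.example/index.html": Response(200, "text/html", b"<html>hi</html>", max_age=60),
    "http://www.example/setup.exe": Response(200, "application/x-msdownload", b"MZ...", max_age=60),
}


def is_local(url: str) -> bool:
    """Step 1: the client's proxy configuration decides local vs. external."""
    host = urlsplit(url).hostname or ""
    return host.endswith(LOCAL_SUFFIXES)


@dataclass
class ForwardProxy:
    cache: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def fetch_origin(self, url: str) -> Response:
        return ORIGIN.get(url, Response(404, "text/plain", b"not found"))

    def handle(self, url: str, now: float) -> Response:
        # Step 3: policy check before anything else.
        if url.startswith(DENY_URL_PREFIXES):
            self.log.append(("deny-policy", url))
            return Response(403, "text/plain", b"blocked by access rule", source="proxy-policy")
        # Step 4: serve a current cached copy if one exists.
        entry = self.cache.get(url)
        if entry and now - entry.stored_at < entry.response.max_age:
            self.log.append(("cache-hit", url))
            cached = entry.response
            return Response(cached.status, cached.content_type, cached.body,
                            cached.max_age, source="cache")
        # Step 4 (miss or stale): create a new request to the origin server.
        resp = self.fetch_origin(url)
        # Step 5: filter the response against the configured rules.
        if resp.content_type in DENY_CONTENT_TYPES:
            self.log.append(("deny-filter", url))
            return Response(403, "text/plain", b"content type blocked", source="proxy-filter")
        # Step 6: cache if cacheable, then return the object to the client.
        if resp.status == 200 and resp.max_age > 0:
            self.cache[url] = CacheEntry(resp, now)
        self.log.append(("origin", url))
        return resp


def client_request(proxy: ForwardProxy, url: str, now: float) -> Response:
    """Steps 1-2: local destinations bypass the proxy; everything else goes to it."""
    if is_local(url):
        return Response(200, "text/plain", b"direct to intranet", source="direct")
    return proxy.handle(url, now)
```

The point to notice is the ordering: the policy check in step 3 runs before the cache lookup, so a cached object is never served to a client the access rule would have blocked, and a filtered response is never stored.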

12
How Does a Reverse Web Proxy Server Work?
13
  • 1. A user on the Internet makes a request for an
    object located on a Web server that is on an
    internal network protected by a reverse proxy
    server. The client computer performs a DNS lookup
    using the fully qualified domain name (FQDN) of
    the hosting server. The DNS name resolves to
    the IP address of the external network interface
    on the proxy server.
  • 2. The client application sends the request for
    the object to the external address of the proxy
    server.

14
  • 3. The proxy server checks the request to confirm
    that the URL is valid and to ensure that there is
    a policy in place that allows access to the
    requested content.
  • 4. The proxy server also checks whether the
    requested object already exists in its local
    cache. If the object is stored in the local cache
    and it is current, the proxy server sends the
    object to the client from the cache. If the
    object is not in the cache, the proxy server
    sends the request to the appropriate server on
    the internal network.
  • 5. The Web server response is sent back to the
    proxy server.
  • 6. The object is returned to the client
    application that made the original request.

15
How to Configure ISA Server as a Proxy Server
16
How to Configure Web and Firewall Chaining
  • ISA Server 2004 Standard Edition supports the
    chaining of multiple servers running ISA Server
    together to provide flexible Web proxy services.

17
How to Configure Web and Firewall Chaining
18
Configuring Access Rule Elements
  • By default, ISA Server 2004 denies all network
    traffic between networks connected to the ISA
    Server computer.
  • Configuring an access rule is the only way to
    configure ISA Server so that it will allow
    traffic to flow between networks.

19
What Are Access Rule Elements?
  • Access rule elements are configuration objects in
    ISA Server that you use to create access rules.
  • Example: if you want to create an access rule
    that allows only HTTP traffic, ISA Server
    provides an HTTP protocol access rule element
    that you can use when creating the access rule.

20
Access Rule Element Types
  • Protocols: Defines protocols that you can use in
    an access rule.
  • User Sets: Defines a group of one or more users
    to which a rule will be explicitly applied, or
    which can be excluded from a rule.
  • Content Types: Provides common content types to
    which you may want to apply a rule.
  • Schedules: Allows you to designate hours of the
    week during which the rule applies.
  • Network Objects: Allows you to create sets of
    computers to which a rule will apply, or which
    will be excluded from a rule.
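How the element types combine into a decision, as an added example that is not ISA Server code. Protocols, user sets, content types and schedules are modelled as plain Python objects; network objects are kept as symbolic names here. The rules, group name and network names in `RULES` are constructed for illustration. The behaviour it demonstrates is the one the previous slide states: ordered rules, and deny when nothing matches.

```python
"""Access rule evaluation with ISA Server's default deny.

Added example, not ISA Server code: the element types from the table above
(protocols, user sets, content types, schedules, network objects) are
modelled as plain Python objects and the rules below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional


@dataclass(frozen=True)
class Schedule:
    """Days use Monday=0 .. Sunday=6; start is inclusive, end exclusive."""
    days: frozenset
    start: time = time(0, 0)
    end: time = time(23, 59, 59)

    def active(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start <= when.time() < self.end


# The two default schedules named in the deck, plus an always-on one.
WORK_HOURS = Schedule(frozenset(range(0, 5)), time(9, 0), time(17, 0))
WEEKENDS = Schedule(frozenset({5, 6}))
ALWAYS = Schedule(frozenset(range(7)))


@dataclass(frozen=True)
class ContentType:
    """A content type element: MIME types plus file-name extensions."""
    mime_types: frozenset = frozenset()
    extensions: frozenset = frozenset()

    def matches(self, mime: str, filename: str) -> bool:
        ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        return mime.lower() in self.mime_types or ext in self.extensions


@dataclass
class Request:
    user: Optional[str]        # None = unauthenticated (e.g. a SecureNAT client)
    groups: frozenset
    protocol: str
    src_network: str           # network object names, kept symbolic here
    dst_network: str
    mime: str
    filename: str
    when: datetime


@dataclass
class AccessRule:
    name: str
    action: str                              # "allow" or "deny"
    protocols: frozenset
    from_networks: frozenset
    to_networks: frozenset
    user_set: Optional[frozenset] = None     # None = All Users
    content: Optional[ContentType] = None    # None = all content types
    schedule: Schedule = ALWAYS

    def applies(self, r: Request) -> bool:
        if r.protocol not in self.protocols:
            return False
        if r.src_network not in self.from_networks or r.dst_network not in self.to_networks:
            return False
        if self.user_set is not None:
            # A rule limited to users requires authentication, so an
            # anonymous request can never match it.
            if r.user is None:
                return False
            if r.user not in self.user_set and not (r.groups & self.user_set):
                return False
        if self.content is not None and not self.content.matches(r.mime, r.filename):
            return False
        return self.schedule.active(r.when)


def evaluate(rules, r: Request) -> tuple:
    """Rules are checked in order and the first match decides. With no match
    the traffic is denied, which is ISA Server's default."""
    for rule in rules:
        if rule.applies(r):
            return rule.action, rule.name
    return "deny", "default"


# Constructed policy: block executables for everyone, then allow staff Web
# access during work hours. Group and network names are hypothetical.
EXECUTABLES = ContentType(frozenset({"application/x-msdownload"}), frozenset({"exe", "msi"}))
RULES = [
    AccessRule("Block executables", "deny", frozenset({"HTTP", "HTTPS"}),
               frozenset({"Internal"}), frozenset({"External"}), content=EXECUTABLES),
    AccessRule("Staff Web access", "allow", frozenset({"HTTP", "HTTPS"}),
               frozenset({"Internal"}), frozenset({"External"}),
               user_set=frozenset({"Domain Users"}), schedule=WORK_HOURS),
]


def decide(user, groups, protocol, mime, filename, when_iso,
           src="Internal", dst="External", rules=RULES) -> tuple:
    """Convenience wrapper: build a Request from plain values and evaluate it."""
    r = Request(user, frozenset(groups), protocol, src, dst, mime, filename,
                datetime.fromisoformat(when_iso))
    return evaluate(rules, r)
```

Because the deny rule for executables is listed first, it wins even for a user the second rule would allow; the same request outside work hours, on a weekend, from an unauthenticated client, or over a protocol no rule names all fall through to the default deny.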
21
How to Configure Access Rule Elements
  • ISA Server includes several default access rule
    elements

22
How to Configure User Set Elements
  • The user set in an access rule specifies which
    users will be allowed or denied access by the
    access rule.
  • To limit access to Internet resources based on
    users or groups, you must create a user set
    element.
  • When you limit an access rule to specific users,
    users must authenticate before they are granted
    access.
  • For each group of users, you can define the type
    of authentication required.

23
How to Configure User Set Elements
  • All Authenticated Users: This set includes all
    users who have authenticated using any type of
    authentication.
  • All Users: This set includes all users, both
    authenticated and unauthenticated.
  • System and Network Service: This user set includes
    the Local System service and the Network service
    on the computer running ISA Server. This user set
    is used in some system policy rules.

24
How to Configure User Set Elements
  • In ISA Server

25
How to Configure Content Type Elements
  • Create a new content type element, or use one of
    the existing content type elements when you
    create an access rule.
  • Content type elements define Multipurpose
    Internet Mail Extensions (MIME) types and file
    name extensions.
  • When a client such as Microsoft Internet Explorer
    downloads information from the Internet using
    HTTP or File Transfer Protocol (FTP), the content
    is downloaded in either MIME format or as a file
    with a specified file name extension.

26
How to Configure Content Type Elements
  • Content type elements apply only to HTTP and FTP
    traffic that is tunneled in an HTTP header.
  • When a client requests HTTP content, ISA Server
    sends the request to the Web server.
  • When the Web server returns the object, ISA
    Server checks the object's MIME type or its file
    name extension, depending on the header
    information returned by the Web server.
  • ISA Server determines if a rule applies to a
    content type that includes the requested file name
    extension, and processes the rule accordingly.
  • ISA Server is preconfigured with the following
    content types: Application, Application data
    files, Audio, Compressed files, Documents,
    Hypertext Markup Language (HTML) documents,
    Images, Macro documents, Text, Video, and Virtual
    Reality Modeling Language (VRML).

27
  • In ISA Server

28
How to Configure Schedule Elements
  • Schedule elements configure access to the Internet
    based on the time of day.
  • ISA Server includes the following default
    schedules:
  • Weekends: Defines a schedule that includes all
    times on Saturday and Sunday.
  • Work Hours: Defines a schedule that includes the
    hours between 09:00 (9:00 A.M.) and 17:00 (5:00
    P.M.) on Monday through Friday.

29
  • In ISA Server

30
How to Configure Network Objects
  • Network objects define which Web sites or servers
    users can or cannot access.
  • Networks
  • A network rule element represents a network,
    which is all the computers connected
  • Example: Internal, External, Branch Office
  • Network Sets
  • A network-set rule element represents a grouping
    of one or more networks.
  • Example: All Protected Networks

31
How to Configure Network Objects
  • Computer
  • A computer rule element represents a single
    computer, identified by its IP address.
  • Example: DC1 (IP Address 192.168.1.10).
  • Address Ranges
  • An address range is a set of computers
    represented by a continuous range of IP addresses.
  • Example: All DCs (IP Address Range 192.168.1.10
    to 192.168.1.20).

32
How to Configure Network Objects
  • Subnets
  • A subnet represents a network subnet, specified
    by a network address and a mask.
  • Example: Branch Office Network (IP Addresses
    192.168.2.0/24).
  • Computer Sets
  • A computer set includes a collection of computers
    identified by their IP addresses, a subnet
    object, or an address-range object.
  • Example: All DCs and Exchange Servers

33
How to Configure Network Objects
  • URL Sets
  • URL sets specify one or more URLs grouped
    together to form a set.
  • Example: Microsoft Web Site (http://www.microsoft.com/)
  • Domain Name Sets
  • Domain name sets define one or more domain names
    as a single set, so that you can apply access
    rules to the specified domains.
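The network object types from the last four slides, each reduced to the one question an access rule asks of it: does this destination belong to the object? This is an added example, not ISA Server code. The sample objects reuse the example values from the slides (DC1, All DCs, Branch Office Network, the Microsoft Web Site URL set); the EXCH1 address and the `*.microsoft.com` domain set are constructed, and the wildcard and case-handling semantics are this example's own simplification rather than a statement of how ISA Server matches.

```python
"""Network object matching, as an added example (not ISA Server code).

Each class mirrors one network object type from the slides. Sample values
come from the slides where they exist; EXCH1 and the domain set are
constructed. Wildcard and case-handling rules are a simplification.
"""
import ipaddress
from urllib.parse import urlsplit


class Computer:
    """A single computer identified by its IP address."""
    def __init__(self, name: str, ip: str):
        self.name, self.ip = name, ipaddress.ip_address(ip)

    def contains(self, ip: str) -> bool:
        return ipaddress.ip_address(ip) == self.ip


class AddressRange:
    """A continuous range of IP addresses, both ends inclusive."""
    def __init__(self, name: str, first: str, last: str):
        self.name = name
        self.first, self.last = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if self.last < self.first:
            raise ValueError("address range ends before it starts")

    def contains(self, ip: str) -> bool:
        return self.first <= ipaddress.ip_address(ip) <= self.last


class Subnet:
    """A network address plus mask; strict=True rejects a prefix with host bits set."""
    def __init__(self, name: str, cidr: str):
        self.name, self.net = name, ipaddress.ip_network(cidr, strict=True)

    def contains(self, ip: str) -> bool:
        return ipaddress.ip_address(ip) in self.net


class ComputerSet:
    """A collection of Computer, Subnet and AddressRange objects."""
    def __init__(self, name: str, members):
        self.name, self.members = name, list(members)

    def contains(self, ip: str) -> bool:
        return any(m.contains(ip) for m in self.members)


class URLSet:
    """URLs compared as scheme://host/path with lower-cased scheme and host.
    An entry ending in '*' matches every path under that prefix. The query
    string is ignored in this simplification."""
    def __init__(self, name: str, urls):
        self.name = name
        self.entries = [self._normalise(u) for u in urls]

    @staticmethod
    def _normalise(url: str) -> str:
        parts = urlsplit(url)
        return f"{parts.scheme.lower()}://{(parts.hostname or '').lower()}{parts.path or '/'}"

    def contains(self, url: str) -> bool:
        target = self._normalise(url)
        for entry in self.entries:
            if entry.endswith("*"):
                if target.startswith(entry[:-1]):
                    return True
            elif target == entry:
                return True
        return False


class DomainNameSet:
    """Exact host names, or '*.example' matching any subdomain of example
    (the bare domain itself does not match a wildcard entry here)."""
    def __init__(self, name: str, domains):
        self.name = name
        lowered = [d.lower().rstrip(".") for d in domains]
        self.exact = {d for d in lowered if not d.startswith("*.")}
        self.suffixes = {d[1:] for d in lowered if d.startswith("*.")}  # "*.a.b" -> ".a.b"

    def contains(self, host: str) -> bool:
        h = host.lower().rstrip(".")
        return h in self.exact or any(h.endswith(s) for s in self.suffixes)


# Sample objects: values from the slides, plus constructed EXCH1 and domain set.
DC1 = Computer("DC1", "192.168.1.10")
ALL_DCS = AddressRange("All DCs", "192.168.1.10", "192.168.1.20")
BRANCH = Subnet("Branch Office Network", "192.168.2.0/24")
DCS_AND_EXCHANGE = ComputerSet("All DCs and Exchange Servers",
                               [ALL_DCS, Computer("EXCH1", "192.168.1.50")])
MICROSOFT_SITE = URLSet("Microsoft Web Site", ["http://www.microsoft.com/*"])
MICROSOFT_DOMAINS = DomainNameSet("Microsoft Domains", ["*.microsoft.com"])
```

Two checks worth keeping when building such objects for real: `strict=True` on the subnet refuses a typo like `192.168.2.5/24`, and the URL prefix comparison happens after the host is lower-cased and terminated by `/`, so a host that merely starts with the expected name (`www.microsoft.com.evil.example`) does not slip into the set.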

34
How to Configure Network Objects
  • In ISA Server

35
Configuring ISA Server Authentication
  • Authentication is how ISA Server limits access to
    Internet resources based on users or groups.
  • ISA Server Authentication Options
  • Basic authentication
  • Basic authentication sends and receives user
    information as plaintext and does not use
    encryption.
  • Digest authentication
  • Digest authentication passes authentication
    credentials through a process called hashing.
  • Hashing creates a string of characters based
    on the password but does not send the actual
    password across the network, ensuring that no one
    can capture a network packet containing the
    password and impersonate the user.
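What each of the two schemes above actually puts on the wire, as an added example that is not ISA Server code. The user name, password, realm and nonce are constructed. The Basic half shows that the header is only an encoding, so anything that can read the connection can read the credential; the Digest half follows the RFC 2617 MD5 computation without a `qop` parameter and keeps only the hashed `HA1` on the server side, with a single-use nonce so a recorded response cannot be presented again.

```python
"""What travels on the wire for Basic and Digest authentication.

Added example, not ISA Server code. User name, password, realm and nonce
are constructed. Digest follows RFC 2617 with algorithm=MD5 and no qop.
"""
import base64
import hashlib
import hmac
import secrets


def basic_header(user: str, password: str) -> str:
    """Basic authentication: the credential pair is only base64-encoded."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def basic_credentials_from_header(header: str) -> tuple:
    """Anyone who sees the header can reverse the encoding, which is why the
    slide describes Basic as plaintext. Used here to show what is exposed."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic authorization header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def digest_response(user: str, realm: str, password: str,
                    method: str, uri: str, nonce: str) -> str:
    """Client side of Digest: response = H(HA1 ':' nonce ':' HA2), where
    HA1 = H(user:realm:password) and HA2 = H(method:uri). The password
    itself never leaves the client."""
    ha1 = hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


class DigestServer:
    """Server side: stores HA1 per user (not the password) and issues a fresh
    nonce for every challenge. A nonce is accepted once, so a captured
    response cannot simply be replayed."""
    def __init__(self, realm: str, users: dict):  # users: {name: password}, constructed
        self.realm = realm
        self.ha1 = {u: hashlib.md5(f"{u}:{realm}:{p}".encode()).hexdigest()
                    for u, p in users.items()}
        self.issued = set()

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.issued.add(nonce)
        return nonce

    def verify(self, user: str, method: str, uri: str, nonce: str, response: str) -> bool:
        if nonce not in self.issued or user not in self.ha1:
            return False
        self.issued.discard(nonce)  # single use
        ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
        expected = hashlib.md5(f"{self.ha1[user]}:{nonce}:{ha2}".encode()).hexdigest()
        return hmac.compare_digest(expected, response)
```

Two caveats a practitioner would attach to the slide's wording: the Digest exchange hides the password from a passive observer of one request, but a captured response is still a target for offline guessing against weak passwords, and MD5-based Digest is considered obsolete. Either scheme should be carried over TLS, at which point even the Basic header is protected in transit.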

36
  • Integrated Windows authentication
  • Uses either the Kerberos version 5 authentication
    protocol or the NTLM protocol, neither of which
    sends the user name and password across the
    network.
  • Digital certificates authentication
  • Requests a client certificate from the client
    before allowing the request to be processed.
  • Users obtain client certificates from a
    certification authority that can be internal to
    your organization or a trusted external
    organization.
  • Remote Authentication Dial-In User Service
    (RADIUS)
  • RADIUS is an industry-standard authentication
    protocol.

37
ISA Server Clients and Authentication
  • SecureNAT Clients
  • For SecureNAT clients, there is no user-based
    authentication.
  • Access to the Internet can be restricted only by
    network rules and other access rules.
  • If an access rule requires authentication,
    SecureNAT clients will be blocked from accessing
    the resources defined by the rule.

38
  • Firewall Clients
  • When ISA Server authenticates a Firewall client,
    it uses the credentials of the user making the
    request on the computer running the Firewall
    client.

39
Configuring Access Rules for Internet Access
  • What Are Access Rules?

40
How to Configure Access Rules