Title: Enabling Secure Internet Access with ISA Server
Enabling Secure Access to Internet Resources
- What Is Secure Access to Internet Resources?
  - Users can access the resources that they need.
  - The connection to the Internet is secure.
  - The data that users transfer to and from the Internet is secure.
  - Users cannot download malicious programs from the Internet.
  - Secure access to the Internet also means that the users' actions comply with the organization's security or Internet usage policy.
What Is Secure Access to Internet Resources?
- Secure access
  - Only users who have permission to access the Internet can access the Internet.
  - These users can use only approved protocols and applications to access Internet resources.
  - These users can gain access only to approved Internet resources, or these users cannot gain access to denied Internet resources.
  - These users can gain access to the Internet only in accordance with any other restrictions the organization may establish, such as when and from which computers access is permitted.
How ISA Server Enables Secure Access to Internet Resources
- ISA Server provides the following functionality to enable secure access:
  - Implementing ISA Server as a firewall
  - Implementing ISA Server as a proxy server
  - Using ISA Server to implement the organization's Internet usage policy
Configuring ISA Server as a Proxy Server
- What Is a Proxy Server?
  - A proxy server is a server that is situated between a client application and a server to which the client connects.
  - All client requests are sent to the proxy server. The proxy server creates a new request and sends the request to the specified server. The server response is sent back to the proxy server, which then replies to the client application.
  - A proxy server can provide enhanced security and performance for Internet connections.
  - Using a proxy server makes the user's connection to the Internet more secure.
- Proxy servers make the Internet connection more secure in the following ways:
  - User authentication
  - Filtering client requests
  - Content inspection
  - Logging user access
  - Hiding the internal network details
How Proxy Servers Work
- How Does a Forward Proxy Server Work?
- How Does a Reverse Web Proxy Server Work?
How Does a Forward Proxy Server Work?
- When a proxy server is used to secure outbound Internet access, it is configured as a forward proxy server.
- Forward proxy servers are usually located between a Web or Winsock application running on a client computer on the internal network and an application server located on the Internet.
1. A client application, such as a Web browser, makes a request for an object located on a Web server. The client application checks its Web proxy configuration to determine whether the request destination is on the local network or on an external network.
2. If the requested Web server is not on the local network, the request is sent to the proxy server.
3. The proxy server checks the request to confirm that there is no policy in place that blocks access to the requested content.
4. If caching is enabled, the proxy server also checks whether the requested object exists in its local cache. If the object is stored in the local cache and it is current, the proxy server sends the object to the client from the cache. If the page is not in the cache or if the page is out of date, the proxy server sends the request to the appropriate server on the Internet.
5. The Web server response is sent back to the proxy server. The proxy server filters the response based on the filtering rules configured on the server.
6. If the content is not blocked and it is cacheable, ISA Server saves a copy of the content in its cache, and the object is then returned to the client application that made the original request.
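The six steps above, run as an in-memory simulation. This is an added example, not ISA Server code; the client's bypass suffix (`.corp.example`), the access policy, the cache lifetimes and the origin-server table are constructed stand-ins. It shows the order in which the policy check, the cache lookup and the response filtering happen, that a blocked response is never cached, and that a cached copy which is no longer current is fetched again rather than served.

```python
"""Forward-proxy request flow (the six steps above) as an in-memory simulation.
Added example, not ISA Server code: the client bypass suffix, the access policy,
the cache lifetimes and the origin-server table are constructed stand-ins."""
import time
from dataclasses import dataclass, field
from urllib.parse import urlsplit

LOCAL_SUFFIX = ".corp.example"        # constructed internal DNS suffix used by the client's proxy config


def is_local_destination(url):
    """Step 1: the client's Web proxy configuration decides local vs. external destinations."""
    host = urlsplit(url).hostname or ""
    return host == "localhost" or host.endswith(LOCAL_SUFFIX)


@dataclass
class CacheEntry:
    body: bytes
    content_type: str
    expires_at: float                 # absolute time after which the copy is no longer current


@dataclass
class ForwardProxy:
    blocked_hosts: set                # access policy applied in step 3
    blocked_content_types: set        # response filtering applied in step 5
    origin: dict                      # url -> (content_type, body, max_age): stand-in for Internet servers
    cache: dict = field(default_factory=dict)
    origin_fetches: int = 0           # how many times a request actually left the network

    def handle(self, url, now):
        """Return (outcome, body); outcome is denied, cache-hit, not-found, filtered or fetched."""
        host = urlsplit(url).hostname or ""
        if host in self.blocked_hosts:                       # step 3: policy check before forwarding
            return "denied", None
        entry = self.cache.get(url)
        if entry is not None and entry.expires_at > now:     # step 4: present *and* current
            return "cache-hit", entry.body
        self.origin_fetches += 1                             # stale or missing: new request to the origin
        response = self.origin.get(url)
        if response is None:
            return "not-found", None
        content_type, body, max_age = response
        if content_type in self.blocked_content_types:       # step 5: filter the response
            return "filtered", None
        if max_age > 0:                                      # step 6: keep a copy only if cacheable
            self.cache[url] = CacheEntry(body, content_type, now + max_age)
        return "fetched", body


def client_request(proxy, url, now=None):
    """Steps 1-2: go direct for local destinations, otherwise hand the request to the proxy."""
    if is_local_destination(url):
        return "direct", None
    return proxy.handle(url, time.time() if now is None else now)


def build_demo_proxy():
    origin = {   # constructed: url -> (Content-Type, body, max-age in seconds; 0 means not cacheable)
        "http://www.example.com/": ("text/html", b"<html>hello</html>", 300),
        "http://www.example.com/tool.exe": ("application/x-msdownload", b"MZ...", 300),
        "http://news.example.net/live": ("text/html", b"<html>live</html>", 0),
    }
    return ForwardProxy(blocked_hosts={"blocked.example.org"},
                        blocked_content_types={"application/x-msdownload"}, origin=origin)


def run_demo():
    """Walk one client through the flow and return the outcome of each request in order."""
    proxy, t0 = build_demo_proxy(), 1_000_000.0
    return [client_request(proxy, "http://intranet.corp.example/", t0)[0],     # local: proxy bypassed
            client_request(proxy, "http://blocked.example.org/", t0)[0],       # policy denies
            client_request(proxy, "http://www.example.com/", t0)[0],           # fetched and cached
            client_request(proxy, "http://www.example.com/", t0 + 10)[0],      # served from cache
            client_request(proxy, "http://www.example.com/", t0 + 600)[0],     # stale: fetched again
            client_request(proxy, "http://www.example.com/tool.exe", t0)[0],   # blocked content type
            client_request(proxy, "http://news.example.net/live", t0)[0],      # not cacheable
            client_request(proxy, "http://news.example.net/live", t0 + 1)[0]]  # fetched again


if __name__ == "__main__":
    print(run_demo())
```

The reverse-proxy flow in the next section is the same loop with the roles reversed: the policy check in step 3 must find a rule that allows the request, and the forwarded request goes to the internal Web server instead of the Internet.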
How Does a Reverse Web Proxy Server Work?
1. A user on the Internet makes a request for an object located on a Web server that is on an internal network protected by a reverse proxy server. The client computer performs a DNS lookup using the fully qualified domain name (FQDN) of the hosting server. The DNS name resolves to the IP address of the external network interface on the proxy server.
2. The client application sends the request for the object to the external address of the proxy server.
3. The proxy server checks the request to confirm that the URL is valid and to ensure that there is a policy in place that allows access to the requested content.
4. The proxy server also checks whether the requested object already exists in its local cache. If the object is stored in the local cache and it is current, the proxy server sends the object to the client from the cache. If the object is not in the cache, the proxy server sends the request to the appropriate server on the internal network.
5. The Web server response is sent back to the proxy server.
6. The object is returned to the client application that made the original request.
How to Configure ISA Server as a Proxy Server
How to Configure Web and Firewall Chaining
- ISA Server 2004 Standard Edition supports the chaining of multiple servers running ISA Server together to provide flexible Web proxy services.
Configuring Access Rule Elements
- By default, ISA Server 2004 denies all network traffic between networks connected to the ISA Server computer.
- Configuring an access rule is the only way to configure ISA Server so that it will allow traffic to flow between networks.
What Are Access Rule Elements?
- Access rule elements are configuration objects in ISA Server that you use to create access rules.
- Example: if you want to create an access rule that allows only HTTP traffic, ISA Server provides an HTTP protocol access rule element that you can use when creating the access rule.
Access Rule Element Types
Element          Description
Protocols        Defines the protocols that you can use in an access rule.
User Sets        Defines a group of one or more users to which a rule is explicitly applied, or which can be excluded from a rule.
Content Types    Provides common content types to which you may want to apply a rule.
Schedules        Lets you designate the hours of the week during which the rule applies.
Network Objects  Lets you create sets of computers to which a rule will apply, or which will be excluded from a rule.
How to Configure Access Rule Elements
- ISA Server includes several default access rule elements.
How to Configure User Set Elements
- The user set in an access rule specifies which users are allowed or denied access by the access rule.
- To limit access to Internet resources based on users or groups, you must create a user set element.
- When you limit an access rule to specific users, users must authenticate before they are granted access.
- For each group of users, you can define the type of authentication required.
- Default user sets:
  - All Authenticated Users: This set includes all users who have authenticated using any type of authentication.
  - All Users: This set includes all users, both authenticated and unauthenticated.
  - System and Network Service: This user set includes the Local System service and the Network Service on the computer running ISA Server. This user set is used in some system policy rules.
How to Configure Content Type Elements
- Create a new content type element, or use one of the existing content type elements when you create an access rule.
- Content type elements define Multipurpose Internet Mail Extensions (MIME) types and file name extensions.
- When a client such as Microsoft Internet Explorer downloads information from the Internet using HTTP or File Transfer Protocol (FTP), the content is downloaded in either MIME format or as a file with a specified file name extension.
- Content type elements apply only to HTTP traffic and FTP traffic that is tunneled in an HTTP header.
- When a client requests HTTP content, ISA Server sends the request to the Web server.
- When the Web server returns the object, ISA Server checks the object's MIME type or its file name extension, depending on the header information returned by the Web server.
- ISA Server determines whether a rule applies to a content type that includes the requested file name extension, and processes the rule accordingly.
- ISA Server is preconfigured with the following content types: Application, Application data files, Audio, Compressed files, Documents, Hypertext Markup Language (HTML) documents, Images, Macro documents, Text, Video, and Virtual Reality Modeling Language (VRML).
How to Configure Schedule Elements
- Use schedule elements to configure access to the Internet based on the time of day.
- ISA Server includes the following default schedules:
  - Weekends: Defines a schedule that includes all times on Saturday and Sunday.
  - Work Hours: Defines a schedule that includes the hours between 0900 (9:00 A.M.) and 1700 (5:00 P.M.) on Monday through Friday.
How to Configure Network Objects
- Use network objects to define which Web sites or servers users can or cannot access.
- Networks
  - A network rule element represents a network, which is all the computers connected. Examples: Internal, External, Branch Office.
- Network Sets
  - A network-set rule element represents a grouping of one or more networks. Example: All Protected Networks.
- Computers
  - A computer rule element represents a single computer, identified by its IP address. Example: DC1 (IP address 192.168.1.10).
- Address Ranges
  - An address range is a set of computers represented by a continuous range of IP addresses. Example: All DCs (IP address range 192.168.1.10 to 192.168.1.20).
- Subnets
  - A subnet represents a network subnet, specified by a network address and a mask. Example: Branch Office Network (IP addresses 192.168.2.0/24).
- Computer Sets
  - A computer set includes a collection of computers identified by their IP addresses, a subnet object, or an address-range object. Example: All DCs and Exchange Servers.
- URL Sets
  - URL sets specify one or more URLs grouped together to form a set. Example: Microsoft Web Site (http://www.microsoft.com/).
- Domain Name Sets
  - Domain name sets define one or more domain names as a single set, so that you can apply access rules to the specified domains.
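The access rule element types from the table above (protocols, user sets, content types, schedules, network objects) combined into one rule evaluator, with the network objects built from the examples on this page. This is an added example, not ISA Server code: the first-match rule ordering, the shape of each element, the content-type table, the sample policy and the request values are constructed, and only three network-object kinds are implemented (address range, subnet, domain name set); computer, computer set and URL set objects follow the same two-method shape. Content types are matched by file-name extension here; the MIME-type check the page describes is the same lookup on the server's Content-Type header. A request with no user models a client that presents no credentials, which is why it falls through rules that name a user set.

```python
"""Access-rule evaluation with this page's element types: protocols, user sets,
content types, schedules and network objects. Added example, not ISA Server code;
the first-match ordering, element shapes and sample policy are constructed."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from urllib.parse import urlsplit

class AddressRange:       # address-based objects are used as rule sources here
    def __init__(self, first, last): self.first, self.last = map(ipaddress.ip_address, (first, last))
    def matches_ip(self, ip): return self.first <= ipaddress.ip_address(ip) <= self.last

class Subnet:
    def __init__(self, cidr): self.net = ipaddress.ip_network(cidr)
    def matches_ip(self, ip): return ipaddress.ip_address(ip) in self.net

class DomainNameSet:      # destination object; "*.example.com" covers the domain and all subdomains (assumed)
    def __init__(self, *names): self.names = names
    def matches_dest(self, url):
        host = urlsplit(url).hostname or ""
        return any(host == n or (n.startswith("*.") and (host == n[2:] or host.endswith(n[1:])))
                   for n in self.names)

@dataclass(frozen=True)
class Schedule:
    weekdays: frozenset   # datetime.weekday(): Monday == 0
    start_hour: int
    end_hour: int
    def matches(self, when):
        return when.weekday() in self.weekdays and self.start_hour <= when.hour < self.end_hour

ALWAYS = Schedule(frozenset(range(7)), 0, 24)
WORK_HOURS = Schedule(frozenset(range(5)), 9, 17)     # the page's Work Hours element

# Content-type elements map a category to file-name extensions (a constructed subset).
CONTENT_TYPES = {"Compressed files": {".zip", ".gz"}, "Images": {".gif", ".jpg", ".png"}}

def content_category(url):
    path = urlsplit(url).path.lower()
    return next((name for name, exts in CONTENT_TYPES.items() if any(path.endswith(e) for e in exts)), None)

@dataclass
class Request:
    protocol: str
    src_ip: str
    url: str
    when: datetime
    user: str = None                 # None == unauthenticated (e.g. a SecureNAT client)
    groups: frozenset = frozenset()

@dataclass
class Rule:
    name: str
    action: str                                  # "allow" or "deny"
    protocols: frozenset = None                  # None == any protocol
    user_sets: frozenset = frozenset({"All Users"})
    content_types: frozenset = None              # None == any content
    schedule: Schedule = ALWAYS
    sources: tuple = ()                          # () == any source
    destinations: tuple = ()                     # () == any destination

    def user_matches(self, req):
        if "All Users" in self.user_sets:
            return True
        if req.user is None:                     # rule needs authentication but none was presented
            return False
        return "All Authenticated Users" in self.user_sets or bool(self.user_sets & req.groups)

    def matches(self, req):
        return ((self.protocols is None or req.protocol in self.protocols) and self.user_matches(req)
                and (self.content_types is None or content_category(req.url) in self.content_types)
                and self.schedule.matches(req.when)
                and (not self.sources or any(s.matches_ip(req.src_ip) for s in self.sources))
                and (not self.destinations or any(d.matches_dest(req.url) for d in self.destinations)))

def evaluate(rules, req):            # first matching rule decides; nothing matching means deny
    for rule in rules:
        if rule.matches(req):
            return rule.action, rule.name
    return "deny", "default"

def demo_policy():
    web = frozenset({"HTTP", "HTTPS"})
    return [Rule("Block compressed downloads", "deny", content_types=frozenset({"Compressed files"})),
            Rule("Microsoft site for everyone", "allow", protocols=web,
                 destinations=(DomainNameSet("*.microsoft.com"),)),
            Rule("Web access in work hours", "allow", protocols=web, user_sets=frozenset({"Domain Users"}),
                 schedule=WORK_HOURS, sources=(Subnet("192.168.2.0/24"), AddressRange("192.168.1.10", "192.168.1.20")))]

def demo_decisions():
    """Decisions for constructed requests on Monday 8 Jan 2024; a SecureNAT client presents no user."""
    pol, branch = demo_policy(), "192.168.2.15"
    work, night = datetime(2024, 1, 8, 10, 0), datetime(2024, 1, 8, 19, 0)
    alice = dict(user="alice", groups=frozenset({"Domain Users"}))
    return {"employee, work hours": evaluate(pol, Request("HTTP", branch, "http://www.example.com/", work, **alice)),
            "employee, evening": evaluate(pol, Request("HTTP", branch, "http://www.example.com/", night, **alice)),
            "securenat, any site": evaluate(pol, Request("HTTP", branch, "http://www.example.com/", work)),
            "securenat, microsoft": evaluate(pol, Request("HTTP", branch, "http://www.microsoft.com/", work)),
            "zip from microsoft": evaluate(pol, Request("HTTP", branch, "http://download.microsoft.com/x.zip", work, **alice))}
```

Rule order matters in this model: the deny rule for compressed files sits first, so it wins even for a destination a later allow rule covers, and a request that matches nothing ends in the default deny the page describes.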
Configuring ISA Server Authentication
- Configure authentication to limit access to Internet resources based on users or groups.
- ISA Server authentication options:
  - Basic authentication
    - Basic authentication sends and receives user information as plaintext and does not use encryption.
  - Digest authentication
    - Digest authentication passes authentication credentials through a process called hashing.
    - Hashing creates a string of characters based on the password but does not send the actual password across the network, ensuring that no one can capture a network packet containing the password and impersonate the user.
  - Integrated Windows authentication
    - Uses either the Kerberos version 5 authentication protocol or the NTLM protocol, neither of which sends the user name and password across the network.
  - Digital certificates authentication
    - Requests a client certificate from the client before allowing the request to be processed.
    - Users obtain client certificates from a certification authority that can be internal to your organization or a trusted external organization.
  - Remote Authentication Dial-In User Service (RADIUS)
    - RADIUS is an industry-standard authentication protocol.
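What the Basic and Digest bullets above mean on the wire, as an added example (not ISA Server code). Basic only Base64-encodes `user:password`, so anyone holding the header gets the password back; Digest sends a hash computed from the password, the server's challenge value (the nonce) and the request, so the header contains no password and the server verifies it by recomputing the hash from what it stores. The Digest computation is the RFC 2617 form without the `qop` option; the user, realm, password and nonce values are constructed, and the hypothetical `server_verify` stands in for the proxy's own check.

```python
"""Basic vs. Digest: what actually crosses the wire. Added example, not ISA
Server code; user, realm, nonce and password values are constructed."""
import base64
import hashlib
import secrets


def _md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def basic_authorization(user, password):
    """Basic: the credentials are only Base64-encoded, which is reversible."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def basic_decode(header):
    """What anyone who holds a captured Basic header can recover from it."""
    user, password = base64.b64decode(header.split(" ", 1)[1]).decode().split(":", 1)
    return user, password


def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 Digest response without qop: MD5(HA1:nonce:HA2), where
    HA1 = MD5(user:realm:password) and HA2 = MD5(method:uri)."""
    ha1 = _md5_hex(f"{user}:{realm}:{password}")
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{ha2}")


def digest_authorization(user, realm, password, method, uri, nonce):
    resp = digest_response(user, realm, password, method, uri, nonce)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}"')


def new_nonce():
    """Server-side challenge value; issuing a fresh nonce per challenge is what
    keeps a captured Digest header from being replayed against a later challenge."""
    return secrets.token_hex(16)


def server_verify(header, method, realm, ha1_by_user, nonce):
    """Hypothetical proxy-side check: recompute the response from the stored HA1
    (the user:realm:password hash, so the password itself need not be stored)."""
    fields = dict(part.strip().split("=", 1) for part in header[len("Digest "):].split(", "))
    fields = {k: v.strip('"') for k, v in fields.items()}
    ha1 = ha1_by_user.get(fields.get("username"))
    if ha1 is None or fields.get("nonce") != nonce or fields.get("realm") != realm:
        return False
    ha2 = _md5_hex(f"{method}:{fields['uri']}")
    expected = _md5_hex(f"{ha1}:{nonce}:{ha2}")
    return secrets.compare_digest(expected, fields.get("response", ""))


def demo():
    user, realm, password = "alice", "proxy.example", "Circle Of Life"   # constructed values
    nonce = new_nonce()
    basic = basic_authorization(user, password)
    digest = digest_authorization(user, realm, password, "GET", "http://www.example.com/", nonce)
    store = {user: _md5_hex(f"{user}:{realm}:{password}")}                # what the server keeps
    return {
        "basic_reveals_password": basic_decode(basic) == (user, password),
        "digest_contains_password": password in digest,
        "digest_verifies": server_verify(digest, "GET", realm, store, nonce),
        "replay_with_new_nonce_fails": server_verify(digest, "GET", realm, store, new_nonce()),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note that Digest still relies on MD5 and protects only the password, not the rest of the request; the point here is the difference the page draws between sending the password itself and sending something derived from it.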
ISA Server Clients and Authentication
- SecureNAT Clients
  - For SecureNAT clients, there is no user-based authentication.
  - Restrict access to the Internet based only on network rules and other access rules.
  - If an access rule requires authentication, SecureNAT clients will be blocked from accessing the resources defined by the rule.
- Firewall Clients
  - When ISA Server authenticates a Firewall client, it uses the credentials of the user making the request on the computer running the Firewall client.
Configuring Access Rules for Internet Access
How to Configure Access Rules