Contents
Overview 1
Access Policy and Rules Overview 2
Creating Policy Elements 6
Configuring Access Policies and Rules 18
Configuring Bandwidth Rules 24
Using ISA Server Authentication 28
Lab A: Enabling Secure Internet Access 35
Review 52
Module 3: Enabling Secure Internet Access
Information in this document is subject to change without notice. The names of companies,
products, people, characters, and/or data mentioned herein are fictitious and are in no way intended
to represent any real individual, company, product, or event, unless otherwise noted. Complying
with all applicable copyright laws is the responsibility of the user. No part of this document may
be reproduced or transmitted in any form or by any means, electronic or mechanical, for any
purpose, without the express written permission of Microsoft Corporation. If, however, your only
means of access is electronic, permission to print one copy is hereby granted.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
2001 Microsoft Corporation. All rights reserved.
Operations Coordinator: John Williams
Lead Product Manager, Release Management: Bo Galford
Group Manager, Business Operations: David Bramble
Group Manager, Technical Services: Teresa Canady
Group Product Manager, Content Development: Dean Murray
General Manager: Robert Stewart
Module 3: Enabling Secure Internet Access iii
Instructor Notes
This module provides students with the knowledge and skills to configure
access policies for enabling secure Internet access for client computers.
After completing this module, students will be able to:
Explain the use of access policies and rules to enable Internet access.
Create policy elements.
Configure access policies and rules.
Configure bandwidth rules.
Explain the use of authentication for outgoing Web requests.
Materials and Preparation
This section provides the materials and preparation tasks that you need to teach
this module.
Required Materials
Access Policies and Rules Overview
Describe the components of access policies. Use the slide graphic to explain
how Microsoft Internet Security and Acceleration (ISA) Server 2000
processes outgoing Web requests. Focus on protocol rules and site and
content rules. Mention that Internet Protocol (IP) packet filters and routing
rules are covered in later modules. Emphasize the importance of proper
planning before creating the rules for access policies.
Creating Policy Elements
Explain that before you can configure an access policy, you must create the
associated policy elements that you will use when defining the rules.
Describe each policy element.
Configuring Access Policies and Rules
Explain that proper planning helps to ensure that you configure rules that
are appropriate for your organization. Emphasize that ISA Server processes
Web requests only if a protocol rule permits the use of the protocol and a
site and content rule allows access to the site. Demonstrate the procedure
that you use to create a protocol rule to show students how protocol rules
use policy elements. Demonstrate the procedure that you use to create a site
and content rule to show students how site and content rules use policy
elements.
Configuring Bandwidth Rules
Explain that ISA Server uses bandwidth rules to determine how to process
client requests when your network is congested. Mention that ISA Server
only applies bandwidth rules when there is insufficient bandwidth to process
all of the user requests. Demonstrate the procedure that you use to create a
bandwidth rule to show students how bandwidth rules use policy elements.
Complete Module 2, “Installing and Maintaining ISA Server,” in Course
2159A, Deploying and Managing Microsoft Internet Security and
Acceleration Server 2000.
Perform a full installation of ISA Server manually.
Setup Requirement 2
The lab in this module requires that the ISA Server administration tools be
installed on all of the ISA Server client computers. To prepare student
computers to meet this requirement, perform one of the following actions:
Complete Module 2, “Installing and Maintaining ISA Server,” in Course
2159A, Deploying and Managing Microsoft Internet Security and
Acceleration Server 2000.
Install the ISA Server administration tools manually.
Setup Requirement 3
The lab in this module requires that the Firewall Client be installed on all of the
ISA Server client computers. To prepare student computers to meet this
requirement, perform one of the following actions:
Complete Module 2, “Installing and Maintaining ISA Server,” in Course
2159A, Deploying and Managing Microsoft Internet Security and
Acceleration Server 2000.
Install the Firewall Client manually.
Complete Module 2, “Installing and Maintaining ISA Server,” in Course
2159A, Deploying and Managing Microsoft Internet Security and
Acceleration Server 2000.
Configure IIS manually.
Lab Results
Performing the lab in this module introduces the following configuration
changes:
The following policy elements are created on the ISA Server computer for
each student:
• A schedule that is called x High Network Utilization (where x is the
student’s assigned student number).
• A destination set that is called x Contoso Sports Site (where x is the
student’s assigned student number).
• A client address set that is called x Accounting Department (where x is
the student’s assigned student number).
• A protocol definition that is called x LoB Application (where x is the
student’s assigned student number).
• A content group that is called x New Graphics Format (where x is the
student’s assigned student number).
• A bandwidth priority that is called x High Priority (where x is the
student’s assigned student number).
The following protocol rules are created on the ISA Server computer for
each student:
Access Policies and Rules Overview
Creating Policy Elements
Configuring Access Policies and Rules
Configuring Bandwidth Rules
Using ISA Server Authentication
Microsoft® Internet Security and Acceleration (ISA) Server provides policy-based
access control that enables organizations to securely control outbound
access. Network administrators can configure access policies to specify which
content and sites are accessible, whether a particular protocol is available for
outgoing Internet requests, and during which times access is allowed. In
addition, network administrators can configure authentication to restrict access
on a per-user basis or on a per-group basis.
After completing this module, you will be able to:
Explain the use of access policies and rules to enable Internet access.
Create policy elements.
One of the primary functions of ISA Server is connecting your internal network
to the Internet while implementing your organization’s policies that define the
type of Internet access that you allow. By creating an access policy and
associated rules, you can allow or deny users access to specific protocols,
Internet sites, and content. When ISA Server processes an outgoing request, it
uses the access policy to determine if access should be allowed or denied. It is
important to plan a strategy before creating an access policy to ensure that the
rules that you create meet the needs of your organization.
Topic Objective
To list the topics related to
access policies and rules.
Lead-in
One of the primary functions
of ISA Server is connecting
your internal network to the
Internet while protecting
your internal users from
inappropriate or malicious
content.
Understanding Access Policy Components
[Slide graphic: the rules that make up an access policy, such as a site and content rule, each of which resolves to Allow or Deny.]
An access policy consists of the following components:
Protocol rules. Define the protocols that the ISA Server clients can use to
communicate between the internal network and the Internet.
Site and content rules. Define the type of content and the sites to which Web
Proxy clients are allowed or denied access.
Policy elements. Define settings that you use as parts of rules. For example,
you can create policy elements that define a schedule or a specific type of
content.
Topic Objective
To describe the components
of an access policy.
Lead-in
An access policy consists of
[Slide graphic, flowchart for processing an outgoing client request. Each request is checked against the following questions, with Yes/No branches: Is there a protocol rule that allows the request? Is there a site and content rule that allows the request? Does an IP packet filter block the request? Does a routing rule specify routing to an upstream server?]
outgoing client requests.
Lead-in
When ISA Server processes
an outgoing client request, it
checks protocol rules and
site and content rules to
determine if access is
allowed.
Delivery Tip
Use the slide graphic to
explain how ISA Server
processes outgoing client
requests. Focus on protocol
rules and site and content
rules. Mention that IP packet
filters and routing rules are
covered in later modules.
Key Points
By default, a site and
content rule named "Allow
Rule" allows access to all
content on all sites.
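The decision sequence described above, as an added worked model that is not part of this course and is not ISA Server's own code: a small Python script that evaluates an outgoing request against protocol rules and site and content rules built from policy elements (a schedule, a client address set and a destination set). It assumes that a deny rule takes precedence over an allow rule that also matches, that a request with no matching rule of either type is denied, and that the built-in "Allow Rule" is the only site and content rule present until you add more; the rule names, the client address range, the Work hours cells and the host names are constructed for the example.

```python
"""Model of how ISA Server combines protocol rules and site and content rules.

Added example; not ISA Server code. Assumptions are marked in comments.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    client_ip: str
    protocol: str          # name of a protocol definition, e.g. "HTTP"
    host: str              # destination host name
    when: datetime


@dataclass(frozen=True)
class Rule:
    """A protocol rule or a site and content rule; a field of None means "no restriction"."""
    name: str
    action: str                                             # "allow" or "deny"
    protocols: Optional[FrozenSet[str]] = None              # protocol definitions (protocol rule)
    destinations: Optional[FrozenSet[str]] = None           # destination set (site and content rule)
    clients: Optional[Tuple[Tuple[str, str], ...]] = None   # client address set: (first, last) ranges
    schedule: Optional[FrozenSet[Tuple[int, int]]] = None   # active (weekday, hour) cells

    def applies(self, req: Request) -> bool:
        if self.protocols is not None and req.protocol not in self.protocols:
            return False
        if self.destinations is not None and req.host.lower() not in self.destinations:
            return False
        if self.clients is not None:
            ip = ip_address(req.client_ip)
            if not any(ip_address(lo) <= ip <= ip_address(hi) for lo, hi in self.clients):
                return False
        if self.schedule is not None and (req.when.weekday(), req.when.hour) not in self.schedule:
            return False
        return True


def decide(rules: List[Rule], req: Request) -> str:
    """Assumption: a matching deny rule wins over a matching allow rule; no match means deny."""
    matching = [r for r in rules if r.applies(req)]
    if any(r.action == "deny" for r in matching):
        return "deny"
    if any(r.action == "allow" for r in matching):
        return "allow"
    return "deny"


def process_request(protocol_rules: List[Rule], site_rules: List[Rule], req: Request) -> str:
    """Both rule types must allow the request; the first check that fails decides."""
    if decide(protocol_rules, req) != "allow":
        return "denied by protocol rules"
    if decide(site_rules, req) != "allow":
        return "denied by site and content rules"
    return "allowed"


# Constructed policy elements (names follow the lab; the values are assumptions).
WORK_HOURS = frozenset((day, hour) for day in range(5) for hour in range(9, 17))  # Mon-Fri 09:00-16:59
ACCOUNTING = (("192.168.101.0", "192.168.101.255"),)                             # client address set
SPORTS_SITE = frozenset({"www.contoso.msft"})                                     # destination set

# Built-in site and content rule: all content on all sites, at all times, for all clients.
ALLOW_RULE = Rule("Allow Rule", "allow")

PROTOCOL_RULES = [
    Rule("Accounting Web access", "allow", protocols=frozenset({"HTTP", "HTTPS"}),
         clients=ACCOUNTING, schedule=WORK_HOURS),
]
SITE_RULES = [
    ALLOW_RULE,
    Rule("Block sports site", "deny", destinations=SPORTS_SITE),
]


def demo() -> dict:
    tue_10 = datetime(2001, 6, 5, 10)   # a Tuesday, within Work hours
    sat_10 = datetime(2001, 6, 9, 10)   # a Saturday
    web = "www.nwtraders.msft"
    return {
        "accounting_work_hours": process_request(PROTOCOL_RULES, SITE_RULES,
                                                 Request("192.168.101.10", "HTTP", web, tue_10)),
        "accounting_weekend": process_request(PROTOCOL_RULES, SITE_RULES,
                                              Request("192.168.101.10", "HTTP", web, sat_10)),
        "other_department": process_request(PROTOCOL_RULES, SITE_RULES,
                                            Request("192.168.102.5", "HTTP", web, tue_10)),
        "blocked_site": process_request(PROTOCOL_RULES, SITE_RULES,
                                        Request("192.168.101.10", "HTTP", "www.contoso.msft", tue_10)),
        "no_protocol_rules": process_request([], SITE_RULES,
                                             Request("192.168.101.10", "HTTP", web, tue_10)),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The last case is the one to remember when troubleshooting: the built-in "Allow Rule" on its own lets nothing through, because a request must also match an allow protocol rule; conversely, deleting or narrowing the Allow Rule without adding another site and content rule denies everything even when protocol rules allow the traffic.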
Planning an Access Policy Strategy
[Slide graphic: the planning tasks, beginning with Determine Organizational Requirements and Define Rules.]
specific computers or directories at www.contoso.msft.
Create rules that use the policy elements.
When you create rules, you use policy elements to define the rules.
Test rules.
Ensure that the rules allow the required access for your users, without
providing more access than necessary. Ensure that you test all of the rules
before allowing users to gain access to the Internet.
Topic Objective
To identify the tasks that
you must perform to plan an
access policy strategy.
Lead-in
You should perform the
following tasks when
planning an access policy
strategy.
Delivery Tip
Emphasize the importance
of proper planning before
creating the rules for an
access policy.
Topic Objective
To identify the topics related
to creating policy elements.
Lead-in
Policy elements are the
components that you use to
create ISA Server rules.
Policy Element Overview
Policy Elements Can Include:
Schedules
Bandwidth Priorities
Destination Sets
Client Address Sets
Protocol Definitions
Content Groups
Dial-up Entries
connection that is configured for the remote access server and the user name
and password for a user who has permissions to gain access to the dial-up
connection.
Topic Objective
To describe the policy
elements that are available
in ISA Server.
Lead-in
Before you can configure an
access policy, you must
create the associated policy
elements that you will use
when defining the rules.
Key Points
Before you can configure an
access policy, you must
create the associated policy
elements that you will use
when defining the rules.
Emphasize that policy
elements are the building
blocks of rules.
Creating Schedules
[Slide graphic, New schedule dialog box: Name "Lunch Hours and Weekends"; Description "Use this schedule to permit access to sites during lunch hours and weekends."]
Schedules, and then in the details pane, click Create a Schedule.
2. In the New schedule dialog box, in the Name box, type the name of the
schedule.
3. In the Description box, type a description for the schedule.
4. In the schedule table, click a cell, day, or hour, or drag multiple cells, to
select the specified times.
5. To modify the schedule, do the following tasks, and then click OK:
• Click Active to add portions of the week to the schedule.
• Click Inactive to remove portions of the week from the schedule.
When a blue cell appears, the rule is in effect during that period; when a
white cell appears, the rule is not in effect during that period.
Note By default, ISA Server contains the Weekends schedule and the Work
hours schedule, which you can modify for use in policy rules.
Topic Objective
To describe the procedure
that you use to create
schedules.
Lead-in
You can apply a schedule to
a rule to determine when a
rule is in effect.
Delivery Tip
Compare the New
schedule dialog box to
other Windows 2000
schedule dialog boxes, such
as the one that you use to
Use bandwidth priorities to create bandwidth rules that assign a higher priority
to specific traffic that is moving to or from the Internet. For example, you can
create a bandwidth rule that assigns a high bandwidth priority to traffic for
specific employees or departments. Before you can assign this type of
bandwidth rule, you must create the associated bandwidth priorities.
How Bandwidth Priorities Work
Bandwidth priorities assign priorities to connections that pass through ISA
Server. Bandwidth priorities are directional and can be controlled for both
inbound connections and outbound connections.
When there is limited bandwidth, ISA Server allocates this bandwidth
according to bandwidth priorities that you assign to traffic that is processed by
ISA Server. You can use a number between 1 and 200 to specify a bandwidth
priority. A higher number indicates a higher priority.
When you assign a bandwidth priority, you must assess the impact of that
bandwidth priority in relationship to the other bandwidth priorities that you
assign. For example, if you assign bandwidth priority A to 30 and you assign
bandwidth priority B to 20, ISA Server will allocate 60 percent of the available
bandwidth to traffic with bandwidth priority A and will allocate 40 percent of
the available bandwidth to traffic with bandwidth priority B when processing
bandwidth rules.
Topic Objective
To describe the procedure
that you use to create
bandwidth priorities.
Lead-in
Bandwidth priorities define a
priority level for connections
Creating Destination Sets
[Slide graphic, New Destination Set dialog box: Name "Partner Web", an optional Description, and an "Include these computers" table (Name/IP Range, Path) with Add, Edit and Remove buttons. The Add/Edit Destination dialog box shows Computer name "nwtraders.msft", an alternative IP addresses range (From, To), and Path "/sales/accounts.xls", with the hints: to include a specific directory in the destination set, type the path; to include all the files, use the format /dir/*; to select a specific file, use the format /dir/filename.]
all of the computers in the contoso.msft domain, you would
type *.contoso.msft
IP address Click IP addresses. In the From box, type the first IP
address in the range, and then in the To box, type the last IP
address in the range. To include a single computer, type the
same IP address in the From box and in the To box.
Topic Objective
To describe the procedure
that you use to create
destination sets.
Lead-in
You can specify destination
sets by using a domain
name or by using a range of
IP addresses.
5. To specify a particular path on a Web site, in the Path box, type the path of
the specified computer by using the format listed in the following table, and
then click OK twice:
To specify Use the format
A specific directory /dir
All of the files in a directory /dir/*
A specific file in a directory /dir/filename
Note ISA Server processes path components of a rule for only client
requests that use the Hypertext Transfer Protocol (HTTP) protocol and for
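The computer-name, IP-range and path formats described above, as an added example that is not part of the course and is not ISA Server code: a Python matcher for destination set entries. It reads *.contoso.msft as matching hosts below the domain but not the bare domain, /dir and /dir/filename as exact matches, /dir/* as everything beneath /dir/, and it ignores the path for any protocol other than HTTP, following the note above; those readings, the 10.0.0.x range and the sample hosts are assumptions.

```python
"""Matcher for ISA Server destination set entries (added example, not ISA code)."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional, Sequence


@dataclass(frozen=True)
class Destination:
    """One entry: a computer name (or *.domain wildcard) or an IP range, plus an optional path."""
    name: Optional[str] = None       # "nwtraders.msft" or "*.contoso.msft"
    ip_from: Optional[str] = None
    ip_to: Optional[str] = None
    path: Optional[str] = None       # "/dir", "/dir/*" or "/dir/filename"

    def matches_host(self, host: str, ip: str) -> bool:
        if self.name is not None:
            name, host = self.name.lower(), host.lower()
            if name.startswith("*."):
                # Assumption: the wildcard covers hosts below the domain only. Comparing
                # against ".contoso.msft" (dot included) keeps "evilcontoso.msft" and
                # "www.contoso.msft.example" out: the suffix must sit on a label boundary.
                return host.endswith(name[1:])
            return host == name
        return ip_address(self.ip_from) <= ip_address(ip) <= ip_address(self.ip_to)

    def matches_path(self, path: str) -> bool:
        if self.path is None:
            return True
        if self.path.endswith("/*"):                  # all files in a directory
            return path.startswith(self.path[:-1])    # "/dir/*" -> anything under "/dir/"
        return path == self.path                      # "/dir" or "/dir/filename": exact match


def in_destination_set(entries: Sequence[Destination], protocol: str,
                       host: str, ip: str, path: str) -> bool:
    """Path components are evaluated only for HTTP; for other protocols the host or IP alone decides."""
    for entry in entries:
        if not entry.matches_host(host, ip):
            continue
        if protocol.upper() == "HTTP" and not entry.matches_path(path):
            continue
        return True
    return False


# Constructed destination set "Partner Web": the first two entries follow the dialog above,
# the IP range is an assumption.
PARTNER_WEB = (
    Destination(name="nwtraders.msft", path="/sales/accounts.xls"),
    Destination(name="*.contoso.msft"),
    Destination(ip_from="10.0.0.1", ip_to="10.0.0.20"),
)

if __name__ == "__main__":
    print(in_destination_set(PARTNER_WEB, "HTTP", "www.contoso.msft", "10.9.9.9", "/"))
    print(in_destination_set(PARTNER_WEB, "HTTP", "www.contoso.msft.example", "10.9.9.9", "/"))
```

The label-boundary check is the part worth carrying over to any rule engine: a suffix test on "contoso.msft" without the leading dot would also admit evilcontoso.msft, and a prefix test would admit www.contoso.msft.example, both of which an attacker can register.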
[Slide graphic, Client Set dialog box: a table of client IP address ranges (From, To) with Add, Edit and Remove buttons; the Add/Edit IP Addresses dialog box shows From 192.168.101.0 and To 192.168.101.255.]
Use client address sets to create rules that allow or deny access to outgoing
Web requests from a single computer or from a set of computers. Other rules,
such as bandwidth rules, also use client address sets.
To create a client address set:
1. In ISA Management, in the console tree, click Client Address Sets, and
then in the details pane, click Create a Client Set.
2. In the Client Set dialog box, in the Name box, type a name for the client
address set.
3. In the Description box, type a description for the client address set.
4. Click Add.
5. In the Add/Edit IP Addresses dialog box, in the From box, type the first IP
address in the range, and then in the To box, type the last IP address in the
range. To include a single computer, type the same IP address in the From
box and the To box.
Protocol definitions define the communications parameters that a protocol uses.
You use protocol definitions to create rules that allow or deny access based on
specific protocols. ISA Server includes many predefined protocol definitions
for the most popular protocols. If you use a protocol for which ISA Server does
not contain a definition, you can create a new protocol definition for that
protocol.
You can create protocol definitions for only the Transmission Control
Protocol (TCP) or User Datagram Protocol (UDP) protocols. To control
network traffic that uses any other protocol types, such as the Internet Control
Message Protocol (ICMP), you must create packet filters. For more information
about packet filters, see Module 6, “Configuring the Firewall,” in Course
2159A, Deploying and Managing Microsoft Internet Security and Acceleration
Server 2000.
Protocol Definition Overview
Before you create a new protocol definition, you must know how the protocol
works. This knowledge includes the port number that a protocol uses, the
protocol type, and the direction of the connection. Generally, you obtain port
information from an application vendor or from a protocol specification, such
as a Request for Comments (RFC).
The Internet Assigned Numbers Authority (IANA) maintains a registry
of assigned protocol and port numbers. For more information, see the IANA
Web site at
definition, you must specify which port the protocol uses to establish the
session. This port is the primary connection. For example, the Simple Mail
Transfer Protocol (SMTP) uses TCP port 25 for a client connection to a mail
server. To create a protocol definition for SMTP, you must specify a primary
connection that uses TCP port 25 for outgoing connections.
Secondary Connections
Some protocols use multiple ports during the same session. When creating a
protocol definition for this type of protocol, you must define one or more
secondary connections in addition to the primary connection. For example, the
FTP protocol uses TCP port 21 for a client to establish an initial connection
with a server and then, by default, the FTP server uses TCP port 20 for a
connection to the client to transfer data. To create a protocol definition for the
FTP protocol, in addition to configuring a primary connection that uses TCP
port 21 for an outgoing connection, you must configure a secondary connection
that uses TCP port 20 for incoming connections.
Before deleting a protocol definition that you created, always ensure
that no rules use that protocol definition. If a rule uses a protocol definition that
you delete, ISA Server will not start. In addition, you cannot modify or delete
built-in protocol definitions or the protocol definitions that are defined by
application filters. For more information about protocol definitions and
application filters and for a list of protocol definitions included with ISA
Server, see “Configuring protocol definitions” in ISA Server Help.
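The primary and secondary connection model described above, as an added example that is not part of the course and is not ISA Server code: a Python model of protocol definitions together with a stateful check that admits a secondary connection only for a client that has already opened the primary connection of the same definition. That session-tracking behaviour is an assumption about how the firewall handles secondary connections; the model also rejects definitions for anything other than TCP or UDP. A protocol rule would still have to allow the definition before a client could use it, which this example leaves out.

```python
"""Protocol definitions with primary and secondary connections (added example, not ISA code)."""
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Connection:
    proto: str        # "TCP" or "UDP"
    port: int
    direction: str    # "outbound": the client opens it; "inbound": the server opens it back to the client


@dataclass(frozen=True)
class ProtocolDefinition:
    name: str
    primary: Connection
    secondary: Tuple[Connection, ...] = ()

    def __post_init__(self) -> None:
        # Definitions can only describe TCP or UDP; ICMP and other IP protocols need packet filters.
        for c in (self.primary, *self.secondary):
            if c.proto not in ("TCP", "UDP"):
                raise ValueError(f"{self.name}: {c.proto} cannot be used in a protocol definition")
            if c.direction not in ("outbound", "inbound"):
                raise ValueError(f"{self.name}: bad direction {c.direction!r}")


class SessionTable:
    """Assumption: a secondary connection is admitted only after the same client has opened
    the definition's primary connection, so an unsolicited inbound TCP 20 is refused."""

    def __init__(self, definitions: List[ProtocolDefinition]) -> None:
        self.definitions = definitions
        self.open: Set[Tuple[str, str]] = set()     # (client, definition name)

    def check(self, client: str, proto: str, port: int, direction: str) -> str:
        attempt = Connection(proto, port, direction)
        for d in self.definitions:
            if attempt == d.primary:
                self.open.add((client, d.name))
                return f"allow ({d.name} primary)"
            if attempt in d.secondary and (client, d.name) in self.open:
                return f"allow ({d.name} secondary)"
        return "deny"


# The two definitions discussed above.
SMTP = ProtocolDefinition("SMTP", Connection("TCP", 25, "outbound"))
FTP = ProtocolDefinition("FTP", Connection("TCP", 21, "outbound"),
                         secondary=(Connection("TCP", 20, "inbound"),))


def demo() -> List[str]:
    fw = SessionTable([SMTP, FTP])
    return [
        fw.check("client-a", "TCP", 20, "inbound"),   # no control session yet: deny
        fw.check("client-a", "TCP", 21, "outbound"),  # primary connection opens the session
        fw.check("client-a", "TCP", 20, "inbound"),   # data connection is now admitted
        fw.check("client-b", "TCP", 20, "inbound"),   # a different client: still deny
        fw.check("client-b", "TCP", 25, "outbound"),  # SMTP needs no secondary connection
    ]


def icmp_definition_rejected() -> bool:
    try:
        ProtocolDefinition("Ping", Connection("ICMP", 0, "outbound"))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
```

The point of modelling the secondary connection as state rather than as a static "inbound TCP 20" opening is that the latter would expose every internal client to unsolicited connections on that port; tying it to an existing primary session limits the exposure to the client and the server that are actually talking.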
Creating a New Protocol Definition
To create a new protocol definition:
1. In ISA Management, in the console tree, right-click Protocol Definitions,
and then in the details pane, click Create a Protocol Definition.
2. In the New Protocol Definition Wizard, in the Name box, type the name of
the protocol definition, and then click Next.
click OK, and then click Next.
5. On the Completing the New Protocol Definition Wizard page, review your
choices, and then click Finish.
Creating Content Groups
ISA Server includes several preconfigured content groups.
[Slide graphic: the ISA Management console. The console tree shows Internet Security and Acceleration Server, Servers and Arrays, LONDON, with Monitoring, Computer, Access Policy, Publishing, Bandwidth Rules and Policy Elements (Schedules, Bandwidth Priorities, Destination Sets, Client Address Sets, Protocol Definitions, Content Groups). The details pane lists the content groups:]
Name                    Description                              Content Types
Application             Applications                             application/hta, application/x-internet-signup, application/x-pkcs7-certific…
Application Data Files  Files containing data for applications   application/x-mscardfile, application/x-perform, application/x-msclip, appl…
Audio                   Audio files                              audio.*, .ra, .ram, .rmi, .au, .snd, .aif, .aifc, .wav, .m3u, .mid, .mp3
the content group.
3. In the Description box, type a description for the content group.
4. In the Available Types box, do one of the following:
To In the Available types box
Select an existing content type Select a file extension or a MIME type.
Add a new content type Type a new file extension or a MIME type.
5. Click Add, repeat this step for additional content types, and then click OK.
Note ISA Server uses content groups only when applying rules to HTTP
requests from all client types and to FTP requests from Web Proxy clients.
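Content type matching as described in the steps above, as an added example that is not part of the course and is not ISA Server code: a Python content group built from the Audio entries visible in the slide, matched against a request's file extension or the response's MIME type, plus a wrapper that consults the group only for HTTP requests and for FTP requests from Web Proxy clients, as the note above states. Treating "audio/*" as a MIME wildcard is an assumption, and the URLs are constructed.

```python
"""Content group matching (added example, not ISA Server code)."""
from dataclasses import dataclass
from posixpath import splitext
from typing import FrozenSet, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class ContentGroup:
    name: str
    types: FrozenSet[str]     # file extensions (".mp3") and MIME types ("audio/*", "audio/mpeg")

    def contains(self, url: str, mime_type: Optional[str]) -> bool:
        """True if the URL's file extension or the MIME type belongs to the group."""
        ext = splitext(urlsplit(url).path)[1].lower()
        mime = mime_type.split(";")[0].strip().lower() if mime_type else ""
        for t in (x.lower() for x in self.types):
            if t.startswith("."):
                if ext and ext == t:
                    return True
            elif t.endswith("/*"):                      # assumption: wildcard over the subtype
                if mime.startswith(t[:-1]):
                    return True
            elif mime == t:
                return True
        return False


def content_group_applies(protocol: str, client_type: str, group: ContentGroup,
                          url: str, mime_type: Optional[str]) -> Optional[bool]:
    """Content groups are consulted only for HTTP (any client type) and for FTP from Web Proxy
    clients; for anything else return None, because the rule cannot be narrowed by content."""
    if protocol.upper() == "HTTP" or (protocol.upper() == "FTP" and client_type == "Web Proxy"):
        return group.contains(url, mime_type)
    return None


# Constructed from the Audio row of the slide; its first entry is read here as the wildcard "audio/*".
AUDIO = ContentGroup("Audio", frozenset({"audio/*", ".ra", ".ram", ".rmi", ".au", ".snd",
                                         ".aif", ".aifc", ".wav", ".m3u", ".mid", ".mp3"}))

if __name__ == "__main__":
    print(content_group_applies("HTTP", "Firewall", AUDIO, "http://www.contoso.msft/m/song.mp3", None))
    print(content_group_applies("FTP", "Firewall", AUDIO, "ftp://ftp.contoso.msft/pub/song.mp3", None))
```

Two caveats follow from the code. A content group keys on the extension in the request and on the Content-Type the server sends back, both of which the remote side controls, so a content-based deny rule is a policy aid rather than a security boundary. And because the group is not consulted for non-HTTP traffic from Firewall or SecureNAT clients (the None result), a rule that denies "Audio" does nothing for, say, a streaming protocol defined separately; that traffic has to be controlled by a protocol rule instead.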
Topic Objective
To describe the procedure
that you use to create
content groups.
Lead-in
In addition to limiting access
to particular destinations,
you can apply rules to
specific content groups.
Key Points
Explain that ISA Server only
uses content groups when
applying rules to HTTP
requests from all client types
and to FTP requests from