Microsoft Isa Server 2006
Microsoft ISA Server 2006 is a cost-effective solution. The simple pricing model is server based and is not tied to the number of users, which can make competing firewall products a very expensive alternative. How Metroplex Tech's Consultants Provide Microsoft ISA Server. Before upgrading ISA Server 2006 to Microsoft Forefront TMG, you need to understand the following upgrade and migration limitation: you cannot upgrade ISA Server 2006 to Forefront TMG in place on the same machine, because ISA Server 2006 runs only on 32-bit systems, whereas Forefront TMG runs only on 64-bit Windows Server 2008.
- Microsoft Isa Server 2006 End Of Life
- Microsoft Isa Server Replacement
- Microsoft Isa Server 2006 Enterprise Edition
- Getting started with Microsoft ISA Server 2006, Part I: Installation. Introduction: Microsoft Internet Security & Acceleration Server 2006 is a firewall and proxy product from Microsoft.
- Microsoft ISA Server 2006 Unleashed - Kindle edition by Michael Noel. Download it once and read it on your Kindle device, PC, phones or tablets. Use features like bookmarks, note taking and highlighting while reading Microsoft ISA Server 2006 Unleashed.
This quiz is for those preparing for the Microsoft ISA Server 2006 MCP certification.
- Your network contains a single ISA Server 2006 computer named ISA1. ISA1 is not yet configured to allow inbound VPN access. You deploy a new application named App1. The server component of App1 is installed on an internal server named Server1. The client component of App1 is installed on employee and partner computers. Employees and partners will establish VPN connections when they use App1 from outside the corporate network. You identify the following requirements regarding VPN connections to the corporate network. Employees must be allowed access to only Server1, three file servers, and an internal Web server named Web1. Employees must have installed all current software updates and antivirus software before connecting to any internal resources. Partners must be allowed access to only Server1. You must not install any software other than the App1 client on any partner computers. You need to plan the VPN configuration for the company. What should you do?
  - Configure ISA1 to accept incoming VPN connections from partners and employees. Enable Quarantine Control on ISA1. Configure Quarantine Control to disconnect users after a short period of time. Use access rules to allow access to only the permitted resources.
  - Configure ISA1 to accept incoming VPN connections from partners and employees. Enable Quarantine Control on ISA1. Exempt partners from Quarantine Control. Use access rules to allow access to only the permitted resources.
  - Configure ISA1 to accept incoming VPN connections from partners and employees. Enable Quarantine Control on ISA1. Enable RADIUS authentication and user namespace mapping. Configure a Windows Server 2003 Routing and Remote Access server as a RADIUS server. Create a single remote access policy.
  - Add a second ISA Server 2006 computer named ISA2. Configure ISA1 to accept VPN connections from employees. Do not enable Quarantine Control on ISA1. Configure ISA2 to accept VPN connections from partners. Enable Quarantine Control on ISA2. On each server, use access rules to allow access to only the permitted resources.
- Your network consists of a single Active Directory domain. The network contains an ISA Server 2006 computer named ISA1. Client computers on the network consist of Windows XP Professional computers, UNIX workstations, and Macintosh portable computers. All client computers are domain members. You configure ISA1 by using the Edge Firewall network template. You manually configure ISA1 with access rules to allow HTTP and HTTPS access to the Internet. You configure ISA1 to require all users to authenticate. You need to provide Internet access for all client computers on the network while preventing unauthorized non-company users from accessing the Internet through ISA1. You also want to reduce the amount of administrative effort needed when you configure the client computers. What should you do?
  - Configure all client computers as Web Proxy clients. Configure Basic authentication on the Internal network.
  - Configure all client computers as Web Proxy clients. Configure Basic authentication on the Local Host network.
  - Configure all client computers as SecureNAT clients. Configure Basic authentication on the Internal network.
  - Configure the Windows-based computers as Firewall clients. Configure the non-Windows-based computers as Web Proxy clients. Configure Basic authentication on the Local Host network.
- Your network consists of a single Active Directory domain named contoso.com. The network contains an ISA Server 2000 computer named ISA1. All client computers have the ISA Server 2000 Firewall Client software installed. Client computers are configured to use an internal DNS server. Two Windows Server 2003 computers named App1 and App2 run a Web-based application that is used to process company data. You configure ISA1 with protocol rules to allow HTTP, HTTPS, RDP, POP3, and SMTP access. The list of domain names available on the Internal network on ISA1 contains the following entries: *.south.contoso.com, *.north.contoso.com, *.east.contoso.com, *.west.contoso.com. You perform an in-place upgrade of ISA1 by using the ISA Server 2006 Migration Tool. When you use Network Monitor on ISA1, you discover that client requests for App1 and App2 are being passed through ISA1. You need to provide a solution that will allow clients to directly access company data on App1 and App2. What should you do?
  - Create and configure HTTP, HTTPS, RDP, POP3, and SMTP access rules on ISA1.
  - Configure an Application.ini file on the client computers.
  - Redeploy the ISA Server 2006 Firewall Client software by distributing it to the client computers by using Group Policy.
  - Add app1.contoso.com and app2.contoso.com to the list of domain names available on the Internal network on ISA1.
- Your network contains a single ISA Server 2006 computer, which is named ISA1. ISA1 provides access to the Internet for computers on the Internal network, which consists of a single subnet. The company's written security policy states that the ISA Server logs must record the user name for all outbound Internet access. All client computers are configured with the Firewall client and the Web Proxy client and are not configured with a default gateway. Users in the marketing department require access to an external POP3 and SMTP mail server so that they can use an alternate e-mail address when they sign up for subscriptions on competitors' Web sites. You create and apply an ISA Server access rule as shown in the following display. The marketing department users configure Microsoft Outlook to connect to the external mail server. They report that they receive error messages when they attempt to read or send e-mail from the external mail server. You examine the ISA1 logs and discover that ISA1 denies POP3 and SMTP connections from the client computers. You need to ensure that the marketing department users can connect to the external mail server. What should you do?
  - Configure the marketing computers with the IP address of a DNS server that can resolve external names to IP addresses.
  - Configure the marketing computers with a default gateway address that corresponds to the IP address of ISA1 on the Internal network.
  - On ISA1, enable Outlook in the Firewall client settings.
  - On ISA1, create a computer set that contains the marketing computers.
- Your network contains a single ISA Server 2006 computer named ISA1. All Internet access for the local network occurs through ISA1. The network contains a Web server named Server1. Server1 is configured as a SecureNAT client. A Web application runs on Server1 that communicates with an external Web site named www.contoso.com. You configure ISA1 with two access rules for outbound HTTP access. The rules are named HTTP Access 1 and HTTP Access 2. HTTP Access 1 is configured to use the All Authenticated Users user set as a condition. HTTP Access 2 is configured to use the All Users user set as a condition, and it restricts outbound HTTP traffic to the IP address of Server1. You verify that users can access external Web sites. However, you discover that the Web application cannot access www.contoso.com. You need to allow the Web application to use anonymous credentials when it communicates with www.contoso.com. You also need to require authentication on ISA1 for all users when they access all external Web sites. What should you do?
  - On Server1, configure Web Proxy clients to bypass the proxy server for the IP address of the server that hosts www.contoso.com.
  - On ISA1, add the fully qualified domain name (FQDN) www.contoso.com to the list of domain names available on the Internal network.
  - On ISA1, disable the Web Proxy filter for the HTTP protocol.
  - Modify the order of the access rules so that HTTP Access 2 is processed before HTTP Access 1.
- The network contains an ISA Server 2006 computer named ISA1. ISA1 connects to the Internet. ISA1 is configured with access rules for Internet access. A Windows Server 2003 computer named CERT1 is configured as an internal certification authority (CA). ISA1 can download the certificate revocation list (CRL) from CERT1. You are deploying 10 new ISA Server 2006 computers on the network. On ISA1 you export the firewall policy settings into a file named ISA1export.xml. You configure the network configuration settings on each new ISA Server computer. You import the firewall policy settings from the ISA1export.xml file on each new ISA Server computer. You test the imported configuration on each of the new ISA Server computers. You discover that each new ISA Server computer cannot download the CRL from CERT1. You need to ensure that the new ISA Server computers can download the CRL. What should you do?
  - Edit the ISA1export.xml file by adding the following lines: StorageType=Allow HTTP from ISA Server to all networks (for CRL downloads); String=0; Enabled=1. Import the ISA1export.xml file on each new ISA Server computer.
  - Export the system policy rules on ISA1 by using the Export System Policy task. Import the system policy rules on each new ISA Server computer.
  - Export the array configuration settings on ISA1 to an .xml file. Import the .xml file on the new ISA Server computers.
  - Create a destination set for the new ISA Server 2006 computers. Add this destination set to the destination list on the Allow all HTTP traffic from ISA Server to all networks (for CRL downloads) system policy rule.
Recently I had the opportunity to assist one of my customers with configuring their ISA firewalls to log to a central, remote SQL server. As it turns out, configuring remote SQL logging was not as simple and straightforward as I had anticipated, so I decided to document the process here for reference.
I’ll start out by saying that I’m not particularly a big fan of remote SQL logging for ISA because there are some serious risks involved in doing so. Remote SQL logging brings added complexity and introduces additional moving parts and potential single points of failure. By default, the ISA firewall will shut down if it is unable to write to the log, which means that if the SQL database is unavailable for any reason (offline for maintenance, out of disk space, network communication failure, etc.) the firewall service will go into lockdown mode and it will stop servicing requests (there is a workaround for this, but since it is something that I strongly discourage, I have chosen not to document that here. Also, Forefront Threat Management Gateway includes new functionality that addresses this specific issue – see below). It also requires (obviously) that you purchase an SQL license and have another server to install the software on (NEVER install SQL on the ISA firewall itself!).
Of course if you take steps to mitigate some of these concerns, there are some advantages to remote SQL logging for ISA. It certainly is much more robust than MSDE, and using an SQL database for logging allows you to access historical data from the ISA management console as well (this requires that you install the advanced logging components, even though you will not be using the local MSDE database). There are some advantages to having all of the ISA firewalls in your enterprise log to a central location, and of course you can also leverage any existing SQL reporting tools that you may already have and be familiar with, too. Ultimately the decision to use remote SQL logging for ISA is up to you. Before making that decision I would strongly encourage you to review the Best Practices for Logging in ISA Server 2004/2006 document on TechNet. If you decide to use remote SQL logging, the best advice I can give you is to ensure you have abundant, highly reliable network bandwidth between your ISA firewalls and your SQL server. In very busy network environments it might even be desirable to dedicate a separate network interface solely for SQL communication in order to accomplish this.
Configuring the Database Server
Before we configure the ISA firewall for remote SQL logging, the first thing that we need to do is configure the database on the SQL server (I am going to make the assumption that the reader has some familiarity with SQL, as detailed SQL configuration is beyond the scope of this article).
To create a database, open Microsoft SQL Server Management Studio, then click on ‘New Query’. In the new query window, execute the following commands:
create database [isalogs]
go
use [isalogs]
go
This is a very simplistic way to create a database, of course. Ideally you (or your DBA) would follow SQL best practices and place the data and log files on separate partitions, configure database sizes, specify autogrowth options, and whatever else a ‘real’ DBA would do (that’s not me, for sure!).
Next, locate the two SQL scripts that will be used to create the required tables for ISA logging. The two script files are ‘fwsrv.sql’ and ‘w3proxy.sql’ and they are located in the Program Files\Microsoft ISA Server folder on the ISA firewall itself, or on the ISA installation CD in the FPC\Program Files\Microsoft ISA Server folder. Copy these scripts to a location that is accessible from the SQL server, then in the ‘Microsoft SQL Server Management Studio’ window, choose ‘File | Open | File’ (or just Ctrl-O) and select each script. Once the script appears in the query window, execute the script by pressing ‘F5’ and then close the window.
To continue we’ll need to create a SQL login for the new database. In the Microsoft SQL Server Management Studio console window, expand the ‘Security’ node in the ‘Object Explorer’ in the left pane, then right-click ‘Logins’ and choose ‘New login’.
Best practices dictate that Windows authentication should be used for optimum security, so enter the name of the ISA firewall in the ‘Login name’ box as domain\computername$. For the ‘Default database’ select ‘isalogs’.
Select ‘User Mapping’, then select the checkbox next to the ‘isalogs’ database. Choose the ‘db_datareader’ and ‘db_datawriter’ database roles (‘public’ is checked by default) and then choose ‘Ok’.
Repeat this process for each ISA firewall that will be logging to this database.
Now that we’ve created the login, we need to grant some additional privileges in order for the ISA firewall to successfully log data to the database. First we’ll begin by creating a new database role for our database. In the ‘Object Explorer’, expand the ‘isalogs’ database, then expand ‘Security’ and then ‘Roles’. Right-click on ‘Database Role’ and choose ‘New Database Role’.
Call the new role name ‘db_batch_insert’, then add each of the ISA firewall logins you created earlier. Choose ‘Ok’ twice to complete.
Once the database role has been configured, open a new query window in the Microsoft SQL Server Management Studio console and execute the following command:
use [isalogs]
go
grant execute on [dbo].[sp_batch_insert] to [db_batch_insert]
go
If you are performing these steps on a Forefront Threat Management Gateway system, you will also need to execute the following additional command:
use [isalogs]
go
grant execute on [dbo].[sp_batch_discard] to [db_batch_insert]
go
Note: If you have only a single ISA firewall, you can skip the above steps creating a new database role and simply grant execute access for the ISA firewall directly to the stored procedure itself by executing the following command:
use [isalogs]
go
grant execute on [dbo].[sp_batch_insert] to [domain\computername$]
go
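The login, user mapping, role and grant steps above can be provisioned for one firewall in a single script. The following T-SQL is an added example and is not part of the original post; it assumes the firewall is named ISA1 in a domain called CONTOSO (substitute your own domain\computername$), that the fwsrv.sql and w3proxy.sql scripts have already created the tables and the sp_batch_insert procedure in isalogs, and it ends with two catalog queries that show exactly what the firewall account has been granted.

```sql
-- Added example (not from the original post): provision one ISA firewall's
-- machine account against the isalogs database in one script.
-- Assumption: the firewall is CONTOSO\ISA1$; replace with your domain\computer$.

USE [master];
GO

-- Windows authentication: the login is the firewall's computer account, so no
-- password is stored on the ISA server. Default database is isalogs.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\ISA1$')
    CREATE LOGIN [CONTOSO\ISA1$] FROM WINDOWS WITH DEFAULT_DATABASE = [isalogs];
GO

USE [isalogs];
GO

-- Map the login to a database user and add the two fixed roles that the
-- User Mapping dialog in the post selects.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'CONTOSO\ISA1$')
    CREATE USER [CONTOSO\ISA1$] FOR LOGIN [CONTOSO\ISA1$];
EXEC sp_addrolemember N'db_datareader', N'CONTOSO\ISA1$';
EXEC sp_addrolemember N'db_datawriter', N'CONTOSO\ISA1$';
GO

-- Custom role that carries EXECUTE on the batch-insert procedure. Granting to
-- the role rather than to each firewall keeps the permission in one place when
-- several firewalls share the database.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'db_batch_insert' AND type = 'R')
    CREATE ROLE [db_batch_insert];
EXEC sp_addrolemember N'db_batch_insert', N'CONTOSO\ISA1$';
GRANT EXECUTE ON [dbo].[sp_batch_insert] TO [db_batch_insert];

-- Forefront TMG additionally calls sp_batch_discard; grant it only when that
-- procedure exists (i.e. the TMG versions of the scripts were run).
IF OBJECT_ID(N'[dbo].[sp_batch_discard]', N'P') IS NOT NULL
    GRANT EXECUTE ON [dbo].[sp_batch_discard] TO [db_batch_insert];
GO

-- Audit 1: role memberships of the firewall account. Expect db_datareader,
-- db_datawriter and db_batch_insert, nothing else.
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'CONTOSO\ISA1$';

-- Audit 2: explicit permissions held by the account or its custom role.
-- Expect only EXECUTE on sp_batch_insert (and sp_batch_discard on TMG).
SELECT p.state_desc, p.permission_name,
       OBJECT_NAME(p.major_id) AS object_name, pr.name AS grantee
FROM sys.database_permissions p
JOIN sys.database_principals pr ON pr.principal_id = p.grantee_principal_id
WHERE pr.name IN (N'CONTOSO\ISA1$', N'db_batch_insert');
GO
```

Run the script once per firewall (changing the account name each time); the role and its grant are created only on the first run because of the existence checks. The two audit queries at the end are the quick way to confirm that a firewall account has not accidentally been given db_owner or sysadmin rights, which a compromised firewall could otherwise use against the log database.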
That’s it for the database configuration! Now let’s move on to the ISA firewall configuration.
Configuring the ISA Firewall
To allow for remote SQL logging, two specific system policy rules need to be enabled. In the ISA management console, right-click on ‘Firewall Policy’ and choose ‘Edit System Policy’. In the left pane of the System Policy Editor, under the ‘Logging’ configuration group, highlight the ‘Remote Logging (NetBIOS)’ policy and select the option to enable the configuration group. Next click on the ‘To’ tab. You’ll notice that the rule applies to traffic sent to the Internal network. While this works, I prefer to follow the principle of least privilege wherever possible, so I would suggest that you restrict this policy to only your authorized SQL servers.
Repeat these steps for the ‘Remote Logging (SQL)’ system policy, choose ‘Ok’, then apply the changes.
Next, in the ISA Management console, expand your array and then highlight the ‘monitoring’ node. Click on the ‘Logging’ tab, then in the right hand pane under ‘Tasks’ choose ‘Configure Firewall Logging’.
Select the ‘SQL Database’ option, then click on ‘Options’. Enter the FQDN for the database server, then enter the name of the database you created earlier. Since ISA firewall logging data is potentially sensitive, it is highly recommended that you select the option to ‘Force data encryption’. This will require that a valid server certificate be installed on your SQL server, however (for more information on how to configure SQL to use SSL, please read How to enable SSL encryption for an instance of SQL Server). Click on the ‘Test’ button and if everything is configured correctly, you should receive a message stating that the connection succeeded.
Once the test has been completed successfully, choose ‘Ok’, then click on the ‘Fields’ tab. At the bottom of the window, choose the option to ‘Select All’. This will ensure that all logging fields are recorded in the SQL database.
When finished, repeat these steps to configure web proxy logging, then apply the configuration changes to complete the process.
That’s it! You should now be logging data to your remote SQL server. To verify operation, open a new query window in the Microsoft SQL Server Management Studio console and enter the following commands:
use [isalogs]
go
select * from [firewalllog]
go
select * from [webproxylog]
go
If everything is working correctly you should now see data populated in both of these tables (for an explanation of why the IP address field does not return data in the familiar dotted decimal notation, see this blog post). It takes a minute or two before the ISA firewall begins to populate the database with data, so be patient. : )
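Beyond seeing rows in the two tables, it is worth confirming from the SQL side that the firewall's connection actually has the properties configured above: Windows authentication (the machine account login) and the 'Force data encryption' setting. The following T-SQL is an added example, not part of the original post; it assumes the isalogs database and a machine-account login as described, and it uses the sys.dm_exec_connections and sys.dm_exec_sessions views, which require the VIEW SERVER STATE permission on the SQL server.

```sql
-- Added example (not from the original post): verify remote logging from the
-- SQL server side. Assumes the database is isalogs and the firewalls log in
-- with their machine accounts (names ending in $), as configured above.

USE [isalogs];
GO

-- 1. Rows are arriving. Run this twice, a minute or two apart; both counts
--    should grow once the firewall starts flushing its log batches.
SELECT 'firewalllog' AS [table], COUNT(*) AS [rows] FROM [firewalllog]
UNION ALL
SELECT 'webproxylog', COUNT(*) FROM [webproxylog];
GO

-- 2. The firewall sessions are encrypted and use Windows authentication.
--    encrypt_option should be TRUE when 'Force data encryption' is selected
--    and the SQL server holds a valid certificate; auth_scheme should be
--    KERBEROS or NTLM. A value of SQL would mean a SQL login with a stored
--    password is being used instead of the machine account.
SELECT s.login_name, c.client_net_address, c.net_transport,
       c.auth_scheme, c.encrypt_option, s.login_time
FROM sys.dm_exec_connections c
JOIN sys.dm_exec_sessions s ON s.session_id = c.session_id
WHERE s.login_name LIKE N'%$'          -- machine accounts only
ORDER BY s.login_time DESC;
GO
```

If the second query returns no rows, the firewall has not yet opened its logging connection (or is logging as a different account); if it returns rows with encrypt_option FALSE, the encryption option was not applied or the connection fell back to an unencrypted channel, and the certificate configuration on the SQL server should be checked before relying on it.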
One last note in regard to remote SQL logging; if you choose not to install the ISA advanced logging components, you can still log to a remote SQL server. You will not, however, be able to view historical data in the ISA management console. This was something that I discovered when I configured my lab for documentation purposes. If you want to conserve resources and reduce the attack surface on the ISA firewall (an excellent idea!), I recommend removing (or not installing) the ISA advanced logging components. Keep in mind that to view historical data you will need to query your SQL server directly.
A Note about Logging with Forefront Threat Management Gateway
At the beginning of this post I had indicated that there are some potential issues with SQL logging for the ISA firewall. The good news is that there have been some significant improvements in the area of logging in Forefront Threat Management Gateway. First, TMG now uses SQL 2005 Express instead of MSDE, which is wonderful. Second, and very important for those of you considering remote SQL logging, TMG now has the capability to queue log data on the firewall itself.
This means that in very busy environments with high utilization, the likelihood of a logging failure (and subsequent firewall shutdown) due to the inability to write to the logs in a timely manner is greatly reduced. The TMG firewall can now queue logging requests during periods of high utilization, then write them out to the log later when more resources are available. Another benefit to this queuing is that when you are using a remote SQL server, the TMG firewall can continue to log and service requests even if the remote SQL server is offline for some reason. The TMG firewall will simply spool any queued log data out to the remote SQL server once it is back online. Great stuff!