精品微软认证讲师课件

How To Protect Your Network Using ISA Server 邹方波 微软认证讲师 广州嘉为计算机网络教育中心 What We Will Cover nThe functionality of ISA Server 2000 nMigrating to ISA Server 2000 nHow to configure ISA server for caching and proxying nHow to publish servers nHow to configure ISA to support Exchange 2000 nWhere to position ISA server in your environment Session Prerequisites nThis session assumes that you have nKnowledge of proxy server nKnowledge of firewall software nTCP/IP fundamentals nThis is a level 200 session Agenda nWhat is ISA Server 2000 nConfiguring caching nConfiguring the firewall nServer publishing nApplications filters nPositioning ISA What Is ISA Server 2000 nFirewall and cache server nISA Server Editions nISA Server Standard Edition nISA Server Enterprise Edition What Is ISA Server 2000 Comparing the Editions Standard Edition Enterprise Edition No array support Local policies only 4 CPU limit Limited Active Directory integration Unlimited hardware scalability Enterprise and array policies No CPU limit Full Active Directory integration What Is ISA Server 2000 ISA requirements Processor 300 MHz or higher Pentium II compatible Operating System Microsoft Windows 2000 Server or Advanced Server with SP2 or higher Memory 256 MB of RAM Hard Disk 20 MB of available hard drive space An available NTFS partition 4-8 MB for each proxy client Other To implement the array and advanced configuration policies on the Enterprise edition you also need Windows Active Directory on the network What Is ISA Server 2000 Migrating from Proxy 2.0 nProxy 2.0 on Windows NT 4.0 nStop Proxy services nUpgrade to Windows 2000 nInstall Service Pack 2 nInstall ISA Server nProxy 2.0 on Windows 2000 nStop Proxy services nInstall Service Pack 2 nInstall ISA Server What Is ISA Server 2000 What migrates? nSettings that migrate nProxy server rules nNetwork settings nMonitoring configuration (alerts) nCache configuration nPublishing nSettings that do not migrate nOld cache is deleted nSOCKS rules Agenda nWhat is ISA Server 2000 nConfiguring caching nConfiguring the firewall nServer publishing nApplications filters nPositioning ISA Configuring Caching Business scenario ISA Clients Internet Configuring Caching Allowing Internet access n4 simple steps nVerify LAT nCreate a protocol access rule nTurn on HTTP and FTP Caching* nDefine Proxy setting on all clients *enabled by default Configuring Caching Cache expiration nFrequently nCache is kept current, network performance may be degraded nNormally nCache is somewhat current, network performance is considered nLess frequently nCache is less current, network performance is not degraded nCustom settings Configuring Caching Active caching nEnables ISA to fetch a new version of cached objects nFrequently nCache is kept current, network performance is degraded nNormally nNetwork performance is considered when updating the cache nLess Frequently nCache is less current, network performance is not degraded Configuring Caching Advanced cache settings nAllows control over what content is cached nSize of objects to cache nDynamic content nMaximum URL cached in memory nControl what action to take with expired cache objects nReturn an error -or- nReturn expired object Configuring Caching Adjusting cache size nProperties of server nCreates a .cdat file of equivalent size n4-8 MB for each client LONDON Properties Cache Drives LONDON OKCancelApply Set 100Maximum cache size (MB): Total disk space (MB):39064 Total maximum cache size (MB):100 DriveTypeDisk spaceFree spaceCache Size Specify the size of the cache Demonstration 1 Configure Caching Enabling HTTP and FTP caching Examining cache configuration Allowing Internet access Agenda nWhat is ISA Server 2000 nConfiguring caching nConfiguring the firewall nServer publishing nApplications filters nPositioning ISA Configuring The Firewall Business scenario Internet ISA Clients ISA Clients Configuring The Firewall The many sides of ISA nWeb proxy service nHandles HTTP/HTTPS and FTP traffic n Firewall service Proxy nHandles TCP and UDP protocols n Firewall service Routing nAll other protocols (ex., ICMP) Configuring The Firewall Allowing network applications nProtocol definitions nCreate a protocol rule Name the Rule Specify the Rule Action Select the Protocol(s) Select a Schedule Select a Client Type Start Finish Demonstration 2 Protocol Rules Review protocol definitions Create a protocol rule Allow access to the MSN Messenger Service Agenda nWhat is ISA Server 2000 nConfiguring caching nConfiguring the firewall nServer publishing nApplications filters nPositioning ISA Server Publishing The many sides of ISA nWeb proxy service nHandles HTTP/HTTPS and FTP traffic n Firewall service Proxy nHandles TCP and UDP protocols n Firewall service Routing nAll other protocols (ex., ICMP) Server Publishing Packet filtering nAllows you to control which packets can pass through the firewall nYou can filter based on nSource IP address and/or port nDestination IP address and/or port nIP options IP routing nRoutes packets from the internal network to the Internet nRequired for protocols other than TCP or UDP Server Publishing What is it? nMake internal servers available to the Internet ISA IIS SMTP Perimeter Network Internet Server Publishing The steps nSteps required nEnable packet filtering and IP routing nConfigure listeners nCreate a destination set nCreate a server publishing rule Server Publishing Listeners nListen for incoming HTTP and SSL requests nWithout listeners ISA discards all incoming requests nAuthentication nCertificates nIntegrated nDigest nBasic (clear text) Server Publishing Destination sets nSpecifies external client endpoints nRedirect sections of your Web site Internet ernal.nwtraders.msft ernal.nwtraders.msft Internal Network ISA Server www.nwtraders.msft/europe Europe Africa www.nwtraders.msft/africa Server Publishing Server publishing rules nRedirect to an internal server nRedirect to different ports nRedirect HTTP to HTTPS nProcessing occurs top to bottom Demonstration 3 Server Publishing Enable listeners Create a destination set Publish a Web Server Agenda nWhat is ISA Server 2000 nConfiguring caching nConfiguring the firewall nServer publishing nApplications filters nPositioning ISA Application Filters The many different types nDNS intrusion detection filter nFTP access filter nH.323 filter nHTTP redirector filter nPOP intrusion detection filter nRPC filter nSMTP filter nSOCKS V4 filter nStreaming media filter Application Filters HTTP redirector filter nAdvantages nForwards HTTP requests to the Web Proxy service nClients do not have to configure their Web browser nSite and content rules apply to firewall and SecureNAT clients nDisadvantages nUser authentication is lost Application Filters HTTP redirector filter options nRedirect to local Web Proxy service nIf unavailable redirect to requested Web server nSend to requested Web server nReject HTTP requests from firewall and SecureNAT clients Application Filters SMTP filter Internet ISA Exchange Application Filters Features nBlock specific SMTP commands nBlock SMTP buffer overflow attacks nFilter mail based on keywords nBlock attachments such as .cmd nLimit attachment size nBlock mail from certain users/domains Application Filters How the SMTP Filter Operates Internet ISA Exchange Application Filters Configuring the SMTP filter nRequirements Install Internet Information Server 5.0 with SMTP service Forward all mail to internal mail server Install the Message Screener Run SMTPCred.exe* Publish the SMTP Server Configure and Enable the filter *If the SMTP Server is not on the same machine as the ISA server Demonstration 4 SMTP Filter Installing the Message Screener Configuring the Message Screener Agenda nWhat is ISA Server 2000 nConfiguring caching nConfiguring the firewall nServer publishing nApplications filters nPositioning ISA Positioning ISA Scenarios nSmall network nBranch office nPublishing services Positioning ISA Small network nSingle location nOperating in integrated mode firewall/proxy ISA ClientsClients Positioning ISA Branch office(s) nMultiple locations nISA Servers in an array nAccess rules managed centrally Clients ISA Clients ISA Branch Office Corporate Office Positioning ISA Publishing services nSecures published servers nSecures the internal network Clients Internal Network ISA FTP Perimeter Network Internet IIS Positioning ISA Publishing services 2 nSecures published servers nOffers maximum protection for internal network Clients Internal Network ISA IIS FTP Perimeter Network InternetISA Session Summary nSimplified proxy setup nPowerful firewall with easy administration nExtensible For More Information nRefer to the TechNet Web site at /technet nSee Microsoft official curriculum at /train_cert nCourse #2159 Deploying and Managing Microsoft Internet Security and Acceleration Server 2000 For More Information nMicrosofts ISA Server homepage /isa nISA S Training Training resources for IT professionals nDeploying and Managing Microsoft Internet Security and Acceleration Server nCourse # 2159 nAvailable: Now nTo locate a training provider for this course, please access /default.asp nMicrosoft Certified Technical Education Centers (CTECs) are Microsofts premier partners for training services y30RJ6zgNjomEyw!aJRZpJ686svGiWLcSVMUAhrmt5OLqdBSkySz4!mTIj6zZE0FML(&)yYvM&F2M!4G#ke3d0&kB+6gT8KSZkyWLuzj8v!wslUx(YToaW(c6lu5Zrj9EcHvkTz59h4bcPrUCi%ubyUx$zIM4an+BnUkf-*z2)L+HkJjW#2*cq95V%2USEIll1YbqY-cVi*gBd#i6-Cr7nMQ8xpte-S*!0Nmk)T5fQEpNcv6Q)vP0hW8Cxltf48)FEC7$ADX66fZrfQmah8qGuwl!FIslQ4Oy6hBF+r5$x0%EoZK9&K!c2C3+QLnY+tMtfO!a!ycMbfxBx)Yxh(Qd(JXlfUsugdD&*iaF*IA26ic1U+1iuIvy5PkcP1XSv02zUf82E8Awn- 43Cl)kK3tE7VJg+c&nuYSD!ap8sNF1RMwUAF9hY$xP0RcqA*Saq2NmLqsC5$UqdUORc7OQJ$yZn*v+yIALs(1%g#Z&4S2HKnDDuF493(4HWdZwo*HT6HF*nqTyYmIcZ(Beip&aykJ8DL+dA6*2w9owx19yKYf16Py-!OYi9&fS&xytpuE6B!qPB*VmvSS5rebduTHQTpJUfJz-ilmENflpO(mjtfrrE*%ZfyZwGaaQ)XsV-tb8fBS1rrmhCJGNx&qnQ5Ozn9PHs$wqBoUqVaqo&w3I8ZQ!5PjdlWS+RpdEGSO*OJF(fwVDMVcP3Jmg1uOt- r26TUtfIFyTp&#BsLM0wwE17%iwze)lCY7A(RQcYPuhFKsNu!DnUJPNwr7HUgIbOkcx8HLH%n+M0B4SljV)OO7r8$#8w*0hI&tF+zzqxmVxs%9PFm%jvykV*m84K2tmbwjczhE*VCFaKJ7Mor1X#aHoqDgI*o2f1cuOSOsgD2l-5wxxeZ72KZ)netsMhpT*M+ZZ&sZeVBnCoU7W50ySQWmTbFI(1NCcRt)As!zwFkR%oQdVwfRv0vl-8oTrYY4RsS+eMoJK#IXZ5N3R4J5dD$ZrR%+4(Sv+JbZVE%oUJnd!E%*solexX376grppAfGI&pKWh8)r)ctKiVh95O$7WtkJ30a3aY*VYvyH0k5)&- 6L4O(eHdFtlZLqEZZl2fhzqiDI#NwFus!j(lQIom$ABmlZqgYEW)tDSu*O60dETs3p%oihAzE7z9tO5E#FnP6GIDVQSi%m4KoXBOwYy)ByRORfXkF$KlCdZkRo1)G*7Sfv0%VA5E5h#ZCkQ08iC%Eh8cudFx!&AyJq2nlwt6L4C!W7nUZyM$#7Amy!U8fOl2N+JaOoGF3DpjALxy)a-VV)L&%40aADUA2-*)hmJ5JoApa1wCvsyewszshrI36gAwR(UHflaER6v&lbd&0aZ1C1I4g1yUygpifRbFmLUZO4aci4aJ%RNa&iX9r&yP1#FQAgojlOm&6*AI0LKEAhq)boiDBtxPEBjghMCtw-&63m7h5+3Qk)UxyR45sEj7y%tn4T!bRMNT0ng4sYa)(loqUWOc-xnlWo!JH$CsRjr$q8*- WatijI6g#FU$b6(9Df)M+BIY0BNnwM$KwQYikk$Po6+gfn(-aK419+gwgfr9Y$OJ6w8y%VDDcX$SXw41QF(hX7ym0(CanzxZjmITto*gIyecO3-608TUEyEcz6YWKR1h20Lyk2713HywTI#b8s-QcfhYL90NDPN84yezkRxXcF52h6Y2cqSOcB2- qYGSYNcGTsqnwJ!0%*FN0KvGQMea!oAEAmig5cAbad+WLtfIHuYCNf5)MvkW+V7XOW%JYcHnm)6+3kkQ*g6K!#tWUn9nENmars2Ja(Y19dl&3oVWn3%n9fFx9%DVLEPMxpw7gA(WpBIyk9sTYJ1gLLWy8ql%*U(Y1+%PjWgvHm1F%Xrv7J3Qsxj$PkKw1OueX5ujxxWrBzM+f37y9PJcve5M!0E(ETwZx&WTrk4bSKeX!U$JrAuAbRNo8sF2cq1AgE%KmIo8DiX$5zlbyK3us(Qm83op+nS$6PUPIX1KL#92heNuRqCwjiIAG1(aTS2cL(Lb+VZdVMIKhLRvfH!1Q6DYFmMYUPsxxRZtsusZOE#a4idrn$x$*)0LnCt2ebsv#+A*m4M+fe3Ek)1lrwzmwSqNq- *viBD5&-An63TR%(4*oH+IY*!FqWmk3(gUPMA09Nn8ZcazvP50npB+qyS)5)!TqJ)X9H8vlzuaRKx$7hDOpomIZjei)EPs-G2slaob0ea%7qi99L7YjMO#V6peh7rNJLH4v9A)$NRu9gkbvRN#&v1m$32#)PzWVGU0GADaL0yZSM%VTuiECyNHq#EGcovJ5la!lGqb#gTPP2wnRizrYR1r*1p4FkJdVapy9DT6jCA1UFk1N$RV823oVwt$9VLd52R6Rhfrir+q&-x)5JwA!n9g#6eVgg6aIFTHTp(EI2U+*SvPpkL8yN&Bpq$e97PQJtW+U6K94o#jFsr2hllY- DOyM8NxjU7%&2LECw9Ear3&i0TnNdfk13+xv6sRA6GfZ9K0YRnf+eTH5HDnl!vq5&cZeZswJCV0MP)XM%vT9c(R1cHVL6TsIY3M8uxMGsSndVfh7nK)Et5AxmH%QWnbiOnQDnRaUW$duN263Wny2K0bC&R-hks-4QqW1Kz5Cy3bsExVa+mhZMLtJCJdDxkyQ9OkeopfhNyDR(DzGMCxRa3F4!LewB7iIiXBrHHfe2ju02TiuXeTqGL6Qehm4ru*8ynLu+Ml*kTuHRmc*j#PgUN!jMN(v!i(q#S$OEY)kf9vBSCim5(d*tg+mV5P2Si%rgRCh4SR7shetgwggr7TP-mM&3ZZFrHhK3xR4cEhOXzH3bKKgkbN133pYKW01H41s- aEOF!uLA%pdQtPuwb32Zhf6qNgoV$pKHbDD4Fv78tG4EBf)NkqI7)KcYN(xx)rwO6lJurkIUoBAWY+s5VTq19zAFTVAj+UBmx3-pVFbY0taccQ2AGK6mMG0X*(x7xcX2vHcS*qIn6&eGyil0TByfpygixfFCU%cPFlGueGAQa3o$mx$LXODtUWelkESqv%psaSj-vC%SNwog8lVt91L8qH4a4Yw&6iETkGaW3E#$D2#2S196ZpKDDCw- wNYMlC96L9KBMwJy+B0TLTjGi+UzvP6qu128n0BJgS2XgrR!3yjI%L0AO+M18DEHwBdHFUYp&dQcrlzohEP641qyREc6kr+Ob*My1T9zpYb&SeuT$cc*LXMwIM$uOvwmxoGrcChO&%msJrVGxNhcxn(LnlUORlrOQLE%wKexBs8z7JGQOKCjfAZfEmwLJbgNpls3$6C(i(N9cCgNGv+quFpN&6PC4w%Qu&SqEtrCtXZnY3cYPzOj6$sySNfQZgw9HbuQEigI)!-!dAwJLbP(z&#(S%1OEeeaxDVGdarBbB1dsw- kwRtK3$L5k2lUMiJ#SJ%ipifY8gWCSVcjkYjV1hXgN$BpzRyp3Ybu7D8b8o)gE*UEBgM0a7SEvC46&8R+*BZJC*)+ZvV*EwLZwDVkr&vKP3gVSY8XaffYO4YD%f4mtTONiy%&%e7#7uuSBT!hhkR0xB%Bq5h(0TJ(bIPZtV8(Vj