
ISA Server 2006

Lab Manual

Module A: Secure Application Publishing with ISA Server 2006
Module B: ISA Server 2006 as Branch Office Gateway
Module C: Web Access Protection with ISA Server 2006

Lab version 3.0f (6-Aug-2006)
A4 - subset


Module A: Secure Application Publishing with ISA Server 2006

Lab Summary
Contents
There are three modules in this lab. You can complete each lab module independently of the other modules. In the contents table, the monitor icons indicate which virtual machines are needed for each exercise, and the up arrow indicates exercises that depend on the previous exercise.

Lab Summary ... 2
Module A: Secure Application Publishing with ISA Server 2006 ... 5
   Exercise 1 Publishing Exchange Web Access - Certificate Management ... 5
   Exercise 2 Using Cross-Site Link Translation to Publish SharePoint Server ... 11
   Exercise 3 Publishing a Web Farm for Load Balancing ... 15
Module B: ISA Server 2006 as Branch Office Gateway ... 22
   Exercise 1 Configuring HTTP Compression to Reduce Bandwidth Usage ... 22
   Exercise 2 Configuring ISA Server to Cache BITS Content ... 28
   Exercise 3 Configuring DiffServ Settings to Prioritize Network Traffic ... 32
Module C: Web Access Protection with ISA Server 2006 ... 35
   Exercise 1 Configuring ISA Server 2006 for Flood Resiliency ... 35


Lab Setup
To complete each lab module, you need to review the following:

Virtual PC
This lab makes use of Microsoft Virtual PC 2004, which is an application that allows you to run multiple virtual computers on the same physical hardware. During the lab you will switch between different windows, each of which contains a separate virtual machine running Windows Server 2003. Before you start the lab, familiarize yourself with the following basics of Virtual PC:

- To issue the Ctrl-Alt-Del keyboard combination inside a virtual machine, use <right>Alt-Del instead.
- To enlarge the virtual machine window, drag the bottom right corner of the window.
- To switch to full-screen mode, and to return from full-screen mode, press <right>Alt-Enter.

Lab Computers

The lab uses the following six computers in virtual machines.

- Paris (red) runs ISA Server 2006 Standard Edition. Paris has three network adapters, which connect to the Internal network, the Perimeter network and the External network (Internet). The Perimeter network is not used in this lab.
- Denver.contoso.com (green) is the domain controller for the contoso.com domain on the Internal network. Denver runs DNS, RADIUS, Exchange 2003 SP2 and SharePoint Services 2.0, and is also the Certification Authority (CA).
- Istanbul.fabrikam.com (purple) is a Web server and client computer on the External network (Internet). Istanbul runs Outlook 2003. Istanbul is not a member of a domain.

The computers cannot communicate with the host computer. To allow you to examine and understand the traffic on the network, Microsoft Network Monitor 5.2, which is part of Windows Server 2003, is installed in each virtual machine.


To start the lab
Before you can do any of the lab modules, you need to start the virtual machines, and then you need to log on to the computers. In each exercise you only have to start the virtual machines that are needed.

To start any virtual machine:
1. On the desktop, double-click the shortcut Open ISA 2006 Lab Folder.
2. In the lab folder, double-click any of the Start computer scripts. (For example: double-click Start Paris to start the Paris computer.)
3. When the logon dialog box has appeared, log on to the computer.

To log on to a computer in a virtual machine:
1. Press <right>Alt-Del (instead of Ctrl-Alt-Del) to open the logon dialog box.
2. Type the following information:
   User name: Administrator
   Password: password
   and then click OK.
3. You can now start with the exercises in this lab manual.

Enjoy the lab!

Comments and feedback
Please send any comments, feedback or corrections regarding the virtual machines or the lab manual to:
Ronald Beekelaar
v-ronb@microsoft.com

Lab version 3.0f (6-Aug-2006)


Module A: Secure Application Publishing with ISA Server 2006


Exercise 1 Publishing Exchange Web Access - Certificate Management
In this exercise, you will enable access to the Exchange Server for clients that use Outlook Web Access (OWA). You configure ISA Server to use SSL Bridging, because you want to encrypt the connection with the SSL protocol (HTTPS), but you also want to inspect the traffic at the ISA Server computer. This exercise also demonstrates the new certificate management functionality of ISA Server 2006.

Note: This lab exercise uses the following computers: Denver - Paris - Istanbul
Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.

Perform the following steps on the Denver computer.

1. On the Denver computer, import the denver.contoso.com Web server certificate from the C:\Tools\Certs folder.
   a. On the Denver computer, use Windows Explorer (or My Computer) to open the C:\Tools\Certs folder. The Certs folder contains a Web server certificate for denver.contoso.com, and a script to import the certificate and private key into the local machine store.
   b. In the Certs folder, right-click denver-certload.vbs, and then click Open.
   c. Click Yes to confirm that you want to import the certificate.
   d. Click OK to acknowledge that the import of the certificate is complete.
   e. Close the Certs folder.

2. Configure IIS to use the denver.contoso.com Web server certificate.
   a. On the Start menu, click Administrative Tools, and then click Internet Information Services (IIS) Manager. The IIS Manager console opens.
   b. In the IIS Manager console, expand DENVER (local computer), expand Web Sites, right-click Default Web Site, and then click Properties.
   c. In the Default Web Site Properties dialog box, on the Directory Security tab, click Server Certificate.
   d. In the Welcome to the Web Server Certificate Wizard dialog box, click Next.
   e. On the Server Certificate page, select Assign an existing certificate, and then click Next.
   f. On the Available Certificates page, select the certificate for denver.contoso.com that has the intended purpose of Server Authentication (do not select a certificate with another intended purpose), and then click Next.
   g. On the SSL Port page, in the SSL port this web site should use text box, type 443, and then click Next.
   h. On the Certificate Summary page, click Next.
   i. On the Completing the Web Server Certificate Wizard page, click Finish. The Default Web Site on Denver can now use the denver.contoso.com Web server certificate for HTTPS connections.
   j. Click OK to close the Default Web Site Properties dialog box.
   k. Close the IIS Manager console.

Perform the following steps on the Paris computer.

3. On the Paris computer, import the mail.contoso.com Web server certificate from the C:\Tools\Certs folder.
   a. On the Paris computer, use Windows Explorer (or My Computer) to open the C:\Tools\Certs folder. The Certs folder contains a Web server certificate for mail.contoso.com, and a script to import the certificate and private key into the local machine store.
   b. In the Certs folder, right-click mail-certload.vbs, and then click Open.
   c. Click Yes to confirm that you want to import the certificate.
   d. Click OK to acknowledge that the import of the certificate is complete.

4. For demonstration purposes, import invalid certificates from the C:\Tools\Certs\Invalid folder.
   a. In the Certs folder, open the Invalid folder. The Invalid folder contains certificates that demonstrate a few common mistakes with using certificates on ISA Server, and a script to import the certificates.
   b. In the Invalid folder, right-click certload-invalid-Paris.vbs, and then click Open.
   c. Click Yes to confirm that you want to import the certificates.
   d. Click OK to acknowledge that the import of the certificates is complete. Later in this exercise, you will see how ISA Server helps identify the invalid certificates.
   e. Close the Invalid folder.

Note: On ISA Server 2006 Enterprise Edition, when you configure a Server Authentication certificate to create SSL connections, the same certificate (same name) must be installed on all array members.

5. Create a new Web listener.
   Name: External Web 443
   SSL: enable
   Network: External
   Compression: disable
   Certificate: mail.contoso.com
   Authentication: HTTP Authentication - Basic
   a. On the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management. The ISA Server console opens.
   b. In the ISA Server console, expand Paris, and then select Firewall Policy.
   c. In the task pane, on the Toolbox tab, in the Network Objects section, right-click Web Listeners, and then click New Web Listener.
   d. In the New Web Listener Definition Wizard dialog box, in the Web listener name text box, type External Web 443, and then click Next.
   e. On the Client Connection Security page, select Require SSL secured connections with clients, and then click Next.
   f. On the Web Listener IP Addresses page, complete the following information:
      Listen on network: External
      ISA Server will compress content: disable
      and then click Next.
   g. On the Listener SSL Certificates page, click Select Certificate. By default, the Select Certificate dialog box only shows the Web server certificates that are installed correctly.
   h. In the Select Certificate dialog box, disable Show only valid certificates. To help you troubleshoot common certificate mistakes, ISA Server lists imported certificates that are not valid. The certificates named cert2.contoso.com to cert5.contoso.com are the invalid certificates that you imported earlier in the exercise.
   i. In the certificates list, select each of the certificates cert2.contoso.com to cert5.contoso.com to see the problem with the certificate. ISA Server can identify the following problems with certificates:
      cert2.contoso.com - The certificate is installed in the current user store, instead of the local machine store.
      cert3.contoso.com - The certificate is installed without private key.
      cert4.contoso.com - The certificate has expired.
      cert5.contoso.com - The certificate is not yet valid.
      On ISA Server 2006 Enterprise Edition, there is one more certificate problem that is identified: the certificate is not imported on all array members.
   j. In the certificates list, select mail.contoso.com, and then click Select.
   k. On the Listener SSL Certificates page, click Next.
   l. On the Authentication Settings page, complete the following information:
      Authentication method: HTTP Authentication (is default)
      Basic: enable
      Digest: disable (is default)
      Integrated: disable (is default)
      and then click Next.
   m. On the Single Sign On Settings page, click Next.
   n. On the Completing the New Web Listener Wizard page, click Finish. A new Web listener (port 443 on the IP address on the adapter on the External network) with the name External Web 443 is created.

6. Create an OWA mail server publishing rule.
   Name: Publish mail (OWA)
   Version: Exchange Server 2003
   Internal site name: denver.contoso.com
   Public name: mail.contoso.com
   Web listener: External Web 443
   Delegation: Basic Authentication
   a. In the right pane, select the first rule, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.
   b. In the task pane, on the Tasks tab, click Publish Exchange Web Client Access.
   c. In the New Exchange Publishing Rule Wizard dialog box, in the Exchange Publishing rule name text box, type Publish mail (OWA), and then click Next.
   d. On the Select Services page, complete the following information:
      Exchange version: Exchange Server 2003 (is default)
      Outlook Web Access: enable (is default)
      Leave the other check boxes disabled (is default)
      and then click Next.
   e. On the Publishing Type page, select Publish a single Web site, and then click Next.
   f. On the Server Connection Security page, select Use SSL to connect to the published Web server, and then click Next.
   g. On the Internal Publishing Details page, in the Internal site name text box, type denver.contoso.com, and then click Next. The specified name of the Web mail server must match exactly the name in the certificate on the Denver Web server. Otherwise Internet Explorer on the client computers fails to connect, and displays an error message (500 Internal Server Error - The target principal name is incorrect).
   h. On the Public Name Details page, complete the following information:
      Accept requests for: This domain name (type below)
      Public name: mail.contoso.com
      and then click Next. The specified public name must match exactly the name in the certificate on Paris. Otherwise the connecting client computers will display a security alert message (The name on the security certificate is invalid.).
   i. On the Select Web Listener page, in the Web listener drop-down list box, select External Web 443, and then click Next.
   j. On the Authentication Delegation page, select Basic Authentication, and then click Next.
   k. On the User Sets page, click Next.
   l. On the Completing the New Exchange Publishing Rule Wizard page, click Finish. A new Web publishing rule is created, which publishes the three OWA virtual directories on the Web site denver.contoso.com as mail.contoso.com on the External network.

7. Examine the new OWA mail server publishing rule named Publish mail (OWA).
   a. In the right pane, right-click Publish mail (OWA), and then click Properties.
   b. In the Publish mail (OWA) Properties dialog box, select the To tab. OWA requires that the original host headers (https://mail.contoso.com) are forwarded to the published server (Denver).
   c. Select the Traffic tab. The OWA publishing rule only allows HTTPS access, not HTTP access.
   d. Select the Paths tab. The OWA publishing rule only allows access to the three virtual directories needed for OWA (/public, /exchweb, and /exchange).
   e. Select the Listener tab. The certificate name (mail.contoso.com) exactly matches the name on the Public Name tab.
   f. Select the Bridging tab. ISA Server redirects incoming requests to the SSL port. It creates a new SSL connection from the ISA Server to Denver. The name on the To tab exactly matches the name in the certificate on Denver.
   g. Click Cancel to close the Publish mail (OWA) Properties dialog box.

8. Apply the new rule.
   a. Click Apply to apply the new rule, and then click OK. The new Publish mail (OWA) rule is applied.

Perform the following steps on the Denver computer.

9. On the Denver computer, configure IIS to require SSL on the virtual directories used by OWA: /Exchange, /ExchWeb and /Public.
   a. On the Denver computer, on the Start menu, click Administrative Tools, and then click Internet Information Services (IIS) Manager. The IIS Manager console opens.
   b. In the IIS Manager console, expand Default Web Site, right-click Exchange, and then click Properties. /Exchange, /ExchWeb and /Public are the three virtual directories used by Outlook Web Access (OWA).
   c. In the Exchange Properties dialog box, on the Directory Security tab, in the Secure communications box, click Edit.
   d. In the Secure Communications box, enable Require secure channel (SSL), and then click OK. Now that IIS has a Web server certificate configured, only secure access (HTTPS) to the OWA virtual directories should be allowed.
   e. Click OK to close the Exchange Properties dialog box.
   Repeat the same configuration step for the /ExchWeb virtual directory.
   f. Right-click ExchWeb, and then click Properties.
   g. In the ExchWeb Properties dialog box, on the Directory Security tab, in the Secure communications box, click Edit.
   h. In the Secure Communications box, enable Require secure channel (SSL), and then click OK.
   i. Click OK to close the ExchWeb Properties dialog box.
   Repeat the same configuration step for the /Public virtual directory.
   j. Right-click Public, and then click Properties.
   k. In the Public Properties dialog box, on the Directory Security tab, in the Secure communications box, click Edit.
   l. In the Secure Communications box, enable Require secure channel (SSL), and then click OK.
   m. Click OK to close the Public Properties dialog box.
   n. Close the IIS Manager console.

Perform the following steps on the Istanbul computer.

10. On the Istanbul computer, use Internet Explorer to securely connect to https://mail.contoso.com/exchange. Send an e-mail to Administrator to test the secure OWA connection to ISA Server.
   a. On the Istanbul computer, open Internet Explorer. In the Address box, type https://mail.contoso.com/exchange, and then press Enter. An authentication dialog box for mail.contoso.com appears.
      Note: On Istanbul, mail.contoso.com resolves to 39.1.1.1 (Paris).
   b. In the Connect to mail.contoso.com dialog box, complete the following information:
      User name: Administrator
      Password: password
      Remember my password: disable (is default)
      and then click OK. Internet Explorer displays the Outlook Web Access Inbox of the Administrator. The yellow lock icon at the bottom of the screen indicates that the connection uses SSL.
      Note: The root certificate of Denver CA is already installed as a trusted root certificate on Istanbul.
   c. On the OWA toolbar, click New.
   d. In the new message window, complete the following information:
      To: Administrator
      Subject: Test mail through Secure OWA - 1
      (Message): Publish Exchange using Secure OWA
      and then click Send. Internet Explorer sends the message. After a few moments a new message appears in the Inbox. This result shows that Internet Explorer successfully connected to the Exchange Server on Denver, by using a secure OWA connection to ISA Server.
   e. After a few moments, in the left pane, click Inbox to refresh the display of the Inbox contents.
   f. Close Internet Explorer.

Note: In the following steps, HTML Form Authentication is configured. The advantage of using HTML Form Authentication is that the authentication credentials are not cached on the client computer. This is especially important when users are connecting from public computers. The credential information is kept in a (temporary) session cookie while the OWA connection is open.

Perform the following steps on the Paris computer.

11. On the Paris computer, configure the External Web 443 Web listener to use HTML Form Authentication.
   a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
   b. In the task pane, on the Toolbox tab, in the Network Objects section, expand Web Listeners, right-click External Web 443, and then click Properties.
   c. In the External Web 443 Properties dialog box, on the Authentication tab, in the Client Authentication Method drop-down list box, select HTML Form Authentication.
   d. On the Forms tab, click Advanced. HTML Form Authentication allows you to specify idle session timeout values for client browsers on public computers and client browsers on private computers.
   e. Click Cancel to close the Advanced Form Options dialog box.
   f. Click OK to close the External Web 443 Properties dialog box. The Web listener is now configured to use HTML Form Authentication.
   g. Click Apply to save the changes, and then click OK.


Perform the following steps on the Istanbul computer.

12. On the Istanbul computer, use Internet Explorer to securely connect to https://mail.contoso.com/exchange again.
   a. On the Istanbul computer, open Internet Explorer. In the Address box, type https://mail.contoso.com/exchange, and then press Enter. The Office Outlook Web Access authentication Web page appears.
   b. In the Office Outlook Web Access page, complete the following information:
      Security: This is a private computer
      Use Outlook Web Access Light: disable (is default)
      Domain\user name: contoso\administrator
      Password: password
      and then click Log On. When using HTML Form Authentication, the user indicates whether the client browser is on a public computer or on a private computer. Internet Explorer displays the Outlook Web Access Inbox.
   c. Close Internet Explorer.

Note: The following task is needed to avoid conflicts with other lab exercises.

Perform the following steps on the Paris computer.

13. On the Paris computer, configure the External Web 443 Web listener to use Basic authentication.
   a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
   b. In the task pane, on the Toolbox tab, in the Network Objects section, expand Web Listeners, right-click External Web 443, and then click Properties.
   c. In the External Web 443 Properties dialog box, on the Authentication tab, complete the following information:
      Client Authentication Method: HTTP Authentication
      Basic: enable
      Digest: disable (is default)
      Integrated: disable (is default)
      and then click OK to close the External Web 443 Properties dialog box. The Web listener is now configured to use Basic HTTP authentication.
   d. Click Apply to save the changes, and then click OK.
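The certificate checks ISA Server performs in the Select Certificate dialog (step 5) and the exact-name matching an SSL bridging rule depends on (step 6), modelled as an added Python example. This is not code from the lab manual or from ISA Server: the certificate records are constructed metadata (no real X.509 parsing), the evaluation date is set to the lab date, and the four cert2 to cert5 mistakes plus the Server Authentication purpose from step 2f are the problem classes it reports.

```python
"""Added example (not from the lab manual): models the certificate checks ISA
Server 2006 performs in the Select Certificate dialog (exercise 1, step 5) and
the name matching an SSL bridging rule depends on (step 6). Certificate records
are constructed metadata; no real X.509 parsing is done."""
from dataclasses import dataclass
from datetime import datetime

SERVER_AUTH_EKU = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth (Server Authentication)

# Point in time the checks are evaluated at; constructed to match the lab date.
NOW = datetime(2006, 8, 6)


@dataclass(frozen=True)
class CertRecord:
    subject_cn: str
    store: str                  # "LocalMachine" or "CurrentUser"
    has_private_key: bool
    not_before: datetime
    not_after: datetime
    ekus: tuple = (SERVER_AUTH_EKU,)


def certificate_problems(cert, now=NOW):
    """Reasons a certificate cannot serve a Web listener, in the order the lab
    lists them; an empty list means the certificate is usable."""
    problems = []
    if cert.store != "LocalMachine":
        problems.append("installed in the current user store, not the local machine store")
    if not cert.has_private_key:
        problems.append("installed without private key")
    if now > cert.not_after:
        problems.append("expired")
    if now < cert.not_before:
        problems.append("not yet valid")
    if SERVER_AUTH_EKU not in cert.ekus:
        problems.append("intended purpose is not Server Authentication")
    return problems


def valid_listener_certificates(certs, now=NOW):
    """What the dialog shows while 'Show only valid certificates' is enabled."""
    return [c.subject_cn for c in certs if not certificate_problems(c, now)]


def bridging_name_errors(public_name, listener_cert_cn, internal_site_name, backend_cert_cn):
    """Each name mismatch in an SSL bridging rule, paired with the client-side symptom
    the lab describes. Comparison is exact (case-insensitive); wildcard names are not
    modelled."""
    errors = []
    if public_name.lower() != listener_cert_cn.lower():
        errors.append("Public name does not match listener certificate: "
                      "'The name on the security certificate is invalid'")
    if internal_site_name.lower() != backend_cert_cn.lower():
        errors.append("Internal site name does not match published server certificate: "
                      "'500 Internal Server Error - The target principal name is incorrect'")
    return errors


# Constructed records mirroring the certificates imported on Paris in steps 3 and 4.
LAB_CERTS = [
    CertRecord("mail.contoso.com", "LocalMachine", True, datetime(2006, 1, 1), datetime(2008, 1, 1)),
    CertRecord("cert2.contoso.com", "CurrentUser", True, datetime(2006, 1, 1), datetime(2008, 1, 1)),
    CertRecord("cert3.contoso.com", "LocalMachine", False, datetime(2006, 1, 1), datetime(2008, 1, 1)),
    CertRecord("cert4.contoso.com", "LocalMachine", True, datetime(2005, 1, 1), datetime(2006, 1, 1)),
    CertRecord("cert5.contoso.com", "LocalMachine", True, datetime(2007, 1, 1), datetime(2009, 1, 1)),
]

if __name__ == "__main__":
    for cert in LAB_CERTS:
        print(cert.subject_cn, certificate_problems(cert) or "OK")
    # A rule whose internal site name is the short host name, not the certificate name.
    print(bridging_name_errors("mail.contoso.com", "mail.contoso.com",
                               "denver", "denver.contoso.com"))
```

The same classification is what to check first when a listener refuses a certificate or a bridged connection fails after the wizard completes: the certificate must be in the local machine store with its private key and inside its validity period, and each hop of the bridge must name the host exactly as its certificate does.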


Exercise 2 Using Cross-Site Link Translation to Publish SharePoint Server


In this exercise, you will configure ISA Server to publish a SharePoint Server. The portal Web site contains links to other Web servers. By using cross-site link translation, you can access the links from the published portal Web site.

Note: This lab exercise uses the following computers: Denver - Paris - Istanbul
Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.

Perform the following steps on the Denver computer.

1. On the Denver computer, connect to http://portal, and examine the links on the Project-D Portal Web site.
   a. On the Denver computer, open Internet Explorer. In the Address box, type http://portal, and then press Enter. Internet Explorer displays a sample Project-D Portal Web site, which runs on Denver on IP address 10.1.1.10.
   b. In the portal Web site, under Shared Documents, move the mouse pointer over Agenda (do not click). In the status bar, notice that the Agenda.doc link refers to http://portal.
   c. Click Agenda.
   d. In the File Download dialog box, click Open to confirm that you want to open the Agenda.doc file. WordPad opens the Agenda.doc file.
   e. Close WordPad.
   f. In the portal Web site, under Links, move the mouse pointer over Research Web Site (do not click). In the status bar, notice that the Research Web Site link refers to http://server1. It is very common that SharePoint sites contain links to other servers on the internal network.
   g. Click Research Web Site. Internet Explorer opens the research.htm file on server1. Server1 is a Web site running on Denver on IP address 10.1.1.21.
   h. On the toolbar, click the Back button.
   i. Close Internet Explorer.

Perform the following steps on the Paris computer.

2. On the Paris computer, create a new Web listener (if this is not done already).
   Name: External Web 80
   SSL: disable
   Network: External
   Compression: disable
   Authentication: none
   a. On the Paris computer, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management. The ISA Server console opens.
   b. In the ISA Server console, expand Paris, and then select Firewall Policy.
   c. In the task pane, on the Toolbox tab, in the Network Objects section, expand Web Listeners (if possible).
      Note: If a Web listener named External Web 80 was already created in an earlier exercise, then you can skip the rest of this task.
   d. If a Web listener named External Web 80 does not exist, then right-click Web Listeners, and then click New Web Listener.
   e. In the New Web Listener Definition Wizard dialog box, in the Web listener name text box, type External Web 80, and then click Next.
   f. On the Client Connection Security page, select Do not require SSL secured connections with clients, and then click Next.
   g. On the Web Listener IP Addresses page, complete the following information:
      Listen on network: External
      ISA Server will compress content: disable
      and then click Next.
   h. On the Authentication Settings page, in the drop-down list box, select No Authentication, and then click Next.
   i. On the Single Sign On Settings page, click Next.
   j. On the Completing the New Web Listener Wizard page, click Finish. A new Web listener (port 80 on the IP address on the adapter on the External network) with the name External Web 80 is created.

3. Create a Web publishing rule to publish a SharePoint server.
   Name: Portal Web Site
   Publishing type: single Web site
   Internal site name: portal
   Public name: portal.contoso.com
   Web listener: External Web 80
   Delegation: none
   a. In the right pane, select the first rule, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.
   b. In the task pane, on the Tasks tab, click Publish SharePoint Sites.
   c. In the New SharePoint Publishing Rule Wizard dialog box, in the SharePoint publishing rule name text box, type Portal Web Site, and then click Next.
   d. On the Publishing Type page, select Publish a single Web site, and then click Next.
   e. On the Server Connection Security page, select Use non-secured connections to connect to the published Web server, and then click Next.
   f. On the Internal Publishing Details page, in the Internal site name text box, type portal, and then click Next.
   g. On the Public Name Details page, in the Public name text box, type portal.contoso.com, and then click Next.
   h. On the Select Web Listener page, in the Web listener drop-down list box, select External Web 80, and then click Next.
   i. On the Authentication Delegation page, select No delegation, and client cannot authenticate directly, and then click Next.
   j. On the Alternate Access Mapping Configuration page, select SharePoint AAM is not yet configured, and then click Next. ISA Server forwards the public name (portal.contoso.com) to the SharePoint site. If SharePoint limits which names can be used to access the site, then you have to add portal.contoso.com to the Extranet URL list (Alternate Access Mapping list) on the SharePoint site.
   k. On the User Sets page, click Next.
   l. On the Completing the New SharePoint Publishing Rule Wizard page, click Finish. A new Web publishing rule is created, which publishes the SharePoint site portal as portal.contoso.com on the External network.

4. Apply the changes.
   a. Click Apply to apply the changes, and then click OK.

Perform the following steps on the Istanbul computer.

5. On the Istanbul computer, connect to http://portal.contoso.com, and examine the links on the Project-D Portal Web site.
   a. On the Istanbul computer, open Internet Explorer. In the Address box, type http://portal.contoso.com, and then press Enter. Internet Explorer displays the sample Project-D Portal Web site. This result demonstrates that you have successfully published the SharePoint site.
   b. In the portal Web site, under Shared Documents, move the mouse pointer over Agenda (do not click). In the status bar, notice that the Agenda.doc link refers to http://portal.contoso.com. The SharePoint publishing rule wizard configured the Web publishing rule to forward the original host header (http://portal.contoso.com) to the SharePoint site. SharePoint uses that information to create URLs that refer to the host name (portal.contoso.com) that the client can use.
   c. Click Agenda.
   d. In the File Download dialog box, click Open to confirm that you want to open the Agenda.doc file. WordPad opens the Agenda.doc file. You can access documents on the published SharePoint Web site in the same way you can access them on the internal network when connecting to http://portal.
   e. Close WordPad.
   f. In the portal Web site, under Links, move the mouse pointer over Research Web Site (do not click). In the status bar, notice that the Research Web Site link refers to http://server1.
   g. Click Research Web Site. Internet Explorer on Istanbul is not able to resolve the name server1 to connect to the Web server on the internal network.
   h. On the toolbar, click the Back button.
   i. Close Internet Explorer.

Perform the following steps on the Paris computer.

6. On the Paris computer, create a Web publishing rule.
   Name: Server1 Web Site
   Publishing type: single Web site
   Internal site name: server1
   Public name: web1.contoso.com
   Web listener: External Web 80
   Delegation: none
   a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
   b. In the right pane, select the first rule to indicate where the new rule is added.
   c. In the task pane, on the Tasks tab, click Publish Web Sites.
   d. In the New Web Publishing Rule Wizard dialog box, in the Web publishing rule name text box, type Server1 Web Site, and then click Next.
   e. On the Select Rule Action page, select Allow, and then click Next.
   f. On the Publishing Type page, select Publish a single Web site, and then click Next.
   g. On the Server Connection Security page, select Use non-secured connections to connect to the published Web server, and then click Next.
   h. On the Internal Publishing Details page, in the Internal site name text box, type server1, and then click Next.
   i. On the next Internal Publishing Details page, leave the Path text box empty, and then click Next.
   j. On the Public Name Details page, in the Public name text box, type web1.contoso.com, and then click Next.
   k. On the Select Web Listener page, in the Web listener drop-down list box, select External Web 80, and then click Next.
   l. On the Authentication Delegation page, select No delegation, and client cannot authenticate directly, and then click Next.
   m. On the User Sets page, click Next.
   n. On the Completing the New Web Publishing Rule Wizard page, click Finish. A new Web publishing rule is created, which publishes the Web site server1 as web1.contoso.com on the External network.

7. Apply the changes.
   a. Click Apply to apply the changes, and then click OK.

8. Examine the list of per-server link translation mappings.
   a. In the left pane, expand Configuration, and then click General.
   b. In the right pane, click Configure Global Link Translation.

      ISA Server 2006 maintains a per-server (or per-array) list of URL text replacement mappings that are applied to the content of HTTP response packets through any Web publishing rule in the array.
   c. Select the Global Mappings tab. The mappings are created automatically based on the internal site name and the public name of existing Web publishing rules, but you can also add custom mappings. Notice that a mapping to replace http://server1/ with http://web1.contoso.com/ is in the list.
   d. Click Cancel to close the Link Translation dialog box.

Note: On ISA Server 2006 Enterprise Edition, you can enable link translation across arrays. This means that an array can use link translation entries from other arrays in the same Enterprise.

Perform the following steps on the Istanbul computer.

9. On the Istanbul computer, connect to http://portal.contoso.com, and examine the links on the Project-D Portal Web site.
   a. On the Istanbul computer, open Internet Explorer. In the Address box, type http://portal.contoso.com, and then press Enter. Internet Explorer displays the sample Project-D Portal Web site. The site is published through the Portal Web Site publishing rule.
   b. In the portal Web site, under Links, move the mouse pointer over Research Web Site (do not click). In the status bar, notice that the Research Web Site link refers to http://web1.contoso.com. The Portal Web Site rule used the link translation entry from the Server1 Web Site rule.
   c. Click Research Web Site. Internet Explorer displays the Research Web page from Server1. The site is published through the Server1 Web Site publishing rule.
   d. On the toolbar, click the Back button.
   e. Close Internet Explorer.
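What the global mappings list does to a response body, as an added Python example that is not part of the lab manual or of ISA Server: the two publishing rules from this exercise are turned into text-replacement mappings (internal site name to public name, the way the Global Mappings tab lists them) and applied to a constructed SharePoint page. The response, the rule dictionaries and the regular-expression matching are assumptions of this model; ISA's own matching rules are more elaborate.

```python
"""Added example, not part of the lab manual: a minimal model of ISA Server 2006
link translation as exercise 2 uses it. Mappings are derived from Web publishing
rules the way the Global Mappings tab lists them (internal site name -> public
name) and applied to the body of an HTTP response. The rules and the HTML below
are constructed; ISA's real matching rules are more elaborate than this model."""
import re


def build_mappings(rules):
    """One text-replacement mapping per rule: http://<internal site name> -> <public base>.
    The public scheme follows the Web listener (https when the listener requires SSL)."""
    mappings = {}
    for rule in rules:
        scheme = "https" if rule.get("listener_ssl", False) else "http"
        mappings[f"http://{rule['internal_site_name']}"] = f"{scheme}://{rule['public_name']}"
    return mappings


def translate_body(body, mappings):
    """Replace every link to an internal name with its public equivalent.
    The lookahead only lets the host be followed by '/', a quote, whitespace, '>'
    or the end of the text, so http://portal never matches inside
    http://portal.contoso.com and already-translated links are left alone."""
    for internal, public in mappings.items():
        pattern = re.escape(internal) + r"(?=[/\"'\s>]|$)"
        body = re.sub(pattern, public, body)
    return body


def translate_response(headers, body, mappings):
    """Apply link translation only to HTML responses, as ISA does by default;
    documents and other content types pass through untouched."""
    content_type = headers.get("Content-Type", "")
    if not content_type.lower().startswith("text/html"):
        return body
    return translate_body(body, mappings)


# Constructed rules: the two Web publishing rules created in exercise 2.
RULES = [
    {"name": "Portal Web Site", "internal_site_name": "portal",
     "public_name": "portal.contoso.com", "listener_ssl": False},
    {"name": "Server1 Web Site", "internal_site_name": "server1",
     "public_name": "web1.contoso.com", "listener_ssl": False},
]

# Constructed response from the SharePoint site: one link SharePoint already wrote
# using the forwarded host header, one hard-coded link to another internal server.
PORTAL_PAGE = (
    '<a href="http://portal.contoso.com/Shared Documents/Agenda.doc">Agenda</a>\n'
    '<a href="http://server1/research.htm">Research Web Site</a>\n'
)

if __name__ == "__main__":
    m = build_mappings(RULES)
    print(m)
    print(translate_response({"Content-Type": "text/html; charset=utf-8"}, PORTAL_PAGE, m))
```

The model shows why the Server1 Web Site rule had to exist before the Research Web Site link started working: a mapping only appears when some rule names the internal host, and a name with no rule (or a rule whose public name is not resolvable from the External network) leaves the internal link in the page for the client to see.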


Exercise 3 Publishing a Web Farm for Load Balancing


In this exercise, you will publish two Web servers (10.1.1.21 and 10.1.1.22) as a Web farm. ISA Server load balances Web requests to servers in a Web farm. The exercise uses both Cookie-Based Load Balancing and Source-IP Based Load Balancing.

Note: This lab exercise uses the following computers: Denver - Paris - Istanbul. Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.

Perform the following steps on the Paris computer.

1. On the Paris computer, create a new Web listener (if this is not done already).
   Name: External Web 80
   SSL: disable
   Network: External
   Compression: disable
   Authentication: none
   a. On the Paris computer, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.
      The ISA Server console opens.
   b. In the ISA Server console, expand Paris, and then select Firewall Policy.
   c. In the task pane, on the Toolbox tab, in the Network Objects section, expand Web Listeners (if possible).
      If a Web Listener named External Web 80 is already created in an earlier exercise, you can skip the rest of this task.
   d. If a Web Listener named External Web 80 does not exist, then right-click Web Listeners, and then click New Web Listener.
   e. In the New Web Listener Definition Wizard dialog box, in the Web listener name text box, type External Web 80, and then click Next.
   f. On the Client Connection Security page, select Do not require SSL secured connections with clients, and then click Next.
   g. On the Web Listener IP Addresses page, complete the following information:
      Listen on network: External
      ISA Server will compress content: disable
      and then click Next.
   h. On the Authentication Settings page, in the drop-down list box, select No Authentication, and then click Next.
   i. On the Single Sign On Settings page, click Next.
   j. On the Completing the New Web Listener Wizard page, click Finish.
      A new Web listener (port 80 on the IP address on the adapter on the External network) with the name External Web 80 is created.

2. Create a new Server Farm network element.
   Name: Shop Web Servers
   Addresses:
   - 10.1.1.21
   - 10.1.1.22
   Monitoring: http://*/
   a. In the task pane, on the Toolbox tab, in the Network Objects section, right-click Server Farms, and then click New Server Farm.
      The New Server Farm Definition Wizard opens.
   b. In the New Server Farm Definition Wizard dialog box, in the Server farm name text box, type Shop Web Servers, and then click Next.
   c. On the Servers page, click Add.
   d. In the Server Details dialog box, complete the following information:
      Computer name or IP address: 10.1.1.21
      Description: Shopping Web Server 1
      and then click OK.
   e. On the Servers page, click Add again.
   f. In the Server Details dialog box, complete the following information:
      Computer name or IP address: 10.1.1.22
      Description: Shopping Web Server 2
      and then click OK.
      Note: The Denver computer runs two Web sites at addresses 10.1.1.21 and 10.1.1.22.
   g. On the Servers page, click Next.
   h. On the Server Farm Connectivity Monitoring page, complete the following information:
      Send an HTTP/HTTPS GET request: enable (is default)
      Current URL: http://*/ (is default)
      and then click Next.
      ISA Server will monitor the connectivity to the servers in the Shop Web Servers farm by connecting to each of the Web servers (using GET http://10.1.1.21/, and GET http://10.1.1.22/) every 30 seconds.
   i. On the Completing the New Server Farm Wizard page, click Finish.
   j. In the HTTP Connectivity Verification dialog box, click Yes to confirm that you want the connectivity verifiers system policy to be enabled.
      The wizard enables system policy 19 to allow the HTTP GET request from the ISA Server to the Web servers in the Shop Web Servers farm.

3. Create a new Web publishing rule.
   Name: Sales Web Site
   Type: Publish server farm
   Internal name: store.contoso.com/shop
   Server farm: Shop Web Servers
   Load balance mechanism: Cookie-based
   Public name: www.contoso.com/shop
   Web listener: External Web 80
   Delegation: none
   a. In the right pane, select the first rule, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.
   b. In the task pane, on the Tasks tab, click Publish Web Sites.
   c. In the New Publishing Rule Wizard dialog box, in the Web publishing rule name text box, type Sales Web Site, and then click Next.
   d. On the Select Rule Action page, select Allow, and then click Next.
      The Publishing Type page has three choices:
      Publish a single Web site - You create a single rule for a single Web site.
      Publish a server farm - You create a single rule for multiple Web sites with identical content. ISA Server load balances requests.
      Publish multiple Web sites - You create a separate rule for each published Web site with only a single run of the wizard.
   e. On the Publishing Type page, select Publish a server farm of load balanced Web servers, and then click Next.
   f. On the Server Connection Security page, select Use non-secured connections to connect to the published Web server or server farm, and then click Next.
   g. On the Internal Publishing Details page, in the Internal site name text box, type store.contoso.com, and then click Next.
      Note: When you publish a server farm, ISA Server does not use the internal site name (store.contoso.com) to find the published servers. Instead, later in the wizard you specify the Server Farm network element, which lists the addresses of the servers in the farm. The internal site name is used as the host header when connecting to the farm servers, and it is used in automatic Link Translation mappings.
   h. On the next Internal Publishing Details page, complete the following information:
      Path: shop/*
      Forward the original host header: disable (default)
      and then click Next.
   i. On the Specify Server Farm page, complete the following information:
      Select the server farm (drop-down list box): Shop Web Servers
      Cookie-based Load Balancing: enable (is default)
      and then click Next.
      ISA Server can use two different methods to load balance requests to the servers in the farm:
      Cookie-based Load Balancing - ISA Server uses round-robin to distribute new connections to the Web servers. It sends a temporary session cookie to each client that connects, so that client session affinity to the selected Web server is maintained.
      Source-IP based Load Balancing - ISA Server uses a hash value of the client's IP address to distribute connections to the Web servers. All requests from the same client IP address go to the same Web server.
      Note: For load balancing Outlook Web Access or SharePoint access, both of which use Internet Explorer, Cookie-based Load Balancing is the recommended solution. For load balancing Outlook RPC over HTTP access, you need to use Source-IP based Load Balancing. Outlook cannot work with HTTP cookies.
   j. On the Public Name Details page, complete the following information:
      Accept requests for: This domain name (type below)
      Public name: www.contoso.com
      Path (optional): /shop/* (automatic)
      and then click Next.
   k. On the Select Web Listener page, in the Web listener drop-down list box, select External Web 80, and then click Next.
   l. On the Authentication Delegation page, in the drop-down list box, select No delegation, and client cannot authenticate directly, and then click Next.
   m. On the User Sets page, click Next.
   n. On the Completing the New Web Publishing Rule Wizard page, click Finish.
      A new Web publishing rule named Sales Web Site is created. The icon with the four small servers indicates that this rule publishes a server farm.

4. Apply the changes.
   a. Click Apply to apply the changes, and then click OK.

5. Examine the connectivity verifiers for the Shop Web Servers farm.
   a. In the ISA Server console, in the left pane, select Monitoring.
   b. In the right pane, select the Connectivity Verifiers tab.
      Note: You may (temporarily) need to close the task pane in order to see the Connectivity Verifiers tab.
   c. Right-click the first Farm: Shop Web Servers connectivity verifier, and then click Properties.
   d. In the Farm: Shop Web Servers Properties dialog box, select the Connectivity Verification tab.
      Every 30 seconds, ISA Server connects to the published Web servers (using GET http://10.1.1.21/, and GET http://10.1.1.22/). If the Web server responds with HTTP code 200 (OK) within 5 seconds, ISA Server considers the Web server to be available, and load balances requests to the Web server.
      Note: For the GET http://*/ request to succeed, the Web server must accept anonymous access to the root, and must have a default document available. Otherwise, the connectivity verifier fails to connect.
   e. Click Cancel to close the Farm: Shop Web Servers Properties dialog box.
      When the Web servers are available, the connectivity verifier icon contains a green check mark, and the Result column displays the observed response time.

Perform the following steps on the Istanbul computer.

6. On the Istanbul computer, use Internet Explorer to connect to http://www.contoso.com/shop/web.asp.
   a. On the Istanbul computer, open Internet Explorer. In the Address box, type http://www.contoso.com/shop/web.asp, and then press Enter.
      Internet Explorer displays the web.asp page from Web server 10.1.1.21 (Server1). The client did not include a cookie in the Web request.
      Note: Due to the round-robin nature of the Cookie-based Load Balancing, and depending on earlier Web requests that you may have done, it is possible that the Web page in this task is returned from 10.1.1.22. In that case, close the Internet Explorer window, and connect to the Web address again.
   b. On the toolbar, click the Refresh button to refresh the content of the Web page.
      The same Web server handles the Web request. For the second and the subsequent requests, the client includes the session cookie (starting with ISAWPLB), which it received in the response of the first request. The cookie text contains a Global Unique Identifier (GUID) that ISA Server uses to identify which Web server it should send the Web request to. This ensures the session affinity with the same Web server. (ISAWPLB stands for ISA Web Publishing Load Balancing.)
      Note: In the response, ISA Server also forwards an ASP Session cookie from the Web server to the client computer.

7. Create two new Internet Explorer sessions, and connect to http://www.contoso.com/shop/web.asp.
   a. On the Start menu, click All Programs, and then click Internet Explorer.
      A second Internet Explorer window opens.
   b. In Internet Explorer, in the Address box, type http://www.contoso.com/shop/web.asp, and then press Enter.
      The new Web request does not contain a session cookie. Therefore ISA Server forwards the request to the other Web server 10.1.1.22 (Server2), and includes a new cookie in the response.
   c. On the toolbar, click the Refresh button to refresh the content of the Web page.
      The second Internet Explorer session uses a different cookie.
   d. On the Start menu, click All Programs, and then click Internet Explorer again.
      A third Internet Explorer window opens.
   e. In Internet Explorer, in the Address box, type http://www.contoso.com/shop/web.asp, and then press Enter.
      ISA Server load balances the third session to Web server 10.1.1.21 (Server1) again.

Perform the following steps on the Denver computer.

8. On the Denver computer, stop the Server1 Web Site to simulate a connectivity problem with the Web server on 10.1.1.21.
   a. On the Denver computer, on the Start menu, click Administrative Tools, and then click Internet Information Services (IIS) Manager.
      The IIS Manager console opens.
   b. In the IIS Manager console, expand DENVER (local computer), expand Web Sites, and then select Server1 Web Site.
   c. Right-click Server1 Web Site, and then click Properties.
      Notice that Server1 Web Site is listening on IP address 10.1.1.21.
   d. Click Cancel to close the Server1 Web Site Properties dialog box.
   e. Right-click Server1 Web Site, and then click Stop.
      The Web site at 10.1.1.21 is no longer responding to Web requests.

Perform the following steps on the Istanbul computer.

9. On the Istanbul computer, attempt to refresh the content of the Web pages that were from 10.1.1.21 (Server1).
   a. On the Istanbul computer, switch to one of the Internet Explorer windows that currently displays the web.asp page from 10.1.1.21 (Server1).
   b. On the toolbar, click the Refresh button to refresh the content of the Web page.
      Internet Explorer displays an error message: Bad request (invalid hostname).
   c. Wait 20 seconds, and then on the toolbar, click the Refresh button again.
      Internet Explorer displays the web.asp page from 10.1.1.22 (Server2). ISA Server has forwarded the Web request to the remaining Web server in the farm.
      Note: Because ISA Server checks the connectivity to the 10.1.1.21 Web server every 30 seconds, and then waits for the timeout for another 5 seconds, on average it takes 15+5 seconds after the Web server is no longer available, before ISA Server forwards all the Web requests to the other Web server. Due to the way http.sys works on the Denver computer, it still returned a response (Bad request) when connecting to 10.1.1.21.
   d. Switch to the other Internet Explorer window that displays the web.asp page from 10.1.1.21 (Server1).
   e. On the toolbar, click the Refresh button.
      Internet Explorer immediately displays the web.asp page from 10.1.1.22 (Server2).

Perform the following steps on the Paris computer.

10. On the Paris computer, examine the connectivity verifier and the alert for the connection to 10.1.1.21.
   a. On the Paris computer, in the ISA Server console, in the left pane, select Monitoring.
   b. In the right pane, select the Connectivity Verifiers tab.
      Notice that the icon for the connectivity verifier to 10.1.1.21 contains a red mark, indicating a connectivity issue.
   c. In the right pane, select the Alerts tab.
   d. In the task pane, on the Tasks tab, click Refresh Now.
   e. In the right pane, expand the No Connectivity alert, and then select the lower No Connectivity line.
      The alert information describes that the connection to 10.1.1.21 failed.
   f. Right-click the lower No Connectivity line, and then click Reset.
   g. Click Yes to confirm that you want to reset the No Connectivity alert.

Perform the following steps on the Denver computer.

11. On the Denver computer, start the Server1 Web Site.
   a. On the Denver computer, in the IIS Manager console, right-click Server1 Web Site, and then click Start.
      The Web site at 10.1.1.21 is available again.


Perform the following steps on the Istanbul computer.

12. On the Istanbul computer, refresh the Web page from 10.1.1.22, and create a new connection to http://www.contoso.com/shop/web.asp.
   a. On the Istanbul computer, switch to any of the Internet Explorer windows that currently displays the web.asp page from 10.1.1.22 (Server2).
   b. On the toolbar, click the Refresh button to refresh the content of the Web page.
      ISA Server continues to forward the Web requests to 10.1.1.22 (Server2), even though 10.1.1.21 is available again. All current sessions already use a cookie that contains the GUID of Server2, and will stay on this Web server. This is referred to as client stickiness.
   c. On the Start menu, click All Programs, and then click Internet Explorer.
      A new Internet Explorer session opens.
   d. Wait 20 seconds, and then in Internet Explorer, in the Address box, type http://www.contoso.com/shop/web.asp, and press Enter.
      Internet Explorer displays the web.asp page from 10.1.1.21 (Server1). ISA Server load balances all new connections.
      Note: It may take 30+5 seconds before ISA Server detects that the Web server at 10.1.1.21 is available again. If the web.asp page is returned from 10.1.1.22, then close the Internet Explorer window, wait a few seconds, and try again.
   e. Close all Internet Explorer windows.

Perform the following steps on the Paris computer.

13. On the Paris computer, change the load balancing mechanism for the Sales Web Site rule to Source-IP based.
   a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
   b. In the right pane, right-click the Sales Web Site rule, and then click Properties.
   c. In the Sales Web Site Properties dialog box, on the Web Farm tab, in the Load Balancing Mechanism section, select Source-IP based.
      ISA Server will no longer send cookies to manage load balancing Web requests, but will use a hash of the source IP address instead.
   d. Click OK to close the Sales Web Site Properties dialog box.

14. Apply the changes.
   a. Click Apply to apply the changes, and then click OK.

Perform the following steps on the Istanbul computer.

15. On the Istanbul computer, create two new Internet Explorer sessions, and connect to http://www.contoso.com/shop/web.asp.
   a. On the Istanbul computer, on the Start menu, click All Programs, and then click Internet Explorer.
   b. In Internet Explorer, in the Address box, type http://www.contoso.com/shop/web.asp, and then press Enter.
      Internet Explorer displays the web.asp page from Web server 10.1.1.22 (Server2).
   c. On the toolbar, click the Refresh button to refresh the content of the Web page.
      In the response to the first Web request, ISA Server did not include an ISAWPLB cookie, but instead only forwarded the ASP Session cookie that the Web server provides.
   d. On the Start menu, click All Programs, and then click Internet Explorer.
      A second Internet Explorer window opens.
   e. In Internet Explorer, in the Address box, type http://www.contoso.com/shop/web.asp, and then press Enter.
      The new Web request is also handled by the same Web server 10.1.1.22 (Server2). Unlike cookie-based load balancing, ISA Server does not round-robin the Web requests to the Web servers, but uses the hash of the client IP address (39.1.1.7). All Web requests from the Istanbul computer will go to the same Web server.

Perform the following steps on the Denver computer.

16. On the Denver computer, stop the Server2 Web Site to simulate a connectivity problem with the Web server on 10.1.1.22.
   a. On the Denver computer, in the IIS Manager console, right-click Server2 Web Site, and then click Stop.
      The Web site at 10.1.1.22 is no longer responding to Web requests.

Perform the following steps on the Istanbul computer.

17. On the Istanbul computer, attempt to refresh the content of the Web page that was from 10.1.1.22 (Server2).
   a. On the Istanbul computer, switch to one of the Internet Explorer windows that currently displays the web.asp page from 10.1.1.22 (Server2).
   b. On the toolbar, click the Refresh button to refresh the content of the Web page.
      Internet Explorer displays an error message: Bad request (invalid hostname).
   c. Wait 20 seconds, and then on the toolbar, click the Refresh button again.
      Internet Explorer displays the web.asp page from 10.1.1.21 (Server1). ISA Server has forwarded the Web request to the remaining Web server in the farm.

Perform the following steps on the Denver computer.

18. On the Denver computer, start the Server2 Web Site.
   a. On the Denver computer, in the IIS Manager console, right-click Server2 Web Site, and then click Start.
      The Web site at 10.1.1.22 is available again.
   b. Close the IIS Manager console.

Perform the following steps on the Istanbul computer.

19. On the Istanbul computer, attempt to refresh the content of the Web page that was from 10.1.1.21 (Server1).
   a. On the Istanbul computer, switch to the Internet Explorer window that currently displays the web.asp page from 10.1.1.21 (Server1).
   b. On the toolbar, click the Refresh button to refresh the content of the Web page.
      ISA Server may still forward the Web request to 10.1.1.21. After an average of 20 seconds, the connectivity verifier on ISA Server detects that Web server 10.1.1.22 is available again.
   c. Wait 20 seconds, and then on the toolbar, click the Refresh button again.
      Internet Explorer displays the web.asp page from 10.1.1.22 (Server2).
      Note: With cookie-based load balancing, ISA Server continues to forward requests to the same Web server, after the original Web server is available again - called client stickiness. With source-IP based load balancing, ISA Server falls back to forwarding Web requests to the original Web server. There is no client stickiness.
   d. Close all Internet Explorer windows.

Note: The following tasks are needed to avoid conflicts with other lab exercises.

Perform the following steps on the Paris computer.

20. On the Paris computer, delete the Sales Web Site rule, and delete the Shop Web Servers farm.
   a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
   b. In the right pane, right-click the Sales Web Site rule, and then click Delete.
   c. Click Yes to confirm that you want to delete Sales Web Site.
      The Sales Web Site rule is deleted.
   d. In the task pane, on the Toolbox tab, in the Network Objects section, expand Server Farms.
   e. Under Server Farms, right-click Shop Web Servers, and then click Delete.
   f. Click Yes to confirm that you want to delete Shop Web Servers.
      The Shop Web Servers farm and the two related connectivity verifiers are deleted.

21. Apply the changes.
   a. Click Apply to apply the changes, and then click OK.
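The two load balancing mechanisms described in task 3, the connectivity verifier behaviour from task 5, and the stickiness-versus-fallback difference observed in tasks 9 through 19 can all be replayed in one small model. The following is an added example, not code from the lab manual and not ISA Server's own implementation: the ISAWPLB cookie name, the 30-second check interval, the 5-second timeout, the two farm members and the client address 39.1.1.7 are taken from the exercise; the WebFarm class, the SHA-256 hash used for Source-IP routing, the probe callbacks and the replayed scenario are assumptions made for illustration.

```python
"""Added example, not from the lab manual and not ISA Server's own code: a
model of Web farm routing as described in this exercise. The ISAWPLB cookie
name, the 30-second connectivity check, the 5-second timeout, the two farm
members and the client address 39.1.1.7 come from the lab; the classes, the
hash function, the probe callbacks and the replayed scenario are assumptions."""
import hashlib
import uuid

COOKIE_NAME = "ISAWPLB"
CHECK_INTERVAL = 30.0   # seconds between GET http://*/ connectivity checks
CHECK_TIMEOUT = 5.0     # seconds to wait for HTTP 200 before the server counts as down
FARM = ["10.1.1.21", "10.1.1.22"]


def expected_failover_delay():
    """Mean time from a server failing until all requests move away from it:
    half the check interval on average, plus the full timeout (15+5 seconds)."""
    return CHECK_INTERVAL / 2 + CHECK_TIMEOUT


class WebFarm:
    """Routes requests to farm members using either mechanism from the exercise."""

    def __init__(self, servers, mechanism="cookie"):
        if mechanism not in ("cookie", "source-ip"):
            raise ValueError(mechanism)
        self.servers = list(servers)
        self.mechanism = mechanism
        self.available = {s: True for s in self.servers}
        # One GUID per server; it is what the ISAWPLB cookie carries (values are constructed).
        self.guid_of = {s: str(uuid.uuid4()) for s in self.servers}
        self.server_of_guid = {g: s for s, g in self.guid_of.items()}
        self._next = 0

    def run_connectivity_check(self, probe):
        """probe(server) returns (status_code, seconds) or None when nothing answers.
        A member is available only if it returned 200 within CHECK_TIMEOUT."""
        for s in self.servers:
            result = probe(s)
            self.available[s] = (result is not None and result[0] == 200
                                 and result[1] <= CHECK_TIMEOUT)
        return dict(self.available)

    def _healthy(self):
        return [s for s in self.servers if self.available[s]]

    def route(self, client_ip, cookies):
        """Pick the member for one request. Returns (server, cookie_to_set_or_None)."""
        healthy = self._healthy()
        if not healthy:
            raise RuntimeError("no available server in the farm")
        if self.mechanism == "cookie":
            sticky = self.server_of_guid.get(cookies.get(COOKIE_NAME))
            if sticky in healthy:
                return sticky, None            # affinity: honour the cookie
            # No cookie, unknown GUID, or the cookie's server is down: round-robin.
            server = healthy[self._next % len(healthy)]
            self._next += 1
            return server, {COOKIE_NAME: self.guid_of[server]}
        # Source-IP based: hash the client address over the healthy members, no cookie.
        digest = hashlib.sha256(client_ip.encode()).digest()   # hash choice is an assumption
        return healthy[int.from_bytes(digest[:4], "big") % len(healthy)], None


def replay(mechanism):
    """Replay tasks 6 to 19 for one client: first request, refresh, the chosen
    server fails, a refresh after the verifier ran, the server returns, a final
    refresh. Returns the server used at each step."""
    farm = WebFarm(FARM, mechanism)
    jar = {}        # the client's cookie jar (constructed)
    used = []

    def request():
        server, set_cookie = farm.route("39.1.1.7", jar)
        if set_cookie:
            jar.update(set_cookie)
        used.append(server)
        return server

    first = request()
    request()                                                        # refresh: same server
    farm.run_connectivity_check(lambda s: None if s == first else (200, 0.02))  # first fails
    request()                                                        # moves to the other member
    farm.run_connectivity_check(lambda s: (200, 0.02))               # first is back
    request()                                                        # sticky or fallback?
    return used
```

With the cookie mechanism the replay ends on the second server (the client keeps the new ISAWPLB cookie, which is the client stickiness noted above); with Source-IP routing the hash is recomputed over the healthy members on every request, so the client falls back to its original server as soon as the verifier marks it available again.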


Module B: ISA Server 2006 as Branch Office Gateway


Exercise 1 Configuring HTTP Compression to Reduce Bandwidth Usage
In this exercise, you will configure ISA Server to compress HTTP content when responding to requests from client computers, and to request compressed HTTP content when connecting to other servers.

Note: This lab exercise uses the following computers: Denver - Paris - Istanbul. Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.

Perform the following steps on the Istanbul computer.

1. On the Istanbul computer, examine the uncompressed file size of content.htm in the Default Web Site.
   a. On the Istanbul computer, on the Start menu, click Administrative Tools, and then click Internet Information Services (IIS) Manager.
      The IIS Manager console opens.
   b. In the IIS Manager console, expand ISTANBUL (local computer), expand Web Sites, and then select Default Web Site.
      The Default Web Site contains a file named content.htm.
   c. Right-click Default Web Site, and then click Open.
      The c:\inetpub\wwwroot folder opens. Notice that the uncompressed size of the content.htm file is 91 KB. You will request this file in compressed form later in the exercise.
   d. Close the c:\inetpub\wwwroot window.
   e. Close the IIS Manager console.

2. Open the C:\Tools\Perfmon-sent.msc console.
   a. Use Windows Explorer (or My Computer) to open the C:\Tools folder.
   b. In the Tools folder, right-click Perfmon-sent.msc, and then click Open.
      Perfmon-sent.msc is a saved MMC console containing a preconfigured System Monitor Control. It shows the Bytes Sent/sec counter for the network adapter. You will use the results in this console later in the exercise.
   c. Close the C:\Tools folder.

Perform the following steps on the Paris computer.

3. On the Paris computer, create a new access rule.
   Name: Allow Web access (Branch)
   Applies to: HTTP
   From network: Internal
   To network: External
   a. On the Paris computer, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.
      The ISA Server console opens.
   b. In the left pane, expand Paris, and then select Firewall Policy.
   c. In the right pane, select the first rule, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.
   d. In the task pane, on the Tasks tab, click Create Access Rule.
   e. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow Web access (Branch), and then click Next.
   f. On the Rule Action page, select Allow, and then click Next.
   g. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.
   h. In the Add Protocols dialog box, click Common Protocols, click HTTP, click Add, and then click Close to close the Add Protocols dialog box.
   i. On the Protocols page, click Next.
   j. On the Access Rule Sources page, click Add.
   k. In the Add Network Entities dialog box, click Networks, click Internal, click Add, and then click Close to close the Add Network Entities dialog box.
   l. On the Access Rule Sources page, click Next.
   m. On the Access Rule Destinations page, click Add.
   n. In the Add Network Entities dialog box, click Networks, click External, click Add, and then click Close to close the Add Network Entities dialog box.
   o. On the Access Rule Destinations page, click Next.
   p. On the User Sets page, click Next.
   q. On the Completing the New Access Rule Wizard page, click Finish.
      A new firewall policy rule is created that allows the HTTP protocol from the Internal network to the External network.

4. Apply the changes.
   a. Click Apply to apply the new rule, and then click OK.

Perform the following steps on the Denver computer.

5. On the Denver computer, open the C:\Tools\Perfmon-received.msc console.
   a. On the Denver computer, use Windows Explorer (or My Computer) to open the C:\Tools folder.
   b. In the Tools folder, right-click Perfmon-received.msc, and then click Open.
      Perfmon-received.msc is a saved MMC console containing a preconfigured System Monitor Control. It shows the Bytes Received/sec counter for the network adapter.
   c. Close the C:\Tools folder.

6. Use Internet Explorer to connect to http://istanbul.fabrikam.com/content.htm.
   a. Open Internet Explorer. In the Address box, type http://istanbul.fabrikam.com/content.htm, and then press Enter.
      Internet Explorer connects to ISA Server and retrieves the content.htm Web page from Istanbul.

7. Examine the peak bytes received per second in the Performance console.
   The content.htm Web page contains 90 KB of text.
   a. Switch to the Performance - Bytes Received console.
      Notice that the network adapter on Denver has a peak bytes received per second of approximately 90 KB. This result confirms that the content.htm Web page is currently not compressed when delivered from the ISA Server to Denver.

Perform the following steps on the Istanbul computer.

8. On the Istanbul computer, examine the peak bytes sent per second in the Performance console.
   a. On the Istanbul computer, switch to the Performance - Bytes Sent console.
      The network adapter on Istanbul has a peak bytes sent per second of approximately 90 KB. This result confirms that the content.htm Web page is currently not compressed when delivered from the Web server (Istanbul) to the ISA Server.

Perform the following steps on the Paris computer.

9. On the Paris computer, examine the two Web filters for HTTP compression.
   a. On the Paris computer, in the ISA Server console, under Paris, expand Configuration, and then select Add-ins.
   b. In the right pane, select the Web Filters tab.
      ISA Server 2006 installs two Web Filters that provide HTTP compression functionality:
      Compression Filter - Compresses and decompresses HTTP responses.
      Caching Compressed Content Filter - Stores and retrieves compressed content in the cache.
      Note: Do not move the Compression Filter lower in the list of Web Filters. Decompression must take place before any other Web filter inspects the content. Other Web filters cannot inspect compressed content.

10. Configure HTTP Compression.
   Return Compressed Data: Internal
   Content types:
   - Documents
   - HTML Documents
   - Macro Documents
   - Text
   a. In the left pane, under Configuration, select General.
      HTTP Compression is a global HTTP Policy setting. This means that it applies to all HTTP traffic that passes through ISA Server to or from a specified network or computer set. HTTP Compression is not a per-rule setting.
   b. In the right pane, click Define HTTP Compression Preferences.
   c. In the HTTP Compression dialog box, on the Return Compressed Data tab, click the top Add button.
      By default HTTP compression is enabled, but no network elements are configured to use compression.
      Note: It is possible that you already added one or more Web Listeners to the Return Compressed Data list, while creating new Web Publishing rules in earlier exercises.
   d. In the Add Network Entities dialog box, click Networks, click Internal, click Add, and then click Close to close the Add Network Entities dialog box.
      You configured compression of HTTP responses when requested by clients on the Internal network.
      Note: Do not confuse the two compression settings per network element:
      Return Compressed Data - ISA Server returns compressed content in HTTP response packets when clients from the specified network request compression.
      Request Compressed Data - ISA Server asks for compressed content in HTTP request packets when sending requests to servers on the specified network.
   e. On the Return Compressed Data tab, click Content Types.
      The Content Types dialog box lists all defined Content Types on ISA Server. Some content types, for example Audio, Video and Compressed Files, are already compressed at the application level. Do not enable HTTP compression for these content types.
   f. In the Content Types dialog box, complete the following information:
      Compress the selected content types only: enable (is default)
      Documents: enable
      HTML Documents: enable (is default)
      Macro Documents: enable
      Text: enable (is default)
      All other check boxes: disable
      and then click OK to close the Content Types dialog box.
      Branch office functionality: When branch offices connect to ISA Servers at the main office to access HTTP content from the Internet or from Web servers at the main office, you should add the branch office networks to the Return Compressed Data list to reduce bandwidth usage for the response traffic.
   g. Click OK to close the HTTP Compression dialog box.
   h. Click Apply to apply the changes, and then click OK.

Perform the following steps on the Denver computer.

11. On the Denver computer, configure Internet Explorer to use HTTP 1.1 when connecting through a proxy server.
   a. On the Denver computer, in Internet Explorer, on the Tools menu, click Internet Options.
   b. In the Internet Options dialog box, on the Connections tab, click LAN Settings.
      Notice that Denver is currently configured to use a proxy server at IP address 10.1.1.1.
   c. Click Cancel to close the Local Area Network (LAN) Settings dialog box.
   d. On the Advanced tab, in the Settings list box, scroll to the HTTP 1.1 settings section.
      By default, Internet Explorer uses HTTP 1.1, except when connecting through a proxy server. HTTP compression requires HTTP 1.1.
   e. Enable the Use HTTP 1.1 through proxy connections check box, and then click OK.

12. Refresh the content of the Web page at http://istanbul.fabrikam.com/content.htm, by pressing Ctrl-F5 or Ctrl-Refresh.
   a. In Internet Explorer, ensure that the http://istanbul.fabrikam.com/content.htm Web page is opened.
   b. Hold the Ctrl key, and then click the Refresh button on the toolbar, to refresh the content of the Web page.
      Internet Explorer connects to the ISA Server and retrieves the content.htm Web page from Istanbul again.
      Note: The use of the Ctrl key to refresh the Web page ensures that Internet Explorer does not use its caching mechanism.

13. Examine the peak bytes received per second in the Performance console.
   a. Switch to the Performance - Bytes Received console.
      The network adapter on Denver has a peak bytes received per second of approximately 35 KB.

   This result confirms that the content.htm Web page, which has a file size of 91 KB, is compressed when delivered from the ISA Server to Denver.
   Note: When Internet Explorer uses HTTP 1.1, it always includes the HTTP request header Accept-Encoding: gzip, deflate, to request compressed content from a Web server. The response includes the HTTP response header Content-Encoding: gzip to indicate that the content is compressed. If you want to examine the network traffic in more detail in the lab environment, you can use Network Monitor. Microsoft Network Monitor 5.2 is installed in each virtual machine.

Perform the following steps on the Istanbul computer.

14. On the Istanbul computer, examine the peak bytes sent per second in the Performance console.
   a. On the Istanbul computer, switch to the Performance - Bytes Sent console. The network adapter on Istanbul has a peak bytes sent per second of approximately 90 KB. Currently, ISA Server receives the content.htm Web page uncompressed from Istanbul, and then compresses the content when sending it to Denver.

15. Configure IIS to enable HTTP compression.
      Application files: yes
      Static files: yes
   a. On the Start menu, click Administrative Tools, and then click Internet Information Services (IIS) Manager. The IIS Manager console opens.
   b. In the IIS Manager console, expand ISTANBUL (local computer), right-click Web Sites, and then click Properties. By default, IIS 6.0 does not compress content in HTTP response packets.
   c. In the Web Sites Properties dialog box, on the Service tab, complete the following information:
      Compress application files: enable
      Compress static files: enable
      and then click OK.
      If you enable HTTP compression of application files (.asp, .dll, and .exe) and static files (.htm, .html, and .txt), IIS compresses the content when requested by clients that indicate they can accept gzip-encoded responses.

16. Restart IIS.
   a. In the IIS Manager console, in the left pane, right-click ISTANBUL (local computer), click All Tasks, and then click Restart IIS. After enabling HTTP compression, you must restart IIS.
   b. In the Stop/Start/Restart dialog box, in the drop-down list box, select Restart Internet Services on ISTANBUL, and then click OK. The IIS services restart.
   c. Close the IIS Manager console.
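The Accept-Encoding / Content-Encoding negotiation described in the note under step 13, together with the rule from step 10f that content types which are already compressed (audio, video, compressed files) must not be gzip-compressed again, as an added Python example. This is not part of the lab manual and not ISA Server or IIS code; the content-type lists and the stand-in for content.htm are constructed for the example.

```python
import gzip

# Constructed mapping (an assumption, not ISA Server's own Content Types list):
# types that are already compressed at the application level are never gzipped again.
ALREADY_COMPRESSED_PREFIXES = ("audio/", "video/", "application/zip",
                               "application/x-gzip", "application/x-compressed")

# Constructed stand-in for the Content Types enabled in step 10f
# (Documents, HTML Documents, Macro Documents, Text).
COMPRESSIBLE_TYPES = {"text/html", "text/plain", "application/msword",
                      "application/vnd.ms-excel"}


def accepts_gzip(accept_encoding):
    """True if the Accept-Encoding request header lists gzip (or *) with a non-zero q-value."""
    if not accept_encoding:
        return False
    for token in accept_encoding.split(","):
        parts = [p.strip() for p in token.split(";")]
        coding = parts[0].lower()
        q = 1.0
        for p in parts[1:]:
            if p.lower().startswith("q="):
                try:
                    q = float(p[2:])
                except ValueError:
                    q = 0.0
        if coding in ("gzip", "*") and q > 0:
            return True
    return False


def should_compress(content_type, accept_encoding):
    """Compress only enabled types, never already-compressed ones, and only when the client asks."""
    base = content_type.split(";")[0].strip().lower()
    if base.startswith(ALREADY_COMPRESSED_PREFIXES):
        return False
    return base in COMPRESSIBLE_TYPES and accepts_gzip(accept_encoding)


def build_response(body, content_type, accept_encoding):
    """Return the raw HTTP/1.1 response bytes a compressing proxy would send to the client."""
    headers = [b"HTTP/1.1 200 OK", b"Content-Type: " + content_type.encode()]
    if should_compress(content_type, accept_encoding):
        body = gzip.compress(body)
        headers.append(b"Content-Encoding: gzip")
    headers.append(b"Content-Length: " + str(len(body)).encode())
    return b"\r\n".join(headers) + b"\r\n\r\n" + body


def parse_response(raw):
    """Split a raw response into (headers dict, decoded body); gzip bodies are decompressed."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.decode().partition(":")
        headers[name.strip().lower()] = value.strip()
    if headers.get("content-encoding", "").lower() == "gzip":
        body = gzip.decompress(body)
    return headers, body


def wire_sizes(body, content_type, accept_encoding):
    """Return (uncompressed length, bytes actually sent on the wire) for one response body."""
    raw = build_response(body, content_type, accept_encoding)
    _, _, wire_body = raw.partition(b"\r\n\r\n")
    return len(body), len(wire_body)


if __name__ == "__main__":
    # Constructed stand-in for content.htm: roughly 91 KB of repetitive HTML.
    page = b"<html><body>" + b"<p>Lorem ipsum dolor sit amet.</p>\n" * 2600 + b"</body></html>"
    print("HTTP/1.1 client, gzip accepted:", wire_sizes(page, "text/html", "gzip, deflate"))
    print("no Accept-Encoding header:    ", wire_sizes(page, "text/html", ""))
    print("video body, gzip accepted:    ", wire_sizes(b"\x00" * 1000, "video/mpeg", "gzip"))
```

Running the script prints the (uncompressed, on-the-wire) byte counts for the stand-in page with and without the Accept-Encoding header, which is the same comparison the Performance consoles make in steps 13 and 14, and shows that a video body leaves untouched whatever the client requests.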

17. Examine the IIS Temporary Compressed Files folder.
   a. Use Windows Explorer (or My Computer) to open the C:\Windows\IIS Temporary Compressed Files folder. To reduce processor usage, IIS caches compressed static files in the IIS Temporary Compressed Files folder the first time those files are requested. Application files are compressed every time they are requested.
   b. The folder is currently empty. Do not close the IIS Temporary Compressed Files folder.

Perform the following steps on the Paris computer.

18. On the Paris computer, configure HTTP Compression.
      Request Compressed Data: External
   a. On the Paris computer, in the ISA Server console, in the left pane, select General.
   b. In the right pane, click Define HTTP Compression Preferences.
   c. In the HTTP Compression dialog box, on the Request Compressed Data tab, click the top Add button.
   d. In the Add Network Entities dialog box, click Networks, click External, click Add, and then click Close to close the Add Network Entities dialog box. ISA Server will include the HTTP request header Accept-Encoding: gzip when requesting Web content from servers on the External network, to indicate that it can accept compressed traffic.
   Branch office functionality: When ISA Servers in branch offices connect to the main office or directly to the Internet to access HTTP content, you should add the main office network or External network to the Request Compressed Data list to reduce bandwidth usage for the response traffic.
   e. Click OK to close the HTTP Compression dialog box.
   f. Click Apply to apply the changes, and then click OK.

Perform the following steps on the Denver computer.

19. On the Denver computer, refresh the content of the Web page at http://istanbul.fabrikam.com/content.htm, by pressing Ctrl-F5 or Ctrl-Refresh twice.
   a. On the Denver computer, in Internet Explorer, ensure that the http://istanbul.fabrikam.com/content.htm Web page is opened.
   b. Hold the Ctrl key, and then click the Refresh button on the toolbar, to refresh the content of the Web page.
   c. Wait five seconds, and then hold the Ctrl key, and click the Refresh button on the toolbar again. Internet Explorer connects to the ISA Server and retrieves the content.htm Web page from Istanbul twice.

20. Examine the peak bytes received per second in the Performance console.
   a. Switch to the Performance - Bytes Received console. The network adapter on Denver has two peaks of bytes received per second of approximately 35 KB. The content is compressed when delivered from the ISA Server to Denver.

Perform the following steps on the Istanbul computer.

21. On the Istanbul computer, examine the peak bytes sent per second in the Performance console.
   a. On the Istanbul computer, switch to the Performance - Bytes Sent console. The network adapter on Istanbul first has a peak bytes sent per second of approximately 90 KB, followed by a peak of approximately 30 KB. On the first request for content.htm, IIS sends the uncompressed content immediately, and compresses the file for subsequent requests. On the second request, IIS sends the compressed content.
   b. Close the Performance - Bytes Sent console.

22. Examine the IIS Temporary Compressed Files folder.
   a. Switch to the IIS Temporary Compressed Files folder. IIS has stored the compressed version of content.htm in this folder. The file size is 29 KB.
   b. Close the IIS Temporary Compressed Files folder.

Note: By default, ISA Server is configured to inspect the content of compressed HTTP response packets. This means that ISA Server performs the following steps when receiving the response from Istanbul:
   1) The Compression Filter uncompresses the content.
   2) The HTTP Filter and other Web filters inspect the uncompressed HTTP content.
   3) The Cached Compressed Content Filter caches the uncompressed content.
and then, when sending the response to Denver:
   4) The Compression Filter compresses the content again.
It is possible to disable inspection of compressed content. In that case, ISA Server does not uncompress the HTTP content, and the Cached Compressed Content Filter caches the compressed version of the content.

Note: The following tasks are needed to avoid conflicts with other lab exercises.

23. Configure IIS to disable HTTP compression.
      Application files: no
      Static files: no
   a. On the Start menu, click Administrative Tools, and then click Internet Information Services (IIS) Manager. The IIS Manager console opens.
   b. In the IIS Manager console, expand ISTANBUL (local computer), right-click Web Sites, and then click Properties.
   c. In the Web Sites Properties dialog box, on the Service tab, complete the following information:
      Compress application files: disable
      Compress static files: disable
      and then click OK.

24. Restart IIS.
   a. In the IIS Manager console, in the left pane, right-click ISTANBUL (local computer), click All Tasks, and then click Restart IIS.
   b. In the Stop/Start/Restart dialog box, in the drop-down list box, select Restart Internet Services on ISTANBUL, and then click OK.
   c. The IIS services restart. HTTP compression is disabled. Close the IIS Manager console.

Perform the following steps on the Paris computer.

25. On the Paris computer, disable HTTP Compression.
   a. On the Paris computer, in the ISA Server console, in the left pane, select General.
   b. In the right pane, click Define HTTP Compression Preferences.
   c. In the HTTP Compression dialog box, on the Return Compressed Data tab, select Internal, and then click Remove.
   d. On the Request Compressed Data tab, select External, and then click Remove. HTTP Compression is no longer enabled for responses to the Internal network, or for requests to the External network.
   e. Click OK to close the HTTP Compression dialog box.
   f. Click Apply to apply the changes, and then click OK.

Perform the following steps on the Denver computer.

26. Close the Performance console and close Internet Explorer.
   a. Close the Performance - Bytes Received console.
   b. Close Internet Explorer.


Exercise 2 Configuring ISA Server to Cache BITS Content


In this exercise, you will configure ISA Server to cache Background Intelligent Transfer Service (BITS) content, and request ranges from cached files.

Note: This lab exercise uses the following computers: Denver - Paris - Istanbul. Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.

Perform the following steps on the Paris computer.

1. On the Paris computer, define a cache drive.
      Cache size: 10 MB
   a. On the Paris computer, in the ISA Server console, under Configuration, select Cache. By default, caching is disabled on ISA Server.
   b. In the right pane, select the Cache Drives tab.
   c. In the task pane, on the Tasks tab, click Define Cache Drives (Enable Caching).
   d. In the Define Cache Drives dialog box, in the Maximum cache size (MB) text box, type 10, and then click Set. For demonstration purposes, a very small disk cache file of 10 MB is created. Normally you would configure a much bigger cache file.
   e. Click OK to close the Define Cache Drives dialog box.

2. Apply the changes and restart the Firewall service.
   a. Click Apply to apply the changes.
   b. In the ISA Server Warning dialog box, CHANGE the current selection, select Save the changes and restart the services, and then click OK.
   c. Click OK to close the Saving Configuration Changes dialog box.

3. Open a Command Prompt window to verify the existence of the disk cache file.
      File: c:\urlcache\Dir1.cdat
   a. Open a Command Prompt window.
   b. At the command prompt, type cd \urlcache, and then press Enter.
   c. Type dir, and then press Enter. The Dir1.cdat file is the disk cache file that ISA Server uses. The file size is 10 MB. You will use the Dir1.cdat file later in the exercise.

4. Examine the BITS caching setting for the Default rule.
   a. In the ISA Server console, in the left pane, select Cache.
   b. In the right pane, select the Cache Rules tab. ISA Server 2006 has two predefined cache rules: the Microsoft Update Cache Rule and the Default rule. You cannot change or delete the Default rule.
   c. Right-click Default rule, and then click Properties.
   d. In the Default rule Properties dialog box, select the Advanced tab. Notice that the built-in Default rule does not enable caching of Background Intelligent Transfer Service (BITS) content.
   e. Click Cancel to close the Default rule Properties dialog box.

5. Examine the BITS caching setting for the Microsoft Update Cache Rule.
   a. In the right pane, right-click Microsoft Update Cache Rule, and then click Properties.
   b. In the Microsoft Update Cache Rule Properties dialog box, select the Advanced tab. BITS caching is enabled in the Microsoft Update Cache Rule. The Microsoft Update Cache Rule is predefined, but you can disable or delete the rule if required.
   c. On the To tab, select Microsoft Update Domain Name Set, and then click Edit.

      The rule applies to requests to the Windows Update and Microsoft Update Web sites. Those are examples of Web sites that use BITS. Client computers that use BITS to download the update files use the HTTP Range request header to download only the parts of the update files that contain the update information they need. ISA Server 2006 provides BITS Caching. This means that ISA Server can cache the HTTP ranges requested by BITS, without having to download the entire file.
   Note: Although this feature is called BITS Caching, it applies to all HTTP range requests, not only to HTTP range requests from BITS.
   d. Click Cancel to close the Microsoft Update Domain Name Set Properties dialog box.
   e. Click Cancel to close the Microsoft Update Cache Rule Properties dialog box.
   Branch office functionality: By using BITS Caching on an ISA Server in a branch office, you can reduce bandwidth usage from the branch office for connections from client computers to Windows Server Update Services (WSUS) in the main office, or to Windows Update and Microsoft Update on the Internet. The responses to HTTP range requests for update files are cached at the ISA Server in the branch office. The same benefit also applies to other applications in the branch office that use HTTP range requests or the BITS protocol.

Note: The computers in the lab environment are not connected to the Internet, and cannot connect to any of the Windows Update or Microsoft Update Web sites. To demonstrate BITS caching, in the next task you will add istanbul.fabrikam.com to the list of Web sites in Microsoft Update Domain Name Set.

6. Add istanbul.fabrikam.com to Microsoft Update Domain Name Set.
   a. Right-click Microsoft Update Cache Rule, and then click Properties.
   b. On the To tab, select Microsoft Update Domain Name Set, and then click Edit.
   c. In the Microsoft Update Domain Name Set Properties dialog box, click Add.
   d. Replace the New Domain text by typing istanbul.fabrikam.com, and then press Enter.
   e. Click OK to close the Microsoft Update Domain Name Set Properties dialog box. The destination istanbul.fabrikam.com is included in Microsoft Update Domain Name Set.
   f. Click OK to close the Microsoft Update Cache Rule Properties dialog box.

7. Apply the changes.
   a. Click Apply to apply the changes, and then click OK.

8. Verify the existence of the Allow Web access (Branch) firewall rule.
   a. In the left pane, select Firewall Policy. In the right pane, notice the Allow Web access (Branch) firewall rule. This rule allows HTTP access from the Internal network to the External network. You created the rule in an earlier exercise. The BITS service uses the normal HTTP protocol, and adds the HTTP Range request header in order to request parts of the file.

Perform the following steps on the Denver computer.

9. On the Denver computer, examine the BITS service.
   a. On the Denver computer, on the Start menu, click Administrative Tools, and then click Services. The Services console opens.
   b. In the Services console, in the right pane, select Background Intelligent Transfer Service. The BITS service on the client computer transfers data between clients and servers. It has three functions:
      - It asynchronously transfers files or file ranges in the background.
      - It transfers the data in small chunks, utilizing unused bandwidth as it becomes available.
      - It automatically resumes the download later if the computer restarts or if the network disconnects.
   Note: The BITS service is automatically started when needed.
   c. Close the Services console.

10. Examine the bitsclient.cmd and bitsadmin.exe tools.
      Folder: C:\Tools
   a. Open a Command Prompt window.
   b. At the command prompt, type cd \tools, and then press Enter.
   c. Type dir, and then press Enter. The Tools folder contains a script file named bitsclient.cmd that you can use to transfer files or file ranges with the BITS protocol. The bitsclient.cmd script was created for use with this lab. It uses the bitsadmin.exe tool, which you can download from the Microsoft Web site as part of the Windows XP SP2 Support Tools. See http://support.microsoft.com/?kbid=838079 for more information.
   Note: If you want to examine the network traffic in more detail in the lab environment, you can use Network Monitor. Microsoft Network Monitor 5.2 is installed in each virtual machine.

11. Use the bitsclient tool to download the content2.htm file from Istanbul.
   a. At the command prompt, type bitsclient, and then press Enter. As parameters, the BITS Client tool needs a remote URL, and optionally an offset and length indicating the file range in bytes.
   b. Type bitsclient http://istanbul.fabrikam.com/content2.htm, and then press Enter. The BITS service connects to the ISA Server, and downloads the content2.htm file from Istanbul.

Perform the following steps on the Paris computer.

12. On the Paris computer, use the find command to verify the presence of the content2.htm content in the disk cache file.
   a. On the Paris computer, in the Command Prompt window, in the C:\urlcache folder, type find /i "content2.htm" dir1.cdat, and then press Enter. You can use the find command to search for text in the disk cache file. The find command displays multiple entries for content2.htm, indicating the URL of cached content. The entries ending with a semicolon followed by two numbers are 32 KB cached BITS chunks of the content2.htm file.
   b. After a few seconds, press Ctrl-C to interrupt the find command, and to avoid searching the entire 10 MB disk cache file.
   c. Close the Command Prompt window.

Perform the following steps on the Istanbul computer.

13. On the Istanbul computer, disable the Local Area Connection network adapter.
   a. On the Istanbul computer, on the Start menu, click Control Panel, right-click Network Connections, and then click Open. The Network Connections window opens.
   b. In the Network Connections window, right-click Local Area Connection, and then click Disable. The network adapter is disabled. This helps demonstrate that ISA Server does not obtain the content2.htm file from Istanbul, but responds to subsequent file range requests from its cache.

Perform the following steps on the Denver computer.

14. On the Denver computer, for demonstration purposes, request the 11 bytes starting at position 749 in the content2.htm file.
   a. On the Denver computer, in the Command Prompt window, in the C:\Tools folder, type bitsclient http://istanbul.fabrikam.com/content2.htm 749:11, and then press Enter.
   Note: You can use the up-arrow key to easily recall the previous command at the command prompt.
      The BITS service connects to ISA Server, and requests bytes 749-759 in the content2.htm file. ISA Server obtains this file range from the cache, and sends the 11 bytes to Denver, which saves the data in the bits-job1.txt file.
   b. Type type bits-job1.txt, and then press Enter. The 11 bytes at that position in the file happen to spell "Lorem ipsum". This result verifies that ISA Server responded to the BITS file range request from its cache. ISA Server did not connect to Istanbul, whose network adapter is disabled.
   c. Close the Command Prompt window.

Note: The following tasks are needed to avoid conflicts with other lab exercises.

Perform the following steps on the Istanbul computer.

15. On the Istanbul computer, enable the Local Area Connection network adapter.
   a. On the Istanbul computer, in the Network Connections window, right-click Local Area Connection, and then click Enable. The network adapter is enabled.
   b. Close the Network Connections window.
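The behaviour that steps 11 through 14 verify (range requests served in 32 KB chunks from the cache, with no connection to the origin once its adapter is disabled), as an added Python model of a range-aware cache. This is not the lab's code and not ISA Server's cache implementation; the chunk size comes from step 12, while the origin stand-in, the constructed content2.htm with "Lorem ipsum" at byte 749, and the shape of the cache entries are assumptions for the example.

```python
CHUNK = 32 * 1024   # ISA Server caches BITS ranges in 32 KB chunks (lab step 12)


class OriginUnavailable(Exception):
    """Raised when a chunk is not cached and the origin cannot be reached (step 13)."""


class RangeCache:
    """Caches a resource in fixed-size chunks and answers byte-range requests from them."""

    def __init__(self, fetch_range):
        # fetch_range(url, start, end_inclusive) -> bytes obtained from the origin server
        self._fetch = fetch_range
        self._chunks = {}            # (url, chunk index) -> bytes
        self.origin_requests = 0     # how often the origin was actually contacted

    def get_range(self, url, start, length):
        """Return bytes [start, start+length) of url, fetching only the missing chunks."""
        if length <= 0:
            return b""
        end = start + length - 1
        first, last = start // CHUNK, end // CHUNK
        buf = bytearray()
        for idx in range(first, last + 1):
            key = (url, idx)
            if key not in self._chunks:
                cstart = idx * CHUNK
                self._chunks[key] = self._fetch(url, cstart, cstart + CHUNK - 1)
                self.origin_requests += 1
            buf += self._chunks[key]
        offset = start - first * CHUNK
        return bytes(buf[offset:offset + length])

    def cached_entries(self, url):
        """(url, chunk offset, chunk length) per cached chunk; a constructed view, not the .cdat layout."""
        return sorted((u, idx * CHUNK, len(data))
                      for (u, idx), data in self._chunks.items() if u == url)


def make_origin(document):
    """Constructed origin: returns (fetch_range, state); set state['online']=False to 'disable the adapter'."""
    state = {"online": True}

    def fetch_range(url, start, end):
        if not state["online"]:
            raise OriginUnavailable(f"{url}: origin network adapter is disabled")
        return document[start:end + 1]

    return fetch_range, state


URL = "http://istanbul.fabrikam.com/content2.htm"
# Constructed content2.htm: "<html><body>" is 12 bytes, so "Lorem ipsum" starts at byte 749.
CONTENT2 = (b"<html><body>" + b"x" * 737 + b"Lorem ipsum"
            + b" dolor sit amet, consectetur adipiscing elit.\n" * 1500 + b"</body></html>")


def simulate_lab():
    """Replay steps 11, 13 and 14: full download, origin offline, then a cached range request."""
    fetch, origin = make_origin(CONTENT2)
    cache = RangeCache(fetch)
    whole = cache.get_range(URL, 0, len(CONTENT2))      # step 11: BITS downloads the whole file
    origin["online"] = False                              # step 13: Istanbul's adapter is disabled
    piece = cache.get_range(URL, 749, 11)                 # step 14: bitsclient ... 749:11
    return {"full_ok": whole == CONTENT2, "piece": piece,
            "origin_requests": cache.origin_requests,
            "entries": cache.cached_entries(URL)}


if __name__ == "__main__":
    result = simulate_lab()
    print(result["piece"], result["origin_requests"], "origin requests")
    for entry in result["entries"]:
        print(entry)
```

The three entries printed at the end are the counterpart of the lines that find /i "content2.htm" dir1.cdat shows in step 12: one per 32 KB chunk, and the 11-byte range is assembled from the first chunk without a single call to the origin.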

Perform the following steps on the Paris computer.

16. On the Paris computer, disable caching.
   a. On the Paris computer, in the ISA Server console, in the left pane, select Cache.
   b. In the right pane, select the Cache Drives tab.
   c. In the task pane, on the Tasks tab, click Disable Caching.
   d. Click Yes to confirm that you want to disable caching.

17. Apply the changes and restart the Firewall service.
   a. Click Apply to apply the changes.
   b. In the ISA Server Warning dialog box, CHANGE the current selection, select Save the changes and restart the services, and then click OK.
   c. Click OK to close the Saving Configuration Changes dialog box. Caching is disabled.

Exercise 3 Configuring DiffServ Settings to Prioritize Network Traffic


In this exercise, you will configure ISA Server to use Differentiated Services (DiffServ) tagging of HTTP and HTTPS network packets.

Note: This lab exercise uses the following computers: Denver - Paris - Istanbul. Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.

Perform the following steps on the Paris computer.

1. On the Paris computer, enable the Web filter for DiffServ tagging.
   a. On the Paris computer, in the ISA Server console, under Paris, expand Configuration, and then select Add-ins.
   b. In the right pane, select the Web Filters tab. ISA Server 2006 installs one new Web filter that provides tagging of network packets by using the Differentiated Services (DiffServ) model: DiffServ Filter - Enables DiffServ tagging of Web traffic.
   c. In the right pane, select DiffServ Filter, and then in the task pane, on the Tasks tab, click Enable Selected Filters. The DiffServ Filter is enabled.
   Note: Do not move the DiffServ Filter lower in the list of Web Filters. The filter assigns the packet priority to network packets based on several properties, including the size of the network packet on the network. For an accurate assessment of packet sizes, it has to inspect the traffic as close to the network adapter as possible.
   d. Click Apply to apply the changes, and then click OK.

2. Define new DiffServ priorities.
      Name: High priority
      DiffServ bits: 100110
      Size limit: 700 bytes
      Name: Medium priority
      DiffServ bits: 110110
      Size limit: None
   a. In the left pane, select General. DiffServ configuration is a global HTTP Policy setting. This means that it applies to all HTTP and HTTPS traffic that passes through ISA Server to a specified URL, domain or network. DiffServ tagging is not a per-rule setting.
   b. In the right pane, click Specify DiffServ Preferences.
   c. In the HTTP DiffServ dialog box, on the General tab, select Enable network traffic prioritization.
   d. On the Priorities tab, click Add. ISA Server tags network packets by setting a few bits in the Type of Service (TOS) field of the IP header of the network packet. These are called the DiffServ bits, and together form a value called the DiffServ Codepoint (DS codepoint).
   Note: ISA Server does not have any notion of the actual prioritization of certain DS codepoint values over other DS codepoint values. Routers on the network must handle that. ISA Server only assigns the DS codepoint value.
   e. In the Add Priority dialog box, complete the following information:
      Priority name: High priority
      DiffServ bits: 100110
      Apply a size limit to this priority: enable
      Size limit: 700
      and then click OK. The size limit specifies the maximum size in bytes of network packets that can use this priority.
   f. On the Priorities tab, click Add.
   g. In the Add Priority dialog box, complete the following information:
      Priority name: Medium priority
      DiffServ bits: 110110
      Apply a size limit to this priority: disable (is default)
      and then click OK. You have defined two priorities with an associated DiffServ value. On the other tabs in this dialog box, you will assign specific URLs and domains to the defined priorities. The order of the priorities only matters for network packets that exceed the size limit. Those packets will be assigned to the next priority in the list.

3. Assign priorities to URLs.
      URL: istanbul.fabrikam.com/sales
      Priority: High priority
      URL: istanbul.fabrikam.com
      Priority: Medium priority
   a. In the HTTP DiffServ dialog box, on the URLs tab, click Add. The DiffServ filter uses the URL priority assignments for HTTP network traffic, and uses the domain priority assignments for HTTPS network traffic. For outgoing HTTPS network packets, ISA Server does not know the complete URL.
   b. In the Add URL Priority dialog box, complete the following information:
      URL: istanbul.fabrikam.com/sales/*
      Priority: High priority
      and then click OK. High priority (DiffServ bits 100110) is assigned to HTTP network packets for URL istanbul.fabrikam.com/sales.
   c. On the URLs tab, click Add.
   d. In the Add URL Priority dialog box, complete the following information:
      URL: istanbul.fabrikam.com/*
      Priority: Medium priority
      and then click OK. Medium priority (DiffServ bits 110110) is assigned to all other HTTP network packets to the Fabrikam Web site. Notice that the order of the URLs is important.

4. Assign priorities to Domains.
      Domain: *.fabrikam.com
      Priority: Medium priority
   a. In the HTTP DiffServ dialog box, on the Domains tab, click Add.
   b. In the Add Domain Priority dialog box, complete the following information:
      Domain: *.fabrikam.com
      Priority: Medium priority
      and then click OK. Medium priority is assigned to all HTTPS network packets to the entire fabrikam.com domain.

5. Enable DiffServ tagging for the External network.
   a. In the HTTP DiffServ dialog box, on the Networks tab, select External. You have enabled DiffServ tagging for network traffic to the External network.
   b. Click OK to close the HTTP DiffServ dialog box.

6. Apply the changes.
   a. Click Apply to apply the changes, and then click OK.

7. Start the log viewer.
   a. In the ISA Server console, in the left pane, select Monitoring.
   b. In the right pane, select the Logging tab.
   Note: You may (temporarily) need to close the task pane in order to see the Logging tab.
   c. In the task pane, on the Tasks tab, click Start Query. The log viewer will display all current network activity based on the Firewall log file and the Web Proxy log file.

8. Verify the existence of the Allow Web access (Branch) firewall rule.
   a. In the left pane, select Firewall Policy. In the right pane, notice the Allow Web access (Branch) firewall rule. This rule allows HTTP access from the Internal network to the External network. You created the rule in an earlier exercise.
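The priority assignment and TOS tagging described in steps 2 through 5, as an added Python example (not the lab's code and not ISA Server's DiffServ filter). It reproduces the configuration above (two priorities, the URL and domain assignments, tagging only toward the External network), the fall-through to the next priority for packets larger than the 700-byte size limit, and the rewrite of the DS byte in an IPv4 header. The first-match wildcard rules, the decision to leave unmatched traffic untagged, and the constructed header for 10.1.1.5 to 39.1.1.7 are assumptions for the example.

```python
import fnmatch
import struct
from dataclasses import dataclass
from typing import Optional


@dataclass
class Priority:
    name: str
    bits: str                         # six DiffServ bits as typed into ISA Server, e.g. "100110"
    size_limit: Optional[int] = None  # maximum packet size in bytes; None means no limit


# The priorities, URL and domain assignments, and tagged network from steps 2 to 5.
PRIORITIES = [Priority("High priority", "100110", 700),
              Priority("Medium priority", "110110", None)]
URL_PRIORITIES = [("istanbul.fabrikam.com/sales/*", "High priority"),
                  ("istanbul.fabrikam.com/*", "Medium priority")]
DOMAIN_PRIORITIES = [("*.fabrikam.com", "Medium priority")]
TAGGED_NETWORKS = {"External"}


def lookup(assignments, value):
    """First matching pattern wins, which is why the order of the URL list matters (assumption)."""
    for pattern, name in assignments:
        if fnmatch.fnmatchcase(value.lower(), pattern.lower()):
            return name
    return None


def assign_priority(scheme, host, path, packet_len, dest_network):
    """Return the Priority a packet gets, or None when it is left untagged."""
    if dest_network not in TAGGED_NETWORKS:
        return None                                 # e.g. the response back to the Internal network
    if scheme == "http":
        name = lookup(URL_PRIORITIES, host + path)  # HTTP: the full URL is visible
    else:
        name = lookup(DOMAIN_PRIORITIES, host)      # HTTPS: only the domain is visible
    if name is None:
        return None
    idx = next(i for i, p in enumerate(PRIORITIES) if p.name == name)
    # Packets above the size limit fall through to the next priority in the list.
    while (idx < len(PRIORITIES) and PRIORITIES[idx].size_limit is not None
           and packet_len > PRIORITIES[idx].size_limit):
        idx += 1
    return PRIORITIES[idx] if idx < len(PRIORITIES) else None


def dscp_to_tos(bits):
    """The six DiffServ bits occupy the top of the 8-bit TOS/DS byte; the low two bits are ECN."""
    return int(bits, 2) << 2


def ipv4_checksum(header):
    """One's-complement sum over the 16-bit words of an IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def set_tos(header, tos):
    """Rewrite the TOS byte of a 20-byte IPv4 header and recompute the header checksum."""
    hdr = bytearray(header)
    hdr[1] = tos
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr)


def sample_header():
    """Constructed IPv4 header (TCP payload) for 10.1.1.5 -> 39.1.1.7, checksum still zero."""
    src, dst = bytes([10, 1, 1, 5]), bytes([39, 1, 1, 7])
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0, src, dst)


if __name__ == "__main__":
    for args in [("http", "istanbul.fabrikam.com", "/sales/report.htm", 500, "External"),
                 ("http", "istanbul.fabrikam.com", "/sales/report.htm", 1400, "External"),
                 ("https", "mail.fabrikam.com", "/owa", 500, "External"),
                 ("http", "istanbul.fabrikam.com", "/default.htm", 500, "Internal")]:
        p = assign_priority(*args)
        print(args, "->", p.name if p else "untagged",
              "" if p is None else "TOS=0x%02x" % dscp_to_tos(p.bits))
```

The fourth case prints "untagged", which is what the 0 in the First:0/Medium entry of step 12 means: the response toward Denver on the Internal network carries no DS codepoint, while the request toward Istanbul on External is tagged Medium.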

Perform the following steps on the Denver computer.

9. On the Denver computer, use Internet Explorer to connect to http://istanbul.fabrikam.com/default.htm.
   a. On the Denver computer, open Internet Explorer. In the Address box, type http://istanbul.fabrikam.com/default.htm, and then press Enter. Internet Explorer displays the home page from Istanbul.
   b. Close Internet Explorer.

Perform the following steps on the Paris computer.

10. On the Paris computer, stop the log viewer.
   a. On the Paris computer, in the ISA Server console, in the left pane, select Monitoring.
   b. In the right pane, select the Logging tab.
   c. In the task pane, on the Tasks tab, click Stop Query. ISA Server displays information about all the network connections since you started the log viewer.

11. Add the Filter Information column to the list of displayed columns.
   a. In the right pane, right-click the Log Time column header (or another column header), and then click Add/Remove Columns.
   b. In the Add/Remove Columns dialog box, in the Available columns list box, select Filter Information, and then click Add. The Filter Information log field is moved from the Available columns list to the Displayed columns list.
   c. In the Displayed columns list, select Filter Information, and then click Move Up, so that the new column is not last in the list.
   d. Click OK to close the Add/Remove Columns dialog box.

12. Examine the contents of the Filter Information log field.
   a. In the right pane, scroll the list of log field columns, so that you can see the Filter Information column near the end of the list.
   b. In the column headers, double-click the small line between the Filter Information column and the next column. The width of the Filter Information column is changed to display the longest value in the Filter Information log field.
   c. Scroll the list of log entries until you see text in the Filter Information field. The log entry represents the connection from 10.1.1.5 (Denver) to 39.1.1.7 (Istanbul) on TCP port 80. The Filter Information field shows the DiffServ priority used for the response to the client and for the request to the server (Client/Server), for the first packet (First:0/Medium) and for the remaining packets (Last:0/Medium). You did not enable DiffServ on the Internal network, so ISA Server does not use DiffServ tagging in the response to the client (Denver). The rest of the Filter Information field contains HTTP Compression information.

Module C: Web Access Protection with ISA Server 2006


Exercise 1 Configuring ISA Server 2006 for Flood Resiliency
In this exercise, you will configure ISA Server to block a large number of TCP connections from the same IP address.

Note: This lab exercise uses the following computers: Denver - Paris - Istanbul. Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.

Perform the following steps on the Paris computer.

1. On the Paris computer, examine the flood mitigation settings.
   a. On the Paris computer, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management. The ISA Server console opens.
   b. In the ISA Server console, in the left pane, expand Paris, expand Configuration, and then select General.
   c. In the right pane, under Additional Security Policy, click Configure Flood Mitigation Settings. ISA Server 2006 can help stop the flooding of connections from three different kinds of attacks:
      - Worm propagation - A computer on the internal network starts sending out network packets to different IP addresses on the Internet.
      - TCP denial-of-service attack - An attacker sends out TCP packets in order to use up all the resources at the firewall, or at a server behind the firewall.
      - HTTP denial-of-service attack - A computer on the internal network sends a very large number of HTTP requests over the same connection.
      In all these cases, the Firewall Engine component of ISA Server limits the number of connections, connection requests, and half-open connections per minute, or per rule, from a particular IP address.
   d. In the Flood Mitigation dialog box, on the Flood Mitigation tab, click the second Edit button. As an example of a limit, ISA Server allows a maximum of 160 concurrent TCP connections from the same IP address. There is also a custom limit (400) that applies to a set of exception IP addresses.
   e. Click Cancel to close the Flood Mitigation Settings dialog box.
   f. In the Flood Mitigation dialog box, select the IP Exceptions tab. You can specify the IP addresses of computers to which the custom limit applies.

2. Disable the logging of network traffic blocked by flood mitigation settings.
   a. In the Flood Mitigation dialog box, select the Flood Mitigation tab.
   b. Clear the Log traffic blocked by flood mitigation settings check box. To avoid overwhelming the log file with identical block entries after the flood mitigation settings have blocked an attack, you can disable the logging of those blocked network connections.

36

Module A: Secure Application Publishing with ISA Server 2006 c. Click OK to close the Flood Mitigation dialog box.

3.

Create a new access rule.

Name: Allow Web access (Flood) Applies to: HTTP From network: Internal To network: External

a. In the left pane, select Firewall Policy. b. In the right pane, select the first rule, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list. c. In the task pane, on the Tasks tab, click Create Access Rule. d. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow Web access (Flood), and then click Next. e. On the Rule Action page, select Allow, and then click Next. f. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add. g. In the Add Protocols dialog box, click Common Protocols, click HTTP, click Add, and then click Close to close the Add Protocols dialog box. h. On the Protocols page, click Next. i. On the Access Rule Sources page, click Add. j. In the Add Network Entities dialog box, click Networks, click Internal, click Add, and then click Close to close the Add Network Entities dialog box. k. On the Access Rule Sources page, click Next. l. On the Access Rule Destinations page, click Add. m. In the Add Network Entities dialog box, click Networks, click External, click Add, and then click Close to close the Add Network Entities dialog box. n. On the Access Rule Destinations page, click Next. o. On the User Sets page, click Next. p. On the Completing the New Access Rule Wizard page, click Finish. A new firewall policy rule is created that allows the HTTP protocol from the Internal network to the External network.

4. Apply the changes.
a. Click Apply to apply the changes, and then click OK.

Perform the following steps on the Denver computer.

5. On the Denver computer, configure Internet Explorer not to use a proxy server.
a. On the Denver computer, open Internet Explorer.
b. In Internet Explorer, on the Tools menu, click Internet Options.
c. In the Internet Options dialog box, on the Connections tab, click LAN Settings.
d. In the Local Area Network (LAN) Settings dialog box, clear the Use a proxy server for your LAN check box, and then click OK.
When you configure Internet Explorer to use a proxy server, Internet Explorer sends its HTTP requests to the ISA Server Web Proxy listener on TCP port 8080 and can reuse the same proxy connection for several requests. In this exercise, you use two Internet Explorer windows, which should count as two separate TCP connections from Denver through ISA Server, so the proxy setting is disabled.
e. Click OK to close the Internet Options dialog box.

6. Use Internet Explorer to connect to http://istanbul.fabrikam.com/web.asp.
a. In Internet Explorer, in the Address bar, type http://istanbul.fabrikam.com/web.asp, and then press Enter.
Internet Explorer displays the content of the web.asp page from Istanbul. This is a single TCP connection from the Denver computer.
b. Do not close Internet Explorer.

7. Use the C:\Tools\tcpflooder.vbs tool to create 200 concurrent TCP connections.
a. Use Windows Explorer (or My Computer) to open the C:\Tools folder.
The Tools folder contains a script named tcpflooder.vbs, which attempts to set up 200 connections to IP addresses 42.1.0.0 through 42.1.19.9.
Note: By default, ISA Server allows a maximum of 160 concurrent TCP connections from the same IP address.
b. Right-click tcpflooder.vbs, and then click Open.
c. Click Yes to confirm that you want to start TCP Flooder. Wait 10 seconds while TCP Flooder attempts to set up the 200 TCP connections.
Note: The IP addresses on the 42.1.0.0 network do not exist in the lab environment, but Denver will set up a maximum of 160 TCP connections with ISA Server. ISA Server blocks the remaining 40 TCP connections.
d. Click OK to acknowledge that 200 TCP connections are created.
e. Close the Tools folder.

8. In Internet Explorer, refresh the existing Web page, and attempt to create a second connection to http://istanbul.fabrikam.com/web.asp.
a. In the Internet Explorer window, on the toolbar, click the Refresh button.
If the Internet Explorer connection has not timed out yet, the Server time on the Web page changes. That is an indication that the page refreshed successfully. Even though ISA Server has blocked new connections from Denver (10.1.1.5), existing connections, such as the one in the Internet Explorer window, can still be used.
b. On the Start menu, click All Programs, and then click Internet Explorer.
A second Internet Explorer window opens.
c. In Internet Explorer, in the Address box, type http://istanbul.fabrikam.com/web.asp, and then press Enter.
ISA Server blocks new connections from 10.1.1.5. After a few moments, Internet Explorer displays an error page to indicate that it cannot display the page.
d. Close the Internet Explorer windows.

Note: ISA Server blocks traffic based on the flood mitigation settings for 60 seconds. To avoid the situation where an attacker uses a large number of network packets with a spoofed sender IP address to intentionally block another computer, ISA Server first completes a TCP three-way handshake to verify that the sender IP address is not spoofed; only completed connections count toward the limit.

Perform the following steps on the Paris computer.

9. On the Paris computer, examine the flooding alert.
a. On the Paris computer, in the ISA Server console, in the left pane, select Monitoring.
b. In the right pane, select the Alerts tab.
c. In the task pane, on the Tasks tab, click Refresh Now.
d. In the alert list, expand the Concurrent TCP Connections from One IP Address Limit Exceeded alert, and then select the alert line below it.
Notice in the Alert Information description that ISA Server identifies which IP address (10.1.1.5) exceeded the configured limit of concurrent TCP connections. This information allows you to further investigate the cause of the high number of connection attempts.

10. Configure the log viewer filter conditions:
Log Time: Last Hour
Client IP: Equals 10.1.1.5
Destination IP: Greater or Equal 42.1.0.0
a. In the right pane, select the Logging tab.
Note: You may (temporarily) need to close the task pane in order to see the Logging tab.
b. In the task pane, on the Tasks tab, click Edit Filter.
c. In the Edit Filter dialog box, in the conditions list, select the Log Time - Live condition.
d. In the Condition drop-down list box, select Last Hour, and then click Update.
The condition is changed to Log Time - Last Hour.
e. Complete the following information, and then click Add To List:
Filter by: Client IP
Condition: Equals
Value: 10.1.1.5
f. Complete the following information, and then click Add To List:
Filter by: Destination IP
Condition: Greater or Equal
Value: 42.1.0.0
g. Click Start Query to close the Edit Filter dialog box.
After a few moments, the log viewer displays all log entries from 10.1.1.5 to the 42.1.0.0 network from the last hour. The most recent log entry is listed first.
h. Scroll to the top of the list of log entries.
Notice that the most recent log entry is for a connection to an IP address close to 42.1.15.9. The addresses 42.1.0.0 through 42.1.15.9 are exactly 160 concurrent TCP connections. The last IP address may be a little lower if ISA Server already had existing connections from Denver, or a little higher if ISA Server had already closed a few TCP connections. To avoid overwhelming the log file with identical block entries, you configured Flood Mitigation not to log traffic that is blocked by the flood mitigation settings (the connections to IP addresses from approximately 42.1.16.0 through 42.1.19.9).

Note: The following tasks are needed to avoid conflicts with other lab exercises.

11. Restore the log viewer filter conditions:
Log Time: Live
Client IP: (remove)
Destination IP: (remove)
a. In the task pane, on the Tasks tab, click Edit Filter.
b. In the Edit Filter dialog box, in the conditions list, select Log Time - Last Hour.
c. In the Condition drop-down list box, select Live, and then click Update.
The condition is changed to Log Time - Live.
d. In the conditions list, select the Destination IP condition, and then click Remove.
e. In the conditions list, select the Client IP condition, and then click Remove.
f. Click Start Query to close the dialog box.
g. In the task pane, on the Tasks tab, click Stop Query.

Perform the following steps on the Denver computer.

12. On the Denver computer, configure Internet Explorer to use a proxy server.
a. On the Denver computer, open Internet Explorer.
b. In Internet Explorer, on the Tools menu, click Internet Options.
c. In the Internet Options dialog box, on the Connections tab, click LAN Settings.
d. In the Local Area Network (LAN) Settings dialog box, complete the following information, and then click OK to close the Local Area Network (LAN) Settings dialog box:
Use a proxy server for your LAN: enable
Address: 10.1.1.1
Port: 8080
Bypass proxy server for local addresses: enable
e. Click OK to close the Internet Options dialog box.
f. Close Internet Explorer.
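The flood mitigation behaviour exercised in steps 6 through 10 (the per-IP limit of 160 concurrent TCP connections, the 60 second block that applies to new connections only, counting a connection only once the three-way handshake has completed, the alert naming the offending client, and the step 10 log viewer filter) is modelled below as a small Python simulation. This is an added example, not ISA Server code and not part of the lab; it does not use the ISA Server SDK. Everything in it comes from the lab text except two assumptions: Istanbul's address (40.1.1.1, a placeholder chosen below 42.1.0.0 so that the step 10 Destination IP filter excludes it, as the lab intends) and the simplification that the flood connections to the non-existent 42.1.0.0 hosts are all torn down at once when they time out.

```python
"""Model of the ISA Server 2006 flood mitigation behaviour from this lab.

Added illustration only: not ISA Server code, not the ISA Server SDK.
Taken from the lab text: 160 concurrent TCP connections per client IP,
a 60 second block that affects new connections only, and a connection is
counted only after its three-way handshake completes.
Assumed: Istanbul's address (placeholder) and that dead flood connections
all time out at the same moment.
"""
import ipaddress
from dataclasses import dataclass, field

LIMIT = 160            # ISA Server 2006 default per-IP concurrent TCP connection limit
BLOCK_SECONDS = 60     # how long new connections from the offending IP are refused
DENVER = "10.1.1.5"    # the lab client that runs tcpflooder.vbs
ISTANBUL = "40.1.1.1"  # ASSUMED placeholder, deliberately below 42.1.0.0


@dataclass
class FloodMitigation:
    limit: int = LIMIT
    block_seconds: int = BLOCK_SECONDS
    log_blocked: bool = True                              # the "Log traffic blocked..." check box
    established: dict = field(default_factory=dict)       # client -> set of destination IPs
    blocked_until: dict = field(default_factory=dict)     # client -> time the block expires
    log: list = field(default_factory=list)               # (time, client, dst, result)
    alerts: list = field(default_factory=list)            # (alert name, client, time)

    def syn(self, client, dst, now):
        """A bare SYN is never counted: the handshake must complete first, so a
        flood of SYNs carrying a spoofed source cannot get a third party blocked."""
        return "handshake-pending"

    def new_connection(self, client, dst, now):
        """A TCP connection from `client` whose three-way handshake just completed."""
        if now < self.blocked_until.get(client, 0):
            return self._block(client, dst, now)
        conns = self.established.setdefault(client, set())
        if len(conns) >= self.limit:                      # limit reached: start the block
            self.blocked_until[client] = now + self.block_seconds
            self.alerts.append(("Concurrent TCP Connections from One IP Address Limit Exceeded",
                                client, now))
            return self._block(client, dst, now)
        conns.add(dst)
        self.log.append((now, client, dst, "allowed"))
        return "allowed"

    def existing(self, client, dst):
        """Traffic on an already established connection (the IE Refresh in step 8a)."""
        return "allowed" if dst in self.established.get(client, ()) else "no-connection"

    def close_all(self, client):
        """Connections to the non-existent 42.1.0.0 hosts eventually time out (ASSUMED: all at once)."""
        self.established.pop(client, None)

    def _block(self, client, dst, now):
        if self.log_blocked:                              # step 2 clears this, so blocks are not logged
            self.log.append((now, client, dst, "blocked"))
        return "blocked"


def query_log(log, client, dst_ge):
    """The step 10 filter: Client IP equals, Destination IP greater or equal; newest first."""
    floor = ipaddress.ip_address(dst_ge)
    hits = [e for e in log if e[1] == client and ipaddress.ip_address(e[2]) >= floor]
    return sorted(hits, key=lambda e: e[0], reverse=True)


def flood_targets():
    """The 200 addresses tcpflooder.vbs tries: 42.1.0.0 through 42.1.19.9."""
    return [f"42.1.{a}.{b}" for a in range(20) for b in range(10)]


def run_lab(log_blocked=False):
    """Replay steps 6 to 10 against the model and return what the lab asks you to observe."""
    fm = FloodMitigation(log_blocked=log_blocked)
    t = 0
    first_window = fm.new_connection(DENVER, ISTANBUL, t)          # step 6: one browser connection
    verdicts = []
    for dst in flood_targets():                                    # step 7: 200 flood connections
        t += 1
        verdicts.append((dst, fm.new_connection(DENVER, dst, t)))
    allowed = [d for d, v in verdicts if v == "allowed"]
    blocked = [d for d, v in verdicts if v == "blocked"]
    refresh = fm.existing(DENVER, ISTANBUL)                        # step 8a: existing connection still works
    second_window = fm.new_connection(DENVER, ISTANBUL, t + 1)     # step 8c: new connection refused
    for dst in flood_targets():                                    # spoofed SYN flood naming 10.1.1.9
        fm.syn("10.1.1.9", dst, t + 2)
    spoofed_victim = fm.new_connection("10.1.1.9", ISTANBUL, t + 3)
    fm.close_all(DENVER)                                           # flood connections time out
    after_block = fm.new_connection(DENVER, ISTANBUL, t + BLOCK_SECONDS + 2)
    return {
        "first_window": first_window,
        "allowed": len(allowed), "blocked": len(blocked),
        "last_allowed": allowed[-1], "first_blocked": blocked[0],
        "refresh": refresh, "second_window": second_window,
        "spoofed_victim": spoofed_victim, "after_block": after_block,
        "alert_ip": fm.alerts[0][1],                               # step 9d
        "top_log_entry": query_log(fm.log, DENVER, "42.1.0.0")[0][2],  # step 10h
    }


if __name__ == "__main__":
    for key, value in run_lab(log_blocked=False).items():
        print(f"{key:15} {value}")
```

Compare the output with step 10h: because the model already has the browser connection to Istanbul open, the 160th counted connection is only the 159th flooder connection, so the newest logged destination is 42.1.15.8 rather than 42.1.15.9, the "a little lower" case the lab describes. Run `run_lab(log_blocked=True)` to see the effect of leaving the step 2 check box selected: the top of the filtered log becomes 42.1.19.9, the last of 41 identical block entries, which is exactly the noise the lab suppresses.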