2 PDF

ISA Server
Leeven Chang
GJUN CTEK
leevenchang@msn.com
2005 Microsoft Corporation. All rights reserved.

This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
Agenda
Introduction to ISA Server 2006
Secure Application Publishing
Branch Office Protection
Firewall and Proxy Enhancements
Monitoring ISA with MOM

Service
s
Edge
Ne
tw
or
k
Server
Applications
Ac
c
es
s
Pr
ot
ec
t io
Enc
rypt
ing
File
Sys
BitL
tem
ock
(EF
er
S)
Information
Protection
n
(N
Client and
Server OS
AP
)
Identity
Management
Systems
Management
Active Directory
Federation Services
(ADFS)
Guidance
Developer
Tools

ISA Server 2006

Application Layer Firewall
Protects internal resource from the outside
Separate from the rest of the network
Control how Internet resources are used
Examines each network packet against your
rules
VPN
Proxy Server
Makes network requests and forwards data
Caches sites for improved performance

ISA Server 2006 Editions
ISA Server 2006

Standard Edition
ISA Server 2006

Enterprise Edition

Appliances
Preinstalled on optimized hardware
Partner solutions extends ISA
Antivirus gateways, URL filtering, availability
Both for Standard and Enterprise Edition

Enterprise get extended NLB and caching
functionalities
Support for unattended installation using a

USB flash drive

Appliances - Benefits
Easy deployment
Everything is tested
Hardened configuration -> Reduced
attack surface
Extra configuration tools and web
administration

Advantages of Appliances
Easier purchase process no separate
software licensing complexity
Lower cost of deployment
Plug & Play, Set & Forget
Controlled components and drivers
Automated patch management (on some
offerings)
Fewer calls to tech support

Easy roll-back to factory configuration
Quick learning curve for IT administrators
Appliances are the whole solution, not
just part

A Traditional Firewalls View of a

Packet
Only packet headers are inspected
Application layer content appears as black box
IP Header:
Source Address,
Dest. Address,
TTL,
Checksum
TCP Header:
Sequence Number
Source Port,
Destination Port,
Checksum
Application Layer Content:

???????????????????????????????
???????????????????????????????
???????????????????????????????
Forwarding decisions based on port numbers
Legitimate traffic and application layer attacks use identical

ports
Expected HTTP Traffic
Unexpected HTTP Traffic
Internet
Attacks
Non-HTTP Traffic
Corporate Network

ISA Servers View of a Packet

Packet headers and application content are
inspected
IP Header:
Source Address,
Dest. Address,
TTL,
Checksum
TCP Header:
Sequence Number
Source Port,
Destination Port,
Checksum
Application Layer Content:

<html><head><meta http-equiv="content-type"
content="text/html; charset=UTF8"><title>MSNBC - MSNBC Front
Page</title><link rel="stylesheet"
Forwarding decisions based on content
Only legitimate and allowed traffic is processed

Allowed HTTP Traffic
Internet
Prohibited HTTP Traffic

Attacks
Non-HTTP Traffic
Corporate Network

Multi-Network Support
Simplify complexity and administration of
managing network security
Subdivide network into multiple segments with a
single ISA license
Extend virtual firewall protection across each
segment
QUARANTINE VPN
Enforce rules on per

network basis
Easy setup
Network templates
Internet
VPN
ISA 2006
DMZ_1
DMZ_n
Local Area
Network
CorpNet_1
CorpNet_n
Net A

ISA 2004/2006 Policy Model
Single, ordered rule base

Logical and easier to understand
Easy to view and to audit
Default System Policy

Default System
Policy/Lockdown
System Policy a default set of access rules

applied to the ISA Server itself
Lockdown mode:
Protects the operating system when firewall

services are offline because
Security event triggers firewall service shut down
Planned firewall service shut
down
ISA Server reboot

Exploring some basic

tasks

Application Publishing
Use internal resources from the Internet
Outlook Web Access
Publish through one external IP address

Cached content to external client
Supports IIS authentication methods
Pre-authenticate users
Path configuration

OWA Publishing
x36dj23s
http://...
<a
href
2oipn49v
ISA Server is the host
ISA Server
OWA Exchange
ISA terminates all connections

Decrypts HTTPS
Inspects content
Inspects URL against rules
Re-encrypts for delivery to OWA
AD

What is Publishing?
ISA Server impersonates internal servers
through a reverse proxy process
To make internal sites/services accessible to users
outside the corporate network, including partners
To add a layer of security at the network edge
External
Web
Server
Exchange
SharePoint
DMZ
Internet
HEAD
QUARTERS
Intranet
Web
Server
Administrator
RADIUS
Internal
Network
Active
Directory

The Solution
Strong
user/group
based access
controls
Automatic
translation of links
to internal shares
Remote
User
Hacker
Smartcard
& one-time
password
support
Exchange &
SharePoint
publishing
tools
NTLM,
Kerberos
authentication
support
Exchang
e
Farm
Internet link
ISA
2006
Inspection of
encrypted traffic
using SSL Bridging
Load
balancing of
server farms
Active
Director
y
Single sign-on for

access to multiple
servers
Pre-authentication
so only valid traffic
reaches servers
SharePoin
t
Internal
Network
Authentication with
Active directory via
LDAP

18
Branch Office Gateway

Key Differentiating Points
Easy Integration with Existing Branch Office Infrastructure
Integrated Application-Layer Firewall Provides Added Protection
Integrated Cache Functionality Increases Speed
Integrated S2S VPN Functionality Lowers TCO

Centralized Management from HQ

Branch Office
Performance Improvements
BITS caching for Microsoft update platform
Reduce the impact of software updates on network bandwidth
in the branch office
Improve value of ISA 2006 by reducing days-of-risk in branch
office locations
Compression of HTTP content

Compress HTTP content before going over the WAN to
accelerate Web browsing and improve bandwidth usage
Cache compressed and uncompressed content
Diffserv (Differentiated Services) to prioritize HTTP and

HTTPS application traffic
Improve response time for critical HTTP and HTTPS
applications
Determine what traffic has priority over other traffic based on
URL and corresponding configured Diffserv service level

Branch Office Scenario

Branch 1
Headquarters
Leased
lines
Branch 2
Branch 3

Branch Office Gateway

ISA Server 2004/2006 Features
Easy Deployment
Flexible Branch Office Network Topology
Better Protection
Integrated Firewall
Better Management
Lower Connectivity Costs
Bandwidth Optimization
Windows
Server R2
Integrated S2S VPN Gateway

HTTP Caching
Distributed Caching & Web Proxy Chaining
BITS Caching Complements R2 Remote Differential Caching

Enterprise Policies
Enterprise policies:
Multiple template policies for an
organization
Arrays are assigned Enterprise Policies
Effective policy:
Calculated from Enterprise Policies and Array
Policies
Result: An ordered set of allow/deny rules

Enterprise Policy Structure

An enterprise policy consists of:
Enterprise rules (before)
Array policy Place Holder
Enterprise rules (after)

Configuration Storage Server

Management
Console
ISA 2006 Server

Array
ISA 2006 Server

Array
Local
configuration
copy
Local
configuration
copy
ISA 2006 Server

Array
Local
configuration
copy
Replication
CSS
CSS

Balancing Published Servers

ISA- 1 - Internal
DIP : 10.10.10.2
VIP : 10.10.10.100
External Client : 192.168.1.8 ISA- 1 - External

DIP : 128.1.1.2
1
VIP : 128.1.1.100
3
2
4
NLB Cluster
Internet
ISA 1
ISA 2
ISA- 2 - External
DIP : 128.1.1.1
VIP : 128.1.1.100
NLB Cluster
Published
Server 1 :
11.11.11.1
Published
Server 2 :
11.11.11.2
ISA- 2 - Internal
DIP : 10.10.10.1
VIP : 10.10.10.100

Balancing Outbound Access
4
2
ISA 1
NLB Cluster
Internet
ISA- 1 - Internal
DIP : 10.10.10.2
VIP : 10.10.10.100
ISA- 1 - External
DIP : 128.1.1.2
VIP : 128.1.1.100
NLB Cluster
ftp.microsoft.com
157.31.56.100
ISA 2
ISA- 1 - External
DIP : 128.1.1.1
VIP : 128.1.1.100
Laptop
Internal
Client :
12.12.12.1
ISA- 2 - Internal
DIP : 10.10.10.1
VIP : 10.10.10.100

ISA Server 2006

Integrated security
Branch 1
Application filtering, BITS caching

Headquarters
Secure access
HTTP compression, traffic prioritization
Efficient management
Site-tosite VPN
Branch 2
Easy deployment, fast propagation of policies

Branch 3

Integrated Security
BITS caching, Background Intelligent
Transfer Service
Transfers files between client and server
Uses leftover bandwidth
Maintains transfers if disconnected
Windows Updates
Data is cached on the ISA Server
Subsequent users pull them from the local
cache

Secure Access
HTTP compression
When someone requests the response are
compressed at the ISA server at the HQ
It reaches the branch and gets decompressed
Traffic Prioritizing
Control when bandwidth is limited
Diffserv protocol
ISA inspects requests and assigns priority
depending on destination

Effective Management
Branch Office Connectivity Wizard
Answer files for unattended installation
More effective policy propagation

Reduced server requirements
Optimization for low bandwidth use
Secure Remote Management is possible
Templates and configuration tools

Configure the Branch

Office Gateway

Proxy server features

Enhanced worm resiliency, mitigate
the impact on the network
Faster alert triggers and responses
To avoid DOS attacks ISA Server
controls:
Log throttling measures the volume of denied
records
Memory consumption
Pending DNS queries

The Solution
Attacker
Enhanced
protection
against DoS,
DDoS &
DNS attacks
Integrated
application-layer
firewall & web
proxy
Integrated
Network Load
Balancing for
high availability
Comprehensive
alert triggers &
responses
External
Web Site
Internet
Securityenhanced
remote
management
using TLS
ISA Server
2006 Array
Built-in traffic
inspection for
over 120
protocols
INTERNA
L
NETWOR
K
Customizable
cache rules for
flexibility
Fast RAM & ondisk caching for
fast web page
response times
Enhanced worm
protection through
connection quotas

Flood Resiliency
Protect ISA Server from
Worm propagation
Syn floods
Denials of service
Distributed DoS
HTTP bombing
In some cases, computers behind

ISA are also protected, but this isnt
the primary goal of the feature

Web Access Protection

Key Differentiating Points
Deep Content Inspects Actual Content of Traffic
Multi-network Architecture Eases Infrastructure Integration
Flexible SDK allows Easy Development of New Application Filters
CARP Provides High Performance for Caching
Easy-to-Use UI Makes Configuration Easier

Monitoring ISA Server 2006

MOM Management pack
Health indicators
Knowledge from the designers

Monitoring and Alarming

Real-time Firewall Status
Alarming Mechanism

Report
Firewall Active Log
Detail Message
Scheduling
Browseable
Exportable

Summary
Firewall, VPN, Proxy
Application Publishing
Branch Office
Caching
Compression
Prioritizing of traffic


2 PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

2 PDF

Uploaded by

Copyright:

Available Formats

ISA Server

2005 Microsoft Corporation. All rights reserved.

2005 Microsoft Corporation. All rights reserved.

2005 Microsoft Corporation. All rights reserved.

ISA Server 2006

2005 Microsoft Corporation. All rights reserved.

ISA Server 2006 Editions

ISA Server 2006

ISA Server 2006

2005 Microsoft Corporation. All rights reserved.

Both for Standard and Enterprise Edition

Support for unattended installation using a

2005 Microsoft Corporation. All rights reserved.

2005 Microsoft Corporation. All rights reserved.

Fewer calls to tech support

2005 Microsoft Corporation. All rights reserved.

A Traditional Firewalls View of a

Application Layer Content:

Forwarding decisions based on port numbers

Legitimate traffic and application layer attacks use identical

2005 Microsoft Corporation. All rights reserved.

ISA Servers View of a Packet

Application Layer Content:

Forwarding decisions based on content

Only legitimate and allowed traffic is processed

Prohibited HTTP Traffic

2005 Microsoft Corporation. All rights reserved.

Enforce rules on per

2005 Microsoft Corporation. All rights reserved.

ISA 2004/2006 Policy Model

Single, ordered rule base

Default System Policy

2005 Microsoft Corporation. All rights reserved.

System Policy a default set of access rules

Protects the operating system when firewall

ISA Server reboot

2005 Microsoft Corporation. All rights reserved.

Exploring some basic

2005 Microsoft Corporation. All rights reserved.

Publish through one external IP address

2005 Microsoft Corporation. All rights reserved.

ISA Server is the host

ISA terminates all connections

2005 Microsoft Corporation. All rights reserved.

2005 Microsoft Corporation. All rights reserved.

Single sign-on for

2005 Microsoft Corporation. All rights reserved.

Branch Office Gateway

Integrated S2S VPN Functionality Lowers TCO

2005 Microsoft Corporation. All rights reserved.

Compression of HTTP content

Diffserv (Differentiated Services) to prioritize HTTP and

2005 Microsoft Corporation. All rights reserved.

Branch Office Scenario

2005 Microsoft Corporation. All rights reserved.

Branch Office Gateway

Flexible Branch Office Network Topology

Integrated S2S VPN Gateway

BITS Caching Complements R2 Remote Differential Caching

2005 Microsoft Corporation. All rights reserved.

2005 Microsoft Corporation. All rights reserved.

Enterprise Policy Structure

2005 Microsoft Corporation. All rights reserved.