
Configuring MS ISA SERVER 2006 FIREWALL

SECURITY365 ANNINHMANG365.COM

Among the firewall products on the market today, Microsoft's ISA Server 2004/2006 is one of the most widely adopted, thanks to strong protection for the systems behind it combined with a flexible management model.

Ref: http://www.isaserver.org/tutorials/ISA-Server-2006-Installing-ISA-2006-EnterpriseEdition-beta-Unihomed-Workgroup-Configuration.html

One of the topics readers ask about most on forums and in reputable IT magazines is how to build a firewall for an enterprise. Think of a firewall as a solid rampart that blocks attacks and intrusions from outside and protects the internal system through strict but flexible mechanisms. A strong firewall must not only meet the system's security requirements and run stably; it must also be easy to manage and change, and support Internet access well. Measured against all of these requirements, ISA Server 2004/2006 Firewall earns a leading position among information security products. For that reason we need a solid grasp of how ISA Server 2004/2006 works and how it is installed and configured. In chapter 5 of the SCNP | TPD course we show you how to build a realistic firewall model for an enterprise network. Start the hands-on work right away: if you have no lab machines, you can deploy ISA Server on your physical machine and install the Firewall Client on a Windows XP Pro virtual machine (even Tom Shinder uses virtual machines in his tutorials). Rest assured that, in terms of depth, the virtual model is no different from the real one, except that with a VMware or Virtual PC virtual network you can do everything on a single machine.

ISA Server 2004/2006 Firewall comes in two editions, Standard and Enterprise, for different environments. ISA Server 2004/2006 Standard meets the protection and bandwidth-sharing needs of medium-sized companies. With this edition we can build firewalls that control the traffic flowing into and out of the company's internal network, and control user access by protocol, time of day and site content, to block connections to web sites with inappropriate content. We can also deploy site-to-site or remote access VPNs to support remote users and data exchange between branch offices. For companies with important servers such as Mail and Web servers that must be tightly protected in a separate environment, ISA 2004/2006 lets us deploy DMZ (demilitarized zone) networks that prevent direct interaction from Internal/External users. Beyond these security features, ISA 2004/2006 has a cache that lets users reach the Internet faster, because web content can be held ready in RAM or on disk, which saves a significant amount of bandwidth. That is why this firewall product is called Internet Security & Acceleration (application security and bandwidth acceleration). ISA Server 2004/2006 Enterprise is used in large network models that need powerful systems to serve many access requests from users inside and outside the system. In addition to the features of ISA Server 2006 Standard, the Enterprise edition lets us set up arrays of ISA Servers that share one policy, which simplifies management and provides load balancing to serve the organization's requests better. To support study, research and deployment of the ISA Server 2006 Firewall, we present how to deploy ISA Server (Standard and Enterprise) for a real organization with the following lab model:

Note: when practicing on a virtual network, install ISA Server on the host (physical) machine and switch the network adapter of the virtual machine used as the ISA client to Bridged mode (this lets the VM reach the Internet through the host; the default host-only mode connects the VM only to the host itself and is suitable only for testing internal servers such as DHCP, DNS or Active Directory). Carry out the installation and take SnagIt screenshots so the instructors can check your work easily and publish it for everyone to consult.

T&C Descon is a construction company with more than 50 employees. Internet access is shared through one ADSL line and an ISA Server 2004/2006 Firewall. The ADSL modem's address is 172.16.1.1. The system has two main network segments: Internal, containing the employees' computers, with the private range 192.168.1.1 to 192.168.1.255/24, and DMZ, where important servers such as the Exchange Server and Web Server are placed, using 10.11.12.0/24. The server used for ISA Server runs Windows Server 2003 SP1 and has 3 NICs (network interfaces) with the following IP settings:

Outside Interface: IP 172.16.1.11, Subnet Mask 255.255.255.0, Default Gateway 172.16.1.1 (ADSL modem).
Inside Interface: IP 192.168.1.1, Subnet Mask 255.255.255.0, DNS1 192.168.1.11 (the system's DNS Server and Domain Controller), DNS2 210.245.31.130.
DMZ Interface: IP 10.11.12.1, Subnet Mask 255.255.255.0.

Only the Outside interface carries a default gateway; leave the Inside and DMZ interfaces without one, otherwise Windows cannot tell which path leads to the Internet.

To keep the system and the firewall safe, on the Outside network interface select Disable NetBIOS over TCP/IP, and uncheck Register this connection's addresses in DNS and Enable LMHOSTS lookup, as shown below:

Note: Disable NetBIOS over TCP/IP stops the computer from answering NetBIOS name service requests on that interface; network scanners such as Retina and Nmap will not discover the computer's NetBIOS name there, which limits brute-force password guessing against accounts, since systems usually create default accounts whose names can otherwise be enumerated through NetBIOS. Servers that face the Internet, such as firewalls, therefore usually have this option selected. On computers on the internal network, however, you should not use it, because it prevents other computers from reaching the shared resources on your machine, such as printers and shared folders. Some security applications, such as PC Security, disable NetBIOS over TCP/IP by default when installed, which obstructs the operation of the system.

I - Installing ISA Server 2004/2006:

After all the required settings are in place, insert the ISA Server 2004/2006 Standard CD into the machine that will serve as the firewall; on the screen that appears choose Install ISA Server 2004/2006 to start the installation.

Press Next on the Welcome to the Installation Wizard for Microsoft ISA Server 2004/2006 screen, select I accept the terms in the license agreement in the License Agreement window, and enter the User Name / Organization and Product Serial Number on the following screens. We can choose one of 3 installation modes:

Typical: installs only a minimal set of services, with no Cache service.

Complete: installs all services: Firewall, used to control access; Message Screener, which blocks spam mail and file attachments (IIS 6.0 SMTP must be installed before the Message Screener; note that the Message Screener ships with ISA Server 2004 only and was removed from ISA Server 2006); Firewall Client Installation Share.

Custom: lets you choose which ISA Server 2004/2006 components to install.

Here we use the Custom mode and press Next. By default only two services, Firewall Services and ISA Server Management, are selected; add Firewall Client Installation Share.

Next the installer asks you to identify the network interface connected to the internal network: in the Internal Network window press Add, then Select Network Adapter to identify the adapter connected to the Internal Network.

Tick Inside on the Select Network Adapter page, as shown below:

Next we supply the IP range containing the computers on the internal network, (From) 192.168.1.0 (To) 192.168.1.255, or as appropriate to your system, and press Add.

Note: this range must contain the IP address of the Inside network interface.

In the Firewall Client Connection Settings window, tick Allow non-encrypted Firewall client connections and Allow Firewall clients running earlier versions of the Firewall client software to connect to ISA Server, then press Next in the remaining steps to complete the installation. Both options exist only for compatibility with the old ISA Server 2000 Firewall Client; when every client will run the current Firewall Client, leave them unticked so that the client control channel stays encrypted.

For the Standard edition we should install the Service Pack 1 update (KB891024 for ISA Server 2004, file ISA2004-KB891024-X86-ENU.msp, downloadable from www.microsoft.com) so that the product runs smoothly and stably; for ISA Server 2006 apply its own current service pack instead.

After ISA Server is installed we must connect the firewall to the Internet by creating the main policies, such as allowing Internet access and mail checking for the domain users, permitting FTP, and so on. One point to note: right after installation, ISA Server itself cannot reach the Internet, because the default policy blocks it; if you want to browse the web on the ISA 2004/2006 Firewall itself, you must enable the relevant system policy rule for the Local Host network.

After that we configure the clients, i.e. the other computers on the internal network that need to reach the Internet through the firewall. There are 3 main client types, Web Proxy, SecureNAT and Firewall Client, and one computer can act as all 3 at once.

II - Connecting ISA Server to the Internet and configuring ISA clients:

ISA Server 2004/2006 Firewall has 3 kinds of firewall policy: system policy, access rules and publishing rules. System policy is hidden by default and governs interaction between the firewall and other network services such as ICMP and RDP; system policy is processed before access rules. After installation the default system policy allows the ISA server to use system services such as DHCP, RDP and Ping.

Access Rule: sets of rules applied to the system, such as an access rule that permits Internet access or mail checking with a POP3 client like Outlook Express. Pay particular attention to the order of the access rules, because the firewall's processing stops at the first rule whose conditions (protocol, source, destination, user, schedule) match the request. To understand this mechanism, look at the following example. There are 5 access rules, ordered from top to bottom as follows:

1. Deny HTTP (HTTP protocol not permitted)
2. Allow HTTP (HTTP protocol permitted)
3. Allow FTP (FTP permitted)
4. Deny FTP (FTP not permitted)
5. Deny All (default policy)

If we assume the rules apply to the same users, then when a user browses the web over HTTP he is refused, because the first access rule does not permit this protocol. If the user downloads a file over FTP he is allowed, because the third access rule permits FTP, and the firewall ignores the remaining access rules.

- Publishing Rule: used to publish services such as Web and Mail servers on the Internal or DMZ network so that users on the Internet can reach them.

When the ISA Server 2004/2006 installation is complete we connect ISA Server to the Internet, and then configure the ISA clients so they can reach the Internet through the ISA Server Firewall. By default ISA Server has only one access rule after installation, Deny All, which refuses all traffic in or out through the ISA firewall, so we must create rules suited to the organization's needs or apply one of the predefined templates to ISA Server. You can configure ISA Firewall Policy through the ISA Management Console on the ISA Server itself, or install the ISA Management Console on another machine and connect to the ISA Server for remote administration. The ISA Server Management console has 3 main parts:

- The left pane, used to browse the main functions such as the server name, Monitoring, Firewall Policy, Cache, etc.
- The middle pane, which shows details of the selected component such as System Policy or Access Rules.
- The right pane, also called the Tasks Pane, which holds specific tasks such as Publishing Server and Enable VPN Server.
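To make the first-match behaviour concrete, here is a small model of how ISA walks the Firewall Policy list from top to bottom. This is an added example, not code from the original page or from ISA Server: the Rule and Request classes and the network names are constructed for the demonstration, the five-rule policy is the one listed above, and the built-in Default rule is modelled as matching every network so that evaluation always ends in a decision.

```python
"""Model of ISA Server's first-match walk through the Firewall Policy list.

Added example, not code from the page or from ISA Server. Rule, Request
and the network names are constructed for the demonstration; the five-rule
policy is the one used in the text.
"""
from dataclasses import dataclass

ALL_NETWORKS = frozenset({"Internal", "External", "DMZ", "VPN Clients", "Local Host"})


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                               # "allow" or "deny"
    protocols: frozenset = frozenset()        # empty = "All outbound traffic"
    sources: frozenset = frozenset({"Internal"})


@dataclass(frozen=True)
class Request:
    protocol: str
    source_network: str


def matches(rule: Rule, req: Request) -> bool:
    """A rule applies when both its protocol set and its source set cover the request."""
    protocol_ok = not rule.protocols or req.protocol in rule.protocols
    source_ok = req.source_network in rule.sources
    return protocol_ok and source_ok


def evaluate(rules, req: Request):
    """Return (action, rule name) from the first rule that matches, top to bottom.

    Rules below the first match are never consulted, which is why a deny rule
    placed under an allow-all rule has no effect.
    """
    for rule in rules:
        if matches(rule, req):
            return rule.action, rule.name
    raise ValueError("policy must end with the Default rule")


# The built-in Default rule: Deny All, every source, cannot be deleted.
DEFAULT_RULE = Rule("Default rule", "deny", frozenset(), ALL_NETWORKS)

# The five-rule example from the text, in the order shown there.
EXAMPLE_POLICY = [
    Rule("Deny HTTP", "deny", frozenset({"HTTP"})),
    Rule("Allow HTTP", "allow", frozenset({"HTTP"})),
    Rule("Allow FTP", "allow", frozenset({"FTP"})),
    Rule("Deny FTP", "deny", frozenset({"FTP"})),
    DEFAULT_RULE,
]


def move_rule(rules, name: str, new_index: int):
    """Reorder a rule, as Move Up / Move Down does in the console; returns a new list."""
    rules = list(rules)
    rule = next(r for r in rules if r.name == name)
    rules.remove(rule)
    rules.insert(new_index, rule)
    return rules


if __name__ == "__main__":
    for req in (Request("HTTP", "Internal"), Request("FTP", "Internal"),
                Request("SMTP", "Internal"), Request("HTTP", "External")):
        print(req, "->", evaluate(EXAMPLE_POLICY, req))
    # Moving "Deny HTTP" below "Allow HTTP" flips the decision for web traffic.
    print(evaluate(move_rule(EXAMPLE_POLICY, "Deny HTTP", 1), Request("HTTP", "Internal")))
```

Two things the model makes visible: a request for a protocol no rule names (SMTP here) falls through to the Default rule, and a request from a source no rule names (HTTP from External) does the same even though HTTP rules exist. The same first-match logic is why the deny rules added in section III must be placed above any allow-all rule.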

ISA Server Management console

1. Creating an Access Rule on ISA (demo file: step1_begin_install_and_create_permit_all_acess_rule.avi): open the ISA Server Management console via Start -> All Programs -> Microsoft ISA Server -> ISA Server Management. Right-click Firewall Policy and choose Create New Access Rule, or choose it from the Tasks Pane on the right of the management screen, as shown below:

Name the access rule, e.g. Permit Any traffic from internal network, or a name that suits your system, and choose Next:

In Rule Action choose Allow; this access rule will let clients use protocols and applications through the firewall.

Specify the protocols users may use, such as HTTP or FTP, in the Protocols window: choose All outbound traffic. If you want to change this, click the arrow and select the appropriate option: Selected Protocols to pick specific protocols, or All inbound traffic for the case of providing connections from the outside in.

The system needs to know who will use the protocols in the access rule. In this case the clients are users on the internal network, so we choose Add in Access Rule Sources and select Internal. For Users we choose All Users (if needed you can specify the appropriate groups or users of the system, such as the Domain Users or Administrators groups; when the firewall is not a domain member, use the firewall's local accounts in Local Users and Groups).

Press Apply to put the newly created firewall policy into effect. We now have 2 access rules: the Default Rule (which denies all; note that the default rule cannot be deleted) and Permit Any traffic from internal network, which lets users on the internal network use every protocol on the Internet. Such an allow-everything rule is only a starting point for the lab; section III replaces it with protocol-specific rules.

2. Configuring ISA clients: to use ISA Server, clients on the network must be configured as one of three types, SecureNAT, Firewall Client or Web Proxy Client, or as all 3:

i. SecureNAT Client: this is the simplest method. The computers only need their Default Gateway set to the address of the ISA Server's inside network card (192.168.1.10 in this lab; use whatever address your Inside interface actually has), or we can hand it out through the DHCP server with option 003 Router. The advantage of this method is that the client needs nothing installed, and non-Microsoft operating systems such as Linux and Unix can still use Internet protocols and applications through ISA. The disadvantage is that SecureNAT clients cannot send authentication information (username and password) to the firewall, so if you deploy access control based on domain users that requires a username and password, SecureNAT clients cannot take part. In addition, the log entries for this client type carry only the client's IP address, not a user name.

Configuring the SecureNAT client on Client1

ii. Firewall Client: so what if we want tighter control, for example requiring users to log in to the domain before they can use the Internet? The solution is to install the Firewall Client on those computers. Normally when installing ISA Server you install the Firewall Client Installation Share service; then, on the ISA server, open the system policy to allow access to shared resources, and the client computer only needs to connect to the ISA Server by its internal IP address with a valid account and run the Firewall Client setup file. If you do not want to install the Firewall Client Installation Share on the firewall, you can install this service on any other computer, such as a file server or domain controller, as follows:

a. Insert the ISA Server 2004/2006 CD-ROM into the domain controller and choose Install ISA Server 2004/2006.
b. On the Welcome to the Installation Wizard for Microsoft ISA Server 2004/2006 screen press Next.
c. Next choose I accept the terms in the license agreement and press Next.
d. Enter User name, Organization and Product Serial Number in the Customer Information window. Choose Next.
e. In Setup Type select the Custom option and enable This feature, and all subfeatures, will be installed on the local hard drive for the Firewall Client Installation Share item, as in the figure below, then press Next in the remaining steps to finish:

Then install the Firewall Client on the client computers by opening Start -> Run and running \\192.168.1.10\mspclnt\setup.exe (mspclnt is the share created by the Firewall Client Installation Share on whichever server holds it).

When the system has many workstations and installing on each one is laborious, the most effective approach is automated deployment with SMS Server 2003 or assignment through Group Policy (you can refer to the automated installation method via Group Policy on www.hoctructuyen.org, prepared by R ng ng Dng). With the Firewall Client you can exploit ISA Server's strongest capabilities, such as user authentication based on domain users and groups and logging of each access. The main drawback is that computers that are to run the Firewall Client must use a Microsoft operating system.

iii. Web Proxy Client: as we know, besides security, ISA Server 2004/2006 Firewall has a Cache function that stores frequently visited web pages in RAM or on disk to save bandwidth. However, Web Proxy Clients can only use the HTTP/HTTPS protocols and FTP downloads through the browser, meaning the user cannot fetch mail with Outlook or use other applications. To use the Web Proxy, the client computers must be configured in the web browser: open Internet Explorer, choose Tools -> Internet Options, select the Connections tab -> LAN Settings, and enter the Proxy server address:

So the quickest way to let the organization's computers reach the Internet through ISA Server is to configure them as SecureNAT clients, either through dynamic IP assignment or through static IP configuration with the default gateway set to the ISA Server's internal address. For name resolution to work smoothly, the clients also need to be configured with the internal DNS server and the ISP's DNS servers, such as 210.245.31.10 or 203.162.4.191. In a domain it is cleaner to give clients only the internal DNS server and configure that server to forward to the ISP's DNS, so that internal names always resolve and the firewall only has to allow outbound DNS from one host.

On the isaserver.org forum there are quite a few questions about specific problems with ISA Server policy, such as how to stop users from using chat programs (Anh Hunh Hang T n presented a good article on this on Security365.Org) or P2P programs. In part III you will see that solving these problems on ISA 2004/2006 is quite simple compared with the earlier ISA Server 2000.

III. Setting up private policies:

Although the system is connected to the Internet, some companies have their own policy requirements, such as not allowing chat with AOL or MSN Messenger, or allowing file transfer through FTP (upload and download). Also, to serve research and browsing needs, HTTP is permitted, but downloading files that can execute on Windows over HTTP is forbidden, to prevent infection by viruses and trojans. To do this, we adjust our firewall policy.

A. Create an access rule that forbids AOL and MSN Messenger: right-click Firewall Policy -> choose Create New Access Rule, name it deny MSN and AIM and choose Next. In the Rule Action window choose Deny and press Next. In This rule applies to, choose Selected Protocols and press Add. Then open the Instant Messaging protocol group and double-click AOL Instant Messenger and MSN Messenger. Press Close.

Next we choose Internal and External in the Network sections (source and destination respectively), apply the rule to All Users, and press Apply to put this policy into effect on the system. Place this deny rule above the Permit Any traffic from internal network rule: because ISA stops at the first match, a deny rule placed below the allow-all rule would never be reached.

B. Create an access rule that allows clients to use FTP for download and upload: if you want the clients to use FTP for both download and upload, proceed as follows:

Create a new access rule through Create a New Access Rule, name it permit FTP, with Rule Action Allow, applied to All Users and the Internal network.

After clicking Apply, users on the internal network can download through FTP with FTP client programs such as FileZilla. For them to be able to upload to FTP servers as well, we must remove the Read Only setting on the FTP access rule by right-clicking the permit FTP access rule and choosing Configure FTP.

In the Configure FTP protocol policy window, unticking Read Only allows uploads to FTP servers. Leave Read Only ticked for any group that only needs downloads; FTP uploads are an easy channel for moving internal data out.

C. Create an access rule that allows HTTP but blocks downloads of files that can execute on Windows. Create a new access rule named permit HTTP deny executables that allows users on the Internal network to use the HTTP protocol.

Right-click permit HTTP deny executables and choose Configure HTTP.

Tick Block responses containing Windows executable content, as shown below. This check looks at the start of the response body for the MZ header that Windows executables carry, so it also catches executables served under a different extension or Content-Type; it does not see inside HTTPS responses or archives.

IV. Using WPAD so that ISA clients automatically discover the firewall and web proxy

When the system uses DHCP to assign dynamic IP addresses, we need to help the clients find the Web Proxy Server and Firewall automatically, either through a WPAD CNAME record on the DNS server or through a predefined wpad option on the DHCP server (see the demo file at www.security365.org//demo/ISA2004/2006). Note: WPAD through DHCP is straightforward with the Windows DHCP service, where you add a predefined option 252 (named WPAD, type String) whose value is the URL of the autodiscovery script; a DHCP server from another vendor needs option 252 defined by hand, and if that is not possible you must use DNS. First we must enable Auto Discovery support on ISA Server. Open the ISA Management Console, under Networks double-click the Internal network, choose the Auto Discovery tab, tick Publish automatic discovery information, and enter 80 in Use this port for automatic discovery requests.

ii. Creating a CNAME record named WPAD in the DNS server

Open the DNS Management Console, right-click the domain zone and choose New Alias (CNAME).

Enter WPAD as the Alias name and, as the Fully qualified domain name for the target host, the ISA server's FQDN; the alias will then resolve as, for example, WPAD.SECURITY365.ORG in this zone. Press OK to finish. (On Windows Server 2008 and later DNS servers the name wpad is in the global query block list by default and must be removed from it before this record answers queries. Keep dynamic updates on the zone secure as well: any host that can register the name wpad in the zone becomes the proxy for every auto-detecting client.)

Use any Firewall Client or Web Proxy Client to verify. Select Automatically detect ISA Server in the firewall client, and in the web browser untick Use a proxy server and tick Automatically detect settings instead, so that it finds the Web Proxy automatically.

Choose Detect Now; after a short time the name of the ISA Server on your system will appear.
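What the client does during Detect Now is worth seeing step by step, because the lookup order is also where WPAD goes wrong. The following is an added example, not code from the original page or from ISA Server: it models the discovery order (DHCP option 252 first, then the DNS suffix walk) and follows the CNAME to the ISA host. The zone data, the host names pc1.sales.security365.org and isa1.security365.org, and the address 192.168.1.10 for the ISA server's Inside interface are constructed for the lab; /wpad.dat is the path browsers request (the Firewall Client fetches a separate wspad.dat, not modelled here).

```python
"""WPAD discovery order, as an added example (not code from the page or from ISA).

Models what an auto-detecting client does once ISA publishes autodiscovery
on port 80: try the URL from DHCP option 252 first, then walk the DNS suffix
looking for wpad.<domain>. The zone data and addresses are constructed;
192.168.1.10 stands for the ISA server's Inside interface in this lab.
"""
from typing import Dict, List, Optional, Tuple

WPAD_SCRIPT = "/wpad.dat"   # path the browser requests from the discovered host

# Constructed zone for security365.org: the WPAD alias points at the ISA host.
ZONE: Dict[str, Tuple[str, str]] = {
    "wpad.security365.org": ("CNAME", "isa1.security365.org"),
    "isa1.security365.org": ("A", "192.168.1.10"),
}


def wpad_candidates(dhcp_option_252: Optional[str], host_fqdn: str,
                    min_labels: int = 2) -> List[str]:
    """URLs a WPAD client tries, in order.

    1. DHCP option 252, when the DHCP server handed one out.
    2. DNS: wpad.<parent> for each parent of the host's own domain, stopping
       when only `min_labels` labels remain so the walk never reaches a name
       outside the organization (wpad.org would be someone else's proxy).
    """
    urls: List[str] = []
    if dhcp_option_252:
        urls.append(dhcp_option_252)
    labels = host_fqdn.lower().rstrip(".").split(".")[1:]   # drop the host label
    while len(labels) >= min_labels:
        urls.append("http://wpad." + ".".join(labels) + WPAD_SCRIPT)
        labels = labels[1:]
    return urls


def resolve(zone: Dict[str, Tuple[str, str]], name: str, max_hops: int = 8) -> Optional[str]:
    """Follow CNAME records to an A record, as the client's resolver would."""
    for _ in range(max_hops):
        rtype, value = zone.get(name.lower(), (None, None))
        if rtype == "A":
            return value
        if rtype != "CNAME":
            return None
        name = value
    return None


def _is_ipv4(host: str) -> bool:
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() for p in parts)


def discover_proxy(zone, dhcp_option_252: Optional[str], host_fqdn: str) -> Optional[str]:
    """First candidate whose host resolves, with the name replaced by its address."""
    for url in wpad_candidates(dhcp_option_252, host_fqdn):
        host = url.split("/")[2]
        if _is_ipv4(host):            # DHCP already supplied a literal address
            return url
        addr = resolve(zone, host)
        if addr:
            return url.replace(host, addr)
    return None


if __name__ == "__main__":
    print(wpad_candidates(None, "pc1.sales.security365.org"))
    print(discover_proxy(ZONE, None, "pc1.sales.security365.org"))
```

Two points follow from the model. A client in a sub-domain (sales.security365.org) first asks for wpad.sales.security365.org, so one CNAME at the top of the organization's zone serves every sub-domain, but a rogue record in a sub-zone wins for clients there. And the two-label stop is a simplification: under registry-controlled suffixes such as co.uk the walk would end at a name a stranger can register, so real clients need a public-suffix list, which is one reason to prefer the DHCP option on managed networks.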

So we have installed and configured ISA Server to support Internet access, document download and upload through FTP, and automatic discovery of the Firewall and Web Proxy by clients with the WPAD record in the DNS Server. However, you will notice that some clients can still chat with MSN Messenger or use P2P programs to search for files. That is because these applications can use HTTP on port 80 and pass through the web proxy. You can block this by adjusting the permit HTTP policy as follows: right-click the permit HTTP access rule and choose Configure HTTP. On the Signatures tab enter the parameters as in the figure below (a request signature on the header that identifies the application, such as its User-Agent string) and press OK, then choose Apply to apply it to the system:
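The two HTTP filter checks used in this tutorial, request signatures (above) and Block responses containing Windows executable content (section III.C), both work on the raw HTTP message rather than on port numbers. The following is an added example, not code from the original page or from ISA Server, that models both checks on constructed traffic: the signature values (MSMSGS for MSN Messenger, Kazaa) are sample values chosen for the demonstration, the host names are example.net placeholders, and the executable response is a constructed MZ header served as a text file.

```python
"""Two checks of the ISA HTTP filter, modelled as an added example (not ISA code).

1. Request signatures (Signatures tab of Configure HTTP): a request is
   blocked when a chosen header contains the signature string.
2. "Block responses containing Windows executable content": the response
   body is inspected for the MZ header every Windows executable starts with,
   so the file extension and Content-Type are irrelevant.

The signature values and every HTTP message below are constructed samples.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Signature:
    name: str        # application the signature identifies
    header: str      # request header to inspect
    pattern: str     # substring that marks the application


# Sample signatures (assumed values for this demo).
SIGNATURES: List[Signature] = [
    Signature("MSN Messenger", "User-Agent", "MSMSGS"),
    Signature("Kazaa", "User-Agent", "Kazaa"),
]


def split_message(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split an HTTP message into start line, lower-cased header map and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def blocked_by_signature(raw_request: bytes, signatures=SIGNATURES) -> Optional[str]:
    """Name of the first signature the request matches, or None.

    Case-insensitive substring matching on the chosen header is enough to
    catch clients that announce themselves; a client that forges a browser
    User-Agent passes, so signatures complement protocol rules, not replace them.
    """
    _, headers, _ = split_message(raw_request)
    for sig in signatures:
        if sig.pattern.lower() in headers.get(sig.header.lower(), "").lower():
            return sig.name
    return None


def is_windows_executable(body: bytes) -> bool:
    """Every DOS/PE image begins with the two bytes 'MZ'."""
    return body[:2] == b"MZ"


def blocked_executable_response(raw_response: bytes) -> bool:
    """True when the response body carries a Windows executable."""
    _, _, body = split_message(raw_response)
    return is_windows_executable(body)


# Constructed traffic samples.
MSN_REQUEST = (b"POST /gateway/gateway.dll HTTP/1.1\r\n"
               b"Host: gateway.example.net\r\n"
               b"User-Agent: MSMSGS\r\n"
               b"Content-Length: 0\r\n\r\n")
BROWSER_REQUEST = (b"GET /index.html HTTP/1.1\r\n"
                   b"Host: www.example.net\r\n"
                   b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n\r\n")
# An executable served as "setup.txt" with a misleading Content-Type: still caught.
EXE_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                b"Content-Type: text/plain\r\n"
                b"Content-Disposition: attachment; filename=setup.txt\r\n\r\n"
                b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff")
HTML_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                 b"Content-Type: text/html\r\n\r\n"
                 b"<html><body>hello</body></html>")

if __name__ == "__main__":
    print(blocked_by_signature(MSN_REQUEST), blocked_by_signature(BROWSER_REQUEST))
    print(blocked_executable_response(EXE_RESPONSE), blocked_executable_response(HTML_RESPONSE))
```

The executable check inspects content, not names, which is why renaming setup.exe to setup.txt does not help the downloader; it is equally why a zipped executable (body starting with PK) or anything fetched over HTTPS, which the outbound web proxy does not decrypt, passes untouched.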

V - Saving bandwidth with the Cache and Content Download Job features:

A very useful feature of ISA Server that is nevertheless disabled by default is web caching of HTTP and FTP requests. With ISA we can perform two kinds of caching:

Forward Caching: with this mechanism, the content of frequently visited web pages such as www.anninhmang365.com is stored in the ISA server's cache when first fetched, so when users open these pages again they are served from the cache instead of the firewall connecting directly to the web server on the Internet.

Reverse Caching: the opposite of forward caching. When an enterprise or organization has web servers that outside users may access, reverse caching saves bandwidth by storing the web content on proxy servers (placed at the network edge) to serve Internet users, reducing load on the web server. For this reason some documents also call reverse caching gateway caching or surrogate caching.

In terms of organization, we can build the caching system on ISA in different models depending on the number of users and the network architecture of each enterprise:

Distributed Caching: ISA servers are distributed evenly across the network, improving responsiveness for users.

Hierarchical caching: unlike the model above, the ISA servers are arranged in tiers; requests are handled by the local ISA servers first, so responses are faster.

Hybrid caching: a combination of the two models above.

So, when the Web Cache feature is enabled, frequently visited web pages are fetched automatically and can be kept in the ISA Server's RAM or disk (the cache), and users who revisit these pages are served the content from the cache instead of downloading it from the Internet. However, some search sites should not have their content cached, because they would return stale search results; so when setting up Web Caching you should create a Cache Rule that does not store web pages such as www.google.com. Also, for web sites that users visit regularly to read news, check market prices, or follow security news, we can schedule the Web Proxy Server to download them in advance outside working hours with the Content Download Job feature.

i. Enable Web Caching:

Open the ISA Management Console, choose Cache under Configuration and click Define Cache Drives (enable caching):

Specify the NTFS partition to use for storing web content and the cache size, e.g. 20 MB; press Set to apply it and click OK:

After clicking Apply to enable the Web Cache feature, a dialog asks whether to restart the Firewall Services or only save without restarting; choose Save the changes and restart the services and click OK.

ii. Create a cache rule that does not store content from www.google.com: in the Tasks Pane choose Create a Cache Rule:

Name it No Google Cache in the New Cache Rule Wizard:

In the cache rule destination we specify the site not to be stored: choose Add, click New, and on the menu choose URL Set; enter the name Google, then choose New and add the address http://www.google.com as shown below:

Press OK to return to the Add Network Entities window, open the URL Sets item and choose Google:

Press Next to continue; on the next screen accept the default values, then press Next and choose Never, no content will ever be cached. Finally press Finish to end the setup.

Our ISA Server 2004/2006 now has Web Caching enabled to save bandwidth, while not storing the content of search sites such as Google, to avoid holding unnecessary information. We can now review the newly created policy in the management interface and press Apply to put it into effect.

iii. Configure a Content Download Job: suppose users on the system regularly visit www.security365.org to read the latest news about viruses, trojans and security holes, so we configure the ISA server to download this site in advance at a set time on certain days of the week to improve performance. Click Content Download Jobs, and in the Tasks Pane choose Schedule a Content Download Job. We will see the message below:

Choose Yes, then name the Content Download Job SecureSolution and press Next to set the date and time and run the job once a day (Daily), once a week (Weekly), etc.:

Press Next and enter the address of the web site to download in Download content from this URL; in this case we enter www.security365.org. Accept the default values in the remaining steps to finish.

For system administrators, backing up and restoring data is an extremely important task. That is why corporations and large companies are willing to pay hundreds of millions for periodic backup and restore. In the next part we back up the firewall we have so painstakingly set up, so it can be recovered if it breaks.

VI - Backing up and restoring the configuration of ISA Server 2004/2006 Firewall:

In large systems with many departments and employees, where each unit requires its own access policy, the number of policies becomes very large and hard to manage. So, to make sure the system always runs stably, we must back up the policies completely so that they can be restored when an incident occurs. We can back up the whole ISA Server or only certain firewall policies. The following steps back up the whole ISA Server: open the ISA Management Console, select the server name (ISA) and click Backup the ISA Server Configuration in the Tasks Pane.

Next we name the backup file (preferably in the form D-MM-YYYY, the day-month-year of the backup, so it is easy to tell backups apart when restoring), choose where to store it and press Backup. A dialog asks for a password for the backup file; enter the password and choose OK, and the backup proceeds as shown below. The password is what protects the confidential information in the export file, so keep it with the file in a safe place, and store the file somewhere other than the firewall itself.

The figure shows the backup process completed.

To test, you can delete a few or all of the firewall policies on your system, then choose Restore this ISA Server Configuration in the Tasks Pane, select the backup file, choose Restore and enter the password set for this file. Once the restore completes we can check that the system's earlier policies have been fully restored.

The figure shows the restore completed successfully. The backup and restore operations above show that saving and recovering firewall policies or the whole system is quite simple and easy. To back up only a particular firewall policy we proceed similarly with the Export Firewall Policy function in the Tasks Pane.

VII - Setting up a DMZ and publishing servers through ISA

One of the security terms that attracts a lot of attention is DMZ (Demilitarized Zone). In the real world this refers to a demilitarized zone; in computing, the DMZ is where servers published to the Internet are placed, so that outside users (Internet users) can reach, for example, the Web Server, with the aim of increasing the safety of the network. Because the DMZ is completely separated from the Internal network, Internet users accessing these servers do not affect or endanger the internal computers and data. Moreover, placing servers in the DMZ also prevents internal users from interacting with them directly. In the traditional meaning of a DMZ, Internet users' requests to the published servers pass through the DMZ first and only then reach the internal firewall; today, however, the term also covers the case where the Internet user connects to the firewall/router and the request is then forwarded to servers in the DMZ based on the firewall policy, which is what we apply below on ISA Server to build a DMZ containing the mail and web servers.

i. Creating the DMZ: under Networks choose Create a New Network, name it DMZ and choose Next, then choose Perimeter Network (we can create as many networks as we like, unlike ISA 2000, which had only 3; this is an improvement in ISA Server 2004/2006):

After clicking Next the Network Addresses window appears; choose Add Adapter to select the network card for the DMZ:

Press OK, and the DMZ network address will appear as in the figure below (you can change it to suit your system); then choose Next and Finish to complete.

After clicking Apply, under Networks we will see a network named DMZ separated from the Internal network, in which you can place Exchange mail servers or Apache web servers. Creating the network is not enough on its own: ISA also needs a network rule (Route or NAT) defining the relationship between the DMZ and the External and Internal networks, otherwise there is no path between the networks and no access or publishing rule will pass any traffic.

ii. Publishing the Exchange Server in the DMZ: for example, T&C Descon has an Exchange Server with the address 172.16.1.10 placed in the DMZ (the address given in the source text; in the lab design above a server inside the DMZ would carry an address from 10.11.12.0/24, so substitute the actual address of your mail server). For users outside on the Internet to reach the mail server to send and receive mail, we must publish it through our ISA Firewall. Open the ISA Management Console, choose Firewall Policy, and in the Tasks Pane click Publish a Mail Server to display the New Mail Server Publishing Rule Wizard. Name this Publishing Rule and choose Next. In the Select Server Type window we choose Server-to-server communication: SMTP, NNTP.

Choose Next; on the Select Services screen tick SMTP.

On the next window we enter the address of the Mail Server in the DMZ, here 172.16.1.10.

Finally we define the network allowed to connect to the Mail Server; in this case it is users outside on the Internet, so we choose the External network, click Next, then choose Finish to complete publishing the mail server.

Note that to check mail, other protocols are also needed, such as DNS, POP or RPC. So we may need to allow DNS requests from the Mail Server to the Domain Controller (with integrated DNS) on the Internal network, or to the ISP's DNS servers.

VIII - Configuring Remote Access VPN on ISA Server 2004/2006:

Besides managing Internet access, publishing Web/Mail servers and caching, we can use ISA Server 2004/2006 as a VPN Server providing remote access connections so that Internet users can reach resources on the internal network. For example, a company has some sales staff using laptops who need to reach the LAN through the VPN Server to check mail, run the CRM customer management program, or update reports. Below are the steps to configure Remote Access VPN on ISA 2004/2006. Open the ISA Management Console, choose Virtual Private Networks (VPN), then choose Verify that VPN Client Access is Enabled.

Tick Enable VPN client access and set Maximum number of VPN clients allowed to 9 (the maximum number of VPN clients that may connect at the same time), then press OK and Apply the new policy to the firewall.

For VPN clients to connect successfully, create a VPN group on the domain controller DC and grant Allow access in the Dial-in property for the users in the VPN group. Log in to the system's Domain Controller (DC) and choose Start -> Administrative Tools -> Active Directory Users and Computers. Right-click the Users container and choose New -> Group, as shown below:

Add the users from the sales department (those who need access through the VPN) to the VPN group, for example Joe Franks. In the properties of Joe Franks choose the Dial-in tab and tick Allow access.

Return to the ISA Server management screen on ISA1, which we still have open, and choose Specify Windows Users in the VPN Clients list; press Add and select the VPN Users group we created. The next thing needed for VPN clients to connect is IP address configuration for the VPN clients. There are two ways: use DHCP to assign dynamic IPs to the clients, or use a static pool to assign them IPs, as follows: in the Tasks Pane click Define Address Assignment, choose Static address pool and enter the address range shown below:

Press OK, confirm once more, and restart the computer as prompted.

Finally, create an access rule allowing the VPN clients to reach internal resources after they have connected to the VPN server. Choose Firewall Policy, choose Create New Access Rule and name it VPN Client full access to Internal.

Press Next and choose Allow; on the next window choose All outbound traffic. Because this access rule lets VPN clients reach internal resources, set the source to VPN Clients in the Networks section, and in the destination choose Internal in the Networks section; accept the defaults in the remaining steps to finish. ISA Server is now ready for VPN connections; you only need to create VPN connections to the firewall's Outside address, connect, and access the resources of the internal system. For production use, narrow this rule from All outbound traffic to the protocols and servers the sales staff actually need (mail, the CRM server), in the same way that section III replaced the allow-all rule with protocol-specific ones.

Files illustrating the installation and deployment of ISA Server 2006

Author: Nguyễn Trần Tường Vinh

SCNP | TPD Lesson 5: Topic B Microsoft ISA Server Firewall
