Supervisor: Nguyn Vn Tng
Students: V Cao Sn ng Mai Vn Mn Chu Hunh Quc Biu Nguyn Phc Trung L Tun V V Thnh Bu Tm
TABLE OF CONTENTS

Chapter I: Overview of ISA Server 2006
  1. Introduction to ISA Server 2006
  2. Editions of ISA Server 2006
  3. Features of ISA Server 2006
  4. Comparison of ISA 2006 and 2004

Chapter II: Configuring ISA Server 2006
  I. Installing ISA Server 2006
    1. Installation requirements
    2. Installation procedure
      a. Installing ISA Server 2006 on a server with one network card
      b. Installing ISA Server 2006 on a server with several network cards
  II. Configuring ISA Server 2006
    1. Summary of some default parameters
    2. Configuring Web Proxy for ISA Server 2006
      a. Creating and using Access Rules
      b. Creating some Access Rules
      c. Configuring Web Proxy for ISA Server 2006
    3. Advanced configuration of ISA Server 2006
      a. Web Publishing and Server Publishing
    4. Configuring VPN on ISA Server 2006
      a. Introduction to VPN
      b. Building a VPN client-to-Gateway connection
2. Editions of ISA Server 2006
ISA Server 2006 meets the protection and bandwidth-sharing needs of small and medium-sized companies. ISA Server 2006 comes in two editions, Standard and Enterprise.

Standard Edition:
+ Controls data entering and leaving the company's internal network.
+ Controls user access by protocol, time and content, so that connections to websites with inappropriate content, or at inappropriate times (for example during working hours), can be blocked.
+ Can also deploy site-to-site or remote-access VPN, supporting remote access into the company's internal network and data exchange between a branch office and headquarters.
+ For companies that run public servers such as a Mail Server, Web Server or FTP Server that need their own security policies, ISA Server 2006 allows a DMZ to be deployed, preventing direct interaction between external users and the inside of the network.
+ Besides the security features above, the Standard edition also provides caching, which shortens response times and accelerates the internal network's Internet access. This is why the product is called Internet Security and Acceleration.

Enterprise Edition:
ISA Server 2006 Enterprise is used in large networks and serves many users both outside and inside the network. In addition to the features of the Standard edition, Enterprise allows a set of ISA Servers to be configured to share a single policy, which simplifies management and provides Load Balancing.

Comparison of Standard Edition and Enterprise Edition
Essentially the Standard and Enterprise editions have equivalent functionality. Enterprise adds three features that Standard lacks:

Centralized storage of configuration data:
Whereas Standard stores its configuration information in the registry of the machine on which ISA is installed, Enterprise stores it in a separate directory. When installing Enterprise you must designate one or more machines as Configuration Storage Servers. These storage servers use ADAM (Active Directory Application Mode) to store the configuration of every ISA server in the organization. ADAM can be installed on several machines, so you can have several storage servers (ADAM may be installed on a machine other than the ISA server, or on the ISA server itself). The data on these storage servers replicates between them periodically. This makes the administrator's job easier: to change the configuration of one or more ISA servers you only need to work on the storage server, whereas with Standard you must configure each machine individually.

Support for Cache Array Routing Protocol (CARP):
Enterprise lets caching be shared among an array of ISA servers: with Enterprise, an array of several ISA machines is configured as a single cache shared by all of them. ISA uses CARP to do this. The mechanism: when a client requests a web page, CARP designates one ISA in the array to cache that page. When any client later requests a page that has been cached, CARP identifies which ISA cached it and returns the page to the client. CARP optimizes caching capacity, because each object is cached once across the array rather than on every member.

Integration of Network Load Balancing (NLB):
NLB is a network component built into Windows 2000 Server and Windows Server 2003. Using NLB means accepting redundancy: two or more machines with the same role (for example, both running ISA) balance the traffic and avoid overload. NLB is also a form of backup: if one machine goes down, another takes over its duties while the first is recovered. NLB meets the need for stability and high availability. With Standard, NLB must be configured by hand. With Enterprise, NLB is integrated into ISA, so NLB can be managed from ISA: the ISA Server Management Console is used to configure, manage and monitor it.
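The CARP paragraph above says that one member of the array is designated to cache each page and that every member can work out which one. The script below is an added example (written for this page, not ISA's own code) that shows the principle behind that designation: each member scores a URL against its own name with a hash, and the highest score owns the object, so every member reaches the same answer with no shared state, and when a member leaves the array only the objects it owned are re-assigned. The hash function (SHA-256) and the member names are assumptions for illustration; the real CARP draft uses its own hash and adds load factors.

```python
import hashlib

# Added example: simplified CARP-style deterministic cache routing.
# Assumption: SHA-256 as the scoring hash (the CARP draft defines its own).

def _score(url, member):
    """Combined hash of the URL and one array member's name."""
    digest = hashlib.sha256(f"{url}|{member}".encode("utf-8")).digest()
    return int.from_bytes(digest[:8], "big")

def pick_cache_member(url, members):
    """Return the array member responsible for caching `url`.
    Every member computes the same answer, so no lookup table is exchanged."""
    if not members:
        raise ValueError("array has no members")
    return max(members, key=lambda m: _score(url, m))

def route(url, members, receiving_member):
    """What a member that received a request should do: serve (or fetch and
    cache) locally, or forward the request to the owning member."""
    owner = pick_cache_member(url, members)
    return "local" if owner == receiving_member else f"forward to {owner}"

def routing_table(urls, members):
    """Owner of every URL for a given array membership."""
    return {u: pick_cache_member(u, members) for u in urls}

def moved_objects(before, after):
    """URLs whose owner changed between two memberships (e.g. a member left)."""
    return sorted(u for u in before if before[u] != after.get(u))

if __name__ == "__main__":
    array = ["isa1", "isa2", "isa3"]                                   # assumed member names
    pages = [f"http://www.example.com/page{i}.html" for i in range(30)]  # constructed sample URLs
    table = routing_table(pages, array)
    print(route(pages[0], array, "isa1"))
    shrunk = routing_table(pages, ["isa1", "isa2"])
    print(len(moved_objects(table, shrunk)), "objects re-assigned after isa3 left the array")
```

The last two lines show the property that matters operationally: when isa3 drops out, only the objects isa3 owned move, so the caches on isa1 and isa2 stay warm.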
3. Features of ISA Server 2006
ISA Server has many features that let you tailor it to your LAN. It is fast thanks to intelligent caching, including caching in RAM (Random Access Memory), which speeds up retrieval, and Scheduled Cache, which schedules automatic downloads of content from web servers into the cache so that client machines only need to fetch it over the LAN. Its security policies are also reasonably good.

4. Comparison of ISA 2006 and 2004
The standout features of the 2006 version compared with 2004 are Publishing and VPN (features that businesses in Vietnam rarely use).
Publishing:
+ ISA 2006 can generate its own logon forms when users access OWA (Outlook Web Access, the module of Microsoft Exchange Server, a mail server, that lets users access and manage their mailbox remotely through a web browser), providing form-based authentication and keeping unauthorized users out of the OWA site. The feature is delivered as an add-in.
+ Terminal Server can be published as RDP over SSL, so session data (including passwords) is encrypted across the Internet.
+ Non-encrypted MAPI connections to Exchange Server are blocked, so users' Outlook clients connect to Exchange securely.
+ Many wizards let the administrator publish internal servers to the Internet safely, including newer products such as Exchange 2007.
VPN:
+ A wizard configures a site-to-site VPN between two offices automatically (manual configuration is of course still available for those who prefer it). Quarantine is fully integrated.
+ Stateful filtering and inspection is applied to all VPN connections, including site-to-site, and SecureNAT is supported for VPN clients.
+ Another VPN server inside the intranet can be published to the Internet; PPTP, L2TP/IPSec and IPSec tunnel-mode site-to-site (with other vendors' VPN products) are supported.
Management:
+ Easy to manage
+ Many wizards
+ Simple backup and restore
+ Delegation of administration to users/groups
+ Detailed logs and reports
+ Adding a server to an array is easy (unlike ISA 2000 and 2004)
+ Integration with Microsoft's management solution, MOM
+ SDK
Other features:
+ Support for multiple CPUs and more RAM (the Standard edition supports up to 4 CPUs and 2 GB RAM)
+ Network Load Balancing with up to 32 nodes
+ Support for multiple networks, with Route/NAT relationships defined per network
+ Varied firewall rules
Chapter II: Configuring ISA Server 2006
I. Installing ISA Server 2006
1. Installation requirements
Memory (RAM): 256 MB or 512 MB for a system that does not use Web Caching; 1 GB or more for a system with Web Caching or the ISA Firewall.
Disk: the drive ISA is installed on must use the NTFS file system, with at least about 150 MB free for ISA.
Network: at least one network card (two are recommended).
2. Installation procedure:
a. Installing ISA on a server with one network card:
When ISA is installed on a server with only one network card (a unihomed ISA Firewall), it supports only HTTP, HTTPS and HTTP-tunneled (Web-proxied) FTP. The following are not supported in this configuration:
- SecureNAT clients
- Firewall Client
- Server Publishing Rules
- Remote Access VPN
- Site-to-Site VPN
- Multi-networking
- Application-layer inspection (except for the HTTP protocol)

b. Installing ISA on a server with several network cards:
The ISA Firewall is normally deployed on a dual-homed host (a server with two network cards) or a multi-homed host (a server with several network cards). In this configuration ISA Server can exercise all of its functions: ISA Firewall, SecureNAT, Server Publishing Rules, VPN, and so on.
Steps to install the ISA Firewall software:
Run isaautorun.exe from the ISA 2006 CD-ROM or from the ISA 2006 source folder.
Click Install ISA Server 2006 in the Microsoft Internet Security and Acceleration Server 2006 dialog.
Click Next in the Welcome to the Installation Wizard for Microsoft ISA Server 2006 dialog to continue the installation.
Select I accept in the License Agreement dialog and click Next.
Enter the user name and organization that will use the software in the User Name and Organization text boxes, and the serial number in the Product Serial Number text box. Click Next to continue.
Choose the installation type in the Setup Type dialog: select Typical and click Next.
There are two ways to define the internal network addresses in the Internal Network setup dialog. The first is to enter the internal address range (Internal Network range) in the From and To text boxes. The second is to build the default Internal Network from the adapter: click Select Network Adapter and tick the network adapter that is connected to the internal network. Click Add in the Internal Network dialog.
In the Select Network Adapters window, tick the network card that connects to your internal network, then click OK in the following windows to continue the installation.
In the Internal Network dialog, check that the address ranges listed agree with the routing table used in your organization. Click Next to continue.
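The step above asks you to compare the Internal Network ranges against the routing table. The script below is an added example (not part of the original document and not ISA code) that does that comparison offline: it derives the From/To pair the Select Network Adapter option would produce from an adapter's IP and mask, and then checks a list of ranges for three mistakes that lead to dropped or spoof-flagged traffic: a range that is not routed through the internal adapter, a range that contains the external adapter's own address, and ranges that overlap each other. The sample addresses are constructed for the example.

```python
import ipaddress

# Added example: consistency checks for the Internal network definition.
# Assumption: the routing table is supplied as a list of prefixes reachable
# through the internal adapter, and the external adapter has a single address.

def internal_range_from_adapter(ip, mask):
    """(From, To) pair that the wizard's Select Network Adapter option derives
    from an adapter's IP address and subnet mask."""
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return str(net.network_address), str(net.broadcast_address)

def _range_networks(first, last):
    """Split a From-To range into the CIDR blocks it covers."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))

def check_internal_network(ranges, internal_routes, external_ip):
    """ranges: list of (From, To) strings as typed into the wizard.
    internal_routes: prefixes reachable via the internal adapter (routing table).
    external_ip: address of the external adapter.
    Returns a list of problems; an empty list means the definition is consistent."""
    problems = []
    # Merge adjacent routes so a range that spans two neighbouring prefixes is accepted.
    routes = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(r) for r in internal_routes))
    ext = ipaddress.ip_address(external_ip)
    nets = []
    for first, last in ranges:
        for net in _range_networks(first, last):
            nets.append(net)
            if ext in net:
                problems.append(f"{first}-{last} contains the external address {external_ip}")
            if not any(net.subnet_of(r) for r in routes):
                problems.append(f"{first}-{last} has addresses not routed via the internal adapter")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} and {b} overlap")
    return problems

if __name__ == "__main__":
    # Constructed sample: one internal adapter, one external adapter, one internal route.
    print(internal_range_from_adapter("192.168.1.10", "255.255.255.0"))
    print(check_internal_network([("192.168.0.0", "192.168.255.255")],
                                 ["192.168.1.0/24"], "192.168.200.1"))
```

A range that is too wide is the common error: "192.168.0.0 to 192.168.255.255" entered by hand covers far more than the 192.168.1.0/24 the adapter actually routes, and the check reports it along with any external address it swallows.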
Tick Allow computers running earlier versions of Firewall Client software to connect if ISA should support older Firewall Client versions, then click Next.
The Services dialog appears, warning that the ISA Firewall will stop some services (SNMP and the IIS Admin Service) during installation. The ISA Firewall will also disable the Internet Connection Firewall (ICF)/Internet Connection Sharing (ICS) and IP Network Address Translation (RRAS NAT) services.
Click Install.
II. Configuring ISA Server 2006
2. Configuring Web Proxy for ISA Server 2006
a. Creating and using Access Rules
The Welcome to the New Access Rule Wizard dialog appears. Enter the Access Rule name and click Next to continue.
The Rule Action dialog offers two options: Allow or Deny. Deny is selected by default; choose Allow or Deny according to the kind of rule being defined, then click Next to continue.
Next, choose the protocols the rule allows or denies for outbound traffic from the source to the destination. The This rule applies to list offers three options:
- All outbound traffic: allows every outbound protocol. Its actual effect depends on the client type using the rule. For Firewall Clients this option allows all protocols outbound, including secondary protocols whether or not they are defined in the ISA Firewall. For SecureNAT clients, however, outbound access is limited to protocols defined in the ISA Firewall's Protocols list; if a SecureNAT client cannot reach an external resource over some protocol, that protocol must first be defined in the Protocols panel of the ISA Firewall before the SecureNAT client can connect.
- Selected protocols: lets you pick individual protocols to apply to the rule, either from the protocols already listed in the dialog or by creating a new Protocol Definition.
- All outbound traffic except selected: allows every protocol for the rule except those selected in the dialog.
If you chose Selected protocols, build the list of protocols the rule should cover by clicking Add and adding the appropriate protocols. Then click Next to continue.
The Access Rule Sources dialog appears. Choose the source location the rule applies to by clicking Add; the Add Network Entities dialog appears, from which the source is selected.
The Access Rule Destinations dialog appears, where the rule's destination is chosen by clicking Add; the Add Network Entities dialog appears, in which an existing entity can be selected or a new destination defined. For an Internet access rule the destination is normally the External network.
After clicking Next, the User Sets dialog appears, where the users the Access Rule applies to are chosen. By default the rule applies to all users (All Users); this can be changed by editing the entry or adding a user set to the rule with the Add button. Click Next to continue. Note that a rule restricted to a user set can only match requests that carry credentials: Web Proxy and Firewall Clients can authenticate, while SecureNAT clients cannot, so SecureNAT traffic never matches such a rule.
c. Configuring Web Proxy for ISA
This section walks quickly through the steps for configuring the ISA Firewall to provide a Web Proxy service that shares the Internet connection with the internal network. Out of the box, the only HTTP/HTTPS access ISA permits is for the ISA Server itself (the Local Host network), through a system policy rule, to the sites pre-listed in the Domain Name Set named System Policy Allowed Sites:
*.windows.com
*.windowsupdate.com
*.microsoft.com
No default rule lets internal clients reach the web, so their requests fall through to the default deny rule. If the ISA Server itself needs to reach additional sites, edit System Policy Allowed Sites: in the ISA Management Console choose Firewall Policy, open the Toolbox tab, choose Domain Name Sets, and double-click the item System Policy Allowed Sites to add the required sites using the syntax *.domain_name.
To let the internal network reach any Internet website, create an Access Rule with the New Access Rule Wizard described earlier that allows the HTTP and HTTPS protocols from the Internal network to the External network, then click Apply in the Firewall Policy pane to commit the change. Enabling system policy rule 18, Allow HTTP/HTTPS requests from ISA Server to selected servers for connectivity verifiers, does not achieve this: system policy rules govern only traffic that originates from the ISA Server itself (in this case its connectivity verifiers), never traffic from clients.
If the ISA Firewall connects directly to the Internet, the configuration above is enough. If instead it must go through another ISA Firewall or proxy, an Upstream Server must also be defined so that requests are forwarded to the parent proxy, which fetches the content from the Internet web server.
To let clients use the Web Proxy, either configure the proxy server in each client's web browser to the address of the ISA Firewall's internal interface, or install the Firewall Client software from the ISA client share on each client so that it becomes an ISA Firewall Client. In the browser, enter the Web Proxy address in the Address text box and 8080 (the default Web Proxy listener port) in the Port text box.
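The Access Rule wizard steps and the Web Proxy section above describe the fields of a rule (action, protocols, sources, destinations, user sets) and the fact that rules are evaluated in order until one matches, with a default deny at the end. The script below is an added example (written for this page, not ISA's own engine or API) that models that evaluation over a small constructed policy: the system policy rule for the ISA Server's own traffic to System Policy Allowed Sites, an Internal-to-External HTTP/HTTPS rule, and a user-restricted rule for the VPN Clients network of the kind a VPN deployment needs. The protocol names, network names, user names and rule names are assumptions for illustration; wildcard matching of Domain Name Set entries uses fnmatch, which is only an approximation of ISA's matching.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Added example: first-match evaluation of an ordered firewall policy.
# Assumptions: network, protocol and user names are plain strings; Domain Name
# Set entries such as "*.microsoft.com" are matched with fnmatch.

@dataclass
class Rule:
    name: str
    action: str          # "allow" or "deny"
    protocols: set       # protocol names, or {"*"} for All outbound traffic
    sources: set         # network names, e.g. "Internal", "VPN Clients", "Local Host"
    destinations: set    # network names or Domain Name Set names
    users: set = field(default_factory=lambda: {"All Users"})

@dataclass
class Request:
    protocol: str
    source: str          # network the request arrives from
    dest_network: str    # network the destination address belongs to
    host: str = ""       # requested host name, used for Domain Name Set matching
    user: str = None     # None = unauthenticated (a SecureNAT client cannot present credentials)

def host_in_domain_set(host, patterns):
    """True if the host name matches any entry of a Domain Name Set."""
    return any(fnmatchcase(host.lower(), p.lower()) for p in patterns)

def evaluate(req, rules, domain_sets, user_sets):
    """Return (action, rule_name). Rules are tried top to bottom and the first one
    whose every element matches wins; if none matches, the default rule denies."""
    for rule in rules:
        if "*" not in rule.protocols and req.protocol not in rule.protocols:
            continue
        if req.source not in rule.sources:
            continue
        dest_ok = req.dest_network in rule.destinations or any(
            host_in_domain_set(req.host, domain_sets[d])
            for d in rule.destinations if d in domain_sets)
        if not dest_ok:
            continue
        if "All Users" not in rule.users:
            # A user-restricted rule only matches an authenticated request from a listed user.
            if req.user is None or not any(req.user in user_sets[u] for u in rule.users):
                continue
        return rule.action, rule.name
    return "deny", "Default rule"

def sample_policy():
    """Constructed policy: the system policy rule for the ISA Server's own update
    traffic, a client web rule, and a user-restricted VPN Clients rule."""
    domain_sets = {"System Policy Allowed Sites":
                   ["*.windows.com", "*.windowsupdate.com", "*.microsoft.com"]}
    user_sets = {"VPN Users": {"alice"}}           # assumed user set and member
    rules = [
        Rule("Allow HTTP/HTTPS from ISA Server to allowed sites", "allow",
             {"HTTP", "HTTPS"}, {"Local Host"}, {"System Policy Allowed Sites"}),
        Rule("Allow Web", "allow", {"HTTP", "HTTPS"}, {"Internal"}, {"External"}),
        Rule("VPNClient", "allow", {"*"}, {"VPN Clients"}, {"Internal"}, {"VPN Users"}),
    ]
    return rules, domain_sets, user_sets

if __name__ == "__main__":
    rules, domain_sets, user_sets = sample_policy()
    print(evaluate(Request("HTTP", "Internal", "External", "www.example.com"), rules, domain_sets, user_sets))
    print(evaluate(Request("HTTP", "Internal", "External", "www.microsoft.com"), rules[:1], domain_sets, user_sets))
    print(evaluate(Request("SMB", "VPN Clients", "Internal"), rules, domain_sets, user_sets))
```

Two results are worth running: evaluating an internal client's request against only the system policy rule ends in the default deny, which is why editing System Policy Allowed Sites does nothing for clients; and an unauthenticated request from the VPN Clients network is denied even though a VPNClient allow rule exists, because a user-restricted rule needs credentials. Putting a deny rule above the allow rule flips the outcome, which is the ordering behaviour to keep in mind when adding rules.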
3. Advanced configuration of ISA Server 2006
a. Web Publishing and Server Publishing
Server Publishing: like Web Publishing, Server Publishing provides a mechanism for publishing servers through the ISA Firewall.

4. Configuring VPN on ISA Server 2006
b. Building a VPN client-to-Gateway connection
- Next, configure the ISA Server.
- Define the VPN Client group: in ISA Server Management, choose Firewall Policy, open the Toolbox, choose Users and click New.
In the Welcome to the New User Set Wizard window, name the user set, then click Next to continue.
In the next dialog click Add and choose Windows users and groups.
In the Virtual Private Network window, switch to the Address Assignment tab, choose Static address pool, click Add and enter the IP range to be handed out to clients. Click Apply.
After installation, ISA Server does not enable VPN client access by default, so it must be turned on: choose Virtual Private Network (VPN), open the Configure VPN Client Access task and enable VPN client access. Remember to click Apply afterwards.
- Create an Access Rule that permits VPN connections, with:
+ Access rule name: VPNClient
+ Rule Action: Allow
+ Protocol: All outbound traffic
+ Access Rule Sources: VPN Clients
+ Access Rule Destinations: Internal
+ User Sets: the user set that is permitted to use the VPN
Click Apply, then OK. Note that All outbound traffic to the whole Internal network gives VPN users the same reach as a machine on the LAN; in production, narrow the protocols and destinations to what those users actually need.
- Testing the VPN connection
On the client machine, open Network Connections. In the Network Connections window choose Create a New Network Connection.
In the Welcome to the New Connection Wizard dialog, click Next.
In the Network Connection Type dialog, choose Connect to the network at my workplace.
In the VPN Server Selection dialog, enter the public IP address of the ISA Server and click Next to continue.
Right-click the VPNClient connection and choose Connect. Enter the username and password and click Connect.
THE END
Reference: http://www.kythuatvien.com/forum/Network/70-351/Part_38_-_ISA_Server__VPN_Client_to_Gateway.html