
Saigon Vocational College (Trường Cao Đẳng Nghề Sài Gòn)
Understanding ISA Server 2006

Supervisor: Nguyn Vn Tng
Students: V Cao Sn ng Mai Vn Mn Chu Hunh Quc Biu Nguyn Phc Trung L Tun V V Thnh Bu Tm

TABLE OF CONTENTS

Chapter I: Overview of ISA Server 2006
1. Introduction to ISA Server 2006
2. Editions of ISA Server 2006
3. Features of ISA Server 2006
4. Comparison of ISA 2006 and 2004

Chapter II: Configuring ISA Server 2006
I. Installing ISA Server 2006
1. Installation requirements
2. Installation process
a. Installing ISA Server 2006 on a server with one network card
b. Installing ISA Server 2006 on a server with multiple network cards
II. Configuring ISA Server 2006
1. Summary of some default settings
2. Configuring Web Proxy for ISA Server 2006
a. Creating and using Access Rules
b. Creating some Access Rules
c. Configuring Web Proxy for ISA Server 2006
3. Advanced configuration of ISA Server 2006
a. Web Publishing and Server Publishing
4. Configuring VPN on ISA Server 2006
a. Introduction to VPN
b. Building a VPN Client to Gateway

Chapter I: Overview of ISA Server 2006


1. Introduction to ISA Server 2006
Microsoft Internet Security and Acceleration Server (ISA Server) is a firewall and Internet-sharing product from Microsoft. It is an effective and stable firewall and Internet-sharing product that is easy to configure and has many notable features. ISA Server is designed primarily to operate as a firewall: it ensures that all unsolicited traffic arriving from the Internet, outside the organization's network, is blocked, while allowing users inside the organization's network selective access to resources on the Internet, and allowing users on the Internet to access resources inside the organization's network (for example the organization's Web or Mail servers) in accordance with the policies configured on ISA Server. It also provides a number of other functions.

2. Editions of ISA Server 2006

ISA Server 2006 meets the protection and bandwidth-sharing needs of small and medium-sized companies. ISA Server 2006 comes in two editions, Enterprise and Standard.

Standard Edition:
+ Controls the data entering and leaving the company's internal network.
+ Controls user access by protocol, time and content, to prevent connections to Web sites with inappropriate content or at inappropriate times (for example during working hours).
+ Allows a site-to-site or remote-access VPN to be deployed, supporting remote access to the company's internal network or data exchange between a branch office and headquarters.
+ For companies with public servers such as a Mail Server, Web Server or FTP Server that need their own security policies, ISA Server 2006 allows a DMZ to be deployed, preventing direct interaction between outside users and the inside of the system.
+ Besides the security features above, ISA Server 2006 Standard also provides caching, which shortens response times and speeds up the internal network's Internet connections. This is why the firewall product is named Internet Security and Acceleration.

Enterprise Edition: ISA Server 2006 Enterprise is used in large network designs and handles the access needs of many users outside and inside the system. In addition to the features of ISA Server 2006 Standard, the Enterprise edition lets a group of ISA Servers share a single policy, which simplifies management and provides Load Balancing.

Comparison of Standard Edition and Enterprise Edition: fundamentally the Standard and Enterprise editions have equivalent functions. Enterprise supports three additional features that Standard lacks:

Centralized storage of configuration data:
While Standard stores its configuration information (conf info) in the registry of the machine ISA is installed on, Enterprise stores its conf info in a separate directory. When you install Enterprise you must designate one or more machines to act as configuration storage servers. These storage servers use ADAM (Active Directory Application Data) to store the configuration of all the ISA servers in the organization. ADAM can be installed on several machines at once, so you can have several storage servers (ADAM can be installed on a machine other than the ISA machine, or on the ISA machine itself). The data on these storage servers replicates between them periodically. This gives the administrator better support: for example, to change the configuration of one or more ISA machines you only need to sit at the storage server. With Standard, you have to go to each machine to configure it.

Support for Cache Array Routing Protocol (CARP):
Enterprise lets a group of ISA servers share caching among themselves. With Enterprise, an array of ISA machines is configured to form a single cache shared by all the ISA servers. To implement this feature, ISA uses CARP. The mechanism is as follows: when a client requests a web page, CARP designates one ISA in the array to cache that page. When any client later requests a page that has already been cached, CARP identifies which ISA machine cached it, and that page is returned to the client. CARP helps optimize caching capacity.

Integration of Network Load Balancing (NLB) (load balancing integrated into ISA):
NLB is a network component built into Windows 2000 Server and Windows Server 2003. Using NLB means accepting redundancy: you have two or more machines with the same function (for example, all ISA servers) sharing the traffic to avoid overload. NLB is also a form of backup, because if one machine goes down another takes over its duties while the failed machine is being restored. NLB meets the need for stability and high availability in the system. With Standard, you must configure NLB by hand. With Enterprise, NLB is integrated into ISA, so you can manage NLB from ISA: you can use the ISA Server Management Console to configure, manage and monitor NLB.

3. Features of ISA Server 2006

ISA Server has many features that let you configure it to suit your LAN. It is fast thanks to intelligent caching, with the ability to keep the cache in RAM (Random Access Memory), which speeds up retrieval, and the Schedule Cache feature (scheduling automatic downloads of content from Web servers into the cache, so that client machines only need to fetch that content over the LAN). Its information security policies are also fairly good. The notable features of the 2006 edition over 2004 are Publishing and VPN (features that businesses in Vietnam rarely use).

Publishing service capabilities:
+ ISA 2006 can generate forms itself when a user accesses the OWA page (Outlook Web Access, a module of Microsoft Exchange Server (a mail server) that lets users access and manage their mailbox remotely through a Web browser), thereby supporting form-based authentication. This defends against unauthorized users reaching the OWA Web page; the feature is developed as an add-in.
+ Allows publishing a Terminal Server using RDP over SSL, ensuring the data in the session (including the password) is encrypted over the Internet.
+ Blocks non-encrypted MAPI connections to the Exchange server, allowing users' Outlook to connect securely to Exchange Server.
+ Many wizards let the administrator publish internal servers to the Internet securely. Supports new products such as Exchange 2007.

VPN connectivity:
+ Provides a wizard for automatically configuring a site-to-site VPN between two separate offices; of course, anyone who prefers to configure each step by hand can do so. Fully integrates Quarantine.
+ Stateful filtering and inspection, full inspection of VPN connections, site-to-site, SecureNAT for VPN clients.
+ Allows publishing another VPN server inside the intranet to the Internet; supports PPTP, L2TP/IPSec and IPSec Tunnel site-to-site (with other vendors' VPN products).

Manageability:
+ Easy to manage
+ Many wizards
+ Simple Backup and Restore
+ Administration can be delegated to Users/Groups
+ Detailed, specific logs and reports
+ Adding a server to an array is easy (not as hard as in ISA 2000 and 2004)
+ Integrates with Microsoft's management solution, MOM
+ SDK

Other features:
+ Supports multiple CPUs and more RAM (Standard supports up to 4 CPUs and 2 GB RAM)
+ Up to 32-node Network Load Balancing
+ Supports multiple networks
+ Route/NAT per network
+ Varied firewall rules
+ IDS
+ Flood Resiliency
+ HTTP compression
+ Diffserv

4. Comparison of ISA 2006 and 2004

ISA Server 2006 is the newest version of the Microsoft ISA Server product. In terms of interface, ISA 2006 is 90% the same as ISA 2004. However, it has new features that stand out where ISA 2004 was still limited, such as:
- Improved support for OWA, OMA, ActiveSync and RPC/HTTP Publishing.
- Support for SharePoint Portal Server.
- Support for binding multiple certificates to a single Web listener.
- The notable features of the 2006 edition over 2004 are Publishing and VPN.

Chapter II: Configuring ISA Server 2006

I. Installing ISA Server 2006
1. Installation requirements
Component            Requirement
CPU                  Intel or AMD, 500 MHz or faster
Operating system     Windows Server 2003 or Windows Server 2003 R2
Memory (RAM)         256 MB or 512 MB for systems not using Web Caching; 1 GB or more for systems with Web Caching or ISA Firewall
Disk space           The drive ISA is installed on must use the NTFS file system, with at least about 150 MB available for ISA
Network card (NIC)   At least one network card (two recommended)

2. Installation process:
a. Installing ISA on a server with one network card: when ISA is installed on a server that has only one network card (also called a Unihomed ISA Firewall), it supports only HTTP, HTTPS and HTTP-tunneled (Web proxied) FTP. ISA then does not support the following functions: SecureNAT client, Firewall Client, Server Publishing Rules, Remote Access VPN, Site-to-Site VPN, Multi-networking, Application-layer inspection (except for the HTTP protocol).

b. Installing ISA on a server with multiple network cards: ISA Firewall is usually deployed on a dual-homed host (a server with two network cards) or a multi-homed host (a server with several network cards). This means ISA Server can perform all of its functions, such as ISA Firewall, SecureNAT, Server Publishing Rules, VPN and so on.
Steps to install the ISA Firewall software: run the file isaautorun.exe from the ISA 2006 CD-ROM or from the ISA 2006 source.

Click Install ISA Server 2006 in the Microsoft Internet Security and Acceleration Server 2006 dialog.

Click Next in the Welcome to the Installation Wizard for Microsoft ISA Server 2006 dialog to continue the installation.

Select the I accept option in the License Agreement dialog, then click Next.

Enter the user name and the name of the organization using the software in the User Name and Organization text boxes. Enter the serial number in the Product Serial Number text box. Click Next to continue.

Choose the installation type in the Setup Type dialog: select the Typical option and click Next.

There are two ways to define the internal network addresses in the Internal Network setup dialog. The first is to describe the internal address range (Internal Network range) in the From and To text boxes. The second is to configure the default Internal Network by clicking the Select Network Adapter button and then ticking the network adapter connected to the internal network. Click the Add button in the Internal Network dialog.

In the Addresses window, click Add Adapter.

In the Select Network Adapters window, select the network card connected to your internal network, then click OK in the following windows to continue the installation.

In the Internal Network dialog, check that the listed networks match the routing table in your organization. Click Next to continue.

Tick the Allow computers running earlier versions of Firewall Client software to connect check box if you want ISA to support earlier Firewall Client versions, then click Next.

The Services dialog appears, warning that ISA Firewall will stop the SNMP and IIS Admin services during installation. ISA Firewall will also disable the Internet Connection Firewall (ICF)/Internet Connection Sharing (ICS) and IP Network Address Translation (RRAS NAT service) services.

Click Install.

Click Finish to complete the installation, then restart the machine.

II. Configuring ISA Server 2006

1. Summary of some default settings:
System Policies provide a set of built-in rules that allow traffic into and out of the ISA Firewall. All other traffic is blocked. Routing is allowed between the VPN/VPN-Q networks and the Internal network. NAT is allowed between the Internal network and the External network. Only the Administrator may change the ISA Firewall's security policy. You can view the ISA Firewall's default system policy rules by selecting Firewall Policy in ISA Management and then choosing the Show system policy rules item in the System policy column. You can also edit an individual system policy by double-clicking its item.

2. Configuring Web Proxy for ISA:

This section covers the steps for configuring ISA Firewall to provide the Web Proxy service that shares the Internet connection with the internal network. By default, ISA Firewall allows the entire internal network to reach Internet Web sites only over HTTP/HTTPS, and only to a set of sites predefined in the Domain Name Set described under the name System Policy Allowed Sites. The Domain Name Set is described in part c.

a. Creating and using Access Rules
Access Rules control outbound access. ISA Firewall checks the Access Rules in the Access Policy top-down (note that the System Policy is checked before the user-defined Access Policy). If a packet matches a rule, ISA Firewall performs that rule's action (permit/deny) and skips all the remaining rules. If the packet matches neither any System Policy rule nor any user-defined rule, ISA Firewall denies it. Some of the parameters an Access Rule checks in a connection request:
Protocol: the protocol used.
From: the source address.
Schedule: the time at which the rule applies.
To: the destination address.
Users: the user making the access.
Content type: the content type of an HTTP connection.

b. Creating some Access Rules:
Go to Start, Programs, Microsoft ISA Server and choose ISA Server Management; expand the server name, right-click Firewall Policy, choose New and click Access Rule.


The Welcome to the New Access Rule Wizard dialog appears. Enter the rule name in Access rule name and click Next to continue.

The Rule Action dialog appears with two options: Allow or Deny. Deny is selected by default; depending on the kind of rule being described, choose Allow or Deny as appropriate, then click Next to continue.

The Protocols dialog appears; here you can choose among many protocols.

Here we choose the protocols whose outbound traffic from source to destination the rule allows or denies. The This rule applies to list offers three options.
All outbound traffic: allows all outbound protocols. The exact effect of this option depends on the type of client using the rule. For Firewall clients, this option allows all protocols outbound, including secondary protocols whether or not they are defined in ISA Firewall. For SecureNAT clients connecting through ISA Firewall, however, outbound access is allowed only for protocols defined in ISA Firewall's Protocols list; if a SecureNAT client cannot reach an outside resource with some protocol, that protocol must be defined in the Protocols panel provided on ISA Firewall before the SecureNAT client's connection can be supported.
Selected protocols: this option lets you pick individual protocols to apply to the rule. You can pick protocols that already exist in the dialog or create a new Protocol Definition.
All outbound traffic except selected: this option allows every protocol for the rule except those defined in the dialog.
If you choose Selected protocols, you select the list of protocols the rule applies to: click Add to add the appropriate protocols, then click Next to continue.

The Access Rule Sources dialog appears; choose the source location for the rule by clicking Add, which opens the Add Network Entities dialog, then choose the source address from that dialog.

Click Next to go to the next step.

The Access Rule Destinations dialog appears, allowing you to choose the destination for the rule by clicking Add; the Add Network Entities dialog appears, where you pick an existing entity or define a new destination. Usually the External network is chosen as the rule destination.

After that, click Next; the User Sets dialog appears, allowing you to choose which users the Access Rule applies to. By default the rule applies to all users (All Users); you can modify this with Edit or add a new user to the rule with Add. Click Next to continue.

Click Finish to complete.

c. Configuring Web Proxy for ISA
In this section we quickly go over the steps for configuring ISA Firewall to provide the Web Proxy service that shares the Internet connection with the internal network. By default, ISA Firewall allows the entire internal network to reach Internet Web sites only over HTTP/HTTPS, and only to a set of sites predefined in the Domain Name Set described under the name System Policy Allowed Sites, which includes:
*.windows.com
*.windowsupdate.com
*.microsoft.com
Therefore, to let the internal network reach any external Internet Web site, you must edit the System Policy Allowed Sites set or edit the System Policy Rule with the relevant name. Edit System Policy Allowed Sites by selecting Firewall Policy in the ISA Management Console, opening the Toolbox column, choosing Domain Name Sets, and double-clicking the System Policy Allowed Sites item to add the sites the internal network is allowed to reach, using the syntax *.domain_name.

If you want the internal network to reach any Internet Web site, you must enable rule 18, named Allow HTTP/HTTPS requests from ISA Server to selected servers for connectivity verifiers, and then click Apply in the Firewall Policy panel to apply the change to the system. If ISA Firewall connects directly to the Internet, the settings above are all that is needed; if instead ISA Firewall must go through another ISA Firewall or proxy, you must also set the Upstream Server parameters so that requests are forwarded to the parent proxy, which fetches the content from the Internet Web server. To let clients use the Web Proxy, configure the proxy server in each client's Web browser with the address of the ISA Firewall's internal interface, or install the ISA Client Share on each client so that the client acts as an ISA Firewall Client. Specify the Web Proxy address in the Address text box and the Web Proxy port, 8080, in the Port text box.

3. Advanced configuration of ISA Server 2006

a. Web Publishing and Server Publishing:
Publishing is a technique for making internal services available to the Internet through ISA Firewall. Through ISA Firewall you can publish SMTP, NNTP, POP3, IMAP4, Web, OWA and Terminal Services.
Web Publishing: used to publish Web sites and Web services. Web Publishing is sometimes called reverse proxy: ISA Firewall acts as a Web proxy that receives Web requests from outside and forwards them to the internal Web site or Web service for processing. Some characteristics of Web Publishing:
- Provides proxied access to Web sites through ISA Firewall.
- Path redirection for Web site access.
- Reverse caching of published Web sites.
- Allows publishing several Web sites through a single IP address.
- Can rewrite URLs using ISA Firewall's Link Translator.
- Establishes security and supports authentication for Web site access (SecurID Authentication, RADIUS Authentication, Basic Authentication).
- Provides forwarding by port and protocol.

Server Publishing: similar to Web Publishing, Server Publishing provides mechanisms for publishing servers through ISA Firewall.

4. ISA VPN Client to Gateway

a. Introduction to VPN (Virtual Private Network): VPN is an effective solution for connecting the network of a business that has several branches in different geographic locations, or whose employees travel frequently and want to access internal network resources. ISA Server 2006 can meet these needs of your business through its VPN Client to Gateway function.
b. Building a VPN Client to Gateway:
- First, create a VPN user on the server and grant that VPN user the Allow Access permission.

- Next, configure the ISA Server.
- Define the VPN Client user set: in ISA Server Management, choose Firewall Policy, click Toolbox, choose Users and click New.

In the Welcome to the New User Set Wizard window, enter a name for the user set, then click Next to continue.

In the next dialog, click Add and choose Windows users and groups.

Select the VPN Client user, click Next, then Finish.

Right-click Virtual Private Networks and choose Properties.

In the Virtual Private Networks dialog, go to the Address Assignment tab, choose Static address pool, click Add and enter the IP range that will be assigned to clients. Click Apply.

By default, once installation is complete ISA Server does not enable VPN clients, so the next step is to enable this function. Select Virtual Private Networks (VPN), choose the Configure VPN Client Access tab and enable VPN client access. Remember to click Apply after making the selection.

- Create an Access Rule allowing VPN connections with the following settings:
+ Access rule name: VPNClient
+ Rule Action: Allow
+ Protocols: All outbound traffic
+ Access Rule Sources: VPN Clients
+ Access Rule Destinations: Internal
+ User Sets: the users allowed to use the VPN
Click Apply, then OK.
- Test the VPN connection: on the client machine, open Network Connections. In the Network Connections window, choose Create a New Network Connection.

In the Welcome to the New Connection Wizard dialog, click Next.

In the Network Connection Type dialog, choose Connect to the network at my workplace.

In the Network Connection dialog, choose Virtual Private Network connection, then click Next to continue.

In the Connection Name dialog, enter a name for the VPN connection.

In the VPN Server Selection dialog, enter the server's public IP address and click Next to continue.

In the Completing the New Connection Wizard dialog, click Finish.

Right-click the VPNClient connection and choose Connect. Enter the username and password, then click Connect.
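As an added example that is not part of the original report, the following Python models the Access Rule evaluation described in section II.2.a (system policy checked first, then user-defined rules top-down, the first matching rule's action applied, and everything else denied) together with the VPNClient rule from section II.4.b. The System Policy Allowed Sites patterns and the VPNClient rule settings come from the report; the network address ranges, the office-hours Web rule, the user name vpnuser and the Rule and Request classes are assumptions made for this example.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network

# Constructed network entities; the address ranges are assumptions for this example.
# Most specific first, so the ISA host's own interface is not reported as Internal.
NETWORKS = {"Local Host": ip_network("192.168.1.1/32"),   # ISA internal interface
            "Internal": ip_network("192.168.1.0/24"),
            "VPN Clients": ip_network("10.0.0.0/24")}      # static address pool
# "External" means any address that belongs to no defined network.
DOMAIN_NAME_SETS = {"System Policy Allowed Sites":
                    ["*.windows.com", "*.windowsupdate.com", "*.microsoft.com"]}
ALL = "All outbound traffic"

@dataclass
class Rule:
    name: str
    action: str                  # "Allow" or "Deny"
    protocols: object            # set of protocol names, or ALL
    sources: set                 # network entity names (From)
    destinations: set            # networks, domain name sets, or "External" (To)
    users: set = field(default_factory=lambda: {"All Users"})
    hours: range = range(0, 24)  # Schedule: hours of the day the rule is live

@dataclass
class Request:
    protocol: str
    src: str
    dst: str                     # destination IP address or host name
    user: str = "anonymous"
    hour: int = 9

def network_of(addr):
    """Map an IP to its ISA network name; a host name maps to None."""
    try:
        ip = ip_address(addr)
    except ValueError:
        return None
    return next((n for n, net in NETWORKS.items() if ip in net), "External")

def rule_matches(rule, req):
    """Every rule element (Protocol, From, To, Users, Schedule) must match."""
    dest_ok = network_of(req.dst) in rule.destinations or any(
        fnmatch(req.dst, pat) for ds in rule.destinations
        for pat in DOMAIN_NAME_SETS.get(ds, []))
    return ((rule.protocols == ALL or req.protocol in rule.protocols)
            and network_of(req.src) in rule.sources and dest_ok
            and ("All Users" in rule.users or req.user in rule.users)
            and req.hour in rule.hours)

def evaluate(system_policy, access_policy, req):
    """System policy first, then user rules top-down; first match wins, else deny."""
    for rule in list(system_policy) + list(access_policy):
        if rule_matches(rule, req):
            return rule.action, rule.name
    return "Deny", "default deny"

SYSTEM_POLICY = [Rule("Allow HTTP/HTTPS requests from ISA Server to selected "
                      "servers for connectivity verifiers", "Allow",
                      {"HTTP", "HTTPS"}, {"Local Host"},
                      {"System Policy Allowed Sites"})]
ACCESS_POLICY = [  # the report's VPNClient rule, plus an assumed office-hours Web rule
    Rule("VPNClient", "Allow", ALL, {"VPN Clients"}, {"Internal"}, {"vpnuser"}),
    Rule("Web", "Allow", {"HTTP", "HTTPS"}, {"Internal"}, {"External"},
         hours=range(8, 18))]
```

Calling evaluate(SYSTEM_POLICY, ACCESS_POLICY, Request("RDP", "10.0.0.5", "192.168.1.20", user="guest")) falls through every rule and returns the default deny, which is the behaviour the report describes for a request that matches neither policy.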

THE END
Reference: http://www.kythuatvien.com/forum/Network/70-351/Part_38_-_ISA_Server__VPN_Client_to_Gateway.html