
Installing, configuring and administering ISA Server 2004 Firewall

Among the firewall products on the market today, Microsoft's ISA Server 2004 is popular thanks to its strong system protection and flexible management. ISA Server 2004 Firewall comes in two editions, Standard and Enterprise, which serve different environments.

ISA Server 2004 Standard meets the protection and bandwidth-sharing needs of medium-sized companies. With this edition we can build a firewall that controls data flows into and out of the company's internal network and controls user access by protocol, time and content, in order to block connections to websites with inappropriate content. We can also deploy Site to Site or Remote Access VPN to support remote access or data exchange between branch offices. For companies whose important servers, such as a Mail Server or Web Server, need to be tightly protected in a separate environment, ISA 2004 allows DMZs (demilitarized zones) to be deployed, preventing direct interaction between people inside and outside the system. Besides these information security features, ISA 2004 also has a cache that speeds up Internet connections, because web page content can be kept in RAM or on hard disk, which saves a significant amount of bandwidth. That is why this firewall product is called Internet Security & Acceleration.

ISA Server 2004 Enterprise is used in large networks and serves heavy access demand from users inside and outside the system. In addition to the features of ISA Server 2004 Standard, the Enterprise edition allows an array of ISA Servers sharing one policy to be set up, which simplifies management and provides Load Balancing.

This article presents how to deploy ISA Server (Standard and Enterprise) for a company with more than 50 employees. To provide shared Internet access, the company uses one ADSL line and an ISA Server 2004 Firewall. The ADSL modem's address is 1.1.1.2. The system has two main networks: Internal, which contains the employees' computers and uses the private IP range 192.168.1.1 to 192.168.1.255/24, and DMZ, for servers (such as Exchange Server and Web Server), which uses the network address 172.16.1.0/24. The server on which ISA Server is installed runs Windows Server 2003 SP1 and has 3 NICs (network interfaces) with the following IP addresses:
- Outside Interface: IP 1.1.1.1, Subnet Mask 255.255.255 and Default Gateway 1.1.1.2 (ADSL modem).
- Inside Interface: IP 192.168.1.10, Subnet Mask 255.255.255.0 and DNS 192.168.1.11 (the system's DNS Server and Domain Controller).
- DMZ Interface: IP 172.16.1.1, Subnet Mask 255.255.255.0.

To keep the system and the firewall secure, on the Outside network interface select Disable NetBIOS over TCP/IP, and clear Register this connection's addresses in DNS and Enable LMHOSTS lookup, as shown in the following figure.

Note: Disable NetBIOS over TCP/IP makes the computer "invisible" on the network: vulnerability scanners such as Retina and Nmap will not find the computer's name, which limits brute-force guessing of account passwords. Servers that face the Internet, such as firewalls, usually enable this option. On computers in the internal network, however, we should not use it, because it prevents other computers from accessing shared resources on the machine such as printers and shared folders. Some security applications (such as PC Security) select Disable NetBIOS over TCP/IP by default when installed.

Installing ISA Server

After setting up all the necessary information, we install ISA Server 2004 Standard on the computer that will act as the firewall. We can choose one of the following 3 installation modes:
- Typical: installs only a minimal set of services, without the Cache service.
- Complete: installs all services, such as Firewall, which controls access; Message Screener, which blocks spam and file attachments (IIS 6.0 SMTP must be installed before Message Screener); and Firewall Client Installation Share.
- Custom: lets you choose which ISA Server 2004 components to install.

Here we use the Custom mode. By default only two services, Firewall Services and ISA Server Management, are selected; also select Firewall Client Installation Share. Next, setup asks you to identify the network interface for the internal network (Internal Network): in the Internal Network window click Add, then Select Network Adapter. Tick Inside on the Select Network Adapter page. Then provide the IP address range that contains the computers on the internal network (From, To). Note that this range must contain the IP of the Inside network interface. In the Firewall Client Connection Settings window, tick Allow nonencrypted Firewall client connections and Allow Firewall clients running earlier versions of the Firewall client software to connect to ISA Server, then click Next through the remaining steps to finish the installation. For the Standard edition we should install the SP1 patch ISA2004-KB891024-X86-ENU.msp (downloadable from www.microsoft.com or www.security365.org/downloads/software) to keep the system running stably.

Connecting ISA Server to the Internet and configuring the ISA clients

ISA Server 2004 Firewall has 3 kinds of security policy: system policy, access rule and publishing rule.
- System policy: usually hidden, and used for interaction between the firewall and other network services such as ICMP, RDP... System policy is processed before access rules are applied. After installation, the default system policies allow ISA Server to use system services such as DHCP, RDP, Ping...
- Access Rule: the set of rules governing Internet or email access. Pay special attention to the order of the access rules, because the firewall's processing ends as soon as it meets a policy that "catches" the traffic. To understand this mechanism, consider an example with 5 access rules in the following order:
  1. Deny HTTP (the HTTP protocol may not be used)
  2. Allow HTTP (the HTTP protocol may be used)
  3. Allow FTP (FTP may be used)
  4. Deny FTP (FTP may not be used)
  5. Deny All (default policy)
  Assuming the rules all apply to the same users, a user who browses the web over HTTP is denied access, because the first access rule does not allow this protocol. But if the user downloads a file over FTP, it is permitted, because the third access rule allows FTP, and the firewall skips the remaining access rules.
- Publishing Rule: used to make services such as a Web Server or Mail Server on the Internal or DMZ network available to users on the Internet.

Once ISA Server 2004 is installed, we connect ISA Server to the Internet and configure the ISA clients so that they can reach the Internet through the ISA Server Firewall. By default, ISA Server has only one access rule after installation, Deny All, which refuses all traffic in and out through the ISA firewall, so we need to create rules that suit the organisation's needs or apply the predefined rule templates (Predefined Template) to ISA Server. You can configure the ISA Firewall Policy through the ISA Management Console on the ISA Server itself, or install the ISA Management Console on another machine and connect to the ISA Server to administer it remotely.

The ISA Server Management console has 3 main parts:
- The left pane is used to browse the main functions such as Server name, Monitoring, Firewall Policy, Cache...
- The middle pane shows the details of the component selected, such as System Policy, Access Rule...
- The right pane, also called the Tasks Pane, contains special tasks such as Publishing Server, Enable VPN Server...

Figure: ISA Server Management console

1. Creating an access rule on ISA

Open the ISA management interface by choosing Start -> All Programs -> Microsoft ISA Server -> ISA Server Management. Right-click Firewall Policy and choose Create New Access Rule, or choose it from the Task Pane of the management screen. Name the access rule Permit any traffic from internal network, or a name that suits your system, and choose Next. Under Rule Action choose Allow, because this is an access rule that lets clients use protocols and applications through the firewall. Next, specify which protocols users may use, such as HTTP or FTP... In the Protocols window choose All outbound traffic; to change this, pick another entry from the list, such as Selected Protocols to choose specific protocols, or All inbound traffic when providing connections from outside. The system needs to know who uses the protocols in the access rule. In this case the clients are users on the internal network, so choose Add under Access Rule Source and choose Internal. For users, choose All Users (where necessary you can specify suitable groups or users, such as the Domain Users group, Administrator...; when the firewall is not a domain member, use the firewall's local accounts in Local Users And Groups). Click Apply to put the new firewall policy into effect. We now have 2 access rules: Default Rule (which performs Deny All; note that Default Rule cannot be deleted) and Permit any traffic from internal network, which allows users on the internal network to use all protocols on the Internet.

2. Configuring the ISA clients

To use ISA Server, clients on the network must be configured as one of the following three types, SecureNAT, Firewall Client or Web Proxy Client, or as all three.
* SecureNAT Client: This is the simplest method. The computers only need their Default Gateway set to the address of the ISA Server's internal network card (192.168.1.10 in this case), or we can hand it out through a DHCP server with option 006 for Router. The advantage of this method is that nothing extra has to be installed on the client, and non-Microsoft operating systems such as Linux and Unix can still use Internet protocols and applications through ISA. The disadvantage is that SecureNAT clients cannot send authentication information (username and password) to the firewall, so if you deploy access control by domain user, which requires a username and password, SecureNAT clients cannot be used. In addition, we cannot log the access activity of this kind of client.

Figure: Configuring a SecureNAT client

* Firewall Client: What if we want tighter control, for example requiring users to log on to the domain before they can reach the Internet? The solution is to install Firewall Client on these computers. Normally, when installing ISA Server you install the Firewall Client Installation Share service, then open the system policy on ISA Server that allows access to the shared resource; the client computer then only needs to connect to ISA Server at its internal IP address with a valid account and run the Firewall Client setup file. If you do not want to install Firewall Client Installation Share on each client machine, you can install this service on any computer, such as a file server or domain controller, as follows: choose Setup Type Custom and, under Firewall Client Installation Share, choose This feature, and all subfeatures, will be installed on the local hard drive. Then, on the client computers, install Firewall Client by opening Start -> Run and running \\192.168.1.10\mspclnt\setup. When the system has many workstations and installing on each one is impractical, the most effective solution is to deploy the program automatically with SMS Server 2003 or to Assign it through Group Policy (the method for automatic installation through Group Policy is described on the website www.security365.org). With Firewall Client you can use ISA Server's strongest capabilities, such as authenticating users by domain user and group and logging each access... The main disadvantage is that computers on which Firewall Client is to be installed must run Windows.

* Web Proxy Client: As we know, besides its security functions ISA Server 2004 Firewall also has a Cache function that stores frequently visited web pages in RAM or on hard disk to save bandwidth. However, a Web Proxy Client can only use the HTTP/HTTPS and FTP protocols, which means users cannot read email with Outlook or use other applications. To use the Web Proxy, client computers must be configured in the web browser: open Internet Explorer, choose Tools -> Internet Options, choose the Connections tab -> LAN Settings and enter the address of the proxy server.

So the quickest way to let computers on the network reach the Internet through ISA Server is to configure them as SecureNAT clients, either through dynamic IP address assignment or with static IP addresses, pointing the default gateway at the ISA Server's internal network address. In addition, for name resolution to work smoothly, clients need to be configured with the internal DNS server address as well as an ISP DNS server such as 210.245.31.10 or 203.162.4.191.

Setting up the private policies

Although the system is now connected to the Internet, some companies have their own policy requirements, such as not allowing chat over AOL or MSN Messenger, or allowing file downloads over FTP. In addition, to support web browsing, HTTP is allowed, but downloading files that can be executed on Windows over HTTP is forbidden in order to prevent virus infection. To do this, you need to adjust your firewall policy.

1. Create an access rule that disallows AOL and MSN Messenger

Right-click Firewall Policy, choose Create New Access Rule, name it deny MSN and AIM and click Next. In the Rule Action window choose Deny and click Next. Under This rule applies to, choose Selected Protocols. Click Add.
Then open the Instant Messaging protocols and double-click AOL Instant Messenger and MSN Messenger. Click Close. Next, choose Internal and External in the Network section, apply the rule to All Users, and click Apply to apply this policy to the system.

2. Create an access rule that lets clients use FTP to download and upload

If you want to let users use FTP for both download and upload, proceed as follows. Create a new access rule through Create a New Access Rule, name it permit FTP, with Rule Action Allow, applied to All Users and the Internal network. After you click Apply, users on the internal network can download over FTP with FTP client programs such as FileZilla. However, for them to be able to upload to FTP servers, we need to clear the Read Only setting on the FTP access rule: right-click the access rule permit FTP and choose Configure FTP. In the Configure FTP protocol policy window, clearing Read Only allows uploads to FTP servers.

3. Create an access rule that allows HTTP but does not allow downloading files that can be executed on Windows

Create a new access rule named permit HTTP deny executables that allows users on the Internal network to use the HTTP protocol. Right-click permit HTTP deny executables and choose Configure HTTP. Tick Block responses containing Windows executable content, as shown in the following figure.

Using WPAD to let ISA clients automatically discover the firewall and Web Proxy

When the system uses DHCP to assign dynamic IP addresses, we need to help clients automatically discover the Web Proxy Server and Firewall, either through a WPAD CNAME record on the DNS server or by configuring a predefined option named wpad on the DHCP server (see the demo file http://www.security365.org/downloads/demo/ISA2004.rar).

Note: Configuring WPAD on DHCP only works if the DHCP server is the Windows service; with DHCP servers from other vendors we must use DNS for this.

1. First we need to enable Auto Discovery support on ISA Server. Open the ISA Management Console, and in the Network section double-click Internal Network, choose the Auto Discovery tab and tick Publish automatic discovery information; in Use this port for automatic discovery requests enter 80.

2. Create a CNAME record named WPAD on the DNS server: open the DNS Management Console, right-click the domain zone and choose New Alias (CNAME). Enter WPAD in Alias name and the full name, for example WPAD.SECURITY365.ORG, in Fully qualified domain name. Click OK to finish.

Use any Firewall Client or Web Proxy Client to check the result. In the firewall client choose Automatically detect ISA Server; in the web browser clear Use a proxy server and instead tick Automatically detect settings so that the Web Proxy is discovered automatically. Choose Detect Now; after a short time the name of the ISA Server on your system appears.

We have now installed and configured ISA Server to support Internet access, downloading and uploading documents over FTP, and automatic discovery of the firewall and Web Proxy by clients through the WPAD record on the DNS server. However, you may notice that some clients can still chat with MSN Messenger or use P2P programs to search for material. This is because these applications can use HTTP on port 80 to communicate through the web proxy server. This can be stopped by adjusting the permit HTTP policy as follows: right-click the permit HTTP access rule and choose Configure HTTP. On the Signatures tab enter the parameters shown in the figure below and click OK, then click Apply to apply the change to the system.

Saving bandwidth with the Cache feature and Content Download Job

ISA Server has a very useful feature that is disabled by default: web caching for HTTP and FTP requests.
With ISA we can use two caching mechanisms:
- Forward caching: the content of frequently visited web pages is downloaded in advance and stored in the ISA Server cache, so when users open these pages again the content is returned from the cache instead of through a direct connection to the web server on the Internet.
- Reverse caching: the opposite of forward caching. When a business or organisation has web servers that outside users are allowed to access, reverse caching saves bandwidth by storing web page content on the proxy servers, which answer the requests and reduce the load on the web server. For this reason some documents call a reverse cache a gateway cache.

In terms of organisation, we can build the cache system on ISA according to different models, depending on the number of users and the network architecture of each business:
- Distributed caching: the ISA Servers are spread evenly across the network, improving responsiveness for users.
- Hierarchical caching: unlike the model above, the ISA Servers are arranged in tiers and requests are handled by the local ISA Servers first, so responsiveness is higher.
- Hybrid caching: a combination of the two models above.

So, when the Web Cache function is enabled, frequently visited web pages are downloaded automatically so that they can be kept in the RAM or on the hard disk of the ISA Server (the cache), and users who visit such a page again receive the content from the cache rather than from the Internet. However, the content of some search sites should not be cached, because that would produce out-of-date search results; when setting up web caching you should therefore create a cache rule that does not store sites such as www.google.com. In addition, for web sites that users visit regularly to read news, check market prices, follow security news and so on, we can schedule the Web Proxy service to download them in advance outside working hours through the Content Download Job function.

1. Enable Web Caching: Open the ISA Management Console, choose Cache under Configuration and click Define Cache Drives (enable caching). Specify the NTFS partition to be used for storing web page content and the cache size, for example 20 MB, click Set and then OK. After you click Apply to apply the Web Cache function, a dialog asks whether to restart the Firewall Services or to save the changes without restarting; choose Save the changes and restart the services and click OK.

2. Create a cache rule that does not store content from www.google.com: In the Task Pane choose Create a Cache Rule. Enter the name No Google Cache in the New Cache Rule Wizard. In the cache rule destination we need to specify the web site that should not be cached: choose Add, click New and choose URL Set from the menu, enter the name Google, then choose New and enter the address http://www.google.com. Click OK to return to the Add New Network Entities window, open URL Sets and choose Google. Click Next to continue, accept the default values on the next screen, then click Next and choose Never, no content will ever be cached. Finally click Finish to complete the setup. Our ISA Server 2004 now has web caching enabled to save bandwidth, while the content of search sites such as Google is not stored. At this point we can review the newly created policy in the management interface and click Apply to apply it.

3. Configure a Content Download Job: Suppose users on the system often visit the web site www.security365.org to read the latest information about viruses and security vulnerabilities; we therefore configure ISA Server to download this site automatically in advance at a set day and time of the week to improve efficiency. Click Content Download Job and, in the Tasks Pane, choose Schedule a Content Download Job. A message appears as shown in the figure below. Choose Yes, then name the Content Download Job SecureSolution and click Next to define the schedule for the job. Click Next and enter the address of the web site to download in Download content from this URL; in this case we enter www.security365.org. Accept the default values in the remaining steps to finish.
Backing up and restoring the ISA Server 2004 Firewall configuration

In large systems with many departments and employees, where each department requires its own access policies, the number of policies becomes large and hard to manage. To keep the system running stably we therefore need to back up the policies fully so that they can be restored when an incident occurs. We can back up the whole ISA Server or only certain firewall policies. The following procedure backs up the whole ISA Server.

Open the ISA Management Console, select the server name (ISA) and click Backup the ISA Server Configuration in the Tasks Pane. Next, name the backup file (preferably in the form X-XX-XXXX, the day-month-year of the backup, so that it is easy to identify when restoring), choose where to store it and click Backup. A dialog appears asking for a password for the backup file; enter a password and click OK, and wait for the backup to finish.

To test it, you can delete some or all of the firewall policies on your system, then choose Restore this ISA Server Configuration in the Tasks Pane, select the backup file, choose Restore and enter the password that was set for this file. After the restore finishes we can check that the system's earlier policies have been fully restored.

To back up only a particular firewall policy, we proceed in the same way using the Export Firewall Policy function in the Task Pane.

Setting up a DMZ and publishing servers through ISA

One security term that attracts a lot of interest is DMZ (Demilitarized Zone). In the real world the term refers to a "demilitarized" area; in a computing environment the DMZ is the zone reserved for "outward-facing" servers (such as a web server) that outside (Internet) users are allowed to access. Because the DMZ is completely separated from the Internal system, Internet users accessing these servers do not affect or endanger the internal computers and data. In addition, placing servers in the DMZ prevents direct interaction between inside users and outside users. In the traditional sense of a DMZ, requests from inside users to the "outward-facing" servers must pass through the DMZ first and only then reach the internal firewall. Nowadays, however, the term DMZ also covers the situation where inside users connect to a firewall/router and the request is then forwarded to the servers in the DMZ according to the firewall policy, which is the approach we apply below on ISA Server to build a DMZ containing a mail server and a web server.

1. Create the DMZ: In the Network section choose Create a New Network, name it DMZ and choose Next, then choose Perimeter Network (we can create as many networks as we like, unlike ISA 2000, which had only 3; this is an improvement in ISA Server 2004). After you click Next the Network Address window appears; choose Add Adapter to select the network card for the DMZ. Click OK and the network address for the DMZ appears as in the figure below (you can change it to suit your system), then choose Next and Finish to complete. After you click Apply to apply it to the system, the Network section shows a DMZ network separate from the Internal system; you can place an Exchange mail server or an Apache web server in this network.

2. Publish the Exchange Server in the DMZ: As an example, the company has an Exchange Server with the address 172.16.1.10 in the DMZ. For users on the Internet to be able to reach the mail server to send and receive mail, we need to "publish" it (allow access from the Internet) through our ISA Firewall.
Open the ISA Management Console, choose Firewall Policy, and in the Task Pane click Publish a Mail Server to display the New Mail Server Publishing Rule Wizard. Name the publishing rule and choose Next. In the Select Server Type window choose Server-to-server communication: SMTP, NNTP. Choose Next, and in Select Services tick SMTP. In the next window enter the address of the mail server in the DMZ, here 172.16.1.10. Finally, specify the network that is allowed to connect to the mail server; in this case the users are on the Internet, so choose the External network and click Next, then choose Finish to complete publishing the mail server. Note that email access also requires other protocols such as DNS, POP or RPC. We may therefore need to allow DNS requests from the mail server to the Domain Controller (with integrated DNS) on the Internal network, or to the ISP's DNS servers.

Configuring Remote Access VPN on ISA Server

Besides managing Internet access, publishing Web/Mail servers and caching, we can use ISA Server as a VPN server that provides remote access connections so that internal users can reach resources on the internal network. For example, the company has sales staff who use laptops and need to access the LAN through the VPN server to check mail, run customer management programs or update reports. The steps to configure Remote Access VPN on ISA 2004 are as follows.

Open the ISA Management Console, choose Virtual Private Network (VPN), then choose Verify that VPN Client Access is Enabled. Tick Enable VPN client access and set Maximum number of VPN clients allowed to 9 (the maximum number of VPN clients that can be connected at the same time), then click OK and Apply the new policy to the firewall.

For VPN clients to connect successfully, create a VPN group on the domain controller and grant Allow access on the Dial-in property to the users in the VPN group. Log on to the system's Domain Controller and choose Start -> Administrative Tools -> Active Directory Users and Computers. Right-click the Users container and choose New -> Group. Add the users from the sales department (those who need VPN access) to the VPN group, for example Joe Franks. In Joe Franks's properties choose the Dial-in tab and tick Allow access. Return to the ISA Server management screen that we have open on ISA1 and choose Specify Windows Users in the VPN Client list, click Add and choose the VPN users group we created.

The next task in allowing VPN clients to connect is configuring IP addresses for them. There are two ways: use DHCP to assign dynamic IP addresses to the clients, or use a static pool to assign their addresses, as follows: in the Tasks Pane click Define Address Assignment, choose Static address pool and enter the address range. Click OK, confirm once more and restart the computer.

Finally, create an access rule that lets VPN clients reach internal resources after they have connected to the VPN server. Choose Firewall Policy and choose Create New Access Rule, naming it VPN Client full access to Internal. Click Next and choose Allow; in the next window choose All outbound traffic. Because the access rule allows VPN clients to access internal resources, specify the traffic source as VPN Clients in the Network section. In the destination box, choose Internal in the Network section, and accept the default values in the remaining steps to finish. ISA Server is now ready for VPN connections: you only need to create VPN connections to the Outside address of the firewall, connect, and access the internal system's resources.

A demonstration file of the ISA Server installation can be downloaded from http://www.security365.org/downloads/demo/ISA2004.rar.
A trial version of ISA Server 2006 is now available; you can download it from http://www.microsoft.com/isaserver/2006/beta.mspx.
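The access-rule ordering explained earlier in this article (processing stops at the first rule that matches) can be checked mechanically. The following is an added example, not code from the article or from ISA Server: the rule names come from the article, while the Python model, the helper names and the two orderings of the deny MSN and AIM rule are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AccessRule:
    name: str
    action: str                     # "allow" or "deny"
    protocols: Optional[frozenset]  # None = every protocol


def rule(name, action, *protocols):
    """Build a rule; giving no protocols means the rule applies to all of them."""
    return AccessRule(name, action, frozenset(protocols) or None)


def matches(r, protocol):
    return r.protocols is None or protocol in r.protocols


def evaluate(rules, protocol):
    """First match wins: return the first rule, in list order, that matches."""
    for r in rules:
        if matches(r, protocol):
            return r
    raise ValueError("rule list must end with a catch-all default rule")


def covers(earlier, later):
    """True if 'earlier' matches every protocol that 'later' matches."""
    if earlier.protocols is None:
        return True
    return later.protocols is not None and later.protocols <= earlier.protocols


def shadowed_rules(rules):
    """Return (shadowed, shadowing) name pairs for rules that can never fire.
    Only single earlier rules are considered, not unions of several rules."""
    pairs = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                pairs.append((later.name, earlier.name))
                break
    return pairs


# The five-rule example from the article, in the order given there.
ARTICLE_RULES = [
    rule("Deny HTTP", "deny", "HTTP"),
    rule("Allow HTTP", "allow", "HTTP"),
    rule("Allow FTP", "allow", "FTP"),
    rule("Deny FTP", "deny", "FTP"),
    rule("Deny All", "deny"),
]

# Rule names from the article; both orderings are assumptions made here to
# show why a narrow deny rule must sit above a broad allow rule.
BROAD_ALLOW = rule("Permit any traffic from internal network", "allow")
DENY_IM = rule("deny MSN and AIM", "deny", "AOL Instant Messenger", "MSN Messenger")
DEFAULT = rule("Default Rule", "deny")
DENY_BELOW_ALLOW = [BROAD_ALLOW, DENY_IM, DEFAULT]
DENY_ABOVE_ALLOW = [DENY_IM, BROAD_ALLOW, DEFAULT]

if __name__ == "__main__":
    for proto in ("HTTP", "FTP", "SMTP"):
        hit = evaluate(ARTICLE_RULES, proto)
        print(f"{proto}: {hit.action} by '{hit.name}'")
    print("shadowed:", shadowed_rules(ARTICLE_RULES))
    print("deny below allow:", evaluate(DENY_BELOW_ALLOW, "MSN Messenger").action)
    print("deny above allow:", evaluate(DENY_ABOVE_ALLOW, "MSN Messenger").action)
```

Running a check like `shadowed_rules` over an exported rule list is a quick way to spot deny rules that were added below a broader allow rule and therefore have no effect.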

Configuring the ISA Server 2006 HTTP Filter


Updated at 11:06 on 27/02/2007


This article is an overview of the ISA Server 2006 HTTP Filter and of how to use the HTTP Filter to protect your internal network. We give a high-level overview of the ISA Server 2006 HTTP Filter. We also show how to use the HTTP Filter to protect the internal network against certain kinds of attack in Web server publishing scenarios, and how to stop users from using the "Universal Firewall Bypass Protocol" (HTTP) to tunnel around the firewall. This kind of tunnelling is done by traffic such as Microsoft Live Messenger, Yahoo Messenger and similar applications that are able to use HTTP instead of their native protocols. To fully understand the concepts and technology of the HTTP protocol, you should consult additional references on it. For now, let us start with some basics about the Web filter in ISA Server 2006.

What is a Web filter?

A Web filter in ISA Server 2006 is a set of dynamic link libraries (DLLs) based on the IIS Internet Server Application Programming Interface (IIS ISAPI) model. Web filters in ISA Server 2006 are loaded by the Web Proxy Filter. Whenever a Web filter is used, all information is sent to the Web Proxy Filter. The Web Proxy Filter is responsible for determining which kinds of events are monitored. Each time these events occur, the Web Proxy Filter is notified. The illustration below shows the HTTP Filter add-in in ISA Server 2006.

Figure 1: The add-in that provides the HTTP filter in ISA Server 2006

Functions of the Web filter

The Web filter in ISA Server 2006 is responsible for the following tasks:
- Scanning and modifying HTTP requests.
- Analysing network traffic.
- Scanning and modifying HTTP responses.
- Blocking specific HTTP responses.
- Encrypting and compressing data.

There are many other functions as well, but they are less important, so we do not list them here.

Important: The HTTP Filter in ISA Server 2006 is specific to each rule, except for the maximum header length setting. The maximum header length (Maximum Headers length) applies to all firewall rules with HTTP protocol definitions.

Note: The HTTP Filter in ISA Server 2006 can also filter HTTPS traffic, but only in reverse Web server publishing scenarios that use HTTPS Bridging. If you want to inspect outbound HTTPS through the ISA Server 2006 HTTP filter, you must use software developed by a third party.

Configuring the HTTP Filter

To start configuring the HTTP filter, right-click a rule that contains an HTTP protocol definition and choose Configure HTTP from the context menu.

Figure 2: General settings of the ISA Server 2006 HTTP filter

Request Header
Maximum Headers length (bytes): the maximum number of bytes an HTTP request may have in its URL and HTTP headers before ISA Server blocks the request.

Request Payload
Maximum payload length (bytes): with this option you can limit the maximum number of bytes a user may send in requests such as HTTP POST in a Web server scenario.

URL Protection
Maximum URL Length (Bytes): the maximum length of a URL that is allowed.
Maximum Query length (Bytes): the maximum length of a URL in the HTTP request.

Verify normalization
You can select this check box so that URL path requests containing uppercase characters after lowercase characters and digits are replaced with lowercase. Normalization is the process of decoding URL-encoded requests. After decoding, the URL is normalized again to make sure that nothing is using the % character to encode the URL. If the HTTP Filter finds that the URL differs after the second normalization, the request is rejected.

Block High bit character
URLs that contain double-byte characters (DBCS) or Latin1 characters are blocked if this setting is enabled. Enabling this setting normally blocks languages that require more than 8 bits to represent their characters.

Executables
Block responses containing Windows executable content. This option blocks the download and execution of executable content such as EXE files.

Next, we configure which HTTP methods are allowed or blocked.

Figure 3: HTTP methods

In this example we block the HTTP POST command so that nobody can upload content to external websites.

Figure 4: Blocking executables

With this option you can block or allow specific file extensions in the firewall rule.

Figure 5: Using ISA Server 2006 to block certain file extensions

Block requests containing ambiguous extensions
This option instructs the HTTP filter to block all file extensions that ISA Server 2006 cannot determine. In this example we block access to the .EXE file extension.
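The request-side settings described above (blocked methods, Maximum URL length, Maximum Query length, Verify normalization as decoding twice and comparing, Block High bit character, blocked extensions) can be sketched as follows. This is an added example, not ISA Server code or code from the article; the limit values, function names and sample URLs are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from posixpath import splitext
from urllib.parse import unquote_to_bytes, urlsplit


@dataclass(frozen=True)
class HttpFilterPolicy:
    # Sample values chosen for this example, not exported from an ISA Server.
    max_url_length: int = 10240
    max_query_length: int = 10240
    verify_normalization: bool = True
    block_high_bit: bool = True
    blocked_methods: frozenset = frozenset({"POST"})
    blocked_extensions: frozenset = frozenset({".exe"})


def check_request(method, url, policy=HttpFilterPolicy()):
    """Return the names of the settings a request violates (empty = allowed)."""
    reasons = []
    parts = urlsplit(url)

    if method.upper() in policy.blocked_methods:
        reasons.append("method")
    if len(url.encode("utf-8")) > policy.max_url_length:
        reasons.append("url-length")
    if len(parts.query.encode("utf-8")) > policy.max_query_length:
        reasons.append("query-length")

    # Verify normalization: decode the path, then decode the result again.
    # If the second pass still changes something, the URL carried an escape
    # inside an escape (for example %2541 -> %41 -> A) and is rejected.
    once = unquote_to_bytes(parts.path)
    twice = unquote_to_bytes(once)
    if policy.verify_normalization and once != twice:
        reasons.append("normalization")

    # Block high bit characters: any decoded byte above 0x7F.
    if policy.block_high_bit and any(b > 0x7F for b in once):
        reasons.append("high-bit")

    # The extension check runs on the decoded path and ignores case.
    extension = splitext(once.decode("latin-1"))[1].lower()
    if extension in policy.blocked_extensions:
        reasons.append("extension")
    return reasons


# Constructed sample requests (method, URL) for illustration.
SAMPLES = [
    ("GET", "/docs/about.html"),      # allowed
    ("POST", "/upload"),              # blocked method
    ("GET", "/docs/%2541bout.html"),  # changes on second decode
    ("GET", "/caf%E9/menu.html"),     # Latin-1 byte 0xE9 after decoding
    ("GET", "/files/setup.EXE"),      # blocked extension, any case
    ("GET", "/report/100%25.html"),   # encoded percent sign, stable on 2nd decode
    ("GET", "/sale/50%25ab.html"),    # legitimate, but '%ab' decodes again
]

if __name__ == "__main__":
    for method, url in SAMPLES:
        print(f"{method:4} {url:24} -> {check_request(method, url) or 'allowed'}")
```

The last sample shows the false positive to expect from this check: a legitimate URL with an encoded percent sign followed by two hex digits is rejected, so sites that use such names need the setting reviewed per rule.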

Figure 6: Blocking the .EXE file extension

Controlling HTTP headers

When a Web client sends a request to a Web server, or a Web server answers a request, the first part of the message is an HTTP request or HTTP response. After the HTTP request or HTTP response, the client or server sends the HTTP headers. The request header fields let the client send additional information to the server. The HTTP headers contain information about the browser, the operating system and authorization details. The client header uses the User-Agent attribute to identify which application is responsible for the request. With the help of the HTTP Filter, you can block particular HTTP headers if you wish.

Figure 7: The Headers section of the HTTP Filter

The settings in the Server Header field give the administrator the ability to remove HTTP headers or modify the HTTP header in the response, along with some other settings. In the example below we use the HTTP header feature in ISA Server 2006 to block Kazaa, whose identifying information is in the request header.

Figure 8: Blocking Kazaa

Signatures in the HTTP Filter

An HTTP signature can exist in the HTTP body or in the HTTP headers. You can use HTTP signatures to deny specific applications. To find a particular HTTP signature, you must know which signature is used by which application. Some documents on the Internet provide more information about HTTP signatures, but you can also use a network sniffer to determine these signatures. I will show how to use a network sniffer further below.

Important: HTTP signature filtering in ISA Server 2006 only works when the requests and responses are UTF-8 encoded.

Figure 9: Blocking HTTP signatures

In the example below we block access for the Windows Live Messenger protocol.

Figure 10: Blocking Windows Live Messenger

Further references on application signatures are available if you want to know more.

Important: ISA Server 2006 inspects only the first 100 bytes of the request and response body. You can increase the maximum number of bytes, but this may reduce server performance.

HTTP error message when the HTTP Filter blocks content

Figure 11: HTTP Filter access message

How to find specific HTTP headers

To find HTTP signatures that are not yet known, you can use a network sniffer such as Windows Netmon 3.0 to capture HTTP network traffic. The illustration below shows a sample network capture in Microsoft Netmon 2.0, but you can use any other network monitoring program, such as Wireshark (formerly Ethereal).

Figure 12: Netmon HTTP capture

This example shows the request type (GET), the HTTP request header (HTTP/1.1), the User-Agent (Mozilla/4.0) and the signature (MSIE 6.0).

HTTPFILTERCONFIG.VBS

You can use HTTPFILTERCONFIG.VBS from the directory C:\PROGRAMME\MICROSOFT ISA SERVER 2006 SDK\SDK\SAMPLES\ADMIN of the ISA Server 2006 SDK to import and export HTTP Filter configurations.

Figure 13: HTTPFILTERCONFIG.VBS from the ISA 2006 SDK

Conclusion

In this article we have looked at how the ISA Server 2006 HTTP filter works. The HTTP Filter in ISA Server 2006 is a great tool for blocking certain dangerous content, protecting against malicious code, Trojans and worms. You can also use the HTTP Filter to block specific HTTP signatures. Blocking these signatures helps the administrator restrict certain kinds of application, such as Windows Live Messenger. These applications are tunnelled through HTTP when their normal protocol is blocked by restrictions in the firewall.
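The signature matching described in this article, including the limit of the first 100 bytes of the body, can be modelled to see what a given byte range does and does not inspect. This is an added example, not ISA Server code or code from the article; apart from the "MSIE 6.0" User-Agent token read from the capture above, the signature names, the body marker and the sample requests are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    search_in: str      # "request_headers" or "request_body"
    pattern: bytes
    header: str = ""    # header to search when search_in == "request_headers"


def parse_request(raw: bytes):
    """Split a raw HTTP request into (request line, headers dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii", "replace")] = value.strip()
    return lines[0].decode("ascii", "replace"), headers, body


def match_signatures(raw: bytes, signatures, body_window: int = 100):
    """Return the names of the signatures found. Body signatures are searched
    only in the first body_window bytes, mirroring the 100-byte default."""
    _, headers, body = parse_request(raw)
    hits = []
    for sig in signatures:
        if sig.search_in == "request_headers":
            haystack = headers.get(sig.header.lower(), b"")
        else:
            haystack = body[:body_window]
        if sig.pattern in haystack:
            hits.append(sig.name)
    return hits


def required_window(raw: bytes, pattern: bytes):
    """Smallest body byte range that exposes pattern, or None if it is absent.
    Run this over captured sample traffic when tuning the byte range."""
    _, _, body = parse_request(raw)
    offset = body.find(pattern)
    return None if offset < 0 else offset + len(pattern)


SIGNATURES = [
    # "MSIE 6.0" is the User-Agent token read from the capture in the article.
    Signature("ua-msie6", "request_headers", b"MSIE 6.0", header="User-Agent"),
    # Constructed body marker standing in for an application's signature.
    Signature("im-body", "request_body", b"EXAMPLE-IM-HANDSHAKE"),
]

# Constructed sample requests.
HEAD = (b"POST /gateway HTTP/1.1\r\n"
        b"Host: example.test\r\n"
        b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n\r\n")
REQ_EARLY = HEAD + b"EXAMPLE-IM-HANDSHAKE v1"           # marker at body offset 0
REQ_LATE = HEAD + b"x" * 120 + b"EXAMPLE-IM-HANDSHAKE"  # marker at body offset 120

if __name__ == "__main__":
    print("early:", match_signatures(REQ_EARLY, SIGNATURES))
    print("late, 100-byte window:", match_signatures(REQ_LATE, SIGNATURES))
    print("window needed:", required_window(REQ_LATE, b"EXAMPLE-IM-HANDSHAKE"))
```

When a body signature taken from a capture sits beyond the inspected range, the rule does not match, so the byte range should be checked against real captures of the application being blocked.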

http://forums.2it.in/threads/16373-ISA-server-l -g http://www.hvaonline.net/hvaonline/posts/list/15345.hva
I hear a lot about ISA Server but don't know what it is used for! Does it speed up the browser, or what? If anyone knows, please explain.... Post the details!

kengmost (Member)
Posted: 14/09/2005 at 04:34


ISA Server is a dedicated program for sharing the Internet connection of a networked server with the client machines on the same LAN. Besides Internet sharing it has quite a few other uses, such as preventing a particular client on the LAN from accessing the Internet, or blocking adult and other objectionable websites when clients try to reach them. Normally, when you install Windows XP or later, the machine already has built-in support for sharing its Internet connection with other machines on the same LAN. But if you want the Internet connection to run more stably or want better security, use ISA Server, which handles Internet sharing better.... Good luck


nasaka (Active member)
Posted: 14/09/2005 at 05:38

Uh, today I came across a machine with that program installed! But they used an IP proxy connection..... rather than LAN auto......... so how do the two differ?......... Please explain it to me, thanks!


kengmost (Member)
Posted: 21/09/2005 at 00:25

Ah, when you install ISA it also supports a proxy. That is, you find a free proxy server online and use it for the server, and when you use ISA to share the Internet with the client machines, the clients also go online through the proxy IP. The connection principle is: connect to the server holding the proxy IP first, and only then go on to the addresses you want to reach. When you access the Internet through a proxy you can hide your real IP address while browsing the web.

http://hp-aptech.edu.vn/hpa/networking/archive/2009/01/08/l-234-n-k-ho-ch-gi-225-m-s225-t-isa-server-ph-n-ii-alert.aspx
What is ISA, and what is it used for?

What is ISA?

Microsoft Internet Security and Acceleration Server (ISA Server) is Internet-sharing software from the well-known software company Microsoft. It can be described as fairly effective, stable and easy-to-configure Internet-sharing software with a good firewall and many features that let you configure it to suit your LAN. It is fast thanks to intelligent caching: the cache is kept in RAM (Random Access Memory), which gives you faster access to information, and Schedule Cache lets you schedule automatic downloads of content from web servers into the cache, so that client machines only need to fetch that content over the LAN. There are many other features besides.

The latest version of ISA is 2006. The outstanding features of the 2006 version compared with 2004 are Publishing and VPN (features that our Vietnamese businesses seldom use).

Publishing Service capabilities
- ISA 2006 can generate the forms itself when a user accesses an OWA site, thereby supporting form-based authentication and keeping unauthorized users out of the OWA website. This feature is developed as an add-in.
- Publishes Terminal Server using RDP over SSL, ensuring that the data in the session (including the password) is encrypted over the Internet.
- Blocks non-encrypted MAPI connections to Exchange Server, so that users' Outlook connects securely to Exchange Server.
- Many wizards let the administrator publish internal servers to the Internet securely, including new products such as Exchange 2007.

VPN connectivity
- Provides a wizard for automatically configuring site-to-site VPN between 2 separate offices. Of course, anyone who prefers to configure each endpoint by hand can do so. Fully integrated Quarantine.
- Stateful filtering and inspection (already familiar), full checking of the conditions on the VPN connection, site to site, SecureNAT for VPN clients, ...
- Can also publish another VPN server in the intranet to the Internet; supports PPTP, L2TP/IPSec, and IPSec tunnel site-to-site (with other VPN products).

Management
- Easy to manage
- Many wizards
- Simple backup and restore.
- Allows administration to be delegated to users/groups
- Detailed, specific logs and reports.
- Configure in one place, run everywhere (ISA Enterprise)
- Adding a server to the array is easy (not difficult as in the days of ISA 2000, 2004)
- Integrates with Microsoft's management solution: MOM
- SDK

Other features
- Supports multiple CPUs and RAM (the Standard edition supports up to 4 CPUs, 2 GB RAM)
- Max 32-node Network Load Balancing
- Supports multiple networks
- Route/NAT per network
- Varied firewall rules
- IDS
- Flood Resiliency
- HTTP compression
- DiffServ

Source: http://itn.com.vn/forum/showthread.php?t=218

ISA SERVER 2006 INSTALLATION GUIDE


chantroitinhoc on Fri Feb 22, 2008 6:24 am

What is ISA Server?

Microsoft Internet Security and Acceleration Server (ISA Server) is Internet-sharing software and also firewall software from Microsoft that is quite well known and quite widely used. It can be described as fairly effective, stable and easy-to-configure Internet-sharing software with a good firewall and many features that let you configure it to suit your LAN. It is fast thanks to intelligent caching: the cache is kept in RAM (Random Access Memory), which gives you faster access to information, and Schedule Cache lets you schedule automatic downloads of content from web servers into the cache, so that client machines only need to fetch that content over the LAN. There are many other features besides.

The outstanding features of the 2006 version compared with 2004 are Publishing and VPN (features that our Vietnamese businesses seldom use).

Publishing Service capabilities

- ISA 2006 can generate the forms itself when a user accesses an OWA site, thereby supporting form-based authentication and keeping unauthorized users out of the OWA website. This feature is developed as an add-in.
- Publishes Terminal Server using RDP over SSL, ensuring that the data in the session (including the password) is encrypted over the Internet.
- Blocks non-encrypted MAPI connections to Exchange Server, so that users' Outlook connects securely to Exchange Server.
- Many wizards let the administrator publish internal servers to the Internet securely, including new products such as Exchange 2007.

VPN connectivity

- Provides a wizard for automatically configuring site-to-site VPN between 2 separate offices. Of course, anyone who prefers to configure each endpoint by hand can do so. Fully integrated Quarantine.
- Stateful filtering and inspection (already familiar), full checking of the conditions on the VPN connection, site to site, SecureNAT for VPN clients, ...
- Can also publish another VPN server in the intranet to the Internet; supports PPTP, L2TP/IPSec, and IPSec tunnel site-to-site (with other VPN products).

Management

- Easy to manage
- Many wizards
- Simple backup and restore.
- Allows administration to be delegated to users/groups
- Detailed, specific logs and reports.
- Configure in one place, run everywhere (ISA Enterprise)
- Adding a server to the array is easy (not difficult as in the days of ISA 2000, 2004)
- Integrates with Microsoft's management solution: MOM
- SDK

Other features

- Supports multiple CPUs and RAM (the Standard edition supports up to 4 CPUs, 2 GB RAM)
- Max 32-node Network Load Balancing
- Supports multiple networks
- Route/NAT per network
- Varied firewall rules
- IDS
- Flood Resiliency
- HTTP compression
- DiffServ

To learn how to configure it, click the following link, ISA SERVER 2006 INSTALLATION GUIDE, for detailed instructions!

Simulated scenario: Suppose we now install ISA. The server running ISA is also the DC (Domain Controller) and has 2 network cards. Card 1 connects to the internal network with IP address 10.202.1.250/8, default gateway 10.202.1.250 (the DC's address), and DNS also 10.202.1.250. Card 2 connects to the Internet; it is wired directly to the modem with the following addresses: IP 10.202.1.251, gateway 10.202.1.1 (the modem's address), and the DNS of vnn.

Then configure ISA as follows:

Open the ISA Server program for Internet access.

- Click Firewall Policy->New->Access Rule.

- Enter the Rule name, click Next.

- Select Allow, click Next.

- Select All outbound traffic, click Next.

- On Access Rule Sources, select Local Host, click Add.

- Click Next.

- Select External, click Next.

- Select All Users, click Next.

- Click Finish to complete.

- Apply.

The server can now reach the Internet. But with this configuration you will run into the following problems:
+ Client machines cannot join the domain (although DHCP works normally).
+ No client machine on the network can reach the server, and names can no longer be resolved through DNS, so the clients cannot reach the Internet either.

Fixing the problems above:
+ The cause is simple: the configuration allows only Local Host, so the internal subnet is not yet allowed. We therefore have to add the Internal network.
+ If that does not solve it, remove ISA and reinstall.
+ In particular, do not install ISA Server on the DC. Doing so is very dangerous for the server.
+ The configuration steps will be described next time.

http://www.quantrimang.com.vn/hethong/lan-wan/61772_Tao-may-chu-Server-2008-SSLVPN-bang-ISA-2006-Firewalls-P-1.aspx

http://vnexpress.net/GL/Vi-tinh/Kinh-nghiem/2003/04/3B9C6EE6/

Blocking Web Access in ISA Server 2006


There are countless threats outside the network that will try to gain access to and exploit internal network resources whenever they get the chance. In general, the firewall is the network's main shield, blocking unwanted traffic and unauthorized access. For that reason many organizations use ISA Server 2006 to head off potential security problems.

External threats are not the only concern, however. A network always has many users, and you cannot be sure that none of them visit websites unrelated to work; in the worst case, visiting a malicious website damages system resources. Most organizations have policies that restrict what users may do when they access the Internet with company computers. Administrators have to monitor and control that access, and may block access to malicious or inappropriate sites.

Domain Name Sets in ISA Server 2006

Several approaches can be applied to these situations, but this article concentrates on using Domain Name Sets and URL Sets to block access to dangerous or inappropriate sites. Domain Name Sets can be used to block access for all ISA Server client types. However, only Web Proxy and Firewall clients can be controlled at the group or user level.

Domain Name Sets let you block access to a site completely, for example espn.com. If you create a Domain Name Set with the entry *.espn.com, you block users from every site in the espn.com domain. In the same way, you can create several Domain Name Sets to block access to several different domains.

Domain Name Sets can also block access at a more specific level by naming a particular server in the domain. For example, you can create an entry for www3.espn.com to block access to the www3 server while still allowing access to the rest of the espn.com domain.

Domain Name Sets apply to every protocol and every client type. This means that once a Domain Name Set entry is created, all traffic to that domain is blocked regardless of the ISA Server 2006 client type. If you only care about Web connections, and not about the network protocol, you can use URL Sets instead of Domain Name Sets to block access.

URL Sets in ISA Server 2006

URL Sets are like Domain Name Sets except that URL Sets block access only for web connections. For a URL Set to take effect, the connection must use HTTP or HTTPS (FTP on a machine configured as a Web Proxy client can also be blocked) and must be handled by the Web Proxy filter.

For example, you can create a URL Set with an entry for hotmail.com and a rule that blocks access to hotmail.com using all protocols. Every attempt to reach hotmail.com with a browser will be blocked, but users with a configured SMTP or POP3 client will still be able to retrieve mail from hotmail.com, because the URL Set applies only to HTTP, HTTPS and FTP access through the Web Proxy.

Always keep the difference between Domain Name Sets and URL Sets in mind. URL Sets let you restrict access by blocking HTTP and HTTPS traffic to the chosen URL, provided the connecting client uses those protocols through the Web Proxy filter. Domain Name Sets, by contrast, block all access to the domain whatever the protocol.

Creating the Access Rule

Domain Name Sets and URL Sets have to be used through Access Rules. You can create a Domain Name Set or URL Set as part of the Access Rule wizard. Follow the steps below to create an Access Rule and the associated Domain Name Set or URL Set to block access:

1. Open the ISA Server 2006 Management Console.
2. Expand the server name and select Firewall Policy.
3. Click the Tasks tab in the Task Pane.
4. Select Create a New Access Rule.
5. Enter a name for the Access Rule (for example Block ESPN) and click Next.
6. Select Deny on the Rule Action page and click Next.
7. On the Protocols page, choose according to whether you are creating a Domain Name Set or a URL Set. For a Domain Name Set, select All Outbound Traffic. For a URL Set, select Selected Protocols and then select HTTP and HTTPS.
8. Click Next.
9. Click the Add button on the Access Rule Sources page.
10. Click Networks and select Internal. Then click Close.
11. Click Next.
12. Select Add on the Access Rule Destinations page.
13. On the Add Network Entities page, select Domain Name Set or URL Set.
14. Then enter a name for the Domain Name Set or URL Set in the dialog box that appears.
15. Click New and enter the domain name you want to block. For example *.espn.com.
16. Click OK.

Remember that Access Rules are processed in order. You need to move the new Access Rule and every other Deny rule to the top of the list so that the deny rules are processed first and only then the rules that allow access.
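The difference between the two set types and the effect of rule order, as an added example that is not ISA Server's own code: a small first-match rule evaluator in which a Domain Name Set matches on host name for any protocol, while a URL Set matches only HTTP/HTTPS requests handled by the Web Proxy filter. The class names, glob matching, the entry syntax for the URL Set and the host pop3.hotmail.com are assumptions of the model.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

WEB_PROTOCOLS = frozenset({"HTTP", "HTTPS"})


@dataclass(frozen=True)
class Request:
    protocol: str                # "HTTP", "HTTPS", "POP3", ...
    host: str
    path: str = "/"
    via_web_proxy: bool = False  # handled by the Web Proxy filter?


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    dest_kind: str               # "external", "domain_set" or "url_set"
    entries: tuple = ()
    protocols: frozenset = frozenset()  # empty means all outbound traffic


def rule_matches(rule: Rule, req: Request) -> bool:
    if rule.protocols and req.protocol not in rule.protocols:
        return False
    host = req.host.lower()
    if rule.dest_kind == "external":
        return True
    if rule.dest_kind == "domain_set":
        # Any protocol, any client type: only the host name is compared.
        return any(fnmatchcase(host, e.lower()) for e in rule.entries)
    if rule.dest_kind == "url_set":
        # Only web requests that pass through the Web Proxy filter.
        if req.protocol not in WEB_PROTOCOLS or not req.via_web_proxy:
            return False
        url = host + req.path.lower()
        return any(fnmatchcase(url, e.lower()) for e in rule.entries)
    raise ValueError(f"unknown destination kind: {rule.dest_kind}")


def evaluate(rules, req: Request):
    """First matching rule wins; nothing matching falls to a default deny."""
    for rule in rules:
        if rule_matches(rule, req):
            return rule.action, rule.name
    return "deny", "Default rule"


# Constructed rule objects mirroring the article's examples.
ALLOW_OUT = Rule("Allow outbound", "allow", "external")
BLOCK_ESPN = Rule("Block ESPN", "deny", "domain_set", ("*.espn.com",))
BLOCK_WWW3 = Rule("Block www3", "deny", "domain_set", ("www3.espn.com",))
BLOCK_HOTMAIL = Rule("Block Hotmail web", "deny", "url_set",
                     ("hotmail.com/*", "*.hotmail.com/*"), WEB_PROTOCOLS)


def demo():
    espn = Request("HTTP", "www.espn.com", "/", via_web_proxy=True)
    www3 = Request("HTTP", "www3.espn.com", "/", via_web_proxy=True)
    browser = Request("HTTPS", "www.hotmail.com", "/mail", via_web_proxy=True)
    pop3 = Request("POP3", "pop3.hotmail.com")
    return {
        # Deny rule placed below the allow rule is never reached.
        "espn, allow listed first": evaluate([ALLOW_OUT, BLOCK_ESPN], espn),
        "espn, deny listed first": evaluate([BLOCK_ESPN, ALLOW_OUT], espn),
        # A single-host entry leaves the rest of the domain reachable.
        "www3 with host entry": evaluate([BLOCK_WWW3, ALLOW_OUT], www3),
        "www with host entry": evaluate([BLOCK_WWW3, ALLOW_OUT], espn),
        # The URL Set stops the browser but not the mail client.
        "hotmail via browser": evaluate([BLOCK_HOTMAIL, ALLOW_OUT], browser),
        "hotmail via POP3": evaluate([BLOCK_HOTMAIL, ALLOW_OUT], pop3),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:26} -> {verdict}")
```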

The posts in this topic draw on Microsoft's Training Kit 70-350.

What is Microsoft Internet Security and Acceleration (ISA) Server 2004, and how will it help our business or organization? In most cases, when learning a new technology, we want to see the big picture first, so that we can form an idea of how the technology works and what benefits it brings before going into the details of deploying and managing it. So I will introduce a few of the things most of us care about first with MS ISA Server 2004, after which you can decide whether to keep following this topic.

ISA Server is designed primarily to work as a firewall, ensuring that all unwanted traffic from the Internet is stopped outside the organization's network. At the same time, ISA Server can give users inside the organization's network selective access to Internet resources, and give users on the Internet access to resources inside the organization's network, such as the organization's Web or Mail server, in accordance with the ISA Server rules. You can picture ISA Server as deployed on the perimeter around the organization's network, the place where that network connects to another, outside network (such as the Internet).

We will look at the following in turn:

- Overview of the functions of MS ISA Server 2004
- The editions of MS ISA Server 2004
- Deployment models for MS ISA Server 2004
- Overview of administering an MS ISA Server 2004 system

OVERVIEW OF THE FUNCTIONS OF MS ISA SERVER 2004

ISA Server is an effective tool within an overall plan for securing the organization's network. The role of ISA Server is critical, because it is deployed at the point where the organization's internal network connects to the Internet. Most organizations provide some level of Internet access to their users. ISA Server can enforce security policies that give users the kinds of Internet access they are permitted. At the same time, many organizations also give remote users some form of access to servers inside the organization's network. For example, many companies allow Mail servers on the Internet to connect to the Mail server in the company network in order to send e-mail out to the Internet. ISA Server is used to make sure that such access is secured.

How ISA Server 2004 works

ISA Server is designed to protect the perimeter of the organization's network. In most cases this perimeter lies between the organization's local area network (LAN) and a public network (such as the Internet). The figure below gives a simple example of an ISA Server deployment.

Figure 1.

The internal network, also called the protected network, is usually located inside the organization and is supervised by the organization's IT staff. The internal network is regarded as relatively secure; that is, normally only authenticated users have physical access to it. In addition, the IT staff can decide which kinds of traffic are allowed on the internal network.

Even though the internal network is safer than the Internet, you should not make the mistake of thinking that you only need to protect the network perimeter. To protect your network fully, you have to plan a defense in depth, made up of several steps that keep your network safe even when the perimeter is breached. Many recent network attacks, such as viruses and worms, have devastated networks that had a secure perimeter. ISA Server is essential for protecting the network perimeter, but do not think that your work is done once ISA Server is deployed.

An organization has no control over who accesses the Internet or over the security of network traffic on the Internet. Anyone in the world with an Internet connection can locate and access other Internet connections using almost any protocol and application. In addition, network packets sent across the Internet are not secure, because they can be captured and read by anyone running a packet sniffer on a segment of the Internet. A packet sniffer is an application you can use to capture and view all the traffic on a network; the condition for capturing the traffic is that the packet sniffer must be connected to the network segment between two routers.

The Internet is an incredible and fascinating invention. You can find a great deal of useful information on it. You can meet other people, share your interests with them and communicate with them. But the Internet is also a dangerous place, for the simple reason that anyone can access it. For example, the Internet cannot tell who is an ordinary harmless user and who is a cybercriminal or vandal; both have access to the Internet. This means that, sooner or later, once your organization creates a connection to the Internet, that connection is exposed to anyone connected to the Internet. That may be a legitimate user looking for information on the organization's website, or it may be an attacker trying to deface all the data on the website or to steal customer data from your organization. Because that is the very nature of the Internet, securing it is almost impossible. So the best first step in protecting your Internet connection is to treat every user who connects to you as hostile until their identity has been proven.

Figure 1 showed a simple example of a network configuration in which the boundary between the internal network and the Internet is easy to define. In reality, defining the boundary between the organization's internal network and the rest of the world is far from simple. Figure 2 shows something more complex, but more realistic and more dramatic.


Figure 2.

The network perimeter has become harder to define in the scenario of Figure 2. This scenario also makes securing the Internet connection much more difficult. Even so, ISA Server is designed to provide the security required at the network perimeter. For example, in the scenario of Figure 2, ISA Server can secure the perimeter by doing the following:

- Allow anonymous access to the public website while filtering out malicious code aimed at harming the website.
- Authenticate users from a partner organization before granting access to the private website.
- Allow VPN access between different geographic locations, so that branch-office users can reach resources on the internal network.
- Allow remote employees to access the internal Mail Server, and allow VPN clients to access the internal File Server.
- Enforce the organization's Internet access policy to limit the protocols available to users, and filter each request to make sure users are accessing only permitted Internet resources.

In the next post we will look at the firewall function of ISA Server...
Last edited by Ryan, 19-12-2008 at 11:21 AM

#2 13-09-2008, 11:13 AM
Ryan (V.I.P)

ISA Server working as a firewall

A firewall is a device placed between one network segment and another network segment within a network. A firewall is configured with traffic-filtering rules that define which kinds of network traffic are allowed through. A firewall can be placed and configured to protect the organization's network, or placed inside it to protect a particular zone of the network.

In most cases the firewall is deployed at the network perimeter. Its main function in that case is to ensure that no traffic from the Internet can reach the organization's internal network unless it is permitted. For example, your organization has an internal Web Server that Internet users need to reach. The firewall can be configured so that traffic from the Internet is allowed to reach only that Web Server.

Functionally, ISA Server is a firewall. By default, when you deploy ISA Server, it blocks all traffic between the networks it serves, including the internal network, the DMZ(*) and the Internet. ISA Server 2004 uses 3 kinds of filtering rules to block or allow network traffic: packet filtering, stateful filtering and application-layer filtering.

Packet Filtering

Packet filtering works by examining the header information of each network packet that arrives at the firewall. When a packet arrives at the ISA Server network interface, ISA Server opens the packet header and checks its information (source and destination address, source and destination port). ISA Server compares this information with the firewall rules, which define which packets are allowed. If the source and destination addresses are allowed, and the source and destination ports are allowed, the packet passes through the firewall to its destination. If the addresses and ports are not exactly what is allowed, the packet is dropped and does not pass through the firewall.

Stateful Filtering

Stateful filtering examines a network packet more thoroughly before deciding whether to let it through. When ISA Server performs stateful inspection, it examines the Internet Protocol (IP) and Transmission Control Protocol (TCP) headers to determine the state of a packet in the context of the packets that have previously passed through ISA Server, or in the context of a TCP session.

For example, a user on the internal network can send a request to a Web Server on the Internet. The Web Server answers the request. When the returning packet reaches the firewall, the firewall inspects the TCP session information (which is part of the packet). The firewall determines that the packet belongs to an active session that was initiated by a user on the internal network, so the packet is forwarded to that user's computer. If a user outside the network tries to connect to a computer inside the organization's network, and the firewall determines that the packet does not belong to a currently active session, the packet is dropped.

Application-Layer Filtering

ISA Server also uses application-layer filters to decide whether a packet is allowed. Application-layer filtering examines the actual content of the packet to decide whether it may pass through the firewall. The application filter opens the whole packet and examines the actual data inside it before deciding to let it through.

For example, a user on the Internet can request a page from the internal Web Server using the GET command of HTTP (Hypertext Transfer Protocol). When the packet reaches the firewall, the application filter inspects the packet and detects the GET command. The application filter checks its policy to decide. If a user sends a similar packet to the Web Server, but uses the POST command to write information to the Web Server, ISA Server again inspects the packet. ISA Server sees the POST command and, based on its policy, decides that this command is not allowed, and the packet is dropped.

The HTTP application filter supplied with ISA Server 2004 can check any information in the data, including virus signatures, the length of the Uniform Resource Locator (URL), the content of page headers and file extensions. Besides the HTTP filter, ISA Server has other application filters for securing other protocols and applications.

Today's software firewalls perform packet and stateful filtering. However, many firewalls are not capable of application-layer filtering, and application-layer filtering has become one of the essential components of securing the network perimeter.

For example, assume that every organization allows HTTP traffic (port 80) from the internal network to the Internet. As a result, many applications can now work over HTTP, such as Yahoo! Messenger and some peer-to-peer file-sharing applications like KaZaA. HTTP traffic can also carry viruses and malicious code. Blocking unwanted network traffic while still allowing appropriate use of HTTP can only be done by deploying a firewall capable of application-layer filtering. An application-layer firewall can examine the content of packets and block traffic by HTTP method (to block applications) or by signature (to block viruses, malicious code or applications). ISA Server is exactly this kind of sophisticated application-layer firewall, which is why it is essential for protecting the network.

----------------
(*): DMZ (Demilitarized Zone): in the real world this term refers to a "demilitarized" zone; in computing, the DMZ is the zone reserved for "outward-facing" servers (such as a web server) that outside (Internet) users are allowed to reach. We will have occasion to discuss the DMZ further in upcoming posts.
Last edited by Ryan, 19-12-2008 at 11:22 AM
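The three filtering layers described in the post above, as an added example that is not part of the original post and not ISA Server's implementation: each packet passes a stateless address/port check, then a session-table check, then an HTTP method check for the published web server. The addresses, class names and the GET-only policy object are constructed for the illustration, and the session table tracks only the connection 4-tuple, which is a simplification of real TCP state tracking.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("192.168.1.0/24")  # constructed internal network
WEB_SERVER = "172.16.1.10"               # constructed published web server
ALLOWED_METHODS = {b"GET"}               # policy from the post: GET yes, POST no


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = "ACK"   # "SYN" opens a connection
    payload: bytes = b""


def may_open(p: Packet) -> bool:
    """Connections the policy allows to be started."""
    outbound_web = (ip_address(p.src) in INTERNAL
                    and ip_address(p.dst) not in INTERNAL and p.dport == 80)
    published = p.dst == WEB_SERVER and p.dport == 80
    return outbound_web or published


class Firewall:
    def __init__(self):
        self.sessions = set()  # (src, sport, dst, dport) of opened connections

    def packet_filter(self, p: Packet) -> bool:
        """Stateless: looks at addresses and ports only."""
        reply_to_client = p.sport == 80 and ip_address(p.dst) in INTERNAL
        reply_from_server = p.src == WEB_SERVER and p.sport == 80
        return may_open(p) or reply_to_client or reply_from_server

    def stateful_filter(self, p: Packet) -> bool:
        """Non-SYN packets must belong to a session opened earlier."""
        key = (p.src, p.sport, p.dst, p.dport)
        if p.flags == "SYN":
            if may_open(p):
                self.sessions.add(key)
                return True
            return False
        reverse = (p.dst, p.dport, p.src, p.sport)
        return key in self.sessions or reverse in self.sessions

    def application_filter(self, p: Packet) -> bool:
        """Inspects the HTTP method of requests to the published server."""
        if p.dst == WEB_SERVER and p.dport == 80 and p.payload:
            method = p.payload.split(b" ", 1)[0]
            return method in ALLOWED_METHODS
        return True

    def inspect(self, p: Packet):
        checks = (("packet", self.packet_filter),
                  ("stateful", self.stateful_filter),
                  ("application", self.application_filter))
        for layer, check in checks:
            if not check(p):
                return "drop", layer
        return "allow", None


def demo():
    fw = Firewall()
    client, remote, visitor = "192.168.1.20", "203.0.113.7", "198.51.100.9"
    packets = {
        "client SYN": Packet(client, 40000, remote, 80, "SYN"),
        "server reply": Packet(remote, 80, client, 40000, "SYN-ACK"),
        # Looks like a web reply to the stateless filter, but no session exists.
        "unsolicited": Packet(remote, 80, "192.168.1.30", 40001, "ACK"),
        "visitor SYN": Packet(visitor, 50000, WEB_SERVER, 80, "SYN"),
        "visitor GET": Packet(visitor, 50000, WEB_SERVER, 80, "ACK",
                              b"GET /index.html HTTP/1.1\r\n\r\n"),
        "visitor POST": Packet(visitor, 50000, WEB_SERVER, 80, "ACK",
                               b"POST /upload HTTP/1.1\r\n\r\n"),
    }
    return {name: fw.inspect(p) for name, p in packets.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14} -> {verdict}")
```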

#3 03-10-2008, 03:10 PM
Ryan (V.I.P)

How does ISA Server secure Internet access?

Most organizations have to let their employees access the Internet and use the World Wide Web as a resource and as a communication tool. This means that no organization can avoid Internet access, and securing the Internet connection becomes essential.

ISA Server can be used to secure the connections from client computers to resources on the Internet. To do that, you must configure all client computers to go through ISA Server to reach the Internet. When you configure things this way, ISA Server works as a proxy server between the clients in the organization's network and the resources on the Internet. This means that when a client sends a request to a Web Server on the Internet, there is no direct connection between the client and the Web Server. The proxy server component of ISA Server works directly with the Web Server (sending the request to the Web Server on the client's behalf, and answering the client in the internal network on the Web Server's behalf). As a result, the client's network information is not exposed to the outside network. ISA Server also controls which application the client uses to access the Internet and which Internet resources it accesses. ISA Server also works as a caching server.

How does ISA Server 'publish' resources in the internal network?

Some organizations want users on the Internet to be able to access resources located in the organization's internal network. At a minimum, most organizations want to provide access to the organization's website, especially businesses whose activity is mainly Web based. Many organizations also need to provide access to resources that are not Web based, such as a DNS Server or Database Server.

Allowing resources in the internal network to be accessed from the Internet increases the security risks for an organization. To reduce those risks, the firewall at the network perimeter must be able to block all malicious traffic entering the organization's network, and ensure that users on the Internet can reach only the permitted servers.

To configure publishing in ISA Server, you configure a publishing rule that specifies how ISA Server responds to requests from the Internet. ISA Server provides 3 different kinds of publishing rule: Web publishing rules, secure Web publishing rules, and Server publishing rules.

ISA Server working as a VPN Server

Besides allowing users on the Internet to access particular servers in the internal network, many organizations also need to give remote users access to resources on internal servers. Or an organization has offices in several places, and employees in one office need to access network resources at another. To allow this level of access, many organizations deploy a VPN (Virtual Private Network). A VPN is a secure network connection created across a public network such as the Internet. The VPN is secured with authentication and encryption, so even if a network packet is captured on the public network (the Internet), the packet cannot be opened or read. A VPN can be created between a user and the internal network (Client-to-Site) or between two offices of a company (Site-to-Site). A user can connect to the Internet from anywhere and then connect to the VPN gateway. All packets sent across the Internet using the VPN are secured.

ISA Server provides a remote-access VPN solution integrated into the firewall. When remote clients connect to ISA Server over VPN, the clients are placed in the VPN Clients network. This network is treated like any other network on ISA Server, which means you can configure firewall rules to filter all traffic from the VPN clients.

ISA Server also provides VPN quarantine control. VPN quarantine control delays remote access to a private network until the configuration of the remote-access client has been checked and validated by a client-side script. If you enable VPN quarantine control, all VPN clients are assigned to the Quarantined VPN Clients network until they pass the specified security checks. You can configure firewall rules to filter all traffic from clients in the Quarantined VPN Clients network to any other network.

ISA Server also supports site-to-site VPN. In this scenario, you configure an ISA Server in each branch or remote office. When the ISA Server at one site receives network traffic destined for another site, ISA Server initiates a Site-to-Site VPN connection and routes the traffic through it to the other site. To configure Site-to-Site VPN connections, you create a remote-site network on ISA Server, and then define access rules that control which kinds of traffic may be exchanged between the networks.
Last edited by Ryan, 22-04-2009 at 12:28 PM

#4 14-10-2008, 05:55 PM
Ryan (V.I.P)

THE DIFFERENCES BETWEEN THE STANDARD AND ENTERPRISE EDITIONS

ISA Server 2004 comes in 2 editions: Standard and Enterprise. The two editions provide the same functions. The most important difference between them is that Enterprise Edition provides the following advanced features:

- Centralized storage of configuration information
- Support for Cache Array Routing Protocol (CARP)
- Integrated network load balancing

If you deploy a single ISA Server for one particular role, or deploy single ISA Servers for branch offices as well as the central office, you should use the Standard edition. However, if you deploy several servers that perform the same role, you should choose the Enterprise edition. For example, if you work in a large organization that requires you to deploy several servers in the cache and proxy role, you should consider deploying the Enterprise edition.

Centralized storage of configuration information

One of the important differences between the Standard and Enterprise editions is how they store configuration information. If you want to deploy two computers running the Standard edition with identical configurations, you have to configure one of them, export its configuration, and import that configuration into the other. If you want to change the configuration, you have to do so on both to keep their configurations identical.

ISA Server Enterprise edition stores configuration information in a separate directory instead of in the registry as the Standard edition does. When you install the Enterprise edition, you must configure one or more Configuration Storage servers. The Configuration Storage server uses Active Directory Application Mode (ADAM) to store the configuration information for all ISA Server computers in the organization. Because ADAM can be installed on several servers and the data is replicated between them, you can have several Configuration servers.

To change the configuration of ISA Server Enterprise edition, you simply change the configuration on the Configuration Storage server. The ISA Server Enterprise computers periodically contact the Configuration Storage server to check; if any configuration information has changed, they update their local store (the registry) to match the current changes.

Support for Cache Array Routing Protocol (CARP)

ISA Server Enterprise edition provides an advanced feature that distributes Web caching across an array made up of several servers. With the Enterprise edition, several ISA Server computers can be configured as one single logical cache, whose capacity is the combined capacity of all the ISA Server computers grouped together. To provide this feature, ISA Server uses the Cache Array Routing Protocol (CARP). CARP also helps ISA optimize Web caching, meaning that the cache capacity of ISA Server can scale as needed, with no size limit as long as the hardware requirements are met.

Integrated Network load balancing

The third function found only in the Enterprise edition is the integration of Network Load Balancing (NLB) with ISA Server. With ISA Server 2004 Standard edition, you can configure NLB manually. With the Enterprise edition, NLB is integrated, so NLB can be managed from ISA Server. This means that NLB is configured through ISA Server management.
Last edited by Ryan, 19-12-2008 at 11:29 AM

Ryan, post #5, 19-12-2008, 10:58 AM

ISA SERVER DEPLOYMENT SCENARIOS

You can use ISA Server 2004 to secure access to the Internet and access to the internal network from the Internet. The exact configuration of ISA Server depends on each organization's access and security requirements. This part discusses the most common scenarios, including: how ISA Server is used as the primary security perimeter or as a second firewall in a multiple-firewall configuration; and how ISA Server can be used both by large organizations with offices in many locations and by small organizations that need only a single ISA Server computer.

ISA Server as an Internet-edge firewall

One of the main deployment scenarios for ISA Server 2004 is as an Internet-edge firewall. An Internet-edge firewall is deployed at the connection point between the Internet and the internal network. In this scenario, ISA Server provides both a secure gateway for users inside the network going out to the Internet and a firewall that blocks unauthorized and malicious access into the network.

ISA Server is deployed with one network interface card (NIC) connected to the Internet and a second NIC connected to the internal network. In some cases, ISA Server may have a third NIC connected to a perimeter network (DMZ). In this case, the following happens:

- ISA Server blocks all traffic from the Internet into the organization's network unless it is explicitly allowed. All of ISA Server's firewall components are deployed, including multilayered traffic filtering, application filtering and intrusion detection. In addition, the operating system on the ISA Server computer must be hardened against attacks aimed at the operating system.
- ISA Server is used to make some servers or services in the internal network reachable from the Internet. This access is configured by publishing the servers or by configuring access rules. ISA Server filters all inbound requests and allows only the traffic defined by access rules.
- ISA Server can also be the VPN access point to the internal network. In this case, all VPN connections from the Internet are routed through ISA Server. All access rules and quarantine requirements for VPN clients are enforced by ISA Server.
- All client requests for resources on the Internet go through ISA Server. ISA Server enforces an organizational policy that defines which users are allowed to access the Internet, which applications and protocols they can use to do so, and which websites are allowed.


[Attached image: Internet-edge firewall.jpg (48.9 KB)]

Last edited by Ryan, 19-12-2008 at 03:25 PM

Ryan, post #6, 19-12-2008, 04:10 PM

ISA Server as a Back-End Firewall

In some cases, an organization may choose to deploy ISA Server as the second firewall in a multiple-firewall configuration. This scenario lets many organizations keep using their existing firewall while using ISA Server as an advanced firewall with application filtering capability.

Many organizations deploy a back-to-back firewall configuration. In this configuration, one network adapter on the front-end firewall is connected to the Internet while the second network adapter on that firewall connects to the perimeter network. The back-end firewall has one network adapter connected to the perimeter network and a second network adapter connected to the internal network. All network traffic between the Internet and the internal network must pass through both firewalls and the perimeter network. For organizations that already have a hardware-based firewall deployed as the Internet-edge firewall, ISA Server can provide valuable additional functionality as a back-end firewall. In this case in particular, ISA Server's advanced application filtering can ensure that specific applications are published securely. In this scenario, ISA Server does the following:

- ISA Server can be used to provide secure access to the organization's Exchange Server computers. Because computers running Exchange Server must be members of the Active Directory domain, some organizations prefer not to place Exchange Server computers inside the perimeter network. ISA Server allows access to Exchange Server computers in the internal network through: secure OWA publishing, secure SMTP server publishing, and secure Exchange RPC publishing for Outlook clients.
- ISA Server can also be used to publish secure websites or secure Web applications. If the Web servers are located in the internal network, ISA Server can be configured to publish the Web server to the Internet. In this case, ISA Server's advanced application filters can be used to inspect all network traffic forwarded to the Web server.
- ISA Server can also be used as a Web proxy and caching server in this scenario. If so, all client requests for resources on the Internet or inside the perimeter network must go through ISA Server. ISA Server can then enforce the organization's policies for secure Internet access.
[Attached image: Back-End firewall.jpg (65.4 KB)]

Last edited by Ryan, 19-12-2008 at 05:21 PM

Ryan, post #7, 20-12-2008, 10:39 AM

ISA Server as a Branch Office Firewall

The third deployment scenario for ISA Server is the role of branch office firewall. In this scenario, ISA Server can be used to secure the branch office network against outside threats as well as to connect the branch office network to headquarters using site-to-site VPN connections.

For organizations with offices spread over many locations, ISA Server can act as a branch office firewall in conjunction with ISA Servers at the other locations. If a branch has a direct connection to the Internet, ISA Server can act as an Internet-edge firewall for the branch, securing the branch network as well as publishing server resources to the Internet. If the branch has only a WAN connection to the other offices, ISA Server can be used to publish servers in the branch such as Microsoft SharePoint Portal Server or a local Exchange Server. One of the benefits of using ISA Server as a branch office firewall is that it can act as a VPN gateway connecting the branch network to the main office network over a site-to-site VPN connection. Site-to-site VPN provides a low-cost secure method for connecting offices. In this scenario, ISA Server can perform the following functions:

- ISA Server can be used to create a VPN from one branch office to offices elsewhere. The VPN gateways at the other sites can be computers running ISA Server or third-party VPN gateways. ISA Server supports three tunneling protocols for creating VPNs: IPSec tunnel mode, Point-to-Point Tunneling Protocol (PPTP), and Layer Two Tunneling Protocol (L2TP) over IPSec.
- ISA Server can perform stateful inspection and application-layer filtering of VPN traffic between the organization's offices. This can be used to limit which remote networks can access the local network and to ensure that only approved network traffic is able to reach it.
What is a DMZ?

conghuong91, 02-03-2010, 09:11 PM
Guys and gals, does anyone know what a DMZ is? Please explain it to me.

tieugiang94, 02-03-2010, 09:22 PM
According to Google.com: the purpose is to hide from attacks from outside and inside, like sites sharing one server going up against each other. I searched on Wikipedia... DMZ is a demilitarized zone, a security zone. Full quote: 1972, Vietnam War: the Nguyen Hue Offensive began after the army of the Democratic Republic of Vietnam crossed the demilitarized zone (DMZ). Link: http://vi.wikipedia.org/wiki/Special:Search?search=DMZ&go=Go

NgocThao_SC, 02-03-2010, 09:23 PM
ISA Server DMZ.

ISA Server supports setting up a DMZ to keep Internet traffic separate from the internal network. The DMZ is a security zone that keeps Internet traffic away from the internal network. With a DMZ set up, you cannot publish servers on the internal network. ISA Server makes publishing servers in the internal network easier. But when you publish a server, Internet clients can access it. They can access data in the internal network, and the network is not secure. To achieve the above goal, you can create a secure network outside the internal network. That is the DMZ. The DMZ is a zone where neither of the two networks can connect without its consent. But if there is

To get around this, you can create secure networks outside of the internal network. This is what a DMZ is. The term DMZ or Demilitarized Zone comes from military. The DMZ area is an area that both sides agree there will be no military actions. But if one side does violate the agreement, then both sides can start firing. This is a buffer zone between the two parties and is designed to protect the populace on both sides of the DMZ.

DMZ configurations:
- Trihomed DMZ
- Back to Back Private address DMZ
- Back to Back Public address DMZ

Trihomed DMZ

A trihomed DMZ (three-homed DMZ) is built with 3 network cards on the ISA Server:
- 1 network card connected directly to the Internet.
- 1 network card connected to the internal network.
- 1 card connected directly to the DMZ.

The configuration looks like the following figure:
http://vietcert.net/dataimages/Uploads/Training/Microsoft/70227/ISA_Server_DMZ/image002.gif

Trihomed DMZ configuration:
- The DMZ must use public IP addresses
- The internal network should use private IP addresses
- The external network connects directly to the Internet.

A trihomed DMZ must have public IP addresses

A trihomed DMZ needs public addresses. Some people get this wrong when building such a system, because they use private addresses on the DMZ. You would be creating 2 internal network interfaces or external network interfaces that cannot access data on the internal network or the external network. The DMZ must be configured as an external network interface. External data is not trusted by the internal network. To configure the DMZ as external network data, you do NOT add the DMZ's IP addresses to the LAT. The LAT contains only internal network addresses.

Packets are routed to the DMZ, not translated

Packets from the Internet to the DMZ are actually routed to the DMZ. This is the opposite of how packets from the Internet to the internal network are translated and not routed to the internal network. To get the DMZ IP addresses, you need to subnet the IP address block.
One of the Network IDs must be assigned to the external network interface of the ISA Server. Any of the other Network IDs can be used for the DMZ.

Note: You need to understand IP addressing, Variable Length Subnet Masking (VLSM), subnetting and supernetting if you want to be able to manage ISA Server and a TCP/IP network.

Because these packets are routed to the DMZ, they bypass the rules that are applied to packets moving between the internal network and the external network. The rules applied to packets moving between the DMZ and the Internet are packet filter rules. Packet filters control outbound and inbound access to and from the DMZ.

Configuring Packet Filters and IP Routing

Enable packet filtering and also enable IP routing. Right-click IP Packet Filters in the left column of ISA Management and click Properties.
http://vietcert.net/dataimages/Uploads/Training/Microsoft/70227/ISA_Server_DMZ/image003.gif
Tick the two boxes Enable packet filtering and Enable IP routing.

Trihomed DMZ summary:
- Do not put the DMZ IP addresses in the LAT
- The DMZ uses a subnet of the public address block
- Enable packet filtering and IP routing on the ISA Server
- Create packet filters to allow access into and out of the DMZ

Back to Back DMZ with private addresses on the DMZ

A back to back DMZ using private addresses is the most secure DMZ configuration that ISA can set up. This configuration uses a private IP address range on the DMZ. Because it uses private addresses and includes the DMZ in the LAT of the external ISA Server, you get more ISA Server support than the trihomed DMZ has, such as: using public, untrusted IPs on the DMZ.

A private address back to back DMZ has the following characteristics:
- It consists of 2 ISA Servers: an internal ISA Server and an external one
- The external ISA Server has 2 cards: 1 for the connection to the Internet and 1 on the DMZ
- The internal ISA Server has 2 network cards: 1 card connected to the DMZ and the other connected to the internal network.
- The DMZ uses private IP addresses
- The DMZ network is in the LAT of the external ISA Server.
- The DMZ network is not in the LAT of the internal ISA Server.
- You can use Web and Server publishing rules to control access to the DMZ.

Back to back private address DMZ:
http://vietcert.net/dataimages/Uploads/Training/Microsoft/70227/ISA_Server_DMZ/image005.gif

Configuring the external ISA Server

The external ISA Server has one interface connected directly to the Internet and 1 interface connected to the DMZ. The DMZ's IP addresses should be in the local address table (LAT) of the external ISA Server, so you can control access with Web and Server publishing rules. Note that even when we put the DMZ in the LAT of the external ISA Server, Internet traffic still cannot connect to or access the internal network. In general, Internet requests and replies belong to the internal network.
This helps protect against Internet traffic in a way similar to the trihomed DMZ model, and does it better. There is no need to create and use packet filters; the back to back private IP address DMZ model uses Web and Server publishing rules. If you have a Web server on the DMZ, you can use a Web Publishing rule, created on the external ISA Server. If you have another server, for example an SMTP mail server, you can also use a Server Publishing rule on the external ISA Server.

Configuring the internal ISA Server

The internal ISA Server is configured with a LAT that is the internal network's address range. If the DMZ's IP addresses are private addresses, they still must not be able to connect to or access the internal network, so you should not leave those IP addresses in the LAT. By removing the DMZ addresses from the LAT of the internal ISA Server, you separate the DMZ from the internal network.

Note: the LAT of the internal ISA Server is only the IP address range of the internal network. Because the DMZ contains IP addresses in the back to back private address DMZ configuration.

Allowing the DMZ to access the internal network

You can configure publishing rules so that only servers on the DMZ can connect to servers in the internal network. Suppose you have a Web server on the DMZ that needs to reach a SQL Server in the internal network. You should create a Client Address Set made up of the Web server's IP addresses and allow access only to the client addresses in that set.

Allowing outbound/inbound Internet access

You can configure protocol rules on the ISA Server that allow traffic in the same way as the internal ISA Server. But doing it that way is not secure. To solve this, configure the internal ISA Server to use the external ISA Server in a server chain. You can configure 2 services, Firewall and Web Proxy, on the external ISA Server (there is no need to reconfigure the protocol rules).

Summary of the Back to Back Private Address DMZ configuration:
- It consists of 2 ISA Servers: an internal ISA Server and an external one.
- The external ISA Server contains the DMZ addresses in its LAT
- The external ISA Server uses private IP addresses for the DMZ
- Control access to servers on the DMZ by using publishing rules on the external ISA Server.
- Do not use packet filters to control access to the DMZ.
- The internal ISA Server declares the internal network's IP addresses in its LAT.
- Do not put the DMZ addresses in the LAT of the internal ISA Server.
- You can use publishing rules if you need a server on the DMZ to access a server in the internal network.
- You should enable packet filtering on both the internal and external ISA Servers for best security.
- Configure Web and Firewall on the internal ISA Server.

Back to Back DMZ with public IP addresses on the DMZ

Some people want to configure back to back ISA Servers and use public addresses on the DMZ. They have DMZ machines and existing machines whose IP addresses are already recorded in public DNS. There is no need to change the IP address on the external interface of the ISA Server. You can build a back to back ISA Server configuration that uses public IP addresses on the DMZ. However, you need to note a few special points:
- You use packet filters to control access out of and into the DMZ.
- You need to install a fake card and assign it a fake IP.
- The external ISA Server has 3 network cards: external, DMZ and the fake card
- You need to subnet the address block and assign addresses to the DMZ
- The DMZ is not in the LAT of the external ISA Server

http://vietcert.net/dataimages/Uploads/Training/Microsoft/70227/ISA_Server_DMZ/image007.gif

Create a Bogus NIC

The trick to building a back to back public IP address DMZ is to configure the external ISA Server as a trihomed ISA Server. The difference from a trihomed ISA Server is the bogus card. The fake card can be the Microsoft Loopback adapter. The reason you need to install the bogus card is that you need 1 network card on a private network. ISA Server does not let you install 2 network cards as external interfaces. If you have no address in the LAT you need to declare one, otherwise ISA Server does not work. So you need to install the bogus card, assign it a private IP address, and have that address in the LAT.

Similar to the trihomed ISA Server configuration

As with the trihomed DMZ, you need to create packet filters to allow access from outside into the DMZ or from inside out of the DMZ. You can also create packet filters for the internal network's outbound traffic, because this traffic does not belong to the internal network; moreover it has to pass through the DMZ to the external ISA Server. The back to back public IP address ISA Server can be turned off or on depending on the packet filter requirements. However, if you are used to setting up firewalls, go ahead and configure a packet-filtering router as a low-level firewall.

Summary of the back to back public IP address DMZ:
- You need to create a trihomed DMZ on the external ISA Server
- The third card is a fake (bogus) card with a fake private IP address
- You need to configure packet filters to allow inbound access from the DMZ
- You need to configure packet filters for all access into and out of the internal network through the DMZ and out to the Internet.
- You do not need to use Web and Server publishing rules on the external ISA Server

Summary

Use the 3 ISA Server DMZ cases depending on the situation. Learn the advantages and disadvantages of the trihomed DMZ, the back to back private IP address DMZ and the back to back public IP address DMZ.

tieugiang94, 02-03-2010, 09:25 PM
Too long, use a shorter one that's easy to understand, my friend. Thanks anyway, it's good too.
----> POST ADDENDUM <----
Another redundant question, though.

conghuong91, 02-03-2010, 09:34 PM
Doesn't anyone have a short, easy-to-understand post? I'm studying CCNA and there is a lab on configuring a Linksys that has a DMZ setting; I don't understand what it is, so I'm asking you guys. I have the SKin exam coming up, and I skipped class for the configuration lab, so I don't know anything. I hope you guys can help me out.

tieugiang94, 02-03-2010, 09:37 PM
It's already been explained like that, my friend. All over Google there is only "a zone that hides from attacks".

conghuong91, 02-03-2010, 09:42 PM
A bit hard to understand.

tieugiang94, 02-03-2010, 09:45 PM
With a DMZ set up, you cannot publish servers on the internal network. ISA Server makes publishing servers in the internal network easier. But when you publish a server, Internet clients can access it. They can access data in the internal network, and the network is not secure. To achieve the above goal, you can create a secure network outside the internal network. That is the DMZ. The DMZ is a zone where neither of the two networks can connect without its consent.
Read that and you'll understand right away.
----> POST ADDENDUM <----
Quote: They can access data in the internal network, the network
==> if you install the DMZ they can't get in; they won't be able to access or steal the data once we install the DMZ.

conghuong91, 02-03-2010, 09:52 PM
I thought it lets all ports through to the address that you configure.

tieugiang94, 02-03-2010, 09:54 PM
This just stops hackers from swiping files; I don't know whether it can be attached to the Config.php file. It would be great if it could.

itachi, 03-03-2010, 11:42 PM
Short and easy to understand:
- A DMZ is a neutral network zone between the internal network and the Internet.
- The DMZ is where you place information that users from the Internet are allowed to access, and it accepts the risk of attacks from the Internet.
- The services usually deployed in the DMZ are: Mail, Web, FTP
- There are two ways to set up a DMZ:
+ Place the DMZ between 2 firewalls, one to filter information coming in from the Internet and one to check the traffic flowing into the internal network.
http://data.sinhvienit.net/2010/T03/img/SinhVienIT.Net---946_DMZ1.jpg
+ Use a router with several ports to place the DMZ on its own branch, separate from the internal network.
http://data.sinhvienit.net/2010/T03/img/SinhVienIT.Net---435_DMZ.png
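The LAT rules summarised for the three DMZ designs in the thread above, turned into a configuration check. This is an added example, not part of any forum post and not ISA Server code; the `IsaServer` model, the finding codes and the sample addresses (203.0.113.0/28 stands in for a public block) are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(net):
    """True when the whole network lies inside RFC 1918 private space."""
    return any(net.subnet_of(block) for block in RFC1918)


@dataclass
class IsaServer:
    """Hypothetical model of the settings the thread discusses (not an ISA API)."""
    name: str
    lat: list                      # Local Address Table entries as CIDR strings
    packet_filtering: bool = False
    ip_routing: bool = False

    def _lat(self):
        return [ipaddress.ip_network(entry) for entry in self.lat]

    def lat_overlaps(self, net):
        return any(net.overlaps(entry) for entry in self._lat())

    def lat_covers(self, net):
        return any(net.subnet_of(entry) for entry in self._lat())


def codes(findings):
    return [code for code, _ in findings]


def audit_trihomed(isa, internal, dmz):
    """Trihomed: DMZ public and outside the LAT, filtering and routing enabled."""
    internal, dmz = ipaddress.ip_network(internal), ipaddress.ip_network(dmz)
    findings = []
    if isa.lat_overlaps(dmz):
        findings.append(("DMZ_IN_LAT", f"{dmz} is in the LAT of {isa.name}, so it is treated as internal"))
    if is_private(dmz):
        findings.append(("DMZ_NOT_PUBLIC", f"{dmz} is private, but a trihomed DMZ is routed, not translated"))
    if not isa.lat_covers(internal):
        findings.append(("INTERNAL_NOT_IN_LAT", f"{internal} is missing from the LAT of {isa.name}"))
    if not (isa.packet_filtering and isa.ip_routing):
        findings.append(("FILTERING_OR_ROUTING_OFF", "enable both packet filtering and IP routing"))
    return findings


def audit_back_to_back_private(external, inner, internal, dmz):
    """Private DMZ: in the external server's LAT, absent from the internal server's LAT."""
    internal, dmz = ipaddress.ip_network(internal), ipaddress.ip_network(dmz)
    findings = []
    if not is_private(dmz):
        findings.append(("DMZ_NOT_PRIVATE", f"{dmz} is not a private range"))
    if not external.lat_covers(dmz):
        findings.append(("DMZ_MISSING_FROM_EXTERNAL_LAT", f"publishing rules on {external.name} need {dmz} in its LAT"))
    if inner.lat_overlaps(dmz):
        findings.append(("DMZ_IN_INTERNAL_LAT", f"{inner.name} would treat DMZ hosts as internal"))
    if not inner.lat_covers(internal):
        findings.append(("INTERNAL_NOT_IN_LAT", f"{internal} is missing from the LAT of {inner.name}"))
    extra = [str(e) for e in inner._lat() if not e.subnet_of(internal) and not e.overlaps(dmz)]
    if extra:
        findings.append(("INTERNAL_LAT_EXTRA", f"unexpected LAT entries on {inner.name}: {extra}"))
    if not (external.packet_filtering and inner.packet_filtering):
        findings.append(("PACKET_FILTERING_OFF", "enable packet filtering on both servers"))
    return findings


def audit_back_to_back_public(external, dmz, bogus_nic):
    """Public DMZ: outside the LAT; only the bogus NIC's private range is in the LAT."""
    dmz, bogus = ipaddress.ip_network(dmz), ipaddress.ip_network(bogus_nic)
    findings = []
    if is_private(dmz):
        findings.append(("DMZ_NOT_PUBLIC", f"{dmz} is private"))
    if external.lat_overlaps(dmz):
        findings.append(("DMZ_IN_LAT", f"{dmz} must not be in the LAT of {external.name}"))
    if not is_private(bogus) or not external.lat_covers(bogus):
        findings.append(("BOGUS_NIC_NOT_IN_LAT", f"{bogus} must be private and listed in the LAT"))
    if not external.packet_filtering:
        findings.append(("PACKET_FILTERING_OFF", "packet filters are the only control for this DMZ"))
    return findings


if __name__ == "__main__":
    # Constructed sample: a trihomed server whose private DMZ was added to the LAT.
    edge = IsaServer("edge", ["192.168.1.0/24", "172.16.1.0/24"], packet_filtering=True)
    for code, detail in audit_trihomed(edge, "192.168.1.0/24", "172.16.1.0/24"):
        print(code, "-", detail)
```
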

Managing bandwidth with ISA Server 2004

Thursday, 10 July 2008 17:00

ISA is probably no stranger to many network administrators. Many people favor ISA because of its outstanding firewall functionality. Microsoft has so far released 3 versions of ISA: ISA 2000, 2004 and 2006. Many people like ISA for its strong system protection together with its flexible management. ISA Server always comes in 2 editions, Standard and Enterprise, serving different environments.

However, today we will not go deep into the firewall part; instead we will make use of the firewall to share bandwidth among workstations. Here we use ISA Server 2004 Standard, because although ISA Server 2006 has some new functions, they are not needed for our work within the scope of this article.

ISA Server Standard meets the protection and bandwidth-sharing needs of medium-sized companies. We can build a firewall to control the data flows into and out of the company's internal network, block inappropriate website content, keep employees from doing personal things while at work, and much more.

Your current need is to limit the bandwidth, or the traffic volume (MB), of client machines for employees or groups, or you can manage by IP. For example: you want to limit the engineering department to a maximum of 100KB/s, the boss to 200KB/s... Or you run an Internet shop and want to cap the bandwidth each machine can use so that it does not affect the other machines. In these cases bandwidth limiting is very handy.

In practice, there are several add-on programs for ISA that support bandwidth limiting; you can choose Tquota or Bandwidth Splitter. Here we choose Splitter because Splitter can be used for free with up to 10 users/IPs.

You can download Tquota here: http://www.digirain.com/download/tquota/TQuotaTrial.exe
and Bandwidth Splitter here (there is 1 build for ISA Server 2000 and 1 build for ISA 2004/2006). The latest version at present is 1.23:
Bandwidth Splitter for ISA 2000: http://www.bsplitter.com/download/bsplitter.zip
Bandwidth Splitter for ISA 2004/2006: http://www.bsplitter.com/download/bsplitter2004.zip

Download Bandwidth Splitter, unzip it and install it:

After installation, when we open ISA Server we will have 1 new feature node:

To limit bandwidth, we create 1 new rule under Shaping Rules: right-click Shaping Rules and choose New - Rule...:

Next, in the window that appears, we give the rule a name:

In the Apply To window you can choose to manage by user (if you want to manage by user, you must first create a user group in the Toolbox section of ISA. This user group can consist of domain users or users local to your machine). Here, to keep it simple, we will manage by IP address, so choose IP address sets specified below and add the network range or address you want to manage. Here I use it to manage the Internal network (the IP ranges of the internal network that you want to manage), then click Next.

In the Destinations window, we choose Add. Here I choose External, then click Close and Next.

In the next window, Schedule, you choose the specific time during which the bandwidth management will apply. If we pay attention, ISPs such as FPT and Viettel use this kind of management. They schedule your download speed during the day at, for example, about 1280Kbit/s (meaning you can download at 160Kbyte/s), and at night they let you download at 400Kbyte/s with a different rule. ISA currently ships with 3 preset schedules: Always, Weekends and Work hours.

You can adjust the specific access hours under Schedule in the Toolbox.

In the Shaping window, you can choose:
- Shape total traffic (incoming + outgoing): use this to set the bandwidth allowed for download and upload combined.
- Shape incoming and outgoing traffic: you manage download and upload speed separately.
- Shape incoming traffic only: manage download speed only.
- Shape outgoing traffic only: manage upload speed only.

We can see that ISPs manage us using option 2, Shape incoming and outgoing traffic, which is why Internet packages show download and upload speeds such as 512Kbit/s download and 256Kbit/s upload. Here we also have the HTTP Boost option: you can boost web browsing speed on the workstation at the start of a page load using HTTP Boost duration (seconds). Depending on whether you like this mode, tick Enable HTTP Boost or not.

In the Connection settings window, you can limit the number of connections a client machine can make through ISA Server. Here, I do not limit the number of connections:

In the Shaping Type window, you have 2 choices. Note that this choice decides how you manage workstation speed:
- Assign bandwidth individually to each applicable users/addresses: the bandwidth setting you made earlier applies to each machine (for example, we set 512kbit/s earlier, so each machine can access at 512kbit/s).
- Distribute bandwidth between all applicable users/addresses: the total bandwidth you set above is shared among the workstations; if one machine uses a lot, the other machines will access the net more slowly (for example, if we set the download speed to 512kbit/s, then when machine A is downloading at 400kbit/s, machine B can only download and browse at the remaining 112kbit/s). Here we have 1 more option, Static bandwidth distribution, which splits the download speed, for example your 512kbit/s, evenly between machines A and B at 256kbit/s each.

Extra parameters lets you allow the rule above to apply in the case where the client you set up has exceeded its download/upload MB, or to not count traffic against the Traffic Quota (MB downloaded/uploaded) when this rule is used.

With that, we have finished setting up the bandwidth management rule for ISA:

Open Shaping Rules in ISA again and we will see it as in the figure:

Switch to the Monitoring tab and we will see the client machines whose bandwidth is being managed; they cannot download faster than the download rate we allow: 512kbit/s

http://www.scribd.com/doc/23859326/-Part-38-IsA-Server-Array-Installation
ISA Server monitoring plan

ISA Server monitoring plan (part I)

ISA Server plays a key role in your network architecture. If you deploy ISA in the Internet Edge Firewall model, ISA acts as a firewall and protects your internal network. ISA secures access out to the Internet from the Internal network and, in the other direction, allows access from the Internet to resources inside the local network. If ISA has a problem, users will not be able to use its features. If ISA is attacked from the Internet, your local network will be in danger. There are many reasons to monitor ISA Server. Here are a few important ones.

- Monitoring traffic between networks. You need to monitor traffic between the networks to make sure your Access Rules are configured correctly, that only the traffic you allow gets through, and that there is no network traffic beyond what users need.
- Fixing network connectivity problems. Monitoring ISA is an important link in identifying and fixing network connectivity problems. If users report that they cannot access resources on the Internet, the fault may lie in the configuration of the user's machine, in an incorrect ISA configuration, or in the Internet resource itself. By monitoring ISA, you can pinpoint the cause of the problem.
- Investigating attacks. If ISA acts as a firewall, it may be attacked. If you configure it correctly, it can detect and block most attacks. However, even when ISA Server successfully blocks an attack, do not celebrate too soon, and always assume the attacks may start again at any time. After each attack, if you monitor ISA regularly, you will have a lot of data on the type and method of attack to defend against the next ones.
- Planning for change. By monitoring ISA regularly, you collect a lot of information on which you can base plans to adjust ISA's current configuration to better suit the network.

ISA Server Monitoring Components

The ISA Server Management Console contains several components that let you monitor many aspects of ISA Server's operation. They are the following:

- Alerts: monitors ISA Server for preconfigured events and, when those events occur, performs defined actions. By default ISA is configured with many alerts. You can define new events and the actions taken in response when the event occurs.
- Sessions: provides information about the sessions of all users connected to ISA Server, including the following client types: Firewall client, SecureNAT client, VPN client, VPN site-to-site and Web Proxy client.
- Logging: provides detailed information about Web Proxy, Microsoft Firewall Service or SMTP Message Screener. By default ISA logs all client connections to ISA Server, whether successful or denied. You can use the log information to monitor ISA in real time or review it later.
- Reporting: summarizes usage information on ISA Server. For example, you can summarize which users access the most through ISA Server, which sites are visited, or which protocols and applications are used the most.
- Connectivity: enables continuous monitoring of connections from ISA Server to other computers or to a website on the network. For example, you can use Connectivity to monitor the connection from the ISA computer to a domain controller, DNS server or published Web server, and it also provides an alerting mechanism when those connections fail.
- Performance: collects performance data for the ISA server. You can monitor the ISA server in real time or log the data for later review.

However, if you intend to configure ISA to collect all information, it will be very hard to understand and analyze the data gathered on a constantly busy ISA machine. In your ISA monitoring plan, you should work out which information is important, how to collect it, and when you will review it. You have 2 strategies for monitoring ISA.

Real-time monitoring

You can monitor ISA in real time, collect client connection information, and configure alerts and actions for when an event occurs. You can use the ISA Server Management Console or Performance Monitor. Often you have to use these tools when a problem occurs. For example, if a user reports that his Internet access is slower than usual, you can use Performance Monitor with preconfigured counters to find the cause of the problem.

Collecting information over a long period

Besides real-time monitoring, you can collect information on the ISA machine over a longer period and review and summarize it later. For example, you can use this approach for the following kinds of information:

- ISA machine performance. This information will be useful for later changes and adjustments to your ISA infrastructure.
- Usage information. You can get this information from ISA's reports.
- Security information.

In the next part we will continue by looking in detail at the tools for monitoring ISA Server.

th_tuyen, post #2, 23/06/09 11:18 AM

ISA Server monitoring plan (part II)

What is an Alert?

To maintain ISA's functionality and security, you, the ISA administrator, need to know when ISA events occur. For example, you need to be told if ISA's services suddenly die, or if an unauthorized intrusion is detected. You can configure ISA to notify you when a given event occurs. An Alert is a notification, or some action that is carried out on the ISA machine. Here are a few kinds of events (configured by default) that trigger an Alert:

- Service started. Alerts when a service on ISA starts.
- IP Spoofing. Alerts when ISA detects a packet with an invalid source IP address. IP spoofing occurs when a packet arrives on one of ISA's interfaces but its source IP address belongs to a network attached to a different interface.
- Intrusion detected. Alerts when ISA detects an unauthorized intrusion...

To respond to events, you have several ways to configure the Alert's action, such as sending a notification e-mail, running a program, writing to the Event Log, or starting or stopping a service. For example, you can configure ISA to send you a notification mail when it detects an unauthorized intrusion.

Where to view Alerts?

When an event occurs and ISA performs the Alert as you configured it, the ISA Server Management Console displays the alert on the Alerts tab of the Monitoring section. There you can get the following information:

- Alert: the Alert column shows the type of alert, based on the list of Alerts and Events you configured earlier.
- Latest: the Latest column shows the date and time the alert occurred.
- Status: the status of the Alert. If the Alert's status is New (meaning the alert has just occurred), it is shown on the Dashboard (the Dashboard is the panel that shows the most general information ISA has gathered. To display it, simply switch to the Dashboard tab). If you change the status to Acknowledge (to tell ISA that you already know about it), the Alert is no longer shown on the Dashboard.
- Category: the Category column shows which category the Alert belongs to. The categories are: Security, Cache, Routing, Firewall, Service, Other.

You can display more information about each Alert by opening the View menu and choosing Add/Remove Columns. You can add other columns, for example:

- Server: the name of the ISA Server computer that issued the Alert.
- Count: the number of times the Alert has been triggered.

Configuring Alerts

ISA Server has many preconfigured Alerts. You can edit the existing Alerts by configuring the events that trigger the Alert or the action the Alert performs. You can also define new Alerts. To configure the event or condition that triggers an Alert, do the following:

1. In ISA Server Management Console, click Monitoring and choose the Alerts tab.
2. In the Task pane on the right, choose Configure Alert Definitions. The Alert Definitions dialog box lists all the Alerts you have created.
3. To enable or disable an Alert, select or clear the check box in front of it.
4. Select the Alert Definition you want to configure, then click the Edit button below. For example, here we choose the Alert named DNS Intrusion.
5. In the Properties dialog box that appears, on the General tab, you can change the Alert's Name, Description, Category and Severity. You can also enable or disable the Alert here by selecting or clearing Enable.
6. Switch to the Event tab to configure the event that triggers the Alert.

- Event: the event that triggers the Alert. The Description text box below describes the selected Event in detail.
- Additional Condition: if the Event has any additional conditions, configure them here.
- Number of occurrences: specifies how many times the event must occur before the Alert is triggered.
- Number of events per second: specifies how many times the event must occur within one second before the Alert is triggered.

Alert Action

The Alert Action is the action carried out when the Alert's events and conditions occur. The action can be one of the following:

- Send e-mail. You then fill in the SMTP Server address, From, To...
- Run a program. Runs a program when the Alert Event occurs.
- Report to Windows Event Log. Writes an entry to the Event Log.
- Stop Selected Services. Stops a service.
- Start Selected Services. Starts a service.

Configuring a new Alert

To configure a new Alert, we follow these steps:

1. In ISA Server Management Console, click Monitoring and choose the Alerts tab.
2. In the Task pane on the right, choose Configure Alert Definitions. The Alert Definitions dialog box lists all the Alerts you have created.
3. To create an Alert Definition, click the Add button. The New Alert Wizard dialog box appears. You need to provide the following information:

- The name of the Alert.
- The Event and Additional Condition that will trigger the Alert.
- The Category and Severity for your Alert.
- The Alert Action for your Alert.

In the next part we will look at Session and Connectivity monitoring in ISA Server 2004.

#3, th_tuyen, 23/06/09 11:24 AM

ISA Server Monitoring Plan (Part III)

ISA Server 2004 provides real-time monitoring of the current sessions between clients and ISA Server. Session Monitoring provides information about every client connected to ISA Server. You can also have ISA Server monitor connectivity from itself to other servers on the local network or on the Internet...

What is Session Monitoring?

You can use Session Monitoring to determine which users or computers are connected to ISA Server; these are collectively called ISA clients. ISA clients can be SecureNAT, Firewall or Web Proxy clients, or they can be clients on the Internet connecting to resources inside the internal network, such as a web server, or connecting over a VPN. Session Monitoring provides real-time information about the sessions of ISA clients. You can find it in the Monitoring section of ISA Management Console, on the Session tab. The information shown on this tab includes:

- Activation: this column shows the date and time the session was established.
- Session Type: the kind of session, which can be SecureNAT, Firewall client, Web proxy client, VPN client or VPN Site-to-Site.
- Client IP: the IP address of the client that initiated the session.
- Source Network: the network from which the session was initiated.
- Client Username: the name of the client that initiated the session. The client name is shown only for Web Proxy and Firewall Client sessions.
- Client Hostname: the name or IP address of the client computer. For a Firewall client the name is shown; for a SecureNAT client the IP address is shown.

Note: all connections from the Internet to a web site behind ISA are displayed as Web Proxy clients. Other connections from the Internet are displayed as SecureNAT clients.

You can also add two more columns that give information about the server and the application. To add columns, open the View menu of ISA Server Management Console, choose Add/Remove Columns, then select the column you want to add.

- Server Name: the name of the machine running ISA Server that holds the session being monitored.
- Application Name: the name of any application that maintains a session through ISA Server. This information is available only if the client connects as a Firewall Client.

How do you monitor sessions?

You can use Session Monitoring for more than displaying client connections. You can disconnect unwanted sessions between a computer and your network. You can also reduce the number of sessions shown on the Session tab (when there are too many) by setting up a session filter. Let us look at some of the tasks you can perform on client sessions.

- Disconnecting the session: lets you disconnect an unwanted session immediately; all connections that use the client's session are closed. This does not, however, prevent the client from establishing the session again. To prevent that, you must adjust the ISA policy.
- Pausing Monitoring session: temporarily pauses session monitoring. Existing sessions are not removed, but newly established sessions are not added. When you resume monitoring, ISA automatically updates the information about new sessions and adds them.
- Stopping Monitoring session: stops session monitoring. Information about all current sessions is lost. When you start monitoring again, ISA collects session information from scratch.

To manage client sessions, follow these steps:

1. In ISA Server Management Console, click the Monitoring section.
2. Choose the Sessions tab.
3. The current sessions are listed on the Sessions tab.
4. To disconnect a session, right-click it and choose Disconnect Session.
5. To pause session monitoring, click Pause Monitoring Sessions in the Task Pane, or right-click any session.
6. To resume session monitoring, click Resume Monitoring Sessions in the Task Pane, or right-click any session.
7. To stop session monitoring completely, click Stop Monitoring Sessions in the Task Pane, or right-click any session.
8. To start session monitoring again, click Start Monitoring Sessions in the Task Pane, or right-click any session.

Note: when you Pause Monitoring Session, the sessions shown on the Sessions tab are not cleared, but if you Stop Monitoring Session, all displayed sessions are cleared (the display of the sessions is cleared; the sessions themselves are not disconnected).

Filtering sessions

If you have a large number of users on the network, the Session tab will hold a great many entries and will be hard to read. In that case you can use session filtering to display only the sessions you want to see. You create a filter based on a set of conditions. For example, if you only want to see the sessions of one particular client, you can create a filter that shows only sessions initiated by that client. Or, if you want to see sessions from the Internet, you can create a filter that shows only sessions initiated from the External network. To configure session filtering, follow these steps:

1. In ISA Server Management Console, click Monitoring.
2. Choose the Sessions tab.
3. In the Task pane, or below the Filter Definition line, click Edit Filter.
4. In the Edit Filter dialog box, choose the following settings:

- Filter By: choose the criterion you want to filter on, such as Session Type, Client IP, Client Username...
- Condition: the condition applied to the criterion you just chose: Equals, Contains, Not Contains, Not Equal.
- Value: enter the value that corresponds to the condition you chose.

5. When you have finished, click Add To List to add it to the filter list.
6. Continue setting up other filters if you need them.
7. After creating the filters, you can export them for later reuse. In the Task pane, click Export Filter Definition to export to an XML file. Later you can use Import Filter Definition to reuse it.

http://www.nghean-aptech.com/network/2009/744/default.aspx
http://www.nghean-aptech.com/network/2009/743/default.aspx
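The IP spoofing event and the two Event-tab thresholds described in Part II, as an added Python sketch that is not part of the original posts and is not ISA Server code. The addresses reuse the article's lab networks; the interface names, the `AlertDefinition` class and the rule that both thresholds must be met together are assumptions of this example.

```python
import ipaddress
from collections import deque

# Lab networks from the article; interface names are assumed for this example.
IFACE_NETS = {
    "internal": ipaddress.ip_network("192.168.1.0/24"),
    "dmz": ipaddress.ip_network("172.16.1.0/24"),
}

def is_spoofed(arrival_iface, src_ip):
    """True if src_ip belongs to a network attached to another interface."""
    src = ipaddress.ip_address(src_ip)
    for iface, net in IFACE_NETS.items():
        if src in net:
            return iface != arrival_iface
    # Any other address is treated as External (assumption of this sketch).
    return arrival_iface != "external"

class AlertDefinition:
    """Counts events and applies the two thresholds from the Event tab."""
    def __init__(self, occurrences=1, per_second=0):
        self.occurrences = occurrences  # "Number of occurrences"
        self.per_second = per_second    # "Number of events per second", 0 = unset
        self.count = 0
        self.window = deque()           # event times within the last second

    def record(self, ts):
        """Register one event at time ts (seconds); True means the alert fires."""
        self.count += 1
        self.window.append(ts)
        while ts - self.window[0] >= 1.0:
            self.window.popleft()
        rate_ok = self.per_second == 0 or len(self.window) >= self.per_second
        # Assumed reading: when both thresholds are set, both must be met.
        return self.count >= self.occurrences and rate_ok

# Constructed sample traffic: (time in seconds, arrival interface, source IP).
PACKETS = [
    (0.00, "internal", "192.168.1.20"),   # normal client traffic
    (0.10, "external", "192.168.1.50"),   # Internal source arriving from outside
    (0.30, "external", "172.16.1.10"),    # DMZ source arriving from outside
    (0.40, "dmz", "192.168.1.7"),         # Internal source arriving from the DMZ
    (5.00, "external", "192.168.1.50"),   # isolated repeat, below the rate
]

def alert_times(packets, alert):
    """Return the timestamps at which the alert definition fires."""
    return [ts for ts, iface, src in packets
            if is_spoofed(iface, src) and alert.record(ts)]
```

With `AlertDefinition(occurrences=3, per_second=2)` only the burst ending at 0.40 s raises the alert; the default definition fires on every spoofed packet, which is the noisy behaviour the thresholds exist to damp.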
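The Edit Filter settings from Part III (Filter By, Condition, Value), as an added Python example that is not from the original posts and is not ISA Server code. `apply_filters`, the sample rows, and the choice to AND the list entries and compare case-insensitively are assumptions. It shows why a Client Username filter misses SecureNAT sessions from the same machine, since those rows carry no username.

```python
# The four conditions offered in the Edit Filter dialog.
CONDITIONS = {
    "Equals": lambda cell, value: cell == value,
    "Not Equal": lambda cell, value: cell != value,
    "Contains": lambda cell, value: value in cell,
    "Not Contains": lambda cell, value: value not in cell,
}

def apply_filters(sessions, filters):
    """Return sessions that satisfy every (filter_by, condition, value) entry.

    Entries are ANDed and compared case-insensitively (assumptions of this
    example); a column the session lacks is treated as an empty string.
    """
    def matches(session, entry):
        column, condition, value = entry
        cell = session.get(column, "")
        return CONDITIONS[condition](cell.lower(), value.lower())
    return [s for s in sessions if all(matches(s, f) for f in filters)]

# Constructed sample rows using the column names from the Sessions tab.
SESSIONS = [
    {"Session Type": "Firewall Client", "Client IP": "192.168.1.20",
     "Source Network": "Internal", "Client Username": "CORP\\hoa",
     "Client Hostname": "PC-HOA"},
    {"Session Type": "Web Proxy", "Client IP": "192.168.1.20",
     "Source Network": "Internal", "Client Username": "CORP\\hoa"},
    # SecureNAT rows carry no username and show the IP as the host name.
    {"Session Type": "SecureNAT", "Client IP": "192.168.1.20",
     "Source Network": "Internal", "Client Hostname": "192.168.1.20"},
    {"Session Type": "SecureNAT", "Client IP": "203.0.113.77",
     "Source Network": "External", "Client Hostname": "203.0.113.77"},
    {"Session Type": "Web Proxy", "Client IP": "203.0.113.9",
     "Source Network": "External"},
]

def session_types(rows):
    """The Session Type of each remaining row, in display order."""
    return [r["Session Type"] for r in rows]
```

Filtering on `("Client IP", "Equals", "192.168.1.20")` returns all three sessions from that machine, while `("Client Username", "Contains", "hoa")` returns only two.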
