
Microsoft ISA Server

Overview of ISA Server functions

1-Application filters: application filters are an ISA Server feature used to extend the abilities of ISA Server. For example, the SMTP application filter can be used to block harmful attachments or messages with offensive content; another example is the H.323 filter, which controls how ISA Server handles audio conferencing and video conferencing.

2-Caching: the second feature of ISA Server is caching. ISA Server stores copies of Web and FTP objects on its local hard drive. Whenever a user requests an object, ISA Server checks whether a copy of that object already exists on its hard drive; if it does, ISA Server serves the object directly from the local disk instead of fetching it again from the Internet, which makes the connection faster.

3-Firewall: ISA Server includes a powerful firewall that stands between the Internet and your internal network and provides security through packet filtering.
Stateful packet inspection: the firewall examines each packet in the context of the connection it belongs to (for example, whether an internal client opened that connection) to decide which packets are allowed and which are restricted or dropped.

4-Firewall clients: ISA Server provides Firewall Client software for internal machines, which makes it possible to apply different levels of security to different user groups in the internal network across the enterprise.

5-SecureNAT: SecureNAT clients are internal machines whose TCP/IP settings use the ISA Server as the default gateway; no client software is installed, and ISA Server handles all translation of traffic from your private addresses to the public network.

1 Prepared by Mohamed El Qadi


6-Web publishing: this is the last feature of ISA Server; you can provide an extra level of security by placing your Web or e-mail servers behind

Installing ISA Server

System requirements

Component          Standard edition                 Enterprise edition
CPU                300 MHz                          300 MHz
RAM                256 MB                           256 MB
Hard disk          20 GB, NTFS required for cache   20 GB, NTFS required for cache
OS                 Windows 2000 Server              Windows 2000 Server
Active Directory   No                               Yes

NOTE: When you decide to install ISA Server you must first check these ISA Server requirements.

*-Pre-configuring the ISA Server network configuration: ISA Server must have two network interface cards, one used for the internal network and one used for the external network. The external interface may receive its IP address dynamically (through DHCP), but the internal interface must have a static IP address.

*-Installing Microsoft ISA Server.
To install ISA Server as an array member you must first extend the Active Directory schema with the ISA Server classes by running MSISAENT.EXE, which is found in the ISA Setup directory. Then run SETUP.EXE; you will be prompted to choose the installation type. Which types are offered depends on whether the schema extension exists in Active Directory: if it exists you are prompted to choose between an enterprise (array) installation and a stand-alone installation; if it does not exist you can only install a stand-alone server. After the installation type, Setup prompts you for the server mode, which is one of the following.

*-Firewall mode: runs ISA Server as a firewall only.
*-Caching mode: runs ISA Server as a cache only, to increase the speed of the Internet connection.
*-Integrated mode: both firewall and caching.
*-Cache configuration: during the installation of Microsoft ISA Server you must configure the cache that will be placed on your hard drive. By default ISA Server proposes a 100 MB cache on the C drive, if it is formatted with NTFS.

NOTE: Microsoft ISA Server cannot use free space for caching on any drive that is not formatted with NTFS (a FAT drive is not offered for the cache).
Some important information.
*-LAT: local address table.
*-LDT: local domain table.
*-Microsoft ISA Server can construct the local address table automatically; the table includes the address ranges that IANA (Internet Assigned Numbers Authority) has set aside for private use (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16).
NOTE: Firewall clients use a file named MSPLAT.TXT to store local address table information, but you can add entries to the local address table manually by using a file named LOCALLAT.TXT.
NOTE: the local domain table contains the names of your internal domains.
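The following is an added example and not code from the handout or from ISA Server: it builds a local address table from the IANA private ranges plus a manually supplied range, and uses it in a minimal stateful TCP filter of the kind described under feature 3 above, so that only connections opened from inside the LAT, and the replies to them, pass. The "start end" per-line file format, the packet representation and the addresses are assumptions made for the example (the real MSPLAT.TXT/LOCALLAT.TXT layout is not given on this page).

```python
# Added example, not part of the handout: a local address table (LAT) built from
# the IANA private ranges plus a manually supplied range, used by a minimal
# stateful TCP filter of the kind feature 3 describes.
# Assumptions (not stated on the page): the "start end" per-line format below is
# a stand-in for LOCALLAT.TXT, packets are plain dicts, and only the SYN/FIN/RST
# flags are tracked.
import ipaddress

# RFC 1918 private-use ranges that ISA Server places in the LAT automatically.
PRIVATE_RANGES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# Constructed stand-in for a manual LOCALLAT.TXT (format assumed for the example).
LOCALLAT_TXT = """\
# start         end
203.0.113.0     203.0.113.255
"""


def build_lat(manual_text=""):
    """Return the LAT as a list of networks: RFC 1918 ranges plus manual ranges."""
    lat = [ipaddress.ip_network(r) for r in PRIVATE_RANGES]
    for line in manual_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        start, end = line.split()
        lat.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(start), ipaddress.ip_address(end)))
    return lat


def is_local(lat, ip):
    """An address is internal only if the LAT covers it; everything else is external."""
    return any(ipaddress.ip_address(ip) in net for net in lat)


class StatefulFilter:
    """Allow TCP flows opened from the LAT outward, allow replies only for flows
    already in the state table, and drop unsolicited inbound packets."""

    def __init__(self, lat):
        self.lat = lat
        self.flows = set()   # (client_ip, client_port, server_ip, server_port)

    def handle(self, pkt):
        src_local = is_local(self.lat, pkt["src"])
        dst_local = is_local(self.lat, pkt["dst"])
        flags = pkt["flags"]
        if src_local and not dst_local:                       # outbound
            key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
            if flags == {"SYN"}:
                self.flows.add(key)                           # new connection from inside
                return "allow"
        elif dst_local and not src_local:                     # inbound
            key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        else:
            return "drop"          # traffic that does not cross the internal/external boundary
        if key not in self.flows:
            return "drop"          # no matching state: a reply nobody asked for, or a scan
        if flags & {"FIN", "RST"}:
            self.flows.discard(key)                           # connection is closing
        return "allow"


def demo():
    """Constructed trace: an internal host opens 80/tcp, the server replies, then an
    outside host probes an internal port and a second outside host probes the
    manually added range. Returns the filter's verdict for each packet."""
    fw = StatefulFilter(build_lat(LOCALLAT_TXT))
    trace = [
        {"src": "192.168.1.10", "sport": 3456, "dst": "198.51.100.7", "dport": 80, "flags": {"SYN"}},
        {"src": "198.51.100.7", "sport": 80, "dst": "192.168.1.10", "dport": 3456, "flags": {"SYN", "ACK"}},
        {"src": "192.168.1.10", "sport": 3456, "dst": "198.51.100.7", "dport": 80, "flags": {"ACK"}},
        {"src": "198.51.100.9", "sport": 4444, "dst": "192.168.1.10", "dport": 139, "flags": {"SYN"}},
        {"src": "198.51.100.7", "sport": 80, "dst": "203.0.113.5", "dport": 5555, "flags": {"SYN"}},
    ]
    return [fw.handle(p) for p in trace]


if __name__ == "__main__":
    print(demo())
```

The fourth and fifth packets are dropped although nothing in the packets themselves is malformed: there is simply no state entry that an internal host created, which is the whole point of stateful inspection over plain port filtering.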



NOTE: if ISA Server Setup says that it cannot find the schema information it needs to install in enterprise mode and that it can only install a stand-alone server, solve the problem by running MSISAENT.EXE from ISA\I386\MSISAENT.EXE to extend the Active Directory schema, then run Setup again.
*-After you finish the installation of Microsoft ISA Server you will find the main window that controls all functions of ISA Server, which is the Microsoft Management Console (MMC) with the ISA Management snap-in.
*-ISA Server creates a listener for outgoing Web requests on port 8080 by default.
NOTE: Web proxy clients do not send authentication information to ISA Server unless the outgoing Web request listener is configured to ask for it.
Caveat: if you configure the outgoing Web request listener to ask for authentication, then the browsers must be configured as Web proxy clients (pointing at the ISA Server and port 8080), or you will have unhappy users unable to surf the Web.
How can you configure outgoing Web requests?
Answer: open the ISA Management console from the Start menu (Programs, Microsoft ISA Server, ISA Management).
*-In the console tree, right-click the array (or the server, for a stand-alone installation) and choose Properties; a dialog box will appear in which you can configure outgoing Web requests (the Outgoing Web Requests tab).



Configure ISA Server
1-Bastion host: the ISA Server has two network adapters, one connected to the internal network and the second connected to the Internet. It provides a single point of defense against attacks from the Internet on your internal network.
2-Three-homed firewall with DMZ: the firewall has three network adapters; one is connected to the Internet, the second to the demilitarized zone (DMZ) and the last to the internal network.
3-Web publishing: Web publishing allows you to place one or more Web servers behind the ISA Server computer or array and have ISA Server process requests on behalf of the Web servers. This provides extra security, because users cannot reach the published servers directly without permission.
*-Managing ISA Server
How can you create a custom console?
Answer: open the Start menu, choose Run and type MMC; an empty console window will appear. This is the new custom console for your ISA Server, to which you add the ISA Management snap-in.



A-Console mode: a custom console can be saved in four modes.
B-Author mode: allows you to create a new console or to modify an existing console.
C-User mode, full access: provides full access to all ISA management options but prevents adding or removing the ISA snap-in or changing console properties.
D-User mode, limited access, multiple windows: allows you to use ISA Management with multiple windows.
E-User mode, limited access, single window: allows you to use the ISA Management console with a single window.
*-You can change the mode of your custom ISA Management console from Console, Options, and you can add new objects to your custom console by choosing Console, Add/Remove Snap-in and then choosing the objects you want.



*-The components of the MMC window
On the left you will find a pane called the console tree; it is used to administer the ISA Server functions and arrays.
In the right pane you will find a window that displays the details of every element selected in the left pane. There are three containers under the ISA Server root; if you install the stand-alone version of ISA Server you will find only two container folders, one called Servers and Arrays and the second called H.323 Gatekeepers.
*-There is a menu bar for your ISA Management console that contains tools for controlling all features and functions of ISA Server. It consists of the Action and View menus.
*-Action menu:
1-Disconnect: disconnects the console from the ISA Server it is managing.
2-Backup: makes a backup of all ISA Server configuration information.
3-Restore: restores a backup taken before.
4-Refresh: refreshes the ISA Server console.
5-Export list: saves the details shown in the pane to a text file.
6-Help: provides information about these tools.

*-View menu: it is identical in a stand-alone installation and an array server. The View menu is used to choose the way you want elements to appear:
1-Large icons: view the icons in large size.
2-Small icons: view the icons in small size.
3-List: view the items as a list.
4-Details: provides more details for each item.
5-Taskpad: provides a more graphical interface for navigating the elements of ISA Server.
6-Advanced: the default view of the MMC.

*-Microsoft ISA Server objects
The console tree provides all objects that can be configured. Every element in the console tree is a child of the root of the MMC, and together they make up the console tree.
ISA Server objects:
-Monitoring
-Computers
-Access policy
-Publishing
-Bandwidth rules
-Policy elements
-Cache configuration
-Monitoring configuration
-Extensions
-Network configuration
-Client configuration
*-We will discuss in detail all objects of the ISA Management console.
1-Monitoring
Under the Monitoring object you will find four child elements: Alerts, Services, Sessions, Reports.



A-Alerts: used to view alerts; the alerts themselves are created under Monitoring configuration (see below).
B-Services: contains all ISA services of the array and server (Web proxy, firewall, scheduled content download) with an indication of whether each is stopped or running.
C-Sessions: contains information about the sessions currently active on the Web proxy or the firewall.
D-Reports: contains the results of any report that has been configured; under the Reports folder you will see five child elements (Summary, Web usage, Application usage, Traffic and utilization, Security).

2-Computers
The next object in the console tree is Computers, which refers to the computers that belong to the ISA Server array.
3-Access policy
The next object in the console tree is Access policy, which is used to configure access to Web sites and IP addresses. It includes three child elements:
A-Site and content rules: used to deny or allow users or groups of users access to Internet resources.
B-Protocol rules: used to identify which protocols may be used to access Internet resources.
C-IP packet filters: used to allow or deny packets passing through a specified port on the external interface.

4-Publishing
The next object in the console tree is Publishing, which is used to publish a certain site or service so that it is available (or unavailable) to users or groups. It includes two child elements (Web publishing rules, Server publishing rules).
5-Bandwidth rules
The next object in the console tree is Bandwidth rules, which lets you specify which connections have priority over other connections.
6-Policy elements
The next object in the console tree is Policy elements, which holds the building blocks used by the rules of ISA Server. It consists of:
-Schedules
-Bandwidth priorities
-Destination sets
-Protocol definitions
-Client address sets
-Content groups
-Dial-up entries



7-Cache configuration
The next object in the console tree is Cache configuration. The cache keeps a copy of commonly requested Web objects to make the Internet connection faster. Under Cache configuration you will find two folders: Scheduled content download and Drives.
A-Scheduled content download: lets you configure ISA Server to download content from a specified URL into the cache at a specific time; this helps users access those Web sites faster.
B-Drives: displays the NTFS logical drives and the cache space allocated on each.

8-Network configuration
The next object in the console tree is Network configuration, used to set up and configure the local ISA Server or VPN servers to allow connections. Under Network configuration you will find three folders: Routing, LAT (local address table) and LDT (local domain table).
A-LAT: the local address table is used to construct the address table or to add entries to the existing local address table; it identifies all internal IP address ranges for all machines in the internal network. Any address not in the LAT is treated as external.
B-LDT: the local domain table is used to add new entries to the local domain table; it lists all domain names in the internal network, so that Firewall clients can tell which names are local and should be resolved directly rather than through ISA Server.

*-Now we will discuss in detail all options in ISA Server that serve in controlling and managing ISA Server.
Creating and configuring monitoring and alerts
A-Viewing alerts: from Monitoring configuration choose Alerts, and by right-clicking any alert you can view the description of the alert, its actions and the events that trigger it.



How can you create a new alert?
1-Expand Monitoring configuration.
2-Right-click Alerts and choose New, Alert.
3-A dialog box will appear asking you to type a name for your alert; click Next.
4-A dialog box will appear asking you to choose the event for this alert from the group of events built into ISA Server; then press Next.
5-A dialog box will appear asking you to determine the actions this alert will execute, chosen from:
A-Send an e-mail message: it will ask you for the SMTP server and the addresses.
B-Run a program: it will ask you for the program you want to run.
C-Report the event to the Windows 2000 event log.
D-Stop selected ISA services: it will ask you which services you want stopped (Firewall service, Scheduled content download, Web proxy).
E-Start selected ISA services: it will ask you which of the same services you want started.



How can you view sessions?
You can view sessions by:
1-Expanding Monitoring.
2-Clicking Sessions in the console tree; the right pane then shows information about all sessions. There are two types of session, firewall sessions and Web sessions. For each session you see the user name (for authenticated sessions), the IP address of the station running the session, the client address (the address on the internal network), and the date and time the session started.



NOTE: You have the ability to disconnect any session running on ISA Server by right-clicking it and choosing Disconnect; the session will be disconnected from ISA Server.
How can you view services?
You can view the ISA services by:
1-Expanding the Monitoring object in the MMC console tree and clicking Services; all services appear in the right pane. You can stop the services by right-clicking each one in sequence from top to bottom and choosing Stop; if you want to start all services, right-click each one in sequence from bottom to top and choose Start.

3-Access policy: the object of the Microsoft ISA Server management console that consists of three main child objects: Site and content rules, Protocol rules and IP packet filters. We will discuss every element of the Access policy object in detail.



1-Site and content rules: used to deny or allow users and groups access to Internet sites or resources, by applying a rule that denies or allows access to specific sites (a destination set) for all users or for a specific set of clients.
How can you create a new rule?
1-Expand the Access policy object.
2-Right-click Site and content rules and choose New, Rule.
3-A dialog box will appear asking you to type a name for this rule; type the name and then press Next.
4-A dialog box will appear asking you for the action of this rule, Deny or Allow. The default option in a site and content rule is to deny access to the specified sites. You can allow access by choosing the Allow option, deny access by choosing the Deny option, or redirect denied HTTP requests to another site: for example, if you want to redirect all denied requests to www.yahoo.com, check the HTTP redirect request option and type that site in the text box.
5-If you chose Deny, a dialog box will appear with four main options:
-Deny access based on destination
-Deny access only at certain times
-Deny selected clients access to all external sites
-Custom
6-Press Next; a dialog box will appear asking you to determine which destinations will be affected by the rule.



2-Protocol rules: used to determine which protocol definitions clients may use to access Internet resources or sites. You can allow or deny access to the Internet or any resource by creating a new protocol rule. The following table shows the main protocol definitions that can be used in a protocol rule (each definition is a port number, a protocol type and a direction; the "Defined by" column shows whether the definition is built into ISA Server or provided by an application filter):

Name          Port  Type  Defined by          Description
FTP           21    TCP   FTP access filter   Used for copying files between two hosts
FTP Download  21    TCP   FTP access filter   Used to download files from an FTP server to FTP clients (download only)
Gopher        70    TCP   ISA Server          Menu-driven front end to other Internet services
HTTP          80    TCP   ISA Server          Hypertext Transfer Protocol, used to implement the World Wide Web
HTTPS         443   TCP   ISA Server          Version of HTTP that uses Secure Sockets Layer (SSL) for encryption

From the protocol rule you determine which protocols users may use to access the Internet and Internet services. For example, you can deny the users of your organization the use of MSN Messenger. Let us see how we can deny MSN Messenger:
1-Right-click Protocol rules and then choose New, Rule.
2-A dialog box will appear asking you to type the name of the protocol rule; after you type the name press Next.
3-A dialog box will appear asking you to choose the action of this protocol rule. There are two actions, Allow and Deny; we want to deny access to MSN Messenger, so we choose Deny and then press Next.



4-A dialog box will appear asking you to determine which protocols the rule applies to. There are three types of protocol rule: all IP traffic, selected protocols, and all IP traffic except selected protocols.
Choose Selected protocols, then choose MSN Messenger from the list and press Next.
5-A dialog box will appear asking you when you want to deny access to MSN Messenger. You can deny access to Messenger always, or determine at which times you want to deny access. If you choose Always, nobody can access Messenger at any time; if you want to deny access to Messenger for 8 hours a day, you must create a schedule (under Policy elements) for those hours and select it here, then press Next.
6-A dialog box will appear asking you to determine which requests this protocol rule applies to. There are three main options: Any request, meaning everyone will be denied access to Messenger; Specific computers (client address sets), meaning you choose a client address set or a group of IP addresses to deny access to Messenger; and Specific users and groups, meaning you choose the users or groups to deny access to Messenger.
7-If you choose Any request and press Next, the rule will apply to all requests. If you choose Specific computers and press Next, a dialog box will appear to specify the client address set or group of IP addresses that will be denied access to Messenger. If you choose Specific users and groups and press Next, a dialog box will appear to determine which users or groups will be denied access to Messenger.
NOTE: a protocol rule that denies a protocol takes precedence over protocol rules that allow it, and a protocol that no rule allows is denied; so outside the scheduled hours Messenger is usable only if another protocol rule allows it.
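The following is an added example, not code from the handout or from ISA Server, showing how the policy elements described later on this page (protocol definitions, destination sets, client address sets, schedules) combine in protocol rules and site and content rules, including the Messenger rule just built. It evaluates a request the way the access policy does: a protocol rule must allow the protocol and a site and content rule must allow the destination, deny rules win over allow rules, and a request that nothing allows is denied. All names, addresses, hosts and times are constructed for the example, and the MSN Messenger port number is an assumption used only to fill in the protocol definition.

```python
# Added example, not part of the handout: how the policy elements (protocol
# definitions, destination sets, client address sets, schedules) combine in
# site and content rules and protocol rules. A request is allowed only if a
# protocol rule allows its protocol AND a site and content rule allows its
# destination; within each rule set, deny rules win and an unmatched request is
# denied. Names, addresses and the requests are constructed; the MSN Messenger
# port is an assumption for illustration only.
import ipaddress
from datetime import datetime

# --- Policy elements ---------------------------------------------------------
PROTOCOL_DEFINITIONS = {               # name -> (port, type, direction)
    "HTTP": (80, "TCP", "outbound"),
    "HTTPS": (443, "TCP", "outbound"),
    "FTP": (21, "TCP", "outbound"),
    "MSN Messenger": (1863, "TCP", "outbound"),   # port assumed for the example
}
DESTINATION_SETS = {                   # name -> host names or IP networks
    "Games sites": ["www.games.example", "203.0.113.0/24"],
}
CLIENT_ADDRESS_SETS = {                # name -> list of (first, last) IP ranges
    "Sales PCs": [("192.168.1.1", "192.168.1.10")],
}
SCHEDULES = {                          # name -> (weekdays, start_hour, end_hour)
    "Work hours": ({0, 1, 2, 3, 4}, 9, 17),       # Mon..Fri 09:00-17:00
    "Always": (set(range(7)), 0, 24),
}

# --- Access policy -----------------------------------------------------------
PROTOCOL_RULES = [
    {"name": "No Messenger at work", "action": "deny", "protocols": ["MSN Messenger"],
     "clients": "Sales PCs", "schedule": "Work hours"},
    {"name": "Internet access", "action": "allow",
     "protocols": ["HTTP", "HTTPS", "FTP", "MSN Messenger"], "clients": "any", "schedule": "Always"},
]
SITE_RULES = [
    {"name": "Block games", "action": "deny", "destinations": "Games sites",
     "clients": "any", "schedule": "Always"},
    {"name": "Allow all sites", "action": "allow", "destinations": "all",
     "clients": "any", "schedule": "Always"},
]


def in_client_set(name, ip):
    if name == "any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
               for lo, hi in CLIENT_ADDRESS_SETS[name])


def in_destination_set(name, host):
    if name == "all":
        return True
    for entry in DESTINATION_SETS[name]:
        if "/" in entry:                              # network entry: match by address
            try:
                if ipaddress.ip_address(host) in ipaddress.ip_network(entry):
                    return True
            except ValueError:
                continue                              # host is a name, not an address
        elif entry.lower() == host.lower():
            return True
    return False


def in_schedule(name, when):
    days, start, end = SCHEDULES[name]
    return when.weekday() in days and start <= when.hour < end


def decide(rules, matches, req, when):
    """Deny rules take precedence over allow rules; no matching allow rule means deny."""
    hits = [r for r in rules
            if in_client_set(r["clients"], req["client"])
            and in_schedule(r["schedule"], when) and matches(r, req)]
    if any(r["action"] == "deny" for r in hits):
        return "deny"
    return "allow" if hits else "deny"


def evaluate(req, when):
    if req["protocol"] not in PROTOCOL_DEFINITIONS:
        return "deny"                                 # unknown protocol: nothing can allow it
    proto = decide(PROTOCOL_RULES, lambda r, q: q["protocol"] in r["protocols"], req, when)
    site = decide(SITE_RULES, lambda r, q: in_destination_set(r["destinations"], q["host"]), req, when)
    return "allow" if proto == site == "allow" else "deny"


def demo():
    """Constructed requests from a Sales PC (and one other PC) on a Tuesday."""
    workday = datetime(2024, 3, 12, 10, 30)
    evening = datetime(2024, 3, 12, 20, 0)
    web = {"client": "192.168.1.5", "host": "www.example.com", "protocol": "HTTP"}
    msn = {"client": "192.168.1.5", "host": "messenger.example.net", "protocol": "MSN Messenger"}
    games = {"client": "192.168.1.5", "host": "203.0.113.20", "protocol": "HTTP"}
    other_pc = {"client": "192.168.2.7", "host": "messenger.example.net", "protocol": "MSN Messenger"}
    return {
        "web at work": evaluate(web, workday),
        "messenger at work": evaluate(msn, workday),
        "messenger in the evening": evaluate(msn, evening),
        "messenger from a non-Sales PC at work": evaluate(other_pc, workday),
        "games site by address": evaluate(games, workday),
        "telnet": evaluate({**web, "protocol": "Telnet"}, workday),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

Two points worth noticing when reading the results: the deny rule only bites for the client set and schedule it names (a PC outside "Sales PCs" can use Messenger during work hours), and a protocol with no definition or no allow rule is denied without any deny rule being written.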
4-Publishing: used to make services on the internal network available to external users.
Types of publishing: there are three methods of publishing services:
-Web publishing
-Server publishing
-DMZ publishing
All of the above methods are wizards built into ISA Server; each method allows you to achieve a different goal.
-Web publishing: the Web publishing wizard allows you to publish content held on internal Web servers. The protocols that can be published via Web publishing are HTTP, HTTPS and FTP.
The Web publishing wizard simplifies the process of making services available to external users; this method also allows you to redirect Web requests to any port on the internal server.
By using Web publishing you can redirect Web proxy requests to another Web site: for example, if a user asks for yahoo and you have a Web publishing rule for that destination whose action redirects to hotmail, ISA Server redirects all such requests to hotmail. Another example of Web publishing: if you want a group of users to copy files with FTP, you can publish the FTP protocol.
How can you make a Web publishing rule?
1-Expand Publishing in the MMC console tree.
2-Right-click Web publishing rules and choose New, Rule; a dialog box will appear asking you to choose a name for this rule. Type the name and then press Next.
3-A dialog box will appear asking you to determine which destination sets the rule applies to. There are five options:
-All destinations: all internal and external destinations.
-All internal destinations: the rule applies to all internal destinations.
-All external destinations: the rule applies to all external destinations.
-Specified destination set: you choose one of the destination sets.
-All destinations except selected set: the rule applies to all destinations except the selected set.
Select the destination set you want and then press Next.
4-A dialog box will appear asking you which clients will be affected by this rule.



You can choose one of three client types:
-Any request: all matching requests will be redirected to the Web server you published.
-Specific computers (client address sets): you choose the client address set that will be affected by this rule.
-Specific users and groups: you choose the users or groups that will be affected by the rule.
After you choose the clients press Next; a dialog box will appear in which you type the internal site (server and port) to which the requests will be redirected. This is the action of the rule you created to publish a Web site.
Example, to understand Web publishing: suppose you have a domain named Cairo Home and you want to publish it for the client address 192.168.10.240 so that files can be copied with FTP. You will create a publishing rule for the FTP protocol:
First create a destination set called FTP Cairo home, then create a new Web publishing rule. In the destination window choose Specified destination set and choose the FTP Cairo home destination set, then press Next. In the client window choose Specific computers and select the client address set containing 192.168.10.240, then press Next. In the action window redirect all requests to www.cairohome.com. If you understand this example you will be able to publish any site or Web server you want.
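As an added example (not code from the handout or from ISA Server), the following shows how a Web publishing rule like the Cairo Home one is resolved for a request arriving on the external interface: the destination set (public host name plus an optional path prefix) and the client address set are matched in rule order, the first match redirects the request to the internal server and port, and a request that matches no rule is discarded, so the internal servers are never reachable directly. The host names, internal addresses, ports and the incoming requests are all constructed for the example.

```python
# Added example, not part of the handout: how a Web publishing rule is resolved
# for a request arriving on the external interface. The rule's destination set
# (public host name plus an optional path prefix) and client address set are
# matched; the first matching rule redirects the request to the internal server
# and port, and a request that matches no rule is discarded, so the internal
# servers are never reachable directly. Host names, addresses and ports are
# constructed for the example.
import ipaddress

DESTINATION_SETS = {                     # name -> list of (public host, path prefix)
    "Cairo home web": [("www.cairohome.com", "/")],
    "Cairo home ftp": [("www.cairohome.com", "/ftp/")],
}
CLIENT_ADDRESS_SETS = {                  # name -> list of (first, last) IP ranges
    "Partner": [("198.51.100.1", "198.51.100.254")],
}
WEB_PUBLISHING_RULES = [                 # first match wins; more specific paths first
    {"name": "Partner FTP", "destinations": "Cairo home ftp", "clients": "Partner",
     "redirect": ("10.0.0.6", 21)},      # internal FTP server
    {"name": "Public web", "destinations": "Cairo home web", "clients": "any",
     "redirect": ("10.0.0.5", 8080)},    # internal Web server on a non-standard port
]


def client_matches(name, ip):
    if name == "any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
               for lo, hi in CLIENT_ADDRESS_SETS[name])


def destination_matches(name, host, path):
    return any(host.lower() == h.lower() and path.startswith(prefix)
               for h, prefix in DESTINATION_SETS[name])


def resolve(request):
    """Return (rule name, internal server, port), or None when the request is discarded."""
    for rule in WEB_PUBLISHING_RULES:
        if (destination_matches(rule["destinations"], request["host"], request["path"])
                and client_matches(rule["clients"], request["client"])):
            server, port = rule["redirect"]
            return rule["name"], server, port
    return None                          # default rule: discard


def demo():
    """Constructed requests on the external interface: a public visitor, a partner
    fetching from /ftp/, a non-partner trying /ftp/ (falls through to the general
    rule), and someone naming the internal address directly (discarded)."""
    return [
        resolve({"client": "203.0.113.9", "host": "www.cairohome.com", "path": "/index.html"}),
        resolve({"client": "198.51.100.20", "host": "www.cairohome.com", "path": "/ftp/report.zip"}),
        resolve({"client": "203.0.113.9", "host": "www.cairohome.com", "path": "/ftp/report.zip"}),
        resolve({"client": "203.0.113.9", "host": "10.0.0.5", "path": "/"}),
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Because rules are tried in order, the more specific /ftp/ rule must come before the catch-all Web rule, otherwise the partner's FTP requests would be sent to the Web server as well.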

5-Policy elements: these are the building blocks referenced by the rules of ISA Server. Policy elements include:
-Schedules
-Bandwidth priorities
-Destination sets
-Client address sets
-Protocol definitions
-Content groups
A-Schedules: used to identify at which times a rule is in effect.
How can you create a new schedule?
1-Expand Policy elements in the MMC console tree.
2-Right-click Schedules and choose New, Schedule.
3-A dialog box will appear asking you to type the name of the schedule and a description, and to mark the hours during which a rule using this schedule is active.



B-Destination sets: a destination set is a list of computer names, IP addresses or IP address ranges (optionally with a path).
How can you create a new destination set?
1-Expand Policy elements in the MMC console tree.
2-Right-click Destination sets and choose New, Set; a dialog box will appear asking you to type the name of the destination set and a description.
3-Press Add; another dialog box will appear asking you to identify the destination by name, IP address or IP range. After you finish, click OK.



C-Client address sets: used to define a client address set, which refers to the group of IP addresses that will be affected by a rule.
How can you create a new client address set?
1-Expand Policy elements in the MMC console tree.
2-Right-click Client address sets and choose New, Set; a dialog box will appear asking you to type the name and description of the client address set.
3-Press Add to type the range of IP addresses for the set.
For example, to create a client address set covering IP 192.168.1.1 to IP 192.168.1.10, type 192.168.1.1 as the From address and 192.168.1.10 as the To address.
D-Protocol definitions: Microsoft ISA Server includes a wide variety of protocol definitions that can be used when you create protocol rules or server publishing rules.
How can you create a protocol definition?



1-Expand Policy elements in the MMC console tree.
2-Right-click Protocol definitions and choose New, Definition; a dialog box will appear asking you to type the name of the protocol definition. Type the name and press Next.
3-A dialog box will appear asking you to identify the port, protocol type and direction of the primary connection:
A-Port: the port number, between 1 and 65535, used to initiate the connection.
B-Protocol type: TCP (Transmission Control Protocol) or UDP (User Datagram Protocol).
C-Direction: inbound or outbound.
After you finish entering the primary connection information press Next.
4-An optional dialog box will appear for secondary connections (additional ports the protocol opens after the primary connection, as FTP does for its data channel); fill it in if needed, then press Next and then Finish.



6-Cache configuration: used to download content from commonly used URLs into the cache ahead of time, which makes the connection to those sites faster.
How can you create a new scheduled content download job?
1-Expand Cache configuration.
2-Right-click Scheduled content download and choose New, Job.
3-A dialog box will appear asking you to type the name of the download job you want to create; press Next.
4-A dialog box will appear to choose the time at which the download will start.
-We advise choosing a time when no users are accessing the Internet, to avoid overloading the ISA Server and the Internet link. After you finish press Next.
5-A dialog box will appear to identify the schedule of the content download, which can be once, daily, weekly, or custom on specific days.



After you finish identifying the schedule for downloading the content, press Next.
6-A dialog box will appear asking you to identify which URL you want to download into the cache.
After you type the URL press Next and then Finish.
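The following is an added example, not code from the handout or from ISA Server, that models the caching behaviour described under feature 2 together with a scheduled content download job: objects are kept with an expiry time, a request is served from the local copy only while that copy is fresh, and the job prefetches its URL list only inside its off-peak window. The ORIGIN dictionary stands in for the remote Web servers and the clock is passed in explicitly so the example runs offline; the URLs, sizes, freshness times and schedule are all constructed.

```python
# Added example, not part of the handout: the cache behaviour described under
# feature 2 together with a scheduled content download job. Objects are stored
# with an expiry time, a request is a hit only while a fresh copy exists, and
# the job prefetches its URL list only inside its off-peak window. The ORIGIN
# dictionary stands in for the remote Web servers and the clock is passed
# explicitly, so the example runs offline; URLs, sizes and times are constructed.
from datetime import datetime, timedelta

ORIGIN = {   # url -> (body, seconds the object stays fresh)
    "http://www.example.com/": ("<html>home page</html>", 3600),
    "http://www.example.com/news": ("<html>news, changes often</html>", 60),
}


class WebCache:
    def __init__(self, max_bytes):
        self.max_bytes = max_bytes
        self.store = {}            # url -> (body, expires_at)
        self.hits = self.misses = 0

    def get(self, url, now):
        """Serve from the local copy while it is still fresh, else fetch and store."""
        entry = self.store.get(url)
        if entry is not None and entry[1] > now:
            self.hits += 1
            return entry[0], "hit"
        self.misses += 1
        body, ttl = ORIGIN[url]                  # stand-in for the Internet round trip
        self.put(url, body, now + timedelta(seconds=ttl))
        return body, "miss"

    def put(self, url, body, expires_at):
        """Store an object, evicting the soonest-expiring objects if space is short."""
        while self.store and self.size() + len(body) > self.max_bytes:
            soonest = min(self.store, key=lambda u: self.store[u][1])
            del self.store[soonest]
        if len(body) <= self.max_bytes:
            self.store[url] = (body, expires_at)

    def size(self):
        return sum(len(body) for body, _ in self.store.values())


class ScheduledContentDownload:
    """Prefetch a list of URLs into the cache, but only within the configured hours."""

    def __init__(self, urls, start_hour, end_hour):
        self.urls, self.start_hour, self.end_hour = urls, start_hour, end_hour

    def run(self, cache, now):
        if not self.start_hour <= now.hour < self.end_hour:
            return 0                              # outside the window: do nothing
        for url in self.urls:
            body, ttl = ORIGIN[url]
            cache.put(url, body, now + timedelta(seconds=ttl))
        return len(self.urls)


def demo():
    """Prefetch at 02:00, serve requests at 02:30, then try the job again at 10:00."""
    cache = WebCache(max_bytes=4096)
    job = ScheduledContentDownload(list(ORIGIN), start_hour=1, end_hour=5)
    night = datetime(2024, 3, 12, 2, 0)
    later = datetime(2024, 3, 12, 2, 30)
    result = {"prefetched": job.run(cache, night)}
    result["home at 02:30"] = cache.get("http://www.example.com/", later)[1]
    result["news at 02:30"] = cache.get("http://www.example.com/news", later)[1]
    result["news again at 02:30:30"] = cache.get(
        "http://www.example.com/news", later + timedelta(seconds=30))[1]
    result["job at 10:00"] = job.run(cache, datetime(2024, 3, 12, 10, 0))
    return result


if __name__ == "__main__":
    for case, value in demo().items():
        print(f"{case}: {value}")
```

The news page is a miss at 02:30 even though it was prefetched, because its freshness lifetime was only one minute: a scheduled download only helps for content whose expiry outlasts the gap between the download window and the users' requests.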
