
ISA Server 2006

Lab Manual

Module A: Introduction to ISA Server 6


Module B: Configuring Outbound Internet Access 19
Module C: Publishing Web Servers and Other Servers 32
Module D: Publishing an Exchange Server 60
Module E: Enabling VPN Connections 82
Module F: ISA Server 2006 as Branch Office Gateway 105
Module G: Enterprise Management of ISA Servers 119
Module H: Configuring Load Balancing 138
Module I: Using Monitoring, Alerting and Logging 170
Lab version 3.0f (6-Aug-2006)

Lab Summary
Contents
There are nine modules in this lab. You can complete each of these lab modules
independently of the other modules.
- The monitor icons indicate which virtual machines are needed.
- The 06 code indicates exercises that are specific to ISA Server 2006.
- The EE code indicates exercises that are specific to ISA Server Enterprise Edition.
- The up arrow indicates exercises that depend on the previous exercise.

Lab Summary 2
Module A: Introduction to ISA Server 6
    Exercise 1 Exploring the User Interface 6
    Exercise 2 Ease of Use: Multiple Networks 10
    Exercise 3 Ease of Use: Single Rule Base 14
    Exercise 4 Ease of Use: Monitoring 17
Module B: Configuring Outbound Internet Access 19
    Exercise 1 Allowing Outbound Web Access from Client Computers 19
    Exercise 2 Enabling the Use of the Ping command from Client Computers 23
    Exercise 3 Allowing Outbound Access from the ISA Server 25
    06 Exercise 4 Configuring ISA Server 2006 for Flood Resiliency 27
Module C: Publishing Web Servers and Other Servers 32
    Exercise 1 Publishing a Web Server in the Internal Network 32
    Exercise 2 Publishing the Web Server on the ISA Server Computer 36
    Exercise 3 Performing Link Translation on a Published Web Server 40
    06 Exercise 4 Using Cross-Site Link Translation to Publish SharePoint Server 42
    06 Exercise 5 Publishing a Web Farm for Load Balancing 46
    Exercise 6 Publishing Multiple Terminal Servers 54
Module D: Publishing an Exchange Server 60
    06 Exercise 1 Publishing Exchange Web Access - Certificate Management 60
    Exercise 2 Publishing an Exchange Server for SMTP and POP3 67
    Exercise 3 Publishing an Exchange Server for Outlook (RPC) 69
    Exercise 4 Publishing an Exchange Server for RPC over HTTP 72
Module E: Enabling VPN Connections 82
    Exercise 1 Configuring ISA Server to Accept Incoming VPN Connections 82
    Exercise 2 Configuring a Client Computer to Establish a VPN Connection 85
    Exercise 3 Allowing Internal Network Access for VPN Clients 88
    Exercise 4 Configuring VPN Quarantine on ISA Server 90
    Exercise 5 Creating and Distributing a Connection Manager Profile 95
    Exercise 6 Using VPN Quarantine on the Client Computer 101
Module F: ISA Server 2006 as Branch Office Gateway 105
    06 Exercise 1 Configuring HTTP Compression to Reduce Bandwidth Usage 105
    06 Exercise 2 Configuring ISA Server to Cache BITS Content 112
    06 Exercise 3 Configuring DiffServ Settings to Prioritize Network Traffic 116
Module G: Enterprise Management of ISA Servers 119
    Exercise 1 Enterprise Policies and Array Policies 119
    Exercise 2 Remote Management and Role-based Administration 126
    Exercise 3 Working with Configuration Storage Servers (Optional) 132
Module H: Configuring Load Balancing 138
    Exercise 1 Configuring Network Load Balancing (NLB) 138
    Exercise 2 Examining Details on NLB 146
    Exercise 3 Using CARP to Distribute Cache Content 156
    Exercise 4 Using CARP and Scheduled Content Download Jobs 164
Module I: Using Monitoring, Alerting and Logging 170
    Exercise 1 Monitoring the ISA Server 170
    Exercise 2 Checking Connectivity from the ISA Server 173
    Exercise 3 Logging Client Computer Access 176


Lab Setup
To complete each lab module, you need to review the following:
Virtual PC
This lab makes use of Microsoft Virtual PC 2004, which is an application that
allows you to run multiple virtual computers on the same physical hardware.
During the lab you will switch between different windows, each of which contains
a separate virtual machine running Windows Server 2003.
Before you start the lab, familiarize yourself with the following basics of
Virtual PC:
- To issue the Ctrl-Alt-Del keyboard combination inside a virtual machine, use <right>Alt-Del instead.
- To enlarge the virtual machine window, drag the bottom right corner of the window.
- To switch to full-screen mode, and to return from full-screen mode, press <right>Alt-Enter.

Lab Computers
The lab uses five computers in virtual machines.

- Denver.contoso.com (green) is the domain controller for the contoso.com domain on the Internal network. Denver runs DNS, RADIUS, Exchange 2003 SP1 and SharePoint Services 2.0, and is also the Certification Authority (CA).
- Istanbul.fabrikam.com (purple) is a Web server and client computer on the External network (Internet). Istanbul runs Outlook 2003. Istanbul is not a member of a domain.
- Paris (red) runs ISA Server 2006 Standard Edition. Paris has three network adapters, which connect to the Internal network, the Perimeter network and the External network (Internet). The Perimeter network is not used in this lab.
- Florence (red) and Firenze (red) run ISA Server 2006 Enterprise Edition. Both computers have three network adapters. Florence and Firenze are in an array named Italy. Only Florence runs the Configuration Storage server (CSS).

The computers cannot communicate with the host computer.


To allow you to examine and understand the traffic on the network, Microsoft
Network Monitor 5.2, the version included with Windows Server 2003, is installed
in each virtual machine.

To start the lab


Before you can do any of the lab modules, you need to start the virtual machines,
and then you need to log on to the computers.
In each exercise you only have to start the virtual machines that are needed.

To start any virtual machine:


1. On the desktop, double-click the shortcut Open ISA 2006 Lab Folder.
2. In the lab folder, double-click any of the Start computer scripts.
(For example: double-click Start Paris to start the Paris computer.)
3. When the logon dialog box has appeared, log on to the computer.

To log on to a computer in a virtual machine:


1. Press <right>Alt-Del (instead of Ctrl-Alt-Del) to open the logon dialog box.
2. Type the following information:
 User name: Administrator
 Password: password
and then click OK.
3. You can now start with the exercises in this lab manual.

Enjoy the lab!

Comments and feedback


Please send any comments, feedback or corrections regarding the virtual machines
or the lab manual to:

Ronald Beekelaar
v-ronb@microsoft.com




Module A: Introduction to ISA Server

Exercise 1
Exploring the User Interface
In this exercise, you will explore the user interface of ISA Server.

Note that the steps in this exercise, and in the other exercises in this module, do not
enable, configure or test the functionality of ISA Server. In later modules, the
functionality is configured and used in scenarios.



 Note: This lab exercise uses the following computer: Paris
Refer to the beginning of the manual for instructions on how to start this computer. Log on to the computer.
 Perform the following steps on the Paris computer.

1. On the Paris computer, explore the task pane.
a. On the Paris computer, on the Start menu, click All Programs, click
Microsoft ISA Server, and then click ISA Server Management.
 The ISA Server console opens. This is the console from which all
configuration of the ISA server is done.
b. In the ISA Server console, in the left pane, expand Paris, expand
Configuration, and then select Add-ins.
 Note: The Add-ins node is only used here as an example to start the
exploration of the new user interface.
 The user interface of the ISA Server console consists of three main
parts:
  The tree pane (or left pane) - This pane contains a short list of nodes. The
nodes logically group related management or configuration settings.
  The details pane (or right pane) - For each node in the left pane, the details
pane contains detailed information related to the node. The details pane may
contain several tabs, such as Application Filters and Web Filters for the Add-
ins node.
  The task pane - The task pane contains a Tasks tab with relevant commands
for the selected node in the tree pane, or for the configuration element in the
details pane. The task pane also contains an Help tab with context sensitive
help for the selected node or configuration element.
c. Drag the vertical divider between the tree pane (left) and the
details pane, to make the details pane area larger or smaller.
d. On the vertical divider between the details pane and the task pane, click
the arrow button.
 The task pane closes to make a larger area of the screen available
for the details pane.
e. Click the arrow button again.
 The task pane opens again to allow access to the commands on the
task pane.

f. Ensure that in the left pane, the Add-ins node is selected, and then in the
right pane, on the Web Filters tab, select (for example)
RADIUS Authentication Filter.
 Notice that the available commands in the task pane change, when
a configuration element (a web filter in this example) is selected in the right
pane.
g. In the right pane, right-click RADIUS Authentication Filter.
 A context menu appears with commands applicable to this web
filter. (Do not click a command on the menu.)
 At any time, you can click the most common tasks in the task pane,
or select from a more extensive list of commands by right-clicking the
configuration element.
h. In the task pane, select the Help tab.
 The Help tab in the task pane provides context-sensitive help
information related to the selected configuration element.
i. In the task pane, select the Tasks tab.
 The following task is related to the use of Virtual PC.

2. Explore how you can make the Virtual PC window larger, or switch to
full-screen mode.
a. Drag the bottom right corner of the Paris window, to make the window
larger or smaller.
 Virtual PC installs a special video driver in the guest operating
system, which allows you to select any arbitrary resolution, by dragging the
bottom right corner of the Virtual PC window.
b. Press the Ctrl-key, and then drag the bottom right corner of the
Virtual PC window, to snap the window size to standard resolutions, such as
800x600.
c. Press <right>Alt-Enter.
d. If a warning message box appears, click Continue to confirm that you
can press <right>Alt-Enter again to return from full-screen mode.
 The Virtual PC window switches to full-screen mode after you press
<right>Alt-Enter. The resolution of the guest operating system is automatically
adjusted to fill the entire screen of the host computer. You may need to
maximize the ISA Server console window, in order to use the entire screen.
 Virtual PC calls the <right>Alt key, the "host key".
e. Press <right>Alt-Enter again to return from full-screen mode.
3. Explore the main nodes in the ISA Server console:
- Configuration
- Networks
- Firewall Policy
- Monitoring
a. In the ISA Server console, in the left pane, select Configuration.
 A single ISA Server (or an array of multiple ISA Servers) has two
main areas of configuration:
  Configuration node - This node contains all configuration settings that are
relatively static. This includes Networks configuration, Cache configuration,
Add-ins (application filters and Web filters) and General. You would typically
not change the configuration of those elements very often. ISA Server 2006
Enterprise Edition also has a Servers node.
  Firewall Policy node - This node contains a single list of all the access rules
(outgoing) and the publishing rules (incoming). These rules will change more
often, since they reflect the business rules and firewall access policy of a
company.
b. In the left pane, select Networks.
 The Networks node contains the configuration of all the networks
connected to the ISA Server. Network rules are defined between each network.
This includes networks directly connected by network adapters such as
External, Internal and Perimeter, virtual networks such as all the
VPN Clients and Quarantined VPN Clients and special networks such as
Local Host.
 The initial configuration of the networks and the related firewall
policy rules is done by selecting a network template from the Templates tab in the
task pane.
(Do not change the network template now.)
 Exercise 2 in this lab module explores the Networks configuration.
c. In the left pane, select Firewall Policy.
 The Firewall Policy node contains a list of all access rules and
publishing rules.
 Exercise 3 in this lab module explores the Firewall Policy
configuration.
d. If the task pane is closed, click the arrow button to open the task pane.
 The task pane for the Firewall Policy node contains an additional
tab named Toolbox. This tab has 5 sliding sections (Protocols, Users,
Content Types, Schedules and Network Objects) that list all the rule elements
that you can use in the access rules and publishing rules.
e. In the task pane, on the Toolbox tab, click the Protocols heading, and
then click Common Protocols.
 The rule elements, such as protocol definitions, are selected when
new access rules or publishing rules are created.
f. In the task pane, on the Toolbox tab, click the Users heading, and then
click New.
 The New User Set wizard appears. A user set is a collection of
users (from Windows, RADIUS or SecurID) and groups, defined together in a
single set. You can apply an access rule or publishing rule to one or more user
sets.
g. Click Cancel to close the New User Set Wizard.
h. In the left pane, select Monitoring.
 The Monitoring node has multiple tabs (Dashboard, Alerts,
Sessions, Services, Reports, Connectivity Verifiers and Logging) that allow you
to monitor, control, investigate, troubleshoot and plan firewall operations. ISA
Server 2006 Enterprise Edition also has a Configuration tab.
 The Dashboard tab contains summary boxes for five of the tabs and
a running System Performance monitor that displays a real-time graph of the
current rate of allowed and dropped packets.
 Exercise 4 in this lab module explores the Monitoring node.
i. On the Dashboard tab, click the Sessions summary box header.
 The Sessions tab of the Monitoring node is displayed. This tab
displays the client sessions that are currently active on the ISA Server. If you
only want to see specific sessions, you can filter the session list.
 Other tabs of the Monitoring node are explored in Exercise 4 in this
lab module.
4. Explore the Export and Import configuration commands.
a. In the ISA Server console, in the left pane, right-click Paris.
 The context menu of the Paris node contains Export and Import
commands. You can use these commands to export configuration settings to an
XML file, and import the settings later on this computer or on another computer.
 The Export and Import commands are present on the context menu
of almost all the nodes in the left pane. This includes the Networks node, the
Firewall Policy node and even individual rules and rule elements.

Exercise 2
Ease of Use: Multiple Networks
In this exercise, you will explore how ISA Server uses multiple networks.



 Note: This lab exercise uses the following computer: Paris
Refer to the beginning of the manual for instructions on how to start this computer. Log on to the computer.
 Perform the following steps on the Paris computer.

1. On the Paris computer, explore how ISA Server uses multiple networks with
IP address ranges, instead of the concept of a Local Address Table (LAT).
a. On the Paris computer, in the ISA Server console, in the left pane,
expand Paris, expand Configuration, and then select Networks.
 One of the most important changes in ISA Server 2004 and
ISA Server 2006, in comparison with ISA Server 2000, is the concept of
multiple networks connected to the ISA Server, which are all treated similarly
for configuration purposes.
 All firewall policy rules can be defined in terms of Source network
and Destination network.
b. In the right pane, on the (lower) Networks tab, right-click Internal, and
then click Properties.
c. In the Internal Properties dialog box, select the Addresses tab.
 Compare:
  ISA Server 2004 and ISA Server 2006 - The IP addresses of the Internal
network only define which addresses belong to the network named Internal.
Other networks, such as Perimeter, are defined in the same way. There is no
equivalent to ISA Server 2000's Local Address Table (LAT). Where packet
filters and rules are applied, and whether IP packets are translated (NAT) or
routed between networks, is configured separately, in the network rules and
the firewall policy.
  ISA Server 2000 - The LAT is a very significant part of the configuration of
ISA Server. It automatically determines on which network interface packet
filters are applied and where NAT or routing of IP packets is performed.
d. Click Cancel to close the Internal Properties dialog box.
 Notice that the Perimeter network is defined as the IP address
range 23.1.1.0 - 23.1.1.255. The Local Host network is defined as the
ISA Server computer itself. All other IP addresses belong to the External
network.
The VPN Clients and Quarantined VPN Clients networks have dynamic
membership and contain the VPN client computers that are currently connected.
e. On the Network Sets tab, right-click All Protected Networks and then
click Properties.
f. In the All Protected Networks Properties dialog box, select the
Networks tab.
 Network Sets are groupings of existing Networks that can be used
in firewall policy rules as well. This makes it easy to refer to all networks, or
all related networks. You can define additional network sets.
 The definition of the All Protected Networks network set is all
existing networks, EXCEPT the External network.
 ISA Server 2006 Enterprise Edition also allows you to define
Networks and Network Sets at the enterprise-level, so that they can be used in
all ISA Server arrays. With enterprise networks, individual array
administrators don’t need to be aware of changes in the larger corporate
networks. Changes to an enterprise network take effect without requiring an
array administrator to make changes to an individual array.


g. Click Cancel to close the All Protected Networks Properties dialog box.
h. On the Start menu, click Control Panel, and then click
Network Connections.
 The Network Connections menu on the Start menu shows that Paris
has three network adapters. To avoid confusion in the lab exercises, the
network adapters on Paris were renamed as part of the lab setup from
Local Area Connection (#2 and #3) to External Connection,
Internal Connection and Perimeter Connection.
i. Click the Start button again to close the Start menu.
2. Explore how Network Rules define Network Address Translation (NAT) or
routing of IP packets between networks.
For demonstration purposes, create and discard a new network rule.
a. In the ISA Server console, in the left pane, ensure that Networks is
selected.
b. In the right pane, select the Network Rules tab.
 Network rules define whether ISA Server will use NAT (replace the
client source address with the ISA Server address) or Route (keep the client
source address in the request) for traffic between each pair of networks or
network sets, if the firewall policy allows network traffic between these
networks.
 Currently, Paris uses Route for all traffic between the ISA Server
computer and all networks (rule 1), between the VPN networks and the Internal
network (rule 2) and between the Perimeter network and the External network
(rule 4). It uses NAT for all traffic from the Internal and VPN networks to the
Perimeter network (rule 3) and from the Internal and VPN networks to the
External network (rule 5).
 Route network rules automatically work in both directions. NAT
network rules are defined in one direction only. If there is no network rule
defined between two networks, ISA Server does not allow traffic between those
networks, even if an access rule or publishing rule would otherwise allow it.
c. In the task pane, on the Tasks tab, click Create a Network Rule.
d. In the New Network Rule Wizard dialog box, in the
Network rule name text box, type VPN Perimeter Access, and then click
Next.
e. On the Network Traffic Sources page, click Add.
 The Add Network Entities dialog box appears.
f. In the Add Network Entities dialog box,
  click Networks, click VPN Clients, and click Add,
and then click Close to close the Add Network Entities dialog box.
g. On the Network Traffic Sources page, click Next.
h. On the Network Traffic Destinations page, click Add.
 The Add Network Entities dialog box appears again.
i. In the Add Network Entities dialog box,
  click Networks, click Perimeter, and click Add,
and then click Close to close the Add Network Entities dialog box.
j. On the Network Traffic Destinations page, click Next.
k. On the Network Relationship page, select Route, and then click Next.
l. On the Completing the New Network Rule Wizard page, click Finish.
 A new network rule is created. ISA Server will route IP packets
from computers on the VPN Clients network to the Perimeter network.
 Note: The new network rule is not applied yet.
 The new VPN Perimeter Access network rule is only created for
demonstration purposes. Do not apply the new rule to ISA Server.
m. On the top of the right pane, click Discard to remove the unsaved
changes, such as the new VPN Perimeter Access rule.
n. Click Yes to confirm that you want to discard the changes.
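The network rule semantics described in this task (Route in both directions, NAT in one direction, no rule means no traffic) can be checked against a small model. The following Python script is an added example written for this manual; it is not part of the lab and not ISA Server code. It encodes the five network rules of the 3-Leg Perimeter template as the task lists them and looks up the relationship for a pair of addresses. The Perimeter range (23.1.1.0 - 23.1.1.255) is the lab's; the Internal range 10.1.1.0/24, the addresses of Paris's own adapters, the External addresses in the sample lookups and the rule names are assumptions made for the example.

```python
import ipaddress
from typing import Optional, Tuple

# Address ranges that define the networks on Paris. The manual gives only the
# Perimeter range; the Internal range and the addresses of Paris's three
# adapters below are ASSUMED for this example. As in ISA Server, External is
# every address not claimed by another network.
NETWORKS = {
    "Local Host": ["10.1.1.1/32", "23.1.1.1/32", "131.107.1.1/32"],  # assumed
    "Internal":   ["10.1.1.0/24"],                                   # assumed
    "Perimeter":  ["23.1.1.0/24"],                                   # from the lab
}
ALL_NETWORKS = {"Local Host", "Internal", "Perimeter", "External",
                "VPN Clients", "Quarantined VPN Clients"}
VPN = {"VPN Clients", "Quarantined VPN Clients"}

# The five network rules of the 3-Leg Perimeter template, in the order the
# manual describes them (rule 1 .. rule 5). The names are descriptive only.
NETWORK_RULES = [
    ("1 Local Host to all networks",    {"Local Host"},     ALL_NETWORKS,  "Route"),
    ("2 VPN clients to Internal",       VPN,                {"Internal"},  "Route"),
    ("3 Internal and VPN to Perimeter", {"Internal"} | VPN, {"Perimeter"}, "NAT"),
    ("4 Perimeter to External",         {"Perimeter"},      {"External"},  "Route"),
    ("5 Internal and VPN to External",  {"Internal"} | VPN, {"External"},  "NAT"),
]


def network_of(ip: str) -> str:
    """Map an IP address to the ISA network it belongs to. Local Host is checked
    first because the ISA computer's own addresses also fall inside the
    Internal and Perimeter ranges."""
    addr = ipaddress.ip_address(ip)
    for name in ("Local Host", "Internal", "Perimeter"):
        if any(addr in ipaddress.ip_network(r) for r in NETWORKS[name]):
            return name
    return "External"


def relationship(src_net: str, dst_net: str) -> Optional[str]:
    """Return 'Route' or 'NAT' for traffic from src_net to dst_net, or None when
    no network rule covers the pair (ISA then drops the traffic even if an
    access rule would allow it). Rules are walked in order; a Route rule
    matches in either direction, a NAT rule only as written."""
    for _name, sources, dests, rel in NETWORK_RULES:
        if src_net in sources and dst_net in dests:
            return rel
        if rel == "Route" and src_net in dests and dst_net in sources:
            return rel
    return None


def describe(src_ip: str, dst_ip: str) -> Tuple[str, str, Optional[str]]:
    """Classify both endpoints and look up the network relationship."""
    src_net, dst_net = network_of(src_ip), network_of(dst_ip)
    return src_net, dst_net, relationship(src_net, dst_net)


if __name__ == "__main__":
    for src, dst in [("10.1.1.10", "131.107.2.2"),   # Internal client to the Internet
                     ("23.1.1.5", "131.107.2.2"),    # Perimeter host to the Internet
                     ("131.107.2.2", "23.1.1.5"),    # reverse direction of a Route rule
                     ("131.107.2.2", "10.1.1.10"),   # Internet to Internal: no rule
                     ("23.1.1.5", "10.1.1.10")]:     # Perimeter to Internal: no rule
        print(src, "->", dst, describe(src, dst))
```

The last two lookups are the ones worth remembering: with the template's rules, nothing reaches the Internal network from the External or Perimeter network until a network rule for that pair exists, and the NAT rule from Internal to Perimeter does not make the reverse direction valid.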

3. Explore how network templates are used to configure network rules and
firewall policy rules.
a. In the ISA Server console, in the left pane, ensure that Networks is
selected.
b. In the task pane, select the Templates tab.
 Network Templates are predefined XML files that contain common
network topologies. They can be used to configure the network rules between
networks and the firewall policy rules. The graphic associated with each
network template helps you understand the selected network topology.
 ISA Server 2006 includes five network templates (Edge Firewall,
3-Leg Perimeter, Front Firewall, Back Firewall and Single Network
Adapter).
 Normally, setting up ISA Server includes four steps:
1  Install network adapters and assign IP addresses.
2  Install the ISA Server software. The installation wizard asks you to specify
the IP addresses of the Internal network.
3  Open the ISA Server console and select the Network Template that most
closely matches your network topology.
4  Modify the created firewall policy rules to meet specific security
requirements. For example, limit access to specific users.
 Note: Installing ISA Server 2006 Enterprise Edition also includes a
step to install the Configuration Storage Server, which stores the configuration
information of all ISA Server arrays.
c. On the Templates tab, click 3-Leg Perimeter.
 Note: 3-Leg Perimeter is already the current active network
template on Paris. It matches most closely the network topology of the lab
environment. For demonstration purposes, this task explores the Network
Template Wizard without changing any settings.
d. In the Network Template Wizard dialog box, click Next.
 ISA Server allows you to export the current configuration to a
backup (XML) file, which can be restored later.
e. On the Export the ISA Server Configuration page, click Next.
f. On the Internal Network IP Addresses page, click Next.
g. On the Perimeter Network IP Addresses page, click Next.
 Each network template contains one or more firewall policy rule
sets. These firewall policies allow you to start with a set of firewall policy rules
that best matches your network and security policy.
h. On the Select a Firewall Policy page, in the Select a firewall policy list
box, select Allow limited Web access, allow access to network services on
Perimeter network.
i. In the Description list box, scroll to the end of the text to see a
description of the firewall policy rules that are created, if this firewall policy is
selected.
j. On the Select a Firewall Policy page, click Next.
k. On the Completing the Network Template Wizard page, click CANCEL
(do NOT click Finish).
 The network rules and firewall policy rules on the ISA Server are
not changed.
4. Explore the client support configuration settings per network.
a. In the ISA Server console, in the left pane, ensure that Networks is
selected, and then in the right pane, select the (lower) Networks tab.
b. Right-click Internal, and then click Properties.
c. In the Internal Properties dialog box, select the Firewall Client tab.
 The Firewall Client tab specifies whether client computers on the
selected network (Internal) can access other networks such as the Internet,
through ISA Server, by using the Firewall Client software (port 1745).
d. Select the Web Proxy tab.
 The Web Proxy tab specifies whether client computers on the
selected network (Internal) can access other networks through ISA Server, by
using a Web Proxy client such as a Web browser (port 8080).
e. Click Cancel to close the Internal Properties dialog box.

Exercise 3
Ease of Use: Single Rule Base
In this exercise, you will explore how ISA Server uses a single list of firewall rules.



 Note: This lab exercise uses the following computer: Paris
Refer to the beginning of the manual for instructions on how to start this computer. Log on to the computer.
 Perform the following steps on the Paris computer.

1. On the Paris computer, explore the single firewall policy rule list.
Create an access rule:
Name: Allow Web traffic to Internet
Applies to: HTTP
From network: Internal
To network: External
a. On the Paris computer, in the ISA Server console, in the left pane, select
Firewall Policy.
 ISA Server uses a single rule list for access rules and publishing
rules.
b. In the right pane, on the Firewall Policy tab, select Default rule.
 Note: New rules are added to the rule list before the currently
selected rule. Although it does not make a difference when only the default rule
exists, it is a good practice to always explicitly select an existing rule, before
creating a new rule.
c. In the task pane, on the Tasks tab, click Create Access Rule.
d. In the New Access Rule Wizard dialog box, in the Access rule name
text box, type Allow Web traffic to Internet, and then click Next.
e. On the Rule Action page, select Allow, and then click Next.
f. On the Protocols page, in the This rule applies to list box, select
Selected protocols, and then click Add.
 The Add Protocols dialog box appears.
g. In the Add Protocols dialog box,
  click Web, click HTTP, and click Add,
and then click Close to close the Add Protocols dialog box.
h. On the Protocols page, click Next.
i. On the Access Rule Sources page, click Add.
 The Add Network Entities dialog box appears.
j. In the Add Network Entities dialog box,
  click Networks, click Internal, and click Add,
and then click Close to close the Add Network Entities dialog box.
k. On the Access Rule Sources page, click Next.
l. On the Access Rule Destinations page, click Add.
 The Add Network Entities dialog box appears again.
m. In the Add Network Entities dialog box,
  click Networks, click External, and click Add,
and then click Close to close the Add Network Entities dialog box.
n. On the Access Rule Destinations page, click Next.
o. On the User Sets page, click Next.
p. On the Completing the New Access Rule Wizard page, click Finish.
 A new firewall policy rule is created that allows the HTTP protocol
from the Internal network to the External network for all users. The External
network represents the Internet.
 Notice that the new rule has not been applied yet.
q. Do NOT click Apply to apply the new rule.

2. Add the HTTPS and FTP protocols to the Allow Web traffic to Internet
access rule.
a. In the task pane, on the Toolbox tab, in the Protocols section, click
Web.
 The Web protocol list opens up. The list includes HTTPS and FTP.
b. Drag HTTPS from the Toolbox to HTTP in the Protocols column of
the Allow Web traffic to Internet access rule.
 The HTTPS protocol is added to the access rule.
c. Drag FTP from the Toolbox to HTTP/HTTPS in the Protocols column
of the Allow Web traffic to Internet access rule.
 The FTP protocol is added to the access rule.
d. Click the box with the minus-sign in front of the
Allow Web traffic to Internet access rule to display the access rule with
multiple protocols on a single line.
 Instead of dragging protocols from the toolbox to configure a
firewall policy rule, you can also right-click on the rule, and select Properties,
as is shown in the next task.
3. Explore the properties of the Allow Web traffic to Internet access rule.
a. Right-click the Allow Web traffic to Internet access rule, and then
click Properties.
b. In the Allow Web traffic to Internet Properties dialog box, on the
Protocols tab, click Add.
Protocols tab, click Add.
c. In the Add Protocols dialog box, click Common Protocols.
 You can add any TCP/UDP protocol to the access rule. You can
also add non-TCP/UDP protocols, such as Ping (ICMP) to the access rule.
d. Click Close to close the Add Protocols dialog box.
e. On the To tab, click Add.
 Instead of applying the access rule to traffic to all destinations on
the External network, you can limit access to specific destinations by using any
of the other network entities (Computers, Address Ranges, Subnets,
Domain Name Sets, URL Sets and Computer Sets).
f. Click Close to close the Add Network Entities dialog box.
g. On the From tab, click Add.
h. In the Add Network Entities dialog box, click Networks.
 The Local Host network (representing the ISA Server computer)
can be used as the source network in an access rule.
i. Click Close to close the Add Network Entities dialog box.
j. Click Cancel to close the Allow Web traffic to Internet Properties dialog
box.
4. Explore the HTTP protocol scanning features of the Allow Web traffic to
Internet access rule.
For demonstration purposes, configure the rule to block HTTP traffic from
MSN Messenger.
HTTP Header:
- User-Agent: MSMSGS
a. Right-click the Allow Web traffic to Internet access rule, and then
click Configure HTTP.
b. In the Configure HTTP policy for rule dialog box, examine the five tabs
with the HTTP filter settings.
 ISA Server examines the contents of all HTTP traffic. This is called
application level filtering, or content filtering. HTTP requests that do not meet
the specifications on the General tab are blocked.
 Many applications use HTTP as their transport protocol, or even as a
tunnel protocol, because HTTP port 80 is allowed through most firewalls.
Application level filtering can block HTTP traffic that does not conform to the
protocol specification, as well as unwanted HTTP applications or content.
These settings, such as limiting the maximum URL length, would have blocked
the exploitation of vulnerabilities described in more than 40 different Microsoft
Security Bulletins, from MS98-003 up to the time this lab was written.
c. On the Signatures tab, click Add.
d. In the Signature dialog box, complete the following information:
  Name: MSN Messenger traffic
Module H: Configuring Load Balancing 15

  Search in: Request headers


  HTTP Header: User-Agent
  Signature: MSMSGS
and then click OK.
e. Click OK to close the Configure HTTP policy for rule dialog box.
 The Allow Web traffic to Internet access rule will allow HTTP
traffic from a Web browser, but it will block HTTP traffic from
MSN Messenger.
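The signature configured above is a substring match on one request header. The following added example (not ISA Server code) models that check together with the General tab's URL length limit: the rule list, the sample requests and the limit value of 260 are constructed for the example, not ISA Server defaults.

```python
"""Added example (not ISA Server code): a request-header signature filter that
mirrors the HTTP policy configured in this task. Signatures, sample requests and
the URL length limit are constructed values."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Signature:
    """One entry from the Signatures tab: block when `signature` occurs in `header`."""
    name: str
    header: str       # e.g. "User-Agent"; header names compare case-insensitively
    signature: str    # substring to look for, compared case-insensitively


@dataclass
class HttpPolicy:
    max_url_length: int = 260     # example value for the General tab limit (assumption)
    signatures: List[Signature] = field(default_factory=list)


def parse_request(raw: bytes) -> Optional[Tuple[str, str, Dict[str, str]]]:
    """Parse request line and headers; return None if the request is malformed."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    method, url, _version = parts
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            break                    # blank line ends the header block
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            return None              # header line without a colon is not valid HTTP
        headers[name.strip().lower()] = value.strip()
    return method, url, headers


def evaluate(policy: HttpPolicy, raw: bytes) -> Tuple[str, str]:
    """Return ("allow", "") or ("block", reason) for one client request."""
    parsed = parse_request(raw)
    if parsed is None:
        return "block", "request does not conform to the HTTP specification"
    _method, url, headers = parsed
    if len(url) > policy.max_url_length:
        return "block", f"URL length {len(url)} exceeds {policy.max_url_length}"
    for sig in policy.signatures:
        value = headers.get(sig.header.lower(), "")
        if sig.signature.lower() in value.lower():
            return "block", f"signature '{sig.name}' matched in {sig.header}"
    return "allow", ""


# The policy from the lab: block requests whose User-Agent header contains MSMSGS.
POLICY = HttpPolicy(signatures=[Signature("MSN Messenger traffic", "User-Agent", "MSMSGS")])

# Constructed sample requests (not captured traffic).
BROWSER_REQUEST = (b"GET / HTTP/1.1\r\nHost: istanbul.fabrikam.com\r\n"
                   b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n\r\n")
MESSENGER_REQUEST = (b"POST /gateway HTTP/1.1\r\nHost: gateway.example\r\n"
                     b"User-Agent: MSMSGS\r\n\r\n")
LONG_URL_REQUEST = b"GET /" + b"a" * 300 + b" HTTP/1.1\r\nHost: istanbul.fabrikam.com\r\n\r\n"
MALFORMED_REQUEST = b"GET / HTTP/1.1\r\nThis header line has no colon\r\n\r\n"

if __name__ == "__main__":
    for label, req in [("browser", BROWSER_REQUEST), ("messenger", MESSENGER_REQUEST),
                       ("long url", LONG_URL_REQUEST), ("malformed", MALFORMED_REQUEST)]:
        print(label, evaluate(POLICY, req))
```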
5. Explore the System Policy Rules in the Firewall Policy.
a. In the left pane, ensure that Firewall Policy is selected.
b. In the task pane, on the Tasks tab, click Show System Policy Rules.
• In the right pane, 30 predefined access rules to or from the Local Host network (ISA Server computer) are shown. These are called System Policy Rules.
• Note: ISA Server 2006 Enterprise Edition has four more system policy rules (31 to 34), which specifically apply to traffic to and from ISA Server arrays.
c. In the task pane, on the Tasks tab, click Edit System Policy.
• The System Policy Editor dialog box appears. You can only make minimal changes to the system policy rules, but you can enable or disable most system policy rules.
d. Click Cancel to close the System Policy Editor dialog box.
e. In the task pane, on the Tasks tab, click Hide System Policy Rules.
• Note: The following task is needed to avoid conflicts with other lab exercises.
6. Discard the Allow Web traffic to Internet access rule.
a. In the right pane, click Discard to remove the unsaved Allow Web traffic to Internet access rule.
b. Click Yes to confirm that you want to discard the changes.
• If you clicked Apply during this exercise, the access rule has been saved. Right-click the access rule, click Delete, and then click Apply and OK to delete the access rule.
Exercise 4
Ease of Use: Monitoring
In this exercise, you will explore how ISA Server uses monitoring.

Tasks / Detailed steps

• Note: This lab exercise uses the following computer: Paris
Refer to the beginning of the manual for instructions on how to start this computer. Log on to the computer.
• Perform the following steps on the Paris computer.

1. On the Paris computer, explore the new Monitoring features in ISA Server.
a. On the Paris computer, in the ISA Server console, in the left pane, expand Paris, and then select Monitoring.
• The Monitoring node has multiple tabs that allow you to monitor, control, investigate, troubleshoot and plan firewall operations.
• On the first tab (Dashboard), five of the other tabs are represented by summary boxes. By clicking the header of a summary box, you can go to the corresponding tab to see more details.
b. Select the Alerts tab.
• The Alerts tab lists events that ISA Server informs you about. You can configure for which types of events ISA Server creates an alert.
c. Select the Sessions tab.
• The Sessions tab shows the current SecureNAT, Firewall client, Web Proxy client and VPN client sessions. You can also disconnect client sessions on this tab.
d. Select the Services tab.
• The Services tab displays the status of the Microsoft Firewall service and other related services. If you enable the ISA Server for VPN connections, the Routing and Remote Access service status is also displayed. For ISA Server 2006 Enterprise Edition, if you enable NLB integration, the Network Load Balancing driver status is also displayed.
e. Select the Reports tab.
• The Reports tab lists the defined usage reports. Reports show you ISA Server activity over time, such as performance and security information. You can also create new reports on this tab.
f. Select the Connectivity Verifiers tab.
• The Connectivity Verifiers tab allows you to define Connectivity Verifiers. A connectivity verifier periodically connects from the ISA Server to a computer that you specify, to test current connectivity by using either an HTTP GET request, a Ping request, or by attempting to establish a TCP connection to a port that you specify. ISA Server can use connectivity verifiers to alert you if a network connection fails.
g. Select the Logging tab.
• Note: You may (temporarily) need to close the task pane in order to see the Logging tab.
• The Logging tab is used to configure the Firewall Server log files, and to view the contents of the log files online.
h. In the task pane, on the Tasks tab, click Configure Firewall Logging.
• ISA Server 2006 logging supports three log storage formats: MSDE Database (*.mdf), SQL Database (ODBC) or File (*.w3c, text).
i. Click Cancel to close the Firewall Logging Properties dialog box.
• Note: The Logging tab also has a Live display mode that allows you to see the log entries from the ISA Server log files on the screen, immediately after they are written to the log files. If you want to limit the log entries that are displayed, to simplify finding specific information in the log files, you can create a filter.
j. Close the ISA Server console.
Module B: Configuring Outbound Internet Access
Exercise 1
Allowing Outbound Web Access from Client Computers
In this exercise, you will configure ISA Server to allow outbound Web access for client computers on the internal network.

Tasks / Detailed steps

• Note: This lab exercise uses the following computers: Denver - Paris - Istanbul
Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.
• Perform the following steps on the Denver computer.

1. On the Denver computer, test your connectivity by opening Internet Explorer and attempting to connect to http://istanbul.fabrikam.com.
a. On the Denver computer, open Internet Explorer. In the Address box, type http://istanbul.fabrikam.com, and then press Enter.
• Internet Explorer is unable to connect to the Web site.
b. Look at the bottom of the Web page and view the reason why the Web page cannot be displayed.
• ISA Server denies the request (502 Proxy Error - ISA Server denied the specified URL). This is because you have not created any access rules yet.
• The firewall policy on ISA Server always contains a rule named Default rule. This rule denies all network traffic. This means that ISA Server denies any network traffic that you did not specifically allow in another rule.
c. Close Internet Explorer.
• Perform the following steps on the Paris computer.

2. On the Paris computer, create a new access rule.
Name: Allow outbound Web traffic
Applies to: HTTP, HTTPS, FTP
From network: Internal
To network: External
a. On the Paris computer, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.
• The ISA Server console opens.
b. In the ISA Server console, expand Paris, and then select Firewall Policy.
c. In the right pane, on the Firewall Policy tab, select Default rule.
• It is a good practice to always select an existing rule before creating a new rule, to indicate where the new rule is added in the list.
d. In the task pane, on the Tasks tab, click Create Access Rule.
• Instead of using the task pane, you can also right-click Firewall Policy, click New, and then click Access Rule.
e. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow outbound Web traffic, and then click Next.
f. On the Rule Action page, select Allow, and then click Next.
g. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.
• The Add Protocols dialog box appears.
h. In the Add Protocols dialog box,
- click Common Protocols, click HTTP, and click Add,
- click HTTPS, and click Add,
- click Web, click FTP, and click Add,
and then click Close to close the Add Protocols dialog box.
• Notice that the same protocols can be listed under multiple headings in the Add Protocols dialog box.
i. On the Protocols page, click Next.
j. On the Access Rule Sources page, click Add.
• The Add Network Entities dialog box appears.
k. In the Add Network Entities dialog box,
- click Networks, click Internal, and click Add,
and then click Close to close the Add Network Entities dialog box.
l. On the Access Rule Sources page, click Next.
m. On the Access Rule Destinations page, click Add.
n. In the Add Network Entities dialog box,
- click Networks, click External, and click Add,
and then click Close to close the Add Network Entities dialog box.
o. On the Access Rule Destinations page, click Next.
p. On the User Sets page, click Next.
q. On the Completing the New Access Rule Wizard page, click Finish.
• A new firewall policy rule is created that allows the FTP, HTTP and HTTPS protocols from the Internal network to the External network for all users.
• The new rule has not been applied yet.
3. Apply the changes.
a. Click Apply to apply the new rule, and then click OK.

4. Examine the network rule for connectivity between the Internal network and the External network.
a. In the left pane, expand Configuration, and then select Networks.
b. In the right pane, on the Network Rules tab, select the rule that defines the connectivity between the Internal network and the External network.
• In the default configuration for the 3-Leg Perimeter network template, the network rule named Internet Access (rule 5) indicates that network traffic between the Internal network and the External network will use NAT.
5. Examine the Web Proxy settings of the Internal network.
a. On the Networks tab, right-click Internal, and then click Properties.
b. In the Internal Properties dialog box, select the Web Proxy tab.
• The Enable Web Proxy clients check box indicates that ISA Server listens (on port 8080) for requests from Web Proxy clients on the Internal network.
c. Click Cancel to close the Internal Properties dialog box.
• Perform the following steps on the Denver computer.

6. On the Denver computer, test your connectivity again by opening Internet Explorer and connecting to http://istanbul.fabrikam.com, and by establishing an FTP session with istanbul.fabrikam.com.
a. On the Denver computer, open Internet Explorer. In the Address box, type http://istanbul.fabrikam.com, and then press Enter.
• Internet Explorer displays the Istanbul Web site. The access rule that you created grants access to network traffic to the Istanbul Web server.
b. In Internet Explorer, on the Tools menu, click Internet Options.
c. In the Internet Options dialog box, on the Connections tab, click LAN Settings.
• Notice that Denver is indeed configured as a Web Proxy client.
d. Click Cancel to close the Local Area Network (LAN) Settings dialog box.
e. Click Cancel to close the Internet Options dialog box.
f. Close Internet Explorer.
g. Open a Command Prompt window.
h. At the command prompt, type ftp istanbul.fabrikam.com, and then press Enter.
• The FTP server on Istanbul prompts you to log on. This result confirms that you can connect using the FTP protocol.
i. Press Ctrl-C to close the FTP session.
j. If the ftp> prompt appears, type quit, and then press Enter.
k. Close the Command Prompt window.
• Perform the following steps on the Paris computer.

7. On the Paris computer, create a new Computer Set rule element.
Name: Restricted Internal Computers
Included in the set: 10.1.1.5-10.1.1.8 (Domain Controllers)
a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
b. In the task pane, on the Toolbox tab, in the Network Objects section, right-click Computer Sets, and then click New Computer Set.
c. In the New Computer Set Rule Element dialog box, in the Name text box, type Restricted Internal Computers.
d. Click Add, and then click Address Range.
e. In the New Address Range Rule Element dialog box, complete the following information:
- Name: Domain Controllers
- Start Address: 10.1.1.5
- End Address: 10.1.1.8
- Description: DCs on the internal network
and then click OK.
• The example suggests that there are four domain controllers on the Internal network. The lab only has a single domain controller, named Denver (10.1.1.5).
f. Click OK to close the New Computer Set Rule Element dialog box.
• A new Computer Set rule element is created.
8. Create a new access rule.
Name: Deny restricted computers
Action: Deny
Applies to: All outbound traffic
From: Restricted Internal Computers
To network: External
a. In the Firewall Policy list, select the Allow outbound Web traffic rule.
• The new rule will be added before the selected rule.
b. In the task pane, on the Tasks tab, click Create Access Rule.
c. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Deny restricted computers, and then click Next.
d. On the Rule Action page, select Deny, and then click Next.
e. On the Protocols page, in the This rule applies to list box, select All outbound traffic, and then click Next.
f. On the Access Rule Sources page, click Add.
g. In the Add Network Entities dialog box,
- click Computer Sets, click Restricted Internal Computers, and click Add,
and then click Close to close the Add Network Entities dialog box.
h. On the Access Rule Sources page, click Next.
i. On the Access Rule Destinations page, click Add.
j. In the Add Network Entities dialog box,
- click Networks, click External, and click Add,
and then click Close to close the Add Network Entities dialog box.
k. On the Access Rule Destinations page, click Next.
l. On the User Sets page, click Next.
m. On the Completing the New Access Rule Wizard page, click Finish.
• A new firewall policy rule is created that denies all network traffic from the computers in the Restricted Internal Computers set to the External network.
• The new rule is listed first in the firewall policy rule list.
n. Click Apply to apply the new rule, and then click OK.
• Perform the following steps on the Denver computer.

9. On the Denver computer, test your connectivity again by opening Internet Explorer and attempting to connect to http://istanbul.fabrikam.com.
a. On the Denver computer, open Internet Explorer. In the Address box, type http://istanbul.fabrikam.com, and then press Enter.
• Internet Explorer is unable to connect to the Web site (502 Proxy Error). ISA Server denies access to the Istanbul Web site, because Denver (10.1.1.5) is in the Restricted Internal Computers set and is denied access by the new access rule.
b. Close Internet Explorer.
• Perform the following steps on the Paris computer.

10. On the Paris computer, move the Allow outbound Web traffic rule before the Deny restricted computers rule.
a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
b. In the right pane, right-click the Allow outbound Web traffic rule (order 2), and then click Move Up.
• The Allow outbound Web traffic rule (order 1) is now listed before the Deny restricted computers rule (order 2).
c. Click Apply to save the changes, and then click OK.
• Perform the following steps on the Denver computer.

11. On the Denver computer, test your connectivity again by opening Internet Explorer and connecting to http://istanbul.fabrikam.com.
a. On the Denver computer, open Internet Explorer. In the Address box, type http://istanbul.fabrikam.com, and then press Enter.
• Internet Explorer displays the Istanbul Web site, even though the Firewall Policy list contains a rule that denies access from the Denver (10.1.1.5) computer.
• Note: To evaluate access, ISA Server follows the Firewall Policy rule order very strictly. Currently the Allow rule for Web traffic from Denver is listed before the Deny rule for all protocols from Denver.
b. Close Internet Explorer.
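The strict first-match order is easiest to see by evaluating the two rules from tasks 2 and 8 in both orders. The following added example (not ISA Server code) does that; the Internal address range (10.1.1.0/24), the Istanbul address (39.1.1.200) and the protocol names are constructed for the example, while the Domain Controllers range and the two rule definitions come from the lab.

```python
"""Added example (not ISA Server code): first-match evaluation of the lab's firewall
policy in the two rule orders from tasks 8 and 10. Network ranges, the Istanbul
address and protocol names are constructed assumptions."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class AddressRange:
    """A rule element covering start..end inclusive (e.g. the Domain Controllers range)."""
    name: str
    start: str
    end: str

    def contains(self, ip: IPv4Address) -> bool:
        return IPv4Address(self.start) <= ip <= IPv4Address(self.end)


# Constructed network layout: Internal is 10.1.1.0/24, External is every other address.
NETWORKS = {"Internal": [AddressRange("Internal", "10.1.1.0", "10.1.1.255")]}
ALL_NETWORKS = "All Networks (and Local Host)"   # destination/source of the Default rule


def network_of(ip: IPv4Address) -> str:
    for name, ranges in NETWORKS.items():
        if any(r.contains(ip) for r in ranges):
            return name
    return "External"


def _entity_matches(entities: tuple, ip: IPv4Address) -> bool:
    """True when ip belongs to any listed network name, address range or 'all networks'."""
    for ent in entities:
        if ent == ALL_NETWORKS:
            return True
        if isinstance(ent, AddressRange) and ent.contains(ip):
            return True
        if isinstance(ent, str) and network_of(ip) == ent:
            return True
    return False


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "allow" or "deny"
    protocols: Optional[FrozenSet[str]]  # None means "All outbound traffic"
    sources: tuple                       # network names and/or AddressRange objects
    destinations: tuple

    def matches(self, protocol: str, src: IPv4Address, dst: IPv4Address) -> bool:
        if self.protocols is not None and protocol not in self.protocols:
            return False
        return _entity_matches(self.sources, src) and _entity_matches(self.destinations, dst)


DEFAULT_RULE = Rule("Default rule", "deny", None, (ALL_NETWORKS,), (ALL_NETWORKS,))


def evaluate(policy: List[Rule], protocol: str, src: str, dst: str) -> Tuple[str, str]:
    """Walk the rules in order; the first match decides. Returns (action, rule name)."""
    s, d = IPv4Address(src), IPv4Address(dst)
    for rule in list(policy) + [DEFAULT_RULE]:
        if rule.matches(protocol, s, d):
            return rule.action, rule.name
    raise AssertionError("the Default rule matches every request")


# Rule elements and rules as defined in tasks 2, 7 and 8.
RESTRICTED = AddressRange("Domain Controllers", "10.1.1.5", "10.1.1.8")
ALLOW_WEB = Rule("Allow outbound Web traffic", "allow",
                 frozenset({"HTTP", "HTTPS", "FTP"}), ("Internal",), ("External",))
DENY_RESTRICTED = Rule("Deny restricted computers", "deny", None, (RESTRICTED,), ("External",))

ORDER_TASK_8 = [DENY_RESTRICTED, ALLOW_WEB]    # deny rule listed first (task 8)
ORDER_TASK_10 = [ALLOW_WEB, DENY_RESTRICTED]   # allow rule moved up (task 10)
DENVER = "10.1.1.5"
ISTANBUL = "39.1.1.200"                        # constructed External address

if __name__ == "__main__":
    print("task 9 :", evaluate(ORDER_TASK_8, "HTTP", DENVER, ISTANBUL))
    print("task 11:", evaluate(ORDER_TASK_10, "HTTP", DENVER, ISTANBUL))
    print("SMTP   :", evaluate(ORDER_TASK_10, "SMTP", DENVER, ISTANBUL))
```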
• Perform the following steps on the Paris computer.

12. On the Paris computer, delete the Deny restricted computers access rule.
a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
b. In the right pane, right-click the Deny restricted computers rule, and then click Delete.
c. Click Yes to confirm that you want to delete the rule.
• The access rule is deleted.
d. Click Apply to save the changes, and then click OK.

Exercise 2
Enabling the Use of the Ping command from Client Computers
In this exercise, you will configure ISA Server to allow ICMP network traffic, used by the Ping command, from client computers on the internal network.

Tasks / Detailed steps

• Note: This lab exercise uses the following computers: Denver - Paris - Istanbul
Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.
• Perform the following steps on the Denver computer.

1. On the Denver computer, use the Ping command to test connectivity with istanbul.fabrikam.com.
a. On the Denver computer, open a Command Prompt window.
b. At the command prompt, type ping istanbul.fabrikam.com, and then press Enter.
• The ping requests time out, because by default the ISA Server does not allow outgoing ping requests (ICMP type 8 packets) from computers on the internal network to the Internet.
c. Close the Command Prompt window.
• Perform the following steps on the Paris computer.

2. On the Paris computer, create a new access rule.
Name: Allow outbound Ping traffic
Applies to: PING
From network: Internal
To network: External
a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
b. In the right pane, select the first rule to indicate where the new rule is added to the rule list.
c. In the task pane, on the Tasks tab, click Create Access Rule.
d. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow outbound Ping traffic, and then click Next.
e. On the Rule Action page, click Allow, and then click Next.
f. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.
g. In the Add Protocols dialog box,
- click Common Protocols, click PING, and click Add,
and then click Close to close the Add Protocols dialog box.
• The PING protocol definition is ICMP protocol, ICMP type 8.
h. On the Protocols page, click Next.
i. On the Access Rule Sources page, click Add.
j. In the Add Network Entities dialog box,
- click Networks, click Internal, and click Add,
and then click Close to close the Add Network Entities dialog box.
k. On the Access Rule Sources page, click Next.
l. On the Access Rule Destinations page, click Add.
m. In the Add Network Entities dialog box,
- click Networks, click External, and click Add,
and then click Close to close the Add Network Entities dialog box.
n. On the Access Rule Destinations page, click Next.
o. On the User Sets page, click Next.
p. On the Completing the New Access Rule Wizard page, click Finish.
• A new firewall policy rule is created that allows the ICMP protocol, ICMP type 8, from the Internal network to the External network for all users.
q. Click Apply to apply the new rule, and then click OK.
3. Examine the PING protocol definition.
a. In the task pane, on the Toolbox tab, in the Protocols section, expand Common Protocols, right-click PING, and then click Properties.
b. In the PING Properties dialog box, select the Parameters tab.
• Note: A protocol definition for a firewall policy rule can use other protocols than only TCP (IP protocol 6) or UDP (IP protocol 17).
c. Click Cancel to close the PING Properties dialog box.
• Perform the following steps on the Denver computer.

4. On the Denver computer, use the Ping command to test connectivity with istanbul.fabrikam.com again.
a. On the Denver computer, open a Command Prompt window.
b. At the command prompt, type ping istanbul.fabrikam.com, and then press Enter.
• The Istanbul computer returns four echo replies, because ISA Server allows outgoing echo requests from the computers on the internal network to the Internet.
• Note: All firewall policy rules are stateful. This means that a single rule allows the request and the corresponding reply to the sender.
c. Close the Command Prompt window.
• Perform the following steps on the Istanbul computer.

5. On the Istanbul computer, use the Ping command to test connectivity with the ISA Server.
a. On the Istanbul computer, open a Command Prompt window.
b. At the command prompt, type ping 39.1.1.1, and then press Enter.
• The ping requests time out, because the ISA Server does not allow incoming ping requests from computers on the Internet. The Allow outbound Ping traffic access rule only allows replies to earlier outgoing ping requests to come in from the Internet.
c. Close the Command Prompt window.

Exercise 3
Allowing Outbound Access from the ISA Server
In this exercise, you will configure ISA Server to allow outbound access from the ISA Server computer.

Tasks / Detailed steps

• Note: This lab exercise uses the following computers: Denver - Paris - Istanbul
Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.
• Perform the following steps on the Paris computer.

1. On the Paris computer, test your connectivity by attempting to establish an FTP session with istanbul.fabrikam.com.
a. On the Paris computer, open a Command Prompt window.
b. At the command prompt, type ftp istanbul.fabrikam.com, and then press Enter.
• After one minute, the ftp command will time out ("Host is unreachable"). By default, ISA Server does not allow an FTP connection from the ISA Server to the Internet.
c. At the ftp> prompt, type quit, and then press Enter.
d. Close the Command Prompt window.
2. Create a new access rule.
Name: Allow FTP from firewall
Applies to: FTP
From network: Local Host
To network: External
a. In the ISA Server console, in the left pane, select Firewall Policy.
b. In the right pane, select the first rule to indicate where the new rule is added to the rule list.
c. In the task pane, on the Tasks tab, click Create Access Rule.
d. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow FTP from firewall, and then click Next.
e. On the Rule Action page, click Allow, and then click Next.
f. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.
g. In the Add Protocols dialog box,
- click Web, click FTP, and click Add,
and then click Close to close the Add Protocols dialog box.
h. On the Protocols page, click Next.
i. On the Access Rule Sources page, click Add.
j. In the Add Network Entities dialog box,
- click Networks, click Local Host, and click Add,
and then click Close to close the Add Network Entities dialog box.
• The Local Host network represents the ISA Server computer.
k. On the Access Rule Sources page, click Next.
l. On the Access Rule Destinations page, click Add.
m. In the Add Network Entities dialog box,
- click Networks, click External, and click Add,
and then click Close to close the Add Network Entities dialog box.
n. On the Access Rule Destinations page, click Next.
o. On the User Sets page, click Next.
p. On the Completing the New Access Rule Wizard page, click Finish.
• A new firewall policy rule is created that allows the FTP protocol from the ISA Server to the External network for all users.
q. Click Apply to apply the new rule, and then click OK.

3. Test your connectivity again by establishing an FTP session with istanbul.fabrikam.com.
a. Open a Command Prompt window.
b. At the command prompt, type ftp istanbul.fabrikam.com, and then press Enter.
• The FTP server on Istanbul prompts you to log on. This result confirms that you can connect using the FTP protocol.
c. Press Ctrl-C to close the FTP session.
d. If the ftp> prompt appears, type quit, and then press Enter.
• Note: ISA Server uses firewall policy rules to define access between any defined networks, including traffic that starts or ends at the ISA Server computer itself (Local Host network).
e. Close the Command Prompt window.
4. Show the System Policy Rules in the Firewall Policy.
a. In the ISA Server console, in the left pane, select Firewall Policy.
b. In the task pane, on the Tasks tab, click Show System Policy Rules.
• In the right pane, 30 predefined access rules to or from the Local Host network are shown. These are called System Policy Rules.
• Note: ISA Server 2006 Enterprise Edition has four more system policy rules (31 to 34), which specifically apply to traffic to and from ISA Server arrays.
5. Test your connectivity by opening Internet Explorer and connecting to http://istanbul.fabrikam.com, and by using the Ping command to istanbul.fabrikam.com and to denver.contoso.com.
a. Open Internet Explorer. In the Address box, type http://istanbul.fabrikam.com, and then press Enter.
• Internet Explorer is unable to connect to the Web site (Error 403 Forbidden - ISA Server denied the specified URL).
b. Close Internet Explorer.
• System policy rules 18, 19, 23, 26, 29 and 30 all list outgoing Web access (HTTP) from the ISA Server (Local Host). However, rules 23, 26 and 30 only apply to specific destinations (watson.microsoft.com, microsoft.com, windows.com, windowsupdate.com and remote management computers), and rules 18, 19 and 29 are disabled, unless updated certificate revocation lists (CRLs) are downloaded (18), HTTP connectivity verifiers for monitoring are created (19), or scheduled download jobs are defined (29).
• If you want to allow outgoing Web access from the ISA Server to the Istanbul Web server, then you have to create a new access rule.
c. Open a Command Prompt window.
d. At the command prompt, type ping istanbul.fabrikam.com, and then press Enter.
• The Istanbul computer on the External network returns four echo replies.
e. At the command prompt, type ping denver.contoso.com, and then press Enter.
• The Denver computer on the Internal network returns four echo replies.
f. Close the Command Prompt window.
• System policy rule 12 allows outgoing Ping from the ISA Server to all networks.
6. Hide the System Policy Rules in the Firewall Policy.
a. In the ISA Server console, in the left pane, select Firewall Policy.
b. In the task pane, on the Tasks tab, click Hide System Policy Rules.
• In the right pane, the System Policy Rules are hidden again.
c. Close the ISA Server console.

Exercise 4
Configuring ISA Server 2006 for Flood Resiliency
In this exercise, you will configure ISA Server to block a large number of TCP connections from the same IP address.

Note: This exercise applies to new functionality in ISA Server 2006.

Tasks / Detailed steps

• Note: This lab exercise uses the following computers: Denver - Paris - Istanbul
Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.
• Perform the following steps on the Paris computer.

1. On the Paris computer, examine the flood mitigation settings.
a. On the Paris computer, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.
• The ISA Server console opens.
b. In the ISA Server console, in the left pane, expand Paris, expand Configuration, and then select General.
c. In the right pane, under Additional Security Policy, click Configure Flood Mitigation Settings.
• ISA Server 2006 can help stop the flooding of connections from three different kinds of attacks:
- Worm propagation - A computer on the internal network starts sending out network packets to different IP addresses on the Internet.
- TCP denial-of-service attack - An attacker sends out TCP packets in order to use up all the resources at the firewall, or at a server behind the firewall.
- HTTP denial-of-service attack - A computer on the internal network sends a very large number of HTTP requests over the same connection.
• In all these cases, the Firewall Engine component of ISA Server limits the number of connections, connection requests, and half-open connections per minute, or per rule, from a particular IP address.
d. In the Flood Mitigation dialog box, on the Flood Mitigation tab, click the second Edit button.
• As an example of a limit, ISA Server allows a maximum of 160 concurrent TCP connections from the same IP address. There is also a custom limit (400) that applies to a set of exception IP addresses.
e. Click Cancel to close the Flood Mitigation Settings dialog box.
f. In the Flood Mitigation dialog box, select the IP Exceptions tab.
• You can specify the IP addresses of computers to which the custom limit applies.
2. Disable the logging of network traffic blocked by flood mitigation settings.
a. In the Flood Mitigation dialog box, select the Flood Mitigation tab.
b. Clear the Log traffic blocked by flood mitigation settings check box.
• To avoid overwhelming the log file with identical block entries after the flood mitigation settings have blocked an attack, you can disable the logging of those blocked network connections.
c. Click OK to close the Flood Mitigation dialog box.
3. Create a new access rule.
Name: Allow Web access (Flood)
Applies to: HTTP
From network: Internal
To network: External
a. In the left pane, select Firewall Policy.
b. In the right pane, select the first rule, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.
c. In the task pane, on the Tasks tab, click Create Access Rule.
d. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow Web access (Flood), and then click Next.
e. On the Rule Action page, select Allow, and then click Next.
f. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.
g. In the Add Protocols dialog box,
- click Common Protocols, click HTTP, and click Add,
and then click Close to close the Add Protocols dialog box.
h. On the Protocols page, click Next.
i. On the Access Rule Sources page, click Add.
j. In the Add Network Entities dialog box,
- click Networks, click Internal, and click Add,
and then click Close to close the Add Network Entities dialog box.
k. On the Access Rule Sources page, click Next.
l. On the Access Rule Destinations page, click Add.
m. In the Add Network Entities dialog box,
- click Networks, click External, and click Add,
and then click Close to close the Add Network Entities dialog box.
n. On the Access Rule Destinations page, click Next.
o. On the User Sets page, click Next.
p. On the Completing the New Access Rule Wizard page, click Finish.
• A new firewall policy rule is created that allows the HTTP protocol from the Internal network to the External network.
4. Apply the changes.
a. Click Apply to apply the changes, and then click OK.
• Perform the following steps on the Denver computer.

5. On the Denver computer, configure Internet Explorer not to use a proxy server.
a. On the Denver computer, open Internet Explorer.
b. In Internet Explorer, on the Tools menu, click Internet Options.
c. In the Internet Options dialog box, on the Connections tab, click LAN Settings.
d. In the Local Area Network (LAN) Settings dialog box, clear the Use a proxy server for your LAN check box, and then click OK.
• When you configure Internet Explorer to use a proxy server, all HTTP connections to the ISA Server use the same connection to the Web Proxy TCP port 8080. In this exercise, you use two Internet Explorer windows, which should count as two separate connections.
e. Click OK to close the Internet Options dialog box.
6. Use Internet Explorer to connect to http://istanbul.fabrikam.com/web.asp.
a. In Internet Explorer, in the Address bar, type http://istanbul.fabrikam.com/web.asp, and then press Enter.
Internet Explorer displays the content of the web.asp page from Istanbul. This is a single TCP connection from the Denver computer.
b. Do not close Internet Explorer.
7. Use the C:\Tools\tcpflooder.vbs tool to create 200 concurrent TCP connections.
a. Use Windows Explorer (or My Computer) to open the C:\Tools folder.
The Tools folder contains a script named tcpflooder.vbs, which attempts to set up 200 connections to IP addresses 42.1.0.0 through 42.1.19.9.
Note: By default, ISA Server allows a maximum of 160 concurrent TCP connections from the same IP address.
b. Right-click tcpflooder.vbs, and then click Open.
c. Click Yes to confirm that you want to start TCP Flooder.
Please wait 10 seconds while TCP Flooder attempts to set up the 200 TCP connections.
Note: The IP addresses on the 42.1.0.0 network do not exist in the lab environment, but Denver will set up a maximum of 160 TCP connections with ISA Server. ISA Server blocks the remaining 40 TCP connections.
d. Click OK to acknowledge that 200 TCP connections are created.
e. Close the Tools folder.
8. In Internet Explorer, refresh the existing Web page, and attempt to create a second connection to http://istanbul.fabrikam.com/web.asp.
a. In the Internet Explorer window, on the toolbar, click the Refresh button.
If the Internet Explorer connection did not time out yet, then the Server time on the Web page is changed. That is an indication that the page refreshed successfully.
Even though ISA Server has blocked connections from Denver (10.1.1.5), existing connections, such as the one in the Internet Explorer window, can still be used.
b. On the Start menu, click All Programs, and then click Internet Explorer.
A second Internet Explorer window opens.
c. In Internet Explorer, in the Address box, type http://istanbul.fabrikam.com/web.asp, and then press Enter.
ISA Server blocks new connections from 10.1.1.5. After a few moments, Internet Explorer displays an error page to indicate that it cannot display the page.
d. Close the Internet Explorer windows.
Note: ISA Server blocks traffic based on the flood mitigation settings for 60 seconds. To avoid the situation where an attacker uses a large number of network packets with a spoofed sender IP address to intentionally block another computer, ISA Server first completes a TCP three-way handshake to verify that the sender IP address is not spoofed.
Perform the following steps on the Paris computer.

9. On the Paris computer, examine the flooding alert.
a. On the Paris computer, in the ISA Server console, in the left pane, select Monitoring.
b. In the right pane, select the Alerts tab.
c. In the task pane, on the Tasks tab, click Refresh Now.
d. In the alert list, expand the Concurrent TCP Connections from One IP Address Limit Exceeded alert, and then select the alert line below that.
Notice in the Alert Information description that ISA Server identifies which IP address (10.1.1.5) exceeded the configured limit of concurrent TCP connections. This information allows you to further investigate the cause of the high number of connection attempts.
10. Configure the log viewer filter conditions:
Log Time: Last Hour
Client IP: Equals 10.1.1.5
Destination IP: Greater or Equal 42.1.0.0
a. In the right pane, select the Logging tab.
Note: You may (temporarily) need to close the task pane in order to see the Logging tab.
b. In the task pane, on the Tasks tab, click Edit Filter.
c. In the Edit Filter dialog box, in the conditions list, select the Log Time - Live condition.
d. In the Condition drop-down list box, select Last Hour, and then click Update.
The condition is changed to Log Time - Last Hour.
e. Complete the following information:
  Filter by: Client IP
  Condition: Equals
  Value: 10.1.1.5
and then click Add To List.
f. Complete the following information:
  Filter by: Destination IP
  Condition: Greater or Equal
  Value: 42.1.0.0
and then click Add To List.
g. Click Start Query to close the Edit Filter dialog box.
After a few moments, the log viewer displays all log entries from 10.1.1.5 to the 42.1.0.0 network from the last hour. The most recent log entry is listed first.
h. Scroll to the top of the list of log entries.
Notice that the most recent log entry is for the connection to an IP address close to 42.1.15.9. That is exactly 160 concurrent TCP connections. The last IP address may be a little lower if ISA Server had existing connections, or a little higher if ISA Server had already closed a few TCP connections.
To avoid overwhelming the log file with identical block entries, you configured Flood Mitigation not to log traffic that is blocked by the flood mitigation settings (all connections to IP addresses close to 42.1.16.0 through 42.1.19.9).
Note: The following tasks are needed to avoid conflicts with other lab exercises.

11. Restore the log viewer filter conditions:
Log Time: Live
Client IP: (remove)
Destination IP: (remove)
a. In the task pane, on the Tasks tab, click Edit Filter.
b. In the Edit Filter dialog box, in the conditions list, select Log Time - Last Hour.
c. In the Condition drop-down list box, select Live, and then click Update.
The condition is changed to Log Time - Live.
d. In the conditions list, select the Destination IP condition, and then click Remove.
e. In the conditions list, select the Client IP condition, and then click Remove.
f. Click Start Query to close the dialog box.
g. In the task pane, on the Tasks tab, click Stop Query.
Perform the following steps on the Denver computer.

12. On the Denver computer, configure Internet Explorer to use a proxy server.
a. On the Denver computer, open Internet Explorer.
b. In Internet Explorer, on the Tools menu, click Internet Options.
c. In the Internet Options dialog box, on the Connections tab, click LAN Settings.
d. In the Local Area Network (LAN) Settings dialog box, complete the following information:
  Use a proxy server for your LAN: enable
  Address: 10.1.1.1
  Port: 8080
  Bypass proxy server for local address: enable
and then click OK to close the Local Area Network (LAN) Settings dialog box.
e. Click OK to close the Internet Options dialog box.
f. Close Internet Explorer.
Module C: Publishing Web Servers and Other Servers
Exercise 1
Publishing a Web Server in the Internal Network
In this exercise, you will configure ISA Server to publish a Web server on the internal network to client computers on the Internet.

Note: This lab exercise uses the following computers: Denver - Paris - Istanbul
Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.
Perform the following steps on the Paris computer.

1. On the Paris computer, create a new Web listener.
Name: External Web 80
SSL: disable
Network: External
Compression: disable
Authentication: none
a. On the Paris computer, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.
The ISA Server console opens.
b. In the ISA Server console, expand Paris, and then select Firewall Policy.
c. In the task pane, on the Toolbox tab, in the Network Objects section, right-click Web Listeners, and then click New Web Listener.
d. In the New Web Listener Definition Wizard dialog box, in the Web listener name text box, type External Web 80, and then click Next.
e. On the Client Connection Security page, select Do not require SSL secured connections with clients, and then click Next.
f. On the Web Listener IP Addresses page, complete the following information:
  Listen on network: External
  ISA Server will compress content: disable
and then click Next.
g. On the Authentication Settings page, in the drop-down list box, select No Authentication, and then click Next.
h. On the Single Sign On Settings page, click Next.
i. On the Completing the New Web Listener Wizard page, click Finish.
A new Web listener (port 80 on the IP address of the adapter on the External network) with the name External Web 80 is created.
j. Click Apply to save the changes, and then click OK.
2. Examine the effect of the Web listener definition on the listening ports.
a. Open a Command Prompt window.
b. At the command prompt, type netstat -ano | find ":80", and then press Enter.
The output of the command shows the listening ports that contain ":80". Currently the ISA Server does NOT listen on port 80. The creation of the Web listener definition did not change the listener configuration of the firewall yet.
Note: The displayed line with port 8080 on the internal IP address 10.1.1.1 is the opened Web Proxy port for client computers on the Internal network.
The last column lists the process ID of the process that listens on the port.
c. Close the Command Prompt window.
3. Create a Web publishing rule.
Name: Web Home Page (on Denver)
Publishing type: single Web site
Internal site name: denver.contoso.com
Public name: www.contoso.com
Web listener: External Web 80
Delegation: none
a. In the ISA Server console, in the left pane, select Firewall Policy.
b. In the right pane, select the first rule, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.
c. In the task pane, on the Tasks tab, click Publish Web Sites.
Instead of using the task pane, you can also right-click Firewall Policy, click New, and then click Web Site Publishing Rule.
d. In the New Web Publishing Rule Wizard dialog box, in the Web publishing rule name text box, type Web Home Page (on Denver), and then click Next.
e. On the Select Rule Action page, select Allow, and then click Next.
f. On the Publishing Type page, select Publish a single Web site, and then click Next.
g. On the Server Connection Security page, select Use non-secured connections to connect to the published Web server, and then click Next.
h. On the Internal Publishing Details page, complete the following information:
  Internal site name: denver.contoso.com
  Use a computer name or IP address: disable (is default)
and then click Next.
i. On the next Internal Publishing Details page, complete the following information:
  Path: (leave empty)
  Forward the original host header: disable (is default)
and then click Next.
j. On the Public Name Details page, complete the following information:
  Accept requests for: This domain name (type below):
  Public name: www.contoso.com
  Path: (leave empty)
and then click Next.
k. On the Select Web Listener page, in the Web listener drop-down list box, select External Web 80, and then click Next.
If you did not create the Web listener before starting the New Web Publishing Rule Wizard, you can click the New button and create a new Web listener definition from the Select Web Listener page.
l. On the Authentication Delegation page, select No delegation, and client cannot authenticate directly, and then click Next.
m. On the User Sets page, click Next.
n. On the Completing the New Web Publishing Rule Wizard page, click Finish.
A new Web publishing rule is created which publishes the Web site at denver.contoso.com (10.1.1.5) as www.contoso.com on the External network.
o. Click Apply to apply the new rule, and then click OK.
4. Examine the effect of the Web publishing rule on the listening ports.
a. Open a Command Prompt window.
b. At the command prompt, type netstat -ano | find ":80", and then press Enter.
The output of the command shows that the process with process ID nnnn (last column) listens on the external IP address 39.1.1.1 on port 80.
c. At the command prompt, type tasklist /svc | find "nnnn", and then press Enter. (Replace nnnn with the actual process ID displayed in the output of the previous step.)
The output of the command shows that the process with process ID nnnn has image name wspsrv.exe and hosts the Microsoft Firewall service (fwsrv).
d. Close the Command Prompt window.
Note: For performance reasons, all Web publishing rules, server publishing rules, and all outgoing Web access, Firewall client and SecureNAT client traffic are handled by the Microsoft Firewall service (wspsrv.exe). In earlier versions of ISA Server, multiple different services were responsible for this traffic.
5. Examine the network rule for connectivity between the External network and the Internal network.
a. In the ISA Server console, in the left pane, expand Configuration, and then select Networks.
b. In the right pane, on the Network Rules tab, select the rule that defines the connectivity between the Internal network and the External network.
In the default configuration for the 3-Leg Perimeter network template, the network rule named Internet Access (rule 5) indicates that ISA Server will use NAT for network traffic from the Internal network to the External network.
Because network traffic in the other direction (from the External network to Denver on the Internal network) goes against the NAT direction, you need to create a publishing rule to allow this network traffic.
Perform the following steps on the Istanbul computer.

6. On the Istanbul computer, verify that www.contoso.com resolves to 39.1.1.1.
a. On the Istanbul computer, open a Command Prompt window.
b. At the command prompt, type ping www.contoso.com, and then press Enter.
The output of the ping command verifies that www.contoso.com resolves to the external IP address of Paris, 39.1.1.1. (ISA Server does not reply to the ping request.)
c. Close the Command Prompt window.
7. Connect to the published Web server on www.contoso.com, and attempt to connect to 39.1.1.1.
a. Open Internet Explorer. In the Address box, type http://www.contoso.com, and then press Enter.
Internet Explorer displays the home page of Denver. ISA Server successfully published the Denver home page as www.contoso.com on the External network (Internet).
b. In the Address box, type http://39.1.1.1, and then press Enter.
Internet Explorer displays an error page. ISA Server returns error code 403 (Forbidden - The server denied the specified URL).
Currently the home page of Denver is only published with the public name www.contoso.com, not when using the IP address 39.1.1.1 directly.
Perform the following steps on the Paris computer.

8. On the Paris computer, add the 39.1.1.1 public name to the Web Home Page (on Denver) Web publishing rule.
a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
b. In the right pane, select the Web Home Page (on Denver) Web publishing rule.
c. In the task pane, on the Tasks tab, click Edit Selected Rule.
d. In the Web Home Page (on Denver) Properties dialog box, on the Public Name tab, click Add.
e. In the Public Name dialog box, type 39.1.1.1, and then click OK.
The Web publishing rule now contains two public names: www.contoso.com and 39.1.1.1.
f. Click OK to close the Web Home Page (on Denver) Properties dialog box.
g. Click Apply to apply the changed rule, and then click OK.
Perform the following steps on the Istanbul computer.

9. On the Istanbul computer, connect to the published Web server on 39.1.1.1.
a. On the Istanbul computer, in Internet Explorer, ensure that http://39.1.1.1 is in the Address box, and then click the Refresh button.
Internet Explorer displays the home page of Denver. ISA Server successfully published the Denver home page as www.contoso.com and 39.1.1.1 on the External network (Internet).
b. Close Internet Explorer.

Exercise 2
Publishing the Web Server on the ISA Server Computer
In this exercise, you will configure ISA Server to publish a Web server on the ISA Server to client computers on the Internet.

Note: This lab exercise uses the following computers: Denver - Paris - Istanbul
Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.
Perform the following steps on the Paris computer.

1. On the Paris computer, configure the default Web site to use port 81, and then start the Web site.
a. On the Paris computer, on the Start menu, click Administrative Tools, and then click Internet Information Services (IIS) Manager.
The IIS Manager console opens.
b. In the IIS Manager console, expand PARIS (local computer), expand Web Sites, right-click Default Web Site (Stopped), and then click Properties.
c. In the Default Web Site (Stopped) Properties dialog box, on the Web Site tab, in the TCP port text box, type 81, and then click OK.
The default HTTP TCP port is 80. Because ISA Server uses port 80 for publishing Web sites (and publishing automatic discovery information for Web clients), the Web site on the ISA Server computer must be changed to another port.
d. Right-click Default Web Site (Stopped), and then click Start.
The default Web site is started. The Web site listens on port 81.
e. Close the IIS Manager console.
2. Examine the effect of starting the default Web site on the listening ports.
a. Open a Command Prompt window.
b. At the command prompt, type netstat -ano | find ":81", and then press Enter.
The output of the command shows that the process with process ID mmmm (last column) listens on all IP addresses (0.0.0.0) on port 81.
c. At the command prompt, type tasklist /svc | find "mmmm", and then press Enter. (Replace mmmm with the actual process ID displayed in the output of the previous step.)
The output of the command shows that the process with process ID mmmm hosts the World Wide Web Publishing Service (W3SVC), which is part of IIS.
Currently, the Firewall service listens on port 80, and IIS listens on port 81.
d. Close the Command Prompt window.
3. Create a Web publishing rule.
Name: Products Web Site (on Paris)
Publishing type: single Web site
Internal site name: Paris
IP address: 10.1.1.1
Port: 81
Public name: www.contoso.com/products
Web listener: External Web 80
Delegation: none
a. In the ISA Server console, in the left pane, select Firewall Policy.
b. In the right pane, select the first rule to indicate where the new rule is added to the rule list.
c. In the task pane, on the Tasks tab, click Publish Web Sites.
d. In the New Web Publishing Rule Wizard dialog box, in the Web publishing rule name text box, type Products Web Site (on Paris), and then click Next.
e. On the Select Rule Action page, select Allow, and then click Next.
f. On the Publishing Type page, select Publish a single Web site, and then click Next.
g. On the Server Connection Security page, select Use non-secured connections to connect to the published Web server, and then click Next.
h. On the Internal Publishing Details page, complete the following information:
  Internal site name: Paris
  Use a computer name or IP address: enable
  Computer name or IP address: 10.1.1.1
and then click Next.
Note: After completing the wizard, the destination TCP port of the rule can be set to 81.
10.1.1.1 is the IP address of Paris on the Internal network.
i. On the next Internal Publishing Details page, complete the following information:
  Path: (leave empty)
  Forward the original host header: disable (is default)
and then click Next.
j. On the Public Name Details page, complete the following information:
  Accept requests for: This domain name (type below):
  Public name: www.contoso.com
  Path: products
and then click Next.
The public name of the Web site is www.contoso.com/products.
k. On the Select Web Listener page, in the Web listener drop-down list box, select External Web 80, and then click Next.
l. On the Authentication Delegation page, select No delegation, and client cannot authenticate directly, and then click Next.
m. On the User Sets page, click Next.
n. On the Completing the New Web Publishing Rule Wizard page, click Finish.
A new Web publishing rule is created that publishes the Web site at 10.1.1.1 (Paris) as www.contoso.com/products on the External network.
o. In the right pane, select the Products Web Site (on Paris) Web publishing rule, and then in the task pane, on the Tasks tab, click Edit Selected Rule.
p. In the Products Web Site (on Paris) Properties dialog box, select the Paths tab.
Web publishing rules can redirect requests that contain a path (/products) to the root of a Web site (/).
q. Select the Listener tab.
Notice that the rule applies to requests received on port 80.
r. On the Bridging tab, in the Redirect requests to HTTP port text box, type 81.
The Web publishing rule now redirects requests for www.contoso.com/products (port 80) to 10.1.1.1 (port 81).
s. Click OK to close the Products Web Site (on Paris) Properties dialog box.
The Products Web Site (on Paris) and the Web Home Page (on Denver) Web publishing rules share the same Web listener named External Web 80. The public name that is used in the incoming Web requests determines which Web publishing rule applies.
Because the public name of the Web Home Page (on Denver) rule (www.contoso.com) is a superset of the public name of the Products Web Site (on Paris) rule (www.contoso.com/products), it is important that the Products Web Site (on Paris) rule (currently order 1) is listed before the Web Home Page (on Denver) rule (currently order 2).
t. Click Apply to apply the new rule, and then click OK.
Perform the following steps on the Istanbul computer.

4. On the Istanbul computer, connect to the published Web servers on www.contoso.com/products and www.contoso.com.
a. On the Istanbul computer, open Internet Explorer. In the Address box, type http://www.contoso.com/products, and then press Enter.
Internet Explorer displays the home page of Paris (10.1.1.1). ISA Server successfully published the Paris home page as www.contoso.com/products on the External network.
b. In the Address box, type http://www.contoso.com, and then press Enter.
Internet Explorer displays the home page of Denver (10.1.1.5). This result confirms that ISA Server publishes two Web sites now.
c. Close Internet Explorer.
Perform the following steps on the Paris computer.

5. On the Paris computer, create a Web publishing rule.
Name: Public Web Site (on Paris)
Publishing type: single Web site
Internal site name: Paris
IP address: 10.1.1.1
Path: publicweb/*
Port: 81
Public name: public.contoso.com
Web listener: External Web 80
Delegation: none
a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
b. In the right pane, select the first rule to indicate where the new rule is added to the rule list.
c. In the task pane, on the Tasks tab, click Publish Web Sites.
d. In the New Web Publishing Rule Wizard dialog box, in the Web publishing rule name text box, type Public Web Site (on Paris), and then click Next.
e. On the Select Rule Action page, select Allow, and then click Next.
f. On the Publishing Type page, select Publish a single Web site, and then click Next.
g. On the Server Connection Security page, select Use non-secured connections to connect to the published Web server, and then click Next.
h. On the Internal Publishing Details page, complete the following information:
  Internal site name: Paris
  Use a computer name or IP address: enable
  Computer name or IP address: 10.1.1.1
and then click Next.
i. On the next Internal Publishing Details page, complete the following information:
  Path: publicweb/*
  Forward the original host header: disable (is default)
and then click Next.
The published Web site is 10.1.1.1/publicweb.
j. On the Public Name Details page, complete the following information:
  Accept requests for: This domain name (type below):
  Public name: public.contoso.com
  Path: (remove /publicweb/*, and leave empty)
and then click Next.
The public name of the Web site is public.contoso.com.
k. On the Select Web Listener page, in the Web listener drop-down list box, select External Web 80, and then click Next.
l. On the Authentication Delegation page, select No delegation, and client cannot authenticate directly, and then click Next.
m. On the User Sets page, click Next.
n. On the Completing the New Web Publishing Rule Wizard page, click Finish.
A new Web publishing rule is created that publishes the Web site at 10.1.1.1/publicweb (Paris) as public.contoso.com on the External network.
o. In the right pane, select the Public Web Site (on Paris) Web publishing rule, and then in the task pane, on the Tasks tab, click Edit Selected Rule.
p. In the Public Web Site (on Paris) Properties dialog box, select the Paths tab.
Web publishing rules can redirect requests for the root of a Web site (/) to a path (/publicweb) on a Web server.
You can also translate a path in the public name to another path on the published Web server.
q. On the Bridging tab, in the Redirect requests to HTTP port text box, type 81.
The Web publishing rule now redirects requests for public.contoso.com (port 80) to 10.1.1.1/publicweb (port 81).
r. Click OK to close the Public Web Site (on Paris) Properties dialog box.
s. Click Apply to apply the new rule, and then click OK.
Perform the following steps on the Istanbul computer.

6. On the Istanbul computer, connect to the published Web server on public.contoso.com.
a. On the Istanbul computer, open Internet Explorer. In the Address box, type http://public.contoso.com, and then press Enter.
Internet Explorer displays the home page of Paris (10.1.1.1) from the /publicweb folder. ISA Server successfully published the Paris home page in the /publicweb folder as public.contoso.com on the External network.
b. Close Internet Explorer.
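How the three Web publishing rules built in Exercises 1 and 2 select an incoming request, as an added example that is not part of the lab manual or of ISA Server itself: a Python model in which the public name and path of a request pick the first matching rule in order, and a request matching no rule gets the 403 seen in Exercise 1 step 7. The class, function and field names are this example's own assumptions; the public names, paths, hosts and ports come from the rules above.

```python
"""How ISA Server chooses a Web publishing rule for an incoming request.

Added example; not code from the lab manual or from ISA Server. It models the
three rules built in Exercises 1 and 2: the public name (host) and path of the
request select the rule, rules are tried in order and the first match wins,
and a request that matches no rule gets a 403. Names such as
WebPublishingRule, resolve and lab_rules are this example's own choices.
"""
from dataclasses import dataclass


@dataclass
class WebPublishingRule:
    name: str
    public_names: list        # host names or IP addresses the rule accepts
    public_path: str          # public path prefix; "" means the whole site
    internal_host: str
    internal_port: int = 80   # Bridging tab: Redirect requests to HTTP port
    internal_path: str = "/"  # Paths tab: where the public path is mapped to


def resolve(rules, host, path):
    """Return (rule name, internal URL) for a request, or (None, None) for 403."""
    for rule in rules:                        # rule order matters: first match wins
        if host.lower() not in [n.lower() for n in rule.public_names]:
            continue
        prefix = rule.public_path.rstrip("/")
        if prefix and not (path == prefix or path.startswith(prefix + "/")):
            continue
        rest = path[len(prefix):] or "/"
        base = f"http://{rule.internal_host}:{rule.internal_port}"
        return rule.name, base + rule.internal_path.rstrip("/") + rest
    return None, None                         # ISA Server answers 403 Forbidden


def lab_rules():
    """The rule list as it stands at the end of Exercise 2 (order 1, 2, 3)."""
    return [
        WebPublishingRule("Public Web Site (on Paris)", ["public.contoso.com"],
                          "", "10.1.1.1", 81, "/publicweb"),
        WebPublishingRule("Products Web Site (on Paris)", ["www.contoso.com"],
                          "/products", "10.1.1.1", 81, "/"),
        WebPublishingRule("Web Home Page (on Denver)",
                          ["www.contoso.com", "39.1.1.1"], "", "denver.contoso.com"),
    ]


def lab_demo():
    """Replay the requests made from Istanbul in Exercises 1 and 2."""
    rules = lab_rules()
    results = {
        "products": resolve(rules, "www.contoso.com", "/products/index.htm"),
        "home": resolve(rules, "www.contoso.com", "/links.htm"),
        "public": resolve(rules, "public.contoso.com", "/index.htm"),
        "by_ip": resolve(rules, "39.1.1.1", "/"),
    }
    # Exercise 1 step 7: before 39.1.1.1 was added as a public name, the
    # request by IP address matched no rule and ISA Server returned 403.
    before_ip = lab_rules()
    before_ip[2].public_names = ["www.contoso.com"]
    results["by_ip_before"] = resolve(before_ip, "39.1.1.1", "/")
    # If the broader Web Home Page rule were listed above the Products rule,
    # it would capture /products and send the request to Denver instead of
    # Paris port 81; this is why the rule order noted in step 3 matters.
    wrong_order = [rules[0], rules[2], rules[1]]
    results["products_wrong_order"] = resolve(
        wrong_order, "www.contoso.com", "/products/index.htm")
    return results


if __name__ == "__main__":
    for request, outcome in lab_demo().items():
        print(f"{request}: {outcome}")
```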

Exercise 3
Performing Link Translation on a Published Web Server
In this exercise, you will configure ISA Server to enable link translation for a published Web site.

Note: This lab exercise uses the following computers: Denver - Paris - Istanbul
Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.
Perform the following steps on the Istanbul computer.

1. On the Istanbul computer, connect to the Web page www.contoso.com/links.htm.
a. On the Istanbul computer, open Internet Explorer. In the Address box, type http://www.contoso.com/links.htm, and then press Enter.
Internet Explorer displays a demonstration Web page for the Link Translation Filter. The Web Home Page (on Denver) Web publishing rule from an earlier exercise makes the links.htm page available on the External network (Istanbul).
Notice that two of the three images are displayed correctly.
  The first image uses a relative address (pic1.jpg). Internet Explorer automatically adds the current host name (www.contoso.com) to the relative address.
  The second image uses the full name of the Web server computer itself (denver.contoso.com), which ISA Server automatically replaces (translates) with www.contoso.com, so that it can be resolved when the Web server is published on the Internet.
  The link to the third image still uses the internal name (ronsbox) of the Web server computer, and does not resolve correctly on the Internet.
b. Hold the mouse pointer over the Translated link for pic1.jpg URL.
In the status bar, you can see that Internet Explorer translates the <a href="pic1.jpg"> HTML code to include the entire address that is used in the Address box.
c. Right-click the displayed image (pic1.jpg), and then click Properties.
In the Properties dialog box, you can see that Internet Explorer also translates the <img src="pic1.jpg"> HTML code to include the entire address.
d. Click Cancel to close the Properties dialog box.
e. Do not close Internet Explorer.
Perform the following steps on the Paris computer.

2. On the Paris computer, examine the Link Translation Filter Web filter.
a. On the Paris computer, in the ISA Server console, in the left pane, expand Configuration, and then select Add-ins.
b. In the right pane, select the Web Filters tab.
One of the Web filters is the Link Translation Filter. Responses from published Web servers pass through the list of Web filters, including the Link Translation Filter, before they are sent to the client computers.
3. Examine the current link translation mappings for the Web Home Page (on Denver) Web publishing rule.
a. In the left pane, select Firewall Policy, and then in the right pane, select the Web Home Page (on Denver) Web publishing rule.
This Web publishing rule redirects requests for www.contoso.com (and 39.1.1.1) to the Web server on denver.contoso.com.
b. In the task pane, on the Tasks tab, click Edit Selected Rule.
c. In the Web Home Page (on Denver) Properties dialog box, select the Link Translation tab.
By default, link translation is applied to Web publishing rules.
Based on the names used in the rule definition, ISA Server will create link translation mappings (such as "http://denver.contoso.com" to "http://www.contoso.com") to perform link translation for this Web publishing rule. This ensures that the second graphical image (using http://denver.contoso.com) is displayed correctly.
d. On the Link Translation tab, click Mappings.
Internet Explorer opens a Web page that displays the currently defined link translation mappings for this rule, including the mapping from URL http://denver.contoso.com to URL http://www.contoso.com.
e. Close Internet Explorer.
f. Click Cancel to close the Web Home Page (on Denver) Properties dialog box.
4. Create a new global link translation mapping:
Replace this text: http://ronsbox
With this text: http://www.contoso.com
a. In the left pane, select General.
b. In the right pane, under Global HTTP Policy Settings, click Configure Global Link Translation.
c. In the Link Translation dialog box, select the Global Mappings tab.
In ISA Server 2006, you can define global link translation mappings that apply to all Web publishing rules.
d. On the Global Mappings tab, click Add.
e. In the Add Mapping dialog box, complete the following information:
  Internal URL: http://ronsbox
  Translated URL: http://www.contoso.com
and then click OK.
It is a good practice to also consider adding a link translation mapping for https://ronsbox, but that is not needed for this exercise.
f. Click OK to close the Link Translation dialog box.
g. Click Apply to save the changes, and then click OK.
Perform the following steps on the Istanbul computer.

5. On the Istanbul computer, refresh the content of the Web page at www.contoso.com/links.htm again, by pressing Ctrl-F5 or Ctrl-Refresh.
a. On the Istanbul computer, in Internet Explorer, ensure that the http://www.contoso.com/links.htm Web page is opened.
b. Hold the Ctrl key, and then click the Refresh button on the toolbar, to refresh the content of the Web page.
The third image (pic3.jpg) is also displayed correctly.
The Link Translation Filter on ISA Server has translated the http://ronsbox link that was returned by the Denver Web server for the URL of pic3.jpg, to http://www.contoso.com.
c. Close Internet Explorer.
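The link translation performed in this exercise, as an added example that is not part of the lab manual or of ISA Server itself: a Python rewriter that applies the rule mapping (http://denver.contoso.com to http://www.contoso.com) and then the global mapping added in step 4 (http://ronsbox to http://www.contoso.com) to a constructed stand-in for the links.htm page, and shows why the https://ronsbox caveat matters. The function names and the sample HTML are this example's own assumptions; it only rewrites href and src attribute values, which is a simplification of what the Link Translation Filter does.

```python
"""Link translation as performed by the ISA Server Link Translation Filter.

Added example; not code from the lab manual or from ISA Server. It rewrites
absolute internal URLs in href and src attributes of a published response,
first with the mapping ISA Server derives from the rule definition
(http://denver.contoso.com -> http://www.contoso.com) and then with the global
mapping added in step 4 (http://ronsbox -> http://www.contoso.com). The sample
links.htm body is constructed for the example; the real filter rewrites more
than these two attributes, which this simplified version does not attempt.
"""
import re

# href="..." / src='...' attribute values (the only places rewritten here)
ATTR_RE = re.compile(r"""\b(href|src)=(["'])([^"']*)\2""", re.IGNORECASE)


def rule_mappings(internal_site_name, public_name, scheme="http"):
    """Mapping ISA Server derives from a Web publishing rule's own names."""
    return {f"{scheme}://{internal_site_name}": f"{scheme}://{public_name}"}


def translate_links(body, mappings):
    """Rewrite attribute values that start with a mapped internal URL."""
    # Longest internal URL first, so that http://ronsbox.contoso.com would be
    # matched by its own mapping rather than by http://ronsbox.
    ordered = sorted(mappings.items(), key=lambda kv: len(kv[0]), reverse=True)

    def rewrite(match):
        attr, quote, url = match.groups()
        for internal, public in ordered:
            tail = url[len(internal):]
            # match only at a URL boundary (end, "/", "?" or "#"), ignoring case;
            # https://ronsbox does not start with http://ronsbox and stays as-is
            if url.lower().startswith(internal.lower()) and (tail == "" or tail[0] in "/?#"):
                url = public + tail
                break
        return f"{attr}={quote}{url}{quote}"

    return ATTR_RE.sub(rewrite, body)


# Constructed stand-in for the links.htm demonstration page served by Denver.
LINKS_HTM = """<html><body>
<a href="pic1.jpg">Translated link for pic1.jpg</a>
<img src="pic1.jpg">
<img src="http://denver.contoso.com/pic2.jpg">
<img src="http://ronsbox/pic3.jpg">
<a href="https://ronsbox/secure/">secure area</a>
</body></html>"""


def lab_demo():
    """Step 1 (rule mapping only) versus step 5 (global mapping added)."""
    rule_only = rule_mappings("denver.contoso.com", "www.contoso.com")
    with_global = dict(rule_only)
    with_global["http://ronsbox"] = "http://www.contoso.com"   # step 4e
    return {
        "step1": translate_links(LINKS_HTM, rule_only),
        "step5": translate_links(LINKS_HTM, with_global),
    }


if __name__ == "__main__":
    for step, html in lab_demo().items():
        print(f"--- {step} ---\n{html}")
```

In the step1 output pic2.jpg already points at www.contoso.com while pic3.jpg still points at ronsbox; in the step5 output pic3.jpg is translated too, but the https://ronsbox link is untouched, which is the mapping step 4 suggests adding.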

Exercise 4
Using Cross-Site Link Translation to Publish SharePoint Server
In this exercise, you will configure ISA Server to publish a SharePoint Server.

The portal Web site contains links to other Web servers. By using cross-site link translation,
you can access the links from the published portal Web site.

Note: This exercise applies to new functionality in ISA Server 2006.

Tasks Detailed steps


 Note: This lab exercise uses the following computers: Denver - Paris - Istanbul
Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.
 Perform the following steps on the Denver computer.

1. On the Denver computer, connect to http://portal, and examine the links on the Project-D Portal Web site.
a. On the Denver computer, open Internet Explorer. In the Address box, type http://portal, and then press Enter.
 Internet Explorer displays a sample Project-D Portal Web site, which runs on Denver on IP address 10.1.1.10.
b. In the portal Web site, under Shared Documents, move the mouse
pointer over Agenda (do not click).
 In the status bar, notice that the Agenda.doc link refers to
http://portal.
c. Click Agenda.
d. In the File Download dialog box, click Open to confirm that you want to
open the Agenda.doc file.
 WordPad opens the Agenda.doc file.
e. Close WordPad.
f. In the portal Web site, under Links, move the mouse pointer over
Research Web Site (do not click).
 In the status bar, notice that the Research Web Site link refers to
http://server1.
 It is very common that SharePoint sites contain links to other
servers on the internal network.
g. Click Research Web Site.
 Internet Explorer opens the research.htm file on server1. Server1 is
a Web site running on Denver on IP address 10.1.1.21.
h. On the toolbar, click the Back button.
i. Close Internet Explorer.
 Perform the following steps on the Paris computer.

2. On the Paris computer, create a new Web listener (if this is not done already).
Name: External Web 80
SSL: disable
Network: External
Compression: disable
Authentication: none
a. On the Paris computer, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.
 The ISA Server console opens.
b. In the ISA Server console, expand Paris, and then select Firewall Policy.
c. In the task pane, on the Toolbox tab, in the Network Objects section, expand Web Listeners (if possible).
 Note: If a Web Listener named External Web 80 is already created in an earlier exercise, then you can skip the rest of this task.
d. If a Web listener named External Web 80 does not exist, then right-click Web Listeners, and then click New Web Listener.
e. In the New Web Listener Definition Wizard dialog box, in the
Web listener name text box, type External Web 80, and then click Next.
f. On the Client Connection Security page, select
Do not require SSL secured connections with clients, and then click Next.
g. On the Web Listener IP Addresses page, complete the following
information:
  Listen on network: External
  ISA Server will compress content: disable
and then click Next.
h. On the Authentication Settings page, in the drop-down list box, select
No Authentication, and then click Next.
i. On the Single Sign On Settings page, click Next.
j. On the Completing the New Web Listener Wizard page, click Finish.
 A new Web listener (port 80 on the IP address on the adapter on
the External network) with the name External Web 80 is created.
3. Create a Web publishing rule to publish a SharePoint server.
Name: Portal Web Site
Publishing type: single Web site
Internal site name: portal
Public name: portal.contoso.com
Web listener: External Web 80
Delegation: none
a. In the right pane, select the first rule, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.
b. In the task pane, on the Tasks tab, click Publish SharePoint Sites.
c. In the New SharePoint Publishing Rule Wizard dialog box, in the SharePoint publishing rule name text box, type Portal Web Site, and then click Next.
d. On the Publishing Type page, select Publish a single Web site, and then click Next.
e. On the Server Connection Security page, select Use non-secured connections to connect to the published Web server, and then click Next.
f. On the Internal Publishing Details page, in the Internal site name text box, type portal, and then click Next.
g. On the Public Name Details page, in the Public name text box, type portal.contoso.com, and then click Next.
h. On the Select Web Listener page, in the Web listener drop-down list box, select External Web 80, and then click Next.
i. On the Authentication Delegation page, select No delegation, and client
cannot authenticate directly, and then click Next.
j. On the Alternate Access Mapping Configuration page, select
SharePoint AAM is not yet configured, and then click Next.
 ISA Server forwards the public name (portal.contoso.com) to the
SharePoint site. If SharePoint limits which names can be used to access the
site, then you have to add portal.contoso.com to the Extranet URL list
(Alternate Access Mapping list) on the SharePoint site.
k. On the User Sets page, click Next.
l. On the Completing the New SharePoint Publishing Rule Wizard page,
click Finish.
 A new Web publishing rule is created, which publishes the
SharePoint site portal as portal.contoso.com on the External network.
4. Apply the changes. a. Click Apply to apply the changes, and then click OK.
 Perform the following steps on the Istanbul computer.

5. On the Istanbul computer, connect to http://portal.contoso.com, and examine the links on the Project-D Portal Web site.
a. On the Istanbul computer, open Internet Explorer. In the Address box, type http://portal.contoso.com, and then press Enter.
 Internet Explorer displays the sample Project-D Portal Web site.
 This result demonstrates that you have successfully published the SharePoint site.
b. In the portal Web site, under Shared Documents, move the mouse
pointer over Agenda (do not click).
 In the status bar, notice that the Agenda.doc link refers to
http://portal.contoso.com.
 The SharePoint publishing rule wizard configured the Web
publishing rule to forward the original host header (http://portal.contoso.com)
to the SharePoint site.
SharePoint uses that information to create URLs that refer to the host name
(portal.contoso.com) that the client can use.
c. Click Agenda.
d. In the File Download dialog box, click Open to confirm that you want to
open the Agenda.doc file.
 WordPad opens the Agenda.doc file.
 You can access documents on the published SharePoint Web site, in
the same way you can access them on the internal network when connecting to
http://portal.
e. Close WordPad.
f. In the portal Web site, under Links, move the mouse pointer over
Research Web Site (do not click).
 In the status bar, notice that the Research Web Site link refers to
http://server1.
g. Click Research Web Site.
 Internet Explorer on Istanbul is not able to resolve the name
server1 to connect to the Web server on the internal network.
h. On the toolbar, click the Back button.
i. Close Internet Explorer.
 Perform the following steps on the Paris computer.

6. On the Paris computer, create a Web publishing rule.
Name: Server1 Web Site
Publishing type: single Web site
Internal site name: server1
Public name: web1.contoso.com
Web listener: External Web 80
Delegation: none
a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
b. In the right pane, select the first rule to indicate where the new rule is added.
c. In the task pane, on the Tasks tab, click Publish Web Sites.
d. In the New Web Publishing Rule Wizard dialog box, in the Web publishing rule name, type Server1 Web Site, and then click Next.
e. On the Select Rule Action page, select Allow, and then click Next.
f. On the Publishing Type page, select Publish a single Web site, and then click Next.
g. On the Server Connection Security page, select Use non-secured connections to connect to the published Web server, and then click Next.
h. On the Internal Publishing Details page, in the Internal site name text box, type server1, and then click Next.
i. On the next Internal Publishing Details page, leave the Path text box empty, and then click Next.
j. On the Public Name Details page, in the Public name text box, type
web1.contoso.com, and then click Next.
k. On the Select Web Listener page, in the Web listener drop-down list
box, select External Web 80, and then click Next.
l. On the Authentication Delegation page, select No delegation, and client
cannot authenticate directly, and then click Next.
m. On the User Sets page, click Next.
n. On the Completing the New Web Publishing Rule Wizard page, click
Finish.
 A new Web publishing rule is created, which publishes the Web site
server1 as web1.contoso.com on the External network.
7. Apply the changes. a. Click Apply to apply the changes, and then click OK.
8. Examine the list of per-server link translation mappings.
a. In the left pane, expand Configuration, and then click General.
b. In the right pane, click Configure Global Link Translation.
 ISA Server 2006 maintains a per-server (or per-array) list of URL
text replacement mappings that are applied to the content of HTTP response
packets through any Web publishing rule in the array.
c. Select the Global Mappings tab.
 The mappings are created automatically based on the internal site
name and the public name of existing Web publishing rules, but you can also
add custom mappings.
 The mapping to replace http://server1/ with
http://web1.contoso.com/ is based on the new Server1 Web Site rule, and will
be used by the Portal Web Site rule.
d. Click Cancel to close the Link Translation dialog box.
 Note: On ISA Server 2006 Enterprise Edition, you can enable link translation across arrays. This means that an
array can use link translation entries from other arrays in the same Enterprise.
 Perform the following steps on the Istanbul computer.

9. On the Istanbul computer, connect to http://portal.contoso.com, and examine the links on the Project-D Portal Web site.
a. On the Istanbul computer, open Internet Explorer. In the Address box, type http://portal.contoso.com, and then press Enter.
 Internet Explorer displays the sample Project-D Portal Web site. The site is published through the Portal Web Site publishing rule.
b. In the portal Web site, under Links, move the mouse pointer over
Research Web Site (do not click).
 In the status bar, notice that the Research Web Site link refers to
http://web1.contoso.com.
 The Portal Web Site rule used the link translation entry from the
Server1 Web Site rule.
c. Click Research Web Site.
 Internet Explorer displays the Research Web page from Server1.
The site is published through the Server1 Web Site publishing rule.
d. On the toolbar, click the Back button.
e. Close Internet Explorer.
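The following Python simulation is an added example, not part of the lab manual or of ISA Server, and it covers both link translation passages: the hand-entered global mapping from Exercise 3 (task 4, http://ronsbox to http://www.contoso.com) and the automatic per-array mappings that Exercise 4 (task 8) derives from the internal site name and public name of each Web publishing rule. The rule names and host names come from the lab; the HTML body, the host server10 and the merge order (hand-entered mapping wins, longer internal URL applied first) are assumptions of this simulation. In the lab itself the Agenda link already carried portal.contoso.com because the rule forwards the original host header; the http://portal link below is constructed to show what the Portal Web Site rule's automatic mapping would do with a link that still names the internal host.

```python
"""Link translation as used in Exercises 3 and 4, reduced to a simulation.

Added example, not ISA Server code. Two sources of mappings are combined:
  * automatic mappings derived from the internal site name and the public
    name of each Web publishing rule (Exercise 4, task 8), and
  * global mappings entered by hand on the Global Mappings tab (Exercise 3,
    task 4), such as http://ronsbox -> http://www.contoso.com.
Rule and host names come from the lab; the HTML body and server10 are
constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class WebPublishingRule:
    name: str
    internal_site_name: str  # host ISA Server connects to on the Internal network
    public_name: str         # host name that clients use on the External network


def automatic_mappings(rules: List[WebPublishingRule]) -> Dict[str, str]:
    """Per-array mappings derived from the publishing rules:
    http://<internal site name>/ -> http://<public name>/"""
    return {f"http://{r.internal_site_name}/": f"http://{r.public_name}/"
            for r in rules}


def build_mapping_table(rules: List[WebPublishingRule],
                        global_mappings: Dict[str, str]) -> List[Tuple[str, str]]:
    """Merge automatic and global mappings into an ordered replacement list.
    Longer internal URLs go first so that a short key is never applied to
    text that a longer key already matched. Both the override and the
    ordering are this simulation's choices, not documented ISA behaviour."""
    table = automatic_mappings(rules)
    table.update(global_mappings)  # assumption: a hand-entered mapping overrides
    return sorted(table.items(), key=lambda kv: len(kv[0]), reverse=True)


def translate_links(body: str, table: List[Tuple[str, str]]) -> str:
    """Rewrite every internal URL in a text response body to its public URL."""
    for internal, public in table:
        body = body.replace(internal, public)
    return body


# Rules created in Exercise 4 (tasks 3 and 6) and the global mapping from
# Exercise 3 (task 4).
RULES = [
    WebPublishingRule("Portal Web Site", "portal", "portal.contoso.com"),
    WebPublishingRule("Server1 Web Site", "server1", "web1.contoso.com"),
]
GLOBAL_MAPPINGS = {"http://ronsbox": "http://www.contoso.com"}

# Constructed response body, as the portal could return it before translation.
PORTAL_BODY = (
    '<a href="http://portal/Shared%20Documents/Agenda.doc">Agenda</a>\n'
    '<a href="http://server1/research.htm">Research Web Site</a>\n'
    '<img src="http://ronsbox/pic3.jpg">\n'
    '<a href="http://server10/other.htm">Host without a publishing rule</a>\n'
)


def translated_portal_body() -> str:
    """The constructed portal page after all mappings have been applied."""
    return translate_links(PORTAL_BODY, build_mapping_table(RULES, GLOBAL_MAPPINGS))


def trailing_slash_matters() -> bool:
    """A mapping entered without a trailing slash, like http://ronsbox in the
    lab, also rewrites hosts that merely begin with that text (constructed
    host ronsbox2), whereas http://server1/ leaves server10 above alone."""
    table = build_mapping_table([], GLOBAL_MAPPINGS)
    out = translate_links('<img src="http://ronsbox2/x.jpg">', table)
    return out == '<img src="http://www.contoso.com2/x.jpg">'


if __name__ == "__main__":
    print(translated_portal_body())
```

Running the block prints the portal page with the three internal links rewritten to portal.contoso.com, web1.contoso.com and www.contoso.com, while the link to server10, which has no publishing rule, is left unchanged. trailing_slash_matters() shows why the automatic mappings end in a slash: plain prefix replacement with a slash-less key such as the lab's http://ronsbox also touches any host that starts with the same characters.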
Exercise 5
Publishing a Web Farm for Load Balancing
In this exercise, you will publish two Web servers (10.1.1.21 and 10.1.1.22) as a Web farm.
ISA Server load balances Web requests to servers in a Web farm.

The exercise uses both Cookie-Based Load Balancing and Source-IP Based Load Balancing.

Note: This exercise applies to new functionality in ISA Server 2006.

Tasks Detailed steps


 Note: This lab exercise uses the following computers: Denver - Paris - Istanbul
Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.
 Perform the following steps on the Paris computer.

1. On the Paris computer, create a new Web listener (if this is not done already).
Name: External Web 80
SSL: disable
Network: External
Compression: disable
Authentication: none
a. On the Paris computer, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.
 The ISA Server console opens.
b. In the ISA Server console, expand Paris, and then select Firewall Policy.
c. In the task pane, on the Toolbox tab, in the Network Objects section, expand Web Listeners (if possible).
 Note: If a Web Listener named External Web 80 is already created in an earlier exercise, then you can skip the rest of this task.
d. If a Web Listener named External Web 80 does not exist, then right-click Web Listeners, and then click New Web Listener.
e. In the New Web Listener Definition Wizard dialog box, in the
Web listener name text box, type External Web 80, and then click Next.
f. On the Client Connection Security page, select
Do not require SSL secured connections with clients, and then click Next.
g. On the Web Listener IP Addresses page, complete the following
information:
  Listen on network: External
  ISA Server will compress content: disable
and then click Next.
h. On the Authentication Settings page, in the drop-down list box, select
No Authentication, and then click Next.
i. On the Single Sign On Settings page, click Next.
j. On the Completing the New Web Listener Wizard page, click Finish.
 A new Web listener (port 80 on the IP address on the adapter on
the External network) with the name External Web 80 is created.
2. Create a new Server Farm network element.
Name: Shop Web Servers
Addresses:
- 10.1.1.21
- 10.1.1.22
Monitoring: http://*/
a. In the task pane, on the Toolbox tab, in the Network Objects section, right-click Server Farms, and then click New Server Farm.
 The New Server Farm Definition Wizard opens.
b. In the New Server Farm Definition Wizard dialog box, in the Server farm name text box, type Shop Web Servers, and then click Next.
c. On the Servers page, click Add.
d. In the Server Details dialog box, complete the following information:
  Computer name or IP address: 10.1.1.21
  Description: Shopping Web Server 1
and then click OK.
e. On the Servers page, click Add again.
f. In the Server Details dialog box, complete the following information:
  Computer name or IP address: 10.1.1.22
  Description: Shopping Web Server 2
and then click OK.
 Note: The Denver computer runs two Web sites at addresses
10.1.1.21 and 10.1.1.22.
g. On the Servers page, click Next.
h. On the Server Farm Connectivity Monitoring page, complete the
following information:
  Send an HTTP/HTTPS GET request: enable (is default)
  Current URL: http://*/ (is default)
and then click Next.
 ISA Server will monitor the connectivity to the servers in the
Shop Web Servers farm by connecting to each of the Web servers (using GET
http://10.1.1.21/, and GET http://10.1.1.22/) every 30 seconds.
i. On the Completing the New Server Farm Wizard page, click Finish.
j. In the HTTP Connectivity Verification dialog box, click Yes to confirm
that you want the connectivity verifiers system policy to be enabled.
 The wizard enables system policy 19 to allow the HTTP GET
request from the ISA Server to the Web servers in the Shop Web Servers farm.
3. Create a new Web publishing rule.
Name: Sales Web Site
Type: Publish server farm
Internal name: store.contoso.com/shop
Server farm: Shop Web Servers
Load balance mechanism: Cookie-based
Public name: www.contoso.com/shop
Web listener: External Web 80
Delegation: none
a. In the right pane, select the first rule, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.
b. In the task pane, on the Tasks tab, click Publish Web Sites.
c. In the New Publishing Rule Wizard dialog box, in the Web publishing rule name text box, type Sales Web Site, and then click Next.
d. On the Select Rule Action page, select Allow, and then click Next.
 The Publishing Type page has three choices:
  Publish a single Web site - You create a single rule for a single Web site.
  Publish a server farm - You create a single rule for multiple Web sites with identical content. ISA Server load balances requests.
  Publish multiple Web sites - You create a separate rule for each published Web site with only a single run of the wizard.
e. On the Publishing Type page, select Publish a server farm of load balanced Web servers, and then click Next.
f. On the Server Connection Security page, select Use non-secured connections to connect to the published Web server or server farm, and then click Next.
g. On the Internal Publishing Details page, in the Internal site name text box, type store.contoso.com, and then click Next.
 Note: When you publish a server farm, ISA Server does not use the internal site name (store.contoso.com) to find the published servers. Instead, later in the wizard you specify the Server Farm network element, which lists the addresses of the servers in the farm. The internal site name is used as host header when connecting to the farm servers, and it is used in automatic Link Translation mappings.
h. On the next Internal Publishing Details page, complete the following
information:
  Path: shop/*
  Forward the original host header: disable (default)
and then click Next.
i. On the Specify Server Farm page, complete the following information:
  Select the server farm (drop-down list box): Shop Web Servers
  Cookie-based Load Balancing: enable (is default)
and then click Next.
 ISA Server can use two different methods to load balance requests to
the servers in the farm:
  Cookie-based Load Balancing - ISA Server uses round-robin to distribute
new connections to the Web servers. It sends a temporary session cookie to
each client that connects, so that client session affinity to the selected Web
server is maintained.
  Source-IP based Load Balancing - ISA Server uses a hash value of the
client's IP address to distribute connections to the Web servers. All requests
from the same client IP address go to the same Web server.
 Note: For load balancing Outlook Web Access or SharePoint
access, both of which use Internet Explorer, the Cookie-based Load Balancing
is the recommended solution. For load balancing Outlook RPC over HTTP
access, you need to use Source-IP based Load Balancing. Outlook cannot work
with HTTP cookies.
j. On the Public Name Details page, complete the following information:
  Accept request for: This domain name (type below)
  Public name: www.contoso.com
  Path (optional): /shop/* (automatic)
and then click Next.
k. On the Select Web Listener page, in the Web listener drop-down list
box, select External Web 80, and then click Next.
l. On the Authentication Delegation page, in the drop-down list box, select
No delegation, and client cannot authenticate directly, and then click Next.
m. On the User Sets page, click Next.
n. On the Completing the New Web Publishing Rule Wizard page, click
Finish.
 A new Web publishing rule named Sales Web Site is created. The
icon with the four small servers indicates that this rule publishes a server farm.
4. Apply the changes. a. Click Apply to apply the changes, and then click OK.
5. Examine the connectivity verifiers for the Shop Web Servers farm.
a. In the ISA Server console, in the left pane, select Monitoring.
b. In the right pane, select the Connectivity Verifiers tab.
 Note: You may (temporarily) need to close the task pane in order to
see the Connectivity Verifiers tab.
c. Right-click the first Farm: Shop Web Servers connectivity verifier, and
then click Properties.
d. In the Farm: Shop Web Servers Properties dialog box, select the
Connectivity Verification tab.
 Every 30 seconds, ISA Server connects to the published Web
servers (using GET http://10.1.1.21/, and GET http://10.1.1.22/). If the Web
server responds with HTTP code 200 (OK) within 5 seconds, ISA Server
considers the Web server to be available, and load balances requests to the
Web server.
 Note: For the GET http://*/ request to succeed, the Web server
must accept anonymous access to the root, and must have a default document
available. Otherwise, the connectivity verifier fails to connect.
e. Click Cancel to close the Farm: Shop Web Servers Properties dialog
box.
 When the Web servers are available, the connectivity verifier icon
contains a green check mark, and the Result column displays the observed
response time.
 Perform the following steps on the Istanbul computer.

6. On the Istanbul computer, use Internet Explorer to connect to http://www.contoso.com/shop/web.asp.
a. On the Istanbul computer, open Internet Explorer. In the Address box, type http://www.contoso.com/shop/web.asp, and then press Enter.
 Internet Explorer displays the web.asp page from Web server 10.1.1.21 (Server1). The client did not include a cookie in the Web request.
 Note: Due to the round-robin nature of the Cookie-based Load
Balancing, and depending on earlier Web requests that you may have done, it
is possible that the Web page in this task is returned from 10.1.1.22. In that
case, close the Internet Explorer window, and connect to the Web address
again.
b. On the toolbar, click the Refresh button to refresh the content of the
Web page.
 The same Web server handles the Web request. For the second and
the subsequent requests, the client includes the session cookie (starting with
ISAWPLB), which it received in the response of the first request. The cookie
text contains a Global Unique Identifier (GUID) that ISA Server uses to
identify which Web server it should send the Web request to. This ensures the
session affinity with the same Web server. (ISAWPLB stands for ISA Web
Publishing Load Balancing.)
 Note: In the response, ISA Server also forwards an ASP Session
cookie from the Web server to the client computer.
7. Create two new Internet Explorer sessions, and connect to http://www.contoso.com/shop/web.asp.
a. On the Start menu, click All Programs, and then click Internet Explorer.
 A second Internet Explorer window opens.
b. In Internet Explorer, in the Address box, type
http://www.contoso.com/shop/web.asp, and then press Enter.
 The new Web request does not contain a session cookie. Therefore
ISA Server forwards the request to the other Web server 10.1.1.22 (Server2),
and includes a new cookie in the response.
c. On the toolbar, click the Refresh button to refresh the content of the
Web page.
 The second Internet Explorer session uses a different cookie.
d. On the Start menu, click All Programs, and then click
Internet Explorer again.
 A third Internet Explorer window opens.
e. In Internet Explorer, in the Address box, type
http://www.contoso.com/shop/web.asp, and then press Enter.
 ISA Server load balances the third session to Web server 10.1.1.21
(Server1) again.
 Perform the following steps on the Denver computer.

8. On the Denver computer, stop the Server1 Web Site to simulate a connectivity problem with the Web server on 10.1.1.21.
a. On the Denver computer, on the Start menu, click Administrative Tools, and then click Internet Information Services (IIS) Manager.
 The IIS Manager console opens.
b. In the IIS Manager console, expand DENVER (local computer),
expand Web Sites, and then select Server1 Web Site.
c. Right-click Server1 Web Site, and then click Properties.
 Notice that Server1 Web Site is listening on IP address 10.1.1.21.
d. Click Cancel to close the Server1 Web Site Properties dialog box.
e. Right-click Server1 Web Site, and then click Stop.
 The Web site at 10.1.1.21 is no longer responding to Web requests.
 Perform the following steps on the Istanbul computer.

9. On the Istanbul computer, attempt to refresh the content of the Web pages that were from 10.1.1.21 (Server1).
a. On the Istanbul computer, switch to one of the Internet Explorer windows that currently displays the web.asp page from 10.1.1.21 (Server1).
b. On the toolbar, click the Refresh button to refresh the content of the Web page.
 Internet Explorer displays an error message: Bad request (invalid
hostname).
c. Wait 20 seconds, and then on the toolbar, click the Refresh button
again.
 Internet Explorer displays the web.asp page from 10.1.1.22
(Server2). ISA Server has forwarded the Web request to the remaining Web
server in the farm.
 Note: Because ISA Server checks the connectivity to the 10.1.1.21
Web server every 30 seconds, and then waits for the timeout for another
5 seconds, on average it takes 15+5 seconds after the Web server is no longer
available, before ISA Server forwards all the Web requests to the other Web
server. Due to the way http.sys works on the Denver computer, it still returned a
response (Bad request) when connecting to 10.1.1.21.
d. Switch to the other Internet Explorer window that displays the web.asp
page from 10.1.1.21 (Server1).
e. On the toolbar, click the Refresh button.
 Internet Explorer immediately displays the web.asp page from
10.1.1.22 (Server2).
 Perform the following steps on the Paris computer.

10. On the Paris computer, examine the connectivity verifier and the alert for the connection to 10.1.1.21.
a. On the Paris computer, in the ISA Server console, in the left pane, select Monitoring.
b. In the right pane, select the Connectivity Verifiers tab.
 Notice that the icon for the connectivity verifier to 10.1.1.21
contains a red mark, indicating a connectivity issue.
c. In the right pane, select the Alerts tab.
d. In the task pane, on the Tasks tab, click Refresh Now.
e. In the right pane, expand the No Connectivity alert, and then select the
lower No Connectivity line.
 The alert information describes that the connection to 10.1.1.21
failed.
f. Right-click the lower No Connectivity line, and then click Reset.
g. Click Yes to confirm that you want to reset the No Connectivity alert.
 Perform the following steps on the Denver computer.

11. On the Denver computer, start the Server1 Web Site.
a. On the Denver computer, in the IIS Manager console, right-click Server1 Web Site, and then click Start.
 The Web site at 10.1.1.21 is available again.
 Perform the following steps on the Istanbul computer.

12. On the Istanbul computer, refresh the Web page from 10.1.1.22, and create a new connection to http://www.contoso.com/shop/web.asp.
a. On the Istanbul computer, switch to any of the Internet Explorer windows that currently displays the web.asp page from 10.1.1.22 (Server2).
b. On the toolbar, click the Refresh button to refresh the content of the Web page.
 ISA Server continues to forward the Web requests to 10.1.1.22 (Server2), even though 10.1.1.21 is available again. All current sessions already use a cookie that contains the GUID of Server2, and will stay on this Web server. This is referred to as client stickiness.
c. On the Start menu, click All Programs, and then click
Internet Explorer.
 A new Internet Explorer session opens.
d. Wait 20 seconds, and then in Internet Explorer, in the Address box, type
http://www.contoso.com/shop/web.asp, and press Enter.
 Internet Explorer displays the web.asp page from 10.1.1.21
(Server1). ISA Server load balances all new connections.
 Note: It may take 30+5 seconds before ISA Server detects that the
Web server at 10.1.1.21 is available again. If the web.asp page is returned from
10.1.1.22, then close the Internet Explorer window, wait a few seconds, and try
again.
e. Close all Internet Explorer windows.
 Perform the following steps on the Paris computer.

13. On the Paris computer, change the load balancing mechanism for the Sales Web Site rule to Source-IP based.
a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
b. In the right pane, right-click the Sales Web Site rule, and then click Properties.
c. In the Sales Web Site Properties dialog box, on the Web Farm tab, in
the Load Balancing Mechanism section, select Source-IP based.
 ISA Server will no longer send cookies to manage load balancing
Web requests, but will use a hash of the source IP address instead.
d. Click OK to close the Sales Web Site Properties dialog box.
14. Apply the changes. a. Click Apply to apply the changes, and then click OK.
 Perform the following steps on the Istanbul computer.

15. On the Istanbul computer, create two new Internet Explorer sessions, and connect to http://www.contoso.com/shop/web.asp.
a. On the Istanbul computer, on the Start menu, click All Programs, and then click Internet Explorer.
b. In Internet Explorer, in the Address box, type http://www.contoso.com/shop/web.asp, and then press Enter.
 Internet Explorer displays the web.asp page from Web server
10.1.1.22 (Server2).
c. On the toolbar, click the Refresh button to refresh the content of the
Web page.
 In the response to the first Web request, ISA Server did not include
an ISAWPLB cookie, but instead only forwarded the ASP Session cookie that
the Web server provides.
d. On the Start menu, click All Programs, and then click
Internet Explorer.
 A second Internet Explorer window opens.
e. In Internet Explorer, in the Address box, type
http://www.contoso.com/shop/web.asp, and then press Enter.
 The new Web request is also handled by the same Web server
10.1.1.22 (Server2). Unlike cookie-based load balancing, ISA Server does not
round-robin the Web requests to the Web servers, but uses the hash of the
client IP address (39.1.1.7). All Web requests from the Istanbul computer will
go to the same Web server.
 Perform the following steps on the Denver computer.

16. On the Denver computer, stop the Server2 Web Site to simulate a connectivity problem with the Web server on 10.1.1.22.
a. On the Denver computer, in the IIS Manager console, right-click Server2 Web Site, and then click Stop.
 The Web site at 10.1.1.22 is no longer responding to Web requests.
 Perform the following steps on the Istanbul computer.

17. On the Istanbul computer, attempt to refresh the content of the Web page that was from 10.1.1.22 (Server2).
a. On the Istanbul computer, switch to one of the Internet Explorer windows that currently displays the web.asp page from 10.1.1.22 (Server2).
b. On the toolbar, click the Refresh button to refresh the content of the Web page.
 Internet Explorer displays an error message: Bad request (invalid
hostname).
c. Wait 20 seconds, and then on the toolbar, click the Refresh button
again.
 Internet Explorer displays the web.asp page from 10.1.1.21
(Server1). ISA Server has forwarded the Web request to the remaining Web
server in the farm.
 Perform the following steps on the Denver computer.

18. On the Denver computer, start the Server2 Web Site.
a. On the Denver computer, in the IIS Manager console, right-click Server2 Web Site, and then click Start.
 The Web site at 10.1.1.22 is available again.
b. Close the IIS Manager console.
 Perform the following steps on the Istanbul computer.

19. On the Istanbul computer, attempt to refresh the content of the Web page that was from 10.1.1.21 (Server1).
a. On the Istanbul computer, switch to the Internet Explorer window that currently displays the web.asp page from 10.1.1.21 (Server1).
b. On the toolbar, click the Refresh button to refresh the content of the Web page.
 ISA Server may still forward the Web request to 10.1.1.21.
 After an average of 20 seconds, the connectivity verifier on ISA
Server detects that Web server 10.1.1.22 is available again.
c. Wait 20 seconds, and then on the toolbar, click the Refresh button
again.
 Internet Explorer displays the web.asp page from 10.1.1.22
(Server2).
 Note: With cookie-based load balancing, ISA Server continues to
forward requests to the same Web server, after the original Web server is
available again - called client stickiness.
With source-IP based load balancing, ISA Server falls back to forwarding Web
requests to the original Web server. There is no client stickiness.
d. Close all Internet Explorer windows.
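The behaviour observed in tasks 6 through 19 (round-robin with an ISAWPLB affinity cookie, failover driven by the connectivity verifier from task 5, client stickiness after recovery, and the contrasting fallback of source-IP hashing) can be reproduced in a small simulation. The Python below is an added example and is not ISA Server code or part of the lab manual. The server addresses, the ISAWPLB cookie name, the 30-second probe interval and 5-second timeout, the 400 Bad request answer of the stopped site and the client address 39.1.1.7 come from the lab; the crc32 hash of the client address, the uuid4 GUIDs and the round-robin bookkeeping are assumptions of the simulation, so which farm server the source-IP hash selects for 39.1.1.7 need not match what the lab observed.

```python
"""Simulation of the two Web farm load balancing mechanisms from Exercise 5.

Added example, not ISA Server code. Server addresses, the ISAWPLB cookie name,
the 30 s / 5 s connectivity verifier timings and the client address 39.1.1.7
come from the lab; the crc32 hash, the uuid4 GUIDs and the round-robin
bookkeeping are assumptions of this simulation.
"""
import uuid
import zlib

COOKIE_NAME = "ISAWPLB"  # ISA Web Publishing Load Balancing session cookie
VERIFY_TIMEOUT_S = 5     # probe runs every 30 s; a 200 must arrive within 5 s


class WebFarm:
    """mechanism is "cookie" or "source-ip". route() returns a pair:
    (server address, ISAWPLB value issued with the response, or None)."""

    def __init__(self, addresses, mechanism="cookie"):
        self.servers = list(addresses)
        self.available = {a: True for a in addresses}  # kept by the verifier
        self.mechanism = mechanism
        self._next = 0             # round-robin position
        self._guid_to_server = {}  # GUIDs this farm has issued

    def verify_connectivity(self, probe):
        """One verifier pass: probe(address) stands in for GET http://<address>/
        and returns (status code, seconds). Only a 200 within the timeout counts."""
        for a in self.servers:
            status, seconds = probe(a)
            self.available[a] = status == 200 and seconds <= VERIFY_TIMEOUT_S

    def _up(self):
        return [a for a in self.servers if self.available[a]]

    def route(self, client_ip, cookies=None):
        if not self._up():
            raise RuntimeError("no server in the farm is available")
        if self.mechanism == "cookie":
            return self._route_cookie(cookies or {})
        return self._route_source_ip(client_ip), None

    def _route_cookie(self, cookies):
        target = self._guid_to_server.get(cookies.get(COOKIE_NAME, ""))
        if target is not None and self.available[target]:
            return target, None  # session affinity: stay on that server
        # No cookie, a GUID this farm never issued, or a cookie for a server that
        # is down: take the next available server round-robin and issue a new
        # cookie. An unknown GUID is deliberately treated like no cookie at all.
        up = self._up()
        target = up[self._next % len(up)]
        self._next += 1
        guid = str(uuid.uuid4())
        self._guid_to_server[guid] = target
        return target, guid

    def _route_source_ip(self, client_ip):
        # Hash over the whole farm so each client has a stable preferred server;
        # while that one is down, walk to the next available one. The hash is
        # recomputed per request, so the client returns as soon as it recovers.
        n = len(self.servers)
        start = zlib.crc32(client_ip.encode()) % n
        for i in range(n):
            candidate = self.servers[(start + i) % n]
            if self.available[candidate]:
                return candidate
        raise RuntimeError("unreachable: route() checked availability")


ISTANBUL = "39.1.1.7"


def only_up(address_up):
    """Probe in which every server except address_up answers 400 Bad request,
    as the stopped IIS site on Denver did in task 9. "*" means all servers up."""
    return lambda a: (200, 0.01) if address_up in ("*", a) else (400, 0.01)


def cookie_scenario():
    """Tasks 6 to 12 of Exercise 5; returns the server that handled each request."""
    farm = WebFarm(["10.1.1.21", "10.1.1.22"], "cookie")
    s1, c1 = farm.route(ISTANBUL)                       # first IE session, no cookie
    s1b, _ = farm.route(ISTANBUL, {COOKIE_NAME: c1})    # refresh: same server
    s2, _ = farm.route(ISTANBUL)                        # second IE session
    s3, _ = farm.route(ISTANBUL)                        # third IE session
    farm.verify_connectivity(only_up("10.1.1.22"))      # Server1 Web Site stopped
    s1c, c1c = farm.route(ISTANBUL, {COOKIE_NAME: c1})  # moved over, new cookie issued
    farm.verify_connectivity(only_up("*"))              # Server1 Web Site started again
    s1d, _ = farm.route(ISTANBUL, {COOKIE_NAME: c1c})   # stays put: client stickiness
    return [s1, s1b, s2, s3, s1c, s1d]


def source_ip_scenario():
    """Tasks 15 to 19; returns (first, second session, during outage,
    after recovery, cookie issued with the first response)."""
    farm = WebFarm(["10.1.1.21", "10.1.1.22"], "source-ip")
    first, cookie = farm.route(ISTANBUL)
    second, _ = farm.route(ISTANBUL)                    # new session, same server
    other = next(a for a in farm.servers if a != first)
    farm.verify_connectivity(only_up(other))            # preferred server stopped
    during_outage, _ = farm.route(ISTANBUL)
    farm.verify_connectivity(only_up("*"))              # preferred server back
    after_recovery, _ = farm.route(ISTANBUL)            # falls back: no stickiness
    return first, second, during_outage, after_recovery, cookie
```

cookie_scenario() yields 10.1.1.21, 10.1.1.21, 10.1.1.22, 10.1.1.21, 10.1.1.22, 10.1.1.22: the first session is re-balanced with a fresh cookie once the verifier marks Server1 down, and then stays on Server2 after Server1 returns, which is the stickiness of task 12. source_ip_scenario() issues no ISAWPLB cookie, keeps both sessions on the hashed server, moves them during the outage and returns them as soon as the preferred server is available again, as in task 19. Two points the model makes explicit: the cookie is only an opaque handle for a GUID the farm itself issued, so an unrecognised value is simply re-balanced, and failover is never faster than one probe interval plus the timeout, which is the 15+5 seconds quoted in task 9.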
 Note: The following tasks are needed to avoid conflicts with other lab exercises.

 Perform the following steps on the Paris computer.

20. On the Paris computer, delete the Sales Web Site rule, and delete the Shop Web Servers farm.
a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
b. In the right pane, right-click the Sales Web Site rule, and then click Delete.
c. Click Yes to confirm that you want to delete Sales Web Site.
 The Sales Web Site rule is deleted.
d. In the task pane, on the Toolbox tab, in the Network Objects section,
expand Server Farms.
e. Under Server Farms, right-click Shop Web Servers, and then click
Delete.
f. Click Yes to confirm that you want to delete Shop Web Servers.
 The Shop Web Servers farm and the two related connectivity
verifiers are deleted.
21. Apply the changes. a. Click Apply to apply the changes, and then click OK.
52 Lab Summary

Exercise 6
Publishing Multiple Terminal Servers
In this exercise, you will configure ISA Server to publish a terminal server (remote desktop)
on the Internal network and publish a terminal server on the ISA Server computer.

Tasks Detailed steps


 Note: This lab exercise uses the following computers: Denver - Paris - Istanbul
Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.
 Perform the following steps on the Denver computer.

1. On the Denver computer, a. On the Denver computer, on the Start menu, click Control Panel, and
use System properties to enable then click System.
remote desktop. b. In the System Properties dialog box, on the Remote tab, enable
Enable Remote Desktop on this computer.
c. Click OK to acknowledge that remote connection accounts must have
passwords, and that the correct port must be open for remote connections.
 Note: Terminal Services (Remote Desktop) uses TCP port 3389.
d. Click OK to close the System Properties dialog box.
 Perform the following steps on the Paris computer.

2. On the Paris computer, a. On the Paris computer, in the ISA Server console, in the left pane, select
create a server publishing rule: Firewall Policy.
b. In the right pane, select the first rule, or select Default rule if no other
Name: rule exists, to indicate where the new rule is added to the rule list.
Publish RDP (on Denver)
c. In the task pane, on the Tasks tab, click
Publish Non-Web Server Protocols.
Server: 10.1.1.5
 The New Server Publishing Rule Wizard opens.
Protocols: RDP (Terminal d. In the New Server Publishing Rule Wizard dialog box, in the
Services) Server Server publishing rule name text box, type Publish RDP (on Denver), and
then click Next.
e. On the Select Server page, in the Server IP address text box, type
10.1.1.5, and then click Next.
f. On the Select Protocol page, in the Selected protocol drop-down list
box, select RDP (Terminal Services) Server, and then click Next.
g. On the Network Listener IP Addresses page, select External, and then
click Next.
h. On the Completing the New Server Publishing Rule Wizard page, click
Finish.
 A new server publishing rule is created that publishes RDP
(TCP port 3389) on 10.1.1.5 (Denver) on the External network.
i. Click Apply to apply the new rule, and then click OK.
3. Use the a. Open a Command Prompt window.
C:\Tools\fwengmon  /C command b. At the command prompt, type netstat  -ano  |  find  ":3389", and then
to examine the active creation press Enter.
objects.
 The output of the command shows that currently no process has
registered with the TCP driver to listen on port 3389.
 Notice that creating a Server Publishing rule does NOT cause the
TCP driver or UDP driver to listen on the specific port. Only the ISA Server
Module H: Configuring Load Balancing 53

kernel-mode firewall engine listens to the port. This makes it very easy to
publish services that run on the ISA Server itself.
 Note: Creating a Web Publishing rule does cause the TCP driver to
listen on the Web listener port (for example port 80).
c. Type cd  \tools, and then press Enter.
d. Type fwengmon  /?, and then press Enter.
 The Firewall Kernel Mode Tool (fwengmon.exe) is a tool you can
use to analyze and troubleshoot firewall connectivity by monitoring the ISA
Server kernel-mode firewall engine.
 You can download the tool from
www.microsoft.com/isaserver/downloads.
e. Type fwengmon  /C, and then press Enter.
 The output lists the table of active creation objects in the firewall
engine. A creation object represents acceptable network traffic that causes ISA
Server to create a new connection.
 The creation object with Destination 39.1.1.1:3389 is created by
the Publish RDP (on Denver) server publishing rule. In other words, not the
TCP driver, but the kernel-mode firewall engine listens on TCP port 3389.
f. Do not close the Command Prompt window.
 Perform the following steps on the Istanbul computer.

4. On the Istanbul computer, create a remote desktop connection to 39.1.1.1 (Paris).
a. On the Istanbul computer, on the Start menu, click All Programs, click Accessories, click Communications, and then right-click Remote Desktop Connection, and click Pin to Start menu.
    Remote Desktop Connection on Istanbul is used multiple times in this exercise. For ease of use, Remote Desktop Connection is now added to the main Start menu list.
b. On the Start menu, click Remote Desktop Connection.
c. In the Remote Desktop Connection dialog box, in the Computer text box, type 39.1.1.1, and then click Connect.
    39.1.1.1 is the external IP address of Paris.
    The Log On dialog box of Denver appears.
d. In the Log On to Windows dialog box, complete the following information:
   - User name: Administrator
   - Password: password
   and then click OK.
    You can successfully log on to Denver through a remote desktop connection.
5. Use the netstat command to examine the client IP address of the remote desktop connection.
a. In the remote desktop connection to Denver, open a Command Prompt window.
b. At the command prompt, type netstat -ano | find ":3389", and then press Enter.
    The output shows that Istanbul (39.1.1.7) has established a remote desktop connection to Denver (10.1.1.5).
c. Close the Command Prompt window.
6. Log off the remote desktop connection.
a. In the remote desktop connection to Denver, on the Start menu, click Log Off.
b. Click Log Off to confirm that you are sure you want to log off.
    The remote desktop connection is reset. The Istanbul desktop appears again.

Perform the following steps on the Paris computer.

7. On the Paris computer, change the Publish RDP (on Denver) rule:
   Requests appear to come from: ISA Server computer
a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
b. In the right pane, right-click Publish RDP (on Denver), and then click Properties.
c. In the Publish RDP (on Denver) Properties dialog box, on the To tab, select Requests appear to come from the ISA Server computer.
    For each Web Publishing rule (default: appear to come from the ISA Server computer) and Server Publishing rule (default: appear to come from the original client), you can specify how ISA Server forwards requests to published servers.
    Specifying how requests are forwarded to published servers is especially important in network load balancing (NLB) scenarios where return network traffic must go back through the same ISA Server.
d. Click OK to close the Publish RDP (on Denver) Properties dialog box.
e. Click Apply to save the changes, and then click OK.

Perform the following steps on the Istanbul computer.

8. On the Istanbul computer, create a remote desktop connection to 39.1.1.1 (Paris).
a. On the Istanbul computer, on the Start menu, click Remote Desktop Connection.
b. In the Remote Desktop Connection dialog box, in the Computer text box, type 39.1.1.1, and then click Connect.
    The Log On dialog box of Denver appears.
c. In the Log On to Windows dialog box, complete the following information:
   - User name: Administrator
   - Password: password
   and then click OK.
9. Use the netstat command to examine the client IP address of the remote desktop connection.
a. In the remote desktop connection to Denver, open a Command Prompt window.
b. At the command prompt, type netstat -ano | find ":3389", and then press Enter.
    The output shows that the remote desktop connection to Denver (10.1.1.5) is now coming from IP address 10.1.1.1 (Internal network address of Paris).
c. Close the Command Prompt window.
10. Log off the remote desktop connection.
a. In the remote desktop connection to Denver, on the Start menu, click Log Off.
b. Click Log Off to confirm that you are sure you want to log off.
    The remote desktop connection is reset. The Istanbul desktop appears again.

Perform the following steps on the Paris computer.

11. On the Paris computer, change the Publish RDP (on Denver) rule:
   Publish on port: 3390
a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
b. In the right pane, right-click Publish RDP (on Denver), and then click Properties.
c. In the Publish RDP (on Denver) Properties dialog box, on the Traffic tab, click Ports.
d. In the Ports dialog box, complete the following information:
   - Publish on this port instead of the default port: 3390
   and then click OK.
    Both Web Publishing rules and Server Publishing rules can redirect traffic from one port number to another port number on the published server.
e. Click OK to close the Publish RDP (on Denver) Properties dialog box.
    The server publishing rule now redirects RDP network traffic on 39.1.1.1 port 3390 to 10.1.1.5 port 3389.
f. Click Apply to save the changes, and then click OK.
12. Use the C:\Tools\fwengmon /C command to examine the active creation objects.
a. In a Command Prompt window in the C:\Tools folder, type fwengmon /C, and then press Enter.
    The firewall engine listens on IP address 39.1.1.1 port 3390.

Perform the following steps on the Istanbul computer.

13. On the Istanbul computer, create a remote desktop connection to 39.1.1.1:3390 (Paris).
a. On the Istanbul computer, on the Start menu, click Remote Desktop Connection.
b. In the Remote Desktop Connection dialog box, in the Computer text box, type 39.1.1.1:3390, and then click Connect.
    The Log On dialog box of Denver appears.
    This result confirms that you successfully published the remote desktop of Denver (port 3389) on the External network of Paris (port 3390).
c. Click Cancel to close the Log On to Windows dialog box.
    The Istanbul desktop appears again.
d. Click Close to close the Remote Desktop Connection dialog box.

Perform the following steps on the Paris computer.

14. On the Paris computer, use System properties to enable remote desktop.
a. On the Paris computer, on the Start menu, click Control Panel, and then click System.
b. In the System Properties dialog box, on the Remote tab, enable Enable Remote Desktop on this computer.
c. Click OK to acknowledge that remote connection accounts must have passwords, and that the correct port must be open for remote connections.
d. Click OK to close the System Properties dialog box.
15. Use the netstat command, and the C:\Tools\fwengmon /C command to examine the effect of enabling remote desktop.
a. In a Command Prompt window, type netstat -ano | find ":3389", and then press Enter.
    The output of the command shows that the process with process ID nnnn (last column) on Paris listens on all IP addresses (indicated by 0.0.0.0) on port 3389.
b. At the command prompt, type tasklist /svc | find "nnnn", and then press Enter. (Replace nnnn with the actual process ID displayed in the output of the previous step.)
    The output of the command shows that the process with process ID nnnn has image name svchost.exe, and hosts the Terminal Services service (TermService).
    Note: By default the Terminal Services service listens on all IP addresses on port 3389. This includes the external IP address on Paris (39.1.1.1). However, this does not mean that the firewall engine currently allows incoming network traffic on the External network on port 3389.
c. At the command prompt, in the C:\Tools folder, type fwengmon /C, and then press Enter.
    The firewall engine does not listen on IP address 39.1.1.1 port 3389.
16. Create a server publishing rule:
   Name: Publish RDP (on Paris)
   Server: 10.1.1.1
   Protocols: RDP (Terminal Services) Server
a. In the ISA Server console, in the left pane, select Firewall Policy.
b. In the right pane, select the first rule to indicate where the new rule is added to the rule list.
c. In the task pane, on the Tasks tab, click Publish Non-Web Server Protocols.
    The New Server Publishing Rule Wizard opens.
d. In the New Server Publishing Rule Wizard dialog box, in the Server publishing rule name text box, type Publish RDP (on Paris), and then click Next.
e. On the Select Server page, in the Server IP address text box, type 10.1.1.1, and then click Next.
f. On the Select Protocol page, in the Selected protocol drop-down list box, select RDP (Terminal Services) Server, and then click Next.
g. On the Network Listener IP Addresses page, select External, and then click Next.
h. On the Completing the New Server Publishing Rule Wizard page, click Finish.
    A new server publishing rule is created that publishes RDP (TCP port 3389) on 10.1.1.1 (Internal network of Paris) on the External network.
i. Click Apply to apply the new rule, and then click OK.
17. Use the netstat command, and the C:\Tools\fwengmon /C command to examine the effect of enabling remote desktop.
a. In a Command Prompt window, type netstat -ano | find ":3389", and then press Enter.
    The Terminal Services service listens on all IP addresses (including 39.1.1.1) on port 3389.
b. At the command prompt, in the C:\Tools folder, type fwengmon /C, and then press Enter.
    The firewall engine listens on IP address 39.1.1.1 port 3389.
    Note: Even though the TCP driver registers the Terminal Services service to listen on 39.1.1.1 port 3389, the firewall engine intercepts and inspects the network traffic before it is forwarded to the registered service. This is called "port stealing".
    Port stealing allows you to publish a service that runs on the ISA Server computer without any special configuration of the service itself. This avoids having to disable socket pooling, configure the service to listen only on the IP address on the Internal network, or listen on an alternate port. This is especially useful for small business scenarios. (However, this does not apply to Web Publishing rules.)
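The checks that steps 3, 15 and 17 perform by hand, as an added Python example (not from the lab and not ISA Server code): it parses netstat -ano and tasklist /svc output to report which process and service listen on a port and whether the binding is 0.0.0.0, which covers the external address as well. The two command outputs and the process ID 1234 are constructed; fwengmon /C output is not parsed because the lab does not show its format.

```python
import re

# Constructed sample of `netstat -ano` on Paris after Remote Desktop was enabled.
# The PIDs are made up; the 0.0.0.0 binding on 3389 is the point of step 15.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       896
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1234
  TCP    10.1.1.1:139           0.0.0.0:0              LISTENING       4
  TCP    39.1.1.1:3389          39.1.1.7:1045          ESTABLISHED     1234
  UDP    0.0.0.0:500            *:*                                    712
"""

# Constructed sample of `tasklist /svc` on the same computer.
TASKLIST_SAMPLE = """
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
lsass.exe                      712 PolicyAgent, ProtectedStorage, SamSs
svchost.exe                    896 RpcSs
svchost.exe                   1234 TermService
"""

# proto, local address, local port, foreign address, optional state, PID
NETSTAT_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:(\w+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Returns one dict per netstat row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, addr, port, foreign, state, pid = m.groups()
            rows.append({"proto": proto, "addr": addr, "port": int(port),
                         "foreign": foreign, "state": state, "pid": int(pid)})
    return rows


def parse_tasklist(text):
    """Maps PID -> (image name, [service names]) from tasklist /svc output.
    Continuation lines (indented, no PID) are ignored."""
    procs = {}
    for line in text.splitlines():
        m = re.match(r"^(\S.*?)\s+(\d+)\s+(.+?)\s*$", line)
        if not m:
            continue
        image, pid, services = m.groups()
        names = [] if services == "N/A" else [s.strip() for s in services.split(",")]
        procs[int(pid)] = (image, names)
    return procs


def listeners_on_port(netstat_text, tasklist_text, port):
    """Processes that have registered with the TCP driver to listen on `port`,
    joined with the service each one hosts, plus whether the bind is 0.0.0.0."""
    procs = parse_tasklist(tasklist_text)
    hits = []
    for row in parse_netstat(netstat_text):
        if row["proto"] != "TCP" or row["port"] != port or row["state"] != "LISTENING":
            continue
        image, services = procs.get(row["pid"], ("<unknown>", []))
        hits.append({"pid": row["pid"], "image": image, "services": services,
                     "bind": row["addr"],
                     "all_interfaces": row["addr"] in ("0.0.0.0", "[::]")})
    return hits


def describe(port, netstat_text, tasklist_text):
    """One line per listener, in the terms the lab uses."""
    hits = listeners_on_port(netstat_text, tasklist_text, port)
    if not hits:
        # Nothing registered with the TCP driver: a server publishing rule alone
        # leaves it this way, only the kernel-mode firewall engine listens.
        return f"TCP {port}: no process has registered with the TCP driver"
    lines = []
    for h in hits:
        scope = "ALL addresses (0.0.0.0, external included)" if h["all_interfaces"] else h["bind"]
        svc = ", ".join(h["services"]) or "no service"
        lines.append(f"TCP {port}: PID {h['pid']} {h['image']} [{svc}] listens on {scope}")
    return "\n".join(lines)
```

On the sample, port 3389 resolves to svchost.exe hosting TermService bound to every address, and port 3390 (used by the server publishing rule in step 11) has no process at all, which is what the lab expects you to read off netstat and tasklist.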
Perform the following steps on the Istanbul computer.

18. On the Istanbul computer, create a remote desktop connection to 39.1.1.1 (Paris).
a. On the Istanbul computer, on the Start menu, click Remote Desktop Connection.
b. In the Remote Desktop Connection dialog box, in the Computer text box, type 39.1.1.1, and then click Connect.
    The Log On dialog box of Paris appears.
    This result confirms that you successfully published the remote desktop of Paris on the External network of Paris.
c. Click Cancel to close the Log On to Windows dialog box.
    The Istanbul desktop appears again.
d. Click Close to close the Remote Desktop Connection dialog box.
    Note: The following tasks are needed to avoid conflicts with other lab exercises.

Perform the following steps on the Denver computer.

19. On the Denver computer, use System properties to disable remote desktop.
a. On the Denver computer, on the Start menu, click Control Panel, and then click System.
b. In the System Properties dialog box, on the Remote tab, in the Remote Desktop box, clear Enable Remote Desktop on this computer.
c. Click OK to close the System Properties dialog box.

Perform the following steps on the Paris computer.

20. On the Paris computer, use System properties to disable remote desktop.
a. On the Paris computer, on the Start menu, click Control Panel, and then click System.
b. In the System Properties dialog box, on the Remote tab, in the Remote Desktop box, clear Enable Remote Desktop on this computer.
c. Click OK to close the System Properties dialog box.

Module D: Publishing an Exchange Server
Exercise 1
Publishing Exchange Web Access - Certificate Management
In this exercise, you will enable access to the Exchange Server for clients that use Outlook Web Access (OWA). You configure ISA Server to use SSL Bridging, because you want to encrypt the connection with the SSL protocol (HTTPS), but you also want to inspect the traffic at the ISA Server computer.

This exercise also demonstrates the new certificate management functionality of ISA Server 2006.

Note: This lab exercise uses the following computers: Denver - Paris - Istanbul
Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.

Perform the following steps on the Denver computer.

1. On the Denver computer, import the denver.contoso.com Web server certificate from the C:\Tools\Certs folder.
a. On the Denver computer, use Windows Explorer (or My Computer) to open the C:\Tools\Certs folder.
    The Certs folder contains a Web server certificate for denver.contoso.com, and a script to import the certificate and private key in the local machine store.
b. In the Certs folder, right-click denver-certload.vbs, and then click Open.
c. Click Yes to confirm that you want to import the certificate.
d. Click OK to acknowledge that the import of the certificate is complete.
e. Close the Certs folder.
2. Configure IIS to use the denver.contoso.com Web server certificate.
a. On the Start menu, click Administrative Tools, and then click Internet Information Services (IIS) Manager.
    The IIS Manager console opens.
b. In the IIS Manager console, expand DENVER (local computer), expand Web Sites, right-click Default Web Site, and then click Properties.
c. In the Default Web Site Properties dialog box, on the Directory Security tab, click Server Certificate.
d. In the Welcome to the Web Server Certificate Wizard dialog box, click Next.
e. On the Server Certificate page, select Assign an existing certificate, and then click Next.
f. On the Available Certificates page, select the certificate for denver.contoso.com that has the intended purpose of Server Authentication (do not select a certificate with another intended purpose), and then click Next.
g. On the SSL Port page, in the SSL port this web site should use text box, type 443, and then click Next.
h. On the Certificate Summary page, click Next.
i. On the Completing the Web Server Certificate Wizard page, click Finish.
    The Default Web Site on Denver can now use the denver.contoso.com Web server certificate for HTTPS connections.
j. Click OK to close the Default Web Site Properties dialog box.
k. Close the IIS Manager console.

Perform the following steps on the Paris computer.

3. On the Paris computer, import the mail.contoso.com Web server certificate from the C:\Tools\Certs folder.
a. On the Paris computer, use Windows Explorer (or My Computer) to open the C:\Tools\Certs folder.
    The Certs folder contains a Web server certificate for mail.contoso.com, and a script to import the certificate and private key in the local machine store.
b. In the Certs folder, right-click mail-certload.vbs, and then click Open.
c. Click Yes to confirm that you want to import the certificate.
d. Click OK to acknowledge that the import of the certificate is complete.
4. For demonstration purposes, import invalid certificates from the C:\Tools\Certs\Invalid folder.
a. In the Certs folder, open the Invalid folder.
    The Invalid folder contains certificates that demonstrate a few common mistakes with using certificates on ISA Server, and a script to import the certificates.
b. In the Invalid folder, right-click certload-invalid-Paris.vbs, and then click Open.
c. Click Yes to confirm that you want to import the certificates.
d. Click OK to acknowledge that the import of the certificates is complete.
    Later in this exercise, you will see how ISA Server helps identify the invalid certificates.
e. Close the Invalid folder.
    Note: On ISA Server 2006 Enterprise Edition, when you configure a Server Authentication certificate to create SSL connections, the same certificate (same name) must be installed on all array members.
5. Create a new Web listener:
   Name: External Web 443
   SSL: enable
   Network: External
   Compression: disable
   Certificate: mail.contoso.com
   Authentication: HTTP Authentication - Basic
a. On the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.
    The ISA Server console opens.
b. In the ISA Server console, expand Paris, and then select Firewall Policy.
c. In the task pane, on the Toolbox tab, in the Network Objects section, right-click Web Listeners, and then click New Web Listener.
d. In the New Web Listener Definition Wizard dialog box, in the Web listener name text box, type External Web 443, and then click Next.
e. On the Client Connection Security page, select Require SSL secured connections with clients, and then click Next.
f. On the Web Listener IP Addresses page, complete the following information:
   - Listen on network: External
   - ISA Server will compress content: disable
   and then click Next.
g. On the Listener SSL Certificates page, click Select Certificate.
    By default, the Select Certificate dialog box only shows the Web server certificates that are installed correctly.
h. In the Select Certificate dialog box, disable Show only valid certificates.
    To help you troubleshoot common certificate mistakes, ISA Server lists imported certificates that are not valid. The certificates named cert2.contoso.com to cert5.contoso.com are the invalid certificates that you imported earlier in the exercise.
i. In the certificates list, select each of the certificates cert2.contoso.com to cert5.contoso.com to see the problem with the certificate.
    ISA Server can identify the following problems with certificates:
   - cert2.contoso.com - The certificate is installed in the current user store, instead of the local machine store.
   - cert3.contoso.com - The certificate is installed without a private key.
   - cert4.contoso.com - The certificate has expired.
   - cert5.contoso.com - The certificate is not yet valid.
    On ISA Server 2006 Enterprise Edition, there is one more certificate problem that is identified:
   - The certificate is not imported on all array members.
j. In the certificates list, select mail.contoso.com, and then click Select.
k. On the Listener SSL Certificates page, click Next.
l. On the Authentication Settings page, complete the following information:
   - Authentication method: HTTP Authentication (is default)
   - Basic: enable
   - Digest: disable (is default)
   - Integrated: disable (is default)
   and then click Next.
m. On the Single Sign On Settings page, click Next.
n. On the Completing the New Web Listener Wizard page, click Finish.
    A new Web listener (port 443 on the IP address on the adapter on the External network) with the name External Web 443 is created.
6. Create an OWA mail server publishing rule:
   Name: Publish mail (OWA)
   Version: Exchange Server 2003
   Internal site name: denver.contoso.com
   Public name: mail.contoso.com
   Web listener: External Web 443
   Delegation: Basic Authentication
a. In the right pane, select the first rule, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.
b. In the task pane, on the Tasks tab, click Publish Exchange Web Client Access.
c. In the New Exchange Publishing Rule Wizard dialog box, in the Exchange Publishing rule name text box, type Publish mail (OWA), and then click Next.
d. On the Select Services page, complete the following information:
   - Exchange version: Exchange Server 2003 (is default)
   - Outlook Web Access: enable (is default)
   - Leave the other check boxes disabled (is default)
   and then click Next.
e. On the Publishing Type page, select Publish a single Web site, and then click Next.
f. On the Server Connection Security page, select Use SSL to connect to the published Web server, and then click Next.
g. On the Internal Publishing Details page, in the Internal site name text box, type denver.contoso.com, and then click Next.
    The specified name of the Web mail server must exactly match the name in the certificate on the Denver Web server. Otherwise Internet Explorer on the client computers fails to connect, and displays an error message (500 Internal Server Error - The target principal name is incorrect).
h. On the Public Name Details page, complete the following information:
   - Accept requests for: This domain name (type below):
   - Public name: mail.contoso.com
   and then click Next.
    The specified public name must exactly match the name in the certificate on Paris. Otherwise the connecting client computers will display a security alert message (The name on the security certificate is invalid.).
i. On the Select Web Listener page, in the Web listener drop-down list box, select External Web 443, and then click Next.
j. On the Authentication Delegation page, select Basic Authentication, and then click Next.
k. On the User Sets page, click Next.
l. On the Completing the New Exchange Publishing Rule Wizard page, click Finish.
    A new Web publishing rule is created, which publishes the three OWA virtual directories on the Web site denver.contoso.com as mail.contoso.com on the External network.
7. Examine the new OWA mail server publishing rule named Publish mail (OWA).
a. In the right pane, right-click Publish mail (OWA), and then click Properties.
b. In the Publish mail (OWA) Properties dialog box, select the To tab.
    OWA requires that the original host headers (https://mail.contoso.com) are forwarded to the published server (Denver).
c. Select the Traffic tab.
    The OWA publishing rule only allows HTTPS access, not HTTP access.
d. Select the Paths tab.
    The OWA publishing rule only allows access to the three virtual directories needed for OWA (/public, /exchweb and /exchange).
e. Select the Listener tab.
    The certificate name (mail.contoso.com) exactly matches the name on the Public Name tab.
f. Select the Bridging tab.
    ISA Server redirects incoming requests to the SSL port. It will create a new SSL connection from the ISA Server to Denver. The name on the To tab exactly matches the name in the certificate on Denver.
g. Click Cancel to close the Publish mail (OWA) Properties dialog box.
8. Apply the new rule.
a. Click Apply to apply the new rule, and then click OK.
    The new Publish mail (OWA) rule is applied.

Perform the following steps on the Denver computer.

9. On the Denver computer, configure IIS to require SSL on the virtual directories used by OWA:
   /Exchange
   /ExchWeb
   /Public
a. On the Denver computer, on the Start menu, click Administrative Tools, and then click Internet Information Services (IIS) Manager.
    The IIS Manager console opens.
b. In the IIS Manager console, expand Default Web Site, right-click Exchange, and then click Properties.
    /Exchange, /ExchWeb and /Public are the three virtual directories used by Outlook Web Access (OWA).
c. In the Exchange Properties dialog box, on the Directory Security tab, in the Secure communications box, click Edit.
d. In the Secure Communications box, enable Require secure channel (SSL), and then click OK.
    Now that IIS has a Web server certificate configured, only secure access (HTTPS) to the OWA virtual directories should be allowed.
e. Click OK to close the Exchange Properties dialog box.
    Repeat the same configuration step for the /ExchWeb virtual directory.
f. Right-click ExchWeb, and then click Properties.
g. In the ExchWeb Properties dialog box, on the Directory Security tab, in the Secure communications box, click Edit.
h. In the Secure Communications box, enable Require secure channel (SSL), and then click OK.
i. Click OK to close the ExchWeb Properties dialog box.
    Repeat the same configuration step for the /Public virtual directory.
j. Right-click Public, and then click Properties.
k. In the Public Properties dialog box, on the Directory Security tab, in the Secure communications box, click Edit.
l. In the Secure Communications box, enable Require secure channel (SSL), and then click OK.
m. Click OK to close the Public Properties dialog box.
n. Close the IIS Manager console.

Perform the following steps on the Istanbul computer.

10. On the Istanbul computer, use Internet Explorer to securely connect to https://mail.contoso.com/exchange. Send an e-mail to Administrator to test the secure OWA connection to ISA Server.
a. On the Istanbul computer, open Internet Explorer. In the Address box, type https://mail.contoso.com/exchange, and then press Enter.
    An authentication dialog box for mail.contoso.com appears.
    Note: On Istanbul, mail.contoso.com resolves to 39.1.1.1 (Paris).
b. In the Connect to mail.contoso.com dialog box, complete the following information:
   - User name: Administrator
   - Password: password
   - Remember my password: disable (is default)
   and then click OK.
    Internet Explorer displays the Outlook Web Access Inbox of the Administrator. The yellow lock icon at the bottom of the screen indicates that the connection uses SSL.
    Note: The root certificate of the Denver CA is already installed as a trusted root certificate on Istanbul.
c. On the OWA toolbar, click New.
d. In the new message window, complete the following information:
   - To: Administrator
   - Subject: Test mail through Secure OWA - 1
   - (Message): Publish Exchange using Secure OWA
   and then click Send.
    Internet Explorer sends the message.
    After a few moments a new message appears in the Inbox. This result shows that Internet Explorer successfully connected to the Exchange Server on Denver by using a secure OWA connection to ISA Server.
e. After a few moments, in the left pane, click Inbox to refresh the display of the Inbox contents.
f. Close Internet Explorer.
    Note: In the following steps, HTML Form Authentication is configured. The advantage of using HTML Form Authentication is that the authentication credentials are not cached on the client computer. This is especially important when users are connecting from public computers. The credential information is kept in a (temporary) session cookie while the OWA connection is open.

Perform the following steps on the Paris computer.

11. On the Paris computer, a. On the Paris computer, in the ISA Server console, in the left pane, select
configure the External Web 443 Firewall Policy
Web listener to use HTML Form b. In the task pane, on the Toolbox tab, in the Network Objects section,
Authentication.
Module H: Configuring Load Balancing 63

expand Web Listeners, right-click External Web 443, and then click
Properties.
c. In the External Web 443 Properties dialog box, on the Authentication
tab, in the Client Authentication Method drop-down list box, select HTML
Form Authentication.
d. On the Forms tab, click Advanced.
 The HTML Form Authentication allows you to specify idle session
timeout values for client browsers on public computers and client browsers on
private computers.
e. Click Cancel to close the Advanced Form Options dialog box.
f. Click OK to close the External Web 443 Properties dialog box.
 The Web listener is now configured to use HTML Form
Authentication.
g. Click Apply to save the changes, and then click OK.
 Perform the following steps on the Istanbul computer.

12. On the Istanbul computer, use Internet Explorer to securely connect to https://mail.contoso.com/exchange again.
a. On the Istanbul computer, open Internet Explorer. In the Address box, type https://mail.contoso.com/exchange, and then press Enter.
 The Office Outlook Web Access authentication Web page appears.
b. In the Office Outlook Web Access page, complete the following information:
  Security: This is a private computer
  Use Outlook Web Access Light: disable (is default)
  Domain\user name: contoso\administrator
  Password: password
and then click Log On.
 When using HTML Form Authentication, the user indicates whether the client browser is on a public computer or on a private computer.
 Internet Explorer displays the Outlook Web Access Inbox.
c. Close Internet Explorer.
 Note: The following task is needed to avoid conflicts with other lab exercises.

 Perform the following steps on the Paris computer.

13. On the Paris computer, configure the External Web 443 Web listener to use Basic authentication.
a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
b. In the task pane, on the Toolbox tab, in the Network Objects section, expand Web Listeners, right-click External Web 443, and then click Properties.
c. In the External Web 443 Properties dialog box, on the Authentication tab, complete the following information:
  Client Authentication Method: HTTP Authentication
  Basic: enable
  Digest: disable (is default)
  Integrated: disable (is default)
and then click OK to close the External Web 443 Properties dialog box.
 The Web listener is now configured to use Basic HTTP authentication.
d. Click Apply to save the changes, and then click OK.

Exercise 2
Publishing an Exchange Server for SMTP and POP3
In this exercise, you will configure server publishing rules on the ISA Server to allow access
to the Exchange Server by using the SMTP and POP3 protocols.

Tasks Detailed steps


 Note: This lab exercise uses the following computers: Denver - Paris - Istanbul
Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.
 Perform the following steps on the Istanbul computer.

1. On the Istanbul computer, start Outlook Express, and then attempt to connect to the Exchange Server (POP3) by clicking Send/Recv.
a. On the Istanbul computer, on the Start menu, click All Programs, and then click Outlook Express.
b. In Outlook Express, on the toolbar, click Send/Recv.
c. In the Logon - Contoso mail dialog box, complete the following information:
  User Name: Administrator
  Password: password
and then click OK.
 Outlook Express attempts to connect to the server at IP address 39.1.1.1 (ISA Server) by using the POP3 protocol. ISA Server blocks the connection. After a few moments, Outlook Express displays an error message that the connection to the server has failed.
d. Click Hide to close the error message box.
 Perform the following steps on the Paris computer.

2. On the Paris computer, create a mail server publishing rule:
Name: Publish mail
Protocols: SMTP, POP3
Server: 10.1.1.5
a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
b. In the right pane, select the first rule, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.
c. In the task pane, on the Tasks tab, click Publish Mail Servers.
 The New Mail Server Publishing Rule Wizard opens. This is a specialized version of the general New Server Publishing Rule Wizard and New Web Publishing Rule Wizard.
d. In the New Mail Server Publishing Rule Wizard dialog box, in the Mail Server Publishing rule name text box, type Publish mail, and then click Next.
e. On the Select Access Type page, select Client access: RPC, IMAP, POP3, SMTP, and then click Next.
f. On the Select Services page, complete the following information:
  POP3 (standard port): enable
  SMTP (standard port): enable
  Leave all other check boxes disabled
and then click Next.
g. On the Select Server page, in the Server IP address text box, type 10.1.1.5, and then click Next.
h. On the Network Listener IP Addresses page, select External, and then click Next.
i. On the Completing the New Mail Server Publishing Rule Wizard page, click Finish.
 Two new server publishing rules are created: Publish mail SMTP Server, and Publish mail POP3 Server.
3. Apply the changes.
a. Click Apply to apply the new rules, and then click OK.
 Perform the following steps on the Istanbul computer.

4. On the Istanbul computer, in Outlook Express, connect to the Exchange Server by clicking Send/Recv. Send an e-mail to administrator@contoso.com to test the SMTP and POP3 connections to ISA Server.
a. On the Istanbul computer, in Outlook Express, on the toolbar, click Send/Recv.
b. If the Logon - Contoso mail dialog box appears, complete the following information:
  User Name: Administrator
  Password: password
and then click OK.
 Outlook Express is able to connect with the POP3 protocol to the Exchange Server (10.1.1.5) published by ISA Server on its external interface (39.1.1.1).
c. On the toolbar, click Create Mail.
d. In the New Message window, complete the following information:
  To: administrator@contoso.com
  Subject: Test mail through SMTP/POP3 - 2
  (Message): Publish Exchange using SMTP/POP3
and then click Send.
 Outlook Express immediately sends the e-mail message.
 Notice that a new message does not show up in the Inbox. Unlike some of the other methods (OWA, RPC) that can be used to connect to the Exchange Server, the SMTP/POP3 connection does not support New Mail Notification.
e. On the toolbar, click Send/Recv.
 A new message appears in the Inbox. This result shows that Outlook Express successfully connected to the Exchange Server on Denver, by using SMTP/POP3 connections to ISA Server.
f. Close Outlook Express.

Exercise 3
Publishing an Exchange Server for Outlook (RPC)
In this exercise, you will publish the Exchange Server (Denver) for Remote Procedure Call
(RPC) access by Microsoft Outlook clients. This allows the full functionality of Outlook.

Tasks Detailed steps


 Note: This lab exercise uses the following computers: Denver - Paris - Istanbul
Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.
 Perform the following steps on the Paris computer.

1. On the Paris computer, create a mail server publishing rule:
Name: Publish mail
Protocols: Outlook (RPC)
Server: 10.1.1.5
a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
b. In the right pane, select the first rule, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.
c. In the task pane, on the Tasks tab, click Publish Mail Servers.
d. In the New Mail Server Publishing Rule Wizard dialog box, in the Mail Server Publishing rule name text box, type Publish mail, and then click Next.
e. On the Select Access Type page, select Client access: RPC, IMAP, POP3, SMTP, and then click Next.
f. On the Select Services page, complete the following information:
  Outlook (RPC) (standard port): enable
  Leave all other check boxes disabled
and then click Next.
g. On the Select Server page, in the Server IP address text box, type 10.1.1.5, and then click Next.
h. On the Network Listener IP Addresses page, select External, and then click Next.
i. On the Completing the New Mail Server Publishing Rule Wizard page, click Finish.
 A new server publishing rule named Publish mail Exchange RPC Server is created.
2. Examine the RPC Filter application filter.
a. In the left pane, expand Configuration, and then select Add-ins.
b. In the right pane, on the Application Filters tab, select RPC Filter.
 When a firewall policy rule uses an RPC protocol, the RPC Filter listens for requests from client computers on TCP port 135. Client computers are then redirected to higher port numbers on the ISA Server. The RPC Filter dynamically opens these ports, so it is not necessary to open these higher ports statically on the firewall.
3. Examine the new mail server publishing rule named Publish mail Exchange RPC Server.
a. In the left pane, select Firewall Policy.
b. In the right pane, select Publish mail Exchange RPC Server, and then in the task pane, on the Tasks tab, click Edit Selected Rule.
c. In the Publish mail Exchange RPC Server Properties dialog box, select the Traffic tab.
 The new mail server publishing rule allows traffic for the Exchange RPC Server protocol. This is a specialized version of the RPC Server protocol. The RPC Filter will dynamically open ports for RPC requests that are related to Exchange Server only.
d. On the Traffic tab, click Properties.
e. In the Exchange RPC Server Properties dialog box, select the Interfaces tab.
 A service can register itself with the RPC Service, using its Universal Unique Identifier (UUID). Client computers include the UUID in the RPC requests, to indicate which service they want to connect to. The default Exchange RPC Server protocol definition in ISA Server 2006 supports 17 different RPC UUIDs related to Exchange services. These are all published on a dynamically assigned port, if a connection request is received.
f. Click Cancel to close the Exchange RPC Server Properties dialog box.
g. Click Cancel to close the Publish mail Exchange RPC Server Properties dialog box.
4. Apply the new rule.
a. In the right pane, click Apply to apply the new rule, and then click OK.
 The new Publish mail Exchange RPC Server rule is applied.
 Perform the following steps on the Istanbul computer.

5. On the Istanbul computer, start Outlook 2003, and then examine the network connections.
Use: netstat  -ano
Use: Connection Status
a. On the Istanbul computer, open a Command Prompt window.
b. At the command prompt, type netstat  -ano  |  find  "EST", and then press Enter.
 The output of the command displays zero or more established TCP/IP network connections from the Istanbul computer, before Outlook is started.
 You can use the netstat  -ano command, without the find part, to see a complete list of current network connections.
c. On the Start menu, click All Programs, click Microsoft Office, and then click Microsoft Office Outlook 2003.
 Outlook 2003 starts and displays the Inbox of the Administrator.
d. Switch to the Command Prompt window.
e. At the command prompt, type netstat  -ano  |  find  "EST", and then press Enter.
 The output of the command displays four (or fewer) established connections from Istanbul (39.1.1.7) to the ISA Server (39.1.1.1). Outlook initially set up an RPC connection to TCP port 135, and was then redirected to a dynamically opened higher port on the ISA Server.
f. Close the Command Prompt window.
g. Press the Ctrl key, and then click the Outlook icon in the system tray area.
 When the Ctrl key is not pressed, the Connection Status option does not appear on the context menu of the system tray Outlook icon.
h. In the context menu of the system tray Outlook icon, click Connection Status.
 The Exchange Server Connection Status window lists four connections from Outlook to Denver.contoso.com. The term TCP/IP in the Conn column indicates that RPC connections are used.
 In the next exercise, Outlook will use RPC over HTTP connections to the Exchange Server.
i. Click Close to close the Exchange Server Connection Status window.
6. Send an e-mail to Administrator to test the RPC connection to ISA Server.
a. In Outlook, on the toolbar, click New.
b. In the new message window, complete the following information:
  To: Administrator
  Subject: Test mail through RPC - 3
  (Message): Publish Exchange using RPC
and then click Send.
 After a few moments Outlook sends the message from the Outbox. It will then appear in the Inbox. This result shows that Outlook successfully connected to the Exchange Server on Denver, by using RPC connections to the ISA Server.
c. In the Inbox, select the new message.
d. Close Outlook.

Exercise 4
Publishing an Exchange Server for RPC over HTTP
In this exercise, you want to provide Microsoft Outlook clients with the full functionality of
Outlook when they connect to the Exchange Server. However, in this exercise, directly
publishing Exchange Server through the Remote Procedure Call (RPC) protocol is not
possible. You will configure ISA Server to tunnel RPC traffic inside HTTP (HTTPS) traffic.
This uses the RPC over HTTP protocol.

Note: This exercise uses the same Web server authentication certificates (mail.contoso.com
and denver.contoso.com) that you used in the Outlook Web Access (OWA) exercise earlier. If
you have completed that exercise, you can skip the first three tasks in this exercise.

Tasks Detailed steps


 Note: This lab exercise uses the following computers: Denver - Paris - Istanbul
Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.
 Perform the following steps on the Paris computer.

1. On the Paris computer, import the mail.contoso.com Web server certificate from the C:\Tools\Certs folder.
a. On the Paris computer, use Windows Explorer (or My Computer) to open the C:\Tools\Certs folder.
 The Certs folder contains a Web server certificate for mail.contoso.com, and a script to import the certificate and private key in the local machine store.
b. In the Certs folder, right-click mail-certload.vbs, and then click Open.
c. Click Yes to confirm that you want to import the certificate.
d. Click OK to acknowledge that the import of the certificate is complete.
e. Close the Certs folder.
 Perform the following steps on the Denver computer.

2. On the Denver computer, import the denver.contoso.com Web server certificate from the C:\Tools\Certs folder.
a. On the Denver computer, use Windows Explorer (or My Computer) to open the C:\Tools\Certs folder.
 The Certs folder contains a Web server certificate for denver.contoso.com, and a script to import the certificate and private key in the local machine store.
b. In the Certs folder, right-click denver-certload.vbs, and then click Open.
c. Click Yes to confirm that you want to import the certificate.
d. Click OK to acknowledge that the import of the certificate is complete.
e. Close the Certs folder.
3. Configure IIS to use the denver.contoso.com Web server certificate.
a. On the Start menu, click Administrative Tools, and then click Internet Information Services (IIS) Manager.
 The IIS Manager console opens.
b. In the IIS Manager console, expand DENVER (local computer), expand Web Sites, right-click Default Web Site, and then click Properties.
c. In the Default Web Site Properties dialog box, on the Directory Security tab, click Server Certificate.
d. In the Welcome to the Web Server Certificate Wizard dialog box, click Next.
 Note: If the Modify the Current Certificate Assignment page appears, then you have already assigned the denver.contoso.com certificate to the Default Web Site. In that case, cancel the wizard, close the IIS Manager console, and continue with the next task.
e. On the Server Certificate page, select Assign an existing certificate, and then click Next.
f. On the Available Certificates page, select the certificate for denver.contoso.com that has the intended purpose of Server Authentication (do not select a certificate with another intended purpose), and then click Next.
g. On the SSL Port page, in the SSL port this web site should use text box, type 443, and then click Next.
h. On the Certificate Summary page, click Next.
i. On the Completing the Web Server Certificate Wizard page, click Finish.
 The Default Web Site on Denver can now use the denver.contoso.com Web server certificate for HTTPS connections.
j. Click OK to close the Default Web Site Properties dialog box.
k. Close the IIS Manager console.
4. Install the RPC over HTTP Proxy network service.
a. On the Start menu, click Control Panel, and then click Add or Remove Programs.
b. In the Add or Remove Programs window, click Add/Remove Windows Components.
c. On the Windows Components page, select the Networking Services component (do NOT select the check box), and then click Details.
d. In the Networking Services dialog box, select the RPC over HTTP Proxy check box, and then click OK.
e. On the Windows Components page, click Next.
 Please wait while Setup installs the RPC over HTTP Proxy network service.
f. On the Completing the Windows Components Wizard page, click Finish.
 Typically you would install RPC over HTTP Proxy on an Exchange front-end server. In this lab you only use a single Exchange server computer (Denver), and therefore install the network service on this computer.
g. Close the Add or Remove Programs window.
5. In the IIS Manager console, examine the RPC Proxy Server extension.
a. On the Start menu, click Administrative Tools, and then click Internet Information Services (IIS) Manager.
 The IIS Manager console opens.
b. In the IIS Manager console, expand DENVER (local computer), and then in the left pane, select Web Service Extensions.
 A new Web Service Extension is installed (RPC Proxy Server Extension). The status of the extension is Allowed.
 Note: In an earlier exercise to configure OWA, you have already requested a Web server certificate named denver.contoso.com, and loaded the certificate in IIS.
6. Configure the /Rpc virtual directory:
Anonymous access: No
Authentication method: Basic authentication only
Require SSL: Yes
a. In the IIS Manager console, expand Web Sites, expand Default Web Site, and then in the left pane, select Rpc.
 ISA Server will publish the /Rpc virtual directory to allow RPC over HTTP access to the Exchange Server.
b. Right-click Rpc, and then click Properties.
c. In the Rpc Properties dialog box, on the Directory Security tab, in the Authentication and access control box, click Edit.
d. In the Authentication Methods dialog box, enable Basic authentication.
e. In the IIS Manager warning message box, click Yes to confirm that you want to continue.
 Basic authentication results in the password being transmitted over the network without encryption. You will configure the virtual directory to require SSL on the RPC over HTTP connection, to protect the credential information.
f. In the Authentication Methods dialog box, complete the following information:
  Enable anonymous access: disable
  Integrated Windows authentication: disable (is default)
  Basic authentication: enable (done in previous step)
and then click OK.
 Basic authentication is now the only enabled authentication method on the /Rpc virtual directory.
g. On the Directory Security tab, in the Secure communications box, click Edit.
h. In the Secure communications box, enable Require secure channel (SSL), and then click OK.
 To secure the basic authentication passwords used by RPC over HTTP, SSL is required on the /Rpc virtual directory. Effectively this makes it RPC over HTTPS.
i. On the Directory Security tab, click View Certificate.
 The Default Web Site on Denver uses a Web server certificate named denver.contoso.com. ISA Server will publish https://denver.contoso.com/rpc to allow access to the Exchange Server.
j. Click OK to close the Certificate dialog box.
k. Click OK to close the Rpc Properties dialog box.
l. Close the IIS Manager console.
7. Configure the RPC Proxy network service to communicate with the Exchange Server and Global Catalog server (denver.contoso.com) on the following ports: 6001, 6002 and 6004.
a. Open a Command Prompt window.
b. At the command prompt, type cd  \tools\reskit, and then press Enter.
 The Reskit folder contains a configuration tool (rpccfg.exe) from the Windows Server 2003 Resource Kit.
 At each of the steps below, press Enter after the command.
c. Type rpccfg  /hd.
 The output of the command displays which ports on which computer the RPC Proxy service is allowed to create an RPC connection to. The default setting is: Denver  100-5000.
d. Type rpccfg  /hr  Denver.
 This removes the current port range settings for Denver.
 The next commands add the required port ranges for both the NetBIOS name and the fully qualified domain name (FQDN) of the (back-end) Exchange Server and Global Catalog server. The RPC connections to the Exchange Server are done at port 6001 (Store), 6002 (DSReferral) and 6004 (DSProxy).
e. Type rpccfg  /ha  Denver  6001  6002  6004.
f. Type rpccfg  /ha  denver.contoso.com  6001  6002  6004.
g. Type rpccfg  /hd.
 The RPC Proxy service can now create RPC connections to the Exchange Server (6001 and 6004) and Global Catalog server (6002) on the required ports.
 Instead of using the rpccfg.exe tool, you can also directly edit the ValidPorts value in the registry. The next command shows the current value of the ValidPorts setting.
h. Type reg.exe  query  HKLM\Software\Microsoft\Rpc\RpcProxy.
 Note: Earlier Exchange Server 2003 documentation described that you must also add port 593. This port is used for DCOM access. However, when unpatched, a vulnerability in the DCOM RPC interface allows an attacker to run code with Local System privileges on the affected system. The W32/Blaster worm exploited this vulnerability. This is described in Microsoft Knowledge Base article 826382, and Microsoft security bulletin MS03-026. Outlook does not require the use of TCP port 593 when connecting to the Exchange Server using RPC over HTTP, so do not include that port number in the configuration of the RPC Proxy service.
i. Close the Command Prompt window.
 Note: When you deploy Exchange in a front-end/back-end scenario, and have Exchange Server 2003 SP1 or
higher installed on the front-end server, you do not need to configure the ValidPorts setting manually. In that
case, the front-end Exchange Server automatically manages the ValidPorts value.
8. Configure the Global Catalog server (Denver) to use port 6004 for RPC over HTTP connections.
a. On the Start menu, click Run.
b. In the Run dialog box, type regedit.exe, and then click OK.
c. In the Registry Editor window, select the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters key.
d. Right-click the Parameters key, click New, and then click Multi-String Value.
e. In the New Value #1 text box, replace the text by typing NSPI interface protocol sequences, and then press Enter.
 A new REG_MULTI_SZ value named NSPI interface protocol sequences is created.
f. Right-click the NSPI interface protocol sequences value, and then click Modify.
g. In the Edit Multi-String dialog box, type ncacn_http:6004, and then click OK.
 The Global Catalog server will listen on TCP port 6004 for RPC connections from the RPC Proxy network service.
 The server computer needs to restart before this setting is active.
h. Close the Registry Editor window.
9. Restart the Denver computer.
a. On the Start menu, click Shut Down.
 In the next step, ensure that you RESTART Denver, instead of shutting Denver down.
b. In the Shut Down Windows dialog box, complete the following information:
  What do you want the computer to do: Restart
  Option: Other (Planned) (is default)
  Comment: Changed RPC Proxy settings
and then click OK.
 The Denver computer restarts. This will take a few minutes.
10. Log on to the computer:
User name: Administrator
Password: password
Log on to: CONTOSO
a. After the restart, at the Welcome to Windows dialog box, press <right>Alt-Del (instead of Ctrl-Alt-Del).
b. In the Log On to Windows dialog box, complete the following information:
  User name: Administrator
  Password: password
  Domain: CONTOSO
and then click OK to log on.
 Perform the following steps on the Paris computer.

11. On the Paris computer, disable the existing rule that publishes the Exchange Server by using RPC.
a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
b. In the right pane, right-click Publish mail Exchange RPC Server, and then click Disable.
 This rule is disabled in the lab to clearly demonstrate that Outlook 2003 on Istanbul will connect to the Exchange Server on Denver by using RPC over HTTPS, and not by using RPC directly.
12. Create a new Web listener:
Name: External Web 443
SSL: enable
Network: External
Compression: disable
Certificate: mail.contoso.com
Authentication: HTTP Authentication - Basic
a. In the task pane, on the Toolbox tab, in the Network Objects section, expand Web Listeners (if possible).
 Note: If a Web Listener named External Web 443 is already created in an earlier exercise, then you can skip the rest of this task.
b. If a Web listener named External Web 443 does not exist, then right-click Web Listeners, and then click New Web Listener.
c. In the New Web Listener Definition Wizard dialog box, in the Web listener name text box, type External Web 443, and then click Next.
d. On the Client Connection Security page, select Require SSL secured connections with clients, and then click Next.
e. On the Web Listener IP Addresses page, complete the following information:
  Listen on network: External
  ISA Server will compress content: disable
and then click Next.
f. On the Listener SSL Certificates page, click Select Certificate.
 By default, the Select Certificate dialog box only shows the Web server certificates that are installed correctly.
g. In the certificates list, select mail.contoso.com, and then click Select.
h. On the Listener SSL Certificates page, click Next.
i. On the Authentication Settings page, complete the following information:
  Authentication method: HTTP Authentication (is default)
  Basic: enable
  Digest: disable (is default)
  Integrated: disable (is default)
and then click Next.
j. On the Single Sign On Settings page, click Next.
k. On the Completing the New Web Listener Wizard page, click Finish.
 A new Web listener (port 443 on the IP address on the adapter on the External network) with the name External Web 443 is created.
13. Create a new RPC over HTTPS Web publishing rule:
Name: Publish mail (RPC over HTTPS)
Version: Exchange Server 2003
Internal site name: denver.contoso.com
Public name: mail.contoso.com
Web listener: External Web 443
Delegation: Basic Authentication
a. In the right pane, select the first rule, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.
b. In the task pane, on the Tasks tab, click Publish Exchange Web Client Access.
 The RPC connection from the Outlook client is inside a secure Web connection (HTTPS) to denver.contoso.com/rpc.
c. In the New Exchange Publishing Rule Wizard dialog box, in the Exchange Publishing rule name text box, type Publish mail (RPC over HTTPS), and then click Next.
d. On the Select Services page, complete the following information:
  Exchange version: Exchange Server 2003 (is default)
  Outlook Web Access: disable
  Outlook RPC/HTTP(s): enable
  Leave the other check boxes disabled (is default)
and then click Next.
e. On the Publishing Type page, select Publish a single Web site, and then click Next.
f. On the Server Connection Security page, select Use SSL to connect to the published Web server, and then click Next.
g. On the Internal Publishing Details page, in the Internal site name text box, type denver.contoso.com, and then click Next.
 The internal site name must match exactly the name in the certificate on the Denver Web server.
h. On the Public Name Details page, complete the following information:
  Accept requests for: This domain name (type below):
  Public name: mail.contoso.com
and then click Next.
 The public name must match exactly the name in the certificate on Paris.
i. On the Select Web Listener page, in the Web listener drop-down list box, select External Web 443, and then click Next.
j. On the Authentication Delegation page, select Basic Authentication, and then click Next.
k. On the User Sets page, click Next.
l. On the Completing the New Exchange Publishing Rule Wizard page, click Finish.
 A new Web publishing rule is created that publishes the Web site at denver.contoso.com (/rpc) as mail.contoso.com (/rpc) on the External network.
14. Examine the new Web publishing rule named Publish mail (RPC over HTTPS).
a. In the right pane, right-click Publish mail (RPC over HTTPS), and then click Properties.
b. In the Publish mail (RPC over HTTPS) Properties dialog box, select the Path tab.
 The RPC over HTTPS Web publishing rule only allows access to the /rpc virtual directory.
c. Click Cancel to close the Publish mail (RPC over HTTPS) Properties dialog box.
15. Apply the new rule.
a. Click Apply to apply the new rule, and then click OK.
 The new Publish mail (RPC over HTTPS) rule is applied.
 Perform the following steps on the Istanbul computer.

16. On the Istanbul computer, use Internet Explorer to verify the configuration of the secure Web publishing rule, by connecting to https://mail.contoso.com/rpc.
The expected error code is 401.3 (Access denied due to an ACL).
a. On the Istanbul computer, open Internet Explorer. In the Address box, type https://mail.contoso.com/rpc, and then press Enter.
b. In the Connect to mail.contoso.com dialog box, complete the following information:
  User name: Administrator
  Password: password
  Remember my password: disable (is default)
and then click OK.
 Because the /Rpc virtual directory does not allow direct access, Internet Explorer displays the Connect to mail.contoso.com dialog box two more times.
c. In the Connect to mail.contoso.com dialog box, type Administrator and password for the second time, and then click OK.
d. In the Connect to mail.contoso.com dialog box, type Administrator and password for the third time, and then click OK.
 Internet Explorer displays an error Web page (HTTP Error 401.3 - Unauthorized: Access is denied due to an ACL). This is the expected result.
 Using Internet Explorer to connect to the /Rpc virtual directory has no functional meaning in the context of the RPC over HTTP protocol. However, this is a quick way to verify that the Web listener, the Secure Web publishing rule and the Web server certificates on both the ISA Server and the RPC Proxy server (Denver) are configured correctly. The expected error message is the 401.3 error Web page.
 Note: When running Windows Server 2003 without SP1, the expected error message is HTTP Error 403.2 (Forbidden: Read access is denied).
e. Close Internet Explorer.
 Note: If you are running Outlook 2003 on Windows XP SP1, you will need to install the update package
described in Microsoft Knowledge Base article 331320, before you can do the tasks below.
(In this lab, Outlook 2003 on Istanbul runs on Windows Server 2003.)
17. Configure the e-mail a. On the Start menu, click Control Panel, and then click Mail.
account in the current Outlook b. In the Mail Setup - Outlook dialog box, click E-mail Accounts.
profile to use RPC over HTTP:
c. In the E-mail Accounts dialog box, select
View or change existing e-mail accounts, and then click Next.
URL: mail.contoso.com
 The Control Panel applet attempts to connect to the
Use SSL only: Yes Exchange Server (by using RPC). After a few moments, a message box appears
to notify you that the Exchange Server is unavailable.
Principal name: d. Click Cancel to close the Connecting to Microsoft Exchange Server
msstd:mail.contoso.com message box.
e. On the E-mail Accounts page, ensure that Contoso mail is selected, and
On fast/slow networks, use HTTP then click Change.
first: Yes
f. On the Exchange Server Settings page, click More Settings.
Proxy authentication: Basic g. In the Microsoft Exchange Server dialog box, on the Connection tab,
enable Connect to my Exchange mailbox using HTTP, and then click
Exchange Proxy Settings.
h. In the Exchange Proxy Settings dialog box, complete the following
information:
  Use this URL (https://): mail.contoso.com
  Connect using SSL only: enable (is default)
  Mutually authenticate the session: enable
  Principal name for proxy server: msstd:mail.contoso.com
  On fast networks, connect using HTTP first: enable
  On slow networks, connect using HTTP first: enable (is default)
  Proxy authentication settings: Basic Authentication
and then click OK.
 The msstd form is Microsoft's standard to refer to RPC principal
names. After connecting, Outlook verifies that it is connected to the correct
server, by using the msstd principal name.
 The distinction between a fast network and a slow network is
determined by the speed that the network adapter reports. If it reports less than
128 Kbps, it is considered a slow network.
If this option is enabled, Outlook attempts to connect by using HTTP
(RPC over HTTP) first, and then by using TCP/IP (RPC).
 Using Basic Authentication (instead of NTLM Authentication)
allows Outlook RPC/HTTPS connections, even when ISA Server 2006 is
configured to use HTML Form Authentication. Outlook does not support form
authentication, but ISA Server 2006 will automatically fall back to Basic
Authentication when a non-browser application connects.
i. Click OK to close the Microsoft Exchange Server dialog box.
j. On the Exchange Server Settings page, click Next.
k. In the Connect to Denver.contoso.com dialog box, complete the
following information:
  User name: contoso\administrator
  Password: password
and then click OK.
 The Control Panel applet should already be able to connect to the
Exchange Server (by using RPC over HTTPS).
l. On the E-mail accounts page, click Finish.
m. Click Close to close the Mail Setup - Outlook dialog box.


18. Start Outlook 2003, and then examine the network connections.
Use: netstat  -ano
Use: Connection Status
a. Open a Command Prompt window.
b. At the command prompt, type netstat  -ano  |  find  "EST", and then press Enter.
 The output of the command displays zero or more established TCP/IP network connections from the Istanbul computer, before Outlook is started.
c. On the Start menu, click All Programs, click Microsoft Office, and
then click Microsoft Office Outlook 2003.
d. In the Connecting to Denver.contoso.com dialog box, complete the
following information:
  User name: contoso\administrator
  Password: password
and then click OK.
 Outlook 2003 starts and displays the Inbox of the Administrator.
e. Switch to the Command Prompt window.
f. At the command prompt, type netstat  -ano  |  find  "EST", and then
press Enter.
 The output of the command displays multiple established
connections from Istanbul (39.1.1.7) to the ISA Server (39.1.1.1). All the
connections are using TCP port 443 on the ISA Server.
g. Close the Command Prompt window.
h. Press the Ctrl-key, and then click the Outlook icon in the system tray
area.
i. In the context menu of the system tray Outlook icon, click
Connection Status.
 The Exchange Server Connection Status window lists four
connections from Outlook to Denver.contoso.com. The term HTTPS in the
Conn column indicates that RPC over HTTPS connections are used.
j. Click Close to close the Exchange Server Connection Status window.
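The check behind step f, as an added PowerShell example that is not part of the lab manual: the function parses the lines printed by netstat -ano and reports whether every established connection to the ISA Server external address (39.1.1.1) uses TCP port 443. The sample lines are constructed for illustration and include one deliberate non-443 connection to show how it is flagged.

```powershell
# Added example, not part of the lab manual: a check for the netstat result in
# step f. It parses the lines printed by "netstat -ano" and reports whether every
# established connection to the ISA Server external address uses TCP port 443,
# which is what Outlook RPC over HTTPS should look like from the client side.
function Test-OutlookUsesHttpsOnly {
    param(
        [string[]]$NetstatLines,          # lines as printed by "netstat -ano"
        [string]$IsaServer = '39.1.1.1'   # external IP address of ISA Server (Paris) in this lab
    )
    $httpsCount = 0
    $other = @()
    foreach ($line in $NetstatLines) {
        # Column layout: Proto  Local Address  Foreign Address  State  PID
        $fields = $line.Trim() -split '\s+'
        if ($fields.Count -lt 5) { continue }                 # header, title or blank line
        if ($fields[0] -ne 'TCP' -or $fields[3] -ne 'ESTABLISHED') { continue }
        $remoteIp, $remotePort = $fields[2] -split ':'
        if ($remoteIp -ne $IsaServer) { continue }            # not a connection to ISA Server
        if ($remotePort -eq '443') { $httpsCount++ } else { $other += $line.Trim() }
    }
    New-Object PSObject -Property @{
        IsaServer           = $IsaServer
        HttpsConnections    = $httpsCount
        NonHttpsConnections = $other          # empty when Outlook only uses RPC over HTTPS
        AllHttps            = ($other.Count -eq 0 -and $httpsCount -gt 0)
    }
}

# Constructed sample output (not captured from the lab). The third connection
# line is a deliberately constructed non-443 entry to show how it is flagged.
$sample = @(
    '  Proto  Local Address          Foreign Address        State           PID',
    '  TCP    39.1.1.7:1045          39.1.1.1:443           ESTABLISHED     1820',
    '  TCP    39.1.1.7:1046          39.1.1.1:443           ESTABLISHED     1820',
    '  TCP    39.1.1.7:1047          39.1.1.1:135           ESTABLISHED     1820',
    '  TCP    127.0.0.1:1025         127.0.0.1:1026         ESTABLISHED     900'
)
Test-OutlookUsesHttpsOnly -NetstatLines $sample | Format-List

# On Istanbul, after Outlook has started, run it on the live output instead:
# Test-OutlookUsesHttpsOnly -NetstatLines (netstat -ano)
```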
19. Send an e-mail to Administrator to test the RPC over HTTP connection to ISA Server.
a. In Outlook, on the toolbar, click New.
b. In the new message window, complete the following information:
  To: Administrator
  Subject: Test mail through RPC over HTTP - 4
  (Message): Publish Exchange using RPC over HTTP
and then click Send.
 After a few moments Outlook sends the message from the Outbox. It
will then appear in the Inbox. This result shows that Outlook successfully
connected to the Exchange Server on Denver, by using secure RPC over HTTP
connections to the ISA Server.
c. In the Inbox, select the new message.
d. Close Outlook.
 Note: In the tasks below, you will configure ISA Server 2006 to use both Outlook Web Access (OWA) using HTML Form Authentication, and Outlook RPC/HTTPS using HTTP/Basic Authentication on the same Web listener and the same IP address (for mail.contoso.com). That is not possible in ISA Server 2004.
You can only perform the tasks below if you completed the OWA exercise earlier in this module.
20. Use Internet Explorer to connect to https://mail.contoso.com/exchange.
a. Open Internet Explorer. In the Address box, type https://mail.contoso.com/exchange, and then press Enter.
 An authentication dialog box for mail.contoso.com appears.
 The Web publishing rules Publish mail (OWA) and Publish mail (RPC over HTTPS) both use the same Web listener named External Web 443. The Web listener is currently configured to use HTTP/Basic Authentication.
b. In the Connect to mail.contoso.com dialog box, complete the following information:
  User name: Administrator
  Password: password
  Remember my password: disable (is default)
and then click OK.
 Internet Explorer displays the Outlook Web Access Inbox of the
Administrator. This result confirms that ISA Server successfully publishes OWA
using Basic Authentication.
c. Close Internet Explorer.
 Perform the following steps on the Paris computer.

21. On the Paris computer, configure the External Web 443 Web listener to use Form Authentication.
a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
b. In the task pane, on the Toolbox tab, in the Network Objects section, expand Web Listeners, right-click External Web 443, and then click Properties.
c. In the External Web 443 Properties dialog box, on the Authentication
tab, complete the following information:
  Client Authentication Method: HTML Form Authentication
and then click OK to close the External Web 443 Properties dialog box.
 The Web listener is now configured to use HTML Form
authentication.
d. Click Apply to save the changes, and then click OK.
 Perform the following steps on the Istanbul computer.

22. Use Internet Explorer to connect to https://mail.contoso.com/exchange again.
a. Open Internet Explorer. In the Address box, type https://mail.contoso.com/exchange, and then press Enter.
 The Office Outlook Web Access authentication Web page appears, because the Web listener is configured to use HTML Form authentication.
b. In the Office Outlook Web Access page, complete the following
information:
  Security: This is a private computer
  Use Outlook Web Access Light: disable (is default)
  Domain\user name: contoso\administrator
  Password: password
and then click Log On.
 Internet Explorer displays the Outlook Web Access Inbox.
c. Close Internet Explorer.
23. Start Outlook 2003.
a. On the Start menu, click All Programs, click Microsoft Office, and then click Microsoft Office Outlook 2003.
b. In the Connecting to Denver.contoso.com dialog box, complete the
following information:
  User name: contoso\administrator
  Password: password
and then click OK.
 Outlook 2003 starts and displays the Inbox of the Administrator.
c. Switch to the Command Prompt window.
d. Press the Ctrl-key, and then click the Outlook icon in the system tray
area.
e. In the context menu of the system tray Outlook icon, click
Connection Status.
 The Exchange Server Connection Status window lists four
RPC over HTTPS connections from Outlook to Denver.contoso.com.
f. Click Close to close the Exchange Server Connection Status window.
 The Web listener on ISA Server is configured to use HTML Form authentication. When Outlook sends the connection request, ISA Server 2006 first checks the User-Agent HTTP header in the HTTPS request from Outlook. It recognizes that it should not respond with the form authentication Web page, but instead falls back to requesting HTTP/Basic Authentication.
 This is new functionality in ISA Server 2006. It allows you to
publish both Outlook Web Access (using HTML Form Authentication), and
Outlook RPC/HTTPS (using Basic Authentication) using the same Web listener,
and the same IP address.
g. Close Outlook.
h. Close the Internet Explorer Outlook Web Access window.
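A way to verify the User-Agent fallback described above from the Istanbul computer, as an added PowerShell example that is not part of the lab manual. It sends an anonymous GET to the published URL with a browser User-Agent and then with "MSRPC", the User-Agent string assumed here for the Outlook RPC over HTTP client; it also assumes PowerShell 2.0 or later is installed and that Istanbul trusts the mail.contoso.com certificate, and that the fallback applies to any published path on the listener.

```powershell
# Added example, not part of the lab manual: check which authentication challenge
# the External Web 443 listener returns for a browser User-Agent versus the
# User-Agent that the Outlook RPC over HTTP client is assumed to send ("MSRPC").
# Only an anonymous GET is sent; no credentials are supplied. Requires
# PowerShell 2.0 or later and a trusted mail.contoso.com certificate.
function Get-ListenerChallenge {
    param(
        [string]$Url,
        [string]$UserAgent
    )
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Method = 'GET'
    $req.UserAgent = $UserAgent
    $req.AllowAutoRedirect = $false     # keep the first answer, do not follow to a logon page
    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        # A 401 is raised as an exception, but the HTTP response is still attached.
        $resp = $_.Exception.Response
        if ($resp -eq $null) { throw }
    }
    $status  = [int]$resp.StatusCode
    $wwwAuth = $resp.Headers['WWW-Authenticate']
    $resp.Close()

    # HTTP/Basic shows up as a 401 with a Basic challenge header. HTML Form
    # authentication sends no WWW-Authenticate header; the listener answers with
    # the logon page (200) or a redirect to it (302) instead.
    $challenge = if ($status -eq 401 -and $wwwAuth -match '^Basic') { 'HTTP/Basic' }
                 elseif (-not $wwwAuth -and ($status -eq 200 -or $status -eq 302)) { 'HTML Form (no HTTP challenge)' }
                 else { "Other: status $status, WWW-Authenticate '$wwwAuth'" }

    New-Object PSObject -Property @{
        UserAgent = $UserAgent
        Status    = $status
        Challenge = $challenge
    }
}

$url = 'https://mail.contoso.com/exchange'
# Expected with the listener set to HTML Form Authentication (tasks 21-23):
#   browser User-Agent -> HTML Form, Outlook User-Agent -> HTTP/Basic.
Get-ListenerChallenge -Url $url -UserAgent 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2)'
Get-ListenerChallenge -Url $url -UserAgent 'MSRPC'
```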
Module E: Enabling VPN Connections


Exercise 1
Configuring ISA Server to Accept Incoming VPN Connections
In this exercise, you will configure ISA Server to accept incoming VPN connections from
client computers on the Internet.

Tasks Detailed steps


 Note: This lab exercise uses the following computer: Paris
Refer to the beginning of the manual for instructions on how to start the computer. Log on to the computer.
 Perform the following steps on the Paris computer.

1. On the Paris computer, examine the status of the Routing and Remote Access service.
a. On the Paris computer, on the Start menu, click Administrative Tools, and then click Routing and Remote Access.
b. In the Routing and Remote Access console, select PARIS (local).
 The Routing and Remote Access service is not started yet, and the
service is not configured. ISA Server uses the Routing and Remote Access
service to handle VPN connections, after the VPN connection is approved.
 Note: All VPN configuration (except Remote Access dial-in
permission for users and groups) is done through the ISA Server console.
2. Use the ISA Server console to configure VPN address ranges.
IP address ranges:
- 10.3.1.1 - 10.3.1.120
a. On the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.
b. In the ISA Server console, expand Paris, and then select Virtual Private Networks (VPN).
c. In the right pane, ensure that the VPN Clients tab is selected.
 ISA Server supports two types of VPN connections:
  Remote access VPN - Client computers on the Internet create a VPN
connection to the ISA Server. This is configured on the VPN Clients tab.
  Site-to-site VPN - Two private networks, or branch offices, are connected by
a VPN connection. This is configured on the Remote Sites tab.
d. In the task pane, on the Tasks tab, click Define Address Assignments.
e. In the Virtual Private Networks (VPN) Properties dialog box, on the
Address Assignment tab, select Static address pool, and then click Add.
f. In the Server IP Address Range Properties dialog box, complete the
following information:
  Start address: 10.3.1.1
  End address: 10.3.1.120
and then click OK.
 This IP address range allows for a maximum of:
  1 destination VPN IP address on Paris (10.3.1.1)
  119 VPN client addresses (10.3.1.2-10.3.1.120).
g. Click OK to close the Virtual Private Networks (VPN) Properties dialog
box.
3. Enable and configure VPN client access.
- Maximum clients: 100
- Protocols: PPTP
a. On the Tasks tab, click Enable VPN Client Access.
 This step enables VPN access to the ISA server. A system policy rule is enabled, and after the changes are saved the Routing and Remote Access service is configured.
b. On the Tasks tab, click Configure VPN Client Access.
c. In the VPN Client Properties dialog box, on the General tab, in the Maximum number of VPN clients allowed text box, leave the default value 100.
 The maximum number of VPN clients that can connect at the same time depends on the capacity of the ISA Server and the number of available IP addresses.
d. On the Protocols tab, ensure that only Enable PPTP is selected.
 In this exercise, only the PPTP protocol is used.
e. Click OK to close the VPN Clients Properties dialog box.
 Note that the VPN configuration is not applied yet.
4. Examine the VPN connection settings.
Access networks: External
Authentication: MS-CHAPv2
a. In the left pane, right-click Virtual Private Networks (VPN), and then click Properties.
 You can also access the four tabs of the Virtual Private Networks (VPN) Properties dialog box from the task pane.
b. In the Virtual Private Networks (VPN) Properties dialog box, select the Access Networks tab.
 ISA Server is currently configured to only accept incoming VPN connections from the External network.
c. Select the Authentication tab.
 ISA Server is currently configured to allow only MS-CHAPv2 authentication for incoming VPN connections.
d. Click OK to close the Virtual Private Networks (VPN) Properties dialog
box.
5. Examine the VPN access rule:
System policy rule: Allow VPN client traffic to ISA Server (rule 13).
a. In the left pane, select Firewall Policy.
b. In the task pane, on the Tasks tab, click Show System Policy Rules.
c. In the right pane, select the Allow VPN client traffic to ISA Server system policy rule (rule 13).
 This system policy rule allows the PPTP protocol from the External network to the Local Host network (ISA Server).
 If the L2TP/IPSec VPN protocol is enabled as well for VPN client
access, then this rule is extended with the required L2TP/IPSec protocols (IKE,
IPSec, L2TP).
If additional networks are enabled on the Access Networks tab of the Virtual
Private Networks (VPN) Properties dialog box, then this rule is extended with
those networks.
d. In the task pane, on the Tasks tab, click Hide System Policy Rules.
6. Apply the VPN configuration.
a. In the ISA Server console, click Apply to apply the VPN configuration, and then click OK.
 This step will configure and enable VPN connections on ISA Server,
and configure and start the Routing and Remote Access service on the ISA
Server computer.
 Wait 30 seconds for ISA Server to configure and start the Routing and Remote Access service, before you do
the next tasks.
7. Examine the configuration of the Routing and Remote Access console.
a. In the Routing and Remote Access console, in the left pane, right-click PARIS (local), and then click Refresh.
 The user interface is updated to show that Routing and Remote Access is configured and started.
b. Right-click PARIS (local), and then click Properties.
c. In the PARIS (local) Properties dialog box, select the IP tab.
 ISA Server has configured the Routing and Remote Access service to use a static address pool of IP addresses.


d. Click Cancel to close the PARIS (local) Properties dialog box.
e. Expand PARIS (local), and then select Remote Access Policies.
f. In the right pane, right-click the ISA Server Default Policy remote
access policy, and then click Properties.
 ISA Server has added a new remote access policy.
  The policy is first in the list, and applies to all incoming remote access
connections (Day-And-Time-Restrictions matches
7x "00:00-24:00").
  The associated profile specifies the authentication methods allowed for the
connections.
  Unless individual access permissions are specified in the user profile (which
is done in the next task), remote access is denied.
g. Click Cancel to close the ISA Server Default Policy Properties dialog
box.
h. Close the Routing and Remote Access console.
8. Configure the user profile of the Administrator account so that it is allowed to dial in.
a. On the Start menu, click Administrative Tools, and then click Computer Management.
b. In the Computer Management console, in the left pane, expand Local Users and Groups, and then select Users.
c. In the right pane, right-click Administrator, and then click Properties.
d. In the Administrator Properties dialog box, on the Dial-in tab, select
Allow access, and then click OK.
e. Close the Computer Management console.
 For demonstration purposes, in this exercise the local
Administrator account is used to create the VPN connection. Normally domain
user accounts are used to create the VPN connection.
 Note: ISA Server will now accept incoming VPN connections from client computers on the External network.
Those client computers will then automatically be placed in the VPN Clients network.
In a later exercise, you will create access rules to allow the VPN Clients network access to the Internal
network.
Exercise 2
Configuring a Client Computer to Establish a VPN Connection
In this exercise, you will configure a client computer on the Internet to establish a VPN
connection to the ISA Server computer.

Tasks Detailed steps


 Note: This lab exercise uses the following computers: Denver - Paris - Istanbul
Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.
 Perform the following steps on the Istanbul computer.

1. On the Istanbul computer, examine the current IP address configuration, and use the Ping command to test connectivity to the Internal network (10.1.1.5).
a. On the Istanbul computer, open a Command Prompt window.
b. At the command prompt, type ipconfig, and then press Enter.
 The output of the ipconfig command shows that Istanbul currently uses only the IP address 39.1.1.7.
c. Type ping  39.1.1.1, and then press Enter.
 The ping requests time out, because ISA Server (39.1.1.1) does not
allow incoming ping requests from computers on the External network
(Internet).
d. Type ping  10.1.1.5, and then press Enter.
 The ping requests time out, because Istanbul cannot connect to
computers on the Internal network yet.
e. Close the Command Prompt window.
2. Create a new connection in the Network Connections window.
Type: VPN connection
Name: VPN to Contoso
VPN Server: 39.1.1.1
a. On the Start menu, click Control Panel, right-click Network Connections, and then click Open.
 The Network Connections window opens.
b. In the Network Connections window, right-click New Connection Wizard, and then click New Connection.
c. In the New Connection Wizard dialog box, click Next.
d. On the Network Connection Type page, select
Connect to the network at my workplace, and then click Next.
e. On the Network Connection page, select
Virtual Private Network connection, and then click Next.
f. On the Connection Name page, in the Company Name text box, type
VPN to Contoso, and then click Next.
g. On the VPN Server Selection page, in the Host name or IP address text
box, type 39.1.1.1, and then click Next.
h. On the Connection Availability page, select My use only, and then click
Next.
i. On the Completing the New Connection Wizard page, click Finish.
 The wizard creates a new connection in the Network Connections
window, and displays the Connect VPN to Contoso dialog box, prompting you
to establish the connection.
3. Establish the VPN connection named VPN to Contoso.
User name: Administrator
Password: password
a. In the Connect VPN to Contoso dialog box, complete the following information:
  User name: Administrator
  Password: password
and then click Connect.
 After creating the VPN connection to the ISA Server computer, an icon appears in the System tray, which represents the established connection.
4. Examine the current IP address configuration, and use the Ping command to test the connection to the Internal network (10.1.1.5), and the VPN tunnel end-point (10.3.1.1).
a. Open a Command Prompt window.
b. At the command prompt, type ipconfig, and then press Enter.
 The output of the ipconfig command shows that Istanbul currently uses the IP address 39.1.1.7, and has received a new IP address 10.3.1.2 (or higher) for its VPN connection to the ISA Server computer. Notice that both connections list a default gateway setting.
c. Type route  print, and then press Enter.
 The output of the route command shows that Istanbul has two
default routes (the two Netmask 0.0.0.0 lines). However, the default route for
the VPN connection (10.3.1.2) has a lower metric (1) than the metric (21) for
the default gateway on the network adapter connection (39.1.1.1). The active
default gateway is using the VPN connection (10.3.1.2), as is shown by the
Default Gateway line at the end of the output.
d. Type ping  10.1.1.5, and then press Enter.
 The ping requests (to Denver) time out. Even though Istanbul has
created a VPN connection to the ISA Server computer, it cannot connect to
computers on the Internal network yet.
 Note: VPN client computers are not considered part of the Internal
network, but instead are considered to be in the special VPN Clients network,
when they create a VPN connection. They are subject to the firewall policy
access rules for the VPN Clients network. Furthermore, all access from the
VPN Clients network is logged in the Firewall log.
e. Type ping  10.3.1.1, and then press Enter.
 The ping requests time out. The IP address 10.3.1.1 is the
destination VPN IP address on the ISA Server computer. Even the end-point of
the VPN tunnel cannot be reached without an access rule that allows this.
 Perform the following steps on the Paris computer.

5. On the Paris computer, use the Ping command to test the connection to the VPN client computer (10.3.1.2 or higher).
a. On the Paris computer, open a Command Prompt window.
b. At the command prompt, type ping  10.3.1.2 (or the higher 10.3.1.x IP address assigned to Istanbul), and then press Enter.
 Four ping replies are returned from the Istanbul computer.
c. Close the Command Prompt window.
d. In the ISA Server console, select Firewall Policy.
e. In the task pane, on the Tasks tab, click Show System Policy Rules.
 System policy rule 12 allows Ping from Local Host (the ISA Server
computer) to All Networks (including the VPN Clients network).
f. In the task pane, on the Tasks tab, click Hide System Policy Rules.
6. Create a new access rule.
Name: Allow Ping from VPN clients
Applies to: PING
From network: VPN Clients
To network: Local Host
a. In the right pane, select the first rule, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.
b. In the task pane, on the Tasks tab, click Create Access Rule.
c. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow Ping from VPN clients, and then click Next.
d. On the Rule Action page, select Allow, and then click Next.
e. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.
f. In the Add Protocols dialog box,
  click Common Protocols, click PING, and click Add,
and then click Close to close the Add Protocols dialog box.
g. On the Protocols page, click Next.
h. On the Access Rule Sources page, click Add.
i. In the Add Network Entities dialog box,
  click Networks, click VPN Clients, and click Add,
and then click Close to close the Add Network Entities dialog box.
j. On the Access Rule Sources page, click Next.
k. On the Access Rule Destinations page, click Add.
l. In the Add Network Entities dialog box,
  click Networks, click Local Host, and click Add,
and then click Close to close the Add Network Entities dialog box.
m. On the Access Rule Destinations page, click Next.
n. On the User Sets page, click Next.
o. On the Completing the New Access Rule Wizard page, click Finish.
 A new firewall policy rule is created that allows Ping from the
VPN Clients network to the Local Host network (ISA Server).
p. Click Apply to apply the new rule, and then click OK.
 Perform the following steps on the Istanbul computer.

7. On the Istanbul computer, use the Ping command again to test connectivity to the VPN tunnel end-point at the ISA Server computer (10.3.1.1).
a. On the Istanbul computer, at the command prompt, type ping  10.3.1.1, and then press Enter.
 Four (or three) ping replies are returned from the ISA Server computer. The Allow Ping from VPN clients access rule allows access to 10.3.1.1.
 This result confirms that the Istanbul computer is on the
VPN Clients network, while it has an active VPN connection to the ISA Server
computer.
b. Close the Command Prompt window.
 In the next exercise, you will configure ISA Server to allow
VPN Clients network access to the Internal network.
Exercise 3
Allowing Internal Network Access for VPN Clients
In this exercise, you will configure ISA Server so that client computers on the Internet are allowed access to the Internal network by establishing a VPN connection.

Tasks Detailed steps


 Note: This lab exercise uses the following computers: Denver - Paris - Istanbul
Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.
 Perform the following steps on the Paris computer.

1. On the Paris computer, examine the network rule for connectivity between the VPN Clients network and the Internal network.
a. On the Paris computer, in the ISA Server console, in the left pane, expand Configuration, and then select Networks.
b. In the right pane, on the Network Rules tab, select the rule that defines the connectivity between the VPN Clients network and the Internal network.
 In the default configuration for the 3-Leg Perimeter network
template, the network rule named VPN Clients to Internal Network (rule 2)
indicates that ISA Server will Route network traffic between the VPN Clients
network and the Internal network.
2. Create a new access rule:
Name: Allow access from VPN clients to Internal
Applies to: PING, Microsoft CIFS (TCP)
From network: VPN Clients
To network: Internal
a. In the ISA Server console, in the left pane, select Firewall Policy.
b. In the right pane, select the first rule to indicate where the new rule is added to the rule list.
c. In the task pane, on the Tasks tab, click Create Access Rule.
d. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow access from VPN clients to Internal, and then click Next.
e. On the Rule Action page, select Allow, and then click Next.
f. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.
g. In the Add Protocols dialog box,
  click Common Protocols, click PING, and click Add,
  click All protocols, click Microsoft CIFS (TCP), and click Add,
and then click Close to close the Add Protocols dialog box.
 The Microsoft CIFS (TCP) protocol is also known as Server
Message Blocks (SMB) - TCP port 445. It is used to access file shares and
printer shares.
h. On the Protocols page, click Next.
i. On the Access Rule Sources page, click Add.
j. In the Add Network Entities dialog box,
  click Networks, click VPN Clients, and click Add,
and then click Close to close the Add Network Entities dialog box.
k. On the Access Rule Sources page, click Next.
l. On the Access Rule Destinations page, click Add.
m. In the Add Network Entities dialog box,
  click Networks, click Internal, and click Add,
and then click Close to close the Add Network Entities dialog box.
n. On the Access Rule Destinations page, click Next.
o. On the User Sets page, click Next.
p. On the Completing the New Access Rule Wizard page, click Finish.
 A new firewall policy rule is created that allows the Ping and CIFS
protocols from the VPN Clients network to the Internal network.
q. Click Apply to apply the new rule, and then click OK.
 Perform the following steps on the Istanbul computer.

3. On the Istanbul computer, reconnect the VPN to Contoso connection, if it was disconnected.
a. On the Istanbul computer, if the VPN to Contoso connection is disconnected, then in the Network Connections window, right-click VPN to Contoso, and then click Connect. In the Connect VPN to Contoso dialog box, complete the following information:
  User name: Administrator
  Password: password
and then click Connect.
 The VPN connection to the ISA Server computer is established
again.
4. Use the Ping command to test connectivity to the Internal network (10.1.1.5), and use the Run dialog box to connect to \\10.1.1.5.
a. Open a Command Prompt window.
b. At the command prompt, type ping  10.1.1.5, and then press Enter.
 Four (or three) ping replies are returned from the Denver computer (10.1.1.5). Istanbul can now access the Internal network.
c. Close the Command Prompt window.
d. On the Start menu, click Run.
e. In the Run dialog box, type \\10.1.1.5, and then click OK.
 A Windows Explorer window opens for \\10.1.1.5. This shows that
ISA Server allows VPN client computers access to file shares on computers on
the Internal network.
f. Close the \\10.1.1.5 window.
5. Disconnect the VPN to Contoso connection, and close the Network Connections window.
a. In the System tray, right-click the connection icon, and click Disconnect.
 The VPN to Contoso connection is disconnected.
b. Close the Network Connections window.
Exercise 4
Configuring VPN Quarantine on ISA Server
In this exercise, you will configure ISA Server so that it can allow phased network access to
VPN clients. Only client computers whose security configuration meets the security policy
are allowed full access to the network.

Tasks Detailed steps


 Note: Remote Access Quarantine (or VPN Quarantine) implements 'phased network access' for (VPN) dial-up
client computers. This functionality can be provided by the Windows Server 2003 Remote Access service or
by ISA Server 2006.
In both cases, connect time restrictions and network access restrictions are applied to the VPN client computer,
while a script or a custom application verifies the security configuration of the client computer. If the security
configuration meets the security policy, the time and access restrictions for the client computer are removed.
  When Windows Server 2003 Remote Access service is used to implement VPN Quarantine, a remote
access policy (from the Remote Access server, or from a RADIUS server) applies a connection time-out and
restrictive IP filters while the configuration of the client computer is verified.
  When ISA Server 2006 is used to implement VPN Quarantine, the VPN client computer is first placed in the
Quarantined VPN Clients network, while the configuration of the client computer is verified. If the
configuration meets the requirements, the client computer is then placed in the VPN Clients network. The
firewall policy rules for the Quarantined VPN Clients network and the VPN Clients network define the allowed
network access for the client computer.
 In this exercise, ISA Server 2006 provides the VPN Quarantine functionality.
 Note: This lab exercise uses the following computers: Denver - Paris - Istanbul
Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.
 Perform the following steps on the Paris computer.

1. On the Paris computer, in the C:\Tools folder, examine the RQScript.vbs script file that is used to check the security configuration of the VPN client computer.
a. On the Paris computer, use Windows Explorer (or My Computer) to open the C:\Tools folder.
 The RQScript.vbs script file in the Tools folder is the script that this lab uses to check the security configuration of the VPN client computer.
b. Right-click the RQScript.vbs file, and then click Edit (do not click Open).
c. Maximize the RQScript.vbs - Notepad window, if that is not done already.
 The RQScript.vbs script file checks whether Internet Connection
Firewall (ICF) or Windows Firewall is enabled on the network connections of
the VPN client computer. If this is the case, it passes the script identifier
(RQScript_ID) RQVersion3 back to the remote access server (ISA Server),
which will remove the quarantine restrictions.
 Note: The same script can be used for either Windows Server 2003
Remote Access Quarantine, or ISA Server 2006 VPN Quarantine.
d. Close Notepad.
e. Close the Tools folder.
2. Install the Remote Access Quarantine Agent service (RQS.exe).
a. On the Start menu, click Control Panel, and then click Add or Remove Programs.
 Note: Since Windows Server 2003 SP1, the Remote Access Quarantine Agent service (RQS.exe) is part of the operating system. Before SP1, the service was installed from the Windows Server 2003 Resource Kit tools.
b. In the Add or Remove Programs window, click
Add/Remove Windows Components.
c. On the Windows Components page, select the Networking Services component (do NOT select the check box), and then click Details.
d. In the Networking Services dialog box, select the
Remote Access Quarantine Service check box, and then click OK.
e. On the Windows Components page, click Next.
 Please wait while Setup installs the Remote Access Quarantine
Service network service.
f. On the Completing the Windows Components Wizard page, click
Finish.
 Setup does not completely configure the RQS.exe service for use
with ISA Server 2006. You still need to define acceptable script identifiers
(version strings) in the registry, configure the service for use with ISA Server,
and then start the service.
g. Close the Add or Remove Programs window.
3. Configure the RQS.exe service:
   AllowedSet: RQVersion3
   Authenticator: vpnplgin.dll
a. On the Start menu, click Run.
b. In the Run dialog box, type regedit.exe, and then click OK.
c. In the Registry Editor window, select the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rqs key.
d. In the right pane, right-click the AllowedSet value, and then click Modify.
e. In the Edit Multi-String dialog box, delete the current value, type RQVersion3, and then click OK.
   RQVersion3 is the identifier of the script (RQScript.vbs) that this lab uses to check the security configuration of the client computer.
f. Right-click the rqs key, click New, and then click String Value.
g. In the New Value #1 text box, replace the text by typing Authenticator, and then press Enter.
   A new REG_SZ value named Authenticator is created.
h. Right-click the Authenticator value, and then click Modify.
   Note: Ensure that you do not make a typing mistake in the file name below. The RQS.exe service will stop if it cannot find the file specified in the Authenticator registry value.
i. In the Edit String dialog box, type C:\Program Files\Microsoft ISA Server\vpnplgin.dll, and then click OK.
   After the RQC.exe application on the client computer notifies the RQS.exe service on the server, by default the RQS.exe service calls %windir%\System32\mprapi.dll (Remote Access service) to remove the quarantine restrictions. When ISA Server provides the quarantine restrictions, the RQS.exe service must call vpnplgin.dll in the ISA Server folder instead.
j. Close the Registry Editor window.
k. On the Start menu, click Administrative Tools, and then click Services.
l. In the Services console, in the right pane, right-click Remote Access Quarantine Agent, and then click Properties.
   By default, the Startup type of the RQS.exe service is Manual. You will start the service later in this lab.
m. Click Cancel to close the Remote Access Quarantine Agent Properties dialog box.
n. Close the Services console.
4. Create a new protocol definition:
   Name: RQS - Network Quarantine
   Direction: Outbound
   Port: TCP 7250
a. In the ISA Server console, in the left pane, select Firewall Policy.
   When the security configuration of the VPN client computer meets the security policy, the RQC.exe application on the client computer notifies the RQS.exe service on the ISA Server that the quarantine restrictions can be removed. This requires an access rule to allow communication (using TCP port 7250) from the Quarantined VPN Clients network to the Local Host network (ISA Server).
b. In the task pane, on the Toolbox tab, in the Protocols section, on the New menu, click Protocol.
c. In the New Protocol Definition Wizard dialog box, in the Protocol definition name text box, type RQS - Network Quarantine, and then click Next.
d. On the Primary Connection Information page, click New.
e. In the New/Edit Protocol Connection dialog box, complete the following information:
   - Protocol type: TCP
   - Direction: Outbound
   - Port Range From: 7250
   - Port Range To: 7250
   and then click OK.
   Note: At first sight it may seem unexpected to create an Outbound protocol definition for communication to the ISA Server. However, you will create an access rule (requiring an Outbound protocol definition) for the RQC.exe application on the Quarantined VPN Clients network, rather than a server publishing rule (requiring an Inbound protocol definition) to publish the RQS.exe service on the ISA Server.
f. On the Primary Connection Information page, click Next.
g. On the Secondary Connections page, select No, and then click Next.
h. On the Completing the New Protocol Definition Wizard page, click Finish.
   A new user-defined protocol definition named RQS - Network Quarantine is created.
5. Create a new access rule:
   Name: Allow RQS network quarantine notification
   Applies to: RQS - Network Quarantine
   From network: Quarantined VPN Clients
   To network: Local Host
a. In the right pane, select the first rule to indicate where the new rule is added to the rule list.
b. In the task pane, on the Tasks tab, click Create Access Rule.
c. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow RQS network quarantine notification, and then click Next.
d. On the Rule Action page, select Allow, and then click Next.
e. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.
f. In the Add Protocols dialog box, click User-Defined, click RQS - Network Quarantine, click Add, and then click Close to close the Add Protocols dialog box.
g. On the Protocols page, click Next.
h. On the Access Rule Sources page, click Add.
i. In the Add Network Entities dialog box, click Networks, click Quarantined VPN Clients, click Add, and then click Close to close the Add Network Entities dialog box.
   Note: You can configure ISA Server (or remote access policies) to exempt certain users from the network access quarantine check. This means that these VPN clients are placed directly in the VPN Clients network when connected. You must include the VPN Clients network in the access rule if you want to allow RQC.exe communication in that scenario.
j. On the Access Rule Sources page, click Next.
k. On the Access Rule Destinations page, click Add.
l. In the Add Network Entities dialog box, click Networks, click Local Host, click Add, and then click Close to close the Add Network Entities dialog box.
m. On the Access Rule Destinations page, click Next.
n. On the User Sets page, click Next.
o. On the Completing the New Access Rule Wizard page, click Finish.
   A new firewall policy rule is created that allows RQS communication from a VPN client computer on the Quarantined VPN Clients network to the ISA Server.
6. In the C:\Tools\ISA folder, examine the ConfigureRQSForISA.vbs script file.
a. Use Windows Explorer (or My Computer) to open the C:\Tools\ISA folder.
b. Right-click the ConfigureRQSForISA.vbs file, and then click Edit (do NOT click Open).
c. Maximize the ConfigureRQSForISA.vbs - Notepad window if that is not done already.
   The ConfigureRQSForISA.vbs script file is provided on the Microsoft Web site in the ISA Server downloads section as part of the Remote Access Quarantine Tool (RQSUtils.exe).
   It does all the tasks done in this exercise so far. This includes:
   - Installing the RQS.exe service.
   - Defining the AllowedSet registry entry.
   - Defining the Authenticator registry entry.
   - Creating the RQS protocol definition.
   - Creating the Allow RQS access rule.
   and even starting the RQS.exe service.
   For demonstration purposes, these steps were done manually in this exercise.
d. Close Notepad.
e. Close the Windows Explorer window.
7. Configure ISA Server to enable quarantine:
   Type: Use ISA Server
   Disconnect quarantine: 60 seconds
a. In the ISA Server console, in the left pane, select Networks.
b. In the right pane, on the Networks tab, right-click the Quarantined VPN Clients network, and then click Properties.
c. In the Quarantined VPN Clients Properties dialog box, on the Quarantine tab, select Enable Quarantine Control.
d. In the message box, click OK to acknowledge that enabling quarantine control requires configuration on both the ISA Server and the VPN client computers.
   The required configuration on the VPN client computers (installing a Connection Manager profile that includes the RQScript.vbs script file and the RQC.exe notifier component) is done in the next exercise.
e. On the Quarantine tab, complete the following information:
   - Enable Quarantine Control: enable (done in previous step)
   - Quarantine according to ISA Server policies: enable (is default)
   - Disconnect quarantine users after (seconds): 60
   and then click OK.
   The option to use quarantine according to RADIUS server policies requires a remote access policy on the Remote Access server (or on a RADIUS server) that applies the connection time-out. It also requires RQS.exe to call mprapi.dll, instead of vpnplgin.dll, to remove the quarantine restrictions.
f. Click Apply to save the changes, and then click OK.
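A pre-flight check for the RQS.exe configuration built in tasks 2 and 3 (and the service start later in Exercise 6), as an added PowerShell example that is not part of the lab manual or of the RQSUtils tool; it assumes it runs in an elevated PowerShell prompt on the ISA Server (Paris) and that the registry values, file path and port are the ones this exercise creates.

```powershell
# Added example (not from the lab manual): verify the Remote Access Quarantine Agent
# (RQS.exe) prerequisites that this exercise configures by hand.
# Assumptions: run elevated on the ISA Server (Paris); the rqs registry key,
# the script identifier, the Authenticator path and TCP port 7250 are the lab's values.

$rqsKey       = 'HKLM:\SYSTEM\CurrentControlSet\Services\rqs'
$expectedId   = 'RQVersion3'                                          # RQScript_ID used by RQScript.vbs
$expectedAuth = 'C:\Program Files\Microsoft ISA Server\vpnplgin.dll'  # ISA Server plug-in, not mprapi.dll
$rqsPort      = 7250

$problems = @()

if (-not (Test-Path $rqsKey)) {
    $problems += "Registry key $rqsKey is missing: the Remote Access Quarantine Service component is not installed."
} else {
    $props = Get-ItemProperty -Path $rqsKey

    # AllowedSet is a REG_MULTI_SZ listing every script identifier RQS.exe accepts.
    $allowed = @($props.AllowedSet)
    if ($allowed -notcontains $expectedId) {
        $problems += "AllowedSet does not contain '$expectedId' (current: '$($allowed -join ', ')'); notifications from RQScript.vbs would be ignored."
    }

    # Authenticator must name the ISA Server plug-in; a wrong or missing file stops the service.
    $auth = $props.Authenticator
    if (-not $auth) {
        $problems += "Authenticator value is missing; RQS.exe would call mprapi.dll, which cannot remove ISA Server quarantine restrictions."
    } elseif ($auth -ne $expectedAuth) {
        $problems += "Authenticator is '$auth', expected '$expectedAuth'."
    } elseif (-not (Test-Path -LiteralPath $auth)) {
        $problems += "Authenticator file '$auth' does not exist; the RQS.exe service stops when it cannot find this file."
    }
}

# Service state: the key under Services\rqs means the service name is rqs.
$svc = Get-Service -Name rqs -ErrorAction SilentlyContinue
if (-not $svc) {
    $problems += "Service 'rqs' (Remote Access Quarantine Agent) is not installed."
} elseif ($svc.Status -ne 'Running') {
    $problems += "Service 'rqs' is $($svc.Status); start it once the registry values are correct."
} else {
    # A running RQS.exe should own a TCP listener on port 7250 for RQC.exe notifications.
    $listening = netstat -a -n -p tcp | Select-String -Pattern ":$rqsPort\s+\S+\s+LISTENING"
    if (-not $listening) {
        $problems += "RQS.exe is running but nothing is listening on TCP $rqsPort."
    }
}

if ($problems.Count -eq 0) {
    Write-Host "RQS.exe is ready for ISA Server quarantine: AllowedSet contains $expectedId, Authenticator is $expectedAuth, listening on TCP $rqsPort."
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

Run it after task 3 to confirm the registry edits (expect only the "service is Stopped" warning until Exercise 6), and again after the service is started.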
Exercise 5
Creating and Distributing a Connection Manager Profile
In this exercise, you will create and distribute a Connection Manager profile for use with network access quarantine. The profile is made available through an extranet distribution point.

Tasks / Detailed steps

Note: In order to run the script that verifies the security configuration of the VPN client computer, the client computer must use a Connection Manager profile to establish the VPN connection. The profile includes the script (RQScript.vbs) and the notifier component (RQC.exe).
The Connection Manager profile is created with the Connection Manager Administration Kit (CMAK).
Note: This lab exercise uses the following computers: Denver - Paris - Istanbul
Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.
Perform the following steps on the Paris computer.

1. On the Paris computer, install the Connection Manager Administration Kit (CMAK).
a. On the Paris computer, on the Start menu, click Control Panel, and then click Add or Remove Programs.
b. In the Add or Remove Programs window, click Add/Remove Windows Components.
c. On the Windows Components page, select the Management and Monitoring Tools component (do NOT clear or select the check box), and then click Details.
d. In the Management and Monitoring Tools dialog box, select the Connection Manager Administration Kit check box, and then click OK.
e. On the Windows Components page, click Next.
   Please wait while Setup installs the Connection Manager Administration Kit (CMAK).
f. On the Completing the Windows Components Wizard page, click Finish.
g. Close the Add or Remove Programs window.
2. Use CMAK to create a new Connection Manager profile.
   - Service name: VPN to Contoso (CM)
   - File name: VPN_RQ
   - VPN server: 39.1.1.1
   - Custom post-connect action: C:\Tools\RQScript.vbs %TunnelRasEntry% %Domain% %UserName%
   - Additional files: C:\Program Files\cmak\support\rqc.exe
a. On the Start menu, click Administrative Tools, and then click Connection Manager Administration Kit.
b. On the Welcome to the Connection Manager Administration Kit Wizard page, click Next.
   Note: The CMAK wizard consists of 20 steps. Only two steps (Custom action and Additional files) are related to the use of network access quarantine.
c. On the Service Profile Selection page, select New profile, and then click Next.
d. On the Service and File Names page, complete the following information:
   - Service name: VPN to Contoso (CM)
   - File name: VPN_RQ
   and then click Next.
e. On the Realm Name page, select Do not add a realm name to the user name, and then click Next.
f. On the Merging Profile Information page, click Next.
g. On the VPN Support page, complete the following information:
   - Phone book from this profile: enable
   - Always use the same VPN server: 39.1.1.1
   and then click Next.
   The IP address 39.1.1.1 is the address of the External Connection network adapter on Paris.
h. On the VPN Entries page, select VPN to Contoso (CM) Tunnel, and then click Next.
i. On the Phone Book page, CLEAR the Automatically download phone book updates check box, and then click Next.
j. On the Dial-up Networking Entries page, select VPN to Contoso (CM), and then click Next.
k. On the Routing Table Update page, select Do not change the routing tables, and then click Next.
l. On the Automatic Proxy Configuration page, select Do not configure proxy settings, and then click Next.
   The next step in the CMAK wizard is the first step that is related to the use of network access quarantine.
m. On the Custom Actions page, click New.
n. In the New Custom Action dialog box, complete the following information:
   - Description: Quarantine policy checking
   - Program to run: c:\tools\RQScript.vbs
   - Parameters: %TunnelRasEntry% %Domain% %UserName%
   - Action type: Post-connect
   - Run this custom action for: All connections (is default)
   - Include the custom action program: enable
   - Program interacts with the user: enable (is default)
   and then click OK.
   The TunnelRasEntry, Domain and UserName parameters passed to the script are variables that RQC.exe passes back to the RQS.exe service on the ISA Server to identify the particular connection.
o. On the Custom Actions page, click Next.
   The next 8 wizard steps use the default setting in this lab.
p. On the Logon Bitmap page, select Default graphic, and then click Next.
q. On the Phone Book Bitmap page, select Default graphic, and then click Next.
r. On the Icons page, select Default icons, and then click Next.
s. On the Notification Area Shortcut Menu page, click Next.
t. On the Help File page, select Default Help file, and then click Next.
u. On the Support Information page, click Next.
v. On the Connection Manager Software page, select Install Connection Manager 1.3, and then click Next.
w. On the License Agreement page, click Next.
   The next step is the second step that is related to the use of network access quarantine.
x. On the Additional Files page, click Add.
y. In the Browse dialog box, in the C:\Program Files\cmak\support folder, select the rqc.exe file, and then click Open.
   RQC.exe is the application that runs on the VPN client computers.
z. On the Additional Files page, click Next.
aa. On the Ready to Build the Service Profile page, do NOT select Advanced customization, and then click Next.
   A Command Prompt window opens and closes as the new Connection Manager profile (VPN_RQ.exe) is created in the C:\Program Files\cmak\Profiles\VPN_RQ folder.
bb. On the Completing the Connection Manager Administration Kit Wizard page, click Finish.
3. Create a new folder C:\Inetpub\Extranet. Copy VPN_RQ.exe to the Extranet folder.
a. Use Windows Explorer (or My Computer) to open the C:\Program Files\cmak\Profiles\VPN_RQ folder.
b. Right-click the VPN_RQ.exe file, and then click Copy.
c. In the Windows Explorer window, open the C:\Inetpub folder.
d. Right-click in the empty area of the Inetpub folder, click New, and then click Folder.
e. In the New Folder text box, replace the text by typing Extranet, and then press Enter.
   A new folder C:\Inetpub\Extranet is created.
f. Open the Extranet folder.
g. In the empty area of the Extranet folder, click Paste.
   The Connection Manager profile VPN_RQ.exe is copied to the C:\Inetpub\Extranet folder. After the Extranet folder is published through ISA Server, client computers can install the profile.
h. Close the Extranet folder.
   Note: You may have done the next task in an earlier exercise already.

4. Configure the default Web site to use port 81, and then start the Web site (if this is not done already).
a. On the Start menu, click Administrative Tools, and then click Internet Information Services (IIS) Manager.
   The IIS Manager console opens.
b. In the IIS Manager console, expand PARIS (local computer), expand Web Sites, right-click Default Web Site, and then click Properties.
c. In the Default Web Site Properties dialog box, on the Web Site tab, ensure that the TCP port text box is set to 81, and then click OK.
   The default HTTP TCP port is 80. Because ISA Server uses port 80 for publishing Web sites (and for publishing automatic discovery information for Web clients), the Web site on the ISA Server computer must be changed to another port.
d. If the Default Web Site is not started, right-click Default Web Site (Stopped), and then click Start.
   The default Web site is started. The Web site listens on port 81.
5. Create a new virtual directory for the default Web site:
   Alias: extranet
   Path: C:\Inetpub\Extranet
   Permissions: Read and Browse
a. In the IIS Manager console, in the left pane, expand Default Web Site.
b. Right-click Default Web Site, click New, and then click Virtual Directory.
c. In the Virtual Directory Creation Wizard dialog box, click Next.
d. On the Virtual Directory Alias page, in the Alias text box, type extranet, and then click Next.
e. On the Web Site Content Directory page, in the Path text box, type C:\Inetpub\Extranet, and then click Next.
f. On the Virtual Directory Access Permissions page, complete the following information:
   - Read: enable (is default)
   - Run scripts: disable (is default)
   - Execute: disable (is default)
   - Write: disable (is default)
   - Browse: ENABLE
   and then click Next.
   The Browse permission is required because the Extranet folder does not contain an HTML document to display. It only contains the Connection Manager profile VPN_RQ.exe.
g. On the Completing the Virtual Directory Creation Wizard page, click Finish.
   A new virtual directory named extranet is created for the default Web site.
   Note: By default, the extranet virtual directory allows anonymous access. Normally you would require authentication to access resources on the extranet.
h. Close the IIS Manager console.
   Note: You may have done the next task in an earlier exercise already.

6. Create a new Web listener (if this is not done already):
   Name: External Web 80
   SSL: disable
   Network: External
   Compression: disable
   Authentication: none
a. In the ISA Server console, in the left pane, select Firewall Policy.
b. In the task pane, on the Toolbox tab, in the Network Objects section, expand Web Listeners (if possible).
   Note: If a Web listener named External Web 80 was already created in an earlier exercise, you can skip the rest of this task.
c. If a Web listener named External Web 80 does not exist, right-click Web Listeners, and then click New Web Listener.
d. In the New Web Listener Definition Wizard dialog box, in the Web listener name text box, type External Web 80, and then click Next.
e. On the Client Connection Security page, select Do not require SSL secured connections with clients, and then click Next.
f. On the Web Listener IP Addresses page, complete the following information:
   - Listen on network: External
   - ISA Server will compress content: disable
   and then click Next.
g. On the Authentication Settings page, in the drop-down list box, select No Authentication, and then click Next.
h. On the Single Sign On Settings page, click Next.
i. On the Completing the New Web Listener Wizard page, click Finish.
   A new Web listener (port 80 on the IP address of the adapter on the External network) with the name External Web 80 is created.
7. Create a Web publishing rule:
   Name: Extranet Web Site
   Publishing type: single Web site
   Internal site name: Paris
   IP address: 10.1.1.1
   Path: /extranet
   Port: 81
   Public name: www.contoso.com/extranet
   Web listener: External Web 80
   Delegation: none
a. In the left pane, select Firewall Policy.
b. In the right pane, select the first rule to indicate where the new rule is added to the rule list.
c. In the task pane, on the Tasks tab, click Publish Web Sites.
d. In the New Web Publishing Rule Wizard dialog box, in the Web publishing rule name text box, type Extranet Web Site, and then click Next.
e. On the Select Rule Action page, select Allow, and then click Next.
f. On the Publishing Type page, select Publish a single Web site, and then click Next.
g. On the Server Connection Security page, select Use non-secured connections to connect to the published Web server, and then click Next.
h. On the Internal Publishing Details page, complete the following information:
   - Internal site name: Paris
   - Use a computer name or IP address: enable
   - Computer name or IP address: 10.1.1.1
   and then click Next.
   Note: After completing the wizard, the destination TCP port of the rule can be set to 81.
   10.1.1.1 is the IP address of Paris on the Internal network.
i. On the next Internal Publishing Details page, complete the following information:
   - Path: extranet/*
   - Forward the original host header: enable
   and then click Next.
   The option to forward the original host header is enabled because otherwise IIS would display the redirected address (10.1.1.1/extranet) in the directory browsing output in Internet Explorer. It is usually considered good practice not to reveal the internal addresses of published servers.
j. On the Public Name Details page, complete the following information:
   - Accept requests for: This domain name (type below):
   - Public name: www.contoso.com
   - Path: /extranet/*
   and then click Next.
   The public name of the Web site is www.contoso.com/extranet.
k. On the Select Web Listener page, in the Web listener drop-down list box, select External Web 80, and then click Next.
l. On the Authentication Delegation page, select No delegation, and client cannot authenticate directly, and then click Next.
m. On the User Sets page, click Next.
n. On the Completing the New Web Publishing Rule Wizard page, click Finish.
   A new Web publishing rule is created that publishes the Web site at 10.1.1.1/extranet (Paris) as www.contoso.com/extranet on the External network.
o. In the right pane, select the Extranet Web Site Web publishing rule, and then in the task pane, on the Tasks tab, click Edit Selected Rule.
p. In the Extranet Web Site Properties dialog box, on the Bridging tab, in the Redirect requests to HTTP port text box, type 81.
   The Web publishing rule now redirects requests for www.contoso.com/extranet (port 80) to 10.1.1.1/extranet (port 81).
q. Click OK to close the Extranet Web Site Properties dialog box.
r. Click Apply to apply the new rule, and then click OK.
Perform the following steps on the Istanbul computer.

8. On the Istanbul computer, connect to http://www.contoso.com/extranet and install the VPN_RQ.exe Connection Manager profile.
a. On the Istanbul computer, open Internet Explorer. In the Address box, type http://www.contoso.com/extranet, and then press Enter.
   The content of the C:\Inetpub\Extranet folder is displayed. The folder only contains the Connection Manager profile VPN_RQ.exe.
   If Internet Explorer shows HTTP Error 403 - Forbidden, the properties of the extranet virtual directory in IIS on Paris are not set to allow Directory browsing, or do not allow anonymous access.
b. In the extranet folder, right-click VPN_RQ.exe, and then click Open.
c. In the File Download - Security Warning message box, click Run.
d. In the Internet Explorer - Security Warning message box, click Run to confirm that you want to run this software (without a valid signature to verify the publisher).
e. In the VPN to Contoso (CM) message box, click Yes to confirm that you want to install the Connection Manager profile.
f. In the next VPN to Contoso (CM) dialog box, select My use only, and then click OK.
   The Connection Manager profile is installed on the Istanbul computer.
   After the installation is completed, the Network Connections window opens, and the VPN to Contoso (CM) connection dialog box is shown.
g. Click Cancel to close the VPN to Contoso (CM) connection dialog box.
h. Close the Network Connections window.
i. Close Internet Explorer.
   Note: Besides making the Connection Manager profile available through a published extranet solution, as is done in the scenario in this exercise, you can also allow (portable) client computers to install the Connection Manager profile from a shared folder on the internal network, at a time when the client computers are on the internal network.

Exercise 6
Using VPN Quarantine on the Client Computer
In this exercise, you will use network access quarantine by creating a VPN connection from the VPN client to the ISA Server.

Tasks / Detailed steps

Note: This lab exercise uses the following computers: Denver - Paris - Istanbul
Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.
Perform the following steps on the Istanbul computer.

1. On the Istanbul computer, use the VPN to Contoso (CM) connection to establish a VPN connection to the ISA Server.
   User name: Administrator
   Password: password
   Domain: (empty)
a. On the Istanbul computer, on the Start menu, click Control Panel, right-click Network Connections, and then click Open.
b. In the Network Connections window, under Connection Manager, right-click VPN to Contoso (CM), and then click Connect.
c. In the VPN to Contoso (CM) connection dialog box, complete the following information:
   - User name: Administrator
   - Password: password
   - Logon domain: (leave empty)
   - Save password: ENABLE
   - Connect automatically: disable (is default)
   and then click Connect.
   A yellow balloon in the system tray area shows that the VPN is now connected.
   The quarantine script displays a message box to indicate that the security configuration of the client computer does not meet the security policy (ICF is not enabled on the network connections).
   The connection stays in quarantine mode and is dropped after 60 seconds.
d. Click OK to close the Remote Access Quarantine message box.
e. Open a Command Prompt window.
f. At the command prompt, type ipconfig, and then press Enter.
   The output of the ipconfig command shows that Istanbul currently has a VPN connection to Paris using IP address 10.3.1.2 (or higher).
   Note: If the connection drops before you can complete the next ping command, click Yes in the Reconnect message box, and then click Connect to re-establish the VPN connection.
g. At the command prompt, type ping 10.3.1.1, and then press Enter.
   The ping requests time out. The IP address of the end-point of the VPN tunnel on the ISA Server computer (10.3.1.1) cannot be reached without an access rule that allows this from the Quarantined VPN Clients network.
Perform the following steps on the Paris computer.

2. On the Paris computer, create a new access rule:
   Name: Allow Ping from Quarantined VPN clients
   Applies to: PING
   From network: Quarantined VPN Clients
   To network: Local Host
a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
b. In the right pane, select the first rule to indicate where the new rule is added to the rule list.
c. In the task pane, on the Tasks tab, click Create Access Rule.
d. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow Ping from Quarantined VPN clients, and then click Next.
e. On the Rule Action page, select Allow, and then click Next.
f. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.
g. In the Add Protocols dialog box, click Common Protocols, click PING, click Add, and then click Close to close the Add Protocols dialog box.
h. On the Protocols page, click Next.
i. On the Access Rule Sources page, click Add.
j. In the Add Network Entities dialog box, click Networks, click Quarantined VPN Clients, click Add, and then click Close to close the Add Network Entities dialog box.
k. On the Access Rule Sources page, click Next.
l. On the Access Rule Destinations page, click Add.
m. In the Add Network Entities dialog box, click Networks, click Local Host, click Add, and then click Close to close the Add Network Entities dialog box.
n. On the Access Rule Destinations page, click Next.
o. On the User Sets page, click Next.
p. On the Completing the New Access Rule Wizard page, click Finish.
   A new firewall policy rule is created that allows Ping from the Quarantined VPN Clients network to the Local Host network (ISA Server).
q. Click Apply to apply the new rule, and then click OK.
Perform the following steps on the Istanbul computer.

3. On the Istanbul computer, use the Ping command to test the connection to the VPN tunnel end-point (10.3.1.1) and the Internal network (10.1.1.5).
a. On the Istanbul computer, in the Reconnect message box, click Yes.
b. In the VPN to Contoso (CM) connection dialog box, ensure that the User name and Password information is still present, and then click Connect.
c. Click OK to close the Remote Access Quarantine message box.
d. At the command prompt, type ping 10.3.1.1, and then press Enter.
   Four (or three) ping replies are returned from the ISA Server computer. The Allow Ping from Quarantined VPN clients access rule allows access to 10.3.1.1.
   This result confirms that the Istanbul computer is on the Quarantined VPN Clients network as long as the security configuration of the client computer does not meet the security requirements.
e. At the command prompt, type ping 10.1.1.5, and then press Enter.
   The ping requests (to Denver) time out. There is currently no access rule that allows communication from the Quarantined VPN Clients network to the Internal network.
f. If the Reconnect message box appears, click No to close the message box.
4. Enable Windows Firewall.
a. On the Start menu, click Control Panel, and then click Windows Firewall.
b. In the Windows Firewall message box, click Yes to confirm that you want to start the Windows Firewall/ICS service.
   The Windows Firewall/ICS service must be running before you can configure Windows Firewall.
c. After the Windows Firewall/ICS service has started, in the Windows Firewall dialog box, on the General tab, select On, and then click OK.
   Windows Firewall is enabled on all network connections. This configuration meets the requirement of the RQScript.vbs script file, which verifies whether Windows Firewall is enabled on all non-VPN connections.
5. Use the VPN to Contoso (CM) connection to establish a VPN connection to the ISA Server again.
a. In the Network Connections window, under Connection Manager, right-click VPN to Contoso (CM), and then click Connect.
b. In the VPN to Contoso (CM) connection dialog box, ensure that the User name and Password information is still present, and then click Connect.
   This time the quarantine script displays a message box to indicate that the security configuration of the client computer does meet the security policy. However, the RQC.exe notifier component on the client computer is not able to contact the RQS.exe service on the ISA Server to remove the quarantine restrictions. The VPN connection is dropped after 60 seconds.
   The RQS.exe service cannot be contacted because the service is not started yet in this exercise.
c. Click OK to close the Remote Access Quarantine message box.
Perform the following steps on the Paris computer.

6. On the Paris computer, start the Remote Access Quarantine Agent (RQS.exe) service.
a. On the Paris computer, on the Start menu, click Administrative Tools, and then click Services.
b. In the Services console, in the right pane, right-click Remote Access Quarantine Agent, and then click Start.
   The Remote Access Quarantine Agent (RQS.exe) is now started, and listens on TCP port 7250.
   You have already created an access rule (Allow RQS network quarantine notification) that allows RQS traffic from the Quarantined VPN Clients network to the Local Host (ISA Server).
c. Close the Services console.
Perform the following steps on the Istanbul computer.

7. On the Istanbul computer, use the VPN to Contoso (CM) connection to establish a VPN connection to the ISA Server again.
   Test the connection:
   - Ping 10.1.1.5
   - Run \\10.1.1.5
   Disconnect the VPN connection again.
a. On the Istanbul computer, in the Reconnect message box, click Yes.
b. In the VPN to Contoso (CM) connection dialog box, ensure that the User name and Password information is still present, and then click Connect.
   The quarantine script successfully notified the RQS.exe service. ISA Server removed the quarantine restrictions by moving the VPN client computer from the Quarantined VPN Clients network to the VPN Clients network.
c. Click OK to close the Remote Access Quarantine message box.
d. At the command prompt, type ping 10.1.1.5, and then press Enter.
   Four ping replies are returned from the Denver computer (10.1.1.5) on the Internal network. The access rule (Allow access from VPN clients to Internal) that you created in an earlier exercise allows the communication.
e. Close the Command Prompt window.
f. On the Start menu, click Run.
g. In the Run dialog box, type \\10.1.1.5, and then click OK.
   A Windows Explorer window opens for \\10.1.1.5. These results show that the VPN client computer can now connect to resources on the Internal network.
h. Close the \\10.1.1.5 window.
   Now that ISA Server has removed the quarantine restrictions, the VPN connection is no longer disconnected after 60 seconds.
i. Right-click the connection icon in the system tray area, and then click Disconnect.
8. Use the VPN to Contoso connection (not the Connection Manager), to establish a VPN connection to the ISA Server.
Disconnect the VPN connection again.
a. In the Network Connections window, under Virtual Private Network (not under Connection Manager), right-click VPN to Contoso, and then click Connect.
b. In the Connect VPN to Contoso dialog box, complete the following information:
  User name: Administrator
  Password: password
and then click Connect.
 Istanbul successfully establishes a VPN connection to the
ISA Server. This VPN connection does NOT use the Connection Manager, and
does not start the post-connect script to verify the security configuration of the
VPN client computer. ISA Server will place the client computer in the Quarantined VPN Clients network, awaiting a notification from the
RQC.exe notifier component on the client computer. Even though the client
computer meets the security requirements (Windows Firewall is enabled), the
notification is never sent to the ISA Server, and the connection is dropped after
60 seconds.
c. Wait (60 seconds) until the Reconnect VPN to Contoso dialog box
appears, and then click Cancel, or right-click the connection icon in the system
tray area, and then click Disconnect.
 Note: The communication between the RQC.exe notifier component on the client computer and the RQS.exe service on the ISA Server is neither encrypted nor authenticated. A malicious client computer can spoof this notification and have its quarantine restrictions removed. Remote Access Quarantine is therefore not a security mechanism, but rather a mechanism to help avoid a possible insecure configuration of client computers when they establish a VPN connection.
 Note: The following tasks are needed to avoid conflicts with other lab exercises.

9. Disable Windows Firewall.
a. On the Start menu, click Control Panel, and then click Windows Firewall.
b. In the Windows Firewall dialog box, on the General tab, select Off, and
then click OK.
 Windows Firewall is no longer enabled on any network connection.
c. Close the Network Connections window.
 Perform the following steps on the Paris computer.

10. On the Paris computer, disable VPN client access.
a. On the Paris computer, in the ISA Server console, in the left pane, select Virtual Private Networks (VPN).
b. In the task pane, on the Tasks tab, click Disable VPN Client Access.
 This step disables VPN access to ISA server:
  System policy rule 13 is disabled
  The Routing and Remote Access configuration is removed
  The Routing and Remote Access service is stopped.
c. Click Apply to save the changes, and then click OK.

Module F: ISA Server 2006 as Branch Office Gateway
Exercise 1
Configuring HTTP Compression to Reduce Bandwidth Usage
In this exercise, you will configure ISA Server to compress HTTP content when responding
to requests from client computers, and to request compressed HTTP content when connecting
to other servers.

Tasks Detailed steps


 Note: This lab exercise uses the following computers: Denver - Paris - Istanbul
Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.
 Perform the following steps on the Istanbul computer.

1. On the Istanbul computer, examine the uncompressed file size of content.htm in the Default Web Site.
a. On the Istanbul computer, on the Start menu, click Administrative Tools, and then click Internet Information Services (IIS) Manager.
 The IIS Manager console opens.
b. In the IIS Manager console, expand ISTANBUL (local computer),
expand Web Sites, and then select Default Web Site.
 The Default Web Site contains a file named content.htm.
c. Right-click Default Web Site, and then click Open.
 The c:\inetpub\wwwroot folder opens.
 Notice that the uncompressed size of the content.htm file is 91 KB.
You will request this file in compressed form later in the exercise.
d. Close the c:\inetpub\wwwroot window.
e. Close the IIS Manager console.
2. Open the C:\Tools\Perfmon-sent.msc console.
a. Use Windows Explorer (or My Computer) to open the C:\Tools folder.
b. In the Tools folder, right-click Perfmon-sent.msc, and then click Open.
 Perfmon-sent.msc is a saved MMC console containing a
preconfigured System Monitor Control. It shows the Bytes Sent/sec counter for
the network adapter.
 You will use the results in this console later in the exercise.
c. Close the C:\Tools folder.
 Perform the following steps on the Paris computer.

3. On the Paris computer, create a new access rule.
Name: Allow Web access (Branch)
Applies to: HTTP
From network: Internal
To network: External
a. On the Paris computer, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.
 The ISA Server console opens.
b. In the left pane, expand Paris, and then select Firewall Policy.
c. In the right pane, select the first rule, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.
d. In the task pane, on the Tasks tab, click Create Access Rule.
e. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow Web access (Branch), and then click Next.
f. On the Rule Action page, select Allow, and then click Next.
g. On the Protocols page, in the This rule applies to list box, select
Selected protocols, and then click Add.
h. In the Add Protocols dialog box,
  click Common Protocols, click HTTP, click Add,
and then click Close to close the Add Protocols dialog box.
i. On the Protocols page, click Next.
j. On the Access Rule Sources page, click Add.
k. In the Add Network Entities dialog box,
  click Networks, click Internal, click Add,
and then click Close to close the Add Network Entities dialog box.
l. On the Access Rule Sources page, click Next.
m. On the Access Rule Destinations page, click Add.
n. In the Add Network Entities dialog box,
  click Networks, click External, click Add,
and then click Close to close the Add Network Entities dialog box.
o. On the Access Rule Destinations page, click Next.
p. On the User Sets page, click Next.
q. On the Completing the New Access Rule Wizard page, click Finish.
 A new firewall policy rule is created that allows the HTTP protocol
from the Internal network to the External network.
4. Apply the changes.
a. Click Apply to apply the new rule, and then click OK.
 Perform the following steps on the Denver computer.

5. On the Denver computer, open the C:\Tools\Perfmon-received.msc console.
a. On the Denver computer, use Windows Explorer (or My Computer) to open the C:\Tools folder.
b. In the Tools folder, right-click Perfmon-received.msc, and then click Open.
 Perfmon-received.msc is a saved MMC console containing a
preconfigured System Monitor Control. It shows the Bytes Received/sec
counter for the network adapter.
c. Close the C:\Tools folder.
6. Use Internet Explorer to connect to http://istanbul.fabrikam.com/content.htm
a. Open Internet Explorer. In the Address box, type http://istanbul.fabrikam.com/content.htm, and then press Enter.
 Internet Explorer connects to ISA Server and retrieves the content.htm Web page from Istanbul.
 The content.htm Web page contains 90 KB of text.
7. Examine the peak bytes received per second in the Performance console.
a. Switch to the Performance - Bytes Received console.
 Notice that the network adapter on Denver has a peak bytes received per second of approximately 90 KB.
 This result confirms that the content.htm Web page is currently not
compressed when delivered from the ISA Server to Denver.
 Perform the following steps on the Istanbul computer.

8. On the Istanbul computer, examine the peak bytes sent per second in the Performance console.
a. On the Istanbul computer, switch to the Performance - Bytes Sent console.
 The network adapter on Istanbul has a peak bytes sent per second of approximately 90 KB.
 This result confirms that the content.htm Web page is currently not compressed when delivered from the Web server (Istanbul) to the ISA Server.
 Perform the following steps on the Paris computer.

9. On the Paris computer, examine the two Web filters for HTTP compression.
a. On the Paris computer, in the ISA Server console, under Paris, expand Configuration, and then select Add-ins.
b. In the right pane, select the Web Filters tab.
 ISA Server 2006 installs two Web Filters that provide
HTTP compression functionality:
  Compression Filter - Compresses and decompresses HTTP responses.
  Caching Compressed Content Filter - Stores and retrieves compressed
content in the cache.
 Note: Do not move the Compression Filter lower in the list of Web
Filters. Decompression must take place before any other Web filter inspects the
content. Other Web filters cannot inspect compressed content.
10. Configure HTTP Compression.
Return Compressed Data: Internal
Content types:
- Documents
- HTML Documents
- Macro Documents
- Text
a. In the left pane, under Configuration, select General.
 HTTP Compression is a global HTTP Policy setting. This means that it applies to all HTTP traffic that passes through ISA Server to or from a specified network or computer set. HTTP Compression is not a per-rule setting.
b. In the right pane, click Define HTTP Compression Preferences.
c. In the HTTP Compression dialog box, on the Return Compressed Data tab, click the top Add button.
 By default HTTP compression is enabled, but no network elements are configured to use compression.
 Note: It is possible that you already added one or more Web Listeners to the Return Compressed Data list, while creating new Web Publishing rules in earlier exercises.
d. In the Add Network Entities dialog box,
  click Networks, click Internal, and click Add,
and then click Close to close the Add Network Entities dialog box.
 You configured compression of HTTP responses when requested by
clients on the Internal network.
 Note: Do not confuse the two compression settings per network
element:
  Return Compressed Data - ISA Server returns compressed content in HTTP
response packets when clients from the specified network request compression.
  Request Compressed Data - ISA Server asks for compressed content in
HTTP request packets when sending requests to servers on the specified
network.
e. On the Return Compressed Data tab, click Content Types.
 The Content Types dialog box lists all defined Content Types on
ISA Server. Some content types, for example Audio, Video and Compressed
Files, are already compressed at the application level. Do not enable HTTP
compression for these content types.
f. In the Content Types dialog box, complete the following information:
  Compress the selected content types only: enable (is default)
  Documents: enable
  HTML Documents: enable (is default)
  Macro Documents: enable
  Text: enable (is default)
  All other check boxes: disable.
and then click OK to close the Content Types dialog box.
 Branch office functionality:
  When branch offices connect to ISA Servers at the main office to access
HTTP content from the Internet or from Web servers at the main office, you
should add the branch office networks to the Return Compressed Data list to reduce bandwidth usage for the response traffic.


g. Click OK to close the HTTP Compression dialog box.
h. Click Apply to apply the changes, and then click OK.
 Perform the following steps on the Denver computer.

11. On the Denver computer, configure Internet Explorer to use HTTP 1.1 when connecting through a proxy server.
a. On the Denver computer, in Internet Explorer, on the Tools menu, click Internet Options.
b. In the Internet Options dialog box, on the Connections tab, click LAN Settings.
 Notice that Denver is currently configured to use a proxy server at
IP address 10.1.1.1.
c. Click Cancel to close the Local Area Network (LAN) Setting dialog
box.
d. On the Advanced tab, in the Settings list box, scroll to the
HTTP 1.1 settings section.
 By default, Internet Explorer uses HTTP 1.1, except when
connecting through a proxy server.
 HTTP compression requires HTTP 1.1.
e. Enable the Use HTTP 1.1 through proxy connections check box, and
then click OK.
12. Refresh the content of the Web page at http://istanbul.fabrikam.com/content.htm, by pressing Ctrl-F5 or Ctrl-Refresh.
a. In Internet Explorer, ensure that the http://istanbul.fabrikam.com/content.htm Web page is opened.
b. Hold the Ctrl-key, and then click the Refresh button on the toolbar, to refresh the content of the Web page.
 Internet Explorer connects to the ISA Server and retrieves the
content.htm Web page from Istanbul again.
 Note: The use of the Ctrl-key to refresh the Web page ensures that
Internet Explorer does not use its caching mechanism.
13. Examine the peak bytes received per second in the Performance console.
a. Switch to the Performance - Bytes Received console.
 The network adapter on Denver has a peak bytes received per second of approximately 35 KB.
 This result confirms that the content.htm Web page, which has a file
size of 91 KB, is compressed when delivered from the ISA Server to Denver.
 Note: When Internet Explorer uses HTTP 1.1, it will always include the HTTP request header
Accept-Encoding: gzip, deflate, to request compressed content from a Web server.
The response packet will include the HTTP response header Content-Encoding: gzip to indicate that the
content is compressed.
If you want to examine the network traffic in more detail in the lab environment, then you can use Network
Monitor. The Microsoft Network Monitor 5.2 is installed in each virtual machine.
 Perform the following steps on the Istanbul computer.

14. On the Istanbul computer, examine the peak bytes sent per second in the Performance console.
a. On the Istanbul computer, switch to the Performance - Bytes Sent console.
 The network adapter on Istanbul has a peak bytes sent per second of approximately 90 KB.
 Currently, ISA Server receives the content.htm Web page
uncompressed from Istanbul, and then compresses the content when sending to
Denver.
15. Configure IIS to enable HTTP compression.
Application files: yes
Static files: yes
a. On the Start menu, click Administrative Tools, and then click Internet Information Services (IIS) Manager.
 The IIS Manager console opens.
b. In the IIS Manager console, expand ISTANBUL (local computer), right-click Web Sites, and then click Properties.
 By default, IIS 6.0 does not compress content in HTTP response packets.
c. In the Web Sites Properties dialog box, on the Service tab, complete the
following information:
  Compress application files: enable
  Compress static files: enable
and then click OK.
 If you enable HTTP compression of application files (.asp, .dll,
and .exe) and static files (.htm, .html, and .txt), IIS compresses the content when
requested by clients that indicate they can accept gzip-encoded responses.
16. Restart IIS.
a. In the IIS Manager console, in the left pane, right-click ISTANBUL (local computer), click All Tasks, and then click Restart IIS.
 After enabling HTTP compression, you must restart IIS.
b. In the Stop/Start/Restart dialog box, in the drop-down list box, select
Restart Internet Services on ISTANBUL, and then click OK.
 The IIS services restart.
c. Close the IIS Manager console.
17. Examine the IIS Temporary Compressed Files folder.
a. Use Windows Explorer (or My Computer) to open the C:\Windows\IIS Temporary Compressed Files folder.
 To reduce processor usage, IIS caches compressed static files in the IIS Temporary Compressed Files folder, the first time those files are requested. Application files are compressed every time they are requested.
 The folder is currently empty.
b. Do not close the IIS Temporary Compressed Files folder.
 Perform the following steps on the Paris computer.

18. On the Paris computer, configure HTTP Compression.
Request Compressed Data: External
a. On the Paris computer, in the ISA Server console, in the left pane, select General.
b. In the right pane, click Define HTTP Compression Preferences.
c. In the HTTP Compression dialog box, on the Request Compressed Data tab, click the top Add button.
d. In the Add Network Entities dialog box,
  click Networks, click External, and click Add
and then click Close to close the Add Network Entities dialog box.
 ISA Server will include the HTTP request header
Accept-Encoding: gzip when requesting Web content from servers on the
External network, to indicate that it can accept compressed traffic.
 Branch office functionality:
  When ISA Servers in branch offices connect to the main office or directly to
the Internet to access HTTP content, you should add the main office network or
External network to the Request Compressed Data list to reduce bandwidth
usage for the response traffic.
e. Click OK to close the HTTP Compression dialog box.
f. Click Apply to apply the changes, and then click OK.
 Perform the following steps on the Denver computer.

19. On the Denver computer, refresh the content of the Web page at http://istanbul.fabrikam.com/content.htm, by pressing Ctrl-F5 or Ctrl-Refresh twice.
a. On the Denver computer, in Internet Explorer, ensure that the http://istanbul.fabrikam.com/content.htm Web page is opened.
b. Hold the Ctrl-key, and then click the Refresh button on the toolbar, to refresh the content of the Web page.
c. Wait five seconds, and then hold the Ctrl-key, and click the Refresh button on the toolbar again.
 Internet Explorer connects to the ISA Server and retrieves the content.htm Web page from Istanbul twice.


20. Examine the peak bytes received per second in the Performance console.
a. Switch to the Performance - Bytes Received console.
 The network adapter on Denver has two peaks of bytes received per second of approximately 35 KB.
 The content is compressed when delivered from the ISA Server to
Denver.
 Perform the following steps on the Istanbul computer.

21. On the Istanbul computer, examine the peak bytes sent per second in the Performance console.
a. On the Istanbul computer, switch to the Performance - Bytes Sent console.
 The network adapter on Istanbul first has a peak bytes sent per second of approximately 90 KB, followed by a peak of approximately 30 KB.
 On the first request for content.htm, IIS sends the uncompressed
content immediately, and compresses the file for subsequent requests. On the
second request, IIS sends the compressed content.
b. Close the Performance - Bytes Sent console.
22. Examine the IIS Temporary Compressed Files folder.
a. Switch to the IIS Temporary Compressed Files folder.
 IIS has stored the compressed version of content.htm in this folder. The file size is 29 KB.
b. Close the IIS Temporary Compressed Files folder.
 Note: By default, ISA Server is configured to inspect the content of compressed HTTP response packets. This means that ISA Server performs the following steps when receiving the response from Istanbul:
1) - The Compression Filter decompresses the content.
2) - The HTTP Filter and other Web filters inspect the decompressed HTTP content.
3) - The Caching Compressed Content Filter caches the uncompressed content.
and then when sending the response to Denver:
4) - The Compression Filter compresses the content again.
It is possible to disable inspection of compressed content. In that case, ISA Server does not decompress the HTTP content, so the HTTP Filter and other Web filters cannot inspect it (see the note in task 9), and the Caching Compressed Content Filter caches the compressed version of the content.
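The negotiation exercised in tasks 10 through 13 (Accept-Encoding in the request, Content-Encoding: gzip in the response, only selected content types compressed) and the decompress-before-inspect ordering described in this note and in the task 9 note, modelled in Python as an added example. This code is not from the lab manual or from ISA Server; the MIME type set standing in for the lab's content type categories and the constructed HTML page with a <script> marker are assumptions made for illustration.

```python
import gzip
import re

# Added example (not part of the lab manual). Models the Return Compressed Data
# decision and the decompress-before-inspect ordering of ISA Server's Web filters.
# Assumption: the lab's content-type categories (Documents, HTML Documents,
# Macro Documents, Text) are represented here by a small constructed MIME set;
# already-compressed types such as image/jpeg are deliberately left out of it.
COMPRESSIBLE_TYPES = {
    "text/html",            # HTML Documents
    "text/plain",           # Text
    "application/msword",   # Documents / Macro Documents
}


def parse_accept_encoding(value):
    """Return the set of content codings the client accepts with q > 0."""
    accepted = set()
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        parts = [p.strip() for p in item.split(";")]
        name = parts[0].lower()
        q = 1.0
        for param in parts[1:]:
            if param.startswith("q="):
                try:
                    q = float(param[2:])
                except ValueError:
                    q = 0.0
        if q > 0:
            accepted.add(name)
    return accepted


def return_compressed(request_headers, content_type, body):
    """Decide whether to gzip a response, as ISA does for a network on the
    Return Compressed Data list: only if the client sent Accept-Encoding: gzip
    and the content type is selected for compression. Returns (headers, body)."""
    accepted = parse_accept_encoding(request_headers.get("Accept-Encoding", ""))
    if "gzip" in accepted and content_type in COMPRESSIBLE_TYPES:
        return ({"Content-Type": content_type, "Content-Encoding": "gzip"},
                gzip.compress(body))
    return {"Content-Type": content_type}, body


def inspect_response(headers, body, pattern):
    """What a content filter sees. Returns (found_in_wire_bytes, found_after_decompression).
    A filter placed *before* the Compression Filter only sees the wire bytes."""
    found_raw = re.search(pattern, body) is not None
    if headers.get("Content-Encoding") == "gzip":
        plain = gzip.decompress(body)    # the Compression Filter's job
    else:
        plain = body
    return found_raw, re.search(pattern, plain) is not None


def demo():
    """Constructed HTML page containing a marker that an HTTP filter might block.
    Returns (response headers, uncompressed size, wire size, inspection result)."""
    page = (b"<html><body>" + b"<p>Lorem ipsum dolor sit amet.</p>" * 200
            + b"<script>alert(1)</script></body></html>")
    ie_request = {"Accept-Encoding": "gzip, deflate"}   # what IE sends over HTTP 1.1
    headers, wire = return_compressed(ie_request, "text/html", page)
    return headers, len(page), len(wire), inspect_response(headers, wire, rb"<script>")
```

Running demo() shows the same thing the Performance consoles show in the exercise (the wire size is a fraction of the page size) and, in addition, why the Compression Filter must stay above the HTTP Filter: the <script> marker is found only after decompression, never in the gzip bytes.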
 Note: The following tasks are needed to avoid conflicts with other lab exercises.

23. Configure IIS to disable HTTP compression.
Application files: no
Static files: no
a. On the Start menu, click Administrative Tools, and then click Internet Information Services (IIS) Manager.
 The IIS Manager console opens.
b. In the IIS Manager console, expand ISTANBUL (local computer), right-click Web Sites, and then click Properties.
c. In the Web Sites Properties dialog box, on the Service tab, complete the
following information:
  Compress application files: disable
  Compress static files: disable
and then click OK.
 HTTP compression is disabled.
24. Restart IIS.
a. In the IIS Manager console, in the left pane, right-click ISTANBUL (local computer), click All Tasks, and then click Restart IIS.
b. In the Stop/Start/Restart dialog box, in the drop-down list box, select
Restart Internet Services on ISTANBUL, and then click OK.
 The IIS services restart.
c. Close the IIS Manager console.
 Perform the following steps on the Paris computer.

25. On the Paris computer, disable HTTP Compression.
a. On the Paris computer, in the ISA Server console, in the left pane, select General.
b. In the right pane, click Define HTTP Compression Preferences.
c. In the HTTP Compression dialog box, on the Return Compressed Data tab, select Internal, and then click Remove.
d. On the Request Compressed Data tab, select External, and then click
Remove.
 HTTP Compression is no longer enabled for responses to the
Internal network, or requests to the External network.
e. Click OK to close the HTTP Compression dialog box.
f. Click Apply to apply the changes, and then click OK.
 Perform the following steps on the Denver computer.

26. Close the Performance console and close Internet Explorer.
a. Close the Performance - Bytes Received console.
b. Close Internet Explorer.

Exercise 2
Configuring ISA Server to Cache BITS Content
In this exercise, you will configure ISA Server to cache Background Intelligent Transfer
Service (BITS) content, and request ranges from cached files.

Tasks Detailed steps


 Note: This lab exercise uses the following computers: Denver - Paris - Istanbul
Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.
 Perform the following steps on the Paris computer.

1. On the Paris computer, define a cache drive.
Cache size: 10 MB
a. On the Paris computer, in the ISA Server console, under Configuration, select Cache.
 By default, caching is disabled on ISA Server.
b. In the right pane, select the Cache Drives tab.
c. In the task pane, on the Tasks tab, click
Define Cache Drives (Enable Caching).
d. In the Define Cache Drives dialog box, in the
Maximum cache size (MB) text box, type 10, and then click Set.
 For demonstrative purposes, a very small disk cache file of 10 MB
is created. Normally you would configure a much bigger cache file.
e. Click OK to close the Define Cache Drives dialog box.
2. Apply the changes and restart the Firewall service.
a. Click Apply to apply the changes.
b. In the ISA Server Warning dialog box, CHANGE the current selection, and select Save the changes and restart the services, and then click OK.
c. Click OK to close the Saving Configuration Changes dialog box.
3. Open a Command Prompt window to verify the existence of the disk cache file.
File: c:\urlcache\Dir1.cdat
a. Open a Command Prompt window.
b. At the command prompt, type cd  \urlcache, and then press Enter.
c. Type dir, and then press Enter.
 The Dir1.cdat file is the disk cache file that ISA Server uses. The file size is 10 MB.
 You will use the Dir1.cdat file later in the exercise.
4. Examine the BITS caching setting for the Default rule.
a. In the ISA Server console, in the left pane, select Cache.
b. In the right pane, select the Cache Rules tab.
 ISA Server 2006 has two predefined cache rules: the Microsoft
Update Cache Rule and the Default rule.
 You cannot change or delete the Default rule.
c. Right-click Default rule, and then click Properties.
d. In the Default rule Properties dialog box, select the Advanced tab.
 Notice that the built-in Default rule does not enable caching of
Background Intelligent Transfer Service (BITS) content.
e. Click Cancel to close the Default rule Properties dialog box.
5. Examine the BITS caching setting for the Microsoft Update Cache Rule.
a. In the right pane, right-click Microsoft Update Cache Rule, and then click Properties.
b. In the Microsoft Update Cache Rule Properties dialog box, select the Advanced tab.
 BITS caching is enabled in the Microsoft Update Cache Rule.
 The Microsoft Update Cache Rule is predefined, but you can disable or delete the rule if required.
c. On the To tab, select Microsoft Update Domain Name Set, and then
click Edit.
 The rule applies to requests to the Windows Update and Microsoft
Update Web sites. Those are examples of Web sites that use BITS. Client
computers that use BITS to download the update files, use the HTTP Range
request header to download only the parts of the update files that contain the
update information they need.
 ISA Server 2006 provides BITS Caching. This means that ISA
Server can cache the HTTP ranges requested by BITS, without having to
download the entire file.
 Note: Although this feature is called BITS Caching, it applies to all
HTTP range requests, not only to HTTP range requests from BITS.
d. Click Cancel to close the Microsoft Update Domain Name Set
Properties dialog box.
e. Click Cancel to close the Microsoft Update Cache Rule Properties
dialog box.
 Branch office functionality:
  By using BITS Caching on an ISA Server in a branch office, you can reduce
bandwidth usage from the branch office for connections from client computers
to Windows Server Update Services (WSUS) in the main office, or Windows
Update and Microsoft Update on the Internet. The responses to HTTP range
requests for update files are cached at the ISA Server in the branch office. The
same benefit also applies to other applications in the branch office that use
HTTP range requests or the BITS protocol.
 Note: The computers in the lab environment are not connected to the Internet, and cannot connect to any of the
Windows Update or Microsoft Update Web sites. To demonstrate BITS caching, in the next task you will add
istanbul.fabrikam.com to the list of Web sites in Microsoft Update Domain Name Set.
6. Add istanbul.fabrikam.com to Microsoft Update Domain Name Set.
a. Right-click Microsoft Update Cache Rule, and then click Properties.
b. On the To tab, select Microsoft Update Domain Name Set, and then click Edit.
c. In the Microsoft Update Domain Name Set Properties dialog box, click
Add.
d. Replace the New Domain text by typing istanbul.fabrikam.com, and
then press Enter.
e. Click OK to close the Microsoft Update Domain Name Set Properties
dialog box.
 The destination istanbul.fabrikam.com is included in Microsoft
Update Domain Name Set.
f. Click OK to close the Microsoft Update Cache Rule Properties dialog
box.
7. Apply the changes.
a. Click Apply to apply the changes, and then click OK.
8. Verify the existence of the Allow Web access (Branch) firewall rule.
a. In the left pane, select Firewall Policy.
 In the right pane, notice the Allow Web access (Branch) firewall rule. This rule allows HTTP access from the Internal network to the External network. You created the rule in an earlier exercise.
 The BITS service uses the normal HTTP protocol, and adds the
HTTP Range request header in order to request parts of the file.
 Perform the following steps on the Denver computer.

9. On the Denver computer, examine the BITS service.
a. On the Denver computer, on the Start menu, click Administrative Tools, and then click Services.
 The Services console opens.
b. In the Services console, in the right pane, select Background Intelligent Transfer Service.
 The BITS service on the client computer transfers data between
clients and servers. It has three functions:
  It asynchronously transfers files or file ranges in the background.
  It transfers the data in small chunks, utilizing unused bandwidth as it becomes available.
  It automatically resumes the download later if the computer restarts or if the
network disconnects.
 Note: The BITS service is automatically started when needed.
c. Close the Services console.
10. Examine the bitsclient.cmd and bitsadmin.exe tools.
Folder: C:\Tools
a. Open a Command Prompt window.
b. At the command prompt, type cd  \tools, and then press Enter.
c. Type dir, and then press Enter.
 The Tools folder contains a script file named bitsclient.cmd that
you can use to transfer files or file ranges with the BITS protocol.
 The bitsclient.cmd script is created for use with this lab. It uses the
bitsadmin.exe tool, which you can download from the Microsoft Web site as
part of the Windows XP SP2 Support Tools.
See http://support.microsoft.com/?kbid=838079 for more information.
 Note: If you want to examine the network traffic in more detail in the lab environment, then you can use
Network Monitor. The Microsoft Network Monitor 5.2 is installed in each virtual machine.
11. Use the bitsclient tool to download the content2.htm file from Istanbul.
a. At the command prompt, type bitsclient, and then press Enter.
 As parameters, the BITS Client tool needs a remote URL, and optionally an offset and length indicating the file range in bytes.
b. Type bitsclient  http://istanbul.fabrikam.com/content2.htm, and then
press Enter.
 The BITS service connects to the ISA Server, and downloads the
content2.htm file from Istanbul.
 Perform the following steps on the Paris computer.

12. On the Paris computer, use the find command to verify the presence of the content2.htm content in the disk cache file.
a. On the Paris computer, in the Command Prompt window, in the C:\urlcache folder, type find  /i  "content2.htm"  dir1.cdat, and then press Enter.
 You can use the find command to search for text in the disk cache file.
 The find command displays multiple entries for content2.htm,
indicating the URL of cached content. The entries ending with a semicolon
followed by two numbers, are 32 KB cached BITS chunks of the content2.htm
file.
b. After a few seconds, press Ctrl-C to interrupt the find command, and to
avoid searching the entire 10 MB disk cache file.
c. Close the Command Prompt window.
 Perform the following steps on the Istanbul computer.

13. On the Istanbul computer, disable the Local Area Connection network adapter.
a. On the Istanbul computer, on the Start menu, click Control Panel, and then right-click Network Connections, and click Open.
 The Network Connections window opens.
b. In the Network Connections window, right-click Local Area Connection, and then click Disable.
 The network adapter is disabled. This helps demonstrate that ISA
Server does not obtain the content2.htm file from Istanbul, but responds to
subsequent file range requests from its cache.

 Perform the following steps on the Denver computer.

14. On the Denver computer, for demonstrative purposes, request the 11 bytes starting at position 749 in the content2.htm file.
a. On the Denver computer, in the Command Prompt window, in the C:\Tools folder, type bitsclient  http://istanbul.fabrikam.com/content2.htm  749:11, and then press Enter.
 Note: You can use the up-arrow key to easily recall the previous command at the command prompt.
 For demonstrative purposes, the 11 bytes starting at position 749 in
the content2.htm file are requested. The BITS service connects to ISA Server,
and requests bytes 749-759 in the content2.htm file. ISA Server obtains this file
range from the cache, and sends the 11 bytes to Denver, which saves the data
in the bits-job1.txt file.
b. Type type  bits-job1.txt, and then press Enter.
 The 11 bytes at that position in the file happen to spell
"Lorem ipsum".
 This result verifies that ISA Server responded to the BITS file range
requests from its cache. ISA Server did not connect to Istanbul, whose network
adapter is disabled.
c. Close the Command Prompt window.
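The following is an added example, not part of the lab manual and not ISA Server code: a small Python model of what the cache did in the steps above. A download is held as 32 KB chunks (the size the dir1.cdat entries show), a BITS offset:length request is turned into an HTTP Range header, and the range is answered from the cached chunks, or reported as a cache miss when a chunk is absent. The constructed CONTENT (with "Lorem ipsum" placed at byte 749, as in the lab), the class and function names, and the "status 0 means cache miss" convention are assumptions made for this example.

```python
# Added example, not part of the lab manual or of ISA Server: a cache that
# stores a download as 32 KB chunks (as the lab's dir1.cdat entries show) and
# answers HTTP byte-range requests from those chunks, the way ISA Server serves
# Denver's BITS range request while Istanbul's adapter is disabled.
# CONTENT, the class and function names and the "status 0 = cache miss"
# convention are assumptions made for this example.
from typing import Dict, List, Optional, Tuple

CHUNK_SIZE = 32 * 1024

# Constructed stand-in for content2.htm: "Lorem ipsum" starts at byte 749, as in the lab
CONTENT = b"x" * 749 + b"Lorem ipsum dolor sit amet, consectetur" + b"." * 40000


class ChunkCache:
    """One cached URL, held as chunk_index -> bytes; may be incomplete."""

    def __init__(self, total_length: int, chunk_size: int = CHUNK_SIZE):
        self.total_length = total_length
        self.chunk_size = chunk_size
        self.chunks: Dict[int, bytes] = {}

    def store(self, offset: int, data: bytes) -> None:
        """Store data that starts at a chunk-aligned offset, one chunk per entry."""
        if offset % self.chunk_size:
            raise ValueError("offset must be a multiple of the chunk size")
        for i in range(0, len(data), self.chunk_size):
            self.chunks[(offset + i) // self.chunk_size] = data[i:i + self.chunk_size]

    def missing_chunks(self, start: int, end: int) -> List[int]:
        """Chunk indexes covering bytes start..end (inclusive) that are not cached."""
        first, last = start // self.chunk_size, end // self.chunk_size
        return [i for i in range(first, last + 1) if i not in self.chunks]

    def read_range(self, start: int, end: int) -> bytes:
        """Assemble bytes start..end (inclusive), possibly spanning chunk boundaries."""
        out = bytearray()
        for i in range(start // self.chunk_size, end // self.chunk_size + 1):
            base = i * self.chunk_size
            out += self.chunks[i][max(start - base, 0):end - base + 1]
        return bytes(out)


def bits_range_to_http(offset: int, length: int) -> str:
    """bitsclient's offset:length argument (749:11) as an HTTP Range header value."""
    return "bytes=%d-%d" % (offset, offset + length - 1)


def parse_range(value: str, total_length: int) -> Optional[Tuple[int, int]]:
    """Parse one 'bytes=start-end' range (no suffix or multi-part ranges);
    None when malformed or unsatisfiable."""
    if not value.startswith("bytes=") or "," in value:
        return None
    start_s, _, end_s = value[len("bytes="):].partition("-")
    try:
        start = int(start_s)
        end = int(end_s) if end_s else total_length - 1
    except ValueError:
        return None
    end = min(end, total_length - 1)
    if start < 0 or start > end:
        return None
    return start, end


def serve_range(cache: ChunkCache, range_header: str) -> Tuple[int, Dict[str, str], Optional[bytes]]:
    """Answer a Range request from the cache: (status, headers, body).
    Status 0 signals a cache miss that has to be filled from the origin server."""
    rng = parse_range(range_header, cache.total_length)
    if rng is None:
        return 416, {"Content-Range": "bytes */%d" % cache.total_length}, None
    start, end = rng
    if cache.missing_chunks(start, end):
        return 0, {}, None
    body = cache.read_range(start, end)
    headers = {"Content-Range": "bytes %d-%d/%d" % (start, end, cache.total_length),
               "Content-Length": str(len(body))}
    return 206, headers, body


# Paris after Denver's full download, and a cache holding only the first chunk
FULL_CACHE = ChunkCache(len(CONTENT))
FULL_CACHE.store(0, CONTENT)
PARTIAL_CACHE = ChunkCache(len(CONTENT))
PARTIAL_CACHE.store(0, CONTENT[:CHUNK_SIZE])

if __name__ == "__main__":
    status, headers, body = serve_range(FULL_CACHE, bits_range_to_http(749, 11))
    print(status, headers["Content-Range"], body)
```

The partial cache shows the case the lab avoids by disabling Istanbul only after the full download: a range that touches an uncached chunk cannot be answered locally and would force a connection to the origin server.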
 Note: The following tasks are needed to avoid conflicts with other lab exercises.

 Perform the following steps on the Istanbul computer.

15. On the Istanbul computer, enable the Local Area Connection network adapter.
a. On the Istanbul computer, in the Network Connections window, right-click Local Area Connection, and then click Enable.
 The network adapter is enabled.
b. Close the Network Connections window.
 Perform the following steps on the Paris computer.

16. On the Paris computer, disable caching.
a. On the Paris computer, in the ISA Server console, in the left pane, select Cache.
b. In the right pane, select the Cache Drives tab.
c. In the task pane, on the Tasks tab, click Disable Caching.
d. Click Yes to confirm that you want to disable caching.
 Caching is disabled.
17. Apply the changes and restart the Firewall service.
a. Click Apply to apply the changes.
b. In the ISA Server Warning dialog box, CHANGE the current selection, and select Save the changes and restart the services, and then click OK.
c. Click OK to close the Saving Configuration Changes dialog box.

Exercise 3
Configuring DiffServ Settings to Prioritize Network Traffic
In this exercise, you will configure ISA Server to use Differentiated Services (DiffServ)
tagging of HTTP and HTTPS network packets.

Tasks Detailed steps


 Note: This lab exercise uses the following computers: Denver - Paris - Istanbul
Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.
 Perform the following steps on the Paris computer.

1. On the Paris computer, enable the Web filter for DiffServ tagging.
a. On the Paris computer, in the ISA Server console, under Paris, expand Configuration, and then select Add-ins.
b. In the right pane, select the Web Filters tab.
 ISA Server 2006 installs one new Web Filter that provides tagging of network packets, by using the Differentiated Services (DiffServ) model:
  DiffServ Filter - Enables DiffServ tagging of Web traffic.
c. In the right pane, select DiffServ Filter, and then in the task pane, on the Tasks tab, click Enable Selected Filters.
 The DiffServ Filter is enabled.
 Note: Do not move the DiffServ Filter lower in the list of Web Filters. The filter assigns the packet priority to network packets based on several properties, including the size of the network packet on the network. For an accurate assessment of packet sizes, it has to inspect the traffic as close to the network adapter as possible.
d. Click Apply to apply the changes, and then click OK.
2. Define new DiffServ priorities:
Name: High priority - DiffServ bits: 100110 - Size limit: 700 bytes
Name: Medium priority - DiffServ bits: 110110 - Size limit: None
a. In the left pane, select General.
 DiffServ configuration is a global HTTP Policy setting. This means that it applies to all HTTP and HTTPS traffic that passes through ISA Server to a specified URL, domain or network. DiffServ tagging is not a per-rule setting.
b. In the right pane, click Specify DiffServ Preferences.
c. In the HTTP DiffServ dialog box, on the General tab, select Enable network traffic prioritization.
d. On the Priorities tab, click Add.
 ISA Server tags network packets by setting six bits in the Type of Service (TOS) byte of the IP header of the network packet (the six high-order bits of that byte, now called the DS field). These are called the DiffServ bits, and together they form a value called the DiffServ Codepoint (DS codepoint).
 Note: ISA Server does not have any notion of the actual prioritization of certain DS codepoint values over other DS codepoint values. Routers on the network must handle that. ISA Server only assigns the DS codepoint value.
e. In the Add Priority dialog box, complete the following information:
  Priority name: High priority
  DiffServ bits: 100110
  Apply a size limit to this priority: enable
  Size limit: 700
and then click OK.
 The size limit specifies the maximum size in bytes of network packets that can use this priority.
f. On the Priorities tab, click Add.
g. In the Add Priority dialog box, complete the following information:
  Priority name: Medium priority
  DiffServ bits: 110110
  Apply a size limit to this priority: disable (is default)
and then click OK.
 You have defined two priorities, each with an associated DiffServ value.
 On the other tabs in this dialog box, you will assign specific URLs and domains to the defined priorities. The order of the priorities only matters for network packets that exceed the size limit. Those packets will be assigned to the next priority in the list.
3. Assign priorities to URLs:
URL: istanbul.fabrikam.com/sales/* - Priority: High priority
URL: istanbul.fabrikam.com/* - Priority: Medium priority
a. In the HTTP DiffServ dialog box, on the URLs tab, click Add.
 The DiffServ filter uses the URL priority assignments for HTTP network traffic, and uses the domain priority assignments for HTTPS network traffic. For outgoing HTTPS network packets, ISA Server does not know the complete URL, only the host name.
b. In the Add URL Priority dialog box, complete the following information:
  URL: istanbul.fabrikam.com/sales/*
  Priority: High priority
and then click OK.
 High priority (DiffServ bits 100110) is assigned to HTTP network packets for the URL istanbul.fabrikam.com/sales.
c. On the URLs tab, click Add.
d. In the Add URL Priority dialog box, complete the following information:
  URL: istanbul.fabrikam.com/*
  Priority: Medium priority
and then click OK.
 Medium priority (DiffServ bits 110110) is assigned to all other HTTP network packets to the Fabrikam Web site. Notice that the order of the URLs is important: the more specific istanbul.fabrikam.com/sales/* entry must be listed before the general istanbul.fabrikam.com/* entry, otherwise the general entry would also cover the sales URLs.
4. Assign priorities to Domains:
Domain: *.fabrikam.com - Priority: Medium priority
a. In the HTTP DiffServ dialog box, on the Domains tab, click Add.
b. In the Add Domain Priority dialog box, complete the following information:
  Domain: *.fabrikam.com
  Priority: Medium priority
and then click OK.
 Medium priority is assigned to all HTTPS network packets to the entire fabrikam.com domain.
5. Enable DiffServ tagging for the External network.
a. In the HTTP DiffServ dialog box, on the Networks tab, select External.
 You have enabled DiffServ tagging for network traffic to the External network.
b. Click OK to close the HTTP DiffServ dialog box.
6. Apply the changes.
a. Click Apply to apply the changes, and then click OK.
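The following is an added example, not part of the lab manual and not ISA Server code: a Python model of the tagging decision configured in tasks 2 to 5, followed by the mechanical part of writing a DS codepoint into an IPv4 header and repairing the header checksum. It assumes that the first matching URL or domain entry wins (which is why the entry order matters above), that a packet over a priority's size limit falls through to the next priority in the list (as the note in task 2 describes), and it uses a constructed 20-byte IPv4 header between the lab's 10.1.1.5 and 39.1.1.7 addresses; the class and function names are invented for this example.

```python
# Added example (not from the ISA Server lab manual): the DiffServ tagging
# decision described above, modelled in Python, plus writing the resulting
# DS codepoint into an IPv4 header. The names, the first-match and
# "fall through to the next priority" semantics, and the sample header are
# assumptions made for this example.
import struct
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Priority:
    name: str
    diffserv_bits: str            # six bits as typed in the dialog, e.g. "100110"
    size_limit: Optional[int]     # maximum packet size in bytes, None = no limit

    @property
    def dscp(self) -> int:
        return int(self.diffserv_bits, 2)


def tos_byte(dscp: int, ecn: int = 0) -> int:
    """The six DS bits are the high-order bits of the old TOS byte; ECN is the low two."""
    return ((dscp & 0x3F) << 2) | (ecn & 0x03)


def pattern_matches(pattern: str, value: str) -> bool:
    """URL patterns end in '/*', domain patterns start with '*.', otherwise exact match."""
    if pattern.endswith("/*"):
        return value == pattern[:-2] or value.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return value == pattern[2:] or value.endswith(pattern[1:])
    return value == pattern


class DiffServPolicy:
    def __init__(self, priorities: List[Priority], url_rules: List[Tuple[str, str]],
                 domain_rules: List[Tuple[str, str]], networks: Set[str]):
        self.priorities = priorities      # in Priorities-tab order
        self.url_rules = url_rules        # (pattern, priority name), used for HTTP
        self.domain_rules = domain_rules  # (pattern, priority name), used for HTTPS
        self.networks = networks          # networks on which tagging is enabled

    def assigned_priority(self, url: str) -> Optional[str]:
        parts = urlsplit(url)
        if parts.scheme == "https":       # only the host name is known for outbound HTTPS
            table, key = self.domain_rules, parts.hostname or ""
        else:
            table, key = self.url_rules, (parts.hostname or "") + parts.path
        for pattern, name in table:       # first match wins, so entry order matters
            if pattern_matches(pattern, key):
                return name
        return None

    def dscp_for(self, url: str, packet_len: int, dest_network: str) -> Optional[int]:
        """DS codepoint for a packet of packet_len bytes, or None when it is not tagged."""
        if dest_network not in self.networks:
            return None
        name = self.assigned_priority(url)
        if name is None:
            return None
        start = [p.name for p in self.priorities].index(name)
        for prio in self.priorities[start:]:   # oversized packets move to the next priority
            if prio.size_limit is None or packet_len <= prio.size_limit:
                return prio.dscp
        return None


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum; evaluates to 0 over a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def set_dscp(packet: bytes, dscp: int) -> bytes:
    """Copy of an IPv4 packet with the DS field rewritten and the header checksum recomputed."""
    ihl = (packet[0] & 0x0F) * 4
    hdr = bytearray(packet[:ihl])
    hdr[1] = tos_byte(dscp, hdr[1] & 0x03)   # keep the ECN bits as they were
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]


def dscp_of(packet: bytes) -> int:
    return packet[1] >> 2


# The settings from this exercise: two priorities, two URL entries, one domain, External only
LAB_POLICY = DiffServPolicy(
    priorities=[Priority("High priority", "100110", 700),
                Priority("Medium priority", "110110", None)],
    url_rules=[("istanbul.fabrikam.com/sales/*", "High priority"),
               ("istanbul.fabrikam.com/*", "Medium priority")],
    domain_rules=[("*.fabrikam.com", "Medium priority")],
    networks={"External"},
)

# Constructed 20-byte IPv4 header for a TCP packet 10.1.1.5 -> 39.1.1.7, checksum still zero
SAMPLE_IPV4_HEADER = bytes([0x45, 0x00, 0x00, 0x3C, 0x1C, 0x46, 0x40, 0x00, 0x40, 0x06,
                            0x00, 0x00, 10, 1, 1, 5, 39, 1, 1, 7])
```

The 100110 bits from the lab are DS codepoint 38 (TOS byte 0x98), and 110110 is codepoint 54; whether a router treats 38 as more urgent than 54 is entirely up to the router configuration, exactly as the note in task 2 says. Swapping the two URL entries in LAB_POLICY makes every sales request Medium priority, which is the ordering mistake the lab warns about.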
7. Start the log viewer.
a. In the ISA Server console, in the left pane, select Monitoring.
b. In the right pane, select the Logging tab.
 Note: You may (temporarily) need to close the task pane in order to see the Logging tab.
c. In the task pane, on the Tasks tab, click Start Query.
 The log viewer will display all current network activity based on the Firewall log file and the Web Proxy log file.
8. Verify the existence of the Allow Web access (Branch) firewall rule.
a. In the left pane, select Firewall Policy.
 In the right pane, notice the Allow Web access (Branch) firewall rule. This rule allows HTTP access from the Internal network to the External network. You created the rule in an earlier exercise.
 Perform the following steps on the Denver computer.

9. On the Denver computer, use Internet Explorer to connect to http://istanbul.fabrikam.com/default.htm.
a. On the Denver computer, open Internet Explorer. In the Address box, type http://istanbul.fabrikam.com/default.htm, and then press Enter.
 Internet Explorer displays the home page from Istanbul.
b. Close Internet Explorer.
 Perform the following steps on the Paris computer.

10. On the Paris computer, stop the log viewer.
a. On the Paris computer, in the ISA Server console, in the left pane, select Monitoring.
b. In the right pane, select the Logging tab.
c. In the task pane, on the Tasks tab, click Stop Query.
 ISA Server displays information about all the network connections since you started the log viewer.
11. Add the Filter Information column to the list of displayed columns.
a. In the right pane, right-click the Log Time column header (or another column header), and then click Add/Remove Columns.
b. In the Add/Remove Columns dialog box, in the Available columns list box, select Filter Information, and then click Add.
 The Filter Information log field is moved from the Available columns list to the Displayed columns list.
c. In the Displayed columns list, select Filter Information, and then click Move Up, so that the new column is not last in the list.
d. Click OK to close the Add/Remove Columns dialog box.
12. Examine the contents of the Filter Information log field.
a. In the right pane, scroll the list of log field columns, so that you can see the Filter Information column near the end of the list.
b. In the column headers, double-click the small line between the Filter Information column and the next column.
 The width of the Filter Information column is changed to display the longest value in the Filter Information log field.
c. Scroll the list of log entries until you see text in the Filter Information field.
 The log entry represents the connection from 10.1.1.5 (Denver) to 39.1.1.7 (Istanbul) on TCP port 80.
 The Filter Information field shows the DiffServ priority used for the request to the server and for the response to the client (Client/Server), for the first packet (First:0/Medium) and for the remaining packets (Last:0/Medium). You did not enable DiffServ on the Internal network, so ISA Server does not use DiffServ tagging in the response to the client (Denver). The rest of the Filter Information field contains HTTP Compression information.

Module G: Enterprise Management of ISA Servers
Exercise 1
Enterprise Policies and Array Policies
In this exercise, you will create an enterprise policy, and apply this policy to multiple
ISA Server arrays.

Tasks Detailed steps


 Note: This lab exercise uses the following computers: Florence - Firenze
Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.
 Perform the following steps on the Florence computer.

1. On the Florence computer, in the ISA Server console, examine the Enterprise node, Arrays node and Servers node.
a. On the Florence computer, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.
 The ISA Server console opens.
 Note: The ISA Server console for ISA Server 2006 Enterprise Edition is not the same as the console for ISA Server 2006 Standard Edition.
b. In the ISA Server console, in the left pane, expand Enterprise.
 The ISA Server console for ISA Server 2006 Enterprise Edition has two main areas of configuration:
  Enterprise node - This node allows you to define enterprise policies, enterprise networks, enterprise rule elements and enterprise add-ins.
  Arrays node - This node contains a listing of all the arrays managed within the same enterprise. An array is a group of ISA Server computers that share the same configuration and are managed together.
 All configuration that is done at the enterprise level can be applied at the array level.
c. Expand Enterprise Policies, and then select Default Policy.
 The ISA enterprise administrator can create one or more enterprise policies. The predefined Default Policy enterprise policy cannot be modified.
d. In the left pane, select Arrays.
 An enterprise policy is assigned to each array.
 The effective firewall policy is the combination of the firewall policy rules in the enterprise policy and the firewall policy rules at the array level.
e. Expand Arrays, expand ITALY, expand Configuration, and then select Servers.
 The ITALY array contains two ISA Server computers, Firenze and Florence.
 When you install ISA Server 2006 Enterprise Edition, ISA Server is always a member of an array.
2. Examine the Configuration Storage server (CSS) settings.
a. In the left pane, select Arrays.
b. Scroll the right pane, so that you can see the Configuration Server column.
 All array configuration information (and enterprise configuration information) is stored in one or more replicating Configuration Storage servers (CSS). A CSS is a computer running Active Directory Application Mode (ADAM). You install ADAM from the ISA Server product CD-ROM.
 Compare:
  ISA Server 2006 Enterprise Edition - All configuration information is stored in one or more servers running ADAM. You cannot store the ISA Server 2006 configuration in Active Directory.
  ISA Server 2006 Standard Edition - All configuration information is only stored in the local registry. There is no central database for ISA Server 2006 Standard Edition.
 In this lab, the Florence computer is the CSS.
c. Right-click ITALY, and then click Properties.
d. In the ITALY Properties dialog box, select the Configuration Storage tab.
 When you make enterprise or array configuration changes in the ISA Server console, and then click Apply, the changes are saved to the CSS. By default, every 15 seconds each ISA Server computer checks the CSS for updates and applies those changes.
e. Click Cancel to close the ITALY Properties dialog box.
 Note: All domain and workgroup installation combinations are possible:
  ISA Server array members can be installed on servers in a domain, or on servers in a workgroup.
  CSS can be installed on servers in a domain, or on servers in a workgroup.
  CSS can be installed on an ISA Server computer.
 In this lab, Florence and Firenze are ISA Server array members in a workgroup. CSS is installed only on Florence.
f. In the left pane, expand PORTUGAL, expand Configuration, and then select Servers.
 The PORTUGAL array contains two servers, Lisboa and Lisbon.
 Note: The ISA Server 2006 Enterprise Edition console always connects to a particular CSS. It does not connect directly to the ISA Server computers to make changes. This means that you can apply changes to arrays centrally without having to connect to the individual ISA Server array members.
 In the right pane, the text in the gray header indicates that currently the Lisboa and Lisbon computers are not available.
3. Examine the four components of the firewall policy rule list:
- System policy rules
- Enterprise rules (before)
- Array-level rules
- Enterprise rules (after)
a. In the left pane, expand Arrays, expand ITALY, and then select Firewall Policy (ITALY).
 The firewall policy that you see for an array has three sections:
  Enterprise Policy Rules (before) - Rules are processed before the array-level firewall policy rules.
  Firewall Policy Rules (array) - Array-level rules.
  Enterprise Policy Rules (after) - Rules are processed after the array-level firewall policy rules.
 Only the Firewall Policy Rules (array) are created and managed at the array level. The Enterprise Policy Rules (before and after) are created and managed at the enterprise level in an Enterprise Policy, which is assigned to the array.
b. In the task pane, on the Tasks tab, click Show System Policy Rules.
 In the right pane, 34 predefined access rules to or from the Local Host (ISA Server computers) are shown.
 Note: ISA Server 2006 Standard Edition only has the first 30 system policy rules. The last four system policy rules (31 to 34) specifically apply to traffic to and from ISA Server arrays.
 The effective firewall policy is the combination of the following rules, evaluated in this order:
  System policy rules
  Enterprise policy rules (before)
  Array-level rules
  Enterprise policy rules (after).
The Default rule (deny all traffic) is always listed last.
c. On the Tasks tab, click Hide System Policy Rules.
4. Create a new enterprise policy:
Name: Company Enterprise Policy
a. In the left pane, expand Enterprise, expand Enterprise Policies, and then select Enterprise Policies.
 An ISA enterprise administrator can create one or more enterprise policies, and assign an enterprise policy to one or more arrays. Initially only the Default Policy enterprise policy exists.
b. In the task pane, on the Tasks tab, click Create New Enterprise Policy.
c. In the New Enterprise Policy Wizard dialog box, in the Enterprise policy name text box, type Company Enterprise Policy, and then click Next.
d. On the Completing the New Enterprise Policy Wizard page, click Finish.
 A new enterprise policy named Company Enterprise Policy is created.
 The enterprise policy is not assigned to an array yet.
e. In the left pane (NOT the right pane), select Company Enterprise Policy.
 All enterprise policies (including Default Policy) always contain the Default rule, which is always listed last. The Default rule denies all network traffic.
5. Create an enterprise network:
Name: All Internal Networks
Network addresses: 10.1.1.0 - 10.1.1.255, 10.4.1.0 - 10.4.1.255
a. In the left pane, select Enterprise Networks.
 ISA Server 2006 Enterprise Edition has four predefined enterprise networks (External, Local Host, VPN Clients and Quarantined VPN Clients).
 These four networks always map to the array-level network with the same name. They do not define any IP address ranges at the enterprise level. Instead, the predefined enterprise networks act as placeholders for use in enterprise-level firewall policy rules.
 Note: ISA Server does not have a predefined enterprise network for the Internal network. In this task, you will create a new custom enterprise network for the Internal network.
b. In the task pane, on the Tasks tab, click Create a New Network.
c. In the New Network Wizard dialog box, in the Network name text box, type All Internal Networks, and then click Next.
 Custom enterprise networks are different from predefined enterprise networks: they do define IP address ranges.
d. On the Network Addresses page, click Add Range.
e. In the IP Address Range Properties dialog box, complete the following information:
  Start address: 10.1.1.0
  End address: 10.1.1.255
and then click OK.
 10.1.1.0-10.1.1.255 is the IP address range of the Internal network for the ITALY array.
f. On the Network Addresses page, click Add Range again.
g. In the IP Address Range Properties dialog box, complete the following information:
  Start address: 10.4.1.0
  End address: 10.4.1.255
and then click OK.
 10.4.1.0-10.4.1.255 is the IP address range of the Internal network for the PORTUGAL array.
h. On the Network Addresses page, click Next.
i. On the Completing the New Network Wizard page, click Finish.
 A new enterprise network named All Internal Networks is created.
 Note: For ease of management, when you have a large number of networks, you can create an Enterprise Network Set which groups multiple existing enterprise networks.
6. In Company Enterprise Policy, create a new access rule:
Name: Baseline - Allow HTTP traffic to Internet
Applies to: HTTP
From network: All Internal Networks
To network: External
a. In the left pane, select Company Enterprise Policy, and then in the right pane, select Default rule.
b. In the task pane, on the Tasks tab, click Create Enterprise Access Rule.
 Note: You cannot create publishing rules in an enterprise policy. An enterprise policy only contains access rules.
 Also note that system policy rules are only defined at the array level.
c. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Baseline - Allow HTTP traffic to Internet, and then click Next.
d. On the Rule Action page, select Allow, and then click Next.
e. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.
f. In the Add Protocols dialog box,
  click Common Protocols, click HTTP, and click Add,
and then click Close to close the Add Protocols dialog box.
g. On the Protocols page, click Next.
h. On the Access Rule Sources page, click Add.
i. In the Add Network Entities dialog box,
  click Enterprise Networks, click All Internal Networks, and click Add,
and then click Close to close the Add Network Entities dialog box.
 All Internal Networks represents the Internal networks of ITALY and PORTUGAL.
j. On the Access Rule Sources page, click Next.
k. On the Access Rule Destinations page, click Add.
l. In the Add Network Entities dialog box,
  click Enterprise Networks, click External, and click Add,
and then click Close to close the Add Network Entities dialog box.
 The External enterprise network maps to the External network in each array.
m. On the Access Rule Destinations page, click Next.
n. On the User Sets page, click Next.
o. On the Completing the New Access Rule Wizard page, click Finish.
 A new enterprise access rule is created that allows the HTTP protocol from All Internal Networks to the External network for all users.
 Note: The new access rule is listed in the enterprise policy rules section that is after the Array Firewall Policy section. When this enterprise policy is applied to an array, the array administrators can override this enterprise access rule with an array access rule, because array rules are evaluated earlier.

7. Assign Company Enterprise Policy to the ITALY array.
a. In the left pane, right-click ITALY, and then click Properties.
b. In the ITALY Properties dialog box, select the Policy Settings tab.
 Currently the Default Policy enterprise policy is assigned to the ITALY array.
c. In the Enterprise policy list box, select Company Enterprise Policy.
 The Company Enterprise Policy is assigned to the ITALY array.
 Notice that you can specify what types of rules the array administrator can create for the array firewall policy.
d. Click OK to close the ITALY Properties dialog box.
8. Assign Company Enterprise Policy to the PORTUGAL array.
a. In the left pane, right-click PORTUGAL, and then click Properties.
b. In the PORTUGAL Properties dialog box, select the Policy Settings tab.
 Currently the Default Policy enterprise policy is assigned to the PORTUGAL array.
c. In the Enterprise policy list box, select Company Enterprise Policy.
 The Company Enterprise Policy is assigned to the PORTUGAL array.
d. Click OK to close the PORTUGAL Properties dialog box.
9. Examine the firewall policy of the PORTUGAL array.
a. In the left pane, select Firewall Policy (PORTUGAL).
b. In the right pane, right-click the Baseline - Allow HTTP traffic to Internet rule, and then click Properties.
c. In the access rule properties dialog box, select the Action tab.
 Notice that you cannot modify enterprise firewall policy rules at the array level.
d. Click Cancel to close the access rule properties dialog box.
10. Collapse the PORTUGAL node.
a. In the left pane, collapse the PORTUGAL node.
 The PORTUGAL node is not used in later exercises.
11. Create a new enterprise protocol definition:
Name: Attack Ports
Protocols:
- TCP 12345 (outbound)
- TCP 31337 (outbound)
a. In the left pane, select Enterprise Policies.
b. In the task pane, on the Toolbox tab, in the Protocols section, on the New menu, click Protocol.
c. In the New Protocol Definition Wizard dialog box, in the Protocol definition name text box, type Attack Ports, and then click Next.
 You will use the Attack Ports protocol definition in a new enterprise access rule.
d. On the Primary Connection Information page, click New.
e. In the New/Edit Protocol Connection dialog box, complete the following information:
  Protocol type: TCP
  Direction: Outbound
  From: 12345
  To: 12345
and then click OK.
 TCP port 12345 is used by many Trojan horse applications (it is the default port of the NetBus backdoor).
f. On the Primary Connection Information page, click New.
g. In the New/Edit Protocol Connection dialog box, complete the following information:
  Protocol type: TCP
  Direction: Outbound
  From: 31337
  To: 31337
and then click OK.
 TCP port 31337 ("eleet") is also a well-known Trojan horse and backdoor port.
h. On the Primary Connection Information page, click Next.
i. On the Secondary Connections page, click Next.
j. On the Completing the New Protocol Definition Wizard page, click Finish.
 A new enterprise protocol definition is created which defines ports used by Trojan horse applications.
 Note: The new enterprise protocol definition can be used in access rules in all enterprise policies, and in the array firewall policy of all arrays.
12. In Company Enterprise Policy, create a new access rule:
Name: Block - Trojan horse traffic
Applies to: Attack Ports
From network: All Internal Networks
To network: External
a. In the left pane, select Company Enterprise Policy, and then in the right pane, select Baseline - Allow HTTP traffic to Internet.
 The new rule will be placed before the selected rule.
b. In the task pane, on the Tasks tab, click Create Enterprise Access Rule.
c. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Block - Trojan horse traffic, and then click Next.
d. On the Rule Action page, select Deny, and then click Next.
e. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.
f. In the Add Protocols dialog box,
  click User-Defined, click Attack Ports, and click Add,
and then click Close to close the Add Protocols dialog box.
g. On the Protocols page, click Next.
h. On the Access Rule Sources page, click Add.
i. In the Add Network Entities dialog box,
  click Enterprise Networks, click All Internal Networks, and click Add,
and then click Close to close the Add Network Entities dialog box.
j. On the Access Rule Sources page, click Next.
k. On the Access Rule Destinations page, click Add.
l. In the Add Network Entities dialog box,
  click Enterprise Networks, click External, and click Add,
and then click Close to close the Add Network Entities dialog box.
m. On the Access Rule Destinations page, click Next.
n. On the User Sets page, click Next.
o. On the Completing the New Access Rule Wizard page, click Finish.
 A new enterprise access rule is created that denies the Attack Ports traffic from All Internal Networks to the External network for all users.
p. Right-click Block - Trojan horse traffic, and then click Move Up.
 The access rule is now listed in the enterprise policy rules section that is before the Array Firewall Policy section. Array administrators cannot override this enterprise access rule with an array access rule.
 Note: By default (the Default rule), ISA Server denies all network traffic, so on its own no array allows these ports. The Block - Trojan horse traffic enterprise access rule, placed before the array rules, guarantees that these ports stay blocked even when an array administrator creates an array access rule that allows access to all protocols.
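The following is an added example, not part of the lab manual and not ISA Server code: a Python model of the rule ordering described in this exercise (system policy, enterprise before, array, enterprise after, Default rule), so that you can check what an array administrator can and cannot override. The rule and network names follow the lab; the two array-level rules (an "allow everything" rule and an HTTP deny rule), the IP-range matching and the dataclass names are assumptions made for this example, and the system policy section is left empty because those rules only concern the Local Host.

```python
# Added example (not from the ISA Server lab manual): the enterprise/array rule
# ordering described above, modelled in Python. Rule and network names follow
# the lab; the array-level rules and the matching logic are assumptions.
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Tuple

Port = Tuple[str, int]   # (transport, port number)

# Protocol definitions: the built-in HTTP entry and the lab's user-defined Attack Ports
PROTOCOLS = {
    "HTTP": frozenset({("TCP", 80)}),
    "Attack Ports": frozenset({("TCP", 12345), ("TCP", 31337)}),
}

# Source networks as IP ranges: the custom enterprise network spans both arrays'
# Internal networks; "Internal" is the ITALY array's own Internal network
NETWORKS = {
    "All Internal Networks": [ipaddress.ip_network("10.1.1.0/24"),
                              ipaddress.ip_network("10.4.1.0/24")],
    "Internal": [ipaddress.ip_network("10.1.1.0/24")],
}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                               # "allow" or "deny"
    protocols: Optional[FrozenSet[str]]       # None = all outbound traffic
    sources: Optional[FrozenSet[str]]         # network names; None = anywhere
    destinations: Optional[FrozenSet[str]]    # network names; None = anywhere


@dataclass(frozen=True)
class Connection:
    port: Port
    src_ip: str
    dst_network: str


DEFAULT_RULE = Rule("Default rule", "deny", None, None, None)


def rule_matches(rule: Rule, conn: Connection) -> bool:
    if rule.protocols is not None and not any(conn.port in PROTOCOLS[p] for p in rule.protocols):
        return False
    if rule.sources is not None:
        ip = ipaddress.ip_address(conn.src_ip)
        if not any(ip in net for name in rule.sources for net in NETWORKS[name]):
            return False
    if rule.destinations is not None and conn.dst_network not in rule.destinations:
        return False
    return True


def effective_policy(enterprise_before: Iterable[Rule], array_rules: Iterable[Rule],
                     enterprise_after: Iterable[Rule], system_rules: Iterable[Rule] = ()) -> List[Rule]:
    """Evaluation order: system policy, enterprise (before), array, enterprise (after), Default rule."""
    return [*system_rules, *enterprise_before, *array_rules, *enterprise_after, DEFAULT_RULE]


def evaluate(policy: List[Rule], conn: Connection) -> Tuple[str, str]:
    """The first matching rule decides; the Default rule guarantees a decision."""
    for rule in policy:
        if rule_matches(rule, conn):
            return rule.action, rule.name
    raise RuntimeError("unreachable: the Default rule matches everything")


INTERNAL = frozenset({"All Internal Networks"})
EXTERNAL = frozenset({"External"})

# Company Enterprise Policy as built in this exercise
BLOCK_TROJAN = Rule("Block - Trojan horse traffic", "deny", frozenset({"Attack Ports"}), INTERNAL, EXTERNAL)
BASELINE_HTTP = Rule("Baseline - Allow HTTP traffic to Internet", "allow", frozenset({"HTTP"}), INTERNAL, EXTERNAL)

# Hypothetical ITALY array rules that an array administrator might add
ALLOW_ALL_OUTBOUND = Rule("Allow all outbound (array)", "allow", None, frozenset({"Internal"}), EXTERNAL)
DENY_HTTP = Rule("Deny HTTP to Internet (array)", "deny", frozenset({"HTTP"}), frozenset({"Internal"}), EXTERNAL)

OPEN_ARRAY = effective_policy([BLOCK_TROJAN], [ALLOW_ALL_OUTBOUND], [BASELINE_HTTP])
PLAIN_ARRAY = effective_policy([BLOCK_TROJAN], [], [BASELINE_HTTP])
STRICT_ARRAY = effective_policy([BLOCK_TROJAN], [DENY_HTTP], [BASELINE_HTTP])

if __name__ == "__main__":
    print(evaluate(OPEN_ARRAY, Connection(("TCP", 31337), "10.1.1.5", "External")))
    print(evaluate(STRICT_ARRAY, Connection(("TCP", 80), "10.1.1.5", "External")))
```

With OPEN_ARRAY the array's "allow everything" rule still loses to the enterprise rule placed before it, which is the point of task 12, step p; with STRICT_ARRAY the array's deny rule wins over the Baseline allow rule placed after the array section, which is what the note in task 6 describes. Move BLOCK_TROJAN into the enterprise_after list and the Trojan horse ports become reachable through ALLOW_ALL_OUTBOUND.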
13. Examine the firewall policy of the ITALY array.
a. In the left pane, select Firewall Policy (ITALY).
 The new access rule in the enterprise policy appears in the firewall policy for the ITALY array.
b. In the task pane, on the Toolbox tab, in the Protocols section, expand User-Defined.
 The Attack Ports enterprise protocol definition is available for use in array-level firewall policy rules as well.
14. Assign Default Policy to the ITALY array.
a. In the left pane, right-click ITALY, and then click Properties.
b. In the ITALY Properties dialog box, select the Policy Settings tab.
c. In the Enterprise policy list box, select Default Policy, and then click OK.
 The Default Policy enterprise policy is assigned to the ITALY array.
d. In the left pane, select Firewall Policy (ITALY).
 Notice that the firewall policy no longer contains the two enterprise access rules from the Company Enterprise Policy.
 Note: The following task is needed to avoid conflicts with other lab exercises.

15. Discard the changes.
a. In the right pane, click Discard to discard all the changes made in this exercise.
b. Click Yes to confirm that you want to discard the changes.
 If you clicked Apply during this exercise, Company Enterprise Policy may be assigned to the ITALY array. To change this, assign Default Policy to the ITALY array, and then click Apply and OK again.

Exercise 2
Remote Management and Role-based Administration
In this exercise, you will configure ISA Server to allow remote management.

You can connect remotely to manage ISA Server using the ISA Server console, or using a
Remote Desktop connection.

Tasks Detailed steps


 Note: This lab exercise uses the following computers: Denver - Florence - Firenze
Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.
 Perform the following steps on the Florence computer.

1. On the Florence computer, add the Denver computer (10.1.1.5) to the Enterprise Remote Management Computers computer set.
a. On the Florence computer, in the ISA Server console, in the left pane, expand Enterprise, and then select Enterprise Policies.
b. In the task pane, on the Toolbox tab, in the Network Objects section, expand Computer Sets.
 The Enterprise Remote Management Computers computer set contains all the computers (identified by IP address) from which you can manage all the arrays in the enterprise.
c. Right-click Enterprise Remote Management Computers, and then click Properties.
d. In the Enterprise Remote Management Computers Properties dialog box, click Add, and then click Computer.
e. In the New Computer Rule Element dialog box, complete the following information:
  Name: Denver
  Computer IP Address: 10.1.1.5
and then click OK.
 Denver (10.1.1.5) is added to the Enterprise Remote Management Computers computer set, so that you can manage the ISA Server array configuration from the Denver computer.
 Note: The computer set only restricts which source IP addresses may reach the management ports on ISA Server; it is not authentication. The administrator who connects from Denver still has to authenticate, and the administrative role assigned to that account, not the computer set, determines what the administrator may view or change.
f. Click OK to close the Enterprise Remote Management Computers Properties dialog box.
2. For the ITALY array, examine the Remote Management Computers computer set.
a. In the left pane, select Firewall Policy (ITALY).
b. In the task pane, on the Toolbox tab, in the Network Objects section, expand Computer Sets.
c. Right-click Enterprise Remote Management Computers, and then click Properties.
 Notice that you cannot modify the enterprise-level policy elements at the array level. The Add, Edit and Delete buttons are grayed out.
d. Click Cancel to close the Enterprise Remote Management Computers Properties dialog box.
e. Right-click Remote Management Computers, and then click Properties.
 The array-level Remote Management Computers computer set contains all the computers from which you can manage this array (ITALY). Each array has its own Remote Management Computers computer set.
 You can manage an array from the computers in the Enterprise Remote Management Computers computer set, and from the computers in the array's Remote Management Computers computer set.
f. Click Cancel to close the Remote Management Computers Properties dialog box.
3. Examine the system policy rules that are used by the remote management computers:
System policy rules: 2 - 3 - 4 - 11 - 20 - 32
a. In the task pane, on the Tasks tab, click Show System Policy Rules.
 The array-level system policy rules are displayed. There are no enterprise-level system policy rules.
b. In the System Policy Rules list, select system policy rule 2.
 A total of six system policy rules allow access from the Remote Management Computers and the Enterprise Remote Management Computers to Local Host (ISA Server):
  Rule 2 - Allows access from the ISA Server console (MMC) to the ISA Server. This is NOT the rule that allows you to configure ISA Server, because that is done by connecting to the Configuration Storage Server (CSS). This rule only allows access to the information in the Monitoring node.
  Rule 3 - Allows access to the ISA Server computer with a Remote Desktop (Terminal Services) connection.
  Rule 4 - Allows access to the ISA Server computer from a Web application. This applies to ISA Server 2006 appliances.
  Rule 11 - Allows you to ping the ISA Server computer.
  Rule 20 - Allows access to the Performance Monitor information on the ISA Server computer. The rule is disabled by default.
  Rule 32 - Allows access to the CSS to configure the array. This rule only applies when CSS is installed on an ISA Server computer. In this lab, CSS is installed on Florence.
c. In the task pane, on the Tasks tab, click Hide System Policy Rules.
4. Use System properties to enable remote desktop.
a. On the Start menu, click Control Panel, and then click System.
  Before Denver can connect using Remote Desktop (using system policy rule 3), remote desktop must be enabled on Florence.
b. In the System Properties dialog box, on the Remote tab, in the Remote Desktop box, select Enable Remote Desktop on this computer.
c. Click OK to acknowledge that remote connection accounts must have passwords, and that the correct port must be open for remote connections.
d. Click OK to close the System Properties dialog box.
5. Create a new user account.
   Name: David
   Password: Password2
   Change password at next logon: disable
   Member of: Remote Desktop Users
a. On the Start menu, click Administrative Tools, and then click Computer Management.
b. In the Computer Management console, in the left pane, expand Local Users and Groups, and then select Users.
  Note: The (Enterprise) Remote Management Computers computer sets allow you to specify which computers can connect to ISA Server for remote management. However, whether you connect remotely or administer ISA Server locally, you always need to authenticate with a user account that is assigned a monitoring role or an administration role on ISA Server.
  Florence and Firenze are in a workgroup. This means that they do not share user account information. To allow remote monitoring and administration of both Florence and Firenze, you have to create a mirrored user account on Florence and Firenze. A mirrored user account is a local user account with the same user name and password on each computer.
  For arrays with array members in a domain, you can use domain accounts instead of mirrored local accounts.
c. Right-click Users, and then click New User.
d. In the New User dialog box, complete the following information:
  - User name: David
  - Password: Password2
  - Confirm password: Password2
  - User must change password at next logon: disable
and then click Create.
e. Click Close to close the New User dialog box.
f. Right-click David, and then click Properties.
g. In the David Properties dialog box, on the Member Of tab, click Add.
h. In the Select Groups dialog box, type Remote Desktop Users, and then click OK.
  The Remote Desktop Users group grants David remote desktop permission, and the necessary user right to log on through Terminal Services.
i. Click OK to close the David Properties dialog box.
  You will assign David the Array Administrator role on ITALY. This grants the account full control permission on the array configuration in CSS.
  You will also assign David permission to monitor the Florence ISA Server.
j. Close the Computer Management console.
Perform the following steps on the Firenze computer.

6. On the Firenze computer, create a new (mirrored) user account.
   Name: David
   Password: Password2
   Change password at next logon: disable
a. On the Firenze computer, on the Start menu, click Administrative Tools, and then click Computer Management.
b. In the Computer Management console, in the left pane, expand Local Users and Groups, and then select Users.
c. Right-click Users, and then click New User.
d. In the New User dialog box, complete the following information:
  - User name: David
  - Password: Password2
  - Confirm password: Password2
  - User must change password at next logon: disable
and then click Create.
e. Click Close to close the New User dialog box.
  You will assign David permission to monitor the Firenze ISA Server.
f. Close the Computer Management console.
  Note: If you want to connect to Firenze using a remote desktop connection, then you must enable remote desktop on Firenze, and add David to the Remote Desktop Users group.
Perform the following steps on the Florence computer.

7. On the Florence computer, assign array administrative roles.
   Array Administrator: FLORENCE\David
   Mirrored monitor account: David
a. On the Florence computer, in the ISA Server console, in the left pane, right-click ITALY, and then click Properties.
b. In the ITALY Properties dialog box, on the Assign Roles tab, click the top Add button.
  You use role-based administration to organize ISA Server administration into predefined roles. The roles represent functions in an organization that may be assigned to administer ISA Server. When you assign a role to a user or a group, only the permissions needed for the tasks associated with that role are granted.
  ISA Server has three array-level administrative roles.
c. In the Administration Delegation dialog box, complete the following information:
  - Group or User: FLORENCE\David
  - Role: ISA Server Array Administrator
and then click OK.
  The David account on Florence is granted full control on the ITALY array configuration in CSS, and read-only permission on the enterprise configuration.
d. Click OK to acknowledge that you must assign this role to the mirrored account.
e. Click the bottom Add button.
f. In the Administration Delegation dialog box, complete the following information:
  - Group or User: David
  - Role: ISA Server Array Administrator
and then click OK.
  The David accounts on Florence and on Firenze are granted permission to monitor the ISA Server.
g. Click OK to close the ITALY Properties dialog box.
8. Examine the enterprise administrative roles.
a. In the left pane, right-click Enterprise, and then click Properties.
b. In the Enterprise Properties dialog box, select the Assign Roles tab.
  You can assign administrative roles at three levels in ISA Server:
  - Enterprise-level: Allows administrative control over the entire enterprise configuration and all array configurations.
  - Enterprise policy-level: (Per enterprise policy) Allows creation of enterprise policy rules for a single enterprise policy.
  - Array-level: (Per array) Allows administrative control over the array configuration of a single array.
c. Click Cancel to close the Enterprise Properties dialog box.
9. Start the Array Status Monitor to quickly see the current CSS status.
   File: C:\Tools\Status\ArrayStatus.hta
a. Use Windows Explorer (or My Computer) to open the C:\Tools\Status folder.
b. In the Status folder, right-click ArrayStatus.hta, and then click Open.
  Array Status Monitor is an HTML application for use with this lab. It continually displays the CSS synchronization status and the NLB status of the array.
  This is the same information that is displayed in the ISA Server console at the Monitoring node on the Configuration tab (CSS Status) and on the Services tab (NLB Status).
c. Close the Status folder.
10. Apply the changes.
a. Click Apply to save the changes, and then click OK. Use the Array Status Monitor to wait until the CSS status is Synced.
Perform the following steps on the Denver computer.

11. On the Denver computer, use the ISA Server console to connect to ITALY.
   CSS: Florence
   CSS credentials: David / Password2
   Monitor credentials: David / Password2
a. On the Denver computer, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.
  Note: Denver does not run ISA Server. Only the ISA Server console is installed.
b. In the ISA Server console, in the left pane, select Microsoft Internet Security and Acceleration Server 2006, and then in the task pane, on the Tasks tab, click Connect to Configuration Storage Server.
c. In the Configuration Storage Server Connection Wizard dialog box, click Next.
d. On the Configuration Storage Server Location page, in the On remote computer (remote management) text box, type Florence, and then click Next.
e. On the Configuration Storage Server Credentials page, complete the following information:
  - Credentials of the following user: enable
  - User name: David
  - Password: Password2
and then click Next.
  These credentials (David) are used to connect to CSS.
f. On the Array Connection Credentials page, select The same credentials used to connect to the Configuration Storage Server, and then click Next.
  The same credentials (David) are used to monitor the ISA Server array members.
g. On the Completing the Connection Wizard page, click Finish.
  The ISA Server console on Denver connects to the CSS on Florence (using system policy rule 32).
12. Attempt to create a new enterprise policy.
a. In the ISA Server console, in the left pane, expand Enterprise.
b. Right-click Enterprise Policies, click New, and then click Enterprise Policy.
  The David account only has read-only permissions at the enterprise level. You cannot create a new enterprise policy.
c. Click OK to acknowledge that you do not have the necessary permissions.
13. Examine the services information for the array members.
a. In the left pane, expand Arrays.
  Notice that you only see the ITALY array. As array administrator for ITALY, you cannot see other arrays for which you do not have permissions, such as PORTUGAL.
b. Expand ITALY, and then select Monitoring.
c. In the right pane, select the Services tab.
  The ISA Server console on Denver connects to Florence and Firenze to obtain services information (using system policy rule 2).
14. Disconnect from the enterprise, and close the ISA Server console.
a. In the left pane, select Microsoft Internet Security and Acceleration Server 2006.
b. In the task pane, on the Tasks tab, click Disconnect from Enterprise.
c. Click Yes to confirm that you want to disconnect from the enterprise.
  The ISA Server console is no longer connected to a CSS.
d. Close the ISA Server console.
15. Create a remote desktop connection to Florence.
   Log on:
   - User name: David
   - Password: Password2
a. On the Start menu, click All Programs, click Accessories, click Communications, and then click Remote Desktop Connection.
b. In the Remote Desktop Connection dialog box, in the Computer text box, type Florence, and then click Connect.
  Denver creates a remote desktop connection to Florence (using system policy rule 3).
c. In the Log On to Windows dialog box, complete the following information:
  - User name: David
  - Password: Password2
and then click OK.
  David successfully logs on to Florence.
16. Use the ISA Server console to examine the permissions of David.
a. On the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.
  The ISA Server console appears.
b. In the ISA Server console, expand Arrays.
  Note: Even though you (David) are logged on to the computer that runs CSS, you have no permissions to see the PORTUGAL array.
c. Expand ITALY, and then select Monitoring.
d. In the right pane, select the Services tab.
  Denver creates the remote desktop connection to Florence. However, the connection to Firenze (to obtain the services information) is now created from Florence. System policy rule 2 allows this traffic for members of the Array Servers computer set, which includes Florence.
e. Close the ISA Server console.
17. Log off from the remote desktop connection.
a. On the Start menu, click Log Off.
b. Click Log Off to confirm that you want to log off.
  The remote desktop connection is reset. The Denver desktop appears again.
  Note: The following task is needed to avoid conflicts with other lab exercises.

Perform the following steps on the Florence computer.

18. On the Florence computer, use System properties to disable remote desktop.
a. On the Florence computer, on the Start menu, click Control Panel, and then click System.
b. In the System Properties dialog box, on the Remote tab, in the Remote Desktop box, CLEAR the Enable Remote Desktop on this computer check box.
c. Click OK to close the System Properties dialog box.

Exercise 3
Working with Configuration Storage Servers (Optional)
In this exercise, you will examine details on how ISA Server uses a Configuration Storage
server (CSS) to save configuration data.

Tasks Detailed steps

Note: This lab exercise uses the following computer: Florence
Refer to the beginning of the manual for instructions on how to start the computer. Log on to the computer.

Perform the following steps on the Florence computer.

1. On the Florence computer, examine the Configuration Storage server (CSS) settings.
a. On the Florence computer, in the ISA Server console, in the left pane, right-click ITALY, and then click Properties.
b. In the ITALY Properties dialog box, select the Configuration Storage tab.
  When you make enterprise or array configuration changes in the ISA Server console, and then click Apply, the changes are saved to the Configuration Storage server (CSS).
  Periodically, each ISA Server computer checks the CSS for updates and applies those changes. Each ISA Server keeps a local copy of the array configuration, and synchronizes the local copy with the updates from the CSS.
c. Open the Check the Configuration Storage server for updates every list box.
  You can change how often the ISA Servers in the array contact the CSS to check for updates. The default is every 15 seconds. The minimum is every 3 seconds.
  Note: This poll rate is stored in the array configuration data as well. In the lab environment, do not change this to 10 minutes or 60 minutes and apply the change, because it will then take 10 minutes or 60 minutes before ISA Server checks the CSS again and picks up the change back to the shorter interval.
d. Close the Check the Configuration Storage server for updates every list box.
  The Configuration Storage server text box shows that the ITALY array uses Florence as the (primary) CSS. This means that CSS is installed on an array member. You can also install CSS on a separate server. That server can be in a workgroup or in a domain.
  ISA Server only contacts the Alternate Configuration Storage server after the primary CSS has been unavailable for more than 30 minutes. After using the alternate CSS for 6 hours, ISA Server switches back to the primary CSS if it is available again.
e. Click Cancel to close the ITALY Properties dialog box.
2. In the ISA Server installation folder, examine the ChangeStorageServer.vbs script.
a. Open a Command Prompt window.
b. At the command prompt, type cd \Program Files\Microsoft ISA Server, and then press Enter.
c. Type cscript.exe ChangeStorageServer.vbs /?, and then press Enter.
  ISA Server obtains the address of the primary CSS and alternate CSS from the local copy of the array configuration data. However, when those CSS computers become unavailable, ISA Server is not able to connect to a CSS and update its local copy to use a new CSS.
  To solve this problem, you can use the ChangeStorageServer.vbs script in the ISA Server installation folder to change the CSS address in the local copy of the configuration data. The script is available from the ISA Server product CD-ROM.
  Note: This is the only scenario where you directly change the local copy of the array configuration data.
d. Do not close the Command Prompt window.
3. In the Services console, examine the ISASTGCTRL service.
a. On the Start menu, click Administrative Tools, and then click Services.
b. In the Services console, right-click ISASTGCTRL, and then click Properties.
  CSS is an instance of Active Directory Application Mode (ADAM). ADAM is an LDAP service that runs as a user service. It provides data storage and retrieval for directory-enabled applications. ADAM provides much of the same functionality as Active Directory, but it does not require the deployment of domains or domain controllers.
  You install ADAM from the ISA Server product CD-ROM.
c. Click Cancel to close the ISASTGCTRL Properties (Local Computer) dialog box.
d. Close the Services console.
4. In the Event Viewer console, examine the ADAM (ISASTGCTRL) log.
a. On the Start menu, click Administrative Tools, and then click Event Viewer.
b. In the Event Viewer console, in the left pane, select ADAM (ISASTGCTRL).
  ADAM uses a separate event log file to record events.
  The ADAM event log is especially important when you deploy CSS on multiple computers in the same enterprise, and want to troubleshoot CSS replication issues.
c. Close the Event Viewer console.
5. Examine the CSS authentication setting.
a. In the ISA Server console, in the left pane, right-click ITALY, and then click Properties.
b. In the ITALY Properties dialog box, on the Configuration Storage tab, click Select.
  To ensure that ISA Server synchronizes with a valid CSS, either Windows authentication or authentication over SSL is used.
  When CSS or ISA Server is in a workgroup, you cannot use Windows authentication, and must use authentication over SSL instead.
c. Click Cancel to close the Select Authentication Type dialog box.
d. Click Cancel to close the ITALY Properties dialog box.
6. In the ISA Server installation folder, examine ISACertTool.exe.
a. In a Command Prompt window, in the C:\Program Files\Microsoft ISA Server folder, type isacerttool.exe /?, and then press Enter.
  You can use ISACertTool.exe to install a Web server certificate on the CSS computer. Alternatively, you can use the Repair option in Add or Remove Programs.
  You can download ISACertTool from www.microsoft.com/isaserver/downloads.
  Note: Even though it is common to refer to a server authentication certificate as a Web server certificate, CSS is not a Web server. The certificate on the CSS computer is used for LDAP over SSL (LDAPS), not HTTP over SSL (HTTPS).
b. Do not close the Command Prompt window.
7. Use the Certificates console to examine the Web server certificate for the ISASTGCTRL service account.
a. On the Start menu, click Run.
b. In the Run dialog box, type mmc.exe, and then click OK.
  A new empty Microsoft Management Console (MMC) opens.
c. In the Console1 window, on the File menu, click Add/Remove Snap-in.
d. In the Add/Remove Snap-in dialog box, click Add.
e. In the Add Standalone Snap-in dialog box, select Certificates, and then click Add.
f. In the Certificates snap-in dialog box, select Service account, and then click Next.
g. In the Select Computer dialog box, select Local computer, and then click Next.
h. In the Certificates snap-in dialog box, in the Service account list box, select ISASTGCTRL, and then click Finish.
i. Click Close to close the Add Standalone Snap-in dialog box.
j. Click OK to close the Add/Remove Snap-in dialog box.
  The Certificates snap-in for the ISASTGCTRL service account is added to the console.
k. Maximize the Console Root window.
l. In the left pane, expand Certificates - Service (ISASTGCTRL), expand ADAM_ISASTGCTRL\Personal, and then select Certificates.
  The certificate store for the ISASTGCTRL service account lists the Web server certificates that are used when ISA Server computers connect to the CSS using SSL.
m. In the right pane, right-click the Florence certificate, and then click Open.
  The ISA Server computers in the ITALY array (Florence and Firenze) connect to the CSS on Florence to check for updates of the configuration. The name on the certificate (Florence) must match the primary or alternate CSS name used in the array configuration.
  You can use ISACertTool.exe or the Repair option in Add or Remove Programs to install a new Web server certificate for the ISASTGCTRL service account.
n. Click OK to close the Certificate dialog box.
o. Close the Console1 window. Click No to confirm that you do not want to save console settings to Console1.
8. Use the dsdbutil tool to examine the LDAP ports used by CSS.
a. On the Start menu, click All Programs, click ADAM, and then click ADAM Tools Command Prompt.
  A Command Prompt window opens in the C:\Windows\ADAM folder. The folder contains several tools to use with the ADAM database.
b. At the command prompt, type dsdbutil, and then press Enter.
  The dsdbutil.exe tool provides management facilities for the ADAM database file.
c. At the dsdbutil: prompt, type list instances, and then press Enter.
  The output of the command shows information about the ADAM instances running on this computer. ISA Server only uses a single instance of ADAM.
  The ISASTGCTRL ADAM instance uses LDAP on TCP port 2171 and LDAP over SSL on TCP port 2172.
  Note: If you install CSS on a domain controller, these ports do not interfere with the default Active Directory LDAP (389 and 3268) and LDAP over SSL (636 and 3269) TCP ports. ISA Server supports installation of CSS on a domain controller.
d. At the dsdbutil: prompt, type quit, and then press Enter.
9. Use the ldp tool to check the LDAP SSL connection to CSS.
a. At the command prompt, type ldp, and then press Enter.
  The ldp.exe tool can be used to run any LDAP query against the ADAM directory service. For use with ISA Server, this is also a convenient tool to check SSL connectivity after you have installed a Web server certificate on CSS.
b. In the Ldp window, on the Connection menu, click Connect.
c. In the Connect dialog box, complete the following information:
  - Server: Florence
  - Port: 2172
  - Connectionless: disable (is default)
  - SSL: enable
and then click OK.
  When a Web server certificate with the correct name is installed, ldp shows the contents of the ADAM RootDSE information. Otherwise a connection error is shown.
d. Close the Ldp window.
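The ldp check in this task can also be scripted; the following Python example is added here and is not part of the lab manual or of ISA Server. It sends the RootDSE search over an LDAPS connection to the CSS (TCP port 2172), lets the TLS library verify that the certificate name matches the configured CSS name, and decodes the reply; the BER helpers, the check_css_ldaps function and the sample reply are constructed for this example. It assumes Python 3.7 or later and, for a certificate issued by a lab CA, that CA's certificate file passed as ca_file.

```python
"""Scripted version of the ldp.exe check: connect to an ISA Server 2006
Configuration Storage server (CSS) over LDAPS and read its RootDSE.

Added example; not part of the lab manual or of ISA Server. The TLS stack
rejects the connection when the certificate name does not match CSS_HOST,
which is the same failure that ldp reports as a connection error.
"""
import socket
import ssl

CSS_HOST = "Florence"   # CSS name from the array configuration (lab value)
CSS_LDAPS_PORT = 2172   # ISASTGCTRL LDAP over SSL port (lab value)


def ber(tag: int, payload: bytes) -> bytes:
    """Encode one BER TLV using definite length (short or long form)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + payload


def ber_read(buf: bytes, pos: int = 0):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def ber_children(payload: bytes):
    """Yield the (tag, value) pairs contained in a constructed value."""
    pos = 0
    while pos < len(payload):
        tag, value, pos = ber_read(payload, pos)
        yield tag, value


def build_rootdse_search(message_id: int = 1,
                         attrs=("namingContexts", "supportedLDAPVersion")) -> bytes:
    """LDAPMessage { messageID, SearchRequest base "", scope baseObject, (objectClass=*) }."""
    search = (
        ber(0x04, b"")                # baseObject "" = RootDSE
        + ber(0x0A, b"\x00")          # scope: baseObject
        + ber(0x0A, b"\x00")          # derefAliases: neverDerefAliases
        + ber(0x02, b"\x00")          # sizeLimit 0 (no limit)
        + ber(0x02, b"\x00")          # timeLimit 0 (no limit)
        + ber(0x01, b"\x00")          # typesOnly FALSE
        + ber(0x87, b"objectClass")   # filter: present(objectClass), context tag 7
        + ber(0x30, b"".join(ber(0x04, a.encode()) for a in attrs))
    )
    mid = message_id.to_bytes(message_id.bit_length() // 8 + 1, "big")
    return ber(0x30, ber(0x02, mid) + ber(0x63, search))   # 0x63 = APPLICATION 3


def parse_search_entry(msg: bytes) -> dict:
    """Decode a SearchResultEntry (APPLICATION 4) into {attribute: [values]}."""
    _, body, _ = ber_read(msg)
    (_, _mid), (tag, entry) = list(ber_children(body))[:2]
    if tag != 0x64:
        raise ValueError("expected SearchResultEntry, got tag 0x%02x" % tag)
    (_, _dn), (_, attr_list) = list(ber_children(entry))
    result = {}
    for _, attribute in ber_children(attr_list):
        (_, name), (_, values) = list(ber_children(attribute))
        result[name.decode()] = [v.decode() for _, v in ber_children(values)]
    return result


def check_css_ldaps(host: str = CSS_HOST, port: int = CSS_LDAPS_PORT,
                    ca_file: str = None, timeout: float = 5.0) -> dict:
    """Connect with SSL enabled, like ldp, and return the CSS RootDSE attributes.

    Raises ssl.SSLCertVerificationError when the certificate name or chain does
    not check out. Pass ca_file to trust the CA that issued the lab certificate.
    """
    ctx = ssl.create_default_context(cafile=ca_file)   # check_hostname=True
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(build_rootdse_search())
            reply = tls.recv(65536)   # entry first, then SearchResultDone
    return parse_search_entry(reply)


# Constructed sample reply shaped like an ADAM RootDSE entry (not a real capture).
SAMPLE_ENTRY = ber(0x30, ber(0x02, b"\x01") + ber(0x64,
    ber(0x04, b"")
    + ber(0x30,
          ber(0x30, ber(0x04, b"namingContexts")
              + ber(0x31, ber(0x04, b"CN=FPC2")
                    + ber(0x04, b"CN=Configuration,CN={placeholder-guid}")))
          + ber(0x30, ber(0x04, b"supportedLDAPVersion")
                + ber(0x31, ber(0x04, b"3") + ber(0x04, b"2"))))))
```

Running check_css_ldaps() from Denver exercises the same path as ldp: a name mismatch on the CSS certificate surfaces as an SSLCertVerificationError instead of a RootDSE dictionary.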
10. Use the dsmgmt tool to examine the CSS ADAM naming contexts.
a. At the command prompt, type dsmgmt, and then press Enter.
  The dsmgmt.exe tool provides management facilities for the ADAM directory service.
b. At the dsmgmt: prompt, type partition management, and then press Enter.
c. At the partition management: prompt, type connections, and then press Enter.
d. At the server connections: prompt, type connect to server Florence:2171, and then press Enter.
  The dsmgmt tool creates a connection to the CSS ADAM directory service, using LDAP.
e. At the server connections: prompt, type quit, and then press Enter.
f. At the partition management: prompt, type list, and then press Enter.
  The CSS ADAM directory service uses three naming contexts: Configuration, Schema, and FPC2.
  The Schema naming context contains the class definitions for all the ISA Server configuration data. The Configuration naming context contains data about ADAM sites and replication. The FPC2 naming context contains all enterprise and array configuration data.
g. At the partition management: prompt, type quit, and then press Enter.
h. At the dsmgmt: prompt, type quit, and then press Enter.
i. Close the ADAM Tools Command Prompt window.
11. Use the ADAM ADSI Edit console to examine the ADAM site replication configuration.
   Connections to [Florence:2171]:
   - Configuration
   - CN=FPC2
a. On the Start menu, click All Programs, click ADAM, and then click ADAM ADSI Edit.
  The ADAM ADSI Edit console allows you to view and modify ADAM objects in the directory service database.
b. In the ADAM-adsiedit window, on the Action menu, click Connect to.
c. In the Connection Settings dialog box, complete the following information:
  - Connection name: Configuration
  - Server name: Florence
  - Port: 2171
  - Well-known naming context: Configuration
and then click OK.
  The Configuration [Florence:2171] connection is added to the console.
  Note: ADAM ADSI Edit does not support LDAP over SSL connections. You must use the ldp.exe tool to check LDAP over SSL connectivity to the ADAM directory service.
d. On the Action menu, click Connect to again.
e. In the Connection Settings dialog box, complete the following information:
  - Connection name: Enterprise Data
  - Server name: Florence
  - Port: 2171
  - Distinguished name (DN) or naming context: CN=FPC2
and then click OK.
  The Enterprise Data [Florence:2171] connection is added to the console.
f. In the left pane, expand Configuration [Florence:2171], expand CN=Configuration,CN={...}, expand CN=Sites, expand CN=Default-First-Site-Name, and then select CN=Servers.
  Just like Active Directory, ADAM uses sites to manage multi-master replication between groups of CSS computers in multiple locations.
  The Florence CSS is in the Default-First-Site-Name site.
g. In the left pane, select CN=Default-First-Site-Name, and then in the right pane, right-click CN=NTDS Site Settings, and click Schedule.
  CSS replication within an ADAM site is based on change notification. When a configuration update occurs at a CSS, the ADAM instance waits 15 seconds and then notifies its closest CSS replication partners within the site to obtain the configuration update.
  Note: The replication frequency within an ADAM site (every 15 seconds) is unrelated to the default ISA Server CSS poll rate (also every 15 seconds).
  As you can see in the Schedule dialog box, when no updates have occurred, by default the CSS computers within a site still check the other CSS replication partners every hour.
h. Click Cancel to close the Schedule dialog box.
i. In the left pane, expand CN=Inter-Site Transports, and then select CN=IP.
j. In the right pane, right-click CN=DEFAULTIPSITELINK, and then click Properties.
k. In the CN=DEFAULTIPSITELINK Properties dialog box, in the Attributes list, select replInterval.
  The CSS replication between ADAM sites is not based on notification, but on a replication interval. By default, different sites replicate configuration updates every 180 minutes (3 hours).
l. Click Cancel to close the CN=DEFAULTIPSITELINK Properties dialog box.
m. In the left pane, expand Enterprise Data [Florence:2171], expand CN=FPC2, expand CN=Array-Root, expand CN=Arrays, and then select the first CN={...}.
  The FPC2 naming context contains all the enterprise and array configuration data. To avoid configuration mistakes, you should never change this information directly in ADAM ADSI Edit. Instead, use the ISA Server console, or use an administrative script.
n. Close the ADAM-adsiedit window.
  Note: The ADAM ADSI Edit console saves the current connections Configuration [Florence:2171] and Enterprise Data [Florence:2171] for later use.
12. In the ISA Server installation folder, examine AdamSites.exe.
a. In a Command Prompt window, in the C:\Program Files\Microsoft ISA Server folder, type adamsites.exe /?, and then press Enter.
  Instead of configuring replication parameters between ADAM sites in ADAM ADSI Edit directly, you can use the AdamSites.exe tool. The AdamSites tool can also create sites, and move CSS computers to new sites.
  You can download AdamSites from www.microsoft.com/isaserver/downloads.
b. At the command prompt, type adamsites.exe sites, and then press Enter.
  The enterprise currently has one site named Default-First-Site-Name, containing the CSS computer Florence.
c. At the command prompt, type adamsites.exe sitelinks, and then press Enter.
  The site replicates configuration updates to other sites (if present) every 180 minutes.
d. Close the Command Prompt window.
13. Examine the protocol definitions related to CSS:
   - MS Firewall Storage
   - MS Firewall Storage Replication
   - MS Firewall Storage Server
a. In the ISA Server console, in the left pane, select Firewall Policy (ITALY).
b. In the task pane, on the Toolbox tab, in the Protocols section, expand All Protocols.
c. In the list of protocols, right-click MS Firewall Storage, and then click Properties.
d. In the MS Firewall Storage Properties dialog box, select the Parameters tab.
  Three protocol definitions are related to CSS network traffic:
  - MS Firewall Storage - Outbound access to CSS (TCP ports 2171 and 2172)
  - MS Firewall Storage Replication - Outbound CSS replication (TCP port 2173)
  - MS Firewall Storage Server - Inbound access to CSS (TCP ports 2171 and 2172)
  The first two protocol definitions are used in system policy rules:
  - Rule 31 (MS Firewall Storage) - Allows access from ISA Server to the CSS, so that ISA Server can check for updates.
  - Rule 32 (MS Firewall Storage) - Allows access from remote management computers to ISA Server. This rule only applies when CSS is installed on ISA Server.
  - Rule 33 (MS Firewall Storage Replication) - Allows access to and from ISA Server to replicate CSS. This rule only applies when CSS is installed on ISA Server.
  You can use the MS Firewall Storage Server protocol definition to publish CSS. This may be needed in a back-to-back ISA Server configuration, or when installing an ISA Server in a new branch office.
e. Click Cancel to close the MS Firewall Storage Properties dialog box.

Module H: Configuring Load Balancing

Exercise 1
Configuring Network Load Balancing (NLB)
In this exercise, you will configure ISA Server to use NLB for load balanced and fault
tolerant outbound and inbound access.

Note: The default background wallpaper on the Denver computer and the Istanbul computer only displays a single ISA Server (Paris). If needed, on those two computers you can select a different background wallpaper which displays the two ISA Servers (Florence and Firenze) that are used in this module.

Tasks Detailed steps

Note: This lab exercise uses the following computers: Denver - Florence - Firenze - Istanbul
Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.

Perform the following steps on the Florence computer.

1. On the Florence computer, examine the current configuration of the Internal Connection network adapter, before NLB is enabled.
a. On the Florence computer, on the Start menu, click Control Panel, click Network Connections, right-click Internal Connection, and then click Properties.
  In the Internal Connection Properties dialog box, notice that Network Load Balancing is not enabled yet on this network adapter.
  Note: Do not enable Network Load Balancing (NLB) in this dialog box. You enable and configure NLB from the ISA Server console.
b. Click Cancel to close the Internal Connection Properties dialog box.
2. In the ISA Server console, enable NLB integration, and enable NLB on the Internal network.
   Primary Virtual IP address: 10.1.1.3
   Subnet mask: 255.255.255.0
a. On the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.
b. In the ISA Server console, expand Arrays, expand ITALY, expand Configuration, and then in the left pane, select Networks.
c. In the right pane, select the Networks tab.
d. In the task pane, on the Tasks tab, click Enable Network Load Balancing Integration.
  Enabling NLB integration results in the following two actions:
  - ISA Server controls the NLB driver and adds additional functionality, such as alerting the NLB driver when any ISA Server service fails, and support for handling network traffic when NLB is enabled on multiple networks on the array.
  - ISA Server manages the configuration of NLB, and overrides any manual NLB changes you may make outside of ISA Server.
  Note: It is possible to use NLB on ISA Server in non-integrated mode. However, in this configuration you don't have the added functionality provided by ISA Server's control of the NLB driver.
e. In the Network Load Balancing Wizard dialog box, click Next.
f. On the Select Load Balanced Networks page, select Internal, and then click Set Virtual IP.
g. In the Set Virtual IP Addresses dialog box, complete the following information:
  - Primary VIP: 10.1.1.3
  - Subnet mask: 255.255.255.0
and then click OK.
  The NLB virtual IP (VIP) address is used on both array members. The address must be in the same IP subnet as the dedicated IP addresses (DIPs) on Florence (10.1.1.1) and Firenze (10.1.1.2).
  Later in this exercise, you will also enable NLB on the External network.
h. On the Select Load Balanced Networks page, click Next.
i. On the Completing the Network Load Balancing Integration Wizard page, click Finish.
  A message box appears, explaining that the name you specify for the Configuration Storage server (CSS) should resolve to the intra-array IP address. This only applies if CSS is installed on an array member, and NLB is enabled.
j. Click OK to close the message box.
k. In the left pane, right-click ITALY, and then click Properties.
l. In the ITALY Properties dialog box, select the Configuration Storage tab.
  The array uses the name Florence to specify the CSS on the Florence computer. Both Florence and Firenze use a hosts file to resolve the name Florence to the intra-array IP address of Florence (23.1.1.1). This means that the array meets the requirement explained in the message box after you enabled NLB integration.
m. Click Cancel to close the ITALY Properties dialog box.
3. Examine the NLB and CARP configuration on the Internal network.
a. In the left pane, select Networks, and in the right pane, on the Networks tab, right-click Internal, and then click Properties.
b. In the Internal Properties dialog box, select the NLB tab.
 NLB is enabled on the Internal network. The Primary VIP is
10.1.1.3.
c. Select the CARP tab, and ensure that CARP is NOT enabled on this
network.
 ISA Server supports the use of both CARP and NLB on the same
network, but in this exercise you will use only NLB.
d. Click OK to close the Internal Properties dialog box.
4. Examine the status of the Network Load Balancing service on the Monitoring/Services tab.
a. In the left pane, select Monitoring, and then in the right pane, select the Services tab.
 When NLB integration is enabled, ISA Server displays the status of the Network Load Balancing service on the Services tab. This is not a real Windows service, but represents the NLB network driver.
 Because you have not applied the configuration changes yet, the
current status of the Network Load Balancing service is Unavailable.
b. Do NOT click Apply yet to save the changes.
5. Start the Array Status Monitor to quickly see the current CSS status and NLB status.
File: C:\Tools\Status\ArrayStatus.hta
a. Use Windows Explorer (or My Computer) to open the C:\Tools\Status folder.
b. In the Status folder, right-click ArrayStatus.hta, and then click Open.
 Array Status Monitor is an HTML application for use with this lab. It continually displays the CSS synchronization status and the NLB status of the array.
 This is the same information that is displayed in the ISA Server console at the Monitoring node on the Configuration tab (CSS Status) and on the Services tab (NLB Status).
c. Close the Status folder.
6. Apply the changes and restart the Firewall service.
a. In the ISA Server console, click Apply to save the changes.
b. In the ISA Server Warning dialog box, CHANGE the current selection, and select Save the changes and restart the services, and then click OK.
c. Click OK to close the Saving Configuration Changes dialog box.
d. Use the Array Status Monitor to wait until the CSS status is Synced, and
the NLB status is Running. This may take 5 to 10 minutes.
 After Florence and Firenze have received the new configuration,
ISA Server enables and configures NLB on both computers. The NLB status
Configuring means that the NLB driver is still converging the computers to a
consistent state.
 Note: Instead of waiting 5 to 10 minutes for NLB to converge and display the status Running, you can continue with the next tasks.
7. Examine the NLB host IDs, and the network used for intra-array communication.
a. In the left pane, select Servers.
b. In the right pane, right-click Florence, and then click Properties.
 The Host ID number represents the NLB host identifier, assigned by ISA Server. Florence uses host ID 2, Firenze uses host ID 3.
 All hosts in an NLB cluster must use a unique host ID between 1 and 32. ISA Server does not assign host ID 1, so the maximum number of array members in an NLB cluster is 31.
 Note: Do not confuse the terminology. NLB uses the terms cluster
and hosts, while ISA Server uses the terms array and members. WLBS
(Windows NT Load Balancing Service) is an old name for NLB.
c. In the Florence Properties dialog box, select the Communication tab.
 Florence (and Firenze) use the IP address on the Perimeter
network (23.1.1.x) for communication between array members. This is a
configuration change performed during the lab setup. The default setting on
ISA Server is to use the first IP address of the network adapter on the Internal
Network for intra-array communication.
 Note: When you enable NLB on ISA Server, the intra-array
communication network must not be load-balanced. This is not needed for the
so-called NLB Heartbeat, but to allow normal intra-array communication.
(However, this requirement is removed in Windows Server 2003 Service
Pack 1.)
 In this exercise you will enable NLB on both the Internal network
and the External network.
d. Click Cancel to close the Florence Properties dialog box.
8. Delete all existing Web publishing rules and Server publishing rules.
a. In the left pane, select Firewall Policy (ITALY).
 As examined in more detail later, the behavior of NLB is dynamic, and is influenced by the existence of Web publishing rules and Server publishing rules.
 In the lab environment, to ensure that the behavior of NLB matches exactly the description and the steps in this exercise, you must delete all existing Web publishing rules and Server publishing rules.
b. In the right pane, in the Firewall Policy Rules list, for each Server
publishing rule, right-click the rule, click Delete, and then click OK to confirm
that you want to delete the rule.
 Note: Server publishing rules are indicated in the Order column by
a square icon containing a little gray server symbol.
c. For each Web publishing rule, right-click the rule, click Delete, and then
click OK to confirm that you want to delete the rule.
 Note: Web publishing rules are indicated in the Order column by a
gray server symbol connected to a blue workstation symbol.
9. Create a new access rule.
Name: Allow Web access (NLB)
Applies to: HTTP
From network: Internal
To network: External
a. In the right pane, select the first rule in the Firewall Policy Rules list, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.
b. In the task pane, on the Tasks tab, click Create Access Rule.
c. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow Web access (NLB), and then click Next.
d. On the Rule Action page, select Allow, and then click Next.
e. On the Protocols page, in the This rule applies to list box, select
Selected protocols, and then click Add.
f. In the Add Protocols dialog box,
  click Common Protocols, click HTTP, and click Add,
and then click Close to close the Add Protocols dialog box.
g. On the Protocols page, click Next.
h. On the Access Rule Sources page, click Add.
i. In the Add Network Entities dialog box,
  click Networks, click Internal, click Add,
and then click Close to close the Add Network Entities dialog box.
j. On the Access Rule Sources page, click Next.
k. On the Access Rule Destinations page, click Add.
l. In the Add Network Entities dialog box,
  click Networks, click External, click Add,
and then click Close to close the Add Network Entities dialog box.
m. On the Access Rule Destinations page, click Next.
n. On the User Sets page, click Next.
o. On the Completing the New Access Rule Wizard page, click Finish.
 A new firewall policy rule is created that allows the HTTP protocol
from the Internal network to the External network.
10. After NLB integration is fully enabled, apply the changes.
a. Before you apply the new rule, ensure that NLB integration is fully enabled on the ISA Server array. Wait until the CSS status is Synced, and the NLB status is Running.
b. Click Apply to apply the new rule, and then click OK. Wait until the
CSS status is Synced, and the NLB status is Running.
 Perform the following steps on the Denver computer.

11. On the Denver computer, connect to http://istanbul.fabrikam.com/web.asp.
Use proxy server address: 10.1.1.1:8080 and 10.1.1.3:8080
a. On the Denver computer, open Internet Explorer. In the Address box, type http://istanbul.fabrikam.com/web.asp, and then press Enter.
 The Web Server Info Demo Page on Istanbul appears. The Web server reports that the Web request was sent through Florence (39.1.1.1).
b. On the Tools menu, click Internet Options.
c. In the Internet Options dialog box, on the Connections tab, click LAN Settings.
 Notice that currently Internet Explorer is still using IP address 10.1.1.1 (Florence) as the proxy server address. This means that all Web proxy traffic uses Florence.
 After you have enabled NLB, you should ensure that all client
computers use the NLB virtual IP address as the proxy server address (for Web
Proxy clients and Firewall clients), or as default gateway (for SecureNAT
clients).
d. In the Local Area Network (LAN) Settings dialog box, complete the
following information:
  Use a proxy server for your LAN: enable
  Address: 10.1.1.3
  Port: 8080
  Bypass proxy server for local addresses: enable
and then click OK.
e. Click OK to close the Internet Options dialog box.
f. On the toolbar, click the Refresh button.
 The Web page reports that the Web request was sent through
Firenze (39.1.1.2). Apparently the NLB process assigns the Web proxy
connection from 10.1.1.5 to Firenze.
g. Close Internet Explorer.
 Note: Depending on the timing of the Florence and Firenze servers,
there is a very small chance that the Web proxy connection from 10.1.1.5 is still
going through the Florence server. In that case, the NLB distribution of the
connections through Florence and Firenze is exactly the opposite of the
description in this exercise. To ensure that the behavior of NLB matches exactly
the steps in this exercise, do the next task.
 Note: You only need to do the following task if the Web proxy connection in the previous task continued to go
through the Florence server.
 Perform the following steps on the Firenze computer.

12. On the Firenze computer, stop, wait 10 seconds, and start the Microsoft Firewall service.
a. On the Firenze computer, in a Command Prompt window, type net stop fwsrv, and then press Enter.
 The Microsoft Firewall service on Firenze is stopping. After 5 seconds, NLB on Florence will automatically reconfigure to handle all connections through the array.
b. Wait 10 seconds, and then type net start fwsrv, and press Enter.
 After the Microsoft Firewall service on Firenze is started, all
connections through the array are load balanced between Florence and
Firenze again.
c. Close the Command Prompt window.
 Note: In the following tasks, you will enable NLB on the External network as well. This allows you to load
balance incoming connections to published servers on your network.
 Perform the following steps on the Florence computer.

13. On the Florence computer, enable NLB on the External network.
Primary Virtual IP address: 39.1.1.3
Subnet mask: 255.255.255.0
a. On the Florence computer, in the ISA Server console, in the left pane, select Networks.
b. In the task pane, on the Tasks tab, click Configure Load Balanced Networks.
c. In the Network Load Balancing Wizard dialog box, click Next.
d. On the Select Load Balanced Networks page, select External, and then click Set Virtual IP.
e. In the Set Virtual IP Addresses dialog box, complete the following
information:
  Primary VIP: 39.1.1.3
  Subnet mask: 255.255.255.0
and then click OK.
f. On the Select Load Balanced Networks page, click Next.
g. On the Completing the Load Balanced Networks Wizard page, click
Finish.
 Currently NLB is enabled on both the Internal network (virtual IP
10.1.1.3) and the External network (virtual IP 39.1.1.3).
 Note: When you use NLB on an ISA Server array, it is
recommended to enable NLB on all networks, except the network used for
intra-array communication (unless you use Windows Server 2003 Service
Pack 1).
h. Click Apply to apply the changes, and then click OK. Wait until the
CSS status is Synced, and the NLB status is Running.
14. Refresh the ISA Server console, so that the new virtual IP address is shown in the user interface.
a. In the left pane, right-click Firewall Policy (ITALY), and then click Refresh.
 This step ensures that the ISA Server console rereads the IP addresses from the network adapters.
15. Create a new Web listener.
Name: External Web 80 NLB
SSL: disable
Network: External - 39.1.1.3
Compression: disable
Authentication: none
a. In the left pane, select Firewall Policy (ITALY).
b. In the task pane, on the Toolbox tab, in the Network Objects section, right-click Web Listeners, and then click New Web Listener.
c. In the New Web Listener Definition Wizard dialog box, in the Web listener name text box, type External Web 80 NLB, and then click Next.
d. On the Client Connection Security page, select Do not require SSL secured connections with clients, and then click Next.
e. On the Web Listener IP Addresses page, select the External check box, and then click Select IP Addresses.
 Instead of listening on dedicated IP addresses (39.1.1.1 and 39.1.1.2), it is recommended to only listen on the virtual IP address.
 Note: If you did not refresh the ISA Server console in the previous
task, it is possible that 39.1.1.3 is not listed as Virtual IP yet.
f. In the External Network Listener IP Selection dialog box, select the
Specified IP addresses option, and then in the Available IP Addresses list,
select 39.1.1.3, and click Add.
g. Click OK to close the External Network Listener IP Selection dialog
box.
 The Web listener will only listen on IP address 39.1.1.3, on the
External network.
h. On the Web Listener IP Addresses page, clear
ISA Server will compress content, and then click Next.
i. On the Authentication Settings page, in the drop-down list box, select
No Authentication, and then click Next.
j. On the Single Sign On Settings page, click Next.
k. On the Completing the New Web Listener Wizard page, click Finish.
 A new Web listener (port 80 on IP address 39.1.1.3) with the name
External Web 80 NLB is created.
16. Create a Web publishing rule.
Name: Web Home Page NLB
Publishing type: single Web site
Internal site name: denver.contoso.com
Public name: shop.contoso.com
Web listener: External Web 80 NLB
Delegation: none
a. In the right pane, select the first rule in the Firewall Policy Rules list to indicate where the new rule is added to the rule list.
b. In the task pane, on the Tasks tab, click Publish Web Sites.
c. In the New Web Publishing Rule Wizard dialog box, in the Web publishing rule name text box, type Web Home Page NLB, and then click Next.
d. On the Select Rule Action page, select Allow, and then click Next.
e. On the Publishing Type page, select Publish a single Web site, and then click Next.
f. On the Server Connection Security page, select Use non-secured connections to connect to the published Web server, and then click Next.
g. On the Internal Publishing Details page, complete the following information:
  Internal site name: denver.contoso.com
  Use a computer name or IP address: disable (is default)
and then click Next.
h. On the next Internal Publishing Details page, complete the following information:
  Path: (leave empty)
  Forward the original host header: disable (is default)
and then click Next.
i. On the Public Name Details page, complete the following information:
  Accept requests for: This domain name (type below):
  Public name: shop.contoso.com
  Path: (leave empty)
and then click Next.
 On Istanbul (Internet), the name shop.contoso.com must resolve to
39.1.1.3.
j. On the Select Web Listener page, in the Web listener drop-down list
box, select External Web 80 NLB, and then click Next.
k. On the Authentication Delegation page, select No delegation, and client
cannot authenticate directly, and then click Next.
l. On the User Sets page, click Next.
m. On the Completing the New Web Publishing Rule Wizard page, click
Finish.
 A new Web publishing rule is created which publishes the Web site
at denver.contoso.com (10.1.1.5) as shop.contoso.com on the External network
on virtual IP address 39.1.1.3.
n. Click Apply to apply the new rule, and then click OK. Wait until the
CSS status is Synced, and the NLB status is Running.
 Perform the following steps on the Istanbul computer.

17. On the Istanbul computer, verify the IP address of shop.contoso.com, and then connect to http://shop.contoso.com/web.asp.
a. On the Istanbul computer, open a Command Prompt window.
b. At the command prompt, type ping shop.contoso.com, and then press Enter.
 In the hosts file on Istanbul, shop.contoso.com is already defined as 39.1.1.3.
 Note: Depending on firewall policy rules that you may have created in earlier exercises, you may or may not receive replies on the ping requests to 39.1.1.3.
c. Open Internet Explorer. In the Address box, type
http://shop.contoso.com/web.asp, and then press Enter.
 The Web Server Info Demo page on Denver appears. The Web
server reports that the Web request was sent through Florence.
 Apparently the NLB process assigns the Web connection from
Istanbul (39.1.1.7) to Florence.
 Note: Because ISA Server blocks unsolicited network traffic on all
networks, the request and reply must go through the same ISA Server.
When ISA Server sends the Web request to Denver (10.1.1.5), it replaces the
client address (39.1.1.7) in the network packet with its own dedicated IP
address (10.1.1.1) on the Internal network. When Denver replies, it sends the
reply back to the client IP address (10.1.1.1), which is automatically the
correct ISA Server.
d. Close Internet Explorer.
Exercise 2
Examining Details on NLB
In this exercise, you will examine details on how ISA Server configures and controls the NLB
driver to provide load balancing functionality for array members. You will also perform the
steps needed to disable NLB integration on an array.

Tasks Detailed steps


 Note: This lab exercise uses the following computers: Denver - Florence - Firenze - Istanbul
Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.
 Perform the following steps on the Florence computer.

1. On the Florence computer, use the nlb query command to see the current convergence state of the NLB cluster.
a. On the Florence computer, in a Command Prompt window, type nlb query, and then press Enter.
 The NLB utility shows which NLB hosts are currently part of the clusters for each network.
 Note: Florence is host ID 2, and Firenze is host ID 3. WLBS is an old name for NLB.
2. Use the nlb queryport command to see the number of accepted and dropped network packets.
a. At the command prompt, type nlb queryport 8080, and then press Enter.
 The NLB utility reports the number of accepted and dropped packets on Florence for the NLB port rule that applies to TCP or UDP port 8080.
 Remember the number of accepted and dropped packets through
the 10.1.1.3 cluster (Internal network) for comparison in the next task.
 Perform the following steps on the Firenze computer.

3. On the Firenze computer, use the nlb queryport command to see the number of accepted and dropped network packets.
a. On the Firenze computer, open a Command Prompt window.
b. At the command prompt, type nlb queryport 8080, and then press Enter.
 The NLB utility on Firenze reports exactly the opposite numbers of accepted and dropped packets through the 10.1.1.3 cluster (if no additional new network traffic occurred in the meantime).
 Note: All TCP and UDP packets are sent to both NLB hosts. Each host makes the exact same decision about which host will handle a particular network packet. For single affinity, this decision is based on the hash value of the source IP address.
 Apparently the hash value of 10.1.1.5 results in NLB host Firenze.
c. Close the Command Prompt window.
 Perform the following steps on the Florence computer.

4. On the Florence computer, examine the configuration of the Internal Connection network adapter.
a. On the Florence computer, on the Start menu, click Control Panel, click Network Connections, right-click Internal Connection, and then click Properties.
 Notice that ISA Server has enabled Network Load Balancing on the network adapter.
b. In the Internal Connection Properties dialog box, select Network Load Balancing (do NOT clear the check box), and then click Properties.
 The NLB cluster IP address is set to 10.1.1.3.
c. Select the Host Parameters tab.
 Florence is assigned Priority (or host ID) 2.
d. Select the Port Rules tab.
 There is a single port rule that specifies that TCP and UDP traffic
directed at any port is load balanced, using Single affinity.
 Single affinity means that NLB uses only the IP address of the
sender (and not the combination of the IP address and port) to calculate which
host handles the traffic. In effect, all network connections from a particular
computer use the same ISA Server.
 Note: Do not change any of the settings in the Network Load
Balancing Properties dialog box. ISA Server will override any changes you
make here.
e. Click CANCEL to close the Network Load Balancing Properties dialog
box.
f. Click Cancel to close the Internal Connection Properties dialog box.
g. In a Command Prompt window, type ipconfig  /all, and then press
Enter.
 The Internal Connection network adapter now has two IP
addresses (10.1.1.1 and 10.1.1.3), and uses a new physical address (MAC)
02-BF-0A-01-01-03. NLB bases the new MAC address on the hexadecimal
representation of the cluster IP address.
 Perform the following steps on the Firenze computer.

5. On the Firenze computer, examine the configuration of the Internal Connection network adapter.
a. On the Firenze computer, open a Command Prompt window.
b. At the command prompt, type ipconfig /all, and then press Enter.
 The Internal Connection network adapter on Firenze uses the same cluster IP address (10.1.1.3), and the same MAC address (02-BF-0A-01-01-03).
 Florence and Firenze no longer use the original MAC address on the Internal Connection network adapter, but use the same new MAC address. This is called unicast mode in NLB.
 Note: When NLB integration is enabled, ISA Server always uses unicast mode and single affinity.
c. Close the Command Prompt window.
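The MAC address change observed in tasks 4 and 5 can be verified rather than eyeballed. The following Python script is an added example for this lab and is not part of the lab manual or of ISA Server: it derives the NLB cluster MAC from a virtual IP address the same way the manual describes (the hexadecimal bytes of the cluster IP behind the prefix 02-BF for unicast mode; the 03-BF prefix for NLB multicast mode is included as a generalization beyond the lab, which only uses unicast) and then checks ipconfig /all output for each load-balanced adapter: the dedicated IP and the virtual IP must both be bound and the physical address must equal the cluster MAC. The ipconfig text is constructed for this example; the adapter name External Connection and the burned-in MAC 00-0C-29-5A-11-22 are assumptions, and the External adapter is deliberately shown before NLB has taken over its MAC so that the check reports a finding.

```python
"""Added example (not from the lab manual): derive the NLB cluster MAC address
from a virtual IP and check ipconfig /all output against it."""
import ipaddress
import re


def cluster_mac(vip: str, mode: str = "unicast") -> str:
    """Return the NLB cluster MAC for a virtual IP, in ipconfig's XX-XX-XX-XX-XX-XX form.

    Unicast mode uses prefix 02-BF, multicast mode 03-BF; the remaining four bytes
    are the VIP octets in hex (10.1.1.3 -> 02-BF-0A-01-01-03, as seen in the lab).
    """
    prefix = {"unicast": "02-BF", "multicast": "03-BF"}[mode]
    octets = ipaddress.IPv4Address(vip).packed            # the four VIP bytes
    return prefix + "".join(f"-{b:02X}" for b in octets)


# Constructed sample resembling "ipconfig /all" on an array member. The Internal
# adapter already carries the cluster MAC; the External adapter (assumed name)
# still shows its burned-in MAC, i.e. NLB has not yet taken over that network.
SAMPLE_IPCONFIG = """
Ethernet adapter Internal Connection:

   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 02-BF-0A-01-01-03
   IP Address. . . . . . . . . . . . : 10.1.1.1
   IP Address. . . . . . . . . . . . : 10.1.1.3
   Default Gateway . . . . . . . . . :

Ethernet adapter External Connection:

   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection #2
   Physical Address. . . . . . . . . : 00-0C-29-5A-11-22
   IP Address. . . . . . . . . . . . : 39.1.1.1
   IP Address. . . . . . . . . . . . : 39.1.1.3
"""


def parse_ipconfig(text: str) -> dict:
    """Map adapter name -> {'mac': str, 'ips': [str, ...]} from ipconfig /all text."""
    adapters, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^Ethernet adapter (.+):$", line.strip())
        if m:
            current = adapters.setdefault(m.group(1), {"mac": None, "ips": []})
            continue
        if current is None:
            continue
        m = re.match(r"^\s*Physical Address[ .]*: ([0-9A-F-]{17})", line)
        if m:
            current["mac"] = m.group(1)
        m = re.match(r"^\s*IP Address[ .]*: (\d+\.\d+\.\d+\.\d+)", line)
        if m:
            current["ips"].append(m.group(1))
    return adapters


def check_nlb_adapter(adapter: dict, vip: str, dip: str) -> list:
    """Return a list of findings; an empty list means the adapter looks NLB-converged."""
    findings = []
    if dip not in adapter["ips"]:
        findings.append(f"dedicated IP {dip} missing")
    if vip not in adapter["ips"]:
        findings.append(f"virtual IP {vip} not bound")
    expected = cluster_mac(vip)
    if adapter["mac"] != expected:
        findings.append(f"MAC {adapter['mac']} != cluster MAC {expected}")
    return findings


if __name__ == "__main__":
    adapters = parse_ipconfig(SAMPLE_IPCONFIG)
    for name, vip, dip in (("Internal Connection", "10.1.1.3", "10.1.1.1"),
                           ("External Connection", "39.1.1.3", "39.1.1.1")):
        print(name, check_nlb_adapter(adapters[name], vip, dip) or "OK")
```

On a real array member, pipe the output of ipconfig /all into parse_ipconfig and run the check for every network on which NLB is enabled; a MAC that does not match the cluster MAC, or a missing VIP, means the NLB driver has not (yet) applied the configuration ISA Server pushed, which is the same condition the Array Status Monitor reports as Configuring rather than Running.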
 Perform the following steps on the Florence computer.

6. On the Florence computer, create a new access rule.
Name: Allow Ping to firewall
Applies to: PING
From network: Internal
To network: Local Host
a. On the Florence computer, in the ISA Server console, in the left pane, select Firewall Policy.
b. In the right pane, select the first rule in the Firewall Policy Rules list, to indicate where the new rule is added to the rule list.
c. In the task pane, on the Tasks tab, click Create Access Rule.
d. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow Ping to firewall, and then click Next.
e. On the Rule Action page, select Allow, and then click Next.
f. On the Protocols page, in the This rule applies to list box, select
Selected protocols, and then click Add.
g. In the Add Protocols dialog box,
  click Common Protocols, click PING, and click Add,
and then click Close to close the Add Protocols dialog box.
h. On the Protocols page, click Next.
i. On the Access Rule Sources page, click Add.
j. In the Add Network Entities dialog box,
  click Networks, click Internal, click Add,
and then click Close to close the Add Network Entities dialog box.
k. On the Access Rule Sources page, click Next.
l. On the Access Rule Destinations page, click Add.
m. In the Add Network Entities dialog box,
  click Networks, click Local Host, click Add,
and then click Close to close the Add Network Entities dialog box.
n. On the Access Rule Destinations page, click Next.
o. On the User Sets page, click Next.
p. On the Completing the New Access Rule Wizard page, click Finish.
 A new firewall policy rule is created that allows Ping from the
Internal network to the Local Host network (ISA Server).
q. Click Apply to apply the new rule, and then click OK. Wait until the
CSS status is Synced, and the NLB status is Running.
 Perform the following steps on the Denver computer.

7. On the Denver computer, examine the MAC addresses used by 10.1.1.1, 10.1.1.2, and 10.1.1.3.
a. On the Denver computer, open a Command Prompt window.
b. At the command prompt, type ping 10.1.1.1, and then press Enter.
 Florence returns four replies on the ping requests.
c. Type ping 10.1.1.2, and then press Enter.
 Firenze returns four replies on the ping requests.
d. Type ping 10.1.1.3, and then press Enter.
 NLB does not load balance ICMP traffic (ping requests). This means that both Florence and Firenze return a reply to each ping request. The ping application does not display the duplicate responses.
e. Type arp -a, and then press Enter.
 The command displays the MAC addresses used for each IP
address during the last 2 minutes. Because NLB is using unicast mode, all IP
addresses return the same MAC address (02-BF-0A-01-01-03).
f. Close the Command Prompt window.
8. Connect to http://istanbul.fabrikam.com/web.asp.
Use proxy server address: 10.1.1.3:8080 and use default gateway: 10.1.1.1.
a. Open Internet Explorer. In the Address box, type http://istanbul.fabrikam.com/web.asp, and then press Enter.
 Denver is using Web proxy address 10.1.1.3. The Web server reports that the Web request was sent through Firenze (39.1.1.2).
b. On the Tools menu, click Internet Options.
c. In the Internet Options dialog box, on the Connections tab, click LAN Settings.
d. In the Local Area Network (LAN) Settings dialog box, complete the following information:
  Use a proxy server for your LAN: disable
and then click OK.
e. Click OK to close the Internet Options dialog box.
 Internet Explorer is no longer configured to use a proxy server
(Web Proxy client). Instead, the default gateway (10.1.1.1) on Denver is now
used to connect to the ISA Server (SecureNAT client).
f. On the toolbar, click the Refresh button.
 The Web page reports that the Web request was sent through
Firenze (39.1.1.2).
9. Change the default gateway from 10.1.1.1 to 10.1.1.3.
a. In a Command Prompt window, type ipconfig, and then press Enter.
 The default gateway is configured to 10.1.1.1.
 Note: Unlike a Web Proxy client that uses proxy server 10.1.1.1 (Florence), network traffic from a SecureNAT client that uses default gateway 10.1.1.1 is load balanced correctly and handled by the NLB host (Firenze) based on the hash value of the source IP address.
 The reason for this is that a Web Proxy client request is technically
from 10.1.1.5 to 10.1.1.1:8080 (with the HTTP headers indicating
istanbul.fabrikam.com), while a SecureNAT client request is from 10.1.1.5 to
39.1.1.7:80 (sent to the NLB cluster MAC address provided by 10.1.1.1).
 Note: It is still important to change the default gateway setting on
SecureNAT client computers to the virtual IP address (10.1.1.3), to ensure that
traffic is handled correctly when the computer with IP address 10.1.1.1 is
temporarily unavailable.
b. On the Start menu, click Control Panel, click Network Connections,
right-click Local Area Connection, and then click Properties.
c. In the Local Area Connection Properties dialog box, select
Internet Protocol (TCP/IP) (do NOT clear the check box), and then click
Properties.
d. In the Internet Protocol (TCP/IP) Properties dialog box, complete the
following information:
  Default gateway: 10.1.1.3
and then click OK.
e. Click Close to close the Local Area Connection Properties dialog box.
f. In the Command Prompt window, type ipconfig, and then press Enter.
 The default gateway is changed to the virtual IP address (10.1.1.3).
g. Close the Command Prompt window.
10. Connect to http://istanbul.fabrikam.com/reload.asp.
Use default gateway: 10.1.1.3.
a. In Internet Explorer, in the Address box, type http://istanbul.fabrikam.com/reload.asp, and then press Enter.
 The reload.asp page automatically refreshes the Web page every 2 seconds. The Web server reports that each Web request was sent through Firenze (39.1.1.2).
b. Do not close Internet Explorer.
 Perform the following steps on the Florence computer.

11. On the Florence computer, use the ISA Server console to stop the Microsoft Firewall service on Firenze.
a. On the Florence computer, in the ISA Server console, in the left pane, select Monitoring.
b. In the right pane, on the Services tab, select the Microsoft Firewall service for Firenze.
 Note: Ensure that you select the Microsoft Firewall on Firenze, not
on Florence.
c. In the task pane, on the Tasks tab, click Stop Selected Service.
 ISA Server stops the Firewall service on Firenze.
 Perform the following steps on the Denver computer.

12. On the Denver computer, wait until reload.asp is refreshed through Florence.
a. On the Denver computer, in Internet Explorer, wait until reload.asp is refreshed through Florence (39.1.1.1), instead of Firenze (39.1.1.2).
 When the Firewall service stops, the following happens:
  ISA Server on Firenze notifies NLB that it should no longer be joined to the
NLB cluster.
  NLB on Firenze stops sending its normal one-per-second heartbeat
broadcast messages.
  After 5 missed heartbeat messages, NLB on Florence detects that NLB on
Firenze stopped functioning.
  NLB on Florence converges to an NLB cluster with one host. It will now
respond to all network packets, and handle the Web request from Denver.
 Note: The fact that NLB is notified when the Firewall service is not
running, is functionality that is only available when NLB integration is enabled.
 Perform the following steps on the Florence computer.

13. On the Florence computer, use the ISA Server console to start the Microsoft Firewall service on Firenze.
a. On the Florence computer, in the ISA Server console, on the Services tab, select the Microsoft Firewall service for Firenze.
b. In the task pane, on the Tasks tab, click Start Selected Service.
 ISA Server starts the Firewall service on Firenze.
c. Wait until the CSS status is Synced, and the NLB status is Running.
 Perform the following steps on the Denver computer.

14. On the Denver computer, examine the continuing refresh of reload.asp.
Close and reopen Internet Explorer, and connect to http://istanbul.fabrikam.com/reload.asp.
a. On the Denver computer, in Internet Explorer, notice that reload.asp continues to be refreshed through Florence (39.1.1.1).
 NLB actually uses two steps to decide which host handles a network packet:
1)  Each NLB host maintains a list of current TCP connections handled by the host. Existing TCP connections are not disconnected when the cluster converges to include more NLB hosts. This also applies to PPTP (GRE) and IPSec connections. However, UDP, ICMP and other IP connections may move to other NLB hosts after a cluster converges.
2)  For new connections, NLB uses the hash value of the source IP address (when using single affinity), to determine the NLB host.
b. Close Internet Explorer.
c. Open Internet Explorer again, and in the Address box, type
http://istanbul.fabrikam.com/reload.asp.
 The new Web request to reload.asp is handled through Firenze
(39.1.1.2).
d. Close Internet Explorer.
 Note: In the following tasks, you will explore how ISA Server controls the way NLB calculates its hash value,
so that network requests to published servers and the related network reply are always going through the same
ISA Server in an array. This is called bi-directional affinity (BDA).
 Perform the following steps on the Istanbul computer.

15. On the Istanbul computer, connect to http://shop.contoso.com/web.asp.
a. On the Istanbul computer, open Internet Explorer. In the Address box, type http://shop.contoso.com/web.asp, and then press Enter.
 The Web server reports that the Web request was sent through Florence.
 When ISA Server sends the Web request to the published server (Denver), it replaces the client address in the network packet with its own dedicated IP address (10.1.1.1) on the Internal network. When Denver replies, it sends the reply back to the client IP address (10.1.1.1), which is automatically the correct ISA Server.
b. Do not close Internet Explorer.
 Perform the following steps on the Florence computer.

16. On the Florence computer, change the Web Home Page NLB rule.
Requests appear to come from: original client
a. On the Florence computer, in the ISA Server console, in the Firewall Policy Rules list, right-click Web Home Page NLB, and then click Properties.
b. In the Web Home Page NLB Properties dialog box, on the To tab, select Requests appear to come from the original client, and then click OK.
 For Web publishing rules, the default is that requests appear to come from the ISA Server computer. For Server publishing rules, the default is that requests appear to come from the original client. You can change this setting for any Web publishing rule or Server publishing rule.
c. Click Apply to apply the new rule, and then click OK. Wait until the CSS status is Synced, and the NLB status is Running.
 Perform the following steps on the Istanbul computer.

17. On the Istanbul computer, refresh the connection to http://shop.contoso.com/web.asp.
a. On the Istanbul computer, in Internet Explorer, on the toolbar, click the Refresh button.
 The Web server reports that the Web request was sent through Florence. ISA Server did not replace the client address, so the network packet that arrived at Denver contains the original client address (39.1.1.7).
 How does Denver know which ISA Server the reply should go to?
Note: Denver does not inspect the Reverse-Via HTTP header in the Web request, plus the same question applies to non-HTTP protocols, using Server publishing rules, as well.
 The answer is: Denver (the published server) does not know which ISA Server to reply to. Instead the server just sends a reply to the received client address (39.1.1.7), which is sent to Denver's default gateway (10.1.1.3), and NLB selects the correct ISA Server.
 NLB on the Internal network works together with NLB on the External network in a so-called bi-directional affinity (BDA) team. Bi-directional affinity means that the hash value to determine the NLB host to use matches in both directions. On the Web request from Istanbul, NLB on the External network uses the hash value of the source IP address (39.1.1.7). On the reply, NLB on the Internal network uses the hash value of the destination IP address (which is the same 39.1.1.7).
b. Close Internet Explorer.
 Perform the following steps on the Florence computer.

18. On the Florence computer, use the nlb  params command and the C:\Tools\fwengmon  /N command to examine the NLB bi-directional configuration.
a. On the Florence computer, in a Command Prompt window, type nlb  params  39.1.1.3, and then press Enter.
 The NLB utility displays the configuration parameters of the NLB cluster on the External network.
 Notice that BDATeaming (6th parameter from the bottom) is enabled.
b. At the command prompt, type nlb  params  10.1.1.3, and then press Enter.
 The NLB cluster on the Internal network also has BDA teaming enabled.
 However, the setting to automatically use the hash value of the destination IP address, instead of the source IP address (ReverseHash, 3rd parameter from the bottom), is NOT enabled.
 When NLB integration is enabled, ISA Server specifically tells NLB for which connections reverse hashing needs to be used.
c. Type cd  \tools, and then press Enter.
d. Type fwengmon  /?, and then press Enter.
 The Firewall Kernel Mode Tool (fwengmon.exe) is a tool you can use to analyze and troubleshoot firewall connectivity by monitoring the ISA Server kernel-mode firewall engine.
 You can download the tool from www.microsoft.com/isaserver/downloads.
e. Type fwengmon  /N, and then press Enter.
 The output lists all the NLB hook rules that the ISA Server firewall engine has defined. Each NLB hook rule specifies whether to use the hash value of the source IP address (forward), or the destination IP address (reverse), for particular network connections.
 To make it easier to read this list, you can save the output to a text file.
f. Type fwengmon  /N  >  nlbrules.txt, and then press Enter.
g. Type notepad  nlbrules.txt, and then press Enter.
 Notepad opens the text file with the list of NLB hook rules.
h. In Notepad, on the Format menu, ensure that Word Wrap is disabled.
i. Maximize the nlbrules.txt - Notepad window, if that is not done already.
 The firewall engine has defined a NLB hook rule for every possible
combination of IP subnets (except 127.0.0.0/8), related to the current ISA
Server networks configuration and publishing rules.
 For each publishing rule that is configured so that requests appear
to come from the original client, the firewall engine defines reverse NLB hook
rules for the published server IP address to all networks. This is called dynamic
BDA.
 The reverse NLB hook rule used for the
http://shop.contoso.com/web.asp reply from Denver is:
10.1.1.5-10.1.1.5  ->  24.0.0.0-126.255.255.255
j. Close Notepad.
 Perform the following steps on the Denver computer.

19. On the Denver computer, connect to http://istanbul.fabrikam.com/web.asp.
Use default gateway 10.1.1.3 (Do not use a proxy server)
a. On the Denver computer, open Internet Explorer.
b. On the Tools menu, click Internet Options.
c. In the Internet Options dialog box, on the Connections tab, click LAN Settings.
d. Ensure that Internet Explorer is not configured to use a proxy server.
 Web requests will use the default gateway 10.1.1.3 (SecureNAT client).
e. Click OK to close the Local Area Network (LAN) Settings dialog box.
f. Click OK to close the Internet Options dialog box.
g. In the Address box, type http://istanbul.fabrikam.com/web.asp, and then press Enter.
 The Web page reports that the Web request was sent through Florence (39.1.1.1).
 Before the publishing rule to Denver was created, NLB used the hash value of the source IP address (10.1.1.5) for connections from Denver, which resulted in the use of NLB host Firenze. However, now that the firewall engine has defined a reverse NLB hook rule for network traffic from 10.1.1.5 to the External network, based on the new Web publishing rule, NLB uses the hash value of the destination IP address (39.1.1.7 for this connection) for all network traffic from Denver to the External network, including network traffic that is not related to the Web publishing rule.
20. Connect again to http://istanbul.fabrikam.com/web.asp.
Use a proxy server: 10.1.1.3:8080
a. On the Tools menu, click Internet Options.
b. In the Internet Options dialog box, on the Connections tab, click LAN Settings.
c. In the Local Area Network (LAN) Settings dialog box, complete the following information:
  Use a proxy server for your LAN: enable
  Address: 10.1.1.3
  Port: 8080
  Bypass proxy server for local addresses: enable
and then click OK.
 Web requests will use the proxy server at 10.1.1.3:8080 (Web Proxy client).
d. Click OK to close the Internet Options dialog box.
e. On the toolbar, click the Refresh button.
 The Web page reports that the Web request was sent through Firenze (39.1.1.2).
 The firewall engine did not define a reverse NLB hook rule that
includes network traffic from 10.1.1.5 to the Internal network. For the
connection from 10.1.1.5 to 10.1.1.3, NLB uses the hash value of the
source IP address (10.1.1.5), which results in the use of NLB host Firenze.
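The hook-rule behaviour observed in tasks 17 to 20, as an added model (not the lab's code and not fwengmon): the rule table decides whether NLB hashes the source or the destination address, which is what makes a request and its reply land on the same array member. The hash function, the catch-all forward rule and first-match precedence are assumptions of this example; Windows NLB's real hash is not reproduced.

```javascript
// Added example (not part of the lab or of fwengmon): a model of how ISA
// Server's NLB hook rules pick the address that NLB hashes. The hash itself
// is a constructed stand-in for Windows NLB's real hash; the point is which
// address feeds it, not the resulting host.

const NLB_HOSTS = ["Florence", "Firenze"];

// Hook rules in the "src-range -> dst-range" shape seen in nlbrules.txt.
// The first entry is the reverse rule the exercise quotes for replies from
// the published server (10.1.1.5) to the External network; the catch-all
// forward rule and first-match precedence are assumptions of this model.
const NLB_HOOK_RULES = [
  { src: "10.1.1.5-10.1.1.5", dst: "24.0.0.0-126.255.255.255", hash: "reverse" },
  { src: "0.0.0.0-255.255.255.255", dst: "0.0.0.0-255.255.255.255", hash: "forward" },
];

function ipToInt(ip) {
  return ip.split(".").reduce((n, octet) => ((n << 8) | Number(octet)) >>> 0, 0);
}

function inRange(ip, range) {
  const [lo, hi] = range.split("-").map(ipToInt);
  const v = ipToInt(ip);
  return v >= lo && v <= hi;
}

// Stand-in for NLB's single-affinity hash: one address in, host index out.
function hashAddress(ip) {
  let h = 2166136261; // FNV-1a style, constructed for this model
  for (const ch of ip) {
    h = Math.imul(h ^ ch.charCodeAt(0), 16777619) >>> 0;
  }
  return h % NLB_HOSTS.length;
}

// Decide which array member handles a packet: the first matching hook rule
// says whether the source (forward) or destination (reverse) address is hashed.
function selectNlbHost(srcIp, dstIp) {
  const rule = NLB_HOOK_RULES.find((r) => inRange(srcIp, r.src) && inRange(dstIp, r.dst));
  const key = rule.hash === "reverse" ? dstIp : srcIp;
  return { host: NLB_HOSTS[hashAddress(key)], hashedAddress: key, mode: rule.hash };
}
```

With these rules, Istanbul's request (39.1.1.7 to 10.1.1.5) and Denver's reply (10.1.1.5 to 39.1.1.7) both hash 39.1.1.7, while Denver's own connection to 10.1.1.3 still hashes the source address, as task 20 shows.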
 Note: In the following tasks, you will disable NLB on the ISA Server array. This consists of four steps that
need to be done in the correct order.
  Step 1 - Delete rules and rule elements that use any virtual IP address.
  Step 2 - Disable NLB on all networks.
  Step 3 - Apply the changes.
  Step 4 - Disable NLB integration, and apply the changes.
 Perform the following steps on the Florence computer.

21. On the Florence computer, examine the warning message when attempting to disable NLB integration.
a. On the Florence computer, in the ISA Server console, in the left pane, select Networks, and in the right pane, select the Networks tab.
b. In the task pane, on the Tasks tab, click Disable Network Load Balancing Integration.
 A warning message box appears. It explains that Windows NLB will remain configured on the array computers (in a non-integrated mode) when you disable NLB Integration in the ISA Server console.
 To disable NLB completely, you have to perform several steps.
c. Click CANCEL to indicate that you do NOT yet want to disable NLB integration.
22. Delete the firewall policy rules and rule elements that use the virtual IP addresses.
Firewall policy rule: Web Home Page NLB
Web listener: External Web 80 NLB
(Step 1)
a. In the left pane, select Firewall Policy (ITALY).
 The first step to disable NLB on an ISA Server array is to reconfigure or to delete any rules and rule elements that use the virtual IP addresses.
b. In the right pane, in the Firewall Policy Rules list, right-click Web Home Page NLB, and then click Delete.
c. Click Yes to confirm that you want to delete the Web Home Page NLB rule.
 You must delete the Web publishing rule before you can delete the Web listener that uses the virtual IP address.
d. In the task pane, on the Toolbox tab, in the Network Objects section, under Web Listeners, right-click External Web 80 NLB, and then click Delete.
e. Click Yes to confirm that you want to delete the External Web 80 NLB Web listener.
23. Disable NLB on all networks.
Networks: Internal, External
(Step 2)
a. In the left pane, select Networks, and in the right pane, select the Networks tab.
 The second step to disable NLB on an ISA Server array is to disable NLB on any network.
b. In the task pane, on the Tasks tab, click Configure Load Balanced Networks.
c. In the Network Load Balancing Wizard dialog box, click Next.
d. On the Select Load Balanced Networks page, clear the check boxes of all networks, and then click Next.
e. On the Completing the Load Balanced Networks Wizard page, click Finish.
 If NLB is still configured on a network when you disable NLB integration, NLB remains configured on the array in non-integrated mode.
24. Apply the changes.
(Step 3)
a. Click Apply to save the changes, and then click OK. Wait until the CSS status is Synced, and the NLB status is Not configured.
 The third step to disable NLB on an ISA Server array is to apply the current changes, so that NLB is disabled on the network adapters before you disable NLB integration in ISA Server.
 The Not configured NLB status means that NLB integration is enabled, but that no network is configured to use NLB.
25. Use nlb  query, and ipconfig  /all to examine the network configuration.
a. In a Command Prompt window, type nlb  query, and then press Enter.
 The NLB utility reports that NLB (WLBS) is not installed on the computer.
b. At the command prompt, type ipconfig  /all, and then press Enter.
 The virtual IP addresses (10.1.1.3 and 39.1.1.3) are no longer assigned to the network adapters, and the original MAC addresses are used again.
c. Close the Command Prompt window.
26. Disable NLB integration. Apply the changes and restart the Firewall service.
(Step 4)
a. In the ISA Server console, in the left pane, select Networks, and in the right pane, select the Networks tab.
 The last step to disable NLB on an ISA Server array is to disable NLB integration, and to apply the change.
b. In the task pane, on the Tasks tab, click Disable Network Load Balancing Integration.
c. Click OK to confirm that you want to disable NLB integration.
d. In the left pane, select Monitoring, and in the right pane, select the Services tab.
 When NLB integration is disabled, the Network Load Balancing service is no longer listed on the Services tab.
e. Click Apply to save the changes.
f. In the ISA Server Warning dialog box, CHANGE the current selection, and select Save the changes and restart the services, and then click OK.
g. Click OK to close the Saving Configuration Changes dialog box.
h. Wait until the CSS status is Synced.
 Note: The following task is needed to avoid conflicts with other lab exercises.

 Perform the following steps on the Denver computer.

27. On the Denver computer, configure Internet Explorer to use proxy server 10.1.1.1:8080, and change the default gateway to 10.1.1.1.
a. On the Denver computer, in Internet Explorer, on the Tools menu, click Internet Options.
b. In the Internet Options dialog box, on the Connections tab, click LAN Settings.
c. In the Local Area Network (LAN) Settings dialog box, complete the following information:
  Use a proxy server for your LAN: enable
  Address: 10.1.1.1
  Port: 8080
  Bypass proxy server for local addresses: enable
and then click OK.
d. Click OK to close the Internet Options dialog box.
 Internet Explorer now uses proxy server 10.1.1.1:8080.
e. Close Internet Explorer.
f. On the Start menu, click Control Panel, click Network Connections, right-click Local Area Connection, and then click Properties.
g. In the Local Area Connection Properties dialog box, select Internet Protocol (TCP/IP) (do NOT clear the check box), and then click Properties.
h. In the Internet Protocol (TCP/IP) Properties dialog box, complete the following information:
  Default gateway: 10.1.1.1
and then click OK.
i. Click Close to close the Local Area Connection Properties dialog box.
 The default gateway is changed to IP address 10.1.1.1.
Exercise 3
Using CARP to Distribute Cache Content
In this exercise, you will configure ISA Server to use Cache Array Routing Protocol (CARP).
When you enable CARP, the cache drives on all servers are treated as a single logical cache
drive.

You will also explore the CARP algorithm in the automatic configuration script that is used
by Internet Explorer.

 Note: This lab exercise uses the following computers: Denver - Florence - Firenze - Istanbul
Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.
 Perform the following steps on the Florence computer.

1. On the Florence computer, verify that ISA Server listens for Web Proxy client requests on the Internal network.
a. On the Florence computer, in the ISA Server console, in the left pane, select Networks.
b. In the right pane, on the Networks tab, right-click Internal, and then click Properties.
c. In the Internal Properties dialog box, on the Web Proxy tab, ensure that Enable Web Proxy client connections on this network is enabled, and that HTTP port is 8080.
 Cache Array Routing Protocol (CARP) does not require the Internal network to listen for Web Proxy client requests; however, in the next tasks Web Proxy client requests are used to connect to ISA Server.
d. Select the CARP tab. (Do NOT enable CARP).
 Notice that CARP is not enabled yet. This is the default setting in ISA Server.
e. Click OK to close the Internal Properties dialog box.
2. Create a new access rule.
Name: Allow Web access (CARP)
Applies to: HTTP
From network: Internal
To network: External
a. In the left pane, select Firewall Policy (ITALY).
b. In the right pane, select the first rule in the Firewall Policy Rules list, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.
c. In the task pane, on the Tasks tab, click Create Access Rule.
d. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow Web access (CARP), and then click Next.
e. On the Rule Action page, select Allow, and then click Next.
f. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.
g. In the Add Protocols dialog box,
  click Common Protocols, click HTTP, and click Add,
and then click Close to close the Add Protocols dialog box.
h. On the Protocols page, click Next.
i. On the Access Rule Sources page, click Add.
j. In the Add Network Entities dialog box,
  click Networks, click Internal, click Add,
and then click Close to close the Add Network Entities dialog box.
k. On the Access Rule Sources page, click Next.
l. On the Access Rule Destinations page, click Add.
m. In the Add Network Entities dialog box,
  click Networks, click External, click Add,
and then click Close to close the Add Network Entities dialog box.
n. On the Access Rule Destinations page, click Next.
o. On the User Sets page, click Next.
p. On the Completing the New Access Rule Wizard page, click Finish.
 A new firewall policy rule is created that allows the HTTP protocol from the Internal network to the External network.
q. Click Apply to apply the new rule, and then click OK. Wait until the CSS status is Synced.
 Perform the following steps on the Denver computer.

3. On the Denver computer, connect to http://istanbul.fabrikam.com/web.asp
Use proxy server address: 10.1.1.1:8080 and 10.1.1.2:8080
a. On the Denver computer, open Internet Explorer. In the Address box, type http://istanbul.fabrikam.com/web.asp, and then press Enter.
 The Web Server Info Demo Page on Istanbul appears. The Web server reports that the Web request was sent through Florence (39.1.1.1).
 Note: Internet Explorer is currently configured to use proxy server 10.1.1.1:8080.
b. On the Tools menu, click Internet Options.
c. In the Internet Options dialog box, on the Connections tab, click LAN Settings.
d. In the Local Area Network (LAN) Settings dialog box, complete the following information:
  Use a proxy server for your LAN: enable
  Address: 10.1.1.2
  Port: 8080
  Bypass proxy server for local addresses: enable
and then click OK.
e. Click OK to close the Internet Options dialog box.
 Internet Explorer now uses proxy server 10.1.1.2:8080.
f. On the toolbar, click the Refresh button.
 The Web page reports that the Web request was sent through Firenze (39.1.1.2).
 Note: In the following tasks, you will enable CARP on the ISA Server array. This consists of four steps.
  Step 1 - Enable caching and configure cache settings and rules.
  Step 2 - Enable CARP on the Internal network.
  Step 3 - Configure a CARP load factor for each array member.
  Step 4 - Enable Web Proxy client requests on the intra-array communication network.
 Perform the following steps on the Florence computer.

4. On the Florence computer, enable caching and configure cache settings and cache rules.
(Step 1)
a. On the Florence computer, in the ISA Server console, in the left pane, select Cache.
 In the right pane, on the Cache Drives tab, notice that the cache size for both Florence and Firenze is 0 MB. This means that caching is disabled. That is the default setting in ISA Server.
b. In the right pane, on the Cache Drives tab, select Florence.
c. In the task pane, on the Tasks tab, click Define Cache Drives (Enable Caching).
 In the Florence Properties dialog box, you can set the maximum disk cache size for each physical disk on the Florence computer.
 Caching is enabled on Florence if the total cache size is not 0 MB.
d. Click Cancel to close the Florence Properties dialog box.
 Note: To avoid possible conflicts with other lab exercises, caching is not enabled in this exercise. In a real environment, CARP only has any function if caching is enabled.
e. Select the Cache Rules tab.
f. In the task pane, on the Tasks tab, click Configure Cache Settings.
g. In the Cache Settings dialog box, select the Advanced tab.
 The Cache Settings dialog box allows you to specify general cache settings (independent of the requested URL).
h. Click Cancel to close the Cache Settings dialog box.
i. In the right pane, right-click Default rule, and then click Properties.
 Cache rules allow you to define cache settings that are specific to requested URLs, or network destinations.
 The Default rule applies to all network destinations, and is used when possible custom cache rules do not apply to the requested URL.
j. Click Cancel to close the Default rule Properties dialog box.
5. Create a new domain name set for CARP exceptions:
Name: CARP Exception Web Sites
Computer: download.contoso.com
a. In the left pane, select Firewall Policy (ITALY).
b. In the task pane, on the Toolbox tab, in the Network Objects section, right-click Domain Name Sets, and then click New Domain Name Set.
c. In the New Domain Name Set Policy Element dialog box, in the Name text box, type CARP Exception Web Sites, and then click Add.
d. In the New Domain text box, replace the text by typing download.contoso.com, and then press Enter.
e. Click OK to close the New Domain Name Set Policy Element dialog box.
 A new domain name set named CARP Exception Web Sites is created.
6. Enable CARP on the Internal network. Add the new domain name set as CARP exceptions.
(Step 2)
a. In the left pane, select Networks.
b. In the right pane, on the Networks tab, right-click Internal, and then click Properties.
c. In the Internal Properties dialog box, on the CARP tab, select Enable CARP on this network.
 When CARP is enabled on the Internal network, Web requests coming from client computers on the Internal network will be balanced across the servers in the array.
 Note: ISA Server 2006 (and ISA Server 2004 SP2) use a different CARP distribution algorithm than earlier ISA Server versions.
 In ISA Server 2006, CARP distributes Web requests to URLs on the same host name (such as www.microsoft.com) to the same array member. This means that the source IP address never changes during a session to that Web site.
In ISA Server 2004 and earlier, CARP distributed Web requests from a client computer to URLs on the same host name equally across the array members.
d. In the CARP Exceptions box, click Add.
e. In the Add Domain Name Sets dialog box,
  click CARP Exception Web Sites, and click Add,
and then click Close to close the Add Domain Name Sets dialog box.
 In ISA Server 2006, for Web requests to URLs in the CARP Exception Web Sites (such as download.microsoft.com), CARP selects the array member based on the client computer IP address. This means that requests from different client computers to the same URL are distributed across the array members.
In ISA Server 2004 and earlier, CARP distributed Web requests on the CARP Exceptions list from all client computers to URLs on the same host name to the same array member.
f. Select the NLB tab.
 NLB is currently not enabled. However, you can enable both CARP and NLB on the same network.
g. Click OK to close the Internal Properties dialog box.
 Note: You cannot enable CARP for Web requests coming from client computers on the External network. ISA Server does cache content from published Web servers, but does not use CARP to distribute that cache content.
7. Configure a CARP load factor for each array member.
(Step 3)
a. In the left pane, select Servers.
b. In the right pane, right-click Florence, and then click Properties.
c. In the Florence Properties dialog box, select the CARP tab.
 The CARP load factor determines the relative number of Web requests processed by this server compared to the other array servers. By default all array servers use the same load factor of 100.
 The load factors are relative numbers. This means that the sum of the load factors always represents 100%. For example, if the load factors of Florence and Firenze are changed to 80 and 240, then Florence processes 25% (80 of 320) of the Web requests, and Firenze processes 75% (240 of 320) of the Web requests.
 Note: Do not change the load factors in this exercise. This ensures that the behavior of CARP matches exactly the description and the steps in this exercise.
8. Configure the network used for intra-array communication (Perimeter) to listen for Web Proxy client requests.
(Step 4)
a. In the Florence Properties dialog box, select the Communication tab.
 Florence (and Firenze) use the IP address on the Perimeter network (23.1.1.x) for communication between array members.
b. Click Cancel to close the Florence Properties dialog box.
 When using CARP, array members forward Web requests to each other on the network that is configured for intra-array communication. This requires that this network listens for Web Proxy client requests. Each ISA Server computer is a Web Proxy client of the other ISA Server computer.
c. In the left pane, select Networks.
d. In the right pane, on the Networks tab, right-click Perimeter, and then click Properties.
e. In the Perimeter Properties dialog box, on the Web Proxy tab, complete the following information:
  Enable Web Proxy clients: enable
  Enable HTTP: enable (is default)
  HTTP port: 8080 (is default)
  Enable SSL: disable (is default)
and then click OK.
9. Apply the changes.
a. Click Apply to apply the changes, and then click OK. Wait until the CSS status is Synced.
 Perform the following steps on the Denver computer.

10. On the Denver computer, refresh the Web page http://istanbul.fabrikam.com/web.asp
Use proxy server address: 10.1.1.2:8080
a. On the Denver computer, in Internet Explorer, on the toolbar, click the Refresh button.
 The Web page reports that the Web request was sent through Florence (39.1.1.1). However, Internet Explorer is currently configured to use proxy server 10.1.1.2:8080, which is on Firenze.
 The following steps happen:
1)  Denver sends the Web request to Firenze (10.1.1.2).
2)  The CARP algorithm on Firenze determines that the URL "http://istanbul.fabrikam.com/web.asp" must always be handled and cached by Florence.
3)  Firenze forwards the Web request to Florence (23.1.1.1).
4)  Florence (39.1.1.1) sends the Web request to Istanbul (39.1.1.7).
 The reply goes back along the exact same route:
5)  Istanbul sends the reply back to Florence.
6)  Florence caches the reply (if caching was enabled).
7)  Florence forwards the reply to Firenze.
8)  Firenze does NOT cache the reply, and sends the reply to Denver.
 Note: To avoid forwarding of Web requests between array servers, Internet Explorer on the client computer can be instructed to use the CARP algorithm, and send the Web requests to the correct array server. ISA Server provides Internet Explorer with a CARP calculation script, so that the client computer and the array servers use the exact same calculation to determine which array server handles and caches a particular URL.
 Perform the following steps on the Florence computer.

11. On the Florence computer, examine the URL of the CARP calculation script.
a. On the Florence computer, in the ISA Server console, in the left pane, select Networks.
b. In the right pane, on the Networks tab, right-click Internal, and then click Properties.
c. In the Internal Properties dialog box, select the Firewall Client tab.
 When you install the Firewall Client software on client computers, the installation process can update the configuration of the Web browser as well. This dialog box displays the URL of the CARP calculation script.
 Note: In this lab environment, the name ITALY does not resolve to an IP address, so to obtain the CARP calculation script you have to use the URL http://10.1.1.1:8080/array.dll?Get.Routing.Script
d. Select the Web Browser tab.
 The Web Browser tab specifies additional settings in the configuration script. Internet Explorer will not contact ISA Server for Web servers on the Internal network, and if ISA Server is unavailable, Internet Explorer will attempt to connect directly to the Internet.
e. Click Cancel to close the Internal Properties dialog box.
 Perform the following steps on the Denver computer.

12. On the Denver computer, configure Internet Explorer to use an automatic configuration script.
Address: http://10.1.1.1:8080/array.dll?Get.Routing.Script
a. On the Denver computer, in Internet Explorer, on the Tools menu, click Internet Options.
b. In the Internet Options dialog box, on the Connections tab, click LAN Settings.
c. In the Local Area Network (LAN) Settings dialog box, in the Automatic configuration box, complete the following information:
  Use automatic configuration script: enable
  Address: http://10.1.1.1:8080/array.dll?Get.Routing.Script
and then click OK.
 You do not need to disable the proxy server configuration (10.1.1.2:8080) in this dialog box. Only if the configuration script is not found will Internet Explorer use the proxy server configuration.
 Note: ISA Server generates the script on demand. The script and array.dll do not exist as files on the ISA Server computer. This is just a URL with a special meaning to ISA Server.
 Also note that the configuration script URL is case-sensitive!
d. Click OK to close the Internet Options dialog box.
13. Refresh the Web page http://istanbul.fabrikam.com/web.asp and connect to http://ankara.fabrikam.com/web.asp
Use configuration script.
a. On the toolbar, click the Refresh button.
 Denver sends the Web request for URL "http://istanbul.fabrikam.com/web.asp" to Florence. The CARP algorithm on Florence concludes the same, and forwards the Web request to Istanbul.
b. In the Address box, type http://ankara.fabrikam.com/web.asp, and then press Enter.
 Note: ankara.fabrikam.com is a different host name, but resolves to the same IP address as istanbul.fabrikam.com (39.1.1.7).
 Denver sends the Web request for URL "http://ankara.fabrikam.com/web.asp" to Firenze. The CARP algorithm on Firenze concludes the same, and forwards the Web request to Istanbul (39.1.1.7).
 Because the CARP calculation for each URL on the client computer is exactly the same as on the array servers, Florence and Firenze do not have to forward Web requests to each other.
c. Close Internet Explorer.
14. Use Internet Explorer to save a copy of the configuration script to C:\Tools\array.Script.txt
a. Open Internet Explorer. In the Address box, type http://10.1.1.1:8080/array.dll?Get.Routing.Script, and then press Enter.
 You can obtain a copy of the configuration script by typing the script URL in the Address box.
 The configuration script URL is case-sensitive.
b. In the File Download dialog box, click Save.
c. In the Save As dialog box, browse to the C:\Tools folder, and then in the File name text box, type array.Script.txt, and click Save.
 The configuration script is saved as C:\Tools\array.Script.txt.
 Note: The .txt extension is added, so that you can easily open the script file in Notepad.
15. Examine the contents of C:\Tools\array.Script.txt in Notepad.
a. Use Windows Explorer (or My Computer) to open the C:\Tools folder.
b. In the Tools folder, right-click array.Script.txt, and then click Open.
 Notepad opens the array.Script.txt file.
 The configuration script is a JScript file. For each URL, Internet
Explorer calls the FindProxyForURL function in the script, which returns the
address and port of the proxy server that Internet Explorer should use to
connect to for that particular URL.
 In the MakeProxies function, on line 29 and 30 in the script, the IP
addresses (10.1.1.1, 10.1.1.2) and the relative load factors (1.000000 for both)
of the available proxy servers are specified.
 On line 9 in the script, the CARP exception Web site,
download.contoso.com, is listed. The other exceptions are from the Microsoft
Update Domain Name Set.
 On line 3 in the script, the UseDirectForLocal variable indicates
that Internet Explorer must bypass the proxy server for local addresses (URLs
without dots).
c. Scroll to the end of the script.
 The last part of the script contains the actual CARP algorithm.
 In summary, for a given URL, the script calculates a score
(multiplied by the load factor) for each proxy server. The highest scoring proxy
server for this URL is selected.
For URLs on a CARP exception Web site, the script includes a hash value of
the client IP address to calculate a score for each proxy server.
d. Close Notepad.
e. Close the Tools folder.
 Note: In the script, ISA Server always provides the dedicated IP
addresses, and never the NLB virtual IP address, of the proxy servers in the
array. This allows you to enable both CARP and NLB on the same network.
16. Use C:\Tools\carpdemo.js to calculate the selected proxy server for: istanbul.fabrikam.com/web.asp, istanbul.fabrikam.com/<yourname>, ankara.fabrikam.com, izmir
a. Open a Command Prompt window.
b. At the command prompt, type cd \tools, and then press Enter.
c. Type dir, and then press Enter.
 The Tools folder contains another script file, carpdemo.js, for use with this lab.
 Carpdemo uses the saved array.Script.txt file to calculate the selected proxy server for a provided URL.
d. Type carpdemo istanbul.fabrikam.com/web.asp, and then press Enter.
 The result of the CARP algorithm for this URL shows that it is handled and cached on proxy server 10.1.1.1. If the proxy server is not available, Internet Explorer will connect to the next proxy server in the list (10.1.1.2), and finally attempt to use its default gateway to connect to the Web server (DIRECT).
e. Click OK. Type carpdemo istanbul.fabrikam.com/yourname (replace yourname by your own name), and then press Enter.
 All URLs on istanbul.fabrikam.com are handled and cached on proxy server 10.1.1.1: ISA Server 2006 hashes the host name, not the full URL. During a session to the same Web site, the source IP address of the array member used therefore remains the same.
f. Click OK. Type carpdemo ankara.fabrikam.com, and then press Enter.
 All URLs on ankara.fabrikam.com are handled and cached on proxy server 10.1.1.2.
g. Click OK. Type carpdemo izmir, and then press Enter.
 Izmir does not have a dot in the URL. The Web server is considered to be on the internal network (local). Internet Explorer does not connect to a proxy server.
h. Click OK to close the CARP Routing Script demo message box.
i. Close the Command Prompt window.
 Note: The following tasks are needed to avoid conflicts with other lab exercises.

17. Configure Internet Explorer to use a proxy server: Address: 10.1.1.1:8080
a. In Internet Explorer, on the Tools menu, click Internet Options.
b. In the Internet Options dialog box, on the Connections tab, click LAN Settings.
c. In the Local Area Network (LAN) Settings dialog box, complete the following information:
  Use automatic configuration script: disable
  Use a proxy server for your LAN: enable
  Address: 10.1.1.1
  Port: 8080
  Bypass proxy server for local addresses: enable
and then click OK.
d. Click OK to close the Internet Options dialog box.
 Internet Explorer now uses proxy server 10.1.1.1:8080.
e. Close Internet Explorer.
 Perform the following steps on the Florence computer.

18. On the Florence computer, disable CARP on the Internal network.
a. On the Florence computer, in the ISA Server console, in the left pane, select Networks.
b. In the right pane, on the Networks tab, right-click Internal, and then click Properties.
c. In the Internal Properties dialog box, on the CARP tab, CLEAR the Enable CARP on this network check box.
d. Click OK to close the Internal Properties dialog box.
 CARP is disabled on the Internal network.
e. Click Apply to save the changes, and then click OK. Wait until the CSS status is Synced.

Exercise 4
Using CARP and Scheduled Content Download Jobs
In this exercise, you will configure ISA Server to use CARP and a content download job to
update cache content.

Tasks Detailed steps


 Note: This lab exercise uses the following computers: Denver - Florence - Firenze - Istanbul
Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.
 Note: In the following tasks, you will configure a cache content download job on the ISA Server array. This
allows you to update the ISA Server cache with HTTP content that may be requested by Web Proxy clients
later.
 Perform the following steps on the Florence computer.

1. On the Florence computer, examine the Microsoft ISA Server Job Scheduler service.
a. On the Florence computer, on the Start menu, click Administrative Tools, and then click Services.
b. In the Services console, select the Microsoft ISA Server Job Scheduler service (two services below Microsoft Firewall in the list).
 Automatic cache content download jobs are run by the Microsoft ISA Server Job Scheduler service on each array server.
 To understand the configuration of content download jobs, it is helpful to understand that conceptually there is no difference between the following two methods to place objects in the ISA Server cache:
  A Web Proxy client user on the Internal network, sending multiple requests to Web sites on the Internet.
  The ISA Server Job Scheduler service (running as Local System), on the Local Host network, sending multiple requests to Web sites on the Internet, based on URL information in a cache content download job.
 For configuration on ISA Server, the main difference is that a user connects from the Internal network, while the content download jobs are run from the Local Host network.
c. Close the Services console.
2. Configure the Local Host network to listen for Web Proxy client requests.
a. In the ISA Server console, in the left pane, select Networks.
b. In the right pane, on the Networks tab, right-click Local Host, and then click Properties.
c. In the Local Host Properties dialog box, on the Web Proxy tab, complete the following information:
  Enable Web Proxy clients: enable
  Enable HTTP: enable (is default)
  HTTP port: 8080 (is default)
  Enable SSL: disable (is default)
and then click OK.
 The ISA Server Job Scheduler service connects as a Web Proxy client from the Local Host network.
 Note: Do not enable CARP on the Local Host network yet.
3. Enable system policy rule 29 to allow HTTP from the Local Host network for content download jobs.
a. In the left pane, select Firewall Policy (ITALY).
b. In the task pane, on the Tasks tab, click Show System Policy Rules.
c. In the right pane, right-click system policy rule 29, and then click Properties.
 System policy rule 29 is disabled by default. The rule allows HTTP from the Local Host network to All Networks for content download jobs.
d. Select the Users tab.
 Note: The system policy rule applies to requests from the built-in System account and the built-in Network Service account. It does not allow unauthenticated access. This means that after this rule is enabled, ISA Server blocks unauthenticated HTTP traffic from the Local Host network (the ISA Server computer itself): ISA Server asks for credentials as soon as the traffic matches a rule that applies only to specific users, instead of skipping to a later rule that allows anonymous access.
 If you do not want to block unauthenticated HTTP traffic from the ISA Server computer, you must not enable system policy rule 29, but instead create an access rule that allows HTTP access for the content download jobs, and place this new access rule last in the Firewall Policy Rules list.
e. Click Cancel to close the system policy rule 29 dialog box.
f. Right-click system policy rule 29, and then click Edit System Policy.
g. In the System Policy Editor dialog box, in the Configuration Groups list, ensure that Scheduled Download Jobs is selected, and then select the Enable check box.
h. Click OK to close the System Policy Editor dialog box.
 System policy rule 29 is now enabled.
i. In the task pane, on the Tasks tab, click Hide System Policy Rules.
4. Apply the changes.
a. Click Apply to save the changes, and then click OK. Wait until the CSS status is Synced.
5. Create a new content download job. Name: Fabrikam News Site. Download frequency: Daily at 7:00 AM. URL: http://istanbul.fabrikam.com/news.htm
a. In the left pane, select Cache, and then in the right pane, select the Content Download Jobs tab.
b. In the task pane, on the Tasks tab, click Schedule a Content Download Job.
c. In the New Content Download Job Wizard dialog box, in the Content Download Job name text box, type Fabrikam News Site, and then click Next.
d. On the Download Frequency page, select Daily, and then click Next.
 Note: The Download Frequency page mentions the use of CARP with content download jobs. You will enable CARP for this purpose, later in the exercise.
e. On the Daily Frequency page, complete the following information:
  Job start date: today's date (is default)
  Job start time: 7:00 AM
  Run the job one time every day: enable (is default)
and then click Next.
f. On the Content Download page, in the Download content from this URL text box, type http://istanbul.fabrikam.com/news.htm and then click Next.
 The job scheduler will download news.htm, and recursively download Web pages linked in news.htm.
g. On the Content Caching page, click Next.
 Note: The content download job allows you to cache content even if the HTTP headers indicate that the content should not be cached. However, the default is to cache content only if the HTTP headers allow caching.
h. On the Completing the Scheduled Content Download Job Wizard page, click Finish.
 A new content download job named Fabrikam News Site is created.
6. Examine the configuration status of the array servers.
a. In the left pane, select Monitoring, and then in the right pane, select the Configuration tab.
b. In the task pane, on the Tasks tab, click Refresh Now.
 The configuration status of Florence and Firenze is Not synced.
 When you create a content download job, the configuration is updated on the array servers immediately. You do not have to click Apply to save the changes.
c. Wait until the configuration status is Synced.
7. Edit the log viewer filter: Log Record Type: Web Proxy Filter. Start the log viewer.
a. Select the Logging tab.
 Note: You may (temporarily) need to close the task pane, to see the Logging tab.
b. In the task pane, on the Tasks tab, click Edit Filter.
c. In the Edit Filter dialog box, in the conditions list, select the existing Log Record Type condition.
d. In the Value list box, select Web Proxy Filter, and then click Update.
e. Click Start Query to close the Edit Filter dialog box.
 The log viewer will display current network activity based on the Web Proxy log file.
8. Start the Fabrikam News Site content download job now.
a. In the left pane, select Cache, and in the right pane select the Content Download Jobs tab.
b. In the right pane, select the Fabrikam News Site job.
c. Scroll the contents of the right pane to the right, so that you can see the
Status column.
 The current job status is Idle.
d. In the task pane, on the Tasks tab, click Start Selected Jobs Now.
 The job scheduler will run the Fabrikam News Site content
download job on both array servers now, instead of waiting until the scheduled
time (7:00 AM).
e. After a few seconds, on the Tasks tab, click Refresh Now.
 The Fabrikam News Site is a very short job. After the refresh, the
job status in the Status column changes back from Running to Idle, and the
Stop Running Jobs task link changes back to Start Selected Jobs Now.
9. Stop the log viewer, and examine the Web Proxy log entries.
a. In the left pane, select Monitoring, and in the right pane select the Logging tab.
b. After a few seconds, in the task pane, on the Tasks tab, click Stop Query.
 The log viewer displays log entries from the Web Proxy log file. You may need to scroll to the right to see the URL and Server Name columns.
 Both Florence and Firenze first attempt an anonymous Web Proxy connection (port 8080) to the Local Host network (127.0.0.1). That anonymous attempt does not succeed, because system policy rule 29 requires authentication; the job scheduler then connects again with its own credentials (it runs as Local System). After that both array servers download news.htm and economy.htm from 39.1.1.7.
The istanbul.fabrikam.com/news.htm Web page links to the ankara.fabrikam.com/economy.htm Web page. Both host names resolve to 39.1.1.7.
 Note: All files in the content download job (news.htm and economy.htm) are downloaded and cached by both array servers. This is because CARP is not enabled for content download jobs yet.
10. Enable CARP on the Local Host network.
a. In the left pane, select Networks.
b. In the right pane, on the Networks tab, right-click Local Host, and then click Properties.
c. In the Local Host Properties dialog box, on the CARP tab, select Enable CARP on this network.
 When CARP is enabled on the Local Host network, content download jobs run only on a single array server. The downloaded Web pages are distributed over the array servers, according to the CARP algorithm.
 Note: Currently CARP is disabled on the Internal network. When you use a content download job to distribute cache content according to the CARP algorithm, you have to ensure that Web Proxy clients on the Internal network access the content using CARP as well. Otherwise a client request can be served by an array member that does not hold the page in its cache, and the download job has gained nothing.
d. Click OK to close the Local Host Properties dialog box.
e. Click Apply to save the changes, and then click OK. Wait until the CSS status is Synced.
 Perform the following steps on the Denver computer.

11. On the Denver computer, use C:\Tools\carpdemo.js to calculate the selected proxy server for istanbul.fabrikam.com/news.htm and ankara.fabrikam.com/economy.htm.
a. On the Denver computer, in a Command Prompt window, in the C:\Tools folder, type carpdemo istanbul.fabrikam.com/news.htm, and then press Enter.
 The content download job URL is handled on array server 10.1.1.1 (Florence). This means that the job scheduler on Florence will run the Fabrikam News Site job.
b. Click OK. Type carpdemo ankara.fabrikam.com/economy.htm, and then press Enter.
 The economy.htm Web page is downloaded and cached on array server 10.1.1.2 (Firenze).
c. Close the Command Prompt window.
 Perform the following steps on the Florence computer.

12. On the Florence computer, start the log viewer.
a. On the Florence computer, in the ISA Server console, in the left pane, select Monitoring, and in the right pane select the Logging tab.
b. In the task pane, on the Tasks tab, click Start Query.
 The log viewer will display current network activity based on the Web Proxy log file.
13. Start the Fabrikam News Site content download job now.
a. In the left pane, select Cache, and in the right pane select the Content Download Jobs tab.
b. In the right pane, select the Fabrikam News Site job.
c. In the task pane, on the Tasks tab, click Start Selected Jobs Now.
 The job scheduler will run the Fabrikam News Site content download job now. Because CARP is enabled on the Local Host network, CARP calculates that only the job scheduler on Florence runs the job.
d. After a few seconds, on the Tasks tab, click Refresh Now.
 The Stop Running Jobs task link changes back to Start Selected Jobs Now.
14. Stop the log viewer, and examine the Web Proxy log entries.
a. In the left pane, select Monitoring, and in the right pane select the Logging tab.
b. After a few seconds, in the task pane, on the Tasks tab, click Stop Query.
 Note: Because the log entries are collected from two array members, and happen within the same second, they may not be in the correct order.
 The log entries show that Florence downloads and caches news.htm from Istanbul (39.1.1.7). After that Florence forwards the request for economy.htm to Firenze (23.1.1.2) over the intra-array (Perimeter) network. Firenze downloads and caches economy.htm from ankara.fabrikam.com (39.1.1.7).
 Notice that all files in the content download job (news.htm and economy.htm) are downloaded and cached only once, according to the CARP distribution.
 Note: The following tasks are needed to avoid conflicts with other lab exercises.

15. Edit the log viewer filter: Log Record Type: Firewall or Web Proxy Filter
a. In the left pane, select Monitoring, and then in the right pane, select the Logging tab.
b. In the task pane, on the Tasks tab, click Edit Filter.
c. In the Edit Filter dialog box, in the conditions list, select the existing Log Record Type condition.
d. In the Value list box, select Firewall or Web Proxy Filter, and then click Update.
e. Click Start Query to close the Edit Filter dialog box.
 The log viewer will display current network activity based on the Firewall log file and the Web Proxy log file.
f. On the Tasks tab, click Stop Query.
16. Delete the Fabrikam News Site content download job.
a. In the left pane, select Cache.
b. In the right pane, on the Content Download Jobs tab, right-click the Fabrikam News Site job, and then click Delete.
c. Click Yes to confirm that you want to delete the Fabrikam News Site job.
 The change is updated on the array servers immediately. You do not have to click Apply to save the changes.
d. Wait until the CSS status is Synced.
 Note: You cannot disable Web Proxy clients on the Local Host network while a content download job exists.
17. Disable Web Proxy clients and CARP on the Local Host network.
a. In the left pane, select Networks.
b. In the right pane, on the Networks tab, right-click Local Host, and then click Properties.
c. In the Local Host Properties dialog box, on the Web Proxy tab, CLEAR the Enable Web Proxy clients check box.
d. On the CARP tab, CLEAR the Enable CARP on this network check box.
e. Click OK to close the Local Host Properties dialog box.
 Web Proxy clients and CARP are disabled on the Local Host network.
18. Disable Web Proxy clients on the network used for intra-array communication (Perimeter).
a. On the Networks tab, right-click Perimeter, and then click Properties.
b. In the Perimeter Properties dialog box, on the Web Proxy tab, CLEAR the Enable Web Proxy clients check box.
c. Click OK to close the Perimeter Properties dialog box.
 Web Proxy client support is disabled on the Perimeter network.
19. Disable system policy rule 29.
a. In the left pane, select Firewall Policy (ITALY).
b. In the task pane, on the Tasks tab, click Show System Policy Rules.
c. In the right pane, right-click system policy rule 29, and then click Edit System Policy.
d. In the System Policy Editor dialog box, in the Configuration Groups list, ensure that Scheduled Download Jobs is selected, and then CLEAR the Enable check box.
e. Click OK to close the System Policy Editor dialog box.
 System policy rule 29 is now disabled.
f. In the task pane, on the Tasks tab, click Hide System Policy Rules.
20. Apply the changes.
a. Click Apply to save the changes, and then click OK. Wait until the CSS status is Synced.

Module I: Using Monitoring, Alerting and Logging
Exercise 1
Monitoring the ISA Server
In this exercise, you will explore the monitoring functions of ISA Server.

Tasks Detailed steps


 Note: This lab exercise uses the following computer: Paris
Refer to the beginning of the manual for instructions on how to start this computer. Log on to the computer.
 Perform the following steps on the Paris computer.

1. On the Paris computer, examine the alert definition for the Service Shutdown event.
a. On the Paris computer, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.
b. In the ISA Server console, in the left pane, expand Paris, and then select Monitoring.
c. In the right pane, select the Dashboard tab.
 The Monitoring node has multiple tabs that allow you to monitor, control, investigate, troubleshoot and plan firewall operations.
 On the first tab (Dashboard), five of the other tabs are represented by a summary box providing a quick summary of the detailed information on those other tabs. Whenever you need to investigate a particular event or reported issue in more detail, you switch from the Dashboard to the other tabs.
d. Select the Alerts tab.
 The Alerts tab lists events at the ISA Server that are significant enough to alert you.
e. In the task pane, on the Tasks tab, click Configure Alert Definitions.
f. In the Alerts Properties dialog box, select the Service Shutdown line (do not clear the check box for Service Shutdown), and then click Edit.
 On the General tab, in the Severity drop-down list box, notice that ISA Server considers a Service Shutdown an Information alert.
g. In the Service Shutdown Properties dialog box, select the Events tab.
 On the Events tab you specify the threshold to trigger an alert when the event occurs. In this example, the event is a shutdown of any ISA Server service.
h. Select the Actions tab.
 On the Actions tab you specify the action, besides listing it on the Alerts tab, that should happen when an alert for this event is triggered. In this example, the only action is to report the alert in the Windows event log (Application log). For an event like this one, consider adding an e-mail notification or a program to run as well, so that a stopped firewall service is noticed without someone watching the console.
i. Click Cancel to close the Service Shutdown Properties dialog box.
j. Click Cancel to close the Alerts Properties dialog box.
 Notice that the current status of the ISA Server services is considered so significant that there is also a special tab (Services) that specifically displays the status of the services.
2. Use the Services console to stop the Microsoft ISA Server Job Scheduler service to simulate an unexpected shutdown of the service.
a. On the Start menu, click Administrative Tools, and then click Services.
b. In the Services console, in the right pane, right-click Microsoft ISA Server Job Scheduler service, and then click Stop.
 The ISA Server Job Scheduler service is stopped. This simulates an unexpected shutdown of one of the ISA Server services.
c. Close the Services console.
3. Examine how an alert shows up on the Alerts tab, and the Dashboard tab.
a. In the ISA Server console, on the Alerts tab, wait for 30 seconds for the new alert (Service Shutdown) to show up, or in the task pane, on the Tasks tab, click Refresh Now.
 A new Information alert (Service Shutdown) appears.
b. Select the Dashboard tab. Wait for 30 seconds, or in the task pane, on the Tasks tab, click Refresh Now.
 In the Alerts summary box, the Service Shutdown Information alert is displayed as well. Notice the column that lists the number of New (not yet acknowledged) alerts.
 The icon in the top left corner of each summary box indicates the highest severity or status of the information in that summary box. You may click the circle with the two up-arrows to roll up the summary box.
4. Investigate the Service Shutdown alert and resolve the issue by starting the ISA Server Job Scheduler service on the Services tab.
a. On the Dashboard tab, click the heading of the Alerts summary box to return to the Alerts tab.
b. On the Alerts tab, select the Service Shutdown alert, and then expand the Service Shutdown alert.
 The Messages area shows a general description of the event. (The service was stopped gracefully.)
c. Select the second Service Shutdown alert line.
 The Messages area shows a more specific description of the event. (The ISA Server Job Scheduler service was stopped gracefully.)
 When multiple similar alerts occur, they are grouped with a common general description.
d. In the task pane, on the Tasks tab, click Acknowledge Selected Alerts.
 The Status of the Service Shutdown alert changes from New to Acknowledged to indicate that you have seen this alert.
 Acknowledged alerts are removed from the Alerts summary box on the Dashboard tab as well.
e. Select the Services tab, and then in the task pane, on the Tasks tab, click Refresh Now.
f. In the right pane, select Microsoft ISA Server Job Scheduler, and then in the task pane, on the Tasks tab, click Start Selected Service.
 The ISA Server Job Scheduler service is started again.
g. On the Alerts tab, select the second acknowledged Service Shutdown alert line.
h. In the task pane, on the Tasks tab, click Reset Selected Alerts.
i. Click Yes to confirm that you want to reset Service Shutdown.
 The Service Shutdown alert is removed from the Alerts tab to indicate that you have resolved this alert. The alert is still recorded in the Windows Application event log.
 Note: The particular event (Service Shutdown) is used as an example in this exercise. You would normally investigate a Service Shutdown alert on the ISA Server computer more extensively than just starting the service again: find out from the Windows event logs why the service stopped before you trust the firewall again.

5. Examine the intrusion detection options.
a. In the ISA Server console, in the left pane, expand Configuration, and then select General.
b. In the right pane, click Enable Intrusion Detection and DNS Attack Detection.
 In the dialog box, you can enable detection of well-known intrusion attempts. Detected attempts trigger an intrusion detection alert.
 Notice that intrusion detection is enabled by default.
c. Click Cancel to close the dialog box.
6. Examine the performance monitoring options.
a. On the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Performance Monitor.
 A pre-configured System Monitor console for ISA Server appears.
 ISA Server 2006 defines five System Monitor objects and approximately 170 performance counters to monitor the performance of the ISA Server.
b. Close the ISA Server Performance Monitor console.
c. If a message box appears, click No to confirm that you do not want to save console settings to msisaprf.msc.

Exercise 2
Checking Connectivity from the ISA Server
In this exercise, you will explore the connectivity checking functions of ISA Server.

Tasks Detailed steps


 Note: This lab exercise uses the following computers: Paris - Istanbul
Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.
 Perform the following steps on the Paris computer.

1. On the Paris computer, create two new connectivity verifiers:
Name: Istanbul (ping); Server: 39.1.1.7; Method: Ping
Name: Istanbul (http); Server: 39.1.1.7; Method: HTTP "GET"
a. On the Paris computer, in the ISA Server console, in the left pane, select Monitoring.
b. In the right pane, select the Connectivity Verifiers tab.
 The Connectivity Verifiers tab allows you to define connectivity verifiers. A connectivity verifier periodically connects from the ISA Server to other computers that you specify, to test current connectivity. This helps with troubleshooting server connectivity problems.
 ISA Server automatically defines the required System policy rules to allow the network traffic to check the connectivity to the other computers. The connectivity verifiers are not intended to check the ISA Server configuration, or the Firewall policy rules, but instead are intended to check the network connectivity from the ISA Server computer to the specified computers.
c. In the task pane, on the Tasks tab, click Create New Connectivity Verifier.
d. In the New Connectivity Verifier Wizard dialog box, in the Connectivity Verifier name text box, type Istanbul (ping), and then click Next.
e. On the Connectivity Verification Details page, complete the following information:
  Monitor connectivity to this server or URL: 39.1.1.7
  Group type used to categorize: Web (Internet)
  Verification method: Send a Ping request
and then click Next.
f. On the Completing the Connectivity Verifier Wizard page, click Finish.
 A new connectivity verifier is added. ISA Server will ping 39.1.1.7 (Istanbul) every 30 seconds and compare the response time with the timeout response threshold of 5000 msec.
g. In the task pane, on the Tasks tab, click Create New Connectivity Verifier.
h. In the New Connectivity Verifier Wizard dialog box, in the Connectivity Verifier name text box, type Istanbul (http), and then click Next.
i. On the Connectivity Verification Details page, complete the following information:
  Monitor connectivity to this server or URL: 39.1.1.7
  Group type used to categorize: Web (Internet)
  Verification method: Send an HTTP "GET" request
and then click Next.
j. On the Completing the Connectivity Verifier Wizard page, click Finish.
k. If the Enable HTTP Connectivity Verification message box appears, click Yes to confirm that a system policy rule is enabled.
 A new connectivity verifier is added. ISA Server will send an HTTP GET request to 39.1.1.7 (Istanbul) every 30 seconds and compare the response time with the timeout response threshold of 5000 msec.
2. Examine the System policy rules used by the connectivity verifiers.
a. In the left pane, select Firewall Policy.
b. In the task pane, on the Tasks tab, click Show System Policy Rules.
 In the right pane, System policy rule 12 allows Ping requests from the ISA Server computer (Local Host) to All Networks. Rule 19 allows HTTP requests from the ISA Server computer to All Networks.
 Note: Instead of allowing HTTP requests to All Networks, you may consider configuring rule 19 to use a custom Computer Set that only includes the computers for which you have defined an HTTP connectivity verifier. Enabling the verifier otherwise leaves the ISA Server computer itself free to send HTTP requests anywhere, which is more outbound access from the firewall host than the verifier needs.
c. In the task pane, on the Tasks tab, click Hide System Policy Rules.
3. Apply changes to save and activate the new connectivity verifiers.
a. In the left pane, select Monitoring.
b. In the right pane, click Apply to save the new connectivity verifiers, and then click OK.
 The two connectivity verifiers are now active.
4. Wait for the successful check of the two connectivity verifiers for Istanbul.
a. On the Connectivity Verifiers tab, wait one minute, and then in the task pane, on the Tasks tab, click Refresh Now.
 Note: Refresh Now updates the information in the ISA Server console; it does not interfere with the connectivity verifiers' periodic checking.
 Two green checkmark icons appear in the Verifier Name column. A green checkmark icon indicates that the response time from Istanbul is less than the timeout response threshold (5000 ms).
 Perform the following steps on the Istanbul computer.

5. On the Istanbul computer, stop the Default Web Site to simulate a failure of the Web server.
a. On the Istanbul computer, on the Start menu, click Administrative Tools, and then click Internet Information Services (IIS) Manager.
b. In the IIS Manager console, expand ISTANBUL (local computer), expand Web Sites, right-click Default Web Site, and then click Stop.
 The Web site is stopped. Istanbul will no longer respond to HTTP requests. This simulates a failure of the Web server.
 Perform the following steps on the Paris computer.

6. On the Paris computer, wait for the failure state of the Istanbul (http) connectivity verifier.
a. On the Paris computer, on the Connectivity Verifiers tab, wait one minute, and then in the task pane, on the Tasks tab, click Refresh Now.
 In the Verifier Name column, a red error icon appears for the Istanbul (http) connectivity verifier. The red error icon indicates that the connectivity verifier did not receive a response from Istanbul to its HTTP request.
 Notice that the Istanbul (ping) connectivity verifier does not report an error. A ping only shows that the host answers ICMP; it says nothing about whether the service on it is up. To detect a failed service, verify at the service level (an HTTP GET, or a TCP connection to the service port).
 Perform the following steps on the Istanbul computer.

7. On the Istanbul computer, start the Default Web Site again.
   a. On the Istanbul computer, in the IIS Manager console, right-click Default Web Site (Stopped), and then click Start.
   → The Web server is started again.
   b. Close the IIS Manager console.
Perform the following steps on the Paris computer.

8. On the Paris computer, wait for the success state of the Istanbul (http) connectivity verifier.
   a. On the Paris computer, on the Connectivity Verifiers tab, wait one minute, and then in the task pane, on the Tasks tab, click Refresh Now.
   → A green checkmark icon appears again for the Istanbul (http) connectivity verifier. ISA Server has successfully received a response to its HTTP request to Istanbul.
9. Delete the two connectivity verifiers for Istanbul.
   a. Right-click the Istanbul (http) connectivity verifier, and then click Delete.
   b. Click Yes to confirm that you want to delete the connectivity verifier.
   c. Right-click the Istanbul (ping) connectivity verifier, and then click Delete.
   d. Click Yes to confirm that you want to delete the connectivity verifier.
   → Both connectivity verifiers are removed.
   e. Click Apply to save the changes, and then click OK.
Note: The connectivity verifiers in this exercise check connectivity to the Istanbul computer on the Internet. Other examples for using connectivity verifiers are checking DNS connectivity (TCP port 53) to DNS servers on the Internet, and checking service connectivity to published servers in the perimeter network.
Exercise 3
Logging Client Computer Access
In this exercise, you will explore the logging functions of ISA Server.

Tasks / Detailed steps

Note: This lab exercise uses the following computers: Denver - Paris - Istanbul
Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.
Perform the following steps on the Paris computer.

1. On the Paris computer, find the location of the ISA Server log files.
   a. On the Paris computer, in the ISA Server console, in the left pane, select Monitoring, and then select the Logging tab.
   Note: You may (temporarily) need to close the task pane in order to see the Logging tab.
   b. In the task pane, on the Tasks tab, click Configure Firewall Logging.
   c. In the Firewall Logging Properties dialog box, on the Log tab, click Options.
   → The Options dialog box shows that ISA Server saves the Firewall service log files in the ISALogs folder in the ISA Server installation folder (C:\Program Files\Microsoft ISA Server).
   d. Click Cancel to close the Options dialog box.
   → The Firewall Logging Properties dialog box shows that the log file names are in the form ISALOG_yyyymmdd_FWS_nnn.mdf.
   e. Click Cancel to close the Firewall Logging Properties dialog box.
   → The Web Proxy log files (ISALOG_yyyymmdd_WEB_nnn.mdf) are also saved in the ISALogs folder.
2. Start a new online log query.
   a. On the Logging tab, click Start Query.
   → Start Query starts a new online log query of the ISA Server log files. When a successful or failed connection is made through ISA Server, the log file records are displayed on the screen.
3. Create a new access rule.
   Name: Allow Web access (logging test)
   Applies to: HTTP
   From network: Internal
   To network: External
   a. In the ISA Server console, in the left pane, select Firewall Policy.
   b. In the right pane, select the first rule, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.
   c. In the task pane, on the Tasks tab, click Create Access Rule.
   d. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow Web access (logging test), and then click Next.
   e. On the Rule Action page, select Allow, and then click Next.
   f. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.
   g. In the Add Protocols dialog box,
      - click Common Protocols, click HTTP, and click Add,
      and then click Close to close the Add Protocols dialog box.
   h. On the Protocols page, click Next.
   i. On the Access Rule Sources page, click Add.
   j. In the Add Network Entities dialog box,
      - click Networks, click Internal, and click Add,
      and then click Close to close the Add Network Entities dialog box.
   k. On the Access Rule Sources page, click Next.
   l. On the Access Rule Destinations page, click Add.
   m. In the Add Network Entities dialog box,
      - click Networks, click External, and click Add,
      and then click Close to close the Add Network Entities dialog box.
   n. On the Access Rule Destinations page, click Next.
   o. On the User Sets page, click Next.
   p. On the Completing the New Access Rule Wizard page, click Finish.
   → A new firewall policy rule is created that allows the HTTP protocol from the Internal network to the External network.
   q. Click Apply to apply the new rule, and then click OK.
Perform the following steps on the Denver computer.

4. On the Denver computer, use Internet Explorer to connect to http://istanbul.fabrikam.com.
   a. On the Denver computer, open Internet Explorer. In the Address box, type http://istanbul.fabrikam.com, and then press Enter.
   → Internet Explorer displays the Istanbul Web site.
Perform the following steps on the Paris computer.

5. On the Paris computer, create a filter definition for online mode logging.
   Filter by: Destination IP
   Condition: Equals
   Value: 39.1.1.7
   a. On the Paris computer, in the ISA Server console, in the left pane, select Monitoring, and then select the Logging tab.
   → ISA Server lists all Firewall service log file and Web Proxy log file records on the screen since the Start Query command. This may include several of the same denied NetBIOS Name Service and NetBIOS Datagram requests. The HTTP request to Istanbul (39.1.1.7) is also in this list. You can filter the on-screen display by creating a filter definition.
   b. In the task pane, on the Tasks tab, click Edit Filter.
   c. In the Edit Filter dialog box, complete the following information:
      - Filter by: Destination IP
      - Condition: Equals
      - Value: 39.1.1.7
      and then click Add To List to add the filter definition.
   d. Click Start Query to close the Edit Filter dialog box.
   → The on-screen display is cleared, and the new filter definition (Destination IP equals 39.1.1.7) is in effect.
Perform the following steps on the Denver computer.

6. On the Denver computer, refresh the content of the Web page at http://istanbul.fabrikam.com twice.
   - First press Ctrl-F5 (Ctrl-Refresh).
   - Then press F5 (Refresh).
   a. On the Denver computer, in Internet Explorer, ensure that the http://istanbul.fabrikam.com Web page is opened.
   b. Hold the Ctrl key, and click the Refresh button on the toolbar, to refresh the content of the Web page regardless of any changes.
   c. Wait a few seconds, and then click the Refresh button on the toolbar (without the Ctrl key) to refresh the content of the Web page only when it has changed.
   → Internet Explorer displays the same Istanbul Web page after each refresh.
7. Attempt to open the non-existing Web page at http://istanbul.fabrikam.com/test.htm.
   a. In Internet Explorer, in the Address box, type http://istanbul.fabrikam.com/test.htm, and then press Enter.
   → Internet Explorer cannot find the test.htm page (HTTP Error 404).
   b. Close Internet Explorer.
Perform the following steps on the Paris computer.

8. On the Paris computer, view the online mode logging records for destination IP 39.1.1.7.
   Add column: HTTP Status Code
   a. On the Paris computer, on the Logging tab, wait a few moments for the log file entries for destination IP 39.1.1.7 to appear on the screen.
   → A total of three or more log file records will appear for Destination IP 39.1.1.7 (Istanbul).
   b. Right-click the Log Time heading, and then click Add/Remove Columns.
   → You can add additional columns to the display by moving columns from the Available columns list to the Displayed columns list.
   c. In the Add/Remove Columns dialog box, in the Available columns list box, select HTTP Status Code, and then click Add ->.
   → HTTP Status Code is moved into the Displayed columns list.
   d. In the Displayed columns list, select HTTP Status Code, and then click Move Up, until HTTP Status Code is just after HTTP Method.
   e. Click OK to close the Add/Remove Columns dialog box.
   → Use the horizontal scroll bar to see all the fields of the following log file records on the screen:
      - Protocol http - HTTP Method GET - HTTP Status Code 200
      - Protocol http - HTTP Method GET - HTTP Status Code 304
      - Protocol http - HTTP Method GET - HTTP Status Code 404
   → Result code 200 means Success (after Ctrl-F5), 304 means Content not changed (after F5), and 404 means File not found (after the attempt to get test.htm).
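The filter of step 5 and the column view of step 8, reproduced offline as an added example that is not part of the lab manual: the script parses constructed, tab-separated log records in a W3C-style layout (the field names and the records themselves are an assumption, not ISA Server's actual output), applies the Destination IP Equals 39.1.1.7 filter, and lists the HTTP Method and HTTP Status Code columns together with the meaning of the 200, 304 and 404 codes.

```python
"""Offline version of the exercise's online log query: filter ISA-style log
records on Destination IP and read the HTTP Status Code column."""
from typing import Dict, List

# Constructed sample records, not real ISA Server output. The layout (a
# '#Fields:' directive, then tab-separated values) is an assumption modelled
# on the W3C-style text log format ISA Server can be configured to write.
SAMPLE_LOG = """\
#Fields:\tdate\ttime\tc-ip\tr-ip\tr-port\tcs-protocol\taction\tcs-method\tcs-uri\tsc-status
2006-08-06\t10:15:01\t10.1.1.5\t10.1.1.255\t137\tNetBIOS Name Service\tDenied\t-\t-\t-
2006-08-06\t10:15:02\t10.1.1.5\t10.1.1.255\t138\tNetBIOS Datagram\tDenied\t-\t-\t-
2006-08-06\t10:15:10\t10.1.1.5\t39.1.1.7\t80\thttp\tAllowed\tGET\thttp://istanbul.fabrikam.com/\t200
2006-08-06\t10:15:14\t10.1.1.5\t39.1.1.7\t80\thttp\tAllowed\tGET\thttp://istanbul.fabrikam.com/\t304
2006-08-06\t10:15:21\t10.1.1.5\t39.1.1.7\t80\thttp\tAllowed\tGET\thttp://istanbul.fabrikam.com/test.htm\t404
"""
# Meaning of the status codes step 8 expects in the HTTP Status Code column.
STATUS_MEANING = {"200": "Success", "304": "Content not changed", "404": "File not found"}

def parse_log(text: str) -> List[Dict[str, str]]:
    """One dict per record, keyed by the names in the '#Fields:' directive."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split("\t")[1:]          # column names for the records below
        elif line.startswith("#") or not line.strip():
            continue                               # other directives and blank lines
        else:
            values = line.split("\t")
            if len(values) != len(fields):
                raise ValueError(f"column count mismatch: {line!r}")
            records.append(dict(zip(fields, values)))
    return records

def filter_equals(records, conditions: Dict[str, str]):
    """The console's 'Filter by / Condition: Equals / Value' expression; the
    Destination IP column of the console corresponds to r-ip here."""
    return [r for r in records if all(r.get(k) == v for k, v in conditions.items())]

def status_view(records):
    """Rows as displayed in step 8: Protocol - HTTP Method - HTTP Status Code,
    plus the meaning of the code; '-' marks firewall records without HTTP."""
    return [(r["cs-protocol"], r["cs-method"], r["sc-status"],
             STATUS_MEANING.get(r["sc-status"], "no HTTP status")) for r in records]

if __name__ == "__main__":
    hits = filter_equals(parse_log(SAMPLE_LOG), {"r-ip": "39.1.1.7"})
    for row in status_view(hits):
        print(" - ".join(row))                     # http - GET - 200 - Success, ...
```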
Note: The following tasks are needed to avoid conflicts with other lab exercises.

9. Remove the online filter definition, and stop the query.
   a. In the task pane, on the Tasks tab, click Edit Filter.
   b. In the Edit Filter dialog box, select the Destination IP - Equals - 39.1.1.7 expression, and then click Remove.
   c. Click Start Query to close the Edit Filter dialog box.
   d. In the task pane, on the Tasks tab, click Stop Query.
   → The online log query of the Firewall Server log files is stopped.
   e. Click Apply to save the changes, and then click OK.