Module 3:

Enabling Access
to Internet
Resources
Overview

ISA Server 2004 as a Proxy Server

Configuring Multi-Networking on ISA
Server
Configuring Access Rule Elements
Configuring Access Rules for Internet
Access
Lesson: ISA Server 2004 as a
Proxy Server

How ISA Server Enables Secure Access

to Internet Resources
Why Use a Proxy Server?
How Does a Forward Web Proxy Server
Work?
What Is a Reverse Web Proxy Server?
How to Configure ISA Server as a
Proxy Server
DNS Configuration for Internet Access
How to Configure Web Chaining
How to Configure Dial-Up Connections
How ISA Server Enables Secure Access
to
Internet Resources

Is the …
User allowed access?
Computer allowed
access?
Protocol allowed?
Destination allowed?
Content allowed?

ISA
Serv
er
Web
Serv
er

Proxy
Server
Why Use a Proxy Server?

ISA Server Web

Server
Improved Internet access security:
User authentication
Filtering client requests
Content inspection
Logging user access
Hiding the internal network details

Improved Internet access performance

How Does a Forward Web Proxy
Server Work?

Is the …
User allowed
access?
Protocol
3 allowed?
Destination
allowed?
6
1 5

2
4
ISA Web
Server Server
What Is a Reverse Web Proxy
Server?
Is the …
Request
allowed?
Web Protocol
Server allowed?
Destination
3 DNS
allowed?
Server
4

5 2 1

ISA 6
Server
How to Configure ISA Server as a
Proxy Server
DNS Configuration for Internet
Access

If no internal DNS server is available

to resolve Internet addresses,
configure the ISA Server clients to
use an Internet DNS server
Configure ISA Server clients to use an
internal DNS server if the DNS server
can resolve Internet addresses

ISA Server can proxy DNS requests

for Web proxy and Firewall clients but
not for SecureNAT clients

ISA Server includes a DNS cache that

caches the results of all DNS lookups
performed through
ISA Server
 How to Configure Web Chaining

Inter
net

Branch Office Branch Office

Head Office
How to Configure Dial-Up
Connections

Enable dial-
up
for
connection
s
to this
network
Use this
dial-up
connection

Logon
using
this
account
Practice: Configuring ISA Server as a
Web Proxy Server

Configuring the proxy

server settings on ISA
Server
Den-ISA-01

Internet
Den-DC-01
Lesson: Configuring Multi-
Networking on ISA Server

How Does ISA Server 2004 Support

Multiple Networks?
Default Networks Enabled in ISA
Server
About Network Objects
How to Create and Modify Network
Objects
What Are Network Rules?
How Does ISA Server 2004 Support
Multiple Networks?

Support any Number of

Internet
Networks
VPN Networks Represented
VPN
as Networks
Dynamic Network
Membership
Perimeter1
Per Network Rules
Per Network Policies
LAN1

Network Sets
LAN2 Perimeter2
Default Networks Enabled in ISA
Server

Default Network Includes

Local Host The ISA Server
All IP addresses not
Default External associated with another
network
All IP addresses specified
Internal as internal during
installation
All IP addresses for
VPN Clients currently connected VPN
clients
All IP addresses of
Quarantined VPN connected VPN clients that
Clients have not cleared
quarantine
About Network Objects

Network
Includes
Object
All computers connected to a
Network
single network interface
Network Set One or more networks
A single computer identified by
Computer
an IP address included in
All computers
Computer Set specified computer, subnet or
address range identified
All computers objects by
Address Range continuous
IP
Alladdresses
computers on a specified
Subnet
subnet
URL Set All specified URLs
Domain Name
All specified domain names
Set
The IP address on which the ISA
Web Listener
Server listens for connections
 How to Create and Modify
Network Objects
Click Firewall
Policy,
Toolbox, then
Network
Objects

Click Networks,
then Networks or
Network Sets
What Are Network Rules?

Route connection:
• A route relationship is bidirectional
• If a routed relationship is defined
from network A
to network B, a routed relationship
also exists from network B to network
A
NAT connection:
A NAT relationship is directional
Addresses from the source network
are always translated when passing
through ISA Server
Practice: Managing Network
Objects

Configuring a new network

on ISA Server
Configuring a new network
rule
on ISA Server
Configuring a new
computer network
object onDen-ISA-01
ISA Server

Internet
Den-DC-01
Lesson: Configuring Access Rule
Elements

What Are Access Rule Elements?

How to Configure Protocol Elements
How to Configure User Elements
How to Configure Content Type
Elements
How to Configure Schedule Elements
How to Configure Domain Name Sets
and URL Sets
What Are Access Rule Elements?

Access Rule
Used to Configure
Element
The protocols that will be
Protocols allowed or denied by an
access rule
The users that will be allowed
Users
or denied by an access rule
The content type that will be
Content Types allowed or denied by an
access rule
The time of day when Internet
Schedules access will be allowed or
denied by an access rule
The computers or destinations
Network Objects that will be allowed or denied
by an access rule
How to Configure Protocol
Elements
How to Configure User Elements
How to Configure Content Type
Elements

Define the
MIME
types and file
extensions to
include
How to Configure Schedule
Elements

Define the
times when
this schedule
is active or
inactive
How to Configure Domain Name
Sets and URL Sets

Use this to configure

access to an entire
domain
Use this to configure
access to a URL
Practice: Configuring Firewall
Rule Elements

Configuring a new user set

Configuring a new content
type element
Configuring a new schedule
element
Den-ISA-01
Configuring a new URL set

Internet
Den-DC-01
Lesson: Configuring Access Rules for
Internet Access

What Are Access Rules?

How Network Rules and Access Rules
Are Applied
About Authentication and Internet
Access
How to Configure Access Rules
How to Configure HTTP Policy
How to Troubleshoot Access to
Internet Resources
What Are Access Rules?

Access rules
always define: Destination
Network
Allo
Destination IP
w U Destination
Deny ser Site
action on traffic from user from source to destination
with conditions
Protocol
Source Schedule
IP
network Content
Port/Typ
Source IP Type
e
How Network Rules and Access
Rules Are Applied

Network Access
Rules 3 Rules
4
5

2 6
ISA Web
Server Server

Domain
Controller
About Authentication and
Internet Access

Authentication and ISA Server Clients

Authentication Methods
 Basic authentication
 Digest authentication
 Integrated Windows authentication
 Digital certificates authentication
 RADIUS authentication
 RSA SecureID authentication
How to Configure Access Rules
 How to Configure HTTP Policy

Configure
additional
Configure filtering
maximum options
header length
Configure
maximum
payload
length
Configure
maximum URL
and query
length
Practice: Managing Access Rules

Creating a DNS Lookup Rule

Creating a Managers Access
Rule
Testing Internet Access

Den-ISA-01

Internet
Den-Clt-01Den-DC-01
How to Troubleshoot Access to
Internet Resources

To troubleshoot Internet access

issues:
Check for DNS name resolution
Determine the extent of the problem
Review access rule objects and access
rule configuration
Review access rule order
Check access rule authentication

Use ISA Server logging to determine

which access rule is granting or
denying access
Lab: Enabling Access to Internet
Resources

Exercise 1: Configuring
ISA Server Access Rule
Elements
Exercise 2: Configuring
ISA Server Access Rules
Exercise 3: Testing ISA
Server Access Rules
Den-ISA-01

Internet
Den-DC-01
Den-ISA-02