Page 2 - Contents
Contents Chapter 1 How to Use the Guide Chapter 2 Installing Certificate Services Chapter 3 Installing and Configuring the Microsoft Internet Authentication Service Chapter 4 Installing and Configuring Microsoft DHCP and WINS Server Services Chapter 5 Configuring DNS and DHCP Support for Web Proxy a...
Page 3 - Chapter 1
ISA Server 2004 Configuration Guide: How to Use the Guide Chapter 1 For the latest information, please see http://www.microsoft.com/isaserver/ ISA Server 2004 Configuration Guide 1
Page 4 - Introduction; Welcome to the; ! This guide was designed to help you; Help you learn about ISA Server 2004 features
Introduction Welcome to the ISA Server 2004 Configuration Guide! This guide was designed to help you get started using ISA Server 2004 firewalls to protect your network and allow secure remote access to your network. While the Guide isn’t a comprehensive set of...
Page 5 - Learn about ISA Server 2004 features
Learn about ISA Server 2004 features ISA Server 2004 is designed to protect your network from intruders located on the inside of your network and those outside of your network. The ISA Server 2004 firewall does this by controlling what communications can pass th...
Page 6 - Practice configuring the ISA Server 2004 firewall
Practice configuring the ISA Server 2004 firewall The firewall is your first line of defense against Internet attackers. A misconfigured firewall can potentially allow Internet attackers access to your network. For this reason, it’s very important that you underst...
Page 8 - Lab Network Details
[Figure: lab network diagram. Labels: RADIUS, DHCP, DNS, WINS, Domain Controller, Enterprise CA, Exchange 2003 Server; IIS 6.0, Caching-only DNS. Networks: 172.16.0.0/16, 10.0.0.0/24. Address blocks: IP 172.16.0.2/16, DG 172.16.0.1, DNS 172.16.0.2; IP 10.0.0.2/24, DG 10.0.0.1, DNS 10.0.0.2, WINS 10.0.0.2; IP 192.168.1.70/24, DG 192.168.1.60...]
Page 16 - Conclusion; In this; document we discussed the goals of this guide; provided detailed step-by-step instructions on how to
Conclusion In this ISA Server 2004 Configuration Guide document we discussed the goals of this guide and suggested methods you can use to get the most out of this guide. The remainder of this ISA Server 2004 Configuration Guide provided detailed step-by-step instructions on how to install and config...
Page 17 - Chapter 2
ISA Server 2004 Configuration Guide: Installing Certificate Services Chapter 2
Page 18 - series, including to
Introduction Microsoft Certificate Services can be installed on the domain controller on the internal network and issue certificates to hosts within the internal network domain, as well as to hosts that are not members of the Internal network domain. We will us...
Page 19 - Install Internet Information Services 6.0
Install Internet Information Services 6.0 The Certificate Authority’s Web enrollment site uses the Internet Information Services World Wide Publishing Service. Because Exchange 2003 has already been installed on this machine, we will not need to manually install the IIS Web services. The Exchange 20...
Page 21 - the; CA Identifying Information; page, enter a name for the CA in the; Common name
6. On the CA Identifying Information page, enter a name for the CA in the Common name for this CA text box. This should be the DNS host name for the domain controller. Ideally, you will have configured a split DNS infrastructure and this name will be accessible from internal and external locations, ...
Page 23 - document we discussed the uses of a
Conclusion In this ISA Server 2004 Configuration Guide document we discussed the uses of a certificate authority and how to install an Enterprise CA on the domain controller on the internal network. Later in this guide, we will use this Enterprise CA to issue machine certificates to VPN clients and ...
Page 24 - Chapter 3
ISA Server 2004 Configuration Guide: Installing and Configuring the Microsoft Internet Authentication Service Chapter 3
Page 25 - We will discuss the following procedures in this document:
Introduction The Microsoft Internet Authentication Server (IAS) is an industry standard RADIUS server that can be used to authenticate users connecting to the ISA Server 2004 firewall machine. You can use IAS to authenticate Web Proxy clients on the internal ne...
Page 32 - Chapter 4; For the latest information, please see
ISA Server 2004 Configuration Guide: Installing and Configuring the Microsoft DHCP and WINS Server Services Chapter 4
Page 33 - My Network Places; In the; document, we will go over the procedures
Introduction The Windows Internet Name Service (WINS) enables machines to resolve NetBIOS names of hosts on remote networks. Machines configured as WINS clients register their names with the WINS server. WINS clients are also able to send name queries to a WINS...
Page 34 - Installing the WINS Service
Installing the WINS Service The Windows Internet Name Service (WINS) is used to resolve NetBIOS names to IP addresses. On modern Windows networks, the WINS service is not required. However, many organizations want to use the My Network Places applet to locate servers on the network. The My Network P...
Page 35 - Properties
The WINS server is ready to accept NetBIOS name registrations immediately. The ISA Server 2004 firewall, the domain controller, and the internal network clients are all configured to register with the WINS server in their TCP/IP Properties settings.
Page 36 - Configuring the DHCP Service
Configuring the DHCP Service The Dynamic Host Configuration Protocol (DHCP) is used to automatically assign IP addressing information to internal network clients and VPN clients. In the scenarios covered in the ISA Server 2004 Configuration Guide, the DHCP server will be used primarily to assign IP...
Page 40 - document we discussed the uses of the
Conclusion In this ISA Server 2004 Configuration Guide document we discussed the uses of the Microsoft WINS and DHCP servers, installed the server services on the domain controller, and configured a scope on the DHCP server. Later in this guide we will see how the addition of the WINS and DHCP servi...
Page 41 - Chapter 5
ISA Server 2004 Configuration Guide: Configuring DNS and DHCP Support for Web Proxy and Firewall Client Autodiscovery Chapter 5
Page 42 - Configure DHCP WPAD support, and
Introduction The Web Proxy Autodiscovery Protocol (WPAD) can be used to allow Web browsers and the Firewall client application to automatically discover the address of the ISA Server 2004 firewall. The client can then download autoconfiguration information from...
Page 43 - Configure DHCP WPAD Support
Configure DHCP WPAD Support The DHCP scope option number 252 can be used to automatically configure Web Proxy and Firewall clients. The Web Proxy or Firewall client must be configured as a DHCP client, and the logged on user must be a member of the local administrators group or Power users group (fo...
Page 44 - lower case
4. In the Value frame, enter the URL to the ISA Server 2000 firewall in the String text box. The format for this value is: http://ISAServername:AutodiscoveryPort Number/wpad.dat The default autodiscovery port number is TCP 80. You can customize this value in the ISA Management console. We will cover...
Page 46 - Configure DNS WPAD Support; wpad
Configure DNS WPAD Support Another method that can be used to deliver autodiscovery information to Web Proxy and Firewall clients is DNS. You can create a wpad alias entry in DNS and allow browser clients to use this information to automatically configure themselves. ...
Page 47 - Create the Wpad Entry in DNS
Create the Wpad Entry in DNS The first step is to create a wpad alias entry in DNS. This alias (also known as a CNAME record) points to a Host (A) record for the ISA Server 2004 firewall. The Host (A) record resolves the name of the ISA Server 2004 firewall to the Internal IP address of the firewall...
Page 48 - dialog box, double click on the; Forward Lookup Zone; entry in the; Records; Browse
4. In the Browse dialog box, double click on the Forward Lookup Zone entry in the Records frame. 5. In the Browse dialog box, double click on the name of your forward lookup zone in the Records frame.
Page 49 - dialog box, select the name of the ISA Server 2000 firewall in the; in the; New Resource Record
6. In the Browse dialog box, select the name of the ISA Server 2000 firewall in the Records frame. Click OK. 7. Click OK in the New Resource Record dialog box.
Page 50 - The CNAME (alias) entry appears in the right pane of the; DNS; management console.; DNS Management
8. The CNAME (alias) entry appears in the right pane of the DNS management console. 9. Close the DNS Management console.
Page 52 - DNS Suffix and NetBIOS Computer Name; dialog box, enter the domain name; Primary DNS suffix of this computer; is enabled by default. In the current example, the machine is not a
4. In the DNS Suffix and NetBIOS Computer Name dialog box, enter the domain name that contains your wpad entry in the Primary DNS suffix of this computer text box. The operating system will append this domain name to the wpad name before sending the DNS query to the DNS server. By default, the prima...
Page 53 - Configure the Client Browser to Use Autodiscovery
Configure the Client Browser to Use Autodiscovery The next step is to configure the browser to use autodiscovery. To configure the Web browser to use autodiscovery to automatically configure itself to use the ISA Server 2000 firewall’s Web Proxy service: 1. Right click on the Internet Explorer icon ...
Page 55 - Chapter 6
ISA Server 2004 Configuration Guide: Installing and Configuring a DNS Caching-only DNS Server on the Perimeter Network Segment Chapter 6
Page 56 - authoritative; ISA Server 2004 Configuration; name resolution for domains under your administrative control
Introduction DNS servers allow client systems to resolve names to IP addresses. Internet applications need to know the IP address of a destination host before they can connect. A caching-only DNS server is a special type of DNS server in that it is not authoritative f...
Page 57 - Installing the DNS Server Service
Installing the DNS Server Service The first step is to install the DNS server service on the perimeter network host. This machine will act as both a secure caching-only DNS server and a publicly accessible Web and SMTP relay machine. Perform the following steps to install the DNS server service on t...
Page 61 - Apply; and then click; OK; in the DNS server’s
7. Click Apply and then click OK in the DNS server’s Properties dialog box. 8. Close the DNS management console. At this point, the caching-only DNS server is able to resolve Internet host names. Later, we will create Access Rules allowing hosts on the internal network to use the caching-only DNS se...
Page 62 - document we discussed the uses of a caching-
Conclusion In this ISA Server 2004 Configuration Guide document we discussed the uses of a caching- only DNS server and how to install and configure the Microsoft DNS server service. Later in this guide we will configure Access Policies that allow hosts on the internal network to use this DNS server...
Page 63 - Chapter 7
ISA Server 2004 Configuration Guide: Installing ISA Server 2004 on Windows Server 2003 Chapter 7
Page 64 - Internal
Introduction In this ISA Server 2004 Configuration Guide document we will install the ISA Server 2004 software onto the Windows Server 2003 computer we installed and configured in Chapter 1. Installing ISA Server 2004 is straightforward as there are only a few ...
Page 65 - Installing ISA Server 2004
Installing ISA Server 2004 Installing ISA Server 2004 on Windows Server 2003 is relatively straightforward. The major decision you make during setup is what IP addresses should be part of the Internal network. The Internal network address configuration is important because the firewall’s System Poli...
Page 66 - before
7. On the Custom Setup page you can choose which components to install. By default, the Firewall Services and ISA Server Management options are installed. The Message Screener , which is used to help prevent spam and file attachments from entering and leaving the network, is not installed by default...
Page 68 - Setup Message; dialog box informing you that the Internal network was; on the Internal network address ranges dialog box.; Next; on the; Internal Network
11. Click OK in the Setup Message dialog box informing you that the Internal network was defined, based on the Windows routing table. 12. Click OK on the Internal network address ranges dialog box. 13. Click Next on the Internal Network page.
Page 71 - Viewing the System Policy; protected network
Viewing the System Policy By default, ISA Server 2004 does not allow outbound access to the Internet from any protected network and it does not allow Internet hosts access to the firewall or any networks protected by the firewall. However, a default firewall System Policy is installed that allows netwo...
Page 72 - You may want to widen the; Name; column to get a quick view of the rule descriptions.
Order number; Name; Action (Allow or Deny); Protocols; From (source network or host); To (destination network or host); Condition (who or what the rule applies to). You may want to widen the Name column to get a quick view of the rule descriptions. Notice that not all the rules are enabled. Disabled Syst...
Page 73 - System Policy Rules; button in the console’s button bar. This is the depressed (pushed; Order Name
5. Review the System Policy Rules and then hide the rules by clicking the Show/Hide System Policy Rules button in the console’s button bar. This is the depressed (pushed in) button seen in the figure below. The following table includes a complete list of the default, built-in System Policy: Table 1:...
Page 76 - This policy is disabled until the SecureID filter is enabled
Order Name Action Protocols From To Condition to specified Microsoft Error Reporting sites sites 24 4 Allow SecurID protocol from ISA Server to trusted servers Allow SecurID Local Host Internal All Users 25 5 Allow remote monitoring from ISA Server to trusted s...
Page 77 - Backing Up the Post-Installation Configuration
Backing Up the Post-Installation Configuration Perform the following steps to back up the post-installation configuration: 1. Open the Microsoft Internet Security and Acceleration Server 2004 management console and right click on the server name in the left pane of the console. Click the Back Up com...
Page 78 - Exporting; dialog box when you see the; The configuration was
4. Click OK in the Exporting dialog box when you see the The configuration was successfully backed up message. Make sure to copy the backup file to another location on the network after the backup is complete. The backup file should be stored off-line on media that supports NTFS formatting so that ...
Page 79 - document we discussed the procedures; will enable the VPN remote access server.
Conclusion In this ISA Server 2004 Configuration Guide document we discussed the procedures required to install the ISA Server 2004 software on a Windows Server 2003 computer. We also examined the firewall System Policy that is created during installation. Finally, we finished up with step by step p...
Page 80 - Chapter 8
ISA Server 2004 Configuration Guide: Backing Up and Restoring Firewall Configuration Chapter 8
Page 82 - Backing up the Firewall Configuration
Backing up the Firewall Configuration The ISA Server 2004 integrated backup utility makes saving the firewall configuration very easy. There are only a handful of steps required to back up and restore the configuration. Perform the following steps to back up the entire firewall configuration: 5. Open...
Page 87 - Exporting Firewall Policy
Exporting Firewall Policy You may not always want or need to export all aspects of the ISA Server 2004 firewall configuration. For example, you may have problems with your Access Policies and want someone to view them for you. You can export the firewall’s current Access Policies and send the export...
Page 89 - Importing Firewall Policy
Importing Firewall Policy The export file can be imported to the same machine or another machine that has ISA Server 2004 installed. In the following example, we will import the VPN Clients settings that were exported in the previous exercise. Perform the following steps to import the VPN Clients se...
Page 91 - section, we discussed the procedures for
Conclusion In this ISA Server 2004 Configuration Guide section, we discussed the procedures for backing up and restoring the ISA Server 2004 firewall configuration. We also explored the export and import feature that allows you to back up selected elements of the firewall configuration. In the next ...
Page 92 - Chapter 9
ISA Server 2004 Configuration Guide: Simplifying Network Configuration with Network Templates Chapter 9
Page 93 - Edge Firewall; document, we outline the procedures to carry
Introduction The ISA Server 2004 firewall comes with a number of pre-built Network Templates you can use to automatically configure Networks, Network Rules and Access Rules. The Network Templates are designed to get you started quickly by creating a base config...
Page 94 - Scenario 1: The Edge Firewall Configuration; Firewall Policy; Block all
Scenario 1: The Edge Firewall Configuration The Edge Firewall template configures the ISA Server 2004 firewall to have a network interface directly connected to the Internet and a second network interface connected to the Internal network. The network template ...
Page 96 - Welcome to the Network Template Wizard
3. Click Next on the Welcome to the Network Template Wizard page.
Page 97 - Export the ISA Server Configuration; page, you are offered the opportunity to
4. On the Export the ISA Server Configuration page, you are offered the opportunity to export the current configuration. You can return the ISA Server 2004 firewall to the state it was in prior to using the Edge Firewall network template using this file. We have already backed up the system configur...
Page 99 - Select a Firewall Policy; page you can select a firewall policy and a collection of; Allow; policy from the list and click
6. On the Select a Firewall Policy page you can select a firewall policy and a collection of Access Rules. In this example, we want to allow Internal network clients access to all protocols to access all sites on the Internet. After you become more familiar with the ISA Server 2004 firewall, you sho...
Page 102 - Scenario 2: The 3-Leg Perimeter Configuration
Scenario 2: The 3-Leg Perimeter Configuration The 3-leg perimeter configuration creates network relationships and Access Rules to support an Internal network segment and a perimeter (DMZ) network segment. The perimeter network segment can host your publicly-ac...
Page 103 - Microsoft Internet Security and Acceleration Server 2004
Firewall Policy Description The following access rules will be created: 1. Allow HTTP, HTTPS, FTP from Internal Network and VPN Clients Network to the External Network (Internet) 2. Allow DNS from Internal Network, VPN Clients Network and Perimeter Network to ...
Page 104 - page, you can choose to export your
3. Click Next on the Welcome to the Network Template Wizard page. 4. On the Export the ISA Server Configuration page, you can choose to export your current configuration. This is useful if you find that you need to return the firewall to its current settings in the event that the template settings d...
Page 105 - Internal Network IP Addresses; page, you set the addresses that represent the; Address ranges; list. We will not add any addresses to the Internal
5. On the Internal Network IP Addresses page, you set the addresses that represent the Internal network. The addresses included in the current Internal network are automatically included in the Address ranges list. We will not add any addresses to the Internal network. Click Next . ISA Server 2004 C...
Page 106 - Perimeter Network IP Addresses; page. The wizard does not make any assumptions; Address
6. You configure the addresses that comprise the perimeter network segment on the Perimeter Network IP Addresses page. The wizard does not make any assumptions regarding what addresses should be included in the perimeter network, so the Address ranges list is empty. ISA Server 2004 Configuration Gui...
Page 107 - Add Adapter; checkmark in the; DMZ; check box. Note that the names that we previously set for network
7. Click the Add Adapter button. In the Network adapter details dialog box, put a checkmark in the DMZ check box. Note that the names that we previously set for network adapters appear in this list. Renaming network adapters helps you identify the network association of that adapter. Click OK . ISA ...
Page 112 - Network Relationship; tab. The default setting is; Network Address
18. Click the Network Relationship tab. The default setting is Network Address Translation (NAT). This is a slightly higher security configuration because it hides the addresses of the Internal network clients that connect to perimeter network hosts. However, NAT relationships can complicate access...
Page 114 - chapter, we discussed how you can use the; ISA Server; we will discuss the various ISA Server 2004 client types.
Conclusion In this ISA Server 2004 Configuration Guide chapter, we discussed how you can use the Edge Firewall and 3-Leg Perimeter network templates to simplify initial configuration of network addresses, Network Rules and Access Rules. In the next chapter of the ISA Server 2004 Configuration Guide,...
Page 116 - Feature
Introduction An ISA Server 2004 client is a machine that connects to a resource by going through the ISA Server 2004 firewall. In general, the ISA Server 2004 client is located on an Internal or perimeter network segment and connects to the Internet through th...
Page 117 - Configuring the ISA Server 2004 Web Proxy client
• Configuring the ISA Server 2004 Web Proxy client • Configuring the ISA Server 2004 Firewall client
Page 118 - Configuring the SecureNAT Client
Configuring the SecureNAT Client The SecureNAT client configuration is simple. The only requirement is that the machine be configured with a default gateway that routes Internet-bound requests through the ISA Server 2004 firewall machine. There are two primary...
Page 121 - Configuring the Web Proxy Client
Configuring the Web Proxy Client The Web Proxy client configuration requires that the Web browser be set to use the ISA Server 2004 firewall as its Web Proxy server. There are several ways to configure the Web browser as a Web Proxy client. It can be: • manual...
Page 123 - Configuring the Firewall Client
Configuring the Firewall Client The Firewall client software enables you to control Internet access on a per user/group basis for all Winsock (TCP or UDP) connections to the Internet. The Firewall client software automatically sends user credentials in the bac...
Page 126 - Auto Discovery; tab. Place a checkmark in the; Publish automatic; check box. Leave the default port as; and
3. Click on the Auto Discovery tab. Place a checkmark in the Publish automatic discovery information check box. Leave the default port as 80. Click Apply and OK.
Page 128 - Detect Now; button. The name of the ISA Server 2004 firewall computer will; Detecting ISA Server; dialog box when the client finds the ISA Server 2004; Close
3. Click the Detect Now button. The name of the ISA Server 2004 firewall computer will appear in the Detecting ISA Server dialog box when the client finds the ISA Server 2004 firewall. Click Close.
Page 129 - Confirm that there is a checkmark in the; Enable Web browser automatic configuration; checkbox and click the; Configure Now; button. Note that based on the settings we; Web Browser Settings Update
4. Confirm that there is a checkmark in the Enable Web browser automatic configuration checkbox and click the Configure Now button. Note that based on the settings we created on the ISA Server 2004 firewall, the browser has been automatically configured. Click OK in the Web Browser Settings Update d...
Page 130 - Microsoft Firewall Client for ISA Server 2004
5. Click Apply and then click OK in the Microsoft Firewall Client for ISA Server 2004 dialog box. The machine is now configured as a Firewall client and can access the Internet in its role as a Firewall client based on the Access Rules configured on the ISA Server 2004 firewall. ISA Server 2004 Conf...
Page 131 - section we discussed the various ISA Server; , we will outline the
Conclusion In this ISA Server 2004 Configuration Guide section we discussed the various ISA Server 2004 client types and the features provided by each client. After discussing the types of ISA Server 2004 clients, we went over the procedures required to install and configure each client type. In the...
Page 133 - Rule Element
Introduction The ISA Server 2004 firewall controls what communications move between networks connected to one another via the firewall. By default, the ISA Server 2004 firewall computer blocks all traffic. The methods used to allow traffic to move through the ...
Page 134 - Limited Web Access
Rule Element: Value. Order (priority): 1. Action: Allow. Protocols: HTTP and FTP (download). From/Listener: Internal Network. To: www.microsoft.com and ftp.microsoft.com. Condition: Limited Web Access (Group). This rule allows users that belong to the Limited Web...
Page 135 - Create a User Account
Create a User Account The first step is to create a user account to which we can later assign limited Internet access privileges. In practice, the user account can be created in the Active Directory or on the local user database on the firewall computer. In our current example, we will create the us...
Page 136 - on the Create an Exchange mailbox page.; Finish; on the last page of the New User Wizard.
5. Click Next on the Create an Exchange mailbox page. 6. Click Finish on the last page of the New User Wizard.
Page 139 - Limited Access Web Users
Create an Access Rule Limiting Protocols and Sites Users Can Access The first Access Rule will limit users’ access to only the HTTP and HTTPS protocols. In addition, the users will only be able to use these protocols when accessing Microsoft operated Web properties. A custom firewall group, Limited A...
Page 144 - Add Network Entities; dialog box, click on the; Domain Name Sets; folder and then; Microsoft
11. In the Add Network Entities dialog box, click on the Domain Name Sets folder and then double click on the Microsoft entry. Click Close.
Page 148 - Add Protocols; Instant Messaging; folder. Double click on; IRC
5. In the Add Protocols dialog box, click on the Instant Messaging folder. Double click on the IRC protocol. Click Close.
Page 156 - Configure HTTP policy for rule
6. Click Apply and OK in the Configure HTTP policy for rule dialog box.
Page 157 - Repeat the preceding steps for the; to save the changes and update firewall policy.; Apply New Configuration
7. Repeat the preceding steps for the Limited Access Web Users rule. 8. Click Apply to save the changes and update firewall policy. 9. Click OK in the Apply New Configuration dialog box.
Page 158 - Test the Access Rules
Test the Access Rules Now that we have an ISA Server 2004 Access Policy in place, we can test the policy. Perform the following steps to test Access Policy: 1. First, review the Access Policies created on the ISA Server 2004 firewall. In the Microsoft Internet Security and Acceleration Server 2004 ma...
Page 160 - section, we discussed the variety of methods; Configuration Guide; , we examine the procedures required to publish a Web and FTP server
Conclusion In this ISA Server 2004 Configuration Guide section, we discussed the variety of methods you can use to control outbound access to the Internet using ISA Server 2004 Access Rules. In the walkthroughs, you created Access Rules that controlled access to specific Web sites and protocols base...
Page 163 - Configure the Web Site
Configure the Web Site The first step is to configure the Web site on the perimeter network segment. In a production environment, the Web site will already be configured and be ready to publish. In this current example, we need to create a default Web site document and set a few parameters so that w...
Page 164 - Move Up; button to move the
6. Use the Move Up button to move the default.txt entry to the top of the list.
Page 167 - Configure the FTP Site
Configure the FTP Site The next step is to configure the FTP site so that it is ready to be published. You will set the IP address the FTP site listens on and configure messages for the FTP site to return to users connecting to the site. In addition, you will enable users to upload files to the FTP ...
Page 168 - tab, put a checkmark in the; Write
6. Click on the Home Directory tab. On the Home Directory tab, put a checkmark in the Write text box. Note that in a production environment you should be very careful about allowing write access to FTP sites. Internet intruders can take advantage of poorly-secured FTP sites and store illegal materia...
Page 171 - button bar to move the rules to the top of the list.
6. With the two Access Rules still selected, click the blue, up-pointing arrow in the console button bar to move the rules to the top of the list. 7. Click Apply to save the changes and update firewall policy. 8. Click OK in the Apply New Configuration dialog box. ISA Server 2004 Configuration Guide...
Page 172 - Create the Web Publishing Rule; not
Create the Web Publishing Rule You’re now ready to create the Web Publishing Rule. The Web Publishing Rule will configure the ISA Server 2004 firewall to listen for incoming requests for your Web site. Because the ISA Server 2004 firewall is an intelligent, ap...
Page 173 - Public Name Details; Accept requests for; text box, enter the name that external users
6. On the Public Name Details page, select This domain name (type below) in the Accept requests for list. In the Public name text box, enter the name that external users will use to access the site. In this example we will use the name perimeter.msfirewall.org. When users enter http://perimeter.msf...
Page 176 - Port Specification; page, confirm that there is a checkmark in the; Enable HTTP; check box and that the default; HTTP port; number is
12. On the Port Specification page, confirm that there is a checkmark in the Enable HTTP check box and that the default HTTP port number is 80. Click Next.
Page 178 - Add the following line to the HOSTS file:; File; Exit; to indicate that you wish to
3. Add the following line to the HOSTS file:
172.16.0.2 perimeter.msfirewall.org
Press ENTER at the end of the line so that the insertion point sits on the next line. Click File and then click Exit. In the Notepad dialog box, click Yes to indicate that you wish to save the changes. ...
Page 180 - Create the FTP Server Publishing Rule
Create the FTP Server Publishing Rule Server Publishing Rules are simpler than Web Publishing Rules. A Server Publishing Rule forwards incoming requests to the published server and exposes them to application layer filters installed on the ISA Server 2004 firewall. The only information you need to s...
Page 182 - Test the Connection
Test the Connection We are now ready to test the connection. Internet Explorer 6.0 can access both Web and FTP sites within the browser. The only difference in the current example is that you will specify http:// for the Web site and ftp:// for the FTP site. You will also see in the following walkth...
Page 184 - to save the changes and update the firewall policy.
9. Click Apply to save the changes and update the firewall policy. 10. Click OK in the Apply New Configuration dialog box.
Page 185 - document we discussed two primary methods; , we will examine the procedures required to make the
Conclusion In this ISA Server 2004 Configuration Guide document we discussed two primary methods that allow external users access to resources contained on protected networks. We first used a Web Publishing Rule to allow inbound access to resources contained in a perimeter network segment. Next, we ...
Page 188 - Restore the System to its Post-installation State
Restore the System to its Post-installation State In order to fully test the inbound and outbound SMTP relay configuration in this scenario, we will return the machine to its post-installation state so that other Access Rules do not interfere with the scenario...
Page 190 - Install and Configure the SMTP Service
Install and Configure the SMTP Service Install the IIS 6.0 SMTP service before the ISA Server 2004 SMTP Message Screener. The SMTP service works together with the SMTP Message Screener to examine and block offending e-mail messages. Perform the following steps to install the IIS 6.0 SMTP service: 1....
Page 192 - Right click the; Default SMTP Virtual Server; Stop; node and click; Start
14. Right click the Default SMTP Virtual Server node and click Stop. Right click the Default SMTP Virtual Server node and click Start.
Page 193 - Install the SMTP Message Screener
Install the SMTP Message Screener The SMTP Message Screener is an optional ISA Server 2004 component. This feature integrates with the IIS 6.0 SMTP service to examine and block SMTP mail based on parameters you configure in the Message Screener. Perform the following steps to install the SMTP Messag...
Page 195 - Create the SMTP Server Publishing Rules
Create the SMTP Server Publishing Rules The SMTP Message Screener works together with SMTP Server Publishing Rules. Each SMTP Server Publishing Rule can be configured with a custom set of SMTP Message Screener parameters. This allows you to create different e-mail screening policies for the inbound ...
Page 200 - Create the Outbound SMTP Access Rule
Create the Outbound SMTP Access Rule Perform the following steps to create an outbound SMTP Access Rule that enables the ISA Server 2004 firewall to relay SMTP from the Internal Exchange Server to SMTP servers for other domains on the Internet: 1. In the Microsoft Internet Security and Acceleration ...
Page 202 - Configure SMTP Message Screener Logging
Configure SMTP Message Screener Logging The SMTP Message Screener logs all messages moving through the inbound and outbound SMTP relays. This logging feature helps you troubleshoot and access the e-mail messages moving through the server and confirm that the SMTP Message Screener is doing what you expect it...
Page 204 - Test SMTP Filtering
Test SMTP Filtering Now that the SMTP Server Publishing Rule and SMTP Message Screener configurations are in place, we’re ready to test the effectiveness of the Message Screener. Perform the following on the external client machine to test the inbound SMTP rel...
Page 205 - document, we discussed how to make the ISA; series, we will discuss how the
Conclusion In this ISA Server 2004 Configuration Guide document, we discussed how to make the ISA Server 2004 firewall your front-line protection in an e-mail defense-in-depth plan. The ISA Server 2004 SMTP Message Screener can provide initial inspection and protection against dangerous and inapprop...
Page 207 - the firewall for Microsoft Exchange
Introduction One of the main reasons to deploy an ISA Server 2004 firewall is to protect Microsoft Exchange Servers. ISA Server 2004 includes a number of technologies focused on providing enhanced support to protect Microsoft Exchange Services published to the ...
Page 209 - Create the OWA Web Publishing Rule
Create the OWA Web Publishing Rule You can publish the Microsoft Exchange Outlook Web Access site using ISA Server 2004 Web Publishing after the site is configured to support secure SSL connections. These procedures include forcing SSL on the OWA directories and allowing the directories to accept on...
Page 210 - Bridging Mode
6. On the Bridging Mode page, select Secure connection to clients and mail server and click Next.
Page 211 - Specify the Web Mail Server; page, enter the name for the Internal OWA Web; Web mail server; text box. In this example, we will use the name
7. On the Specify the Web Mail Server page, enter the name for the Internal OWA Web site in the Web mail server text box. In this example, we will use the name owa.msfirewall.org. Click Next.
Page 212 - list. Enter the name external users will use to access the OWA Web; Public name; text box. In this example, the external users will use the name
8. On the Public Name Details page, select This domain name (type below) in the Accept requests for list. Enter the name external users will use to access the OWA Web site in the Public name text box. In this example, the external users will use the name owa.msfirewall.org. Click Next. ...
Page 215 - OWA SSL Listener Properties; Select Web Listener
23. Click Apply and then click OK in the OWA SSL Listener Properties dialog box. 24. Click Next on the Select Web Listener page.
Page 217 - Add the following line to the HOSTS file:; to indicate that you wish to save the
6. Add the following line to the HOSTS file:
10.0.0.2 owa.msfirewall.org
Press ENTER at the end of the line so that the insertion point sits on the next line. Click File and Exit. In the Notepad dialog box, click Yes to indicate that you wish to save the changes. ...
Page 219 - Create the SMTP Server Publishing Rule
Create the SMTP Server Publishing Rule You can create an SMTP Server Publishing Rule to provide external users and servers access to the Microsoft Exchange SMTP service. In general, you will prefer to use the ISA Server 2004 firewall as a secure SMTP filtering relay to prevent external users and ser...
Page 221 - Create the POP3 Server Publishing Rule
Create the POP3 Server Publishing Rule Remote access to the Exchange Server POP3 service allows users located away from the office to download their mail from the Exchange Server to virtually any e-mail client application. Users must provide a user name and pa...
Page 222 - IP Addresses; Completing the New Server Publishing Rule Wizard
8. Click Next on the IP Addresses page. 9. Click Finish on the Completing the New Server Publishing Rule Wizard page.
Page 223 - Test the connection
Test the connection We are now ready to test the OWA, SMTP and POP3 connections to the Exchange Server located behind the ISA Server 2004 firewall. The first step is to create a HOSTS file entry on the client so that it correctly resolves the name of the OWA site. In a production environment, you woul...
Page 226 - document, we discussed how to publish a
Conclusion In this ISA Server 2004 Configuration Guide document, we discussed how to publish a Microsoft Exchange Outlook Web Access (OWA) site and how to publish the Exchange POP3 and SMTP services. In the next document in this ISA Server 2004 Configuration Guide series, we will discuss how the fir...
Page 228 - You can use the; management
Introduction The ISA Server 2004 firewall can be configured as a VPN server. The VPN server component enables it to accept incoming VPN client calls so that the VPN client computer can become a member of a protected network. Traditional VPN servers allow VPN c...
Page 229 - Enable the VPN Server
Enable the VPN Server By default, the VPN server component is disabled. The first step is to enable the VPN server feature and configure the VPN server components. Perform the following steps to enable and configure the ISA Server 2004 VPN Server: 1. Open the Microsoft Internet Security and Accelera...
Page 231 - Enable
10. Click the Protocols tab. On the Protocols tab, put a checkmark in the Enable L2TP/IPSec check box.
Page 232 - User Mapping; tab. Put a checkmark in the; Enable User Mapping; Put a checkmark in the; When username does not contain a domain, use this domain; Domain Name
11. Click the User Mapping tab. Put a checkmark in the Enable User Mapping check box. Put a checkmark in the When username does not contain a domain, use this domain check box. Enter msfirewall.org in the Domain Name text box.
Page 236 - Enable Dial-in Access for the Administrator Account
Enable Dial-in Access for the Administrator Account In non-native mode Active Directory domains, all user accounts have dial-in access disabled by default. In this circumstance, you must enable dial-in access on a per account basis. In contrast, Active Directory domains in native mode have dial-in a...
Page 237 - Test the VPN Connection
Test the VPN Connection The ISA Server 2004 VPN server is now ready to accept VPN client connections. Perform the following steps to test the VPN Server: 1. On the Windows 2000 external client machine, right click the My Network Places icon on the desktop and click Properties . 2. Double click the M...
Page 239 - document, we discussed how to enable the
Conclusion In this ISA Server 2004 Configuration Guide document, we discussed how to enable the ISA Server 2004 VPN server component and how to configure the VPN server. We tested the VPN server functionality by creating a VPN client connection to the server and accessing resources on the Internal n...
Page 240 - ISA Server 2004 Configuration Guide:
ISA Server 2004 Configuration Guide: Creating a Site-to-Site VPN with ISA Server 2004 Firewalls Chapter 16 For the latest information, please see http://www.microsoft.com/isaserver/
Page 242 - Create the Remote Site at the Main Office
Create the Remote Site at the Main Office We will begin by configuring the ISA Server 2004 firewall at the main office. First, create the Remote Site Network in the Microsoft Internet Security and Acceleration Server 2004 management console. Perform the following steps to create the Remote Site Netw...
Page 246 - Network Addresses; Completing the New Network Wizard
10. Click Next on the Network Addresses page. 11. Click Finish on the Completing the New Network Wizard page.
Page 247 - Create the Network Rule at the Main Office
Create the Network Rule at the Main Office The ISA Server 2004 firewall must know what method to use to route packets to the branch office network. There are two options: Route and NAT. A route relationship routes packets to the branch office and preserves the...
Page 248 - Completing the New Network Rule Wizard
11. Click Finish on the Completing the New Network Rule Wizard page.
Page 249 - Create the Access Rules at the Main Office
Create the Access Rules at the Main Office In this example, we want the clients on both the main and branch office networks to have full access to all resources on each network. We must create Access Rules to allow traffic from the main office to the branch office and from the branch office to the m...
Page 254 - Create the Remote Site at the Branch Office
Create the Remote Site at the Branch Office Now that the main office is ready, we can configure the branch office ISA Server 2004 firewall. First, create the Remote Site Network at the branch office. Perform the following steps to create the Remote Site Networ...
Page 256 - Create the Network Rule at the Branch Office
Create the Network Rule at the Branch Office Just as we did at the main office, we must create a routing relationship between the branch office and the main office networks. We will configure a route relationship so that we can get the highest level of protocol support. Perform the following steps t...
Page 257 - Create the Access Rules at the Branch Office
Create the Access Rules at the Branch Office We need to create two Access Rules, one that allows traffic from the branch office to the main office, and the second to allow traffic from the main office to the branch office. To create Access Rules that allow tra...
Page 262 - Activate the Site to Site Links
Activate the Site to Site Links Now that both the main and branch office ISA Server 2004 firewalls are configured as VPN routers, you can test the site-to-site connection. Perform the following steps to test the site-to-site link: 1. At the remote client compu...
Page 263 - document we discussed how to use the ISA
Conclusion In this ISA Server 2004 Configuration Guide document we discussed how to use the ISA Server 2004 firewall as a VPN gateway that enables site-to-site VPN links. We configured two ISA Server 2004 firewalls, one at the main office and a second at the branch office. We tested the VPN site-to-...