- Allowing clients inside the internal network to access services on the Internet, under control.
Instructions for installing on Windows 2000/2003 server:
- The server that ISA Server 2000 is installed on must be a "clean" server, meaning that no other network services are deployed on it. This helps set up a more secure system. Services that should not be installed together with ISA Server 2000:
Domain controller, Web Server, FTP Server, Certificate Server, NNTP Server, Exchange Server, SharePoint Server
A firewall connects directly to the Internet; deploying additional services on it makes the firewall harder to configure, and those services expose security holes or attract attackers once the system exposes many services.
Prepare Server:
- ISA Server 2000 can be installed on a computer running Windows Server 2000/2003 (these operating systems must first be patched with the latest service packs and hotfixes).
- You need 2 NICs (LAN cards): 1 for the Internal Network, 1 to the Internet. Or you can use 1 NIC plus 1 modem (ADSL, dial-up, ISDN, broadband router, etc.).
- All machines in LAN use TCP / IP protocol.
- This ISA Server 2000 can be a domain member (if the Internal Network has an Internal Domain), or a stand-alone server not belonging to any Internal Domain (in this tutorial I use a stand-alone server).
MODEL TO IMPLEMENT ISA SERVER 2000 INTERNAL NETWORK AND INTERNET
5 steps to install ISA SERVER 2000 at a safe level:
Step 1: Configure Network Cards
Step 2: Install and configure DNS Server on ISA SERVER 2000
Step 3: Install and configure DHCP Server on ISA SERVER 2000
Step 4: Install and configure ISA SERVER 2000 software
Step 5: Configure the Internal Computers role as DHCP Clients
All ISA Server 2000 configuration in this tutorial is done on Windows 2000 Advanced Server. If you configure it on Windows Server 2003, there is no significant difference.
Step 1: Configure Network Cards
Internal Network Card:
- Static IP, with the same network address as the computers in the local network.
In this tutorial I use IP address 192.168.1.200 / 255.255.255.0
- Do not configure a Default Gateway (it is recommended not to configure a Default Gateway on the internal card of ISA Server 2000)
- Use DNS Server: 192.168.1.200 (the DNS server is ISA Server 2000 itself)
External Network Card:
- There are 2 cases for the External Network Card:
+ Fixed static IP (leased lines rented from ISPs)
+ Dynamic IP (dial-up, ADSL, etc.)
- The following connection methods are available for an external modem; users should note:
+ DSL line connecting to ------- DSL Modem ------- ISA server 2000
(Note: There are built-in DSL types like 1 NIC Card-Ethernet Card)
+ Internet Cable ------ Cable Modem -------- Ethernet Card of ISA
+ T1 connection -------- Router --------- Ethernet Card of ISA
+ DSL Broadband -------- Broadband Router ---------- Ethernet Card of ISA
EXTERNAL NETWORK CARD CONNECTION OF ISA SERVER THROUGH BROADBAND ROUTER
- If the External Card uses a dynamic IP (dial-up, ADSL, etc.), the IP address is provided entirely by the ISP and users do not need to change the parameters. However, in this case I set the Preferred DNS server parameter to 192.168.1.200 (the internal DNS server), which differs from the figure:
THE AUTOMATIC TCP / IP PARAMETERS ESTABLISH ON EXTERNAL CARD FROM ISPs
If using a fixed IP address, such as a leased-line subscription, you can configure a static IP according to the following example:
CONFIGURING STATIC IP FOR EXTERNAL CARD ON ISA SERVER 2000
Note: this is the fixed IP address provided by the ISP for your organization; it is completely different from the private IP addresses (10.x.x.x, 172.16.x.x, 192.168.x.x) and, unlike the addresses in the configuration table in the figure, it is not an address we make up ourselves!
All of the parameters are provided permanently by the ISP, including IP address, Subnet Mask, Default Gateway and Preferred DNS server. However, in this tutorial I again used 192.168.1.200 (the IP address of the internal DNS server) as the Preferred DNS server, which differs from the figure, where the standard DNS parameter from the ISP is shown. If a broadband router sits in front of the ISA Server firewall, these parameters should follow the broadband router manufacturer's recommendations.
After configuring the parameters for both the Internal and External Cards, users need to pay attention to the order of these cards. This affects how domain names are resolved through the DNS service. To speed up domain name resolution (and so accessing websites and finding the servers hosting different services on the Internet or Intranet), you should move the Internal Network Card to the top of the Network Interface list.
Choose My Network Places, Properties, Network and Dial-up Connections, Advanced, Advanced Settings, Adapters and Bindings, and ensure the LAN cards are ordered as in the following list:
In this tutorial I assume the External Network Card is an ordinary dial-up modem with a maximum bandwidth to ISA of 56 Kbps (this is really only a dream connection speed; usually it is only approximately 40 Kbps).
ISA Server 2000 calls a connection to an ISP via a dial-up entry a connectoid.
Select My Network Places, select Properties, select Make New Connection, Welcome to the Network Connection Wizard, select Dial-up to the Internet, Network Connection Type, Next, select I want to connect through a local area network (LAN), Next, select I connect through a phone line and a modem, Setting up your connection, Internet account connection information, Area code and Telephone number (in this example I use 1268, the FPT connection number), Internet account logon information, Username: 1280, password: 1280. Name the connection FPT Internet Connection and click Finish.
Additional parameters can be set to support dial-up, such as: Redial if line is dropped, Redial attempts, Time between redial attempts, Idle time before hanging up.
Note: a dial-up modem connection is not stable; it requires solutions to stabilize the connection and prevent dropped lines, especially at peak hours.
Step 2: Install and configure DNS Server on ISA SERVER 2000
The next step installs the DNS server on the ISA Server firewall. A DNS server is required when users need to access Internet servers by name; the DNS server's task is to resolve hostnames to IP addresses. Installing the DNS server in caching-only mode on the ISA Server firewall itself has many advantages, and the Internal computers are then configured to use this DNS server.
Follow these steps to install the DNS server on Windows 2000 Advanced Server:
Click Start, click Settings, click Control Panel. In the Control Panel window, double click Add/Remove Programs and click Add/Remove Windows Components. In the Windows Components Wizard dialog box, select Networking Services (do not check the box!), click Details, and in the Networking Services dialog box check the Domain Name System (DNS) checkbox, then click OK. Continue with Next to complete the installation process.
INSTALLING DNS SERVER SERVICE IN MAIN ISA SERVER FIREWALL.
Configure DNS Service:
The DNS server installed on this ISA Server firewall is responsible for receiving and answering name queries for Internet servers from the client computers on the local network. Since it is set up in caching-only mode, which is also the default mode after installing the Windows 2000 DNS server, it does not hold hostnames of internal servers or Internet servers. A caching-only DNS server only resolves Internet names or answers from its cache; it is usually not used to resolve the names of internal servers.
In fact, if your network already has DNS servers that support internal domains, you can configure the caching-only DNS server to pass requests for internal servers on to those DNS servers. In this configuration guide, the network is assumed to have no DNS server supporting an internal domain.
Click Start, Programs, Administrative Tools. Click DNS on the Administrative Tools menu. Right click the DNS server, View, click Advanced. Right click the server and select Properties; in the dialog box, click the Interfaces tab. Select Only the following IP addresses. Any IP address in the list that is not the IP address of the internal interface must be removed: select these non-internal interface IP addresses and click Remove. Click Apply. Click the Forwarders tab. Check the Enable forwarders checkbox. Enter the IP address of the ISP DNS server you connect through in the IP address text box and click Add. Check the Do not use recursion checkbox. Click Apply and click OK.
If your connection is through a Vietnamese ISP, you can fill in this IP address list with the following DNS IP addresses:
FPT: DNS1 210.245.31.10, DNS2 210.245.31.110
VDC: DNS1 203.162.4.190, DNS2 203.162.4.191
Right click on the DNS server name on the left pane and select All Tasks then click Restart. Restart the DNS server service.
Step 3: Install and configure DHCP Server on ISA SERVER 2000
- The DHCP Server service installed on ISA SERVER 2000 will provide TCP / IP settings for Internal Computers.
Warning: disable all other DHCP servers on the network (if possible); only allow the DHCP Server service installed on this ISA Server 2000 to work, so that exactly the desired parameters are provided.
Installing DHCP service on Windows 2000 Advanced Server:
Click Start, select Settings, click Control Panel. In the Control Panel window, double click Add/Remove Programs. In the Add/Remove Programs window, click Add/Remove Windows Components. In the Windows Components Wizard dialog box, select Networking Services in the Components list (do not check the box!). With Networking Services selected, click Details. In the Networking Services dialog box, check the Dynamic Host Configuration Protocol (DHCP) checkbox and click OK.
Click Next in Windows Components, Click Finish .
Besides providing IP addresses, the main function of a DHCP server is to provide additional parameters (called TCP/IP settings), including Subnet mask, Default Gateway and DNS Server addresses. In this guide, the Default Gateway and DNS Server addresses are the internal IP address (192.168.1.200) of the ISA Server firewall.
The DHCP server manages and distributes IP addresses to internal clients through a DHCP scope. Accurate scope configuration is required.
The IP address range defined in a scope may include IPs already assigned to nodes on the network (e.g. internal servers such as web, mail or database servers using these IPs). To prevent the DHCP server from handing these IPs out again to other clients (causing conflicts), the admin must use the Exclusions function to create exclusion ranges and avoid future conflicts.
Click Start, select Programs, Administrative Tools. Click DHCP to open the DHCP console. Right click on the server name and click New Scope. Click Next on Welcome to the New Scope Wizard. Enter SecureNAT Client Scope in the Scope Name text box. Click Next.
On the IP Address Range page, fill in Start IP address 192.168.1.1 and End IP address 192.168.1.254 in the text boxes. Click Next.
On Add Exclusions, enter Start IP address 192.168.1.200 (because this IP address is reserved for the Internal Card of the ISA Server 2000 firewall) and click Add. If other servers in the distribution range have also been given static IP addresses, follow the steps above to exclude them.
Accept the Lease Duration values and click Next.
On Configuring DHCP Options select Yes, I want to configure these options now and click Next.
On the Router fill in the IP address of the internal interface on the ISA Server 2000 firewall and click Add.Click Next.
On the Domain Name and DNS Servers page, enter the IP address of the internal interface of the ISA Server 2000 firewall in the IP address text box and click Add. If you have built an Active Directory domain on the internal network, put the internal network domain name in the Parent domain text box. Absolutely do not put a domain name in the Parent domain text box unless an Active Directory domain exists on the internal network. Click Next.
Do not set up information at WINS Servers.Click Next.
Select Yes, I want to activate this scope now on Activate Scope and then click Yes.
Click Finish .
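The exclusion rule above is easy to get wrong when more than one server already holds a static address, so here is a small validator, added as an example and not part of the original tutorial, that models the scope exactly as the wizard steps create it (pool 192.168.1.1 to 192.168.1.254, Router and DNS options 192.168.1.200, the ISA internal card excluded) and reports which static hosts DHCP could still lease out. The two extra servers (web at 192.168.1.10, mail at 192.168.1.11) are constructed sample data.

```python
"""Validate a DHCP scope as described in Step 3.

Added example, not part of the original tutorial. The pool, the ISA
internal address 192.168.1.200 and the Router/DNS options come from the
tutorial; the extra static servers (web, mail) are constructed."""
from ipaddress import IPv4Address


class Scope:
    def __init__(self, start, end, router, dns, exclusions=()):
        self.start = IPv4Address(start)
        self.end = IPv4Address(end)
        # Scope options handed to every client (Router = default gateway)
        self.router = IPv4Address(router)
        self.dns = IPv4Address(dns)
        # Exclusion ranges: (start, end) pairs the server never leases from
        self.exclusions = [(IPv4Address(a), IPv4Address(b)) for a, b in exclusions]

    def exclude(self, start, end=None):
        """Add an exclusion range (a single address if end is omitted)."""
        end = end or start
        self.exclusions.append((IPv4Address(start), IPv4Address(end)))

    def is_excluded(self, ip):
        ip = IPv4Address(ip)
        return any(lo <= ip <= hi for lo, hi in self.exclusions)

    def assignable(self):
        """Addresses the server may lease: the range minus all exclusions."""
        pool, ip = [], self.start
        while ip <= self.end:
            if not self.is_excluded(ip):
                pool.append(ip)
            ip += 1
        return pool


def find_conflicts(scope, static_hosts):
    """Names of statically configured hosts whose address lies inside the
    scope and is not excluded, i.e. addresses DHCP could lease to another
    client (the conflicts the tutorial warns about)."""
    return sorted(name for name, ip in static_hosts.items()
                  if scope.start <= IPv4Address(ip) <= scope.end
                  and not scope.is_excluded(ip))


def options_point_at_isa(scope, isa_internal_ip):
    """Router and DNS options must both be the ISA internal interface."""
    isa = IPv4Address(isa_internal_ip)
    return scope.router == isa and scope.dns == isa


# Static hosts on the internal segment: the ISA card from the tutorial
# plus two constructed servers that were given fixed addresses earlier.
STATIC_HOSTS = {
    "isa-internal": "192.168.1.200",
    "web": "192.168.1.10",    # constructed
    "mail": "192.168.1.11",   # constructed
}


def tutorial_scope():
    """The scope exactly as the wizard steps create it: only the ISA
    internal address is excluded."""
    return Scope("192.168.1.1", "192.168.1.254",
                 router="192.168.1.200", dns="192.168.1.200",
                 exclusions=[("192.168.1.200", "192.168.1.200")])


def hardened_scope():
    """The same scope after also excluding every other static server,
    as the tutorial advises."""
    scope = tutorial_scope()
    for _name, ip in STATIC_HOSTS.items():
        if not scope.is_excluded(ip):
            scope.exclude(ip)
    return scope


if __name__ == "__main__":
    before, after = tutorial_scope(), hardened_scope()
    print("conflicts before:", find_conflicts(before, STATIC_HOSTS))
    print("conflicts after:", find_conflicts(after, STATIC_HOSTS))
    print("assignable addresses:", len(after.assignable()))
    print("options point at ISA:", options_point_at_isa(after, "192.168.1.200"))
```

Running it shows the scope created by the wizard alone would still lease 192.168.1.10 and 192.168.1.11 to new clients; after the extra exclusions no static host is at risk and 251 addresses remain in the pool.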
Step 4: Install and configure ISA SERVER 2000 software
- Windows Server 2000/2003 now has its parameters set and the necessary services (DNS & DHCP) installed; it is time to start setting up the ISA Server 2000 firewall.
- If you have not yet applied service packs and hotfixes to Windows 2000/2003, now is the time to finish this before installing ISA Server 2000.
Installation steps:
Double click ISAAutorun.exe in the ISA Server 2000 CD-ROM to perform the autorun setup.Click Install ISA Server icon on the Microsoft ISA Server Setup page. Click Continue on Welcome to the Microsoft ISA Server installation program page. Enter the CD key on the CD Key page and click OK. Click OK on the registration number page . Click I Agree on the License Agreement page. Click Full Installation button on the Installation Type page.
Click Yes on the dialog box informing you that ISA Server schema has not been installed in the Active Directory . Choose Integrated Mode . Click Continue .
Click OK in the dialog box telling you that the IIS W3SVC service must be stopped. On the Cache size page, select an NTFS-formatted partition and enter 150 in the Cache size (MB) text box. Click Set, click OK. Click the Construct Table button on the LAT configuration page. In the Local Address Table dialog box, do not check the Add the following private ranges checkbox. Check the Add address ranges based on the Windows 2000 Routing Table checkbox. Highlight the internal interface network card. Click OK (see figure).
Click OK in the Setup Message dialog box, then click OK on the LAT configuration page. Do not check the Start ISA Server Getting Started Wizard checkbox; click OK. Click OK to complete the installation process.
Next, we need to install Service Packs for ISA server 2000, to fix Security for this Firewall itself:
- Download ISA Service Pack 1:http://www.microsoft.com/isaserver/downloads/sp1.mspx
- Download ISA Service Pack 2:
http://www.microsoft.com/downloads/details.aspx?FamilyID=C8D3D98B-1CD4-406A-A04A-2AA2547D09A3&displaylang=en
- Download ISA Server 2000 Feature Pack 1 (contains hot fixes and enhancements for ISA 2000): http://www.microsoft.com/isaserver/featurepack1/default.mspx
After downloading, scan the files for viruses, extract them and install the service packs and the Feature Pack.
So basically, at this point we have a very strong and secure ISA Server 2000. The remaining problems depend entirely on how the security admin configures ISA Server 2000 to keep the firewall secure at the highest possible level.
Recommendation: IIS services should be disabled on this Firewall for safety and performance reasons. To disable IIS services on the ISA Server 2000 firewall:
Click Start , select Programs, Administrative Tools . Click Services or click Run to run services.msc
Identify the following Services:
FTP Publishing Service
Network News Transport Protocol (NNTP)
Simple Mail Transport Protocol (SMTP)
World Wide Web Publishing Service
Proceed with the following steps on each Service:
a. Right click on the service and click Properties .
b. In Startup type, select Manual.
c. Then Click Stop button.
d. Click Apply and click OK.
Configuring ISA Server 2000:
The goal of this configuration is to allow Internal Clients to access almost all services available on the Internet, while also blocking unauthorized access by attackers.
This function (the DHCP Client packet filter) is required for the External Interface Cards of ISA Server 2000 when they obtain a dynamic IP from the ISP, which is usually the case for cable and DSL connections; note that this filter does not apply to dial-up connections!
So this is the first configuration step for ISA Server 2000 if we have a dynamic IP address connection via DSL or cable.
1. Click Start and select Programs. Select Microsoft ISA Server and click ISA Management.
2. In ISA Management console, open Servers and Arrays node and open server name. Open the Access Policy node and click IP Packet Filters .
3. In the right pane of the ISA Management console, we see the DHCP Client packet filter. This packet filter is disabled by default. Enable it so that the External interface of the ISA Server 2000 firewall can receive an IP address from the ISP. Double click the DHCP Client packet filter. On the General tab, check the Enable checkbox. Click Apply and click OK.
Open a command prompt on ISA Server 2000 and type ipconfig /renew to check that the External card has received an IP address from the ISP.
A Protocol Rule defines which application protocols the internal network computers may use when connecting to Internet servers (e.g. the HTTP protocol allows Internal Clients to connect to web servers, the FTP protocol to FTP servers, etc.). This guide creates an 'All IP Traffic' Protocol Rule, allowing the internal network computers to use all the common Internet application protocols that are defined under Protocol Definitions in the ISA Management console.
Note: this configuration allows the internal network computers to access most, but not all, of the applications currently on the Internet. To access applications that are not yet defined in Protocol Definitions, the corresponding parameters of that application must be added to Protocol Definitions.
1. Open the ISA Management console, open the Servers and Arrays node, then open the server name. Open the Access Policy node and right click on the Protocol Rules node. Select New and click Rule.
2. In the Welcome to the New Protocol Rule Wizard page, type All Open in the Protocol Rule name text box and click Next .
3. Select Allow option on the Rule Action page and click Next .
4. Select All IP traffic on the Protocols page and click Next
5. Accept the default settings, Always , on the Schedule page and click Next.
6. Select Any request option on the Client Type page and click Next.
7. Click Finish on the Completing the New Protocol Rule Wizard page.
Enabling IP Routing on the ISA Server 2000 firewall computer significantly increases performance for internal network computers and also allows these Internal Clients to PING and to connect to Internet VPN servers via PPTP (Point to Point Tunneling Protocol) VPN.
Open the ISA Management console, open the Servers and Arrays node and then open the server name. Open the Access Policy node, right click on the IP Packet Filters node and click Properties.
1. On the General tab of the IP Packet Filters Properties dialog box, check the Enable IP routing checkbox.
2. Click on the Packet Filters tab. Check Enable filtering of IP options .
3. Click PPTP tab. Check PPTP through ISA firewall checkbox.
Configure a Dial-up Entry (Dial-up connections only)
When the ISA Server 2000 firewall computer uses a dial-up connection to the Internet, a Dial-up Entry must be created in the ISA Management console. The dial-up entry depends on the Dial-up Networking connectoid that we configured at the beginning.
Open the ISA Management console, open the Servers and Arrays node, open the server name. Open the Policy Elements node and click on the Dial-up Entries node. Right click the Dial-up Entries node, select New and click Dial-up Entry.
1. In the New Dial-up Entry dialog box, type ISP in the Name text box.
2. Click the Select button. In the Select Network Dial-up Connection dialog box, select dial-up connectoid (FPT connection) from the ISP and click OK .
3. Click Set Account button. In Set Account dialog box, type user name ISP provided for account. Type the password ISP issued in Password text box and confirm the password in Confirm password text box. Click OK .
4. Click OK in New Dial-up Entry dialog box.
5. Right click on Network Configuration node frame on the left of ISA Management console and select Use primary connection option. In the Network Configuration Properties dialog box, check Use dial-up entry checkbox.
6. Click Apply and then click OK in the Network Configuration Properties dialog box.
STEP 5: Configuration for Internal Network Computers
The internal network computers will be set up as ISA Server SecureNAT clients. A SecureNAT client is a machine that only has the default gateway address set in its TCP/IP configuration. This default gateway address can be a router behind the ISA Server 2000 firewall, if the SecureNAT clients are not on the same Network ID as the Internal Interface of the ISA server (this router must be configured to reach the Internal card of the ISA server), or the IP address of the Internal Card on the ISA server.
In the previous section, we configured the DHCP server to provide these parameters.
Attention:
If the network model has only 1 small Network ID, there is little to do when configuring SecureNAT clients, but a large network model with multiple Network IDs and routers behind the ISA Server firewall requires careful routing configuration and correct splitting of Network IDs.
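The two decisions the multi-Network-ID case forces on the admin are which default gateway each SecureNAT client gets, and whether the Local Address Table built in Step 4 (from the internal card's routing-table entry) still covers every internal segment. The following added example, not from the original tutorial, works both out with the standard library: the ISA internal card 192.168.1.200/24 is the tutorial's, while the second internal segment 192.168.2.0/24, its router at 192.168.2.1 and the client addresses are constructed sample data.

```python
"""Local Address Table (LAT) coverage and SecureNAT gateway selection.

Added example, not part of the original tutorial. 192.168.1.200/24 is
the tutorial's ISA internal card; the 192.168.2.0/24 segment, its
router 192.168.2.1 and the client addresses are constructed."""
from ipaddress import IPv4Address, IPv4Interface, IPv4Network


def lat_from_interface(iface):
    """The LAT entry that 'Add address ranges based on the Windows 2000
    Routing Table' derives from the highlighted internal card: the first
    and last address of that card's subnet (returned as strings)."""
    net = IPv4Interface(iface).network
    return (str(net.network_address), str(net.broadcast_address))


def build_lat(isa_internal, extra_internal_nets=()):
    """Full LAT: the internal card's subnet plus every other internal
    Network ID reachable through routers behind the firewall. A segment
    missing from the LAT is treated as external by ISA Server, so its
    hosts are not handled as internal clients."""
    lat = [lat_from_interface(isa_internal)]
    for n in extra_internal_nets:
        net = IPv4Network(n)
        lat.append((str(net.network_address), str(net.broadcast_address)))
    return lat


def is_internal(ip, lat):
    """True if ip falls inside any LAT range."""
    ip = IPv4Address(ip)
    return any(IPv4Address(lo) <= ip <= IPv4Address(hi) for lo, hi in lat)


def securenat_gateway(client_ip, isa_internal, routers):
    """Default gateway (as a string) a SecureNAT client should be given.

    Same Network ID as the ISA internal card: the card's own address.
    Otherwise: the router serving the client's segment; that router must
    itself route on to the ISA internal card. routers maps a network
    string to the router's address on that segment."""
    isa = IPv4Interface(isa_internal)
    ip = IPv4Address(client_ip)
    if ip in isa.network:
        return str(isa.ip)
    for net, gw in routers.items():
        if ip in IPv4Network(net):
            return gw
    raise ValueError(f"no internal route for {client_ip}")


ISA_INTERNAL = "192.168.1.200/24"
# Constructed: a second internal segment behind a router whose
# 192.168.2.1 leg faces the clients on that segment.
ROUTERS = {"192.168.2.0/24": "192.168.2.1"}

if __name__ == "__main__":
    for client in ("192.168.1.50", "192.168.2.50"):
        print(client, "-> gateway", securenat_gateway(client, ISA_INTERNAL, ROUTERS))
    lat_small = build_lat(ISA_INTERNAL)
    lat_full = build_lat(ISA_INTERNAL, ["192.168.2.0/24"])
    print("192.168.2.50 internal with card-only LAT:", is_internal("192.168.2.50", lat_small))
    print("192.168.2.50 internal with full LAT:", is_internal("192.168.2.50", lat_full))
```

The card-only LAT is exactly what the setup wizard constructs when just the internal interface is highlighted; the run shows that a client on 192.168.2.0/24 gets the right gateway but is still classified as external until that segment is added to the LAT, which is the routing-and-Network-ID check the paragraph above asks for.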
Configure the Internal Clients to be DHCP Clients
The DHCP client will require IP address and parameters from the DHCP server.
Proceed at Client Computers
Right click the My Network Places icon on the desktop and click Properties.
1. In the Network Connections window, right click on the network interface and click Properties.
2. In the Properties dialog box, click Internet Protocol (TCP/IP) and click the Properties button.
3. In the Internet Protocol (TCP/IP) Properties dialog box, select the Obtain an IP address automatically option.
4. Select the Use the following DNS server addresses option. Type 192.168.1.200 in the Preferred DNS server text box. Click OK in the Internet Protocol (TCP/IP) Properties dialog box.
5. Click OK. In fact, in steps 4 and 5 you can choose Obtain DNS server address automatically, because the client computers already use the network's DHCP server (of course, only if the client computers are on the same Network ID as the DHCP server; if they are on another Network ID, the DHCP Relay Agent feature can be configured on the routers).
(continued in parts 2, 3, 4, 5)
Ho Viet Ha - Instructor Team Leader
hvha@newhorizons.com.vn
New Horizons VietNam (Computer Learning Centers in VietNam)
Network Information Security (NIS.COM.VN - My Website come soon)