2. Requests from SecureNAT clients (note that ISA Server works directly with three types of ISA client: the SecureNAT client, the Web Proxy client and the ISA Firewall client; I will analyze these client types in the next section) are sent to the NAT protocol driver and then on to the Firewall service, where the rules are applied (through the Rule Engine).
Note: SecureNAT clients do not send authentication information to the ISA server, so rules that require user authentication cannot be applied to them.
3. Requests from the ISA Firewall client are sent to the Firewall service on the ISA server. If the request is an HTTP request (the Firewall client is accessing the Web), then instead of being handled by the Firewall service, it is redirected by the HTTP redirector on the ISA server to the Web Proxy service.
4. All HTTP/HTTPS, FTP and Gopher requests are always sent to the Web Proxy service.
Main services on ISA server:
- ISA Control Service (MSPADMIN.EXE)
The ISA Control Service controls the following functions on ISA Server:
1. IP packet filtering, when packet filtering and its logging are enabled on the ISA server.
2. Raising alerts and taking the configured actions when an alert fires (for example, when ISA Server detects signs of an attack, the alert is triggered and the follow-up action can be to e-mail the administrator or to stop the ISA Server firewall services).
3. Synchronizing each ISA server with the other members of its array.
4. Updating the client configuration files, such as msplat.txt and mspclnt.ini, and deleting unused log files.
5. Restarting the other ISA services when their configuration changes.
(Figure: stopping a service.)
The administrator can also stop a given service from the command line:
C:\> net stop mspadmin
Note: mspadmin is the short name of the service being stopped (the ISA Server Control Service).
Also note that if you stop the ISA Server Control Service, all the other ISA Server services stop with it.
- Scheduled Cache Content Download Service (W3PREFCH.EXE)
1. This service downloads Web content (HTTP content) into the storage on the ISA server (the ISA Server local cache) at previously configured times (scheduled downloads).
2. You can configure which Web sites' content is downloaded and when the pre-caching takes place. This is useful when clients need faster access to a site's content, and if the site is down, clients can still read its content from the cache.
Example: a scheduled content download configured as follows: download the content of the Web site www.nis.com.vn to depth 2 (link depth = 2), meaning that if the NIS home page is depth 1, the pages it links to are depth 2. Download time is 12:00 PM. The next morning your clients are served from this pre-cached content without a request having to be sent to the live Web site.
3. With this service you can download an entire Web site if you wish.
Note: content that is produced by pop-up scripts, that depends on cookies, or that requires software to be installed for the site (for example language packs for Japanese, Chinese or Thai sites) cannot be downloaded this way.
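The depth-limited download described above, as an added example that is not part of the original article or of ISA Server's own code: a breadth-first prefetcher that follows links to a configured depth (depth 1 = start page, depth 2 = the pages it links to), stays on the starting site, and stops at the configured level. The site map is a constructed stand-in for live HTTP fetches, and the URLs under www.nis.com.vn are invented for illustration. It follows only static <a href> links, which is why script-driven content of the kind the note mentions is never prefetched by such a job.

```python
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed miniature site (URL -> HTML body) standing in for live fetches.
# The pages and links are invented; only the domain comes from the article.
SITE = {
    "http://www.nis.com.vn/":
        '<a href="/news.html">News</a> <a href="courses.html">Courses</a> '
        '<a href="http://www.microsoft.com/isa">ISA Server</a>',
    "http://www.nis.com.vn/news.html":
        '<a href="/news/2001.html">2001</a> <a href="/">Home</a>',
    "http://www.nis.com.vn/courses.html":
        '<a href="/courses/isa.html">ISA course</a>',
    "http://www.nis.com.vn/news/2001.html": "archive page, no links",
    "http://www.nis.com.vn/courses/isa.html": "course page, no links",
}


class LinkExtractor(HTMLParser):
    """Collects the href of every <a> tag; scripts and forms are ignored."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def fetch(url):
    """Stand-in for an HTTP GET: returns the constructed page body or None."""
    return SITE.get(url)


def prefetch(start_url, max_depth, same_site_only=True):
    """Breadth-first download of `start_url` and the pages it links to, down
    to `max_depth` levels. Returns {url: depth} for everything that would be
    placed in the cache; pages at max_depth are fetched but not expanded."""
    origin = urlsplit(start_url).netloc
    cached = {}
    queue = deque([(start_url, 1)])
    while queue:
        url, depth = queue.popleft()
        if url in cached or depth > max_depth:
            continue
        body = fetch(url)
        if body is None:          # unreachable or off-site page: skip it
            continue
        cached[url] = depth
        if depth == max_depth:    # do not follow links from the last level
            continue
        parser = LinkExtractor()
        parser.feed(body)
        for href in parser.links:
            target = urljoin(url, href).split("#")[0]
            if same_site_only and urlsplit(target).netloc != origin:
                continue          # never wander off to other sites
            queue.append((target, depth + 1))
    return cached


if __name__ == "__main__":
    for url, depth in sorted(prefetch("http://www.nis.com.vn/", 2).items()):
        print(depth, url)
```

With depth 2 the job caches the home page and the two pages it links to, but not the off-site Microsoft link nor the depth-3 archive and course pages; raising the depth to 3 pulls those in as well.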
- HTTP redirector filter
This filter makes the ISA caching features available to Firewall and SecureNAT clients. When the HTTP redirector is enabled (the ISA Server default), it redirects HTTP requests directly to the Web Proxy service instead of letting the other services handle them.
- NAT protocol driver
Note: Microsoft does not recommend running RRAS (Routing and Remote Access Service) on the ISA server, because it may conflict with the NAT protocol driver.
This driver allows clients on the local network to access resources on the Internet. Clients on the local network use private IP addresses as set aside by the Internet Assigned Numbers Authority (IANA), which are the following ranges:
+ 10.0.0.0 - 10.255.255.255
+ 172.16.0.0 - 172.31.255.255
+ 192.168.0.0 - 192.168.255.255
(See RFC 1597, since superseded by RFC 1918, for more detail on the private address ranges.)
When clients use addresses from these ranges, their Internet requests are passed to this driver, and the client IP address in the packet header is replaced by the IP address of the external interface on the ISA server (because private addresses have no meaning on the Internet: no Internet host uses them and they are not routed there). When the ISA server receives the reply from the Internet resource, it passes it back to the client on the intranet.
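As an added example (not part of the original article and not the ISA NAT driver's code), the translation described above in miniature: an outbound packet from a private client address has its source rewritten to the external interface address, the mapping is recorded, and only a reply that matches a recorded mapping is translated back; anything else arriving from the Internet is dropped. The external address 203.0.113.10 and the sample hosts are assumed values from documentation address space.

```python
import ipaddress
import itertools
from dataclasses import dataclass

# Assumed address of the ISA server's external interface (TEST-NET-3 space).
EXTERNAL_IP = "203.0.113.10"

# The private ranges from the text (RFC 1597 / RFC 1918).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def is_private(ip):
    return any(ipaddress.ip_address(ip) in net for net in PRIVATE_NETS)


class NatDriver:
    """Toy port-based NAT: rewrites the source of outbound packets to the
    external interface and restores the original client for matching replies.
    No timeouts, no ICMP, no fragments: only the translation idea itself."""

    def __init__(self, external_ip=EXTERNAL_IP, first_port=1025):
        self.external_ip = external_ip
        self._ports = itertools.count(first_port)
        self._out = {}  # (client_ip, client_port, dst_ip, dst_port) -> ext_port
        self._in = {}   # (ext_port, dst_ip, dst_port) -> (client_ip, client_port)

    def outbound(self, pkt):
        """Packet from the internal network heading to the Internet."""
        if not is_private(pkt.src_ip):
            return None  # not a private client address: nothing to translate
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        ext_port = self._out.get(key)
        if ext_port is None:  # new flow: allocate a port on the external side
            ext_port = next(self._ports)
            self._out[key] = ext_port
            self._in[(ext_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.external_ip, ext_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Packet arriving on the external interface. Only a reply that
        matches a mapping created by an earlier outbound packet is passed
        back to the client; unsolicited traffic has nowhere to go."""
        if pkt.dst_ip != self.external_ip:
            return None
        client = self._in.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if client is None:
            return None  # dropped: no client ever asked for this
        return Packet(pkt.src_ip, pkt.src_port, client[0], client[1])


if __name__ == "__main__":
    nat = NatDriver()
    out = nat.outbound(Packet("192.168.1.10", 3456, "198.51.100.7", 80))
    print("to Internet :", out)
    print("reply       :", nat.inbound(Packet("198.51.100.7", 80, EXTERNAL_IP, out.src_port)))
    print("unsolicited :", nat.inbound(Packet("198.51.100.7", 80, EXTERNAL_IP, 4000)))
```

The reverse lookup is keyed on the remote host and port as well as the external port, so a reply coming from a different host than the one the client contacted is dropped too. This "nothing in unless something went out" property is what the NAT driver contributes to the firewall; it is not a substitute for the Firewall service's rules.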
- Firewall Service (FWSRV.EXE)
1. The Firewall service is a circuit-level proxy for Winsock applications.
Some definitions to make this clearer:
+ Proxy: a computer system or a separate router placed between the sender and the receiver. It acts as a relay between two parties: the client (which wants to access a resource) and the server (which provides the resource the client needs). Because of this controlled relaying, proxy systems (proxy servers) are used to help keep attackers from penetrating the intranet, and proxies are one of the tools used to build a firewall.
A proxy is also "one who acts on behalf of another", and a proxy server does exactly that: it acts on behalf of both the client and the server. Every request from a client to the Internet first goes to the proxy; the proxy checks the request and, if it is allowed, forwards it on the client's behalf to the Internet host. The response (or a request originating from the Internet) is checked the same way and then passed to the client. Client and server each believe they are talking to the other directly, when in fact each "talks" only to the proxy.
+ Application Level and Circuit Level Proxy
Proxy servers exist for the common Internet services, for example an HTTP proxy for Web access and an FTP proxy for file transfers. These are called application-level proxies or "application-level gateways", because each is dedicated to one application protocol and understands the content of the packets passed through it. The other kind is the circuit-level proxy, which relays connections for many applications at once without understanding their protocols. SOCKS, for example, is a circuit-level proxy that supports most TCP-based applications and, in SOCKS5, UDP-based ones as well.
+ SOCKS or Sockets
SOCKS is a circuit-level proxy protocol standardized by the Internet Engineering Task Force (IETF, the open community of network designers, operators, vendors and researchers concerned with the evolution of the Internet architecture). It was written by David and Michelle Koblas in the early 1990s and quickly became a de facto standard (one established by widespread use rather than by ratification from a standards body, as opposed to a de jure standard). Although SOCKS appeared early and was widely used, the first version approved by the IETF is SOCKS5. SOCKS was originally used to proxy traffic such as FTP and Telnet, not HTTP. SOCKS4 handles TCP connections (which covers most Internet applications); SOCKS5 adds UDP, user authentication and hostname resolution at the proxy (so the client need not perform DNS lookups itself).
SOCKS requires either that the client application be configured to send its requests to the SOCKS server, or that a SOCKS client driver on the workstation intercept the requests of applications that are not SOCKS-aware and forward them. Many Web browsers and other Internet applications support SOCKS, so working with a SOCKS server is fairly easy. See http://www.socks.permeo.com/TechnicalResources/SOCKSFAQ/SOCKSGeneralFAQ/index.asp (Permeo Technologies' SOCKS Web site) for details on SOCKS and SOCKS-capable applications; it also helps to be familiar with the TCP/IP stack.
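To make the SOCKS4 and SOCKS5 differences concrete, an added example that is not the article's code nor any ISA component: it encodes the SOCKS5 method-selection greeting and CONNECT request from RFC 1928, a SOCKS4 CONNECT for comparison, and a server-side decoder for the SOCKS5 request. Sending a hostname with address type 0x03 is what lets the SOCKS5 server resolve the name; SOCKS4 carries only an IPv4 address plus an unauthenticated user ID. The host names are taken from the article's own example site.

```python
import socket
import struct

SOCKS5_VER = 0x05
SOCKS5_CMD_CONNECT = 0x01
SOCKS5_ATYP_IPV4 = 0x01
SOCKS5_ATYP_DOMAIN = 0x03
SOCKS5_METHOD_NO_AUTH = 0x00
SOCKS5_METHOD_USERPASS = 0x02   # RFC 1929 username/password


def socks5_greeting(methods=(SOCKS5_METHOD_NO_AUTH, SOCKS5_METHOD_USERPASS)):
    """Client hello: VER, NMETHODS, METHODS. The server answers with the one
    method it chose (VER, METHOD); 0xFF means no acceptable method."""
    return bytes([SOCKS5_VER, len(methods), *methods])


def socks5_connect(host, port):
    """SOCKS5 CONNECT: VER CMD RSV ATYP DST.ADDR DST.PORT. A hostname is sent
    as ATYP 0x03 so the proxy resolves it; a dotted quad goes as ATYP 0x01."""
    try:
        addr = bytes([SOCKS5_ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:  # not an IPv4 literal: send the name itself
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("domain name too long for SOCKS5")
        addr = bytes([SOCKS5_ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS5_VER, SOCKS5_CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def socks4_connect(host_ip, port, userid=""):
    """SOCKS4 CONNECT: VN=4 CD=1 DSTPORT DSTIP USERID NUL. IPv4 only (the
    client must resolve names itself) and USERID is merely asserted."""
    return (bytes([0x04, 0x01]) + struct.pack("!H", port)
            + socket.inet_aton(host_ip) + userid.encode("ascii") + b"\x00")


def parse_socks5_request(data):
    """Server side: decode a SOCKS5 request into (cmd, host, port). Anything
    that is not version 5, has a non-zero RSV byte, uses an unsupported
    address type, or is truncated is rejected rather than guessed at."""
    if len(data) < 4 or data[0] != SOCKS5_VER or data[2] != 0x00:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp = data[1], data[3]
    if atyp == SOCKS5_ATYP_IPV4:
        addr_end = 4 + 4
        if len(data) < addr_end:
            raise ValueError("truncated address")
        host = socket.inet_ntoa(data[4:addr_end])
    elif atyp == SOCKS5_ATYP_DOMAIN:
        if len(data) < 5:
            raise ValueError("truncated address")
        addr_end = 5 + data[4]
        host = data[5:addr_end].decode("idna")
    else:
        raise ValueError("unsupported address type %d" % atyp)
    if len(data) != addr_end + 2:
        raise ValueError("truncated request or trailing bytes")
    (port,) = struct.unpack("!H", data[addr_end:addr_end + 2])
    return cmd, host, port


if __name__ == "__main__":
    req = socks5_connect("www.nis.com.vn", 80)
    print("SOCKS5:", req.hex(), "->", parse_socks5_request(req))
    print("SOCKS4:", socks4_connect("10.0.0.5", 23, "hvha").hex())
```

A SOCKS4 request fed to the SOCKS5 decoder fails the version check, which is the behaviour you want at a proxy that is configured for one version only.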
2. The ISA Firewall service gives Winsock client applications the ability to connect to the Internet as if they were connected directly.
3. If the HTTP redirector is left at its default setting (redirect to the Web Proxy service), HTTP requests are sent to the Web Proxy service, so the Firewall service does not handle them itself and the requests benefit from the cache.
4. The Firewall service runs as a stand-alone service on Windows 2000 Server when ISA Server is installed in Firewall mode. Note: in Firewall mode ISA Server does not create a cache storage area (no caching).
5. The Firewall service establishes gateway connections between Winsock applications on the client and Internet hosts. The internal network remains protected because all such communication passes through the ISA server.
6. The functionality of the Firewall service can be extended with application filters.
7. The Firewall client identifies the communication of Winsock applications on your computer and redirects it to the Firewall service, where the actual communication with the remote host takes place.
8. A control channel carries the remote Winsock messages and distributes the LAT (Local Address Table, the table of internal IP address ranges) to the Firewall client. This channel also sets up the TCP connection from the client to the ISA server and is used to build virtual connections while the ISA server communicates with the remote application on the remote host.
9. The Firewall service also uses the control channel, on UDP port 1745, to exchange service-management, connection and authentication information.
10. The service also uses the LAT to determine whether a request it receives comes from the internal network or from an untrusted network (the Internet, including attacker networks).
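An added example (not the article's code and not ISA Server's own LAT handling) for items 8 and 10 above: a parser for a LAT in the style of msplat.txt, whose format is assumed here to be one "first last" address pair per line, and a check that classifies the source of a request as internal or external. It goes one step beyond the text by also flagging a packet whose source address is in the LAT but arrived on the external interface, or vice versa, as spoofed. The sample LAT is constructed and deliberately lists only two networks, to show that a private (RFC 1918) address not in the LAT is still treated as external.

```python
import ipaddress

# Constructed sample in the assumed msplat.txt style: "first last" per line.
# Only the two networks that exist on this intranet are listed.
SAMPLE_LAT = """\
192.168.1.0 192.168.1.255
10.10.0.0 10.10.255.255
"""


def parse_lat(text):
    """Return a list of (first, last) IPv4Address pairs. Blank lines are
    skipped; anything else that is not two addresses in order is an error,
    because a malformed LAT silently misclassifies traffic."""
    ranges = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 2:
            raise ValueError("LAT line %d: expected 'first last'" % lineno)
        first, last = (ipaddress.IPv4Address(p) for p in parts)
        if last < first:
            raise ValueError("LAT line %d: range end before start" % lineno)
        ranges.append((first, last))
    return ranges


def is_internal(lat, ip):
    """True if `ip` falls inside any LAT range."""
    addr = ipaddress.IPv4Address(ip)
    return any(first <= addr <= last for first, last in lat)


def check_source(lat, arrived_on, src_ip):
    """Classify a request by its source address and the interface that
    received it ('internal' or 'external'). A LAT address arriving from the
    outside, or a non-LAT address arriving from the inside, cannot be
    legitimate and is reported as 'spoofed' instead of being trusted."""
    internal = is_internal(lat, src_ip)
    if arrived_on == "internal":
        return "internal" if internal else "spoofed"
    if arrived_on == "external":
        return "spoofed" if internal else "external"
    raise ValueError("unknown interface " + arrived_on)


if __name__ == "__main__":
    lat = parse_lat(SAMPLE_LAT)
    for iface, ip in (("internal", "192.168.1.200"), ("external", "203.0.113.44"),
                      ("external", "192.168.1.7"), ("external", "172.16.5.5")):
        print(iface, ip, "->", check_source(lat, iface, ip))
```

Note the last case: 172.16.5.5 is private address space, but because it is not in this LAT the Firewall service would treat a request from it as external and apply the external-side rules, which is why the LAT must list every internal network, not just the ones the administrator remembers.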
- Web Proxy Service (W3PROXY.EXE)
1. This service allows any CERN-compliant client (Web browsers or other applications compatible with the CERN proxy standard, www.cern.ch; Internet Explorer or Netscape, for example) to access Internet resources over HTTP, HTTPS (secure HTTP), Gopher (a menu-oriented protocol for locating and retrieving documents scattered across thousands of Gopher servers on the Internet) and FTP.
2. The Web Proxy service is an application-level service for CERN-compliant applications (as discussed above) that have been configured to use it. In Internet Explorer, select Tools, Internet Options, Connections, LAN Settings and enter the parameters shown in the figure,
then click Advanced to see the per-protocol settings.
In this illustration the internal interface of the ISA server is 192.168.1.200 and the Web Proxy service listens on port 8080 (the port on which the Web Proxy service receives requests from Web Proxy clients, or CERN-compliant applications in general).
The Web Proxy service accepts requests from CERN-compliant applications regardless of the operating system they run on.
3. The Web Proxy service runs as a Windows 2000 Server process, W3proxy.exe.
4. ISA Server uses the secure Web publishing and reverse hosting functions (explained in later sections) to forward requests to published Web servers. These are Web servers that clients on the Internet are allowed to reach; for security they must sit behind the ISA server firewall, and access to them is provided through Web publishing on the ISA server, so that publishing them does not reduce the security of the LAN.
5. The Web Proxy service supports SSL (Secure Sockets Layer) and Web filters (ISAPI filters).
6. The Web Proxy service provides the cache feature on the ISA server.
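What a CERN-compliant client actually sends to the Web Proxy service at 192.168.1.200:8080, as an added example that is not the article's code nor Internet Explorer's: for HTTP, FTP and Gopher URLs the request line carries the full absolute URL, so the proxy resolves the host and can cache the reply; for HTTPS the client asks for a CONNECT tunnel to host:443 and the TLS handshake happens inside the tunnel, so the proxy can neither inspect nor cache that traffic. The proxy-side function just splits the request line the way the service must before applying rules. The URLs are assumed, built on the article's www.nis.com.vn.

```python
from urllib.parse import urlsplit

# Web Proxy listener from the article's illustration.
PROXY_HOST, PROXY_PORT = "192.168.1.200", 8080

TUNNEL_PORT = {"https": 443}
PROXIED_SCHEMES = ("http", "ftp", "gopher")


def build_proxy_request(url):
    """Bytes a CERN-compatible client sends to the Web Proxy service for `url`.
    Plain schemes: GET <absolute URL>, which the proxy fetches and may cache.
    HTTPS: CONNECT host:port, an opaque tunnel the proxy only relays."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    if not u.hostname:
        raise ValueError("URL needs a host")
    if scheme in TUNNEL_PORT:
        port = u.port or TUNNEL_PORT[scheme]
        target = "%s:%d" % (u.hostname, port)
        lines = ["CONNECT %s HTTP/1.1" % target, "Host: %s" % target]
    elif scheme in PROXIED_SCHEMES:
        lines = ["GET %s HTTP/1.1" % url, "Host: %s" % u.netloc]
    else:
        raise ValueError("scheme not handled by the Web Proxy service: " + scheme)
    lines.append("Proxy-Connection: keep-alive")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_proxy_request_line(data):
    """Proxy side: split the first line into (method, target, version). For a
    proxy the target is an absolute URL (or host:port for CONNECT), never the
    bare path a Web server would see."""
    first = data.split(b"\r\n", 1)[0].decode("ascii")
    method, target, version = first.split(" ")
    return method, target, version


def is_cacheable(data):
    """A request the Web Proxy service could serve from cache: a GET for an
    absolute URL. CONNECT tunnels are opaque and never cacheable."""
    method, target, _ = parse_proxy_request_line(data)
    return method == "GET" and urlsplit(target).scheme in PROXIED_SCHEMES


if __name__ == "__main__":
    for url in ("http://www.nis.com.vn/index.html", "https://www.nis.com.vn/",
                "ftp://ftp.nis.com.vn/pub/"):
        req = build_proxy_request(url)
        print("to %s:%d" % (PROXY_HOST, PROXY_PORT), parse_proxy_request_line(req),
              "cacheable" if is_cacheable(req) else "tunnel")
```

The difference between the two request forms is why the article can say the Web Proxy service "includes the cache feature" while HTTPS sessions still pass through untouched: the proxy sees the destination of a CONNECT but none of the content.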
Part I: HOW TO INSTALL ISA SERVER ENTERPRISE 2000
Ho Viet Ha - Instructor Team Leader
hvha@newhorizons.com.vn
New Horizons VietNam (Computer Learning Centers in VietNam)
Network Information Security (NIS.COM.VN, my Web site, coming soon)