
ISA Server

Leeven Chang, GJUN CTEK, leevenchang@msn.com

2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

Agenda
- Introduction to ISA Server 2006
- Secure Application Publishing
- Branch Office Protection
- Firewall and Proxy Enhancements
- Monitoring ISA with MOM


[Diagram: the Microsoft security platform, with ISA Server positioned at the Edge layer]
Layers shown: Edge; Network Access Protection (NAP); Server Applications; Client and Server OS; Identity Management, with Active Directory Federation Services (ADFS); Information Protection, with Encrypting File System (EFS) and BitLocker; Systems Management; Guidance and Developer Tools


ISA Server 2006

Application Layer Firewall
- Protects internal resources from the outside
- Separate from the rest of the network
- Controls how Internet resources are used
- Examines each network packet against your rules

VPN

Proxy Server
- Makes network requests and forwards data
- Caches sites for improved performance


ISA Server 2006 Editions

ISA Server 2006 Standard Edition

ISA Server 2006 Enterprise Edition


Appliances
- Preinstalled on optimized hardware
- Partner solutions extend ISA: antivirus gateways, URL filtering, availability
- Available for both Standard and Enterprise Edition
- Enterprise Edition appliances get extended NLB and caching functionality
- Support for unattended installation using a USB flash drive


Appliances - Benefits
- Easy deployment
- Everything is tested
- Hardened configuration -> reduced attack surface
- Extra configuration tools and web administration


Advantages of Appliances
- Easier purchase process, no separate software licensing complexity
- Lower cost of deployment: plug & play, set & forget
- Controlled components and drivers
- Automated patch management (on some offerings)
- Fewer calls to tech support
- Easy roll-back to factory configuration
- Quick learning curve for IT administrators
- Appliances are the whole solution, not just part of it


A Traditional Firewall's View of a Packet
- Only packet headers are inspected; application-layer content appears as a black box
  IP Header: Source Address, Dest. Address, TTL, Checksum
  TCP Header: Sequence Number, Source Port, Destination Port, Checksum
  Application Layer Content: ??????????????????????????????? (opaque to the firewall)
- Forwarding decisions are based on port numbers
- Legitimate traffic and application-layer attacks use identical ports
[Diagram: from the Internet towards the corporate network, expected HTTP traffic, unexpected HTTP traffic and attacks all pass on the same port; only non-HTTP traffic is stopped]


ISA Server's View of a Packet
- Packet headers and application content are inspected
  IP Header: Source Address, Dest. Address, TTL, Checksum
  TCP Header: Sequence Number, Source Port, Destination Port, Checksum
  Application Layer Content: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF8"><title>MSNBC - MSNBC Front Page</title><link rel="stylesheet" ...
- Forwarding decisions are based on content
- Only legitimate and allowed traffic is processed
[Diagram: from the Internet towards the corporate network, only allowed HTTP traffic passes; prohibited HTTP traffic, attacks and non-HTTP traffic are stopped at ISA]
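To make the difference between the two views concrete, here is an added example in Python (not code from the presentation or from ISA Server): a port-only filter next to a filter that parses the HTTP request carried on port 80 and applies a small allow-list. The published host www.contoso.com, the method list, the path limit and the sample packets are all constructed for the example.

```python
"""Port-based filtering vs. application-layer inspection (constructed example)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes          # application-layer content carried by the segment

# Hypothetical publishing policy for one web site
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST"}
ALLOWED_HOSTS = {b"www.contoso.com"}
MAX_PATH_LEN = 256

def port_filter(pkt: Packet) -> str:
    """Traditional packet filter: the decision uses headers only."""
    return "allow" if pkt.dport == 80 else "deny"

def parse_http_request(payload: bytes) -> Optional[Tuple[bytes, bytes, Dict[bytes, bytes]]]:
    """Return (method, path, headers), or None if the bytes are not a complete HTTP/1.x request."""
    head = payload.partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")
    try:
        method, path, version = lines[0].split(b" ")
    except ValueError:            # wrong number of request-line tokens
        return None
    if not version.startswith(b"HTTP/1."):
        return None
    headers: Dict[bytes, bytes] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            return None           # malformed or incomplete header line
        headers[name.strip().lower()] = value.strip()
    return method, path, headers

def content_filter(pkt: Packet) -> str:
    """Application-layer filter: port 80 traffic must be HTTP that the policy allows."""
    if pkt.dport != 80:
        return "deny"
    req = parse_http_request(pkt.payload)
    if req is None:
        return "deny: non-HTTP on port 80"   # e.g. a tunnel or a worm probing port 80
    method, path, headers = req
    if method not in ALLOWED_METHODS:
        return "deny: method"
    if headers.get(b"host") not in ALLOWED_HOSTS:
        return "deny: host"
    if b".." in path or len(path) > MAX_PATH_LEN:
        return "deny: path"
    return "allow"

# Constructed sample traffic, all from one Internet client to one published server
_HDR = b"Host: www.contoso.com\r\n\r\n"
SAMPLES = {
    "legit":      Packet("203.0.113.5", "192.0.2.10", 80, b"GET /index.html HTTP/1.1\r\n" + _HDR),
    "trace":      Packet("203.0.113.5", "192.0.2.10", 80, b"TRACE / HTTP/1.1\r\n" + _HDR),
    "traversal":  Packet("203.0.113.5", "192.0.2.10", 80, b"GET /../../boot.ini HTTP/1.1\r\n" + _HDR),
    "wrong_host": Packet("203.0.113.5", "192.0.2.10", 80, b"GET / HTTP/1.1\r\nHost: other.example\r\n\r\n"),
    "tunnel":     Packet("203.0.113.5", "192.0.2.10", 80, b"SSH-2.0-OpenSSH_4.3\r\n"),
    "smtp":       Packet("203.0.113.5", "192.0.2.10", 25, b"EHLO mail.example\r\n"),
}

def compare(samples=SAMPLES) -> Dict[str, Tuple[str, str]]:
    """Decision of each filter for every sample: name -> (port filter, content filter)."""
    return {name: (port_filter(p), content_filter(p)) for name, p in samples.items()}

if __name__ == "__main__":
    for name, (by_port, by_content) in compare().items():
        print(f"{name:<11} port filter: {by_port:<6} content filter: {by_content}")
```

The port filter admits everything on port 80, including the SSH banner and the TRACE and traversal requests; the content filter admits only the request that is well-formed HTTP for the published host with an allowed method and a sane path.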


Multi-Network Support
- Simplifies the complexity and administration of managing network security
- Subdivide the network into multiple segments with a single ISA license
- Extend virtual firewall protection across each segment
- Enforce rules on a per-network basis
- Easy setup with network templates
[Diagram: ISA 2006 between the Internet and the Local Area Network, with separate networks for VPN, Quarantined VPN, CorpNet_1 ... CorpNet_n, DMZ_1 ... DMZ_n and Net A]


ISA 2004/2006 Policy Model
- Single, ordered rule base
- Logical and easier to understand
- Easy to view and to audit
- Default System Policy


Default System Policy/Lockdown
- System Policy: a default set of access rules applied to the ISA Server itself
- Lockdown mode protects the operating system when the firewall service is offline because:
  - a security event triggered a firewall service shutdown
  - the firewall service was shut down as planned
  - the ISA Server is rebooting


Exploring some basic tasks


Application Publishing
- Use internal resources from the Internet, e.g. Outlook Web Access
- Publish through one external IP address
- Cached content served to external clients
- Supports IIS authentication methods
- Pre-authenticate users
- Path configuration


OWA Publishing
[Diagram: the client's HTTPS session ends at ISA Server, where the encrypted bytes become readable HTML ("http://... <a href"); ISA then opens its own connection to the OWA front end on Exchange, which authenticates against AD]
- ISA Server is the host the external client connects to
- ISA terminates all connections
- Decrypts HTTPS
- Inspects content
- Inspects the URL against rules
- Re-encrypts for delivery to OWA


What is Publishing?
- ISA Server impersonates internal servers through a reverse proxy process
- To make internal sites/services accessible to users outside the corporate network, including partners
- To add a layer of security at the network edge
[Diagram: the Internet, a DMZ and the headquarters Internal Network, showing the External Web Server, Exchange, SharePoint, an Intranet Web Server, the Administrator, RADIUS and Active Directory]


The Solution
[Diagram: a remote user and a hacker on the Internet link; ISA 2006 in front of the Internal Network, which holds an Exchange farm, SharePoint and Active Directory]
- Automatic translation of links to internal shares
- Strong user/group based access controls
- Load balancing of server farms
- NTLM, Kerberos authentication support
- Exchange & SharePoint publishing tools
- Smartcard & one-time password support
- Inspection of encrypted traffic using SSL bridging
- Single sign-on for access to multiple servers
- Pre-authentication so only valid traffic reaches servers
- Authentication with Active Directory via LDAP
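The two publishing mechanisms that matter most for the "only valid traffic reaches servers" claim are pre-authentication and link translation. The following added example in Python (not code from the presentation or from ISA Server) shows both in a minimal reverse-proxy handler: the request is authenticated against a constructed directory and authorized against a publishing rule before the backend is contacted at all, and internal host names in the backend's body and Location header are rewritten to the published names. The user accounts, groups, host names in LINK_MAP and the FakeOwa backend are all constructed for the example; the directory lookup stands in for the AD/LDAP call ISA would make.

```python
"""Reverse-proxy publishing with pre-authentication and link translation (constructed example)."""
import base64
import hashlib
import hmac
from typing import Callable, Dict, Optional

# Constructed stand-in for the directory ISA would query (AD or LDAP): user -> (password hash, groups).
_SALT = b"example-salt"      # constructed; a real credential store uses a random salt per user

def _derive(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)

DIRECTORY = {
    "alice": (_derive("correct horse"), {"OWA Users"}),
    "bob":   (_derive("battery staple"), set()),
}
_DUMMY = _derive("")          # compared against for unknown users so timing does not reveal valid names

# Link translation table: internal name -> published name (assumed values)
LINK_MAP = {
    "http://owa.corp.local": "https://mail.contoso.com",
    "http://sharepoint.corp.local": "https://portal.contoso.com",
}

# Publishing rules: (external path prefix, group allowed to use it)
PUBLISH_RULES = [("/owa", "OWA Users")]

def preauthenticate(headers: Dict[str, str]) -> Optional[str]:
    """Validate HTTP Basic credentials at the edge; return the user name or None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(auth[6:], validate=True).decode().partition(":")
    except ValueError:                      # bad base64 or non-UTF-8 bytes
        return None
    entry = DIRECTORY.get(user)
    expected = entry[0] if entry else _DUMMY
    if not hmac.compare_digest(_derive(password), expected) or entry is None:
        return None
    return user

def translate_links(text: str) -> str:
    """Rewrite internal host names in a response (body or Location header) to their published names."""
    for internal, external in LINK_MAP.items():
        text = text.replace(internal, external)
    return text

def publish(request: Dict, backend: Callable[[Dict], Dict]) -> Dict:
    """Handle one published request: authenticate and authorize first, forward only afterwards."""
    user = preauthenticate(request.get("headers", {}))
    if user is None:
        return {"status": 401, "headers": {"WWW-Authenticate": 'Basic realm="published"'}, "body": ""}
    groups = DIRECTORY[user][1]
    if not any(request["path"].startswith(prefix) and group in groups for prefix, group in PUBLISH_RULES):
        return {"status": 403, "headers": {}, "body": ""}
    resp = backend({"path": request["path"], "user": user})       # the only path to the internal server
    return {"status": resp["status"],
            "headers": {k: translate_links(v) for k, v in resp["headers"].items()},
            "body": translate_links(resp["body"])}

class FakeOwa:
    """Constructed OWA front end that counts how often it was reached."""
    def __init__(self):
        self.calls = 0
    def __call__(self, req: Dict) -> Dict:
        self.calls += 1
        if req["path"] == "/owa":           # the internal server answers with an absolute internal redirect
            return {"status": 302, "headers": {"Location": "http://owa.corp.local/owa/auth/logon.aspx"}, "body": ""}
        return {"status": 200, "headers": {"Content-Type": "text/html"},
                "body": '<a href="http://owa.corp.local/owa/inbox">Inbox</a>'}

def basic(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

if __name__ == "__main__":
    owa = FakeOwa()
    for hdrs in ({}, {"Authorization": basic("alice", "wrong")}, {"Authorization": basic("alice", "correct horse")}):
        r = publish({"path": "/owa/inbox", "headers": hdrs}, owa)
        print(r["status"], r["body"], "backend calls:", owa.calls)
```

Anonymous, wrongly authenticated and unauthorized requests never reach the backend (its call counter stays at zero), which is the point of pre-authentication; the redirect and the anchor in the page come back rewritten to the published name, so the client never learns or tries to reach owa.corp.local.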


Branch Office Gateway
Key Differentiating Points
- Easy integration with existing branch office infrastructure
- Integrated application-layer firewall provides added protection
- Integrated cache functionality increases speed
- Integrated site-to-site (S2S) VPN functionality lowers TCO
- Centralized management from HQ


Branch Office Performance Improvements
BITS caching for the Microsoft update platform
- Reduce the impact of software updates on network bandwidth in the branch office
- Improve the value of ISA 2006 by reducing days-of-risk in branch office locations
Compression of HTTP content
- Compress HTTP content before it goes over the WAN to accelerate web browsing and improve bandwidth usage
- Cache compressed and uncompressed content
Diffserv (Differentiated Services) to prioritize HTTP and HTTPS application traffic
- Improve response time for critical HTTP and HTTPS applications
- Determine which traffic has priority over other traffic based on URL and the corresponding configured Diffserv service level


Branch Office Scenario
[Diagram: Headquarters connected to Branch 1, Branch 2 and Branch 3 over leased lines]


Branch Office Gateway
ISA Server 2004/2006 Features
- Easy deployment
- Better protection
- Better management
- Lower connectivity costs
- Bandwidth optimization
- Flexible branch office network topology
- Integrated firewall
- Integrated S2S VPN gateway
- HTTP caching
- Distributed caching & web proxy chaining
Windows Server 2003 R2
- BITS caching complements R2 Remote Differential Compression (RDC)


Enterprise Policies
Enterprise policies:
- Multiple template policies for an organization
- Arrays are assigned Enterprise Policies
Effective policy:
- Calculated from Enterprise Policies and Array Policies
- Result: an ordered set of allow/deny rules


Enterprise Policy Structure
An enterprise policy consists of:
1. Enterprise rules (before)
2. Array policy placeholder
3. Enterprise rules (after)
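The single ordered rule base from the policy model slide and the before/placeholder/after structure above combine into one evaluation procedure, shown here as an added example in Python (not code from the presentation or from ISA Server): the effective policy is the concatenation enterprise-before + array rules + enterprise-after, the first matching rule wins, and an implicit last rule denies everything. The rule and network names, the groups and the requests are constructed for the example; the point it makes is that an array administrator's broad allow rule cannot undo an enterprise deny placed before the placeholder, and that rule order inside the array matters.

```python
"""Effective policy evaluation: enterprise rules, array placeholder, first match wins (constructed example)."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Tuple

ANY = frozenset({"*"})          # wildcard element: matches every value

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "allow" or "deny"
    protocols: FrozenSet[str]
    sources: FrozenSet[str]              # ISA network names such as "Internal", "External", "VPN Clients"
    destinations: FrozenSet[str]
    users: FrozenSet[str] = ANY          # user groups; ANY means all users

@dataclass(frozen=True)
class Request:
    protocol: str
    source: str
    destination: str
    groups: FrozenSet[str] = frozenset() # groups the (authenticated) requester belongs to

def _hit(allowed: FrozenSet[str], value: str) -> bool:
    return "*" in allowed or value in allowed

def rule_matches(rule: Rule, req: Request) -> bool:
    return (_hit(rule.protocols, req.protocol)
            and _hit(rule.sources, req.source)
            and _hit(rule.destinations, req.destination)
            and ("*" in rule.users or bool(rule.users & req.groups)))

def effective_policy(enterprise_before: Iterable[Rule], array_rules: Iterable[Rule],
                     enterprise_after: Iterable[Rule]) -> List[Rule]:
    """Enterprise rules (before), then the array's own rules in the placeholder slot, then enterprise rules (after)."""
    return list(enterprise_before) + list(array_rules) + list(enterprise_after)

def evaluate(policy: List[Rule], req: Request) -> Tuple[str, str]:
    """Walk the single ordered rule base; the first matching rule decides. The implicit last rule denies."""
    for rule in policy:
        if rule_matches(rule, req):
            return rule.action, rule.name
    return "deny", "Default rule"

# Constructed sample: the enterprise administrator forbids direct outbound SMTP from every array;
# the array administrator allows web access for employees and, more broadly, any outbound protocol.
ENTERPRISE_BEFORE = [
    Rule("Ent: block outbound SMTP", "deny", frozenset({"SMTP"}), ANY, frozenset({"External"})),
]
ARRAY_RULES = [
    Rule("Array: employees web access", "allow", frozenset({"HTTP", "HTTPS"}),
         frozenset({"Internal"}), frozenset({"External"}), frozenset({"Employees"})),
    Rule("Array: allow all outbound", "allow", ANY, frozenset({"Internal"}), frozenset({"External"})),
]
ENTERPRISE_AFTER = [
    Rule("Ent: VPN clients to intranet web", "allow", frozenset({"HTTP"}),
         frozenset({"VPN Clients"}), frozenset({"Internal"})),
]
POLICY = effective_policy(ENTERPRISE_BEFORE, ARRAY_RULES, ENTERPRISE_AFTER)

if __name__ == "__main__":
    for i, rule in enumerate(POLICY, 1):          # the view an auditor gets: one ordered list
        print(f"{i}. {rule.action:<5} {rule.name}")
    print(evaluate(POLICY, Request("SMTP", "Internal", "External")))   # array "allow all" cannot override
```

Printing the effective policy in order is also the simplest audit: every decision the firewall can make is visible as the first rule that matches, so a reviewer can check a requirement like "no direct outbound SMTP" by confirming the deny rule sits above anything that could allow it.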


Configuration Storage Server
[Diagram: a Management Console writes to the Configuration Storage Server (CSS); two CSS instances replicate with each other; three ISA 2006 Server Arrays each keep a local configuration copy pulled from the CSS]


Balancing Published Servers
[Diagram: an external client (192.168.1.8) on the Internet connects to the external NLB cluster VIP 128.1.1.100; ISA 1 (external DIP 128.1.1.2, internal DIP 10.10.10.2) or ISA 2 (external DIP 128.1.1.1, internal DIP 10.10.10.1) accepts the connection and forwards it to Published Server 1 (11.11.11.1) or Published Server 2 (11.11.11.2); the internal NLB cluster VIP is 10.10.10.100; numbered steps 1-6 trace the request in and the reply back out]


Balancing Outbound Access
[Diagram: an internal client (a laptop, 12.12.12.1) sends to the internal NLB cluster VIP 10.10.10.100; ISA 1 (internal DIP 10.10.10.2, external DIP 128.1.1.2) or ISA 2 (internal DIP 10.10.10.1, external DIP 128.1.1.1, as on the previous slide) proxies the request out through the external NLB cluster VIP 128.1.1.100 to ftp.microsoft.com (157.31.56.100); numbered steps trace the path out and back]


ISA Server 2006
[Diagram: Headquarters connected by site-to-site VPN to Branch 1, Branch 2 and Branch 3]
- Integrated security: application filtering, BITS caching
- Secure access: HTTP compression, traffic prioritization
- Efficient management: easy deployment, fast propagation of policies


Integrated Security
BITS caching (Background Intelligent Transfer Service)
- Transfers files between client and server
- Uses leftover bandwidth
- Maintains transfers if disconnected
Windows Updates
- Data is cached on the ISA Server
- Subsequent users pull it from the local cache


Secure Access
HTTP compression
- When someone in the branch requests content, the response is compressed at the ISA Server at HQ
- It reaches the branch ISA Server and is decompressed there
Traffic prioritizing
- Controls traffic when bandwidth is limited
- Uses the Diffserv protocol
- ISA inspects requests and assigns a priority depending on the destination


Effective Management
- Branch Office Connectivity Wizard
- Answer files for unattended installation
- More effective policy propagation
- Reduced server requirements
- Optimization for low bandwidth use
- Secure remote management is possible
- Templates and configuration tools


Configure the Branch Office Gateway


Proxy server features
- Enhanced worm resiliency mitigates the impact of worms on the network
- Faster alert triggers and responses
- To withstand DoS attacks, ISA Server controls:
  - log throttling (measures the volume of denied records)
  - memory consumption
  - pending DNS queries


The Solution
[Diagram: an attacker and an external web site on the Internet; an ISA Server 2006 array in front of the Internal Network]
- Enhanced protection against DoS, DDoS & DNS attacks
- Integrated application-layer firewall & web proxy
- Integrated Network Load Balancing for high availability
- Comprehensive alert triggers & responses
- Security-enhanced remote management using TLS
- Built-in traffic inspection for over 120 protocols
- Customizable cache rules for flexibility
- Fast RAM & on-disk caching for fast web page response times
- Enhanced worm protection through connection quotas


Flood Resiliency
Protect ISA Server from:
- Worm propagation
- SYN floods
- Denials of service
- Distributed DoS
- HTTP bombing
In some cases, computers behind ISA are also protected, but this isn't the primary goal of the feature.
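The connection quotas behind the worm protection and flood resiliency slides are easier to reason about in code. The following is an added example in Python (not code from the presentation or from ISA Server) of a per-source-IP quota with two limits, concurrent connections and new connection attempts per sliding 60-second window, plus an exemption list for devices such as a NAT router that legitimately fronts many clients. The limit values, the source addresses and the simulated traffic are chosen for illustration, not taken from the product.

```python
"""Per-source connection quotas with a sliding window, one form of flood mitigation (constructed example)."""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

class ConnectionQuota:
    """Limit each source IP to max_concurrent open connections and max_new_per_minute connect attempts.

    The limits are illustrative defaults for this example, not the product's values."""

    def __init__(self, max_concurrent: int = 160, max_new_per_minute: int = 600, exempt=()):
        self.max_concurrent = max_concurrent
        self.max_new = max_new_per_minute
        self.exempt = frozenset(exempt)            # e.g. a NAT device fronting many real clients
        self.concurrent: Dict[str, int] = defaultdict(int)
        self.attempts: Dict[str, Deque[float]] = defaultdict(deque)   # connect timestamps, last 60 s
        self.alerts: List[Tuple[float, str, str]] = []                 # (time, source, reason)

    def _trim(self, src: str, now: float) -> None:
        q = self.attempts[src]
        while q and now - q[0] >= 60.0:
            q.popleft()

    def open(self, src: str, now: float) -> bool:
        """Admit or refuse a new connection from src at time now (seconds)."""
        if src in self.exempt:
            self.concurrent[src] += 1
            return True
        self._trim(src, now)
        self.attempts[src].append(now)            # refused attempts count too: a flood keeps tripping the rate limit
        if len(self.attempts[src]) > self.max_new:
            self.alerts.append((now, src, "connect-rate"))
            return False
        if self.concurrent[src] >= self.max_concurrent:
            self.alerts.append((now, src, "concurrent"))
            return False
        self.concurrent[src] += 1
        return True

    def close(self, src: str) -> None:
        if self.concurrent[src] > 0:
            self.concurrent[src] -= 1

def simulate(quota: ConnectionQuota, src: str, attempts: int, start: float, spread: float) -> int:
    """Open `attempts` connections from src evenly over `spread` seconds without closing any; return how many were admitted."""
    step = spread / attempts if attempts else 0.0
    return sum(quota.open(src, start + i * step) for i in range(attempts))

if __name__ == "__main__":
    q = ConnectionQuota(max_concurrent=160, max_new_per_minute=600)
    worm = simulate(q, "10.0.0.77", 2000, 0.0, 30.0)    # infected host hammering the proxy
    user = simulate(q, "10.0.0.5", 8, 0.0, 30.0)        # a browser opening a few connections
    print(f"worm admitted {worm} of 2000, user admitted {user} of 8, alerts: {len(q.alerts)}")
```

The flooding host is held to its concurrent limit, every further attempt is refused and raises an alert that monitoring can act on, and the other host on the same network is untouched, which is the "protect ISA Server itself" goal of the slide. The alerts list is also where a log-throttling policy would apply: a source that trips the quota thousands of times a minute should produce one summarized record, not thousands.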


Web Access Protection
Key Differentiating Points
- Deep content inspection inspects the actual content of traffic
- Multi-network architecture eases infrastructure integration
- Flexible SDK allows easy development of new application filters
- CARP (Cache Array Routing Protocol) provides high performance for caching
- Easy-to-use UI makes configuration easier


Monitoring ISA Server 2006
- MOM Management Pack
- Health indicators
- Knowledge from the designers


Monitoring and Alarming
- Real-time firewall status
- Alarming mechanism


Report
Firewall Active Log
- Detail message
- Scheduling
- Browseable
- Exportable


Summary
- Firewall, VPN, Proxy
- Application Publishing
- Branch Office: caching, compression, prioritizing of traffic

