42237707-isa-server-2004
8/13/2019 42237707-ISA-Server-2004
1/609
ISA Server 2004 VPN Deployment Kit
Table of Contents
For the latest information, please see http://www.microsoft.com/isaserver/
Contents:
Chapter 1: ISA Server 2004 and VPN Networking
Chapter 2: How to Use the Guide
Chapter 3: Installing ISA Server 2004 on Windows Server 2003
Chapter 4: Configuring the ISA Server 2004 Firewall as a VPN Server
Chapter 5: Creating Access Policy for VPN Clients
Chapter 6: Configuring the ISA Server 2004 Firewall for Outbound PPTP and L2TP/IPSec Access
Chapter 7: Configuring Windows Server 2003 RADIUS Support for VPN Clients – Including Support for EAP-TLS Authentication
Chapter 8: Configuring the VPN Client and ISA Server 2004 VPN Server to Support Certificate-Based PPTP EAP-TLS Authentication
Chapter 9: Enabling Network Browsing for ISA Server 2004 VPN Clients
Chapter 10: Creating PPTP and L2TP/IPSec Site-to-Site VPNs with ISA Server 2004 Firewalls
Chapter 11: Creating a Site-to-Site VPN with ISA Server 2004 at Local and Remote Sites using IPSec Tunnel Mode
Chapter 12: Allowing Inbound L2TP/IPSec NAT Traversal Connections through a Back-to-Back ISA Server 2004 Server DMZ
Chapter 13: Allowing Inbound PPTP Connections through a Back-to-Back ISA Server 2004 Server Perimeter Network
Chapter 14: Configuring VPN Quarantine
This is a preliminary document and may be changed substantially prior to final commercial release of the software described herein.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2004 Microsoft Corporation. All rights reserved.
The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.
Microsoft, Windows, Windows 2000, Windows 2000 Server, Windows Server 2003, Windows Server System, ISA Server, and ISA Server 2004 are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
ISA Server 2004 VPN Deployment Kit: ISA Server 2004 and VPN Networking
Chapter 1
Installing and Configuring the Microsoft Internet Authentication Service
Installing the Microsoft Internet Authentication Service
Configuring the Microsoft Internet Authentication Service
Installing the WINS Server Service and Configuring the DHCP Server
Installing the WINS Service
Configuring the DHCP Service
Conclusion
Introduction
Installing ISA Server 2004
Conclusion
Introduction
Enable the
Create the Outbound L2TP/IPSec Access Rule at the Local ISA Server 2004 Firewall
Issue a certificate to the
Create the Access Rules at the Main Office
Create the
Set the Shared Password in the RRAS Console at the Main Office
Create the Remote Site at the Branch Office
Create the Network Rule at the Branch Office
Create the Access Rules at the Branch Office
Create the
Configure the Front-End ISA Server 2004 Firewall to Forward L2TP/IPSec Connections to the Back-End ISA Server 2004 Firewall
Issue a Machine Certificate to the Back-end Firewall
Overview of the Back-to-back ISA Server 2004 Firewall Network Topology
Restore the Back-end Firewall Machine to its Post-Installation State
Install the ISA Server 2004 Firewall Software on the Front-End Firewall
Configure the Front-End ISA Server 2004 Firewall to Forward PPTP Connections to the Back-End ISA Server 2004 Firewall
Install the Quarantine Service Listener on the ISA Server 2004 Firewall
Install the Connection Manager Administration Kit on the ISA Server 2004 Firewall
Create a Sample
Introduction
Welcome to the ISA Server 2004 VPN Deployment Kit! This kit was designed to help you with putting together a working
8. The DNS server sends a request for the IP address of http://www.example.microsoft.com/ to the example.microsoft.com DNS server.
9. The example.microsoft.com DNS server sends the IP address of DNS host http://www.example.microsoft.com/ to the DNS server. The DNS server places this result in its DNS cache.
10. The DNS server returns the result to the DNS client on the internal network.
18. Click OK in the Advanced TCP/IP Settings dialog box.
19. Click OK in the Internet Protocol (TCP/IP) Properties dialog box.
20. Click Next on the Networking Components page.
21. Accept the default selection on the Workgroup or Computer Domain page. We will later make this machine a domain controller, and the machine will be a member of the domain we create at that time. Click Next.
22. Installation continues and when it finishes, the computer will restart automatically.
23. Log on to the Windows Server 2003 using the password you created for the Administrator account.
24. On the Manage Your Server page, put a checkmark in the Don't display this page at logon checkbox and close the window.
Install and Configure DNS
The next step is to install the Domain Naming System (DNS) server on the machine that will be the domain controller. This is required because the Active Directory requires a DNS
Introduction
In this ISA Server 2004 VPN Deployment Kit document, you will install the ISA Server 2004 software onto the Windows Server 2003 computer installed and configured in Chapter 2.
There are only a few decisions you will need to make while installing ISA Server 2004 software. The most important configuration made during installation is the Internal network IP address range(s). Unlike ISA Server 2000, ISA Server 2004 does not use a Local Address Table (LAT) to define trusted and untrusted networks. Instead, the ISA Server 2004 firewall asks for IP addresses defining a network entity known as the Internal network. The Internal network contains important network servers and services such as Active Directory domain controllers, DNS, WINS, RADIUS, DHCP, firewall management stations, and others. The ISA Server 2004 firewall communicates with these services immediately after installation is complete.
The firewall's System Policy controls communications between the Internal network and the ISA Server 2004 firewall. The System Policy is a collection of pre-defined Access Rules determining the type of traffic allowed to and from the firewall immediately after installation. The System Policy is configurable, which enables you to control the limits of the default System Policy Access Rules.
In this document we will discuss the following procedures:
Installing ISA Server 2004 on Windows Server 2003
18. Click Yes in the Microsoft ISA Server dialog box informing you that the machine must be restarted.
19. Log on as Administrator after the machine restarts.
8 | Allow DHCP requests from ISA Server to all networks | Allow | DHCP (request) | Local Host | Anywhere | All Users
9 | Allow DHCP replies from DHCP servers to ISA Server | Allow | DHCP (reply) | Anywhere | Local Host | All Users
10 | Allow ICMP (PING) requests from selected computers to ISA Server | Allow | Ping | Remote Management Computers | Local Host | All Users
11 | Allow ICMP requests from ISA Server to selected servers | Allow | ICMP Information Request, ICMP Timestamp, Ping | Local Host | All Networks | All Users
12¹ | Allow
18 | Allow HTTP/HTTPS requests from ISA Server to selected servers for HTTP connectivity verifiers | Allow | HTTP, HTTPS | Local Host | All Networks | All Users
19⁷ | Allow access from trusted computers to the Firewall Client installation share on ISA Server | Allow | Microsoft CIFS (TCP), Microsoft CIFS (UDP), NetBIOS Datagram, NetBIOS Name Service, NetBIOS Session | Internal | Local Host | All Users
20⁹ | Allow remote performance monitoring of ISA Server from trusted servers | Allow | NetBIOS Datagram, NetBIOS Name Service, NetBIOS Session | Remote Management Computers | Local Host | All Users
21 | Allow NetBIOS from ISA Server to trusted servers | Allow | NetBIOS Datagram, NetBIOS Name Service, NetBIOS Session | Local Host | Internal | All Users
22 | Allow RPC from ISA Server to trusted servers | Allow | RPC (all interfaces) | Local Host | Internal | All Users
23 | Allow HTTP/HTTPS from ISA Server to specified Microsoft Error Reporting sites | Allow | HTTP, HTTPS | Local Host | Microsoft Error Reporting sites | All Users
28 | Allow SMTP from ISA Server to trusted servers | Allow | SMTP | Local Host | Internal | All Users
29 | Allow HTTP from ISA Server to selected computers for Content Download Jobs | Allow | HTTP | Local Host | All Networks | System and Network Service
¹ This policy is disabled until the
Introduction
The ISA Server 2004 firewall can be configured as a
8. In the Select Groups dialog box, click the Locations button. In the Locations dialog box, click the msfirewall.org entry and click OK.
9. In the Select Group dialog box, enter Domain Users in the Enter the object names to select text box. Click the Check Names button. The group name will be underlined when it is found in the Active Directory. Click OK.
18. Click Apply to save the changes and update the firewall policy.
19. Click OK in the Apply New Configuration dialog box.
20. Restart the ISA Server 2004 firewall machine.
The machine will obtain a block of IP addresses from the DHCP Server on the Internal network when it restarts. Note that on a production network where the DHCP server is located on a network segment remote from the ISA Server 2004 firewall, all interposed routers will need to have BOOTP or DHCP relay enabled so that DHCP requests from the firewall can reach the remote DHCP servers.
28. Click OK in the dialog box informing you that the certificate request was successful.
29. Return to the Microsoft Internet Security and Acceleration Server 2004 management console and expand the computer name in the left pane and click on the Firewall Policy node. Right click on the All Open from Local Host to Internal Access Rule and click Disable.
30. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the Configuration node and click on the Add-ins node. Right click on the RPC Filter entry in the Details Pane and click Enable.
31. Click Apply to save the changes and update the firewall policy.
32. In the ISA Server Warning dialog box, select the Save the changes and restart the services option. Click OK.
33. Click OK in the Apply New Configuration dialog box.
Note that you will not need to manually copy the enterprise CA certificate into the ISA Server 2004 firewall's Trusted Root Certification Authorities certificate store because the CA certificate is automatically installed on domain members. If the firewall were not a member of the domain, then you would need to manually place the CA certificate into the Trusted Root Certification Authorities certificate store.
The next step is to issue a computer certificate to the
18. Click Close in the Add Standalone Snap-in dialog box.
19. Click OK in the Add/Remove Snap-in dialog box.
20. In the left Pane of the console, expand the Certificates (Local Computer) and the Personal nodes. Click on the \Personal\Certificates node. Double click on the Administrator certificate in the right Pane of the console.
21. In the Certificate dialog box, click the Certification Path tab. At the top of the certificate hierarchy seen in the Certification path frame is the root CA certificate. Click the EXCHANGE2003BE certificate at the top of the list. Click View Certificate.
22. In the CA certificate's Certificate dialog box, click the Details tab. Click Copy to File.
23. Click Next in the Welcome to the Certificate Export Wizard page.
24. On the Export File Format page, select Cryptographic Message Syntax Standard – PKCS #7 Certificates (.P7B) and click Next.
25. On the File to Export page, enter c
28. Click OK in the Certificate dialog box. Click OK again in the Certificate dialog box.
29. In the left Pane of the console, expand the Trusted Root Certification Authorities node, and click the Certificates node. Right click the \Trusted Root Certification Authorities\Certificates node. Point to All Tasks and click Import.
30. Click Next on the Welcome to the Certificate Import Wizard page.
31. On the File to Import page, use the Browse button to locate the CA certificate you saved to the local hard disk and click Next.
32. On the Certificate Store page, accept the default settings and click Next.
33. On the Completing the Certificate Import Wizard page, click Finish.
34. On the Certificate Import Wizard dialog box informing you that the import was successful, click OK.
Disconnect from the
-
8/13/2019 42237707-ISA-Server-2004
129/609
!$% $erver 5667
-
8/13/2019 42237707-ISA-Server-2004
130/609
!$% $erver 5667
-
8/13/2019 42237707-ISA-Server-2004
131/609
!$% $erver 5667
-
8/13/2019 42237707-ISA-Server-2004
132/609
!$% $erver 5667
-
8/13/2019 42237707-ISA-Server-2004
133/609
!$% $erver 5667
-
8/13/2019 42237707-ISA-Server-2004
134/609
!$% $erver 5667
-
8/13/2019 42237707-ISA-Server-2004
135/609
!$% $erver 5667
-
8/13/2019 42237707-ISA-Server-2004
136/609
!$% $erver 5667
Installing and Configuring the Microsoft Internet Authentication Service
Installing the Microsoft Internet Authentication Service
Configuring the Microsoft Internet Authentication Service
Installing the WINS Server Service and Configuring the DHCP Server
Installing the WINS Service
Configuring the DHCP Service
Conclusion
Introduction
Installing ISA Server 2004
Conclusion
Introduction
Enable the
Create the Outbound L2TP/IPSec Access Rule at the Local ISA Server 2004 Firewall
Issue a certificate to the
Create the Access Rules at the Main Office
Create the
Set the Shared Password in the RRAS Console at the Main Office
Create the Remote Site at the Branch Office
Create the Network Rule at the Branch Office
Create the Access Rules at the Branch Office
Create the
Configure the Front-End ISA Server 2004 Firewall to Forward L2TP/IPSec Connections to the Back-End ISA Server 2004 Firewall/
Issue a Machine Certificate to the Back-end Firewall
Overview of the Back-to-back ISA Server 2004 Firewall Network Topology
Restore the Back-end Firewall Machine to its Post-Installation State
Install the ISA Server 2004 Firewall Software on the Front-End Firewall
Configure the Front-End ISA Server 2004 Firewall to Forward PPTP Connections to the Back-End ISA Server 2004 Firewall/
Install the Quarantine Service Listener on the ISA Server 2004 Firewall
Install the Connection Manager Administration Kit on the ISA Server 2004 Firewall
Create a Sample
Introduction
An impressive feature of ISA Server 2004 is its ability to apply firewall policy to
18. Click Apply to save the changes and update the firewall policy.
19. Click OK in the Apply New Configuration dialog box.
20. Restart the ISA Server 2004 firewall machine.
The machine will obtain a block of IP addresses from the DHCP Server on the Internal network when it restarts. Note that on a production network where the DHCP server is located on a network segment remote from the ISA Server 2004 firewall, all interposed routers will need to have BOOTP or DHCP relay enabled so that DHCP requests from the firewall can reach the remote DHCP servers.
Click Next on the Users page.
8. On the Welcome to the New Protocol Definition Wizard page, enter the name for the Protocol Definition in the Protocol definition name text box. In this example, name the protocol Direct Access (445). Click Next.
9. On the Primary Connection Information page, click New.
10. On the New/Edit Protocol Connection page, set the Protocol type to TCP. Set the Direction as Outbound. In the Port Range frame, set the From entry to 445 and the To entry to 445. Click OK.
8. On the Access Rule Sources page, click Add. In the Add Network Entities dialog box, click the Networks folder. Double click on VPN Clients. Click Close.
9. Click Next on the Access Rule Sources page.
10. On the Access Rule Destinations page, click Add. In the Add Network Entities dialog box, click the New menu. Click Computer.
11. In the New Computer Rule Element dialog box, enter the name of the computer in the Name text box. In this example, enter Web Enrollment Site. Enter the IP address of the Web enrollment site in the Computer IP Address text box. In this example, enter 10.0.0.2 into the text box. Click OK.
Introduction
Users behind your ISA Server 2004 firewall may need to use a
8. On the Access Rule Sources page, click Add. In the Add Network Entities dialog box, click the Networks folder and double click on the Internal network. Click Close.
9. Click Next on the Access Rule Sources page.
10. On the Access Rule Destinations page, click Add. In the Add Network Entities dialog box, click the Networks folder and double click on the External network. Click Close.
11. Click Next on the Access Rule Destinations page.
12. Accept the default entry, All Users, on the User Sets page. Click Next.
13. Click Finish on the Completing the New Access Rule Wizard page.
14. The PPTP Access Rule appears in the Firewall Policy list.
8. Click Add on the Primary Connection Information page.
9. In the New/Edit Protocol Connection dialog box, set the Protocol type to UDP. Set the Direction to Send Receive. In the Port Range frame, set the From entry to 4500 and the To entry to 4500. Click OK.
10. Click Next on the Primary Connection Information page.
8. Click Yes in the Potential Scripting Violation dialog box.
9. On the Certificate Issued page, click Install this certificate.
10. Click Yes on the Potential Scripting Violation page.
11. Close the browser after viewing the Certificate Installed page.
12. Click Start, and then click the Run command. Enter mmc in the Open text box, and click OK.
13. In Console1, click the File menu and the Add/Remove Snap-in command.
14. Click Add in the Add/Remove Snap-in dialog box.
15. Select Certificates in the Available Standalone Snap-ins list in the Add Standalone Snap-in dialog box. Click Add.
16. Select Computer account on the Certificates snap-in page.
17. Select Local computer on the Select Computer page.
18. Click Close in the Add Standalone Snap-in dialog box.
19. Click OK in the Add/Remove Snap-in dialog box.
20. In the left pane of the console, expand the Certificates (Local Computer) node and then expand the Personal node. Click on \Personal\Certificates. Double click on the Administrator certificate in the right pane of the console.
21. In the Certificate dialog box, click the Certification Path tab. The root CA certificate is at the top of the certificate hierarchy in the Certification path frame. Click the EXCHANGE2003BE certificate at the top of the list. Click View Certificate.
22. In the CA certificate's Certificate dialog box, click the Details tab. Click Copy to File.
23. Click Next in the Welcome to the Certificate Export Wizard page.
8. Click Yes in the Potential Scripting Violation dialog box.
9. On the Certificate Issued page, click Install this certificate.
10. Click Yes on the Potential Scripting Violation page.
11. Close the browser after viewing the Certificate Installed page.
12. Click Start, and then click the Run command. Enter mmc in the Open text box, and click OK.
13. In Console1, click the File menu, and then click Add/Remove Snap-in.
14. Click Add in the Add/Remove Snap-in dialog box.
15. Select Certificates from the Available Standalone Snap-ins list in the Add Standalone Snap-in dialog box. Click Add.
16. Select Computer account on the Certificates snap-in page.
17. Select Local computer on the Select Computer page.
18. Click Close in the Add Standalone Snap-in dialog box.
19. Click OK in the Add/Remove Snap-in dialog box.
20. In the left pane of the console, expand the Certificates (Local Computer) node, and then expand the Personal node. Click on \Personal\Certificates. Double click on the Administrator certificate in the right pane of the console.
21. In the Certificate dialog box, click the Certification Path tab. The root CA certificate is at the top of the certificate hierarchy in the Certification path frame. Click EXCHANGE2003BE at the top of the list. Click View Certificate.
22. In the CA certificate's Certificate dialog box, click the Details tab. Click Copy to File.
28. Click OK in the Certificate dialog box. Click OK again in the Certificate dialog box.
29. In the left pane of the console, expand the Trusted Root Certification Authorities node and click the Certificates node. Right click \Trusted Root Certification Authorities\Certificates, point to All Tasks and click Import.
30. Click Next on the Welcome to the Certificate Import Wizard page.
31. On the File to Import page, use the Browse button to locate the CA certificate you saved to the local hard disk and click Next.
32. On the Certificate Store page, accept the default settings and click Next.
33. Click Finish on the Completing the Certificate Import Wizard page.
34. Click OK on the Certificate Import Wizard dialog box informing you that the import was successful.
18. Click Apply to save the changes and update the firewall policy.
19. Click OK in the Apply New Configuration dialog box.
20. Restart the ISA Server 2004 firewall machine.
Introduction
In network environments where the ISA Server 2004 firewall is used as an edge firewall with an interface connected to the Internet, it is best not to join the firewall machine to the domain. This mitigates the risk of a compromised firewall machine leveraging its domain membership to attack other machines on the network.
ISA Server 2004 firewalls that are not members of the user domain must use a mechanism other than Windows authentication to identify and authenticate domain users. The ISA Server 2004 firewall can authenticate
On the Additional Information page, leave the RADIUS Standard entry in the Client-Vendor drop down list box. Your ISA Server firewall/
Click the Protocols tab. Put a checkmark in the Enable L2TP/IPSec check box.
18. Click Apply to save the changes and update the firewall policy.
19. Click OK in the Apply New Configuration dialog box.
20. Restart the ISA Server 2004 firewall machine and log on as Administrator.
Introduction
In network environments where the ISA Server 2004 firewall is used as an edge firewall with an interface connected to the Internet, it is best not to join the firewall machine to the domain. This mitigates the risk of a compromised firewall machine leveraging its domain membership to attack other machines on the network.
ISA Server 2004 firewalls that are not members of the user domain must use a mechanism other than Windows authentication to identify and authenticate domain users. The ISA Server 2004 firewall can authenticate
Click the Protocols tab. Put a checkmark in the Enable L2TP/IPSec check box.
18. Click Apply in the Virtual Private Networks (VPN) Properties dialog box. Click OK in the ISA Server 2004 dialog box informing you that the Routing and Remote Access Service may restart. Click OK in the Virtual Private Networks (VPN) Properties dialog box.
19. Click Apply to save the changes and update the firewall policy.
20. Click OK in the Apply New Configuration dialog box.
21. Restart the ISA Server 2004 firewall machine and log on as Administrator.
28. In the left pane of the console, expand the Trusted Root Certification Authorities node and click Certificates. Right click \Trusted Root Certification Authorities\Certificates, point to All Tasks and click Import.
29. Click Next on the Welcome to the Certificate Import Wizard page.
30. On the File to Import page, use the Browse button to locate the CA certificate you saved to the local hard disk, and click Next.
31. On the Certificate Store page, accept the default settings and click Next.
32. Click Finish on the Completing the Certificate Import Wizard page.
33. Click OK on the Certificate Import Wizard dialog box informing you that the import was successful.
Note that you will not need to manually copy the enterprise CA certificate into the ISA Server 2004 firewall's Trusted Root Certification Authorities certificate store because the CA certificate is automatically installed on domain members. If the firewall were not a member of the domain, you would need to manually place the CA certificate into the Trusted Root Certification Authorities certificate store.
18. Click OK in the Add/Remove Snap-in dialog box.
19. In the left pane of the console, expand the Certificates (Local Computer) node and then expand the Personal node. Click on \Personal\Certificates. Double click on the Administrator certificate in the right pane of the console.
20. In the Certificate dialog box, click the Certification Path tab. The root CA certificate is at the top of the certificate hierarchy seen in the Certification path frame. Click EXCHANGE2003BE at the top of the list. Click View Certificate.
21. In the CA certificate's Certificate dialog box, click Details. Click Copy to File.
22. Click Next in the Welcome to the Certificate Export Wizard page.
23. On the Export File Format page, select Cryptographic Message Syntax Standard - PKCS #7 Certificates (.P7B) and click Next.
24. On the File to Export page, enter c
8. A Connect VPN dialog box appears that contains the name on the user certificate you obtained from the CA. Click OK.
9. Click OK in the Connection Complete dialog box informing you that the connection is established.
10. Double click on the connection icon in the system tray.
11. In the ISA VPN Status dialog box, click Details. You will see an entry for IPSEC Encryption, indicating that the L2TP/IPSec connection was successful.
Installing and Configuring the Microsoft Internet Authentication Service
Installing the Microsoft Internet Authentication Service
Configuring the Microsoft Internet Authentication Service
Installing the WINS Server Service and Configuring the DHCP Server
Installing the WINS Service
Configuring the DHCP Service
Conclusion
Introduction
Installing ISA Server 2004
Conclusion
Introduction
Enable the
Create the Outbound L2TP/IPSec Access Rule at the Local ISA Server 2004 Firewall
Issue a certificate to the
Create the Access Rules at the Main Office
Create the
Set the Shared Password in the RRAS Console at the Main Office
Create the Remote Site at the Branch Office
Create the Network Rule at the Branch Office
Create the Access Rules at the Branch Office
Create the
Configure the Front-End ISA Server 2004 Firewall to Forward L2TP/IPSec Connections to the Back-End ISA Server 2004 Firewall
Issue a Machine Certificate to the Back-end Firewall
Overview of the Back-to-back ISA Server 2004 Firewall Network Topology
Restore the Back-end Firewall Machine to its Post-Installation State
Install the ISA Server 2004 Firewall Software on the Front-End Firewall
Configure the Front-End ISA Server 2004 Firewall to Forward PPTP Connections to the Back-End ISA Server 2004 Firewall
Install the Quarantine Service Listener on the ISA Server 2004 Firewall
Install the Connection Manager Administration Kit on the ISA Server 2004 Firewall
Create a Sample
Introduction
A primary reason to set up a
Accept the default settings in the DHCP Relay Properties - Internet Properties dialog box and click OK.
The DHCP server and DHCP Relay Agent are now ready to use. You can connect your
8. Notice on the bottom of the System Properties dialog box the comment, Changes will take effect after you restart this computer. Click OK.
9. Click Yes in the System Settings Change dialog box. This will restart the computer.
10. Log off and then log on again. This time log on with your domain account. Confirm that you are logging on to the domain by confirming that the domain appears in the Log on to drop down list box. Use a domain username and password. These credentials log you
8. Right click My Computer on the desktop and click Properties.
9. Click the Network Identification tab. We need to now add the msfirewall.org domain name to this computer's name. Click Properties.
10. On the Identification Changes dialog box, click More.
Introduction
A site-to-site
8. Click Yes in the Potential Scripting Violation dialog box.
9. On the Certificate Issued page, click Install this certificate.
10. Click Yes on the Potential Scripting Violation page.
11. Close the browser after viewing the Certificate Installed page.
12. Click Start/Run. Enter mmc in the Open text box, and click OK.
13. In Console1, click the File menu, and then click Add/Remove Snap-in.
14. Click Add in the Add/Remove Snap-in dialog box.
15. Select the Certificates entry in the Available Standalone Snap-ins list in the Add Standalone Snap-in dialog box. Click Add.
16. Select Computer account on the Certificates snap-in page.
17. Select Local computer on the Select Computer page.
18. Click Close in the Add Standalone Snap-in dialog box.
19. Click OK in the Add/Remove Snap-in dialog box.
20. In the left pane of the console, expand Certificates (Local Computer), and then expand Personal. Click on \Personal\Certificates. Double click on the Administrator certificate in the right pane of the console.
21. In the Certificate dialog box, click the Certification Path tab. The root CA certificate is at the top of the certificate hierarchy seen in the Certification path frame. Click the CAN#200%7 certificate at the top of the list. Click View Certificate.