42237707-isa-server-2004

Upload: moscra

Post on 04-Jun-2018


  • 8/13/2019 42237707-ISA-Server-2004

    1/609

    ISA Server 2004 VPN Deployment Kit: Table of Contents

    For the latest information, please see http://www.microsoft.com/isaserver/


    Contents:

    Chapter 1: ISA Server 2004 and VPN Networking

    Chapter 2: How to Use the Guide

    Chapter 3: Installing ISA Server 2004 on Windows Server 2003

    Chapter 4: Configuring the ISA Server 2004 Firewall as a VPN Server

    Chapter 5: Creating Access Policy for VPN Clients

    Chapter 6: Configuring the ISA Server 2004 Firewall for Outbound PPTP and L2TP/IPSec Access

    Chapter 7: Configuring Windows Server 2003 RADIUS Support for VPN Clients - Including Support for EAP-TLS Authentication

    Chapter 8: Configuring the VPN Client and ISA Server 2004 VPN Server to Support Certificate-Based PPTP EAP-TLS Authentication

    Chapter 9: Enabling Network Browsing for ISA Server 2004 VPN Clients

    Chapter 10: Creating PPTP and L2TP/IPSec Site-to-Site VPNs with ISA Server 2004 Firewalls

    Chapter 11: Creating a Site-to-Site VPN with ISA Server 2004 at Local and Remote Sites using IPSec Tunnel Mode

    Chapter 12: Allowing Inbound L2TP/IPSec NAT Traversal Connections through a Back-to-Back ISA Server 2004 Server DMZ

    Chapter 13: Allowing Inbound PPTP Connections through a Back-to-Back ISA Server 2004 Server Perimeter Network

    Chapter 14: Configuring VPN Quarantine


    This is a preliminary document and may be changed substantially prior to final commercial release of the software described herein.

    The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

    This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.

    Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

    Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

    © 2004 Microsoft Corporation. All rights reserved.

    The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

    Microsoft, Windows, Windows 2000, Windows 2000 Server, Windows Server 2003, Windows Server System, ISA Server, and ISA Server 2004 are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

    The names of actual companies and products mentioned herein may be the trademarks of their respective owners.


    ISA Server 2004 VPN Deployment Kit: ISA Server 2004 and VPN Networking (Chapter 1)


    Installing and Configuring the Microsoft Internet Authentication Service

    Installing the Microsoft Internet Authentication Service

    Configuring the Microsoft Internet Authentication Service

    Installing the WINS Server Service and Configuring the DHCP Server

    Installing the WINS Service

    Configuring the DHCP Service

    Conclusion

    Introduction

    Installing ISA Server 2004

    Conclusion

    Introduction

    Enable the

    Create the Outbound L2TP/IPSec Access Rule at the Local ISA Server 2004 Firewall

    Issue a certificate to the

    Create the Access Rules at the Main Office

    Create the

    Set the Shared Password in the RRAS Console at the Main Office

    Create the Remote Site at the Branch Office

    Create the Network Rule at the Branch Office

    Create the Access Rules at the Branch Office

    Create the

    Configure the Front-End ISA Server 2004 Firewall to Forward L2TP/IPSec Connections to the Back-End ISA Server 2004 Firewall

    Issue a Machine Certificate to the Back-end Firewall

    Overview of the Back-to-back ISA Server 2004 Firewall Network Topology

    Restore the Back-end Firewall Machine to its Post-Installation State

    Install the ISA Server 2004 Firewall Software on the Front-End Firewall

    Configure the Front-End ISA Server 2004 Firewall to Forward PPTP Connections to the Back-End ISA Server 2004 Firewall

    Install the Quarantine Service Listener on the ISA Server 2004 Firewall

    Install the Connection Manager Administration Kit on the ISA Server 2004 Firewall

    Create a Sample


    Introduction

    Welcome to the ISA Server 2004 VPN Deployment Kit! This kit was designed to help you with putting together a working


    8. The DNS server sends a request for the IP address of http://www.example.microsoft.com/ to the example.microsoft.com DNS server.

    9. The example.microsoft.com DNS server sends the IP address of DNS host http://www.example.microsoft.com/ to the DNS server. The DNS server places this result in its DNS cache.

    10. The DNS server returns the result to the DNS client on the internal network.


    18. Click OK in the Advanced TCP/IP Settings dialog box.

    19. Click OK in the Internet Protocol (TCP/IP) Properties dialog box.

    20. Click Next on the Networking Components page.

    21. Accept the default selection on the Workgroup or Computer Domain page. We will later make this machine a domain controller, and the machine will be a member of the domain we create at that time. Click Next.

    22. Installation continues and when it finishes, the computer will restart automatically.

    23. Log on to the Windows Server 2003 using the password you created for the Administrator account.

    24. On the Manage Your Server page, put a checkmark in the Don't display this page at logon checkbox and close the window.

    Install and Configure DNS

    The next step is to install the Domain Naming System (DNS) server on the machine that will be the domain controller. This is required because the Active Directory requires a DNS


    Introduction

    In this ISA Server 2004 VPN Deployment Kit document, you will install the ISA Server 2004 software onto the Windows Server 2003 computer installed and configured in Chapter 2.

    There are only a few decisions you will need to make while installing ISA Server 2004 software. The most important configuration made during installation is the Internal network IP address range(s). Unlike ISA Server 2000, ISA Server 2004 does not use a Local Address Table (LAT) to define trusted and untrusted networks. Instead, the ISA Server 2004 firewall asks for IP addresses defining a network entity known as the Internal network. The Internal network contains important network servers and services such as Active Directory domain controllers, DNS, WINS, RADIUS, DHCP, firewall management stations, and others. The ISA Server 2004 firewall communicates with these services immediately after installation is complete.

    The firewall's System Policy controls communications between the Internal network and the ISA Server 2004 firewall. The System Policy is a collection of pre-defined Access Rules determining the type of traffic allowed to and from the firewall immediately after installation. The System Policy is configurable, which enables you to control the limits of the default System Policy Access Rules.

    In this document we will discuss the following procedures:

    Installing ISA Server 2004 on Windows Server 2003


    18. Click Yes in the Microsoft ISA Server dialog box informing you that the machine must be restarted.

    19. Log on as Administrator after the machine restarts.


    8 | Allow DHCP requests from ISA Server to all networks | Allow | DHCP (request) | Local Host | Anywhere | All Users

    9 | Allow DHCP replies from DHCP servers to ISA Server | Allow | DHCP (reply) | Anywhere | Local Host | All Users

    10 | Allow ICMP (PING) requests from selected computers to ISA Server | Allow | Ping | Remote Management Computers | Local Host | All Users

    11 | Allow ICMP requests from ISA Server to selected servers | Allow | ICMP Information Request, ICMP Timestamp, Ping | Local Host | All Networks | All Users

    12 [note 1] | Allow

    18 | Allow HTTP/HTTPS requests from ISA Server to selected servers for HTTP connectivity verifiers | Allow | HTTP, HTTPS | Local Host | All Networks | All Users

    19 [note 7] | Allow access from trusted computers to the Firewall Client installation share on ISA Server | Allow | Microsoft CIFS (TCP), Microsoft CIFS (UDP), NetBIOS Datagram, NetBIOS Name Service, NetBIOS Session | Internal | Local Host | All Users

    20 [note 9] | Allow remote performance monitoring of ISA Server from trusted servers | Allow | NetBIOS Datagram, NetBIOS Name Service, NetBIOS Session | Remote Management Computers | Local Host | All Users

    21 | Allow NetBIOS from ISA Server to trusted servers | Allow | NetBIOS Datagram, NetBIOS Name Service, NetBIOS Session | Local Host | Internal | All Users

    22 | Allow RPC from ISA Server to trusted servers | Allow | RPC (all interfaces) | Local Host | Internal | All Users

    23 | Allow HTTP/HTTPS from ISA Server to specified Microsoft Error Reporting sites | Allow | HTTP, HTTPS | Local Host | Microsoft Error Reporting sites | All Users

    28 | Allow SMTP from ISA Server to trusted servers | Allow | SMTP | Local Host | Internal | All Users

    29 | Allow HTTP from ISA Server to selected computers for Content Download Jobs | Allow | HTTP | Local Host | All Networks | System and Network Service

    [note 1] This policy is disabled until the


    Introduction

    The ISA Server 2004 firewall can be configured as a


    8. In the Select Groups dialog box, click the Locations button. In the Locations dialog box, click the msfirewall.org entry and click OK.

    9. In the Select Group dialog box, enter Domain Users in the Enter the object names to select text box. Click the Check Names button. The group name will be underlined when it is found in the Active Directory. Click OK.


    18. Click Apply to save the changes and update the firewall policy.

    19. Click OK in the Apply New Configuration dialog box.

    20. Restart the ISA Server 2004 firewall machine.

    The machine will obtain a block of IP addresses from the DHCP Server on the Internal network when it restarts. Note that on a production network where the DHCP server is located on a network segment remote from the ISA Server 2004 firewall, all interposed routers will need to have BOOTP or DHCP relay enabled so that DHCP requests from the firewall can reach the remote DHCP servers.


    28. Click OK in the dialog box informing you that the certificate request was successful.

    29. Return to the Microsoft Internet Security and Acceleration Server 2004 management console and expand the computer name in the left pane and click on the Firewall Policy node. Right click on the All Open from Local Host to Internal Access Rule and click Disable.

    30. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the Configuration node and click on the Add-ins node. Right click on the RPC Filter entry in the Details Pane and click Enable.

    31. Click Apply to save the changes and update the firewall policy.

    32. In the ISA Server Warning dialog box, select the Save the changes and restart the services option. Click OK.

    33. Click OK in the Apply New Configuration dialog box.

    Note that you will not need to manually copy the enterprise CA certificate into the ISA Server 2004 firewall's Trusted Root Certification Authorities certificate store because the CA certificate is automatically installed on domain members. If the firewall were not a member of the domain, then you would need to manually place the CA certificate into the Trusted Root Certification Authorities certificate store.

    The next step is to issue a computer certificate to the


    18. Click Close in the Add Standalone Snap-in dialog box.

    19. Click OK in the Add/Remove Snap-in dialog box.

    20. In the left Pane of the console, expand the Certificates (Local Computer) and the Personal nodes. Click on the \Personal\Certificates node. Double click on the Administrator certificate in the right Pane of the console.

    21. In the Certificate dialog box, click the Certification Path tab. At the top of the certificate hierarchy seen in the Certification path frame is the root CA certificate. Click the CAN#200%7 certificate at the top of the list. Click View Certificate.

    22. In the CA certificate's Certificate dialog box, click the Details tab. Click Copy to File.

    23. Click Next in the Welcome to the Certificate Export Wizard page.

    24. On the Export File Format page, select Cryptographic Message Syntax Standard - PKCS #7 Certificates (.P7B) and click Next.

    25. On the File to Export page, enter c


    28. Click OK in the Certificate dialog box. Click OK again in the Certificate dialog box.

    29. In the left Pane of the console, expand the Trusted Root Certification Authorities node, and click the Certificates node. Right click the \Trusted Root Certification Authorities\Certificates node. Point to All Tasks and click Import.

    30. Click Next on the Welcome to the Certificate Import Wizard page.

    31. On the File to Import page, use the Browse button to locate the CA certificate you saved to the local hard disk and click Next.

    32. On the Certificate Store page, accept the default settings and click Next.

    33. On the Completing the Certificate Import Wizard page, click Finish.

    34. On the Certificate Import Wizard dialog box informing you that the import was successful, click OK.

    Disconnect from the


    Installing and Configuring the Microsoft Internet Authentication Service

    Installing the Microsoft Internet Authentication Service

    Configuring the Microsoft Internet Authentication Service

    Installing the WINS Server Service and Configuring the DHCP Server

    Installing the WINS Service

    Configuring the DHCP Service

    Conclusion

    Introduction

    Installing ISA Server 2004

    Conclusion

    Introduction

    Enable the

    Create the Outbound L2TP/IPSec Access Rule at the Local ISA Server 2004 Firewall

    Issue a certificate to the

    Create the Access Rules at the Main Office

    Create the

    Set the Shared Password in the RRAS Console at the Main Office

    Create the Remote Site at the Branch Office

    Create the Network Rule at the Branch Office

    Create the Access Rules at the Branch Office

    Create the

    Configure the Front-End ISA Server 2004 Firewall to Forward L2TP/IPSec Connections to the Back-End ISA Server 2004 Firewall/

    Issue a Machine Certificate to the Back-end Firewall

    Overview of the Back-to-back ISA Server 2004 Firewall Network Topology

    Restore the Back-end Firewall Machine to its Post-Installation State

    Install the ISA Server 2004 Firewall Software on the Front-End Firewall

    Configure the Front-End ISA Server 2004 Firewall to Forward PPTP Connections to the Back-End ISA Server 2004 Firewall/

    Install the Quarantine Service Listener on the ISA Server 2004 Firewall

    Install the Connection Manager Administration Kit on the ISA Server 2004 Firewall

    Create a Sample


    Introduction

    An impressive feature of ISA Server 2004 is its ability to apply firewall policy to


    18. Click Apply to save the changes and update the firewall policy.

    19. Click OK in the Apply New Configuration dialog box.

    20. Restart the ISA Server 2004 firewall machine.

    The machine will obtain a block of IP addresses from the DHCP Server on the Internal network when it restarts. Note that on a production network where the DHCP server is located on a network segment remote from the ISA Server 2004 firewall, all interposed routers will need to have BOOTP or DHCP relay enabled so that DHCP requests from the firewall can reach the remote DHCP servers.


    Click Next on the Users page.


    8. On the Welcome to the New Protocol Definition Wizard page, enter the name for the Protocol Definition in the Protocol definition name text box. In this example, name the protocol Direct Access (445). Click Next.

    9. On the Primary Connection Information page, click New.

    10. On the New/Edit Protocol Connection page, set the Protocol type to TCP. Set the Direction as Outbound. In the Port Range frame, set the From entry to 445 and the To entry to 445. Click OK.


    8. On the Access Rule Sources page, click Add. In the Add Network Entities dialog box, click the Networks folder. Double click on VPN Clients. Click Close.

    9. Click Next on the Access Rule Sources page.

    10. On the Access Rule Destinations page, click Add. In the Add Network Entities dialog box, click the New menu. Click Computer.

    11. In the New Computer Rule Element dialog box, enter the name of the computer in the Name text box. In this example, enter Web Enrollment Site. Enter the IP address of the Web enrollment site in the Computer IP Address text box. In this example, enter 10.0.0.2 into the text box. Click OK.


    Introduction

    Users behind your ISA Server 2004 firewall may need to use a


    8. On the Access Rule Sources page, click Add. In the Add Network Entities dialog box, click the Networks folder and double click on the Internal network. Click Close.

    9. Click Next on the Access Rule Sources page.

    10. On the Access Rule Destinations page, click Add. In the Add Network Entities dialog box, click the Networks folder and double click on the External network. Click Close.

    11. Click Next on the Access Rule Destinations page.

    12. Accept the default entry, All Users, on the User Sets page. Click Next.

    13. Click Finish on the Completing the New Access Rule Wizard page.

    14. The PPTP Access Rule appears in the Firewall Policy list.


    8. Click Add on the Primary Connection Information page.

    9. In the New/Edit Protocol Connection dialog box, set the Protocol type to UDP. Set the Direction to Send Receive. In the Port Range frame, set the From entry to 4500 and the To entry to 4500. Click OK.

    10. Click Next on the Primary Connection Information page.


    8. Click Yes in the Potential Scripting Violation dialog box.

    9. On the Certificate Issued page, click Install this certificate.

    10. Click Yes on the Potential Scripting Violation page.

    11. Close the browser after viewing the Certificate Installed page.

    12. Click Start, and then click the Run command. Enter mmc in the Open text box, and click OK.

    13. In Console1, click the File menu and the Add/Remove Snap-in command.

    14. Click Add in the Add/Remove Snap-in dialog box.

    15. Select Certificates in the Available Standalone Snap-ins list in the Add Standalone Snap-in dialog box. Click Add.

    16. Select Computer account on the Certificates snap-in page.

    17. Select Local computer on the Select Computer page.

    18. Click Close in the Add Standalone Snap-in dialog box.

    19. Click OK in the Add/Remove Snap-in dialog box.

    20. In the left Pane of the console, expand the Certificates (Local Computer) node and then expand the Personal node. Click on \Personal\Certificates. Double click on the Administrator certificate in the right Pane of the console.

    21. In the Certificate dialog box, click the Certification Path tab. The root CA certificate is at the top of the certificate hierarchy in the Certification path frame. Click the CAN#200%7 certificate at the top of the list. Click View Certificate.

    22. In the CA certificate's Certificate dialog box, click the Details tab. Click Copy to File.

    23. Click Next in the Welcome to the Certificate Export Wizard page.


    8. Click Yes in the Potential Scripting Violation dialog box.

    9. On the Certificate Issued page, click Install this certificate.

    10. Click Yes on the Potential Scripting Violation page.

    11. Close the browser after viewing the Certificate Installed page.

    12. Click Start, and then click the Run command. Enter mmc in the Open text box, and click OK.

    13. In Console1, click the File menu, and then click Add/Remove Snap-in.

    14. Click Add in the Add/Remove Snap-in dialog box.

    15. Select Certificates from the Available Standalone Snap-ins list in the Add Standalone Snap-in dialog box. Click Add.

    16. Select Computer account on the Certificates snap-in page.

    17. Select Local computer on the Select Computer page.

    18. Click Close in the Add Standalone Snap-in dialog box.

    19. Click OK in the Add/Remove Snap-in dialog box.

    20. In the left Pane of the console, expand the Certificates (Local Computer) node, and then expand the Personal node. Click on \Personal\Certificates. Double click on the Administrator certificate in the right Pane of the console.

    21. In the Certificate dialog box, click the Certification Path tab. The root CA certificate is at the top of the certificate hierarchy in the Certification path frame. Click CAN#200%7 at the top of the list. Click View Certificate.

    22. In the CA certificate's Certificate dialog box, click the Details tab. Click Copy to File.


    28. Click OK in the Certificate dialog box. Click OK again in the Certificate dialog box.

    29. In the left Pane of the console, expand the Trusted Root Certification Authorities node and click the Certificates node. Right click \Trusted Root Certification Authorities\Certificates, point to All Tasks and click Import.

    30. Click Next on the Welcome to the Certificate Import Wizard page.

    31. On the File to Import page, use the Browse button to locate the CA certificate you saved to the local hard disk and click Next.

    32. On the Certificate Store page, accept the default settings and click Next.

    33. Click Finish on the Completing the Certificate Import Wizard page.

    34. Click OK on the Certificate Import Wizard dialog box informing you that the import was successful.


    18. Click Apply to save the changes and update the firewall policy.

    19. Click OK in the Apply New Configuration dialog box.

    20. Restart the ISA Server 2004 firewall machine.


    Introduction

    In network environments where the ISA Server 2004 firewall is used as an edge firewall with an interface connected to the Internet, it is best to not join the firewall machine to the domain. This mitigates the risk of a compromised machine leveraging its domain members to attack other machines on the network.

    ISA Server 2004 firewalls that are not members of the user domain must use a mechanism other than Windows authentication to identify and authenticate domain users. The ISA Server 2004 firewall can authenticate


    On the Additional Information page, leave the RADIUS Standard entry in the Client-Vendor drop down list box. Your ISA Server firewall/


    Click the Protocols tab. Put a checkmark in the Enable L2TP/IPSec check box.


    18. Click Apply to save the changes and update the firewall policy.

    19. Click OK in the Apply New Configuration dialog box.

    20. Restart the ISA Server 2004 firewall machine and log on as Administrator.


    Introduction

    In network environments where the ISA Server 2004 firewall is used as an edge firewall with an interface connected to the Internet, it is best to not join the firewall machine to the domain.

    This mitigates the risk of a compromised machine from leveraging its domain members to attack other machines on the network.

    ISA Server 2004 firewalls that are not members of the user domain must use a mechanism other than Windows authentication to identify and authenticate domain users. The ISA Server 2004 firewall can authenticate


    Click the Protocols tab. Put a checkmark in the Enable L2TP/IPSec check box.


    18. Click Apply in the Virtual Private Networks (VPN) Properties dialog box. Click OK in the ISA Server 2004 dialog box informing you that the Routing and Remote Access Service may restart. Click OK in the Virtual Private Networks (VPN) Properties dialog box.

    19. Click Apply to save the changes and update the firewall policy.

    20. Click OK in the Apply New Configuration dialog box.

    21. Restart the ISA Server 2004 firewall machine and log on as Administrator.


    28. In the left pane of the console, expand the Trusted Root Certification Authorities node and click Certificates. Right click \Trusted Root Certification Authorities\Certificates, point to All Tasks and click Import.

    29. Click Next on the Welcome to the Certificate Import Wizard page.

    30. On the File to Import page, use the Browse button to locate the CA certificate you saved to the local hard disk, and click Next.

    31. On the Certificate Store page, accept the default settings and click Next.

    32. Click Finish on the Completing the Certificate Import Wizard page.

    33. Click OK on the Certificate Import Wizard dialog box informing you that the import was successful.

    Note that you will not need to manually copy the enterprise CA certificate into the ISA Server 2004 firewall's Trusted Root Certification Authorities certificate store because the CA certificate is automatically installed on domain members. If the firewall were not a member of the domain, you would need to manually place the CA certificate into the Trusted Root Certification Authorities certificate store.


    18. Click OK in the Add/Remove Snap-in dialog box.

    19. In the left pane of the console, expand the Certificates (Local Computer) node and then expand the Personal node. Click on \Personal\Certificates. Double click on the Administrator certificate in the right pane of the console.

    20. In the Certificate dialog box, click the Certification Path tab. The root CA certificate is at the top of the certificate hierarchy seen in the Certification path frame. Click CAN#200%7 at the top of the list. Click View Certificate.

    21. In the CA certificate's Certificate dialog box, click Details. Click Copy to File.

    22. Click Next in the Welcome to the Certificate Export Wizard page.

    23. On the Export File Format page, select Cryptographic Message Syntax Standard - PKCS #7 Certificates (.P7B) and click Next.

    24. On the File to Export page, enter c


    8. A Connect VPN dialog box appears that contains the name on the user certificate you obtained from the CA. Click OK.

    9. Click OK in the Connection Complete dialog box informing you that the connection is established.

    10. Double click on the connection icon in the system tray.

    11. In the ISA VPN Status dialog box, click Details. You will see an entry for IPSEC Encryption, indicating that the L2TP/IPSec connection was successful.


    Introduction

    A primary reason to setup a


    Accept the default settings in the DHCP Relay Properties - Internet Properties dialog box and click OK.

    The DHCP server and DHCP Relay Agent are now ready to use. You can connect your


    8. Notice on the bottom of the System Properties dialog box the comment, Changes will take effect after you restart this computer. Click OK.

    9. Click Yes in the System Settings Change dialog box. This will restart the computer.

    10. Log off and then log on again. This time log on with your domain account. Confirm that you are logging on to the domain by confirming that the domain appears in the Log on to drop down list box. Use a domain username and password. These credentials log you


    8. Right click My Computer on the desktop and click Properties.

    9. Click the Network Identification tab. We need to now add the msfirewall.org domain name to this computer's name. Click Properties.

    10. On the Identification Changes dialog box, click More.


    Introduction

    A site-to-site


    8. Click Yes in the Potential Scripting Violation dialog box.

    9. On the Certificate Issued page, click Install this certificate.

    10. Click Yes on the Potential Scripting Violation page.

    11. Close the browser after viewing the Certificate Installed page.

    12. Click Start, then Run. Enter mmc in the Open text box, and click OK.

    13. In Console1, click the File menu, and then click Add/Remove Snap-in.

    14. Click Add in the Add/Remove Snap-in dialog box.

    15. Select the Certificates entry in the Available Standalone Snap-ins list in the Add Standalone Snap-in dialog box. Click Add.

    16. Select Computer account on the Certificates snap-in page.

    17. Select Local computer on the Select Computer page.

    18. Click Close in the Add Standalone Snap-in dialog box.

    19. Click OK in the Add/Remove Snap-in dialog box.

    20. In the left pane of the console, expand Certificates (Local Computer), and then expand Personal. Click on \Personal\Certificates. Double click on the Administrator certificate in the right pane of the console.

    21. In the Certificate dialog box, click the Certification Path tab. The root CA certificate is at the top of the certificate hierarchy seen in the Certification path frame. Click the CAN#200%7 certificate at the top of the list. Click View Certificate.
