Configuring Access to Internal Resources
DESCRIPTION
Slide deck on ISA Server publishing: making internal servers (Web, mail, file) reachable from the Internet through Web and server publishing rules, the added exposure this creates, and the listener, DNS, authentication and SSL settings involved. Slide transcript follows.
1
Configuring Access to Internal Resources
2
What is ISA server publishing?
• Publish internal servers to the Internet, so that users on the Internet can access those internal resources
• Making internal resources accessible to the Internet increases the security risks for the organization.
• ISA Server uses Web publishing rules and server publishing rules to publish internal network resources to the Internet
3
What is ISA server publishing?
Diagram: a Client on the Internet and a Remote User reaching the organization's Web Server, Mail Server and File Server.
4
What is ISA server publishing?
Diagram: Web Server, Mail Server and File Server on the Internal Network, with the ISA server placed between them and the Internet.
Using a perimeter network provides an additional layer of security.
5
What Are Web Publishing Rules?
• Make Web sites on protected networks available to users on other networks, such as the Internet
• A Web publishing rule is a firewall rule that specifies how ISA Server will route incoming requests to internal Web servers
• Web Publishing is sometimes referred to as “reverse proxying”: the client connects to ISA Server, which opens its own connection to the internal Web server, so the internal server is never directly reachable from the Internet.
6
What do Web publishing rules provide?
• Access to Web servers running the HTTP protocol
• HTTP application-layer filtering
• Path mapping
• User authentication
• Content caching
• Support for publishing multiple Web sites using a single IP address
• Link translation
7
What Are Server Publishing Rules
• Web publishing and secure Web publishing rules can grant access only to Web servers using HTTP or HTTPS.
• To grant access to internal resources using any other protocol (such as the mail and file servers shown earlier), you must configure server publishing rules.
8
What do Server publishing rules provide?
• Access to multiple protocols
• Application-layer filtering for specified protocols
• Support for encryption
• IP address logging for the client computer
9
Considerations for Configuring DNS for Web and Server Publishing
Diagram: Web Server on the Internal Network with IP address 172.16.10.1; ISA server with external IP address 131.107.1.1; clients request http://isalab.com.
A split DNS uses two different DNS servers with the same DNS domain name to provide name resolution for internally and externally accessible resources: the external DNS resolves isalab.com to the ISA server's external address (131.107.1.1), while the internal DNS resolves the same name to the Web server itself (172.16.10.1), so internal clients are not routed out through the firewall and back in.
10
Configuring Web Publishing Rules
• Web Listener
• Non-SSL Web Publishing Rules
• SSL Web Publishing Rules
11
Web Listener
• Web listeners are used by Web and secure Web publishing rules
• A Web listener is an ISA Server configuration object that defines how the ISA Server computer listens for HTTP requests and SSL requests
• All incoming Web requests must be received by a Web listener
• A Web listener may be used in multiple Web publishing rules
12
Web Listener
Diagram: the Web listener is bound to the ISA server's external IP address 131.107.1.1 and receives the requests for http://isalab.com; the Web publishing rule then forwards them to the Web Server at IP address 172.16.10.1 on the Internal Network.
13
How to Configure Web Listeners
• Network
• Port numbers
• Client authentication methods
• Client Connection Settings
14
Network
If you have multiple network adapters or multiple IP addresses, select the network and the specific IP address(es) on which the listener accepts connections.
15
Port numbers
By default, the Web listener listens for HTTP requests on port 80 (and for SSL requests on port 443).
16
How to Configure Web Listeners
A Web listener “listens” on an interface or IP address that you choose for incoming connections to the port you define.
17
Configuring Non-SSL Web Publishing Rules
18
Configuring Non-SSL Web Publishing Rules
• The Rule Action Page (Allow or Deny)
19
Configuring Non-SSL Web Publishing Rules
• Publishing Type Page
– Publish a single Web site or load balancer
– Publish a server farm of load balanced Web Servers
– Publish multiple Web sites
20
Configuring Non-SSL Web Publishing Rules
• The Server Connection Security Page: whether ISA Server connects to the published Web server over SSL (HTTPS) or over a non-secured (HTTP) connection
21
Configuring Non-SSL Web Publishing Rules
• The Internal Publishing Details Page:
– Internal Site Name
– Computer name or IP address
22
Configuring Non-SSL Web Publishing Rules
• The Internal Publishing Details Page:
– Path Name
– Forward the original host header instead of the actual one (needed when the internal server selects the site by host header; otherwise ISA Server sends the internal site name)
23
Configuring Non-SSL Web Publishing Rules
• The Public Name Details Page
– Accept requests for
– Public Name
– Path (optional)
24
Configuring Non-SSL Web Publishing Rules
• The Select Web Listener Page and Creating an HTTP Web Listener:
– Edit
– New
25
Configuring Non-SSL Web Publishing Rules
• The Authentication Settings Page
26
Web Listener Authentication Methods
• Basic
• Digest
• Integrated
• RADIUS
• RADIUS OTP
• SecurID
• OWA Forms-based
• Forms-Based Authentication
• SSL Certificate
Basic and forms-based authentication carry the password in a form the network can read, so they belong on an SSL listener only.
27
Configuring Non-SSL Web Publishing Rules
• The Single Sign on Settings Page
28
Configuring Non-SSL Web Publishing Rules
• The Authentication Delegation Page: how ISA Server passes the credentials it validated on the listener on to the published server (no delegation, Basic, NTLM, Negotiate, Kerberos constrained delegation)
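The wizard pages above set the pieces ISA Server evaluates for every request a Web listener receives. The following is an added example, not ISA Server code and not from the slides: it models that evaluation in plain Python. The `WebListener`, `WebPublishingRule` and `Request` structures, the field names, the constructed sample rules and requests, and the use of the slides' isalab.com / 131.107.1.1 / 172.16.10.1 addresses are all assumptions for illustration. It shows listener matching, public name and path matching, HTTP method filtering, the authentication requirement, path mapping, the host header option, and link translation.

```python
"""Model of how a Web publishing rule handles a request received by a Web listener.
Added example: not ISA Server code; structures and sample data are assumed."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class WebListener:
    network: str                 # network the listener belongs to, e.g. "External"
    ip: str                      # address it listens on (slides: 131.107.1.1)
    port: int = 80               # default HTTP port
    auth_methods: tuple = ()     # challenge offered to unauthenticated clients


@dataclass
class WebPublishingRule:
    name: str
    listener: WebListener
    public_names: tuple          # "Accept requests for" these public names
    public_path: str             # public path, e.g. "/*" or "/portal/*"
    internal_site: str           # computer name or IP of the published server
    internal_path: str = "/*"    # path mapping target on the internal server
    forward_original_host: bool = False
    require_auth: bool = False   # rule applies to authenticated users only
    allowed_methods: tuple = ("GET", "HEAD", "POST")  # HTTP application filter
    action: str = "allow"        # Rule Action page: "allow" or "deny"


@dataclass
class Request:
    dst_ip: str
    dst_port: int
    method: str
    host: str                    # Host header sent by the client
    path: str
    user: Optional[str] = None   # set once the listener has authenticated the client


def _prefix(pattern: str) -> str:
    """'/portal/*' -> '/portal/', '/*' -> '/', an exact path is returned unchanged."""
    return pattern[:-1] if pattern.endswith("*") else pattern


def _path_matches(pattern: str, path: str) -> bool:
    return path.startswith(_prefix(pattern)) if pattern.endswith("*") else path == pattern


def route(req: Request, rules: list) -> dict:
    """Evaluate rules in order; the first rule whose listener, public name and path match decides."""
    for rule in rules:
        lst = rule.listener
        if (req.dst_ip, req.dst_port) != (lst.ip, lst.port):
            continue                                   # not received by this rule's listener
        names = tuple(n.lower() for n in rule.public_names)
        if req.host.lower() not in names or not _path_matches(rule.public_path, req.path):
            continue                                   # public name / path do not match
        if rule.action != "allow":
            return {"action": "deny", "rule": rule.name, "reason": "deny rule"}
        if req.method.upper() not in rule.allowed_methods:
            return {"action": "deny", "rule": rule.name,
                    "reason": f"method {req.method} blocked by HTTP filter"}
        if rule.require_auth and req.user is None:
            # The listener challenges the client with its configured methods.
            return {"action": "auth_required", "rule": rule.name, "challenge": lst.auth_methods}
        # Path mapping: swap the public prefix for the internal one.
        mapped = _prefix(rule.internal_path) + req.path[len(_prefix(rule.public_path)):]
        # Host header: the original public name, or the internal site name.
        host_header = req.host if rule.forward_original_host else rule.internal_site
        return {"action": "forward", "rule": rule.name, "server": rule.internal_site,
                "path": mapped, "host_header": host_header}
    # No listener or no rule matched: ISA Server forwards nothing.
    return {"action": "deny", "reason": "no matching Web publishing rule"}


def translate_links(body: str, rule: WebPublishingRule) -> str:
    """Link translation: rewrite internal server URLs in a response to the public name."""
    return body.replace(f"http://{rule.internal_site}", f"http://{rule.public_names[0]}")


# Constructed sample configuration using the addresses from the slides.
LISTENER = WebListener("External", "131.107.1.1", 80, auth_methods=("Basic",))
RULES = [
    WebPublishingRule("Publish portal", LISTENER, ("isalab.com",), "/portal/*",
                      "172.16.10.1", "/sites/portal/*",
                      forward_original_host=True, require_auth=True),
    WebPublishingRule("Publish isalab.com", LISTENER, ("isalab.com", "www.isalab.com"),
                      "/*", "172.16.10.1"),
]

if __name__ == "__main__":
    for req in (Request("131.107.1.1", 80, "GET", "isalab.com", "/index.html"),
                Request("131.107.1.1", 80, "GET", "isalab.com", "/portal/docs"),
                Request("131.107.1.1", 80, "GET", "isalab.com", "/portal/docs", user="alice"),
                Request("131.107.1.1", 80, "TRACE", "isalab.com", "/"),
                Request("131.107.1.1", 80, "GET", "other.example", "/"),
                Request("172.16.10.1", 80, "GET", "isalab.com", "/")):
        print(req.method, req.host, req.path, "->", route(req, RULES))
```

Rule order matters: the more specific portal rule sits before the catch-all, and anything that no listener or rule claims is denied, which is the default-deny behaviour a publishing firewall should have. A request for a host name the rule does not accept is dropped even though it arrived on the right listener, which is why the public name list should contain only the names that were actually published.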
29
Secure Web Publishing
Diagram: a Client on the Internet and a Remote User reach the Web Server; the content in transit is encrypted.
More secure!
30
Cryptography issues
• Only the sender and the intended receiver should “understand” the message contents
– the sender encrypts the message
– the receiver decrypts the message
Diagram: Sender → Encrypt → Decrypt → Receiver
31
Types of Cryptography
• Crypto often uses keys:
– The algorithm is known to everyone
– Only the “keys” are secret
• Public key cryptography: involves the use of two keys (a public key and a private key)
• Symmetric key cryptography: involves the use of one shared key
• Hash functions: involve the use of no keys. Nothing is secret, so how can this be useful? (The answer on the following slides: integrity checks and digital signatures.)
32
Secret-Key or Symmetric Cryptography
• Sender and Receiver agree on an encryption method and a shared key (the key itself must be exchanged over a channel an attacker cannot read)
• Sender uses the key and the encryption method to encrypt (or encipher) a message
• Sender sends the encrypted message
• Receiver uses the same key and the related decryption method to decrypt (or decipher) the message
33
Public key or Asymmetric Cryptography
• Receiver generates a key pair: a public key and a private key. The private key cannot feasibly be derived from the public key.
• Receiver sends the public key to Sender; the public key does not need to be kept secret.
• Sender uses Receiver's public key to encrypt the message and sends the encrypted message.
• Receiver uses the private key to decrypt the message.
No one without access to Receiver's private key (or the information used to construct it) can easily decrypt the message.
34
Hash Function Algorithms
• A hash function is a mathematical function that creates a fixed-length message digest from a message of any length; a small change to the message produces a completely different digest, and the message cannot be recovered from the digest.
• A message digest is what gets signed to create a digital signature for a particular document.
• MD5 example: Original Message (Document, E-mail) → Hash Function → Digest. MD5 is shown only as an illustration; its collision resistance is broken, so two different documents can be made to share a digest, and it should not be used for new signatures or certificates.
35
Digital signature
Diagram: Sender holds the private key and Receiver the public key; Sender sends the encrypted message and Receiver decrypts it.
How can Receiver determine that the message received was indeed sent by Sender?
36
Digital signature
Diagram: Data → Hash → Verify Signature (with Sender's Public Key) → match?
Receiver hashes the received data, opens the signature with Sender's public key and compares the two digests; they match only if the data is unchanged and the signature was made with Sender's private key.
37
Man in the Middle
Diagram: Sender → (attacker modifies the message in transit) → Receiver
An attacker positioned between Sender and Receiver can alter the message; a signature over the original data no longer verifies against the modified data, which is how Receiver detects the change.
38
Digital certificate
• A digital certificate (DC) is a digital file that binds a public key to the identity of an individual, an institution, or even a router seeking access to computer-based information. It is issued by a Certification Authority (CA) and serves the same purpose as a driver's license or a passport: a trusted third party vouches for the identity.
39
Digital certificate
CERTIFICATE fields:
– Issuer
– Subject
– Subject Public Key
– Issuer Digital Signature (over the fields above)
40
Certification Authorities
• A trusted agent who certifies public keys for general use (a corporation or a bank).
– Users have to decide which CAs can be trusted.
• The model for key certification based on friends and friends of friends is called “Web of Trust”.
– The public key is passed from friend to friend.
– Works well in small or highly connected worlds.
– What if you receive a public key from someone you don't know?
41
CA model
Diagram: Root Certificate → CA Certificate → Browser Cert.; Root Certificate → CA Certificate → Server Cert.
Each certificate is signed by the one above it, and the chain ends at a root certificate the verifier already trusts.
42
What is the Process of obtaining a certificate
Diagram with Sender, CA and Receiver:
• Sender generates a public/private key pair and keeps the private key.
• The CA verifies the sender's identity and issues a digital certificate containing the public key.
• Sender encrypts the message and sends it together with the certificate.
• Receiver verifies the certificate and decrypts the message: OK!
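The building blocks on slides 31 to 42 (public-key encryption, the message digest, the digital signature, the man-in-the-middle modification, and the CA-issued certificate with its chain back to a root) can all be exercised with one small piece of code. The block below is an added example, not from the slides and not any product's code: it uses textbook RSA with fixed Mersenne primes and no padding, which is deliberately insecure and exists only to show the mechanics. The `PRIME_PAIRS` table, the certificate dictionary layout, the names "Root CA", "Issuing CA" and "isalab.com", and the sample messages are all constructed for the example.

```python
"""Toy public-key encryption, hashing, signing and certificate-chain checking.
Added example: textbook RSA with fixed primes and no padding, NOT for real use."""
import hashlib

# Fixed Mersenne primes (assumed for the example) so every party's key pair is
# deterministic; a real system draws fresh random primes of a secure size.
PRIME_PAIRS = {
    "Root CA":    (2**521 - 1, 2**127 - 1),
    "Issuing CA": (2**607 - 1, 2**107 - 1),
    "isalab.com": (2**1279 - 1, 2**61 - 1),
}
E = 65537


def generate_keypair(p: int, q: int):
    """Key owner generates (public, private). d cannot be derived from (n, e)
    without factoring n; that is what keeps the private key private."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(E, -1, phi)                     # modular inverse (Python 3.8+)
    return (n, E), (n, d)


def encrypt(public_key, message: bytes) -> int:
    """Sender encrypts with the RECEIVER's public key."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, e, n)


def decrypt(private_key, ciphertext: int) -> bytes:
    """Only the holder of the matching private key recovers the message."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def digest(data: bytes) -> int:
    """Message digest. SHA-256 instead of the slides' MD5, whose collision
    resistance is broken (two different documents can share an MD5 digest)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private_key, data: bytes) -> int:
    """Signature: the digest transformed with the SIGNER's private key."""
    n, d = private_key
    return pow(digest(data), d, n)


def verify(public_key, data: bytes, signature: int) -> bool:
    """Receiver recomputes the digest and compares it with the signature opened
    by the signer's public key; a modified message (man in the middle) fails here."""
    n, e = public_key
    return pow(signature, e, n) == digest(data)


def _tbs(subject: str, public_key, issuer: str) -> bytes:
    """The to-be-signed certificate body: subject, subject public key, issuer."""
    n, e = public_key
    return f"{subject}|{n}|{e}|{issuer}".encode()


def issue_certificate(issuer: str, issuer_private_key, subject: str, subject_public_key) -> dict:
    """The CA, having verified the subject's identity out of band, signs its public key."""
    body = _tbs(subject, subject_public_key, issuer)
    return {"subject": subject, "public_key": subject_public_key, "issuer": issuer,
            "signature": sign(issuer_private_key, body)}


def verify_chain(chain: list, trusted_roots: dict) -> bool:
    """chain = [server cert, intermediate CA cert, ..., root cert], as in the CA
    model slide. Each certificate must be signed by the next one, and the last
    must be a root the verifier already trusts (subject and key both match)."""
    for cert, issuer_cert in zip(chain, chain[1:]):
        if cert["issuer"] != issuer_cert["subject"]:
            return False
        body = _tbs(cert["subject"], cert["public_key"], cert["issuer"])
        if not verify(issuer_cert["public_key"], body, cert["signature"]):
            return False
    root = chain[-1]
    return trusted_roots.get(root["subject"]) == root["public_key"]


if __name__ == "__main__":
    root_pub, root_priv = generate_keypair(*PRIME_PAIRS["Root CA"])
    ca_pub, ca_priv = generate_keypair(*PRIME_PAIRS["Issuing CA"])
    srv_pub, srv_priv = generate_keypair(*PRIME_PAIRS["isalab.com"])
    root_cert = issue_certificate("Root CA", root_priv, "Root CA", root_pub)   # self-signed
    ca_cert = issue_certificate("Root CA", root_priv, "Issuing CA", ca_pub)
    srv_cert = issue_certificate("Issuing CA", ca_priv, "isalab.com", srv_pub)
    print("chain valid:", verify_chain([srv_cert, ca_cert, root_cert], {"Root CA": root_pub}))
    # A man in the middle swaps in another key but cannot reproduce the CA's signature.
    forged = dict(srv_cert, public_key=ca_pub)
    print("forged chain valid:", verify_chain([forged, ca_cert, root_cert], {"Root CA": root_pub}))
```

The chain check is the part a browser or the ISA listener performs when it receives a server certificate: each link is verified with the public key of the link above it, and nothing is accepted unless the top of the chain is already in the trust store. Swapping the server's public key inside a certificate, or naming a root that is not trusted, makes the check fail even though every other field is intact.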
43
Secure Sockets Layer
• Secure Sockets Layer (SSL) is used to validate the identity of the computers involved in a connection across a public network (in practice the server proves its identity with a certificate; the client is authenticated by certificate only when configured, as with the SSL Certificate listener method) and to ensure that the data sent between the two computers is encrypted
• SSL uses digital certificates and public and private keys
44
Secure Sockets Layer
Diagram: on each end the stack is Application / SSL / TCP / IP; SSL sits between the application protocol (such as HTTP) and TCP.
45
Advantages of SSL
• Independent of the application layer
• Includes support for negotiated encryption techniques
– easy to add new techniques
• Possible to switch encryption algorithms in the middle of a session (through renegotiation; later TLS versions restrict or remove this because renegotiation has had security problems of its own)
46
HTTPS Usage
• HTTPS is HTTP running over SSL.
– used for most secure Web transactions
– an HTTPS server usually runs on port 443
– includes the notion of verifying the server via a certificate
– relies on a central trusted source of certificates (the CA)
47
SSL and ISA server 2006
• SSL bridging: ISA Server terminates the client's SSL connection on the Web listener (so the listener needs the published site's certificate and private key), inspects the decrypted HTTP traffic with its application-layer filter, and opens a new connection to the internal server, either over SSL again (SSL-to-SSL bridging) or over plain HTTP (SSL-to-HTTP bridging).
• SSL tunneling: ISA Server passes the encrypted stream through to the internal server unchanged (a server publishing rule for port 443); it cannot inspect or authenticate the content, only log the connection.
48
Configuring SSL-to-SSL Bridging for Secured Websites
• Working with Third-Party Certificate Authorities
• Installing a Local Certificate Authority and Using Certificates
• Modifying a Rule to Allow for End-to-End SSL Bridging
49
Configuring SSL-to-SSL Bridging for Secured Websites
• Installing an SSL Certificate on a SharePoint Server
• Exporting and Importing the SharePoint SSL Certificate to the ISA Server
50
Configuring SSL-to-SSL Bridging for Secured Websites
• Creating a SharePoint Publishing Rule
51
Configuring SSL-to-SSL Bridging for Secured Websites
• Choosing a certificate for the listener
52
Configuring Server Publishing Rule