Post on 02-Apr-2015

347 views

Category:

Documents


3 download

TRANSCRIPT

Page 1: Getting started with Microsoft ISA Server 2006

Getting started with Microsoft ISA Server 2006

Part I: Installation

Introduction

Microsoft Internet Security & Acceleration Server 2006 is a firewall and proxy product from Microsoft. It can protect the local network from attackers, restrict users' Internet access, improve Internet speed for users through caching, and log every connection that passes through the ISA Server.

In other words, ISA Server is the gateway between the intranet (LAN) and the Internet, so it has more than one network interface: usually two or three, depending on the network topology (Edge Firewall, 3-Leg Perimeter, etc.) used in your organization. This post shows how to install ISA Server 2006 Standard Edition on a Windows Server 2003 machine with two network interfaces: one connected to the internal network (LAN) and the other to the external network (Internet). The diagram is below:

Step-by-step

1. Open ISA setup program

2. Click Next.

3. Enter your license information. Click Next.


4. Select the Setup Type. If you want to customize features or change the installation directory, select Custom. Otherwise select Typical. I leave Typical for convenience.

5. On Internal Network, you must enter your internal IP address range. You can add it manually or select it from a network adapter. This range defines the Internal network that ISA Server trusts, so include only your LAN subnets and never the subnet of the external interface. Before clicking Next, make sure the addresses are configured correctly.

6. On Firewall Client Connections, if you have not upgraded from a previous ISA Server (ISA 2000 or 2004), leave the check box unchecked and click Next; the box allows non-encrypted connections from older Firewall clients, so leaving it clear is the secure default. Otherwise, check the box before continuing.

7. On Services Warning, click Next. Note that some services will be restarted or disabled during installation.

8. Click Install.


9. Wait for the installation to finish.

10. You can check “Invoke ISA Server Management when the wizard closes” if you want to configure ISA now.

11. Now you have finished installing ISA Server 2006.

Question: How do I set up the network card that is connected to the external network (Internet)? My Internet connection goes through a router to the local ISP with an IP address like 60.25.115.23.

Answer: The external interface's IP address should be on the same subnet as the router, with the default gateway pointing to the router's IP address and DNS set to the ISP's DNS servers.

Part II: Configure Network Topology

Network Topology

In Part I you finished installing ISA Server 2006. Before using the server, you need to do some configuration. On the Getting Started with ISA Server 2006 page in ISA Server Management there are 5 steps for setting up ISA Server, as in the figure below.

To use ISA Server, only the first 2 steps in the figure above need to be configured, so this part shows how to configure the Network Topology, which is the first step. The second step is covered in the next part (Part III). You also need to configure the clients so they can use ISA Server; client configuration is covered in Part IV.


ISA Server 2006 comes with several predefined network templates. Details of each template follow; select the one that matches your network.

Edge Firewall

This is the standard network topology for small to medium organizations. The ISA Server is the main gateway controlling traffic between the intranet and the Internet. The ISA Server needs 2 network interfaces.

3-Leg Perimeter

This is the standard network topology for medium to large organizations. Compared to the Edge Firewall, a third network, the perimeter network, is attached to the ISA Server. The perimeter network or DMZ (Demilitarized Zone) is a less trusted network hosting the Web server, e-mail server, DNS server, etc., so that Internet users can reach those services without getting access to the internal network. The ISA Server needs 3 network interfaces.

Front Firewall

This is a network topology for organizations where security is a high priority. There is more than one firewall server: if an attacker compromises the front firewall, the back firewall still protects the internal network. In this template the ISA Server acts as the front firewall between the Internet and the perimeter network and needs 2 network interfaces.

Back Firewall

This is a network topology for organizations where security is a high priority. The configuration is the same as in the Front Firewall template, except that the ISA Server you are configuring is the back firewall that separates the internal network from the perimeter network. In this template the ISA Server needs 2 network interfaces.

Single Network Adapter


This is the topology for an ISA Server acting as a proxy server only. ISA Server can cache Web content to improve performance for users browsing the Internet. In this template the ISA Server requires only a single network interface, as the template name says.

Note: With the Front and Back Firewall templates you have more than one firewall server. It is best practice to use different firewall products on the front and the back (for example a hardware firewall in front of a software firewall), so that an attacker who compromises the front firewall cannot reuse the same technique against the back firewall.

Step-by-step

This example configures ISA Server 2006 using the Edge Firewall template.

1. Open ISA Server Management.

1) In the left pane, expand Configuration and select Networks.

2) In the right pane, select the Templates tab.

3) Click the Edge Firewall template. The Network Template Wizard window appears.

2. Click Next.

3. You can export your current configuration before the wizard overwrites it by clicking the Export button. Otherwise, click Next.


4. On Internal Network IP Addresses, you can configure your internal network IP address range. If the existing value is correct, click Next.

5. On Select a Firewall Policy, select a firewall policy template; the description shows what will be configured on ISA Server. I select "Block all", which blocks all traffic through the ISA Server, and configure the rules in the next part.


6. Click Finish to complete the wizard.

7. For the changes to take effect on ISA Server, click Apply.

Part III: Create Firewall Policy Rule

Firewall Policy

In Part II you configured the network topology. Now you need to create a policy rule to allow traffic to pass through the ISA Server. By default, ISA Server has a default rule that blocks all traffic passing through it, and you add rules to match the policy of your organization. In each rule you can set the action (allow or deny), the protocols, the source and destination addresses, the users (ISA Server can integrate with Active Directory), the schedule during which the rule applies, and the content types.

Step-by-step

Next, I will create a web access rule allowing all users on the internal network to reach the Internet (External network) using only the HTTP (port 80) and HTTPS (port 443) protocols.


1. Open ISA Server Management. Expand the server name (in this example, BKKFRW001), right-click Firewall Policy, and select New, then Access Rule.

2. The New Access Rule Wizard appears; enter a name for the access rule and click Next. On Rule Action, select Allow. Click Next.


3. On Protocols, click Add. The Add Protocols window appears; expand Common Protocols and select HTTP and HTTPS.

4. On Access Rule Sources, click Add. The Add Network Entities window appears; expand Networks and select Internal.

5. On Access Rule Destinations, add the External network.


6. On User Sets, leave All Users. Click Next.

7. Click Finish to complete creating the new rule.

8. Again, don't forget to click Apply so the settings take effect on ISA Server.
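To make the evaluation order of the rules above concrete, here is an added example (not ISA Server code and not from the original post) that models how an ISA firewall policy is processed: access rules are checked top-down, the first rule whose protocol, source, destination and user set all match decides, and anything left over hits the built-in Default rule, which denies. The Internal range 192.168.1.0/24, the protocol table, the "contractor" user set and the sample connections are assumptions constructed for the example.

```python
"""Added example, not ISA Server code: a small model of how an ISA firewall
policy is evaluated (ordered access rules, first match wins, and a built-in
Default rule that denies everything). The networks, protocol table and
sample connections are assumptions constructed for this example."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Protocol definitions as in ISA's Common Protocols: name -> (transport, port)
PROTOCOLS = {
    "HTTP": ("tcp", 80),
    "HTTPS": ("tcp", 443),
    "SMTP": ("tcp", 25),
}

# Assumed address range of the Internal network (ISA: Configuration > Networks)
INTERNAL = [ipaddress.ip_network("192.168.1.0/24")]


def in_network(ip: str, name: str) -> bool:
    """ISA's External network is everything not covered by another network."""
    addr = ipaddress.ip_address(ip)
    internal = any(addr in net for net in INTERNAL)
    if name == "Internal":
        return internal
    if name == "External":
        return not internal
    raise ValueError("unknown network " + name)


@dataclass
class AccessRule:
    name: str
    action: str                        # "allow" or "deny"
    protocols: Optional[Set[str]]      # None = all outbound traffic
    sources: Set[str]                  # network names
    destinations: Set[str]
    users: Optional[Set[str]] = None   # None = All Users


@dataclass
class Connection:
    src_ip: str
    dst_ip: str
    transport: str
    port: int
    user: Optional[str] = None         # None: no user identity (SecureNAT client)


def evaluate(policy: List[AccessRule], conn: Connection) -> Tuple[str, str]:
    """Walk the rules top-down; the first rule whose protocol, source,
    destination and user set all match decides. Anything unmatched hits
    the Default rule, which denies. (Simplification: ISA would challenge an
    anonymous Web Proxy client for credentials instead of skipping a
    user-scoped rule.)"""
    for rule in policy:
        if rule.protocols is not None and not any(
                PROTOCOLS[p] == (conn.transport, conn.port) for p in rule.protocols):
            continue
        if not any(in_network(conn.src_ip, n) for n in rule.sources):
            continue
        if not any(in_network(conn.dst_ip, n) for n in rule.destinations):
            continue
        if rule.users is not None and conn.user not in rule.users:
            continue
        return rule.action, rule.name
    return "deny", "Default rule"


# The rule created in Part III: allow HTTP and HTTPS from Internal to External
WEB_ACCESS = AccessRule("Web Access", "allow", {"HTTP", "HTTPS"},
                        {"Internal"}, {"External"})
POLICY = [WEB_ACCESS]

# Rule order matters: a narrower deny placed above the allow wins for that
# user set. "contractor" is an assumed user set name.
BLOCK_CONTRACTORS = AccessRule("Block contractors", "deny", {"HTTP", "HTTPS"},
                               {"Internal"}, {"External"}, users={"contractor"})
ORDERED_POLICY = [BLOCK_CONTRACTORS, WEB_ACCESS]

if __name__ == "__main__":
    for conn in [Connection("192.168.1.10", "203.0.113.5", "tcp", 443, "alice"),
                 Connection("192.168.1.10", "203.0.113.5", "tcp", 25, "alice"),
                 Connection("192.168.1.10", "203.0.113.5", "tcp", 80, "contractor")]:
        print(conn, "->", evaluate(ORDERED_POLICY, conn))
```

The point to take away is the last case: a user-scoped rule can only match connections that carry a user identity, which is why the client type chosen in Part IV decides whether per-user rules do anything at all.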

Question: How can I password-protect Internet Options so that a user cannot enter an IP address under Connections, LAN Settings?


Answer: The best way is to use Group Policy to prevent users from modifying the settings. Here are the steps to disable tabs of Internet Options using local Group Policy:

1. Click the Start button, type "gpedit.msc" into the Search box and press Enter.

2. In the Local Group Policy Editor, expand User Configuration, Administrative Templates, Windows Components, Internet Explorer, and click Internet Control Panel.

3. On the right side you see the policies you can configure. To stop users editing LAN Settings, you have to disable the Connections page: double-click the Disable the Connections page policy and change the setting from Not Configured to Enabled. Enabling this policy is what removes the tab; setting it to Disabled leaves the tab available. In a domain, set the same policy in a GPO linked to the users' OU instead of in local policy, so a user cannot simply undo it on their own machine.

Part IV: Configure Client Type

Introduction

After completing Part III, you have done the basic configuration of ISA Server. In this part you configure the client computers to be one of these types: SecureNAT client, Firewall client or Web Proxy client. More detail is in the topic below.

The table below compares the ISA Server client types.

| Feature                   | SecureNAT client                                               | Firewall client             | Web Proxy client                             |
|---------------------------|----------------------------------------------------------------|-----------------------------|----------------------------------------------|
| Installation required     | No; some network configuration changes may be required         | Yes                         | No; Web browser configuration required       |
| Operating system support  | Any operating system that supports TCP/IP                      | Only Windows platforms      | All platforms, but by way of Web application |
| Protocol support          | Application filters for multiple-connection protocols required | All Winsock applications    | HTTP, HTTPS, FTP, and Gopher                 |
| User-level authentication | No                                                             | Yes                         | Yes                                          |
| Server applications       | No configuration or installation required                      | Configuration file required | Not applicable                               |

Configurations

In this section I show how to configure each client type on a client computer. You only need to use one of these three client configurations.

1. SecureNAT client


To configure a SecureNAT client, you only change the default gateway in the network properties to the ISA Server. Remember that a SecureNAT client carries no user identity, so ISA Server can only apply rules and log traffic for it by IP address:

o Open Network Connection Properties on the client computer.

o In Network Properties, select Internet Protocol (TCP/IP) and click Properties.

o In Internet Protocol (TCP/IP) Properties, change the Default gateway IP address to the ISA Server's internal address.


2. Firewall client

o Download the Firewall Client for ISA Server from Microsoft (Microsoft Firewall Client).

o Run the setup program and enter the ISA Server DNS name or IP address on the ISA Server Computer Selection page.

o After installation you will see the icon shown in the figure below in the notification area. Green means the client has successfully connected to ISA Server; red means the client cannot connect to ISA Server. Double-click the icon to see more detail.

o If you double-clicked in the previous step, select the Settings tab to verify that the ISA Server selection is typed correctly. Also click Apply Default Settings Now so that other users on this computer can use this configuration, too.

3. Web Proxy client

o Open the Web browser. In this example I demonstrate with Internet Explorer. On the menu bar, select Tools, Internet Options.


o In Internet Options, select the Connections tab and click LAN Settings.

o In Local Area Network (LAN) Settings, set Address and Port to match your ISA Server configuration. Note: by default the Web proxy port is 8080.
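As an added example that is not part of the original article, the PowerShell below does the Web Proxy client steps above and the lockdown from the Group Policy answer in Part III in one go: it writes the same registry values the LAN Settings dialog writes, then sets the policy values that "Disable the Connections page" and "Prevent changing proxy settings" write when they are Enabled. The ISA internal address 192.168.1.1 and the default port 8080 are assumptions; HKCU\Software\Policies is not writable by a standard user, so run it elevated in the target user's session.

```powershell
# Added example, not from the original article: configure a Windows client as an
# ISA Web Proxy client and lock the settings down with the same registry values
# that the IE Group Policy settings write. Assumptions: the ISA Server's internal
# address is 192.168.1.1 and the default Web proxy port 8080 is in use.

$ProxyServer  = "192.168.1.1:8080"   # assumed ISA internal address and Web proxy port
$InetSettings = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
$IEPolicy     = "HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel"

# 1. Web Proxy client: the values the LAN Settings dialog writes
Set-ItemProperty -Path $InetSettings -Name ProxyEnable   -Value 1            -Type DWord
Set-ItemProperty -Path $InetSettings -Name ProxyServer   -Value $ProxyServer -Type String
# Bypass the proxy for intranet (local) addresses, as the dialog's check box does
Set-ItemProperty -Path $InetSettings -Name ProxyOverride -Value "<local>"    -Type String

# 2. Lockdown: ConnectionsTab=1 is what "Disable the Connections page" sets when
#    Enabled, Proxy=1 is what "Prevent changing proxy settings" sets when Enabled.
if (-not (Test-Path $IEPolicy)) { New-Item -Path $IEPolicy -Force | Out-Null }
Set-ItemProperty -Path $IEPolicy -Name ConnectionsTab -Value 1 -Type DWord
Set-ItemProperty -Path $IEPolicy -Name Proxy          -Value 1 -Type DWord

# 3. Verify what the browser will now use and that the tab is locked
$cfg = Get-ItemProperty -Path $InetSettings
$pol = Get-ItemProperty -Path $IEPolicy
[pscustomobject]@{
    ProxyEnable    = $cfg.ProxyEnable      # expected 1
    ProxyServer    = $cfg.ProxyServer      # expected 192.168.1.1:8080
    ProxyOverride  = $cfg.ProxyOverride
    ConnectionsTab = $pol.ConnectionsTab   # 1 = Connections page hidden
    ProxyLocked    = $pol.Proxy            # 1 = proxy settings cannot be changed
}
```

In a domain, push the same two policy settings with a GPO (User Configuration, Administrative Templates, Windows Components, Internet Explorer, Internet Control Panel) rather than per machine. Note what this does and does not achieve: it stops users changing the browser's proxy in the dialog, but it is not a network control; anything that bypasses the proxy is still only stopped by the ISA Server's firewall policy and by the client not having another route to the Internet.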

Question: I have set up ISA 2006 Standard according to your guideline and it works fine. My ISA is on the domain and has been installed as a member server. I want all users in Active Directory to authenticate when they want to connect to online services. Is it possible to ask them to authenticate by web form so that I can monitor every user?

Answer: Users in Active Directory are already authenticated when they log on to the domain, so it is unnecessary to make them authenticate again when they want to use the Internet. ISA Server also logs all traffic passing in and out, so you can see which users are using the Internet and which websites they visit. Note that user names appear in the log only for Firewall and Web Proxy clients, which can authenticate transparently; SecureNAT clients are logged by IP address only.

Part V: Configure HTTP Filter


Have you ever needed to block users from using MSN or Yahoo Messenger? Or block them from using free e-mail services? Or even block them from posting anything on web boards? Or block them from using BitTorrent to download files? This topic answers these questions using Microsoft ISA Server 2006.

In Parts I to IV you finished the basic configuration of Microsoft ISA Server 2006 for your network. But ISA Server can do a lot more than that. Another benefit of ISA Server is that it can filter HTTP traffic. If you know the attributes of each kind of HTTP traffic, you can block MSN/Yahoo Messenger, BitTorrent, web mail, posting on web boards, etc., by allowing or blocking HTTP traffic with the HTTP filter. Most readers may not be familiar with what HTTP traffic looks like, so let's look at HTTP traffic in the next section.

Note: This topic is not required to run ISA Server; Parts I to IV are sufficient. But it benefits most organizations by improving security.

HTTP Traffic

HTTP traffic on ISA Server is data that passes through ISA Server using the HTTP protocol (by default on port 80), which is the protocol used by most applications. On each HTTP connection there is header information sent from client to server or from server to client. This information includes the request method (GET, POST, etc.), the HTTP version (1.0, 1.1), the User-Agent (Mozilla/4.0, Firefox, etc.), the Content-Type (application/xml, image/jpeg, text/xml, etc.), and so on. I will not go into deep detail about the HTTP protocol; for more information see Wikipedia – HTTP. Using this header information, ISA Server can filter HTTP traffic to allow or block specific applications or traffic. Keep in mind that everything in a request header, the User-Agent above all, is chosen by the client, so these filters stop the default behaviour of an application, not a user who deliberately changes the header.

To see some samples of HTTP traffic, you can use a sniffer program to capture each packet that passes in or out of a computer. A popular one is Ethereal (now called Wireshark). I have installed Ethereal on a computer running a web server. Let's look at the different examples of HTTP header information below. First, the client sends a request from the browser (Internet Explorer) to http://bkkexternal (bkkexternal is the computer that runs the web server).

Detail: The request method is GET. URI is /. The User-Agent is Mozilla (compatible: MSIE 6.0).

This is the response header for the above request.

Detail: The response code is 200 (OK). The server is running Apache 2.2.4. The Content-Type is text/xml.


When you submit a form on the browser to the web server.

Detail: The request method is POST. The client host is bkkmisc01. The Content-Type is application/x-www-form-urlencoded.

Note: "\r\n" (carriage return followed by line feed) marks the end of each header line.

Configurations

To configure the HTTP filter, you need to know which attribute and value to configure. In this post I show only the following:

1. Block a specific browser: Firefox.

2. Block MSN Messenger and Windows Live Messenger.

3. Block downloading .torrent files.

4. Block AOL Messenger.

5. Block Yahoo Messenger.

6. Block Kazaa.

7. Block free web mail (e.g. hotmail.com, mail.yahoo.com, etc.).

8. Block posting on web boards.

Step-by-step

1. Open the Microsoft ISA Server Management console.


2. Right-click the access rule whose HTTP filter you want to configure and select Configure HTTP. The filter settings belong to that rule only, so they apply to the traffic the rule allows.

3. Click the Signatures tab and click Add.


4. Block specific browser: Firefox.

To block users from using the Firefox browser, add a signature with Search in set to Request headers, HTTP header set to User-Agent, and Signature set to "Firefox".

5. Block MSN Messenger, Windows Live Messenger.

To block MSN Messenger, add a signature with Search in set to Request headers, HTTP header set to User-Agent, and Signature set to "msnmsgr.exe".


To block Windows Live Messenger, add a signature with Search in set to Request headers, HTTP header set to Host, and Signature set to "login.live.com".

6. Block downloads file .torrent.

To block downloads of .torrent files, add a signature with Search in set to Response headers, HTTP header set to Content-Type, and Signature set to "application/x-bittorrent". The Content-Type of a download is sent by the server, so it is a response header, not a request header.

7. Block AOL Messenger.

To block users from using AOL Messenger, add a signature with Search in set to Request headers, HTTP header set to User-Agent, and Signature set to "Gecko". Be aware that "Gecko" also appears in the User-Agent of Firefox and other Mozilla-based browsers, so this signature blocks those browsers as well.


8. Block Yahoo Messenger.

To block users from using Yahoo Messenger, add a signature with Search in set to Request headers, HTTP header set to Host, and Signature set to "msg.yahoo.com".

9. Block Kazaa.

To block users from using Kazaa, add a signature with Search in set to Request headers, HTTP header set to User-Agent, and Signature set to "KazaaClient".

10. Block free web mail. (e.g. hotmail.com, mail.yahoo.com, etc.)

To block users from accessing free web mail, block any URL that contains the string "mail" by adding a signature with Search in set to Request URL and Signature set to "mail". This is a broad match: any URL containing "mail", including ones unrelated to web mail, will be blocked.

11. Block post on web boards.

Block users from sending any information to the Internet (e.g. posting on a web board) by disallowing the HTTP method POST. Note that this blocks every POST passing through the rule, including form logins on any site the rule allows, so use it only on a rule scoped to the sites or users where that is intended.

o Select the Methods tab and select Block specified methods.

o Click Add. A new window appears; type "POST" as the method and enter a description.

o Don't forget to apply the settings after configuration.

12. Users blocked by the HTTP filter see a page like the figure: "Error Code: 500 Internal Server Error. The request was rejected by the HTTP filter."
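To show how the header fields described in the HTTP Traffic section drive the signature and method rules configured in the steps above, here is an added example (not ISA Server code and not from the original post). It parses raw HTTP messages of the kind shown in the captures, then applies block rules modelled on the Signatures and Methods tabs. The sample requests and response are constructed for the example; matching is a case-insensitive substring test, which is a simplification of ISA's own search, and the rule names are invented.

```python
"""Added example, not ISA Server code: parse raw HTTP messages like the ones
captured in the HTTP Traffic section and apply block rules modelled on the
HTTP filter signatures and method settings configured in the steps above.
All sample messages below are constructed for this example."""
from typing import Optional

CRLF = "\r\n"   # each header line ends with carriage return + line feed


def parse_http_message(raw: str) -> dict:
    """Split an HTTP request or response into start line, headers and body.
    The header block ends at the first empty line; header names are
    case-insensitive, so they are lower-cased for lookup."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    msg = {"headers": headers, "body": body}
    start = lines[0]
    if start.startswith("HTTP/"):                       # status line of a response
        parts = start.split(" ", 2)
        msg.update(kind="response", version=parts[0], status=int(parts[1]))
    else:                                               # request line
        method, uri, version = start.split(" ")
        msg.update(kind="request", method=method, uri=uri, version=version)
    return msg


# Rules modelled on the Signatures tab: (rule name, search in, header, signature)
SIGNATURES = [
    ("Block Firefox",         "request_headers",  "user-agent",   "Firefox"),
    ("Block MSN Messenger",   "request_headers",  "user-agent",   "msnmsgr.exe"),
    ("Block Live Messenger",  "request_headers",  "host",         "login.live.com"),
    # Content-Type of a download is sent by the server, so search Response headers
    ("Block .torrent",        "response_headers", "content-type", "application/x-bittorrent"),
    # "Gecko" is also in the User-Agent of Firefox, SeaMonkey and other Mozilla
    # browsers, so this signature blocks far more than AOL Messenger
    ("Block AOL Messenger",   "request_headers",  "user-agent",   "Gecko"),
    ("Block Yahoo Messenger", "request_headers",  "host",         "msg.yahoo.com"),
    ("Block Kazaa",           "request_headers",  "user-agent",   "KazaaClient"),
    ("Block web mail",        "request_url",      None,           "mail"),
]
BLOCKED_METHODS = {"POST"}            # Methods tab: block specified methods


def check_request(req: dict) -> Optional[str]:
    """Return the first block rule a request trips, or None if it passes."""
    if req["method"] in BLOCKED_METHODS:
        return "Blocked method " + req["method"]
    url = req["headers"].get("host", "") + req["uri"]   # the proxy sees the full URL
    for name, where, header, sig in SIGNATURES:
        if where == "request_url" and sig.lower() in url.lower():
            return name
        if where == "request_headers" and sig.lower() in req["headers"].get(header, "").lower():
            return name
    return None


def check_response(resp: dict) -> Optional[str]:
    """Response-side signatures, e.g. the Content-Type of a .torrent download."""
    for name, where, header, sig in SIGNATURES:
        if where == "response_headers" and sig.lower() in resp["headers"].get(header, "").lower():
            return name
    return None


# Constructed sample traffic, modelled on the captures described above
MSIE_UA = "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
SAMPLE_GET = "GET / HTTP/1.1" + CRLF + "Host: bkkexternal" + CRLF + MSIE_UA + CRLF + CRLF
SAMPLE_FIREFOX = ("GET / HTTP/1.1" + CRLF + "Host: bkkexternal" + CRLF +
                  "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.8.1.2) "
                  "Gecko/20070219 Firefox/2.0.0.2" + CRLF + CRLF)
SAMPLE_SEAMONKEY = ("GET / HTTP/1.1" + CRLF + "Host: bkkexternal" + CRLF +
                    "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.8.1.2) "
                    "Gecko/20070222 SeaMonkey/1.1.1" + CRLF + CRLF)
SAMPLE_WEBMAIL = ("GET /inbox HTTP/1.1" + CRLF + "Host: mail.yahoo.com" + CRLF +
                  MSIE_UA + CRLF + CRLF)
SAMPLE_POST = ("POST /board/post.php HTTP/1.1" + CRLF + "Host: bkkexternal" + CRLF +
               "Content-Type: application/x-www-form-urlencoded" + CRLF +
               "Content-Length: 9" + CRLF + CRLF + "msg=hello")
SAMPLE_TORRENT_RESPONSE = ("HTTP/1.1 200 OK" + CRLF + "Server: Apache/2.2.4" + CRLF +
                           "Content-Type: application/x-bittorrent" + CRLF + CRLF)

if __name__ == "__main__":
    for raw in (SAMPLE_GET, SAMPLE_FIREFOX, SAMPLE_SEAMONKEY, SAMPLE_WEBMAIL, SAMPLE_POST):
        req = parse_http_message(raw)
        print(req["method"], req["uri"], "->", check_request(req) or "allowed")
    print("torrent response ->", check_response(parse_http_message(SAMPLE_TORRENT_RESPONSE)))
```

The SeaMonkey request is there on purpose: it is not Firefox and not AOL Messenger, yet the "Gecko" signature rejects it, which is the over-blocking caveat from step 7 made visible. The .torrent case only trips on the response side, which is why that signature has to search Response headers.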

Creating a Site to Site VPN using ISA 2006 Firewalls at the Main and Branch Office

In this, part 1 of a two-part series on creating site-to-site VPNs using the new ISA firewall, we will go over the basic network configuration and then start the configuration for the site-to-site VPN at the main office ISA firewall.

A site-to-site VPN connection connects two or more networks using a VPN link over the Internet. The VPN site-to-site configuration works just like a LAN router; packets destined for IP addresses at a remote site are routed through the ISA Server 2006 firewall. The ISA firewall acts as a VPN gateway joining two networks over the Internet.

Each site-to-site link can use one of the following VPN protocols:

o PPTP

o L2TP/IPSec

o IPSec Tunnel Mode


PPTP is the Point-to-Point Tunneling Protocol; the level of security it provides depends on the complexity of the password used to authenticate the PPTP connection. You can raise the level of security of a PPTP link by using EAP/TLS-based authentication methods. For information on how to use EAP/TLS authentication for site-to-site VPN links, check out this link.

The L2TP/IPSec VPN protocol provides a higher level of security because it uses the IPSec encryption protocol to secure the connection and enforces machine authentication as well as user authentication. You can use computer and user certificates to provide an even higher level of security to the L2TP/IPSec connection. If you are not ready to deploy a certificate infrastructure, you can use a pre-shared key to create the site-to-site L2TP/IPSec VPN connection.

The ISA 2006 firewall supports IPSec tunnel mode for site-to-site VPN connections. Only use IPSec tunnel mode when you need to create a site-to-site link with a third-party VPN gateway. There are three primary reasons for avoiding IPSec tunnel mode:

o IPSec tunnel mode is less secure

o IPSec tunnel mode has limited routing abilities on Windows Server 2003 machines

o IPSec tunnel mode can reduce effective throughput through the VPN tunnel by as much as 50%. You can confirm this by reading the ISA 2004 performance white paper.

The figure below depicts how such a site-to-site VPN works:

Figure 1

In this two part article series we will go through procedures required to create an L2TP/IPSec site-to-site link between two ISA Server 2006 firewall machines. The ISALOCAL machine will simulate the Main Office firewall, and the ISA2005BRANCH will simulate the Branch Office firewall. We will use the L2TP/IPSec VPN protocol to create the site-to-site link and both computer certificates and pre-shared keys to support the IPSec encryption protocol.

You will complete the following procedures to create the site-to-site VPN connection:

o Create the Remote Network at the Main Office

o Create the VPN Gateway Dial-in Account at the Main Office

o Create the Remote Network at the Branch Office

o Create the Network Rule at the Branch Office

o Create the Access Rules at the Branch Office

o Create the VPN Gateway Dial-in Account at the Branch Office

o Activate the Site-to-Site Links

The lab network includes two ISA firewalls, one at the main office and one at the branch office, a domain controller that is also running Exchange 2003, and a client machine located behind the branch office ISA firewall, which in this case is Windows Server 2003 SP1. The figure below depicts the machines in this article and their IP addresses.


Figure 2

Note: It is important to note that both the EXCHANGE2003BE machine and the REMOTEHOST machine are DHCP servers. This is required to provide Routing and Remote Access Service IP addresses to assign the calling VPN gateways. If your network does not have a DHCP server, you can use static address pools configured on each of the ISA Server 2006 firewall/VPN gateways. I prefer to use DHCP because it will make it easier to assign on-subnet addresses to the VPN gateways virtual interfaces.

In this article I will not go through the process of deploying certificates and will use a pre-shared key for our L2TP/IPSec site to site VPN connection. I should note here that this is not a best practice and that you should use certificates for machine authentication for your site to site VPNs. There are a number of methods you can use to obtain and install machine certificates and I have gone through this procedure many times on the ISAserver.org Web site.

For a comprehensive review of how to obtain and install machine certificates for ISA firewalls in a site to site VPN scenario, I highly recommend that you check out the ISA Server 2000 VPN deployment kit. While the ISA firewall configuration is quite different, the certificate deployment issues remain unchanged. Check out the ISA Server 2000 VPN Deployment Kit.

Create the Remote Site at the Main Office ISA Firewall

We will begin by configuring the ISA firewall at the Main Office. The first step is to configure the Remote Site Network in the Microsoft Internet Security and Acceleration Server 2006 management console.

Perform the following steps to create the Remote Site Network at the Main Office ISA firewall:

1. Open the Microsoft Internet Security and Acceleration Server 2006 management console and expand the server name. Click on Virtual Private Networks (VPN) node.

2. Click on the Remote Sites tab in the Details pane. Click on the Tasks tab in the Task pane. Click Add Remote Site Network.

3. On the Welcome to the Create VPN Site to Site Connection Wizard page, enter a name for the remote network in the Site to site network name text box. In this example, enter Branch. Click Next.

4. On the VPN Protocol page, you have the choice of using IP Security protocol (IPSec Tunnel Mode), Layer Two Tunneling Protocol (L2TP) over IPSec, or Point-to-Point Tunneling Protocol (PPTP).

Figure 3

If you do not have certificates installed on the Main and Branch Office machines and do not plan to deploy them in the future, choose the PPTP option. If you have certificates installed on the Main and Branch Office firewalls, or if you plan to install them in the future, choose the L2TP/IPSec option (you can use the pre-shared key prior to installing the certificates).

Do not use the IPSec option unless you are connecting to a third-party VPN server (because of the low security conferred by IPSec Tunnel Mode site-to-site links and much lower throughput).

In this example, we will use pre-shared keys for our site to site VPN connection in preparation for deploying certificates after the L2TP/IPSec tunnels are established. Select Layer Two Tunneling Protocol (L2TP) over IPSec. Click Next.

5. A dialog box appears informing you that you need to create a user account on the main office ISA firewall. This user account will be used by the branch office ISA firewall to authenticate to the main office ISA firewall when the branch office ISA firewall attempts to create its site to site VPN connection to the main office ISA firewall.

The user account must have the same name as the Remote Site Network we’re creating, and that’s defined by the name we included in the first page in the wizard. In this example, we named the site to site Network connection Branch, so the user account we create on the main office ISA firewall must also have the name Branch, and we will need to enable dial-up access for that account. We’ll go through the details of creating that account later in this article. Click OK.

Figure 5

Figure 6


6. On the Connection Owner page you select which machine in the array should be the connection owner for this site-to-site VPN connection. This option is only seen in ISA Enterprise Edition and not in Standard Edition. If you have NLB enabled on the array, you don't need to assign the connection owner manually, as the integrated NLB process assigns a connection owner automatically when NLB is enabled on the array.

In this example we are not using NLB on the main office array (I’ll do another article on how to do that in the future), and there is only one member of our main office ISA firewall Enterprise Edition array. So we’ll use the default entry, which is the name of the ISA firewall at the main office and click Next. (note, the name of the server in the graphic suggests that this machine is Standard Edition, but it is in fact Enterprise Edition).

7. On the Remote Site Gateway page, enter the IP address or FQDN of the external interface of the remote ISA Server 2006 firewall. Note that this is a new feature in the 2006 ISA firewall; before, you could not use an FQDN. This is helpful because many branch offices must use dynamic addresses, so the only way to reliably connect to the branch office was via a DDNS service.

In this example, we’ll use the FQDN branch.msfirewall.org, so enter this value into the text box. Click Next.

8. On the Remote Authentication page, put a checkmark in the Local site can initiate connections to remote site using these credentials check box. Enter the name of the account that you will create on the branch office ISA Server 2006 firewall to allow the main office ISA firewall access. In this example the user account will be named Main (the user account name must match the name of the demand-dial interface created on the remote site). When we configure the branch office ISA firewall, we will create a Remote Site Network with the name Main and then create a user account with the name Main on the branch office ISA firewall. The main office ISA firewall will use this account to authenticate to the branch office ISA firewall to create the site-to-site VPN connection.

Figure 7

Figure 8


The Domain name is the name of the branch office ISA Server 2006 firewall, which in this example is ISA2006BRANCH (if the remote ISA Server 2006 firewall were a domain controller, you would use the domain name instead of the computer name). Enter a password for the account and confirm the password. Write down the password so you will remember it when you create an account later on the branch office ISA 2006 firewall. Click Next.

9. On the L2TP/IPSec Outgoing Authentication page you select the method you want to use to authenticate your machine to the branch office ISA firewall. In this example we'll use the Pre-shared key authentication option and enter a pre-shared key in the Pre-shared key text box. Make sure you write this down, as we'll need it when configuring the machine authentication settings at the branch office. Click Next.

10. Click Add Range on the Network Addresses page. In the IP Address Range Properties dialog box, enter 10.0.1.0 in the Starting address text box. Enter 10.0.1.255 in the Ending address text box. Click OK.

11. Click Next on the Network Addresses page.

12. On the Remote NLB page you tell the ISA firewall whether NLB is being used on the branch office ISA firewall. If it is, put a checkmark in the The remote site is enabled for Network Load Balancing checkbox and then add the dedicated IP addresses of the branch office NLB array by clicking the Add Range button.

Figure 9

Figure 10

Figure 11

We’re not running NLB at the branch office, so we’ll remove the checkmark from the The remote site is enabled for Network Load Balancing. In a future article I’ll show you how to create site to site VPNs with the NLB feature enabled. Click Next.

13. On the Site to Site Network Rule page you can configure a Network Rule that connects the main and branch office ISA firewall Networks. Remember, the ISA firewall requires that you always have a Network Rule to connect ISA firewall Networks to each other. Even if you create the Networks and create Access Rules, the connections will not work until you create a Network Rule.

The new ISA firewall fixes a problem people had when creating site-to-site VPNs with ISA 2004, in that most people forgot or didn't know that they needed a Network Rule for it to work. The 2006 ISA firewall asks you whether you want to create the Network Rule while still in the wizard, which is a nice convenience and a great usability improvement. It's clear that the ISA firewall's development team is a lot more mindful of ease of use than the Exchange 2007 beta team!

Select the Create a Network Rule specifying a route relationship option and accept the default name. Note that you also have the I'll create a Network Rule later option if you want to create the Network Rule manually. Notice that the default option sets a route relationship between the main and branch office ISA firewall Networks. This is an excellent choice because you have a much wider range of protocol access when using route relationships.

Click Next.

14. Another new feature in the 2006 ISA firewall is the Site to Site Network Access Rule page. Here you can configure an Access Rule allowing connections from the main office to the branch office. With the ISA 2004 firewall, you had to do this manually after the wizard was completed, so another kudos for the VPN developers on the ISA team!

You also have the option to not create an Access Rule at this time by selecting the I’ll change the Access Policy later option.

When you select the Create an allow Access Rule. This rule will allow traffic between the Internal Network and the new site to site Network for all users option, you’ll be given three choices from the Apply the rule to these protocols drop down list. These include:

Figure 13


All outbound traffic: Use this option if you want to allow all traffic from the main office to the branch office.

Selected protocols: Use this option if you want to control which traffic can move from the main office to the branch office. If you want to limit the connections to a selected list of protocols, select this option and click the Add button to add the protocols. Note that at this point you can’t lock down the protocol usage on a per user/group basis. You’ll have to wait until the wizard is complete and then go into the Firewall policy to make that change.

All outbound traffic except selected: Select this option if you want to allow all traffic except for a few protocols. Again, you use the Add button to set which protocols you want to block.

In this example, we’ll begin by allowing all protocols. Later, I’ll show you how you can use user/group based authentication to control which users at the main office are allowed to connect to the branch office. This is important, as typically you don’t want average users to have access to the branch office; you just want the administrators to get there. We’ll also see how you can use user/group based access controls at the branch office to prevent branch office users from getting adventurous.

Select the All outbound traffic option and click Next.

15. Click Finish on the Completing the New Site to Site Network Wizard page.

16. In the Remaining VPN Site to Site Tasks dialog box, it informs you that you need to create a user account with the name Branch. We’ll do that in the next section. Click OK.

You can see the new ISA firewall Remote Site Network in the ISA firewall console, as seen in the figure below.

Select the Remote Site Network and click the Edit Selected Network link in the Task Pane.

Figure 14

Figure 15

Figure 16


In the Branch Properties dialog box, the General tab provides information about the Remote Site Network. You can also enable or disable the site to site VPN connection from this tab.

On the Server tab, you can change the connection owner for the site to site VPN. You only have to assign a connection owner when NLB isn’t enabled on the external interface of the ISA firewall. If NLB is enabled on the external interface of the ISA firewall, then NLB will automatically assign the connection owner for you. Keep in mind that you can create ISA firewall arrays of VPN gateways without NLB enabled on the external interface. However, in most cases you will want to use NLB. We’re not using NLB on the external interface in this article because there is a single ISA Enterprise Edition firewall in our current configuration.

On the Addresses tab, you can change or add addresses to the definition of the Remote Site Network.

On the Remote NLB tab, you specify the dedicated IP addresses on the remote site VPN gateway. You only need to configure these addresses if the Remote Site Network’s VPN gateway is using NLB. We won’t be adding addresses in our example because NLB won’t be enabled at the branch office ISA firewall.

On the Authentication tab you choose the authentication protocol you want the main office ISA firewall to use when authenticating with the branch office VPN gateway. The default is Microsoft CHAP Version 2. The most secure option is EAP, but that requires that you assign user certificates to the accounts used to authenticate with each gateway. Maybe in the future I’ll show you how to do it with the 2006 ISA firewall, but the procedure is very similar to how you do it in ISA 2004, as shown in http://www.isaserver.org/articles/2004s2seapauth.html.

On the Protocol tab you configure what VPN protocol you want to use to create the site to site VPN tunnel. You can also change the pre-shared key here.

Figure 17


On the Connection tab you can change the credentials used to authenticate to the Remote Site Network’s VPN gateway. You can also configure how long you want the site to site VPN to stay up during idle periods. The default is Never drop the connection.

Close the Branch Properties dialog box.

Right click the Remote Site Network and click the Site to Site Summary command. In the Site to Site Summary dialog box you’ll see summary information about the local site to site settings and the Required site to site settings for the other end of this tunnel.


You can right click in the lower frame and Select All and then Copy to get the information on how to configure the Remote Site VPN gateway.

General VPN Settings

Authentication Protocols (one or more of the following):    MS-CHAP v2

VPN Network Authentication Protocols (one or more of the following):    MS-CHAP v2

Outgoing Authentication Method: Pre-shared secret (the pre-shared key will appear here)

Incoming Authentication Method: Certificate and pre-shared secret (the pre-shared key will appear here)

Remote Gateway Address:

    An IP address or a DNS resolvable name.

    If NLB is enabled, the VIP of the remote array should be used.

Local User: ISA2006BRANCH\main

Remote Site User: Branch

Site-to-Site Network IP Addresses: 10.0.0.0-10.0.0.255, 10.255.255.255

Routable Local IP Addresses: 10.0.1.0-10.0.1.255

Complete the configuration by clicking Apply to save the changes and then click OK in the Apply New Configuration dialog box.

DHCP Configuration

One last thing you need to confirm is your addressing information for the site to site VPN gateway. You have two options to assign IP addresses:

DHCP

Static address pool

I prefer to use DHCP because it allows you to assign VPN clients and gateways on-subnet addresses without having to manually remove those addresses from the definition of the default Internal Network, to which the internal interface of the ISA firewall belongs.

For example, suppose the ISA firewall’s internal interface has the IP address 192.168.1.1. The definition of the default Internal Network is 192.168.1.0-192.168.1.255. If we wanted to use a static address pool to assign on-subnet addresses, such as 192.168.1.10-192.168.1.20, we would have to change the definition of the default Internal Network because the addresses we want to assign to VPN clients overlap with the definition of the default Internal Network. In this case the definition of the default Internal Network would change to:

192.168.1.0-192.168.1.9

192.168.1.21-192.168.1.255
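The two ranges above are what remains once the static pool is carved out of the Internal Network definition. The following Python function is an added example, not part of the original article, that performs that subtraction with the standard library so you can check the result for any pool. It goes a little beyond the text: it handles several pools at once and reports whether a pool overlaps the network at all (an off-subnet pool leaves the definition untouched). Ranges are written as inclusive start/end pairs, the way the ISA console displays them.

```python
"""Added example (not from the original article): compute the ranges left in an
ISA Internal Network definition after static VPN address pools are removed from
it, as the text describes for 192.168.1.0-255 minus 192.168.1.10-20."""
from ipaddress import IPv4Address
from typing import List, Tuple

Range = Tuple[str, str]  # inclusive start and end as dotted-quad strings


def _to_int(r: Range) -> Tuple[int, int]:
    return int(IPv4Address(r[0])), int(IPv4Address(r[1]))


def _to_str(lo: int, hi: int) -> Range:
    return str(IPv4Address(lo)), str(IPv4Address(hi))


def overlaps(network: Range, pool: Range) -> bool:
    """True if at least one address of the pool lies inside the network definition."""
    n_lo, n_hi = _to_int(network)
    p_lo, p_hi = _to_int(pool)
    return p_lo <= n_hi and p_hi >= n_lo


def exclude_pools(network: Range, pools: List[Range]) -> List[Range]:
    """Subtract every pool from the network range and return the remaining
    inclusive ranges in ascending order. Pools that do not overlap leave the
    network unchanged; a pool covering the whole network leaves nothing."""
    remaining = [_to_int(network)]
    for pool in pools:
        p_lo, p_hi = _to_int(pool)
        if p_lo > p_hi:
            raise ValueError(f"pool {pool} has its start after its end")
        next_remaining = []
        for lo, hi in remaining:
            if p_hi < lo or p_lo > hi:      # no overlap with this piece: keep it
                next_remaining.append((lo, hi))
                continue
            if lo < p_lo:                   # keep the part below the pool
                next_remaining.append((lo, p_lo - 1))
            if p_hi < hi:                   # keep the part above the pool
                next_remaining.append((p_hi + 1, hi))
        remaining = next_remaining
    return [_to_str(lo, hi) for lo, hi in remaining]


if __name__ == "__main__":
    internal = ("192.168.1.0", "192.168.1.255")   # default Internal Network (sample)
    pool = ("192.168.1.10", "192.168.1.20")       # on-subnet static pool (sample)
    print("pool overlaps Internal Network:", overlaps(internal, pool))
    for lo, hi in exclude_pools(internal, [pool]):
        print(f"{lo}-{hi}")
```

Run it and the two printed ranges are the ones the article lists; feed it an off-subnet pool such as 10.0.5.0-10.0.5.50 and the Internal Network definition comes back unchanged, which is exactly why off-subnet pools need routing changes rather than Network definition changes.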


On the other hand, if we used DHCP to assign the VPN clients on-subnet addresses, the ISA firewall will automatically remove any address assigned to a VPN client or VPN gateway from the definition of the default Internal Network and dynamically assign them to the definition of the VPN clients Network. This prevents overlap between the VPN Clients Network and the default Internal Network.

You can check on the IP address assignment method by clicking on the Virtual Private Networks (VPN) node in the left pane of the console and then clicking the Define Address Assignments link on the Tasks tab in the Task Pane. You’ll see what appears in the figure below.

Note that the Dynamic Host Configuration Protocol (DHCP) option is only available on ISA Standard Edition or single-member ISA Enterprise Edition arrays. If you choose not to use DHCP, then you must click the Add button to manually add the IP address ranges to assign to VPN clients and VPN gateways.

If you use a static address pool, you might want to consider using off-subnet IP addresses. There is no problem with this, but you must make your routing infrastructure aware that, in order to reach the network ID used for the VPN clients network, routers must forward those connections to the ISA firewall interface from which the connection was received.

In a simple dual NIC configuration, this would be the Internal interface. In a 3+ NIC configuration, you would configure the routers to forward requests to the VPN clients network ID to the ISA firewall interface closest to the routers.

Configure the Main Office Firewall’s Demand-dial Interface to not Register in DNS

A common problem encountered with multihomed computers is that they register multiple interfaces in the DNS. This is especially problematic when machines create site-to-site connections and register their demand-dial interface IP address. This can cause difficult-to-troubleshoot problems, such as Web Proxy and Firewall clients being unable to connect to the Internet. The reason the Web Proxy and Firewall clients cannot connect to the Internet in this scenario is that the ISA Server 2004 firewall’s Demand-dial interface registered itself in the DNS, and the Web Proxy and Firewall clients attempt to connect to the ISA Server 2004 firewall via that address.

Perform the following steps to disable dynamic DNS registration for the ISA Server 2004 firewall’s Demand-dial interface:

1. At the Main Office ISA Server 2004 firewall, click Start, and point to Administrative Tools. Click Routing and Remote Access.

2. In the Routing and Remote Access console, expand the server name in the left pane of the console. Click the Network Interfaces node.

3. In the right pane of the Network Interfaces node, right click on Branch, and click Properties.

4. On the Branch Properties dialog box, click the Networking tab.

5. On the Networking tab, click Internet Protocol (TCP/IP) in the This connection uses the following items list, and click Properties.

6. On the Internet Protocol (TCP/IP) Properties dialog box, click Advanced.


7. On the Advanced TCP/IP Settings dialog box, click the DNS tab. On the DNS tab, remove the checkmark from the Register this connection’s addresses in DNS check box, and click OK.

8. Click OK in the Internet Protocol (TCP/IP) Properties dialog box.

9. Click OK in the Branch Properties dialog box.

10. Close the Routing and Remote Access console.

Create the VPN Gateway Dial-in Account at the Main Office

A user account must be created on the Main Office ISA firewall that the Branch Office firewall can use to authenticate when it creates the site-to-site connection. This user account must have the same name as the demand-dial interface on the Main Office computer. You will later configure the Branch Office ISA firewall to use this account when it dials the VPN site-to-site link.

Perform the following steps to create the account the remote ISA Server 2006 firewall will use to connect to the Main Office VPN gateway:

1. Right click My Computer on the desktop, and click Manage.

2. In the Computer Management console, expand the Local Users and Groups node. Right click the Users node, and click New User.

3. In the New User dialog box, enter the name of the Main Office demand-dial interface. In our current example, the demand-dial interface is named Branch. Enter Branch into the text box. Enter a Password and confirm the Password. Write down this password because you’ll need to use it when you configure the remote ISA Server 2006 VPN gateway machine. Remove the checkmark from the User must change password at next logon check box. Place checkmarks in the User cannot change password and Password never expires check boxes. Click Create.

4. Click Close in the New User dialog box.

5. Double click the Branch user in the right pane of the console.

6. In the Branch Properties dialog box, click the Dial-in tab. Select Allow access. Click Apply, and then click OK.

Summary

In this, part 1 of a two part series on creating site to site VPNs using the new ISA firewall, we went over the basic network configuration and then started the configuration for the site to site VPN at the main office ISA firewall. We created the Remote Site Network at the main office ISA firewall and created the user account that the branch office ISA firewall will use when calling the main office ISA firewall.


In the second and last part of the site to site VPN series, we’ll move our attention to the branch office ISA firewall and configure it to connect to the main office ISA firewall. We’ll also create a user account that the main office firewall will be able to use when calling the branch office ISA firewall. Then we’ll test the solution by activating the site to site VPN link and checking the log files and sessions information to see what things look like in the ISA firewall console when the site to site VPN is successfully established.

In this part 2 of our article series we’ll finish up by configuring the branch office ISA firewall and then test the connection.

In part 1 of this two part series on configuring an L2TP/IPSec site to site VPN connection between two ISA firewalls, we went over the details of the sample network and configured the main office ISA firewall.

Create the Remote Site at the Branch Office

Now that the Main Office is ready, we can configure the Branch Office ISA Server 2006 firewall. The first step is to create the Remote Site Network at the Branch Office.

Perform the following steps to create the Remote Site Network at the Branch Office:

1. Open the Microsoft Internet Security and Acceleration Server 2006 management console and expand the server name. Click on Virtual Private Networks (VPN) node.

2. Click on the Remote Sites tab in the Details pane. Click on the Tasks tab in the Task pane. Click Add Remote Site Network.

3. On the Welcome to the Create VPN Site to Site Connection Wizard page, enter a name for the remote network in the Site to site network name text box. In this example, enter Main. Click Next.

4. On the VPN Protocol page, you have the choice of using several VPN protocols. In this example, we will use pre-shared keys for our site to site VPN connection in preparation for deploying certificates after the L2TP/IPSec tunnels are established. Select Layer Two Tunneling Protocol (L2TP) over IPSec. Click Next.

5. A dialog box appears informing you that you need to create a user account on the branch office ISA firewall. This user account will be used by the main office ISA firewall to authenticate to the branch office ISA firewall when the main office ISA firewall attempts to create its site to site VPN connection to the branch office ISA firewall.

The user account must have the same name as the Remote Site Network we’re creating, and that’s defined by the name we included in the first page in the wizard. In this example, we named the site to site Network connection Main, so the user account we create on the branch office ISA firewall must also have the name Main, and we will need to enable dial-up access for that account. We’ll go through the details of creating that account later in this article. Click OK.


6. On the Connection Owner page you select which machine in the array should be the connection owner for this site to site VPN connection. This option is only seen in ISA Enterprise Edition and not in Standard Edition. If you have NLB enabled on the array, then you don’t need to manually assign the connection owner, as the integrated NLB process will automatically assign a connection owner when NLB is enabled on the array.

In this example we are not using NLB on the main office array (I’ll do another article on how to do that in the future), and there is only one member of our main office ISA firewall Enterprise Edition array. So we’ll use the default entry, which is the name of the ISA firewall at the main office and click Next.

7. On the Remote Site Gateway page, enter the IP address or FQDN representing the external interface of the main office ISA Server 2006 firewall. In this example, we’ll use the FQDN main.msfirewall.org, so enter this value into the text box. Click Next.

8. On the Remote Authentication page, put a checkmark in the Local site can initiate connections to remote site using these credentials check box. Enter the name of the account that you created on the main office ISA firewall to allow the branch ISA firewall access. In this example, the user account is named Branch (the user account must match the name of the demand-dial interface created at the remote site). The branch office ISA firewall will use this account to authenticate to the main office ISA firewall to create the site to site VPN connection.

The Domain name is the name of the main office ISA firewall, which in this example is ISA2006SE (if the remote ISA Server 2006 firewall were a domain controller, you would use the domain name instead of the computer name). Enter a password for the account and confirm the password. Click Next.

9. On the L2TP/IPSec Outgoing Authentication page you select the method you want to use to authenticate your machine against the main office ISA firewall. In this example we’ll use the Pre-shared key authentication option and then enter a pre-shared key in the Pre-shared key text box. Make sure this is the same key used at the main office ISA firewall. Click Next.

10. Click Add Range on the Network Addresses page. In the IP Address Range Properties dialog box, enter 10.0.0.0 in the Starting address text box. Enter 10.0.0.255 in the Ending address text box. Click OK.

11. Click Next on the Network Addresses page.

12. On the Remote NLB page you tell the ISA firewall if NLB is being used on the branch office ISA firewall. If NLB is being used, then you would put a checkmark in the The remote site is enabled for Network Load Balancing checkbox. Then you would add the dedicated IP addresses on the main office NLB array by clicking the Add Range button.

We’re not running NLB at the main office, so we’ll remove the checkmark from the The remote site is enabled for Network Load Balancing. In a future article I’ll show you how to create site to site VPNs with the NLB feature enabled. Click Next.

13. On the Site to Site Network Rule page you can configure a Network Rule that connects the main and branch office ISA firewall Networks. Remember, the ISA firewall requires that you always have a Network Rule to connect ISA firewall Networks to each other. Even if you create the Networks and create Access Rules, the connections will not work until you create a Network Rule.


Select the Create a Network Rule specifying a route relationship option and accept the default name. Note that you also have the I’ll create a Network Rule later option if you want to create the Network Rule manually. Notice that the default option is to set a route relationship between the main and branch office ISA firewall Networks. This is an excellent choice because you have a much wider range of protocol access when using route relationships.

The route relationship at the branch office should match the route relationship at the main office. Click Next.

14. On the Site to Site Network Access Rule page you can configure an Access Rule allowing connections from the branch office to the main office.

You also have the option to not create an Access Rule at this time by selecting the I’ll change the Access Policy later option.

When you select the Create an allow Access Rule. This rule will allow traffic between the Internal Network and the new site to site Network for all users option, you’ll be given three choices from the Apply the rule to these protocols drop down list. These include:

All outbound traffic

Selected protocols

All outbound traffic except selected.

In this example, we’ll begin by allowing all protocols. Later, I’ll show you how you can use user/group based authentication to control which users at the branch office are allowed to connect to the main office. This will be a key configuration step, as branch office users should have very limited access to resources at the main office network and should be allowed access only to the server and protocols required to get their work done, and they must also be forced to authenticate before gaining access to the main office network.

Select the All outbound traffic option and click Next.

15. Click Finish on the Completing the New Site to Site Network Wizard page.

16. In the Remaining VPN Site to Site Tasks dialog box, it informs you that you need to create a user account with the name Branch. We’ll do that in the next section. Click OK.

Make a note of the firewall policy created by the VPN wizard and then click Apply to save the changes and click OK in the Apply New Configuration dialog box.

Remember to confirm your address assignment settings for VPN clients and gateways in the same way you did so at the main office. If the ISA firewall isn’t able to assign IP addresses to the remote gateway, the configuration will fail. In addition, remember to configure the demand dial interface to not register in DNS, as we did when we configured the main office demand dial interface to not register in DNS in part 1 of this series.

Create the VPN Gateway Dial-in Account at the Branch Office

We must create a user account that the Main Office ISA firewall can use to authenticate when it initiates the VPN site-to-site connection. The user account must have the same name as the demand-dial interface created on the Branch Office ISA firewall.

Perform the following steps to create the account the main office ISA firewall will use to connect to the branch Office VPN gateway:

1. Right click My Computer on the desktop and click Manage.

2. In the Computer Management console, expand the Local Users and Groups node. Right click the Users node and click New User.

3. In the New User dialog box, enter the name of the Main Office demand-dial interface. In our current example, the demand-dial interface is named Main. Enter Main into the text box. Enter a Password and confirm the Password. Write down this password because you’ll need to use this when you configure the remote ISA Server 2006 VPN gateway machine. Remove the checkmark from the User must change password at next logon check box. Place checkmarks in the User cannot change password and Password never expires check boxes. Click Create.

4. Click Close in the New User dialog box.

5. Double click the Main user in the right pane of the console.

6. In the Main Properties dialog box, click the Dial-in tab. Select Allow access. Click Apply and then click OK.
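Both gateways are now configured, and the Site to Site Summary dialog described in part 1 exists precisely so you can compare one side's "required" settings with what the other side actually has. The following Python checker is an added example, not part of the original article, that encodes the matching rules the text states: each gateway's dial-in account must be named after its own demand-dial interface (the Remote Site Network name), the peer must dial out with exactly that account and the gateway's computer name as domain, the remote addresses on one side must be the other side's local network, and the pre-shared key and route relationship must be identical. The two SiteConfig records are constructed sample data; the computer names ISA2006SE and ISA2006BRANCH come from the article, the address ranges follow the ping test later in the article (main office 10.0.0.0/24, branch 10.0.1.0/24), and the pre-shared key is a placeholder.

```python
"""Added example (not from the original article): cross-check the two ends of an
ISA site-to-site VPN for the mismatches that stop the tunnel from coming up."""
from dataclasses import dataclass, field, replace
from typing import List


@dataclass
class SiteConfig:
    name: str                  # label used only in findings
    computer_name: str         # NetBIOS name of this gateway
    remote_site_network: str   # name given in the wizard; also the demand-dial interface name
    local_dialin_account: str  # account created under Local Users and Groups, dial-in allowed
    dialout_user: str          # credentials this side presents when it initiates the tunnel
    dialout_domain: str        # the peer's computer name (or its domain if the peer is a DC)
    remote_network: List[str]  # ranges entered on the Network Addresses page
    local_network: List[str]   # this side's Internal Network definition
    pre_shared_key: str
    route_relationship: str    # "route" or "nat"
    auth_protocols: List[str] = field(default_factory=lambda: ["MS-CHAP v2"])


def check_site_to_site(a: SiteConfig, b: SiteConfig) -> List[str]:
    """Return every mismatch between the two gateways; an empty list means they agree."""
    findings: List[str] = []
    for local, peer in ((a, b), (b, a)):
        if local.local_dialin_account != local.remote_site_network:
            findings.append(
                f"{local.name}: dial-in account '{local.local_dialin_account}' must be "
                f"named after the demand-dial interface '{local.remote_site_network}'")
        if peer.dialout_user != local.local_dialin_account:
            findings.append(
                f"{peer.name}: dials out as '{peer.dialout_user}' but {local.name} "
                f"expects '{local.local_dialin_account}'")
        if peer.dialout_domain != local.computer_name:
            findings.append(
                f"{peer.name}: dial-out domain '{peer.dialout_domain}' is not "
                f"{local.name}'s computer name '{local.computer_name}'")
        if sorted(local.remote_network) != sorted(peer.local_network):
            findings.append(
                f"{local.name}: remote site addresses {local.remote_network} do not "
                f"match {peer.name}'s local network {peer.local_network}")
    if a.pre_shared_key != b.pre_shared_key:
        findings.append("pre-shared keys differ between the two gateways")
    if a.route_relationship != b.route_relationship:
        findings.append("route relationship differs (both sides must be route, or both NAT)")
    if not set(a.auth_protocols) & set(b.auth_protocols):
        findings.append("no authentication protocol is enabled on both gateways")
    return findings


# Constructed sample data; the key is a placeholder, never a real secret.
MAIN = SiteConfig(
    name="main office", computer_name="ISA2006SE",
    remote_site_network="Branch", local_dialin_account="Branch",
    dialout_user="Main", dialout_domain="ISA2006BRANCH",
    remote_network=["10.0.1.0-10.0.1.255"], local_network=["10.0.0.0-10.0.0.255"],
    pre_shared_key="EXAMPLE-PSK-PLACEHOLDER", route_relationship="route")
BRANCH = SiteConfig(
    name="branch office", computer_name="ISA2006BRANCH",
    remote_site_network="Main", local_dialin_account="Main",
    dialout_user="Branch", dialout_domain="ISA2006SE",
    remote_network=["10.0.0.0-10.0.0.255"], local_network=["10.0.1.0-10.0.1.255"],
    pre_shared_key="EXAMPLE-PSK-PLACEHOLDER", route_relationship="route")


def demo() -> List[str]:
    """The consistent pair yields no findings; then the classic mistake of the
    branch dialling out with its own account name instead of the main office's."""
    assert check_site_to_site(MAIN, BRANCH) == []
    wrong = replace(BRANCH, dialout_user="Main")
    return check_site_to_site(MAIN, wrong)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The checker is deliberately symmetric: every rule is evaluated from both sides, so a typo in either wizard shows up regardless of which gateway you happen to be sitting at.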

Activate the Site-to-Site Links

Now that both the Main and Branch Office ISA Server 2006 firewalls are configured as VPN routers, you can test the site-to-site connection.

Perform the following steps to test the site-to-site link:

1. At the remote client computer behind the branch ISA firewall machine, click Start, and then click the Run command.

2. In the Run dialog box, enter cmd in the Open text box, and click OK.

3. In the command prompt window, enter ping -t 10.0.0.2 and press ENTER.


4. You will see a few pings time out, and then the ping responses will be returned by the domain controller on the Main Office network.

5. Perform the same procedures at the domain controller at the Main Office network, but this time ping 10.0.1.2, which is the REMOTEHOST computer.

You can see the results of the ping queries in the figure below:

If you check the real time log view on the branch office ISA firewall, you’ll see lines like those in the figure below.

Now click on the Sessions tab at the branch office ISA firewall. You’ll see an active session representing the site to site VPN connection. Notice the filter to point out the site to site connection.

Figure 17

You can go to the main office ISA firewall and perform similar checks.

Conclusion

In this article series we discussed how to create an L2TP/IPSec site to site VPN connection between two ISA firewalls. The discussion was limited to using a pre-shared key between the ISA firewalls at the main and branch offices, but you should keep in mind that in a production environment you should strive to use machine certificate authentication instead of a pre-shared key. I provided a link to the ISA Server 2000 VPN deployment kit which will provide you all the information you need to deploy your certificates.

In the next article we’ll take a look at two things you can do to help secure and accelerate your branch office connections: locking down the Access Rules for communications over the site to site VPN link and using Web proxy chaining so that the branch office ISA firewall can benefit from the larger cache contained on the main office ISA firewall. See you then! –Tom.


ISA Firewall Quick Tip: Internal DNS Forwarding Through ISA Server 2004/2006

This article shows you how to configure your internal DNS server to forward requests to external servers, most commonly your ISP's DNS servers. Configuration is done on the internal DNS server and also on ISA Server.

Configuration on DNS Server 

1. Click Start, point to Administrative Tools, and then click DNS.

2. Right-click DNS-SRV (ServerName), where ServerName is the name of the server, and then click the Forwarders tab.


3. Click a DNS domain in the DNS domain list. Or, click New, type the name of the DNS domain for which you want to forward queries in the DNS domain box, and then click OK.

4. In the Selected domain's forwarder IP address box, type the IP address of the first DNS server to which you want to forward, and then click Add. 

5. Repeat step 4 to add the other DNS servers to which you want to forward; usually you have two ISP DNS servers, so enter them both.

6. Click OK.

7. The last thing you should do on your DNS server is to make it a SecureNAT client, which is done by setting its default gateway to the ISA Server internal IP address.

That is all you have to do on your internal DNS server; now let's see what we need to do on ISA Server.

Configuration on ISA Server

1. Open ISA Management Console  

2. Create a new Access Rule: right click Firewall Policy, click New, then choose Access Rule.

3. The New Access Rule Wizard will be launched. Give a name to your new rule; in this example we will name it Forward DNS To ISP. Then click Next.

4. In the Rule Action page, choose Allow, then click Next 

5. In the Protocols page, from the This Rule Applies To drop down list, choose Selected Protocols, then click the Add button. The Add Protocol page will open; expand the Infrastructure container, choose the DNS protocol, click Add, then click Close.

The selected protocol will be displayed in the Protocols page, click Next 

6. On the Access Rule Sources page, click the Add button. In the Add Network Entities dialog box, from the menu bar, click New and choose Computer.


The New Computer Rule Element page will open. Click the Browse button, then type your internal DNS server name in the first textbox under Name and click Find; the IP address of the DNS server will be listed. Click OK.

You will return back to the New Computer Rule Element page, click on OK


7. Click the Computers folder. Double click DNS-SRV, then click the Close button in the Add Network Entities dialog box. Click Next in the Access Rule Sources dialog box.

8. Click the Add button on the Access Rule Destinations page. In the Add Network Entities dialog box, click the Networks folder. Double click the External entry and click Close in the Add Network Entities dialog box. Click Next on the Access Rule Destinations page.


9. On the User Sets page, accept the default setting of All Users.

10. Review your settings and click Finish on the Completing the New Access Rule Wizard page.


11. Click the Apply button to save the changes and update the firewall policy.

12. Your rule will look like this:

13. The rule you have just created will permit your internal DNS server to communicate with your ISP's DNS servers. Now we need to create a rule to allow users to surf the Internet, so start creating a new Access Rule.

14. Right click Firewall Policy, click New, then choose Access Rule.

15. Name this rule Allow Internet, then click Next 

16. In the Rule Action page, choose Allow, then click Next 

17. In the Protocols page, from the This Rule Applies To drop down list, choose Selected Protocols, click the Add button and from the Common Protocols folder choose HTTP, HTTPS, POP3 and SMTP. Click Add on each protocol you choose and, once you have selected them all, click Close. The protocols will be displayed in the Protocols page; click Next.


18. On the Access Rule Sources page, click the Add button. In the Add Network Entities dialog box, click the Networks folder. Double click the Internal network, then click the Close button in the Add Network Entities dialog box. Click Next in the Access Rule Sources dialog box.

19. Click the Add button on the Access Rule Destinations page. In the Add Network Entities dialog box, click the Networks folder. Double click the External entry and click Close in the Add Network Entities dialog box. Click Next on the Access Rule Destinations page.


20. On the User Sets page, accept the default setting of All Users.

21. Review your settings and click Finish on the Completing the New Access Rule Wizard page.


22. Now, your rules will look like this:

23. Click the Apply button to save the changes and update the firewall policy.
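The value of the two rules above lies in how narrowly the first one is scoped: only the DNS-SRV computer may talk DNS to External, so an ordinary workstation (or malware on it) that tries to resolve names directly against an outside server falls through to the default deny. The Python model below is an added example, not part of the original article or of ISA Server itself; it reproduces ISA's top-to-bottom, first-match evaluation of the firewall policy with the default rule denying everything unmatched, and it also enforces the point made in the site-to-site section that traffic between two ISA Networks needs a Network Rule before any Access Rule is consulted (a NAT relationship works one way, a route relationship both ways). The Internal and Branch address ranges, the DNS-SRV address and the ISP resolver address 198.51.100.53 are constructed sample data.

```python
"""Added example (not from the original article): a small model of ISA's
first-match policy evaluation over the two Access Rules built in this section."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Set, Tuple

# --- ISA Networks and computer objects (constructed sample data) ------------
NETWORKS: Dict[str, List[IPv4Network]] = {
    "Internal": [IPv4Network("10.0.0.0/24")],
    "Branch":   [IPv4Network("10.0.1.0/24")],   # a Remote Site Network with no Network Rule yet
}
COMPUTERS: Dict[str, IPv4Address] = {"DNS-SRV": IPv4Address("10.0.0.10")}

# Network Rules as (from, to, relationship). A NAT relationship connects only
# from -> to; a route relationship connects both directions.
NETWORK_RULES: List[Tuple[str, str, str]] = [("Internal", "External", "nat")]


@dataclass
class AccessRule:
    name: str
    action: str            # "allow" or "deny"
    protocols: Set[str]    # empty set means "All outbound traffic"
    sources: Set[str]      # network or computer object names
    destinations: Set[str]


# Firewall policy in console order; the last entry is ISA's built-in default rule.
POLICY: List[AccessRule] = [
    AccessRule("Forward DNS To ISP", "allow", {"DNS"}, {"DNS-SRV"}, {"External"}),
    AccessRule("Allow Internet", "allow", {"HTTP", "HTTPS", "POP3", "SMTP"},
               {"Internal"}, {"External"}),
    AccessRule("Default rule", "deny", set(), {"All Networks"}, {"All Networks"}),
]


def network_of(ip: IPv4Address) -> str:
    """External is every address not claimed by a defined Network, as in ISA."""
    for name, subnets in NETWORKS.items():
        if any(ip in subnet for subnet in subnets):
            return name
    return "External"


def matches(entity: str, ip: IPv4Address) -> bool:
    """Does a rule element (network name, computer object or All Networks) cover ip?"""
    if entity == "All Networks":
        return True
    if entity in COMPUTERS:
        return COMPUTERS[entity] == ip
    return network_of(ip) == entity


def connected(src_net: str, dst_net: str) -> bool:
    """True when a Network Rule joins the two Networks in the needed direction."""
    for a, b, rel in NETWORK_RULES:
        if (a, b) == (src_net, dst_net):
            return True
        if rel == "route" and (b, a) == (src_net, dst_net):
            return True
    return False


def evaluate(src: str, dst: str, protocol: str) -> Tuple[str, str]:
    """Return (action, reason) for one outbound connection attempt."""
    s, d = IPv4Address(src), IPv4Address(dst)
    src_net, dst_net = network_of(s), network_of(d)
    if not connected(src_net, dst_net):
        return "deny", f"no Network Rule between {src_net} and {dst_net}"
    for rule in POLICY:                       # first matching rule wins
        if rule.protocols and protocol not in rule.protocols:
            continue
        if any(matches(e, s) for e in rule.sources) and \
           any(matches(e, d) for e in rule.destinations):
            return rule.action, rule.name
    return "deny", "no matching rule"


if __name__ == "__main__":
    for src, dst, proto in [("10.0.0.10", "198.51.100.53", "DNS"),    # DNS-SRV -> ISP resolver
                            ("10.0.0.50", "198.51.100.53", "DNS"),    # workstation bypassing DNS-SRV
                            ("10.0.0.50", "198.51.100.53", "HTTP"),   # ordinary web browsing
                            ("10.0.0.50", "10.0.1.20", "HTTP")]:      # Internal -> Branch, no Network Rule
        print(f"{src} -> {dst} {proto:<5} {evaluate(src, dst, proto)}")
```

Reorder the two allow rules and nothing changes here because their sources do not overlap, but swap "DNS-SRV" for "Internal" in the first rule and every workstation gains direct outbound DNS, which is the misconfiguration this section's scoping avoids.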

Summary

In this article, we learned how to configure our internal DNS server to forward requests to the ISP's DNS servers; we also learned how to create the ISA rule needed to allow DNS communication between the internal DNS server and the ISP DNS servers.

How can I detect users who use or run sniffing and spoofing programs from ISA Server?

To detect that kind of traffics, try to setup IDS in your system. The free popular one is

When I block MSN Messenger by configuring a signature for “msnmsgr.exe”, this blocks msnmsgr.exe and also Hotmail mail access. Is there any solution to block MSN access without blocking Hotmail access?

Page 51: Getting started with Microsoft ISA Server 2006

If you blocked only the signature “msnmsgr.exe”, you can check email on hotmail through web access. I’ve tested it.

It seems that the application will attempt to connect on other ports (including 80) if 5050 fails. Therefore, there is no way to block it by using a port rule. (But mine works, strange!)

So I want you to try blocking these servers: scs.msg.yahoo.com, scsa.msg.yahoo.com, scsb.msg.yahoo.com and scsc.msg.yahoo.com. These are the servers that the messenger connects to. But I haven't tested it yet.

Reference: How do I configure my firewall/proxy server?

If the solution above doesn't work, I think you may need to block by other means. For instance, block by using Group Policy (if the PC is in the domain) to restrict installing the application instead of blocking from the firewall.

Yesterday I spent a full day monitoring Yahoo Messenger packets with Wireshark, and I did block these TCP ports: 20, 25, 23, 119, 5050, 5150, 5051 (which I found was right, as explained in the link you provided, thank you). It does work till now! And I hope it will.

I will also try the servers and let you know the result, but I wonder why the signature did not work. I think it was the best solution!

I think this is because the new Yahoo Messenger uses a Mozilla interface, which results in a changed signature! I mean the signature became Mozilla/4.0! What's your idea? Thank you for your help and attention anyway. Now I'm working on Google Talk; any advice will be appreciated. The signature is Google Talk in the User-Agent area, but it does not work too )

You can customize the error pages on ISA Server. The templates are located in the folder – C:\Program Files\Microsoft ISA Server\ErrorHtmls.

I configured the VPN in ISA Server 2006 and it gives error 800; I don't know why. Please, can you tell me about the VPN configuration?

I don't have experience with VPN. I haven't tried VPN yet. But there are many resources about configuring VPN on ISA Server on the Internet:

o Enabling the ISA Server 2004 VPN Server – ISAServer.org
o How to configure a VPN server by using Internet Security and Acceleration (ISA) Server 2006 – Microsoft.com
o How to configure a VPN connection to your corporate network in Windows XP Professional – Microsoft.com
o Error Message: VPN Connection Error 800: Unable to Establish Connection – Microsoft.com


In my organisation we are implementing ISA Server 2006 and we have created the four policies mentioned below:

1. Only mail access rule – users can access the company mail only.
2. Allowed sites access rule – users can access only particular sites.
3. Access with restriction access rule – users can access all the websites except particular sites.
4. Full access rule – all the websites can be accessed.

In this scenario, only the Full access rule users are able to access Yahoo, MSN, Gtalk etc. But we need to give the chat permission to the mail, allowed and access with restriction users also. How to create the policy for this scenario? Kindly help us.

I'm not sure about mail chat. I don't have this kind of traffic in my environment. But I've found some posts related to this issue:

o Block Yahoo mail chat
o Allowing/Denying IM and other protocols on ISA Server

I just configured VPN in ISA Server 2006, but the problem is that when I am typing \\isaserver in Run from the client it can't find the server, but when I am typing the IP from the server to a client it can find that computer. Please help me, what is the problem? Note: when I am typing \\client from the server it can't find the computer; if I am typing the IP of the client it can find it.

You may have to check DNS configuration whether it points to the correct server.

I can't block Yahoo Messenger 9 with ISA 2006. I tried to filter the signatures scs.msg.yahoo.com, scsa.msg.yahoo.com, scsb.msg.yahoo.com and scsc.msg.yahoo.com, but it didn't work.

Completely blocking messengers from ISA Server isn't easy. Most of them can now communicate through HTTP (80), which makes them even harder to block. The best way to solve the problem is to control software installation on the PCs with software restrictions. This can be achieved using Group Policy.

How to block downloads for users? Or block only mp3 etc.?

You can block specific extensions by opening Configure HTTP policy for the rule -> select the Extensions tab -> select Block specified extensions (allow all others) -> then you can add the extensions that you want to block, such as .exe, .mp3, etc.

Having the problem that sometimes the Internet connection drops for a few minutes, and the Internet connection just comes back online by itself or by restarting the ISA Server. They don't have a constant Internet connection.


You should check the Internet link between ISA Server and your ISP to see if it drops or not. Sometimes it could be a hardware problem. If that is not the case, try to check the System log on ISA Server. If there is a problem with the server, you will see some error messages there.

Everything is working fine except the voice and video for Yahoo and MSN. Please help me how to allow voice and video chat.

I have a rule in the ISA Server that allows Outlook to send mails: all outbound, from Internal to External. But the problem is that users can browse all the sites on the Internet, and when I change the rule to specific sites, I can't send any more and it doesn't see my webmail.

1. For mail access: In the ISA Server console, right click the Firewall Policy -> New -> Access Rule. In the Name window type the rule name, e.g. "mail allow". Next, in the Rule Action window select Allow. In the Protocols window select "Selected protocols" under "This rule applies to", click Add, and in Common Protocols select POP3 and SMTP; click Next. In the Access Rule Sources window select INTERNAL; click Next. In the Access Rule Destinations window select EXTERNAL (enter your email server IP or FQDN); click Next. In the User Sets window click Next. That's all.

2. For website access: In the ISA Server console, right click the Firewall Policy -> New -> Access Rule. In the Name window type the rule name, e.g. "Website allow". Next, in the Rule Action window select Allow. In the Protocols window select "Selected protocols" under "This rule applies to", click Add, and in Common Protocols select HTTP and HTTPS; click Next. In the Access Rule Sources window select INTERNAL; click Next. In the Access Rule Destinations window select EXTERNAL or a URL set; click Next. In the User Sets window click Next. That's all.

How can I block Facebook, Orkut, game chatting and sex sites in only one access deny rule? I have ISA Std Ed.

First create the Domain Name list for Facebook, Orkut, game chatting and sex sites. For creating the Domain Name list: go to the Firewall Management console –> right side Toolbox –> click New –> select Domain Name list –> in the Name field type any name –> click Add and type *.facebook.com, again click Add and type *.orkut.com, and OK.

Now create a rule for the Firewall Policy: right click Firewall Policy –> select New and Access Rule –> type the name you want –> then Next –> in the Rule Action window select DENY and Next –> in the Protocols window select HTTP and HTTPS and Next –> in the Access Rule Sources window select INTERNAL and Next –> in the Access Rule Destinations window select the created DOMAIN SET and Next –> in the User Sets window select All Users (or create a user set for some users) and Next.


For denying the sexual sites: You cannot deny all the sexual sites; for that you have to configure an HTTP Signature. After the rule is created, select the rule, right click, select Configure HTTP, select the Signature tab, click Add and type any name for your reference. In the "Search in" window select either REQUEST URL or REQUEST BODY, and in the Signature window type PORN, GAY, LESBIAN or SEX and give OK. Note: this HTTP signature will only be applicable on an ALLOW RULE. I do not understand about the game chatting.

Can you please tell me the difference between a domain name set and a URL set?

The difference between a Domain set and a URL set is: if you want to block only a specific URL, we can use the URL list. E.g. you want to block http://www.google.com; it will block only http://www.google.com for the client request, and it will not block http://mail.google.com or http://msdn.microsoft.com. Whatever URL you have given, only that will be blocked. A Domain name list will block the entire domain, *.google.com; the * is used for including the subdomains of google. This is the difference; I hope you understand. For online gaming: use an HTTP signature to block; if you know the web URL, you can use either a Domain or URL set for that.

Thanks
Nandha
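As an added illustration (not from the page or any of its commenters), the following Python models the matching semantics described in the two answers above, a Domain Name Set wildcard versus an exact URL Set entry, together with ISA's top-down, first-match rule evaluation and deny-by-default. Two details are assumptions, not stated on the page: `*.example.com` also matches the bare `example.com`, and a URL Set entry ending in `*` matches by prefix.

```python
from urllib.parse import urlsplit

# Constructed model of ISA Server 2006 destination matching and rule order.
# Assumptions not taken from the page: "*.example.com" also covers the bare
# "example.com", and a URL Set entry ending in "*" is a prefix wildcard.

def domain_matches(entry, host):
    """Domain Name Set entry: '*.google.com' covers every subdomain of google.com."""
    entry, host = entry.lower(), host.lower()
    if entry.startswith("*."):
        base = entry[2:]
        return host == base or host.endswith("." + base)   # bare-domain match is assumed
    return host == entry

def url_matches(entry, url):
    """URL Set entry: exact URL only, unless it ends in '*' (assumed prefix wildcard)."""
    entry, url = entry.lower().rstrip("/"), url.lower().rstrip("/")
    if entry.endswith("*"):
        return url.startswith(entry[:-1])
    return url == entry

def destination_matches(dest, url):
    """dest is ('domain', [entries]), ('url', [entries]) or ('external', None)."""
    kind, entries = dest
    if kind == "external":                 # the External network: anything out there
        return True
    host = urlsplit(url).hostname or ""
    if kind == "domain":
        return any(domain_matches(e, host) for e in entries)
    return any(url_matches(e, url) for e in entries)

def evaluate(policy, url):
    """Walk the Firewall Policy in order; the first rule whose protocol and
    destination match decides. No match falls through to the Default rule (Deny)."""
    scheme = urlsplit(url).scheme.lower()
    protocol = {"http": "HTTP", "https": "HTTPS"}.get(scheme, scheme.upper())
    for name, action, protocols, dest in policy:
        if protocol in protocols and destination_matches(dest, url):
            return action, name
    return "Deny", "Default rule"

# Constructed policy mirroring the comments: deny social sites via a Domain Name
# Set, deny one exact URL via a URL Set, then allow web access to External.
POLICY = [
    ("Block social", "Deny", {"HTTP", "HTTPS"}, ("domain", ["*.facebook.com", "*.orkut.com"])),
    ("Block google home", "Deny", {"HTTP", "HTTPS"}, ("url", ["http://www.google.com"])),
    ("Website allow", "Allow", {"HTTP", "HTTPS"}, ("external", None)),
]

if __name__ == "__main__":
    for u in ["http://www.facebook.com/home", "http://www.google.com", "http://mail.google.com"]:
        print(u, "->", evaluate(POLICY, u))
```

Note that the deny rules must sit above the allow rule: moving "Website allow" to the top would make every HTTP request match it first, which is why rule order matters as much as the set contents.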