Enabling Secure Internet Access with ISA Server

Enabling Secure Access to Internet Resources
• What Is Secure Access to Internet Resources?
– Users can access the resources that they need
– The connection to the Internet is secure
– The data that users transfer to and from the Internet is secure
– Users cannot download malicious programs from the Internet
• Secure access to the Internet also means that the user’s actions comply with the organization’s security or Internet usage policy.
What Is Secure Access to Internet Resources
• Secure access:
– Only users who have permission to access the Internet can access the Internet.
– These users can use only approved protocols and applications to access Internet resources.
– These users can gain access only to approved Internet resources, or these users cannot gain access to denied Internet resources.
– These users can gain access to the Internet only in accordance with any other restrictions the organization may establish, such as when and from which computers access is permitted.
How ISA Server Enables Secure Access to Internet Resources
• ISA Server provides the following functionality to enable secure access:
– Implementing ISA Server as a firewall
– Implementing ISA Server as a proxy server
– Using ISA Server to implement the organization’s Internet usage policy
Configuring ISA Server as a Proxy Server
• What Is a Proxy Server?
– A proxy server is a server that is situated between a client application and a server to which the client connects.
– All client requests are sent to the proxy server. The proxy server creates a new request and sends the request to the specified server. The server response is sent back to the proxy server, which then replies to the client application.
– A proxy server can provide enhanced security and performance for Internet connections.
– The purpose of using a proxy server is to make the user’s connection to the Internet more secure.
Configuring ISA Server as a Proxy Server
• Proxy servers make the Internet connection more secure in the following ways:
– User authentication
– Filtering client requests
– Content inspection
– Logging user access
– Hiding the internal network details
How Proxy Servers Work
• How Does a Forward Proxy Server Work?
• How Does a Reverse Web Proxy Server Work?
How Does a Forward Proxy Server Work?
• When a proxy server is used to secure outbound Internet access, it is configured as a forward proxy server.
• Forward proxy servers are usually located between a Web or Winsock application running on a client computer on the internal network and an application server located on the Internet.
How Does a Forward Proxy Server Work?
1. A client application, such as a Web browser, makes a request for an object located on a Web server. The client application checks its Web proxy configuration to determine whether the request destination is on the local network or on an external network.
2. If the requested Web server is not on the local network, the request is sent to the proxy server.
3. The proxy server checks the request to confirm that there is no policy in place that blocks access to the requested content.
4. If caching is enabled, the proxy server also checks if the requested object exists in its local cache. If the object is stored in the local cache and it is current, the proxy server sends the object to the client from the cache. If the page is not in the cache or if the page is out of date, the proxy server sends the request to the appropriate server on the Internet.
5. The Web server response is sent back to the proxy server. The proxy server filters the response based on the filtering rules configured on the server.
6. If the content is not blocked and it is cacheable, ISA Server saves a copy of the content in its cache and the object is then returned to the client application that made the original request.
How Does a Reverse Web Proxy Server Work?
1. A user on the Internet makes a request for an object located on a Web server that is on an internal network protected by a reverse proxy server. The client computer performs a DNS lookup using the fully qualified domain name (FQDN) of the hosting server. The DNS name will resolve to the IP address of the external network interface on the proxy server.
2. The client application sends the request for the object to the external address of the proxy server.
3. The proxy server checks the request to confirm that the URL is valid and to ensure that there is a policy in place that allows access to the requested content.
4. The proxy server also checks whether the requested object already exists in its local cache. If the object is stored in the local cache and it is current, the proxy server sends the object to the client from the cache. If the object is not in the cache, the proxy server sends the request to the appropriate server on the internal network.
5. The Web server response is sent back to the proxy server.
6. The object is returned to the client application that made the original request.
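The forward proxy flow (steps 3 to 6) and the reverse proxy flow above, as one added Python simulation that is not part of the original slides or of ISA Server: the deny lists, the published URL prefix, the origin server and its URLs are constructed sample data, and the policy check, freshness-checked cache, response filter and access log are stand-ins for the corresponding ISA Server functions.

```python
import time
from urllib.parse import urlsplit

# Constructed policies in the shape the slides describe (not ISA Server's own rule format).
# Forward mode: deny lists for sites and for response content types (steps 3 and 5).
# Reverse mode: the request must match a published URL prefix, or it is refused (step 3).
FORWARD_DENY_DOMAINS = {"malware.example"}
FORWARD_DENY_CONTENT = {"application/x-msdownload"}
REVERSE_PUBLISHED = {"www.example.com": ["/public/"]}

def fake_origin(url):
    """Constructed origin server: returns (status, content-type, body, max-age seconds)."""
    table = {
        "http://www.example.com/public/index.html": (200, "text/html", b"<h1>hi</h1>", 60),
        "http://www.example.com/private/admin": (200, "text/html", b"secret", 0),
        "http://downloads.example/setup.exe": (200, "application/x-msdownload", b"MZ", 0),
    }
    return table.get(url, (404, "text/plain", b"not found", 0))

class Proxy:
    def __init__(self, origin, mode):
        self.origin, self.mode = origin, mode   # mode is "forward" or "reverse"
        self.cache = {}                          # url -> (expires_at, content-type, body)
        self.log = []                            # (url, outcome), like a Web proxy log entry

    def _done(self, url, outcome, result):
        self.log.append((url, outcome))          # every request is logged with its outcome
        return result

    def policy_allows(self, url):
        u = urlsplit(url)
        if self.mode == "forward":               # forward step 3: no rule blocks the site
            return u.hostname not in FORWARD_DENY_DOMAINS
        prefixes = REVERSE_PUBLISHED.get(u.hostname, [])   # reverse step 3: a rule publishes it
        return any(u.path.startswith(p) for p in prefixes)

    def get(self, url, now=None):
        now = time.time() if now is None else now
        if not self.policy_allows(url):
            return self._done(url, "denied-by-policy", (403, None))
        hit = self.cache.get(url)
        if hit and hit[0] > now:                 # step 4: a current copy is in the local cache
            return self._done(url, "cache-hit", (200, hit[2]))
        status, ctype, body, max_age = self.origin(url)   # step 4: forward to the real server
        if self.mode == "forward" and ctype in FORWARD_DENY_CONTENT:   # step 5: filter response
            return self._done(url, "blocked-content", (403, None))
        if status == 200 and max_age > 0:        # step 6: cacheable, so keep a copy
            self.cache[url] = (now + max_age, ctype, body)
        return self._done(url, "fetched", (status, body))
```

Passing an explicit `now` lets the cache expiry in step 4 be exercised without waiting for real time to pass.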
How to Configure ISA Server as a Proxy Server
How to Configure Web and Firewall Chaining
• ISA Server 2004 Standard Edition supports the chaining of multiple servers running ISA Server together to provide flexible Web proxy services.
Configuring Access Rule Elements
• By default, ISA Server 2004 denies all network traffic between networks connected to the ISA Server computer.
• Configuring an access rule is the only way to configure ISA Server so that it will allow traffic to flow between networks.
What Are Access Rule Elements
• Access rule elements are configuration objects in ISA Server that you use to create access rules.
• Example: if you want to create an access rule that allows only HTTP traffic, ISA Server provides an HTTP protocol access rule element that you can use when creating the access rule.
Access Rule Element Types
Element          Description
Protocols        Defines protocols that you can use in an access rule.
User Sets        Defines a group of one or more users to which a rule will be explicitly applied, or which can be excluded from a rule.
Content Types    Provides common content types to which you may want to apply a rule.
Schedules        Allows you to designate hours of the week during which the rule applies.
Network Objects  Allows you to create sets of computers to which a rule will apply, or which will be excluded from a rule.
How to Configure Access Rule Elements
• ISA Server includes several default access rule elements.
How to Configure User Set Elements
• An access rule specifies which users will be allowed or denied access by the rule.
• To limit access to Internet resources based on users or groups, you must create a user set element.
• When you limit an access rule to specific users, users must authenticate before they are granted access.
• For each group of users, you can define the type of authentication required.
How to Configure User Set Elements
• All Authenticated Users: This set includes all users who have authenticated using any type of authentication.
• All Users: This set includes all users, both authenticated and unauthenticated.
• System and Network Service: This user set includes the Local System service and the Network service on the computer running ISA Server. This user set is used in some system policy rules.
How to Configure Content Type Elements
• Create a new content type element, or use one of the existing content type elements when you create an access rule.
• Content type elements define Multipurpose Internet Mail Extensions (MIME) types and file name extensions.
• When a client such as Microsoft Internet Explorer downloads information from the Internet using HTTP or File Transfer Protocol (FTP), the content is downloaded in either MIME format or as a file with a specified file name extension.
How to Configure Content Type Elements
• Content type elements apply only to HTTP and FTP traffic that is tunneled in an HTTP header.
• When a client requests HTTP content, ISA Server sends the request to the Web server.
• When the Web server returns the object, ISA Server checks the object’s MIME type or its file name extension, depending on the header information returned by the Web server.
• ISA Server determines if a rule applies to a content type that includes the requested file name extension, and processes the rule accordingly.
• ISA Server is preconfigured with the following content types: Application, Application data files, Audio, Compressed files, Documents, Hypertext Markup Language (HTML) documents, Images, Macro documents, Text, Video, and Virtual Reality Modeling Language (VRML).
How to Configure Schedule Elements
• Schedule elements configure access to the Internet based on the time of day.
• ISA Server includes the following default schedules:
– Weekends: Defines a schedule that includes all times on Saturday and Sunday.
– Work Hours: Defines a schedule that includes the hours between 09:00 (9:00 A.M.) and 17:00 (5:00 P.M.) on Monday through Friday.
How to Configure Network Objects
• Network objects define which Web sites or servers users can or cannot access.
• Networks:
– A network rule element represents a network, which is all the computers connected to it.
– Ex: Internal, External, Branch Office
• Network Sets:
– A network-set rule element represents a grouping of one or more networks.
– Ex: All Protected Networks
How to Configure Network Objects
• Computers:
– A computer rule element represents a single computer, identified by its IP address.
– Ex: DC1 (IP Address: 192.168.1.10)
• Address Ranges:
– An address range is a set of computers represented by a continuous range of IP addresses.
– Ex: All DCs (IP Address Range: 192.168.1.10 – 192.168.1.20)
How to Configure Network Objects
• Subnets:
– A subnet represents a network subnet, specified by a network address and a mask.
– Ex: Branch Office Network (IP Addresses 192.168.2.0/24)
• Computer Sets:
– A computer set includes a collection of computers identified by their IP addresses, a subnet object, or an address-range object.
– Ex: All DCs and Exchange Servers
How to Configure Network Objects
• URL Sets:
– URL sets specify one or more URLs grouped together to form a set.
– Ex: Microsoft Web Site (http://www.microsoft.com/*)
• Domain Name Sets:
– Domain name sets define one or more domain names as a single set, so that you can apply access rules to the specified domains.
Configuring ISA Server Authentication
• Authentication is required to limit access to Internet resources based on users or groups.
• ISA Server Authentication Options:
• Basic authentication:
– Basic authentication sends and receives user information as plaintext and does not use encryption.
• Digest authentication:
– Digest authentication passes authentication credentials through a process called hashing.
– Hashing creates a string of characters based on the password but does not send the actual password across the network, ensuring that no one can capture a network packet containing the password and impersonate the user.
• Integrated Windows authentication:
– Uses either the Kerberos version 5 authentication protocol or the NTLM protocol, neither of which sends the user name and password across the network.
• Digital certificates authentication:
– Requests a client certificate from the client before allowing the request to be processed.
– Users obtain client certificates from a certification authority that can be internal to your organization or a trusted external organization.
• Remote Authentication Dial-In User Service (RADIUS):
– RADIUS is an industry-standard authentication protocol.
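An added Python example, not from the slides and not ISA Server code, contrasting the Basic and Digest options above: what a captured Basic header contains versus the RFC 2617 Digest computation, with a constructed verifier that stores only the hash of the password and issues a fresh single-use nonce, so that a captured Digest response cannot simply be sent again. The realm, user name and password are sample values.

```python
import base64
import hashlib
import secrets

def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def basic_header(user, password):
    """Basic: user:password goes on the wire base64-encoded, which is encoding, not encryption."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def credentials_in_basic_header(header):
    """What a capture of a Basic header yields: the user name and the password itself."""
    user, _, password = base64.b64decode(header.split(" ", 1)[1]).decode().partition(":")
    return user, password

def digest_response(user, realm, password, nonce, method, uri):
    """RFC 2617 Digest without qop: response = MD5(HA1:nonce:HA2), with HA1 = MD5(user:realm:password)
    and HA2 = MD5(method:uri). The password feeds the hash but never itself appears on the wire."""
    ha1 = md5hex(f"{user}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")

class DigestServer:
    """Verifier side (constructed): keeps only HA1 per user and accepts each nonce it issued once."""
    def __init__(self, realm, users):
        self.realm = realm
        self.ha1 = {u: md5hex(f"{u}:{realm}:{p}") for u, p in users.items()}
        self.outstanding = set()

    def challenge(self):
        nonce = secrets.token_hex(16)       # fresh, unpredictable server nonce per challenge
        self.outstanding.add(nonce)
        return nonce

    def verify(self, user, nonce, method, uri, response):
        if user not in self.ha1 or nonce not in self.outstanding:
            return False                    # unknown user, or a nonce never issued / already used
        self.outstanding.discard(nonce)     # one use only: a replayed response fails
        ha2 = md5hex(f"{method}:{uri}")
        expected = md5hex(f"{self.ha1[user]}:{nonce}:{ha2}")
        return secrets.compare_digest(expected, response)
```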
ISA Server Clients and Authentication
• SecureNAT Clients:
– For SecureNAT clients, there is no user-based authentication.
– Restrict access to the Internet based only on network rules and other access rules.
– If an access rule requires authentication, SecureNAT clients will be blocked from accessing the resources defined by the rule.
• Firewall Clients:
– When ISA Server authenticates a Firewall client, it uses the credentials of the user making the request on the computer running the Firewall client.
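An added Python model, not ISA Server's own code or rule format, of how the access rule elements from the preceding slides combine: network objects (a network, a subnet and an address range), domain name sets, schedules and user sets, evaluated against a constructed ordered policy with first-match-wins and the default deny, including the SecureNAT case just described, where a request that carries no user can never satisfy a rule restricted to All Authenticated Users. Addresses, names, rules and times are sample values.

```python
import ipaddress
from datetime import datetime
from fnmatch import fnmatch
from urllib.parse import urlsplit

# Constructed rule elements in the shape the slides describe (not ISA Server's own format).
NETWORK_OBJECTS = {                                   # a network, a subnet and an address range
    "Internal": [ipaddress.ip_network("192.168.1.0/24")],
    "Branch Office Network": [ipaddress.ip_network("192.168.2.0/24")],
    "All DCs": list(ipaddress.summarize_address_range(
        ipaddress.ip_address("192.168.1.10"), ipaddress.ip_address("192.168.1.20"))),
}
DOMAIN_SETS = {"Microsoft": ["microsoft.com", "*.microsoft.com"], "Anywhere": ["*"]}
SCHEDULES = {                                         # datetime.weekday(): 0 = Monday
    "Always": lambda t: True,
    "Work Hours": lambda t: t.weekday() < 5 and 9 <= t.hour < 17,
    "Weekends": lambda t: t.weekday() >= 5,
}
USER_SETS = {                                         # user is None for a SecureNAT client
    "All Users": lambda u: True,
    "All Authenticated Users": lambda u: u is not None,
}
RULES = [  # constructed policy, evaluated top to bottom like the ISA firewall policy list
    {"name": "Block DC browsing", "action": "deny", "protocols": {"HTTP", "HTTPS"},
     "from": ["All DCs"], "to": ["Anywhere"], "users": "All Users", "schedule": "Always"},
    {"name": "Microsoft updates", "action": "allow", "protocols": {"HTTP", "HTTPS"},
     "from": ["Internal"], "to": ["Microsoft"], "users": "All Users", "schedule": "Always"},
    {"name": "Staff browsing", "action": "allow", "protocols": {"HTTP", "HTTPS"},
     "from": ["Internal"], "to": ["Anywhere"], "users": "All Authenticated Users",
     "schedule": "Work Hours"},
]
MONDAY_10AM, SATURDAY_10AM = datetime(2024, 1, 8, 10), datetime(2024, 1, 13, 10)  # sample times

def from_matches(client_ip, names):
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for name in names for net in NETWORK_OBJECTS[name])

def to_matches(url, names):
    host = urlsplit(url).hostname or ""
    return any(fnmatch(host, p) for n in names for p in DOMAIN_SETS[n])

def evaluate(client_ip, user, protocol, url, when, rules=RULES):
    """First matching rule wins; no match falls through to ISA Server's default deny."""
    for r in rules:
        if (protocol in r["protocols"] and from_matches(client_ip, r["from"])
                and to_matches(url, r["to"]) and USER_SETS[r["users"]](user)
                and SCHEDULES[r["schedule"]](when)):
            return r["action"], r["name"]
    return "deny", "Default rule"
```

Rule order matters: the deny rule for the domain controllers sits first, so a DC asking for a Microsoft site is refused even though the second rule would allow it.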
Configuring Access Rules for Internet Access
• What Are Access Rules
• How to Configure Access Rules