Thursday, December 19, 2013

Microsoft ISA Server 2000 Configuration And Policies Notes

ISA Server Configuration And Policies Notes For Cable Networks And Cafes Operators

IT KI DUNIYAA | Reading for information | Needs of All Students And learners

Source:- Google.com.pk

ISA Server Definition

ISA stands for Internet Security and Acceleration Server. ISA Server provides the two basic services of an enterprise firewall and a Web proxy/cache server. ISA Server's firewall screens all packet-level, circuit-level, and application-level traffic. The Web cache stores and serves all regularly accessed Web content in order to reduce network traffic and provide faster access to frequently accessed Web pages. ISA Server can also schedule downloads of Web page updates for off-peak times.

Install Windows 2000 Server or Advanced Server and install the following too:

1.Internet Explorer 6 SP1 or Later.

2.Service Pack 4 or Later.

3.Updated Antivirus (Kaspersky, NOD32 or MSE; MSE (Microsoft Security Essentials) is recommended because it is light and effective).

4.Update Windows with all critical updates.

5.Install a third party firewall (Sygate Personal Firewall Pro recommended because it can block communication on a MAC address basis and is an effective firewall). I recommend this step for advanced users only, as a wrong configuration will leave services not working.

6.Install a bandwidth monitor like DU Meter or configure MRTG for your Internet connection. (I have both.)

As ISA Server can be installed on a domain controller as well as on a standalone PC, here is the first tip for a LAN administrator: don't use a domain unless you want to run logon scripts on user accounts (you will save a lot of resources by installing ISA Server on a standalone server).

Installing ISA Server is not discussed here, but for those who can't do that either, just press Next repeatedly till you finish the setup. When setup ends it will start the wizard for ISA Server configuration; just press the Finish button without configuring through the wizard. After that go to the toolbar, click on View and select Advanced (doing this will change the GUI on the right side of ISA Server Management).

I have created/edited some scripts to make configuration of ISA Server much easier and faster, thanks to people like Jim Harrison and others on www.toolzz.com . I'm uploading these scripts too, but if you want to download them then go to http://207.226.41.252:83/scripts.zip .

These scripts are as follows:

1.Create content group (to make a complete content group for downloads blocking).

2.Set Application Settings (to block KaZaA-type applications, multi-MSN and some spyware applications, which waste bandwidth).

3.Java Sites (to make a destination set for some always-allowed downloading destinations like web SMS sites and Yahoo games and chat rooms).

4.Mail Sites (to make a destination set for some sites that should not be cached, to guarantee the freshness of their content).

5.Enable Routing (to make cache responses faster in peak hours).

6.Disable Routing (to go back to normal and keep cache contents fresh).

Close ISA Server Management and run the top four scripts (Create content group, Set Application Settings, Java Sites and Mail Sites). Now open ISA Management again and do these quick steps:

1.Go to Access Policy and expand it, right click on Protocol Rules and select New then Rule.. A new protocol rule wizard will start; name it ALLOW ALL and press Next repeatedly till the wizard ends. Now right click on Site and Content Rules and select New then Rule, name it ALLOW ALL (if there is any previous rule remove it), then press Next, tick Allow and press Next repeatedly till the wizard ends. Now right click on IP Packet Filters and select Properties; a new window will open. Remove the check from Enable Packet Filtering, press Apply and then OK. (With packet filtering disabled, ISA Server does no packet-level filtering on its external interface, so the host firewall from step 5 is what protects the server itself.)

2.Under Servers and Arrays you will see your server name; right click on it and select Properties. Go to Outgoing Web Requests and tick Configure listeners individually per IP address. Then put a check mark on Enable SSL listeners; above this check mark you will see a button captioned Add.., press it. A new window will open; select your server name from the Server combo box and select your server's LAN IP address from the IP address combo box. Remove the check from Integrated (a warning message will appear; just press OK) and repeat these steps again, but this time with the loopback IP address (127.0.0.1) in the IP address combo box. After pressing OK you will see two IP addresses in the space above the Add.. button. Now get out of it by pressing Apply and then OK.

3.Go to Client Configuration; you will see Web Browser and Firewall Client on your right. Double click on Web Browser, then in place of the DNS name put your server's IP address and press OK. Now double click on Firewall Client and tick IP Address rather than DNS name. Press OK.

4.Right click on H.323 Gatekeepers and select Add gatekeeper..; a new window will open, press OK.

5.Go to Network Configuration and expand it, right click on Local Address Table and select Construct LAT.. A new window will open; remove the first check, put a check on the local area interface IP address and press OK. Now right click on Routing and select New then Rule.. A new window will open; set the routing rule name as Other Sites and press Next, then select All Destinations Except Selected Set from the combo box and, in the combo box below it, select Mail Sites. Press Next; the Request Action window will appear, leave it as default and press Next. The Cache Retrieval Configuration window will appear; select the second option (any version of the object…) and press Next. The Cache Content Configuration window will appear; leave it as default, press Next and then press Finish.

We have to make another routing rule for Mail Sites, so right click on Routing and select New then Rule and name it Mail Sites. Press Next, then select Specified Destination Set from the combo box; a new combo box will appear below, select Mail Sites from it and press Next repeatedly till the wizard ends.

6.Go to Extensions and expand it, then left click on Application Filters; some filters will appear on the right. Right click on SOCKS V4 Filter and select Disable, then right click on HTTP Redirector Filter; a new window will appear, select the Options tab, tick the last option (Reject HTTP requests from…) and press OK.

7.Go to Monitoring Configuration and expand it, then right click on Report Jobs and select New then Report Job. A new window will appear; select Schedule, under Start Report Generation select At tomorrow's date and set a suitable time like 12:00, and below Recurrence Pattern select Generate every day. If ISA Server is installed on a Domain Controller, then set the credentials by selecting the Credentials tab and entering the Administrator ID, password and domain name.

8.Go to Cache Configuration and expand it, then select Drives; you will see the server name and cache size on your right. Double click on it and set the cache size to a minimum of 1GB. (Tip: try to build the cache on a physically separate drive, meaning a hard drive other than the one which has the operating system on it, and build the cache as large as you can.) After setting the cache size, right click on Cache Configuration and select Properties; a new window will appear. Select the HTTP tab, put a check on Enable HTTP caching, tick the fourth option (Set Time To Live..), enter 999 in This percentage of content age, and set 2 hours in the No less than combo box and 6 hours in the No more than combo box. Select the FTP tab, put a check on Enable FTP caching and set the time to live for all objects to 2 Days (you can increase the time). Select Active Caching, enable Active Caching and tick Less frequently. In the last tab, Advanced, you have four check boxes: put checks on the second and fourth boxes and remember to remove the checks from the first and third boxes. Press OK.

9.Go to Policy Elements and expand it, right click on Client Address Sets and select New then Set; name it LAN and enter the IP range of your LAN (like 192.168.0.1-192.168.0.254). Make another set, name it VIP and enter the IP addresses which are allowed to download all the time (first of all put the server's IP address).

10.Right click on Schedule and make a schedule suitable for your network (in my own network I blocked the downloads from
6PM-1AM and all Sundays).

11.Right click on Bandwidth Priorities and select New then Bandwidth Priority.. Name it Messengers, enter the Outbound and Inbound bandwidth as 200 and press OK. Make another one with the name Browsing and set both Outbound and Inbound to 100, then edit the Default Bandwidth Priority and set it to 1. Press OK.

12.Go to Bandwidth Rules, right click on it and select New then Rule and name it Messengers. Press Next; from the Apply this rule to combo box select Selected protocols and put checks on all your favourite messengers (like AOL, MSN, ICQ etc.). Press Next, leave the Schedule as default and press Next, leave Client Type as default and press Next, leave Destination Set as default and press Next, leave Content Group as default and press Next. In the Bandwidth Priority window tick Custom, select Messengers from the Name combo box, press Next and then Finish.

We have to make Bandwidth Rules for Downloading and Browsing too, so make another Bandwidth Rule, name it Browsing, select these protocols (HTTP, HTTPS), in HTTP contents select (Documents, HTML Documents, Images and Text) and set the bandwidth priority to Browsing; leave all unmentioned tabs as default. Finally make another Bandwidth Rule, name it Downloading, select these protocols (all HTTP and FTP protocols), in HTTP Contents select (Downloads), set the bandwidth priority to Default Bandwidth Priority and press Finish.

13.Now we have to block Downloading (as scheduled). Go to Access Policy and make a new Site and Content Rule, name this rule Block DL and press Next, tick the fourth option (Custom) and press Next, select All destinations except selected set from the Apply this rule to: combo box and select Java Sites from the Name combo box, then press Next. In the Schedule window select the schedule you have set in Policy Elements and press Next. In the Client Type window select the second option (Specified Computers..) and press Next. In the Client Sets window press the Add button, add LAN, press OK and then Next. In the Content Group window tick Only the following content types:, put a check on Downloads, and press Next and Finish. Double click on the created rule, select the Applies to tab, add VIP below under Exceptions, then press OK and OK again.

14.Right click on Protocol Rules and make a new rule and name it Block FTP. Set the action to Deny and the protocols to all FTP protocols, set the schedule as you set it in Policy Elements and set Applies To: to LAN with Exceptions to VIP, as we did in the Block DL rule.
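The Block DL and Block FTP rules above combine a client set with an exception set, a midnight-crossing schedule and a destination exception, which is easy to get subtly wrong in the wizard. The following is an added example (not ISA Server code and not from the original post) that models that policy so the intended behaviour can be checked against sample requests; the LAN range is the page's sample, and the Java Sites host names and the "Downloads" content type label are constructed stand-ins.

```python
"""Model of the Block DL / Block FTP rules from steps 9-14 (added example, not ISA code)."""
import ipaddress
from datetime import datetime, time

# Policy elements from step 9: LAN client set (sample range from the page) and VIP exceptions
# (the server's own address is the first VIP entry).
LAN_FIRST, LAN_LAST = ipaddress.ip_address("192.168.0.1"), ipaddress.ip_address("192.168.0.254")
VIP = {ipaddress.ip_address("192.168.0.1")}
# Java Sites destination set: always-allowed download destinations (constructed host names).
JAVA_SITES = {"websms.example", "games.yahoo.example"}
# Schedule from step 10: downloads blocked 18:00-01:00 every day and all day on Sundays.
BLOCK_START, BLOCK_END = time(18, 0), time(1, 0)


def in_lan(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return LAN_FIRST <= addr <= LAN_LAST


def rule_applies_to(ip: str) -> bool:
    """Applies To: LAN, with VIP listed under Exceptions."""
    return in_lan(ip) and ipaddress.ip_address(ip) not in VIP


def schedule_blocks(when: str) -> bool:
    """when is 'YYYY-MM-DD HH:MM'. The window crosses midnight, so a time is inside it
    when it is at/after the start OR before the end (not AND)."""
    dt = datetime.fromisoformat(when)
    if dt.weekday() == 6:  # Sunday: blocked all day
        return True
    t = dt.time()
    return t >= BLOCK_START or t < BLOCK_END


def block_dl(client_ip: str, dest_host: str, content_type: str, when: str) -> bool:
    """Site and Content Rule 'Block DL' (step 13). True means the deny rule matches; in ISA
    Server 2000 a matching deny rule wins over the ALLOW ALL rule from step 1."""
    if not rule_applies_to(client_ip):
        return False
    if dest_host in JAVA_SITES:      # all destinations except the Java Sites set
        return False
    if content_type != "Downloads":  # only the Downloads content group
        return False
    return schedule_blocks(when)


def block_ftp(client_ip: str, protocol: str, when: str) -> bool:
    """Protocol Rule 'Block FTP' (step 14): deny all FTP protocols on the same schedule."""
    return rule_applies_to(client_ip) and protocol.upper().startswith("FTP") and schedule_blocks(when)
```

Try a LAN client at 00:30 and again at 01:00 to see the midnight boundary, and the server's own address at any time to confirm the VIP exception.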

Now we have completed the configuration, but we still have to schedule the scripts (Enable Routing, Disable Routing) to run on a regular basis.
First copy these scripts to a safe location, then go to Scheduled Tasks in Control Panel and add tasks as follows:
Enable Routing.vbs at 12:00 every day
Disable Routing.vbs at 18:00 every day
Enable Routing.vbs at 21:00 every day
Disable Routing.vbs at 04:00 every day
This is what I found to be the best configuration a cable net operator could have; as I'm running it on my network I rarely found an unsatisfied user. I will be waiting for comments from all of you and we will continue to discuss the why, what and where of this configuration.
I tried to make the walkthrough easier for new users of ISA Server. It looks like a mess, but anyway it was the best I could do.
