Complete Set of ISA Server installation settings

Source: Internet
Author: User
Tags: server, array

ISA Server user guide

As use of the Internet keeps expanding, security and performance face new challenges. The software that once merely gave us proxy services has gradually proved inadequate for our requirements. What to do? We chose to look for new software and solutions for enterprise Internet access. In the long run we need more than a proxy through which employees reach the outside world, see what is out there and learn about a fast-changing market as early as possible: we not only want to understand the world on our own initiative, we also want the world to understand us. Naturally, at that point security and performance receive ever more attention from enterprises and users. And the reason a company's network administrators are forced to hunt for better proxy software is that the stability of proxy software falls almost exponentially as the number of users and the volume of traffic grow. I have tried quite a few proxy servers, each in use for more than a month, and none was very satisfactory.

Summary

Sysgate: functions too simple, efficiency not very high, stability acceptable;

Wingate: moderate functionality, good speed and efficiency, poor stability;

WinRoute: moderate functionality, high speed and efficiency, good stability;

CCProxy: good speed, but there are always some problems;

Internet Connection Sharing: features too simple, but efficient and stable;

Let me describe our unit's situation in general. An 8 M leased-line ADSL connection to the Internet, two HP servers, the network center running M to the desktop, and the whole enterprise network fully switched. Within the enterprise, machines in every department need Internet access, about 200 department machines in all. There are also 4 data centers with about 200 machines in total. We need to be able to control, at any time, which departments can access the Internet and how much Internet bandwidth those departments get, and to control flexibly, at any time, whether a data center can access the Internet. We also want to set up several web and FTP sites inside the enterprise and publish them to the Internet through this proxy server, so that people on the Internet can reach these resources...... After using the proxies listed above I gradually grew disappointed. Was there really no proxy server that would satisfy me? In the end I turned to Internet Security and Acceleration Server, the proxy server released by Microsoft.

First of all, I am definitely not a Microsoft shill, and Microsoft would never hire me as one. Either way, after reading about the ISA features below you will not feel that I am boasting about anything.

Internet Security and Acceleration (ISA) Server is the upgraded successor of Microsoft Proxy Server on Windows NT 4.0. It fixes many of its predecessor's security and cache defects and offers a faster, safer, more intuitive and easier-to-manage system. It also integrates an enterprise-level firewall with a high-performance caching mechanism; in other words, the software is not just a proxy but also functions as a firewall.

ISA Server can be installed in one of three modes: cache mode, firewall mode and integrated mode. When the network connects directly to the Internet through ISA and the company's internal hosts need protection, firewall or integrated mode is what you need. Many enterprises, however, have no Internet-facing hosts of their own or already sit behind an external firewall and simply want to speed up traffic between networks; for them cache mode is the ideal choice.

So what services does ISA provide to you?

Multi-layer firewall security

Firewalls can enhance security in several ways, including packet filtering, circuit-layer filtering and application filtering. An advanced enterprise firewall such as the one in ISA Server combines all three methods to protect at multiple network layers, giving enterprises the highest return on the lowest investment.

Stateful inspection

Stateful inspection examines data and connection state in the context of the firewall's protocol handling. At the packet layer, ISA Server checks the source and destination given in the IP header, and the port in the TCP or UDP header that identifies the network service or application in use.

Dynamic packet filtering opens ports only in response to user requests and keeps them open only as long as the request needs, which reduces attacks that exploit open ports. ISA Server can dynamically determine which packets may be passed on to the internal network's circuit-layer and application-layer services. An administrator can configure access policy rules so that a port is enabled automatically only when communication begins and disabled again when it ends. This process, called dynamic packet filtering, minimizes the number of ports exposed in either direction and gives the network greater security with fewer problems.
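The following is a toy model of the dynamic packet filtering described above, added here as an illustration; it is not ISA Server code and does not reflect its internals. An outbound request from an internal host records a flow, replies are admitted only if they match that flow exactly, and the entry disappears when the flow closes or goes idle. The internal prefix, the addresses and ports, and the 60-second idle timeout are all constructed values.

```python
"""Toy model of dynamic packet filtering: an outbound request from an internal
client opens a return path only for the matching reply flow, and the entry is
removed when the flow closes or goes idle.
Added example, not ISA Server code; addresses, ports and the timeout are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    fin: bool = False      # True marks the last packet of a flow


class DynamicPacketFilter:
    """Stateful filter keyed on the 5-tuple of flows that internal hosts opened."""

    def __init__(self, internal_prefix, idle_timeout=60):
        self.internal_prefix = internal_prefix   # e.g. "192.168." (assumed local address range)
        self.idle_timeout = idle_timeout         # seconds; assumed value
        self.flows = {}                          # 5-tuple -> time of last activity

    def is_internal(self, ip):
        return ip.startswith(self.internal_prefix)

    def handle(self, pkt, now):
        """Return 'allow' or 'drop' for pkt seen at time `now` (seconds)."""
        self._expire(now)
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)

        if self.is_internal(pkt.src) and not self.is_internal(pkt.dst):
            # Outbound request: open (or refresh) the flow so replies can come back.
            self._touch(key, now, pkt.fin)
            return "allow"

        if reverse in self.flows:
            # Inbound packet that answers a flow an internal host opened.
            self._touch(reverse, now, pkt.fin)
            return "allow"

        # Unsolicited inbound traffic: no internal request opened this port.
        return "drop"

    def _touch(self, key, now, closing):
        if closing:
            self.flows.pop(key, None)      # close the window as soon as the flow ends
        else:
            self.flows[key] = now

    def _expire(self, now):
        stale = [k for k, last in self.flows.items() if now - last > self.idle_timeout]
        for k in stale:
            del self.flows[k]

    def open_client_ports(self):
        """Client-side ports currently reachable from outside (useful for monitoring)."""
        return sorted({sport for (_, sport, _, _, _) in self.flows})


def demo():
    """Constructed packet sequence; returns the filter's decision for each packet."""
    f = DynamicPacketFilter("192.168.")
    sequence = [
        (Packet("192.168.3.10", 1234, "203.0.113.5", 80), 0),             # request goes out
        (Packet("203.0.113.5", 80, "192.168.3.10", 1234), 1),             # matching reply
        (Packet("203.0.113.5", 80, "192.168.3.10", 1235), 1),             # wrong client port
        (Packet("198.51.100.9", 80, "192.168.3.10", 1234), 1),            # wrong peer
        (Packet("203.0.113.5", 80, "192.168.3.10", 1234, fin=True), 2),   # reply that closes the flow
        (Packet("203.0.113.5", 80, "192.168.3.10", 1234), 3),             # flow is gone
    ]
    return [f.handle(pkt, t) for pkt, t in sequence]


def idle_demo():
    """A flow left idle longer than the timeout no longer admits replies."""
    f = DynamicPacketFilter("192.168.", idle_timeout=60)
    f.handle(Packet("192.168.3.10", 5000, "203.0.113.5", 80), 0)
    return f.handle(Packet("203.0.113.5", 80, "192.168.3.10", 5000), 100)


if __name__ == "__main__":
    print(demo())        # ['allow', 'allow', 'drop', 'drop', 'allow', 'drop']
    print(idle_demo())   # drop
```

The point of the model is the third and fourth packets: both arrive from the outside on port 80, but neither matches a flow an internal host opened, so the "open port" that exists for the first client is not usable by anyone else.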

Integrated Intrusion Detection

ISA Server incorporates technology from Internet Security Systems to help administrators identify common network attacks such as port scanning, WinNuke and Ping of Death, and ISA can respond to them automatically. This technology gives ISA Server an integrated intrusion detection mechanism that recognizes such attacks. When an attack is identified, the alert also specifies the action ISA Server should take, including sending an email or pager message to the system administrator, stopping the Firewall Service, writing to the System Event Log, or running any program or script.
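To make the "identify the attack, then run the configured alert action" pattern concrete, here is an added example of port-scan detection run over a few constructed firewall log lines. It is not ISA Server's detector: the log format, the threshold of 10 distinct ports within a 30-second window, the addresses, and the way alert actions are recorded rather than executed are all assumptions made for the illustration.

```python
"""Port-scan detection over constructed firewall log lines: identify the attack,
then run the configured alert actions (log, email, stop firewall).
Added example, not ISA Server's detector; log format, threshold, window and
addresses are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SCAN_PORT_THRESHOLD = 10                 # distinct ports from one source (assumed)
SCAN_WINDOW = timedelta(seconds=30)      # sliding window (assumed)

# Constructed log, one packet per line: "date time action src dst proto dport".
# 203.0.113.7 walks through ports; 198.51.100.9 just uses the web server.
SAMPLE_LOG = """\
2024-01-08 09:00:00 drop 203.0.113.7 192.168.0.1 tcp 21
2024-01-08 09:00:00 drop 203.0.113.7 192.168.0.1 tcp 22
2024-01-08 09:00:01 drop 203.0.113.7 192.168.0.1 tcp 23
2024-01-08 09:00:01 drop 203.0.113.7 192.168.0.1 tcp 25
2024-01-08 09:00:02 allow 198.51.100.9 192.168.0.1 tcp 80
2024-01-08 09:00:02 drop 203.0.113.7 192.168.0.1 tcp 53
2024-01-08 09:00:03 drop 203.0.113.7 192.168.0.1 tcp 80
2024-01-08 09:00:03 allow 198.51.100.9 192.168.0.1 tcp 80
2024-01-08 09:00:04 drop 203.0.113.7 192.168.0.1 tcp 110
2024-01-08 09:00:04 drop 203.0.113.7 192.168.0.1 tcp 135
2024-01-08 09:00:05 drop 203.0.113.7 192.168.0.1 tcp 139
2024-01-08 09:00:05 allow 198.51.100.9 192.168.0.1 tcp 80
2024-01-08 09:00:06 drop 203.0.113.7 192.168.0.1 tcp 443
2024-01-08 09:00:07 drop 203.0.113.7 192.168.0.1 tcp 445
"""


def parse_line(line):
    date, clock, action, src, dst, proto, dport = line.split()
    return datetime.fromisoformat(f"{date} {clock}"), action, src, dst, proto, int(dport)


class PortScanDetector:
    def __init__(self, threshold=SCAN_PORT_THRESHOLD, window=SCAN_WINDOW,
                 actions=("log",)):
        self.threshold = threshold
        self.window = window
        self.actions = actions               # "log", "email", "stop_firewall" (recorded, not executed)
        self.recent = defaultdict(deque)     # src -> (time, dport) pairs inside the window
        self.alerted = set()                 # one alert per source
        self.events = []                     # what the alert actions produced

    def observe(self, line):
        """Feed one log line; return the source address if it triggered an alert, else None."""
        when, _action, src, _dst, _proto, dport = parse_line(line)
        q = self.recent[src]
        q.append((when, dport))
        while q and when - q[0][0] > self.window:
            q.popleft()                      # forget hits older than the window
        ports = {p for _, p in q}
        if len(ports) >= self.threshold and src not in self.alerted:
            self.alerted.add(src)
            self.respond(src, when, sorted(ports))
            return src
        return None

    def respond(self, src, when, ports):
        """Run the configured alert actions; here each action only records what it would do."""
        stamp = when.strftime("%Y-%m-%d %H:%M:%S")
        for act in self.actions:
            if act == "log":
                self.events.append(f"{stamp} PORT_SCAN src={src} ports={ports}")
            elif act == "email":
                self.events.append(f"MAIL admin: port scan from {src} ({len(ports)} ports)")
            elif act == "stop_firewall":
                self.events.append("ACTION stop Firewall Service")


def run(log=SAMPLE_LOG, actions=("log", "email")):
    """Replay the log; return (sources that raised an alert, recorded alert actions)."""
    d = PortScanDetector(actions=actions)
    alerts = [s for s in (d.observe(l) for l in log.splitlines() if l.strip()) if s]
    return alerts, d.events


if __name__ == "__main__":
    for event in run()[1]:
        print(event)
```

With the constructed log, the tenth distinct port from 203.0.113.7 (443, at 09:00:06) crosses the threshold and produces one log entry and one mail record; the repeated port-80 connections from 198.51.100.9 never do, which is the distinction a scan detector has to make to avoid paging the administrator about ordinary traffic.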

High-performance Web Cache

ISA Server's Web cache has been completely redesigned so that the cache can be held in RAM; I know many current Wingate users would love such a cache. This high-performance Web cache offers stronger back-end scalability and faster overall response times for web clients. That matters for an enterprise, because employees need quick access to web content and the enterprise needs to conserve network bandwidth; this high-speed Web cache meets both needs.

Cache array Routing Protocol

ISA Server uses the Cache Array Routing Protocol (CARP), so an array of several ISA Server computers can provide seamless scaling and higher efficiency.

Active Cache

You can configure ISA Server to update objects in the cache automatically through a feature called active caching. With it, ISA Server refreshes content on its own initiative to optimize bandwidth usage: frequently accessed objects are updated during periods of low network traffic, before they expire.

Unified management

ISA Server builds on Windows 2000 security, Active Directory, VPN and the Microsoft Management Console (MMC). All of these, especially MMC, make management easier, because operators already know it and can manage both the firewall and the Web cache from one console.

Enterprise policy and Access Control

ISA Server also supports enterprise-level and local array policies for centralized or local enforcement. It can be installed as a standalone server or as an array member. For ease of management all array members share the same configuration; when the array configuration changes, every ISA Server computer in the array changes with it, including all access and cache policies.

Well, after all that, perhaps you are still unsure whether ISA Server can really do this. Let's take our enterprise as an example and walk through the installation, debugging and configuration of ISA in detail.

Getting started with ISA Installation

For this experiment we used ISA Server 2000 Enterprise Edition. Let's start the installation: select "Install ISA Server" here.

Here you are asked to enter the 10-digit CD Key. Enter it, click "OK" to confirm, and continue to the next step.

Faced with M$'s license agreement, what can you do besides clicking "I agree"? As for its content, I don't think it matters whether I read it.

Here the program prompts for the installation path and installation type. I chose "Full installation", since even a full installation needs only 24.5 MB of space and installs quickly, so I recommend full installation.

If your computer is a standalone server rather than a domain controller, ISA will warn you here. If you do not intend to configure an ISA Server array you can ignore the warning and simply click "Yes".

This is where you choose among the three ISA working modes mentioned earlier. I chose "Integrated mode".

If IIS is already installed, ISA will tell you that it is about to shut down port 80, which IIS uses, because ISA takes port 80 for its exclusive use; this is also a security consideration. As everyone knows, a successful intruder needs nothing more than port 80 to format your hard disk. That is no exaggeration; it is true. If you really must run web services on this machine, you will have to make do with other ports, but note that ports 80 and 8080 cannot be used, because ISA forcibly occupies both.

We will come back to your web services later; we have an almost perfect solution for them.

Select the disk and the capacity for the cache. We are now in the broadband era, so we recommend not making the cache too large; allocate it according to your actual usage. Isn't it better to make use of the network itself? Here we set 100 MB.

Here ISA asks you to set the local IP address range. We are dividing a Class B subnet, so our IP range is 192.168.0.1 ~ 192.168.5.255. Small and medium networks usually use 255.255.255.0 as the mask and 192.168.0.x as the addresses; add the segment that matches your local network. Then click "OK" and proceed to the next step.

Wait for the system to copy the necessary program files.

At this point ISA is basically installed; what remains is configuration. The system asks whether to run the configuration wizard. We recommend not using it, because we don't actually use some of its features. Clear the "Start ISA Server Getting Started Wizard" check box and click "OK".

Congratulations, Your ISA server has been installed successfully.

Now choose Start > Programs > Microsoft ISA Server > ISA Management.

In the management window, under the server name node (here "bluewolf"), select "Monitoring" and then "Services". Three services appear on the right; since I installed integrated mode, there are three. Make sure all three run normally so that every ISA function is available. If a service cannot be started normally, ISA needs to be reinstalled: uninstall ISA, check whether other services on the system are occupying resources ISA needs, stop the services you don't use, and then install ISA again. You can use the log, or experience, to determine why a service fails; such problems are generally caused by software conflicts.

Now that all services are started, let's make the most basic settings on this ISA. First make sure clients can reach the Internet normally; then we'll add restrictions and the rest.

By default ISA is a software firewall that lets nothing through. Now we need to allow ISA to let all internal applications reach resources on the Internet.

Expand "Access Policy", right-click "Protocol Rules", and choose "New" > "Rule...". Then proceed with the settings step by step.

Enter the name of the protocol rule here. Choose whatever suits your needs and preferences; here we use "Allow to Internet".

Here you choose what this protocol rule does. There are two options, "Allow" and "Deny". We want machines on the LAN to reach the outside, so select "Allow".

Here you choose which IP traffic the rule applies to. We impose no restriction for now (we can change it later): select "All IP traffic" to let all IP traffic pass.

Here is the time period in which the protocol rule takes effect. You can set the date and time range as needed; for example, you can make the rule effective only during working hours from Monday to Friday and all day on weekends, which is very flexible. For now, pick from the drop-down box and wait until we make detailed changes later: select "Always".

Here you specify which clients may pass through this rule. We won't limit it now; after defining the groups we will come back and modify it.

OK! The protocol rule is configured. Click "Finish".

Now that the rule exists we can use this ISA proxy to reach the Internet. Find a client, open IE, go to Tools > Internet Options > Connections > LAN Settings > Proxy server, enter the internal LAN IP address of the ISA server and port 8080, then confirm and save. The client can now browse the Internet (provided, of course, that ISA itself is connected to the Internet).

For other services I suggest installing the ISA client. After installing ISA Server you will find a shared directory under the installation directory; copy it and install the software on the other machines so that they can use all the services.

But there is another problem: QQ cannot connect! This has to be sorted out. QQ is a genuine "Made in China" product, so ISA does not ship a protocol rule for it; we have to add the protocol definition ourselves. After three days of research we finally worked out QQ's send and receive ports. Follow along below.

Now let's define the port so that QQ data can pass smoothly. Expand "Policy Elements", select "Protocol Definitions", right-click it and choose "New" > "Definition".

Enter the definition name here; we use "Tencent QQ".

In the next step we define the port number and protocol. QQ sends data to port 8000 on the server (outbound, from ISA's point of view) over UDP, so set it as shown in the figure below. Next.

The settings here are a little more complex. The default QQ client uses port 4000, and each additional QQ instance adds 1 to the port. This is the side on which the QQ client receives messages, again over UDP. After setting it, click "OK" and "Next".

OK, the QQ definition is complete. Try it: QQ logs in with no perceptible delay at all, almost the same as dialing up locally. It really shows the speed!!!

ISA installation and configuration (advanced tutorial)

Restrict Internet clients by IP Address

In the protocol rule above, all clients are allowed to connect to the external Internet through this ISA. Now I want to classify clients and control which IP addresses can reach the Internet, and which cannot, at different times. How do we do that? Follow me.

First we need to define the groups. Expand "Policy Elements", select "Client Address Sets", right-click it and choose "New" > "Set...".

Enter a group name in the "Name" field; the description below is optional. Then add IP address ranges as needed. Here we use the 307 data center as an example; its IP range is 192.168.3.2 ~ 192.168.3.80. After adding it, check that it is correct and click "OK" to save.

Add the other groups the same way. See? These are the groups I added. Now let's allow only these groups to reach the Internet through ISA.

Now go back to "Protocol Rules" under "Access Policy", select the "Allow to Internet" rule we created on the right, right-click it and choose "Properties".

Switch to the "Applies To" tab and select "Client address sets specified below" in the middle. Then click "Add" to the right of the "Client sets" box below.

Select the groups just defined, click "Add" to move them all to the right-hand box, and click "OK" to save.

The selected groups are now listed here. Click "OK" and you're done! Any machine whose IP address is not in these groups can no longer access the Internet.

Control the time period for accessing the Internet

To make reasonable use of bandwidth and improve productivity, we can control on ISA the time periods in which these groups may access the Internet. Want to know how? Do it with me. Return to "Protocol Rules" under "Access Policy", select the "Allow to Internet" rule we created on the right, right-click it and choose "Properties".

In the window that appears, select the "Schedule" tab, then click the "New..." button.

At the top is a name; enter whatever you like. Below, I set that all staff may access the Internet from Monday to Friday, and all day on Saturday and Sunday. The settings are simple, so you can control them flexibly. Once you have checked them, click "OK" to confirm and save.
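The sections on client address sets, schedules and the QQ protocol definition describe policy elements that ISA combines into one allow/deny decision per request. The following added example models that combination in code so the interaction can be checked offline; it is not ISA Server code and not the author's configuration. The 307 data center range (192.168.3.2 ~ 192.168.3.80) and the QQ ports (UDP 8000 outbound, UDP 4000 and up inbound) come from the text; the weekday hours of 9 to 18, the upper bound 4010 for the QQ client port range, the extra "Allow QQ" rule, and the rule that a matching deny beats any allow are assumptions made for the example.

```python
"""Model of how ISA protocol rules, client address sets, schedules and protocol
definitions combine into an allow/deny decision.
Added example, not ISA Server code or the author's configuration; values taken
from the text are noted, everything else is an assumption."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address
from typing import List, Optional, Tuple


@dataclass
class ProtocolDefinition:
    name: str
    primary: Tuple[str, int, str]                  # (proto, port, direction)
    secondary: Tuple[Tuple[str, int, int, str], ...] = ()   # (proto, low, high, direction)

    def matches(self, proto, port, direction):
        if (proto, port, direction) == self.primary:
            return True
        return any(proto == s_proto and lo <= port <= hi and direction == s_dir
                   for s_proto, lo, hi, s_dir in self.secondary)


@dataclass
class ClientAddressSet:
    name: str
    ranges: List[Tuple[str, str]]                  # inclusive (first_ip, last_ip) pairs

    def contains(self, ip):
        a = ip_address(ip)
        return any(ip_address(lo) <= a <= ip_address(hi) for lo, hi in self.ranges)


@dataclass
class Schedule:
    name: str
    hours: dict                                    # weekday (0=Monday) -> (start_hour, end_hour), end exclusive

    def active(self, when):
        window = self.hours.get(when.weekday())
        return window is not None and window[0] <= when.hour < window[1]


@dataclass
class ProtocolRule:
    name: str
    action: str                                    # "allow" or "deny"
    protocols: Optional[List[ProtocolDefinition]]  # None = "All IP traffic"
    applies_to: Optional[List[ClientAddressSet]]   # None = any request
    schedule: Optional[Schedule]                   # None = "Always"

    def matches(self, client_ip, proto, port, direction, when):
        if self.applies_to is not None and not any(s.contains(client_ip) for s in self.applies_to):
            return False
        if self.schedule is not None and not self.schedule.active(when):
            return False
        if self.protocols is not None and not any(d.matches(proto, port, direction) for d in self.protocols):
            return False
        return True


def evaluate(rules, client_ip, proto, port, direction, when):
    """Default deny (nothing passes until a rule allows it). Assumption: a matching deny beats any allow."""
    matched = [r for r in rules if r.matches(client_ip, proto, port, direction, when)]
    if any(r.action == "deny" for r in matched):
        return "deny"
    return "allow" if any(r.action == "allow" for r in matched) else "deny"


# Policy elements from the text: the 307 data center set and the Tencent QQ definition.
LAB_307 = ClientAddressSet("307 data center", [("192.168.3.2", "192.168.3.80")])
QQ = ProtocolDefinition("Tencent QQ", ("udp", 8000, "outbound"),
                        secondary=(("udp", 4000, 4010, "inbound"),))   # 4000 + 1 per extra instance; upper bound assumed
WORK_HOURS = Schedule("work hours", {0: (9, 18), 1: (9, 18), 2: (9, 18), 3: (9, 18), 4: (9, 18),
                                     5: (0, 24), 6: (0, 24)})          # 9-18 on weekdays is an assumption

RULES = [
    ProtocolRule("Allow to Internet", "allow", None, [LAB_307], WORK_HOURS),
    ProtocolRule("Allow QQ", "allow", [QQ], [LAB_307], None),          # hypothetical extra rule, not on the page
]


def decisions():
    """Decisions for a few constructed requests (2024-01-08 is a Monday, 2024-01-13 a Saturday)."""
    monday_noon = datetime(2024, 1, 8, 12, 0)
    monday_night = datetime(2024, 1, 8, 20, 0)
    saturday_night = datetime(2024, 1, 13, 3, 0)
    return {
        "lab_http_workhours": evaluate(RULES, "192.168.3.10", "tcp", 80, "outbound", monday_noon),
        "lab_http_evening": evaluate(RULES, "192.168.3.10", "tcp", 80, "outbound", monday_night),
        "lab_qq_evening": evaluate(RULES, "192.168.3.10", "udp", 8000, "outbound", monday_night),
        "lab_qq_reply_evening": evaluate(RULES, "192.168.3.10", "udp", 4001, "inbound", monday_night),
        "other_http_workhours": evaluate(RULES, "192.168.4.10", "tcp", 80, "outbound", monday_noon),
        "lab_http_weekend_night": evaluate(RULES, "192.168.3.10", "tcp", 80, "outbound", saturday_night),
    }


def deny_precedence_demo():
    """A hypothetical deny rule for everyone overrides the allow rules above."""
    block_all = ProtocolRule("Block all", "deny", None, None, None)
    return evaluate(RULES + [block_all], "192.168.3.10", "tcp", 80, "outbound", datetime(2024, 1, 8, 12, 0))


if __name__ == "__main__":
    for name, verdict in decisions().items():
        print(f"{name}: {verdict}")
```

Running it shows the behaviour the two sections aim for: a 307 machine browses during work hours or at any time on the weekend, is refused web access on a Monday evening, and an address outside the set is refused even during work hours. The QQ reply on UDP 4001 is admitted only because the protocol definition lists the client-side port range as a secondary connection, which is the part of the definition the "more complex" second page of the wizard configures.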
