Thanks to Ronald Beekelaar, the ISA Server Lab is so refined that I can complete this more complicated experiment with just a few changes.
Many readers have run into problems configuring ISA Server 2004 in a domain environment, mainly being unable to reference domain users in rules and failing DNS resolution. In this article I'll walk through configuring ISA Server 2004 using a sample domain environment. You will learn how to configure the ISA firewall in a domain, enable domain user authentication, configure internal clients, set up DNS forwarding on the domain controller, and create access rules.
The network topology structure of this experiment is shown in the following illustration:
This three-computer domain environment may look simple, but it is enough to simulate most of the steps involved in configuring ISA Server in a domain. The computers are:
- Denver (DC/DNS server)
FQDN: denver.contoso.com
IP: 10.2.1.2/24
Default gateway: 10.2.1.1
DNS: 10.2.1.2
Note: This is the domain controller. Its default gateway is the internal interface of the ISA Server, and its DNS points to itself.
- Florence (ISA Server 2004)
FQDN: florence (currently in a workgroup and not yet joined to the domain; I will join it to the domain in a later step)
(1) Internal interface:
IP: 10.2.1.1/24
Default gateway: none
DNS: 10.2.1.2
(2) External interface:
IP: 61.139.1.1/24
Default gateway: 61.139.1.1
DNS: none
Note: The IP settings on the ISA server need special care: DNS may be set only to the internal AD DNS server (and only on the internal interface), and the default gateway is configured only on the external interface, pointing to the external exit.
- Sydney (DNS/Web server)
FQDN: www.isacn.org
IP: 61.139.1.2/24
Default gateway: 61.139.1.1
DNS: 61.139.1.2
Note: This computer simulates the external DNS and Web servers. Later we will set up DNS forwarding on the internal DC so that DNS queries for names outside the domain are forwarded to this DNS server, and then access a Web site on this Web server by the domain name www.isacn.org.
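As an added illustration (not part of the original article), here is a small Python check that encodes the two interface rules above for the ISA host: default gateway only on the external interface, DNS only on the internal interface and only pointing at the AD DNS server. The function name, the dict layout and the deliberately broken second configuration are my own constructions.

```python
# Added example, not from the original article: encodes the interface rules the
# topology above relies on for the ISA host and checks a configuration against them.
import ipaddress

# Constructed sample: the ISA host (Florence) exactly as listed in the topology.
ISA_LAB_IFACES = {
    "internal": {"ip": "10.2.1.1/24", "gateway": None, "dns": ["10.2.1.2"]},
    "external": {"ip": "61.139.1.1/24", "gateway": "61.139.1.1", "dns": []},
}

def check_isa_interfaces(ifaces, ad_dns="10.2.1.2"):
    """Return a list of findings; empty means the settings follow the rules.

    Rules from the article's note on the ISA host:
      * the default gateway is set only on the external interface;
      * DNS is set only on the internal interface, and only to the AD DNS server.
    """
    findings = []
    internal, external = ifaces["internal"], ifaces["external"]
    internal_net = ipaddress.ip_interface(internal["ip"]).network
    if internal["gateway"] is not None:
        findings.append("internal interface must not carry a default gateway")
    if external["gateway"] is None:
        findings.append("external interface must carry the default gateway")
    if external["dns"]:
        findings.append("external interface must not list any DNS server")
    if not internal["dns"]:
        findings.append("internal interface must list the AD DNS server")
    for server in internal["dns"]:
        # Only the AD DNS server is allowed, and it must sit on the internal subnet.
        if server != ad_dns or ipaddress.ip_address(server) not in internal_net:
            findings.append(f"internal DNS {server} is not the AD DNS server {ad_dns}")
    return findings

def checked_lab():
    """The article's own addresses: expected to produce no findings."""
    return check_isa_interfaces(ISA_LAB_IFACES)

def checked_misconfigured():
    # Constructed counter-example: a gateway on the internal side and an external
    # DNS server on the external side, the two settings the article says to avoid.
    bad = {
        "internal": {"ip": "10.2.1.1/24", "gateway": "10.2.1.254", "dns": ["10.2.1.2"]},
        "external": {"ip": "61.139.1.1/24", "gateway": "61.139.1.1", "dns": ["61.139.1.2"]},
    }
    return check_isa_interfaces(bad)

if __name__ == "__main__":
    print("lab config:", checked_lab() or "OK")
    print("bad config:", checked_misconfigured())
```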
In this article, we will configure the ISA Server 2004 firewall for the internal domain in the following steps:
- Install the ISA firewall on a stand-alone server;
- Join the ISA firewall computer to the domain;
- Grant Domain Admins full ISA control on the ISA firewall;
- Create an access rule allowing authenticated Domain Admins all outbound protocols;
- Test the access rule by accessing an external Web server via its IP address;
- Set up DNS forwarding on the internal AD DNS server;
- Create an access rule allowing all users on the internal network to access external DNS;
- Test forwarding of internal DNS resolution requests and access external Web sites by domain name;
- Configure the ISA firewall to allow access to external sites.
1. Install the ISA firewall on a stand-alone server
The installation of ISA Server 2004 is covered in several other articles and is not repeated here. For the topology of this experiment, when the setup wizard asks for the internal network, it is enough to select the internal network adapter via Add Adapter. Once installed, the internal network is shown in the following illustration:
At this point the firewall policy contains only the default rule:
Although only the default rule exists, the ISA firewall's system policy allows the ISA firewall itself to access domain services, so it can still reach the internal domain.
2. Join the ISA firewall computer to the domain
Now we need to add Florence to the internal domain. Log on to Florence with the local admin account, right-click My Computer and open System Properties; on the Computer Name tab, click Change. In the Computer Name Changes dialog that appears, select Domain under "Member of", enter the internal domain name contoso.com, and click OK.
The system will then prompt for an account that has permission to join the domain; enter the domain Administrator account and password and click OK.
If the credentials are verified, a "Welcome to the contoso.com domain" dialog box appears; click OK.
You will be prompted to restart the computer; click OK and restart the ISA firewall computer.
3. Grant Domain Admins full ISA control on the ISA firewall
Because I installed ISA Server 2004 first and joined the domain afterwards, the domain administrator does not have administrative permissions on ISA Server. If the computer is joined to the domain first and ISA Server is installed afterwards, the domain administrator already has full administrative rights and this step can be omitted.
Now we grant Domain Admins full administrative control of ISA Server:
First log on to the ISA computer using the local admin account.
Open the ISA Management console, click General, and then click Administration Delegation in the right-hand panel.
The ISA Server Administration Delegation Wizard appears; click Next.
On the Delegate Control page, click Add.
In the Administration Delegation dialog box, click Browse.
In the Select User or Group dialog box, enter contoso\domain admins and click OK.
Because you are logged on with a local account that has no rights to browse the contoso domain, the system prompts for an account with rights in contoso.com; enter the domain administrator account and click OK.
Click OK on the Administration Delegation page.
On the Delegate Control page, click Next.
On the Completing the Administration Delegation Wizard page, click Finish.
4. Create an access rule allowing authenticated Domain Admins all outbound protocols
Now we can log on using the Domain Admin account.
Open the ISA Management console, right-click Firewall Policy, and click New, then Access Rule.
On the New Access Rule Wizard page, enter a name for the rule; here we name it Allow Domain Admins access External, then click Next.
On the Rule Action page, select Allow and click Next.
On the Protocols page, select All outbound traffic and click Next.
On the Access Rule Sources page, select Internal and click Next.
On the Access Rule Destinations page, select External and click Next.
On the User Sets page, remove the default All Users entry and click Add.
In the Add Users dialog box, click New.
On the Welcome to the New User Set Wizard page, enter the user set name, which we name Domain Admins, and click Next.