How ISA Server restricts access, publishes internal resources, and handles system maintenance

Source: Internet
Author: User
Tags: iis, mail, save file, strong password, firewall

First, restrict Internet access

Create access rules and, in the access rule properties, limit the hours during which Internet access is allowed and restrict access to audio and video content.

Open access to internal network resources

Once the ISA firewall is deployed at the edge of the enterprise network, extranet users can no longer reach the internal network, including its network services and resources. To make a specific service reachable from outside, it has to be published through ISA.

Publish an internal SSL Web site

1. Create the SEC virtual directory on the Web site and enable SSL on it.

2. Configure the external DNS server.

3. Configure the internal DNS server.

4. Publish the DNS server: publish the external DNS server through ISA (or, for testing, add the corresponding host record to the hosts file of the external computer).

5. Set up a Certificate Server (install IIS, then install Certificate Services).

6. Create a certificate request file on the Web server. When requesting the certificate, the common name is critical: it must match exactly the domain name that extranet users type to reach the site. If it does not match, the browser displays a certificate error.

7. Submit the certificate request to the Certificate Server, log on to the Certificate Server, issue the certificate, and download it.

8. Install the certificate on the Web server (in IIS Manager, open the Web site properties, select "Directory Security", and process the pending certificate request).

9. Make the Web server and the ISA computer trust the CA (download the CA certificate chain on the Web server, import the chain file into the Web server's Trusted Root Certification Authorities store, then repeat the same steps on the ISA computer).

10. Export the Web site certificate to a file, including the private key.

11. Import the Web site certificate on the ISA computer (copy the exported certificate file to the ISA computer and import it there). After the import succeeds, browse from the ISA computer to "http://www.qq.com" and "https://www.qq.com/sec" to confirm that both the unencrypted and the encrypted pages load. If this fails, create an access rule on ISA that allows the Local Host network to reach the Internal network, and set the preferred DNS server of the ISA internal network adapter to the internal DNS server.

12. Publish the internal SSL Web site (create a Web publishing rule on ISA whose Web listener uses the imported certificate).

13. Test that the Web site has been published successfully (from an extranet PC, access "http://www.qq.com" and "https://www.qq.com/sec" and confirm that both the unencrypted and the encrypted pages load).
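Step 6 says the certificate common name must match the name extranet users type "exactly", and step 11 and step 13 fail with a certificate error when it does not. The following added example (not part of the original article) spells out the matching rule browsers apply, as described in RFC 2818 and RFC 6125: comparison is case-insensitive, SubjectAltName dNSName entries take precedence over the CN, a bare domain does not cover its subdomains, and a wildcard is honoured only as the entire leftmost label. The certificate names and the published host www.qq.com are constructed for illustration; a real check would read them from the issued certificate.

```python
"""Hostname check for a published SSL site (added example, constructed data)."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CertNames:
    """Names carried by a certificate; constructed here, not parsed from a real cert."""
    common_name: str
    san_dns: List[str] = field(default_factory=list)


def _name_matches(pattern: str, host: str) -> bool:
    """Compare one certificate name against the host the user typed."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    # RFC 6125: a wildcard is only accepted as the whole leftmost label
    # ("*.qq.com"), it must leave at least two fixed labels, and it matches
    # exactly one label, so "*.qq.com" does not cover "a.b.qq.com" or "qq.com".
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def names_checked(cert: CertNames) -> List[str]:
    """If any dNSName SAN is present the CN is ignored (RFC 6125 section 6.4.4)."""
    return list(cert.san_dns) if cert.san_dns else [cert.common_name]


def hostname_matches(cert: CertNames, public_host: str) -> bool:
    """True when the certificate is valid for the published public name."""
    return any(_name_matches(n, public_host) for n in names_checked(cert))


def explain_mismatch(cert: CertNames, public_host: str) -> Optional[str]:
    """None when the certificate fits the published name, otherwise the reason
    the browser would show a certificate error."""
    if hostname_matches(cert, public_host):
        return None
    return (
        "certificate names %s do not match published host %r; "
        "request a certificate whose CN/SAN is the public FQDN"
        % (names_checked(cert), public_host)
    )


if __name__ == "__main__":
    published = "www.qq.com"  # the name extranet users type (constructed)
    for cert in (
        CertNames("www.qq.com"),               # requested with the public name: OK
        CertNames("web01.corp.local"),         # requested with the internal server name
        CertNames("qq.com"),                   # bare domain does not cover www
        CertNames("www.qq.com", ["mail.qq.com"]),  # SAN present, CN ignored
        CertNames("*.qq.com"),                 # wildcard, leftmost label only
    ):
        print(cert.common_name, cert.san_dns, "->", explain_mismatch(cert, published) or "OK")
```

The fourth case is the one that catches people who reuse a certificate: once a SubjectAltName with DNS names is present, a matching CN no longer helps.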

Second, publish an internal Exchange SSL OWA Web site

1. Set up an Exchange 2007 mail server (install Exchange 2007 and confirm that users can reach the mail server through OWA).

2. Configure the extranet DNS server (configure MX records).

3. Configure the intranet DNS server (configure MX records).

4. Publish the DNS server (publish the extranet DNS server through the ISA firewall).

5. Set up a Certificate Server (log on to the mail server as an administrator, install and configure the Certificate Server as an Enterprise CA).

6. Configure the Web server certificate and export it (in IIS Manager, open the Default Web Site properties, create a new server certificate, then export it with its private key and set a password that protects the exported key).

7. Import the certificate on the ISA Server (copy the previously exported certificate to the ISA computer and import it there).

8. Configure ISA access rules (protocols "HTTP, HTTPS").

9. Establish certificate trust (the ISA Server and the Exchange Server must trust each other's certificates; this is done by importing the CA certificate chain on both).

10. Publish the mail server (create an Exchange Web Client Access publishing rule).

11. Verify that the mail server is published (access it through an OWA client).

Third, ISA system maintenance

Backup and recovery of ISA Server

ISA provides backup and recovery features that save the configuration so that it can be restored when the system fails.

What you can back up:

Entire ISA Server configuration

All networks, or one of the selected networks

All network rules, or one of the selected network rules

All content download jobs in the cache configuration, or one or more of the selected content download jobs

The entire firewall policy, or selected rules

...

(Note: when backing up a firewall policy, the system policy rules are not included by default. To back up the system policy, use the Export System Policy task.)

When to make a backup

Change cache size or location

Change firewall Policy

Change rule elements

Change the system policy

Change the network, such as changing network definitions or network rules

Delegating administrative rights or deleting delegates

(Regularly back up the ISA Server configuration that is specific to your network, such as local application filters, performance parameters, cached content, and log files. ISA Server cannot back up this information itself, but it can be backed up with the Windows operating system backup program.)

Performing an ISA backup


(You must be an enterprise administrator or enterprise auditor to back up the enterprise configuration, and an enterprise administrator to back up confidential information. Because the backup file contains sensitive information, it must be protected: specify a strong password so that the encrypted information in the file is properly protected. A password counts as strong only if it genuinely resists unauthorized access, that is, it cannot be guessed or brute-forced in practical time.)

Restoring the ISA configuration from a backup

Notes on restoring an array configuration:

You cannot back up one array's configuration and restore it to a different array or server.

An enterprise configuration backup cannot be restored to an array.

If the enterprise policy settings in effect when the backup was made differ from the current ones, the array configuration cannot be restored.

ISA Server log management

ISA provides a set of monitoring tools for tracking network status and ISA traffic.

The monitoring capabilities of ISA include:

Alerts

Sessions

Services

Reports

Connectivity verifiers

Logging

The ISA log is the record of ISA operation.

Log storage formats

MSDE database

SQL database

Files (ISA Server logs saved to files, either in World Wide Web Consortium (W3C) extended log file format or in ISA Server native format)

Configuring the log contents

Edit Filter: defines which log entries are displayed, so that the administrator sees the records that matter.

Configure Firewall Logging: selects which firewall-related fields are written to the log.

Configure Web Proxy Logging: selects which Web proxy fields are written to the log.
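When logs are saved as files in W3C extended format, the file is self-describing: "#" lines are directives, "#Fields:" names the columns, entries are whitespace-separated, quoted strings may contain spaces, and "-" marks an empty value. The following added example (not part of the original article) parses such a file and extracts the first thing an administrator usually wants from the firewall log: which clients are being denied, how often, and by which rule and port. This is also the kind of condition one would turn into an alert. The field names and log lines are constructed to resemble an ISA firewall log; they are not copied from a real server, and the actual field set depends on what is enabled under Configure Firewall Logging.

```python
"""W3C extended log parser with a denied-connection tally (added example, constructed data)."""
import shlex
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample resembling an ISA firewall log exported as a W3C file.
SAMPLE_LOG = """#Software: ISA Server (constructed sample)
#Version: 2.0
#Date: 2012-06-20 08:00:00
#Fields: date time c-ip s-ip cs-protocol cs-transport action rule dest-port
2012-06-20 08:00:01 10.0.0.15 192.168.1.2 HTTP TCP Allowed "Internet access" 80
2012-06-20 08:00:02 10.0.0.15 192.168.1.2 SMTP TCP Denied "Default rule" 25
2012-06-20 08:00:03 10.0.0.23 192.168.1.2 HTTPS TCP Allowed "Internet access" 443
2012-06-20 08:00:04 10.0.0.15 192.168.1.2 SMTP TCP Denied "Default rule" 25
2012-06-20 08:00:05 10.0.0.15 192.168.1.2 - TCP Denied "Default rule" 4444
2012-06-20 08:00:06 10.0.0.99 192.168.1.2 HTTP TCP Allowed "Internet access" 80
"""

Record = Dict[str, Optional[str]]


def parse_w3c(lines: Iterable[str]) -> List[Record]:
    """Turn W3C extended log lines into dicts keyed by the #Fields: names."""
    fields: List[str] = []
    records: List[Record] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Only #Fields: affects parsing; #Software, #Version, #Date are informational.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if not fields:
            raise ValueError("log entry appears before the #Fields: directive")
        values = shlex.split(line)  # honours double-quoted values such as "Default rule"
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line}")
        # "-" is the W3C placeholder for an empty field.
        records.append({k: (None if v == "-" else v) for k, v in zip(fields, values)})
    return records


def denied_by_client(records: List[Record], threshold: int = 2) -> Dict[str, Tuple[int, List[Tuple[str, str]]]]:
    """Clients with at least `threshold` Denied entries, with the (rule, port) pairs they hit."""
    counts: Counter = Counter()
    detail: Dict[str, set] = defaultdict(set)
    for r in records:
        if r.get("action") == "Denied":
            ip = r["c-ip"] or "unknown"
            counts[ip] += 1
            detail[ip].add((r["rule"] or "", r["dest-port"] or ""))
    return {ip: (n, sorted(detail[ip])) for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG.splitlines())
    print(f"{len(recs)} entries parsed")
    for ip, (n, hits) in denied_by_client(recs).items():
        print(f"{ip}: {n} denied connections, rules/ports hit: {hits}")
```

Keeping the parser driven by the "#Fields:" line rather than hard-coded column positions means the same code keeps working after the field set is changed under Configure Firewall Logging.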

ISA Server alerts

Alerts are used to monitor the occurrence of specific events. When a predefined event occurs, the system notifies the administrator in the manner the administrator has specified, so that appropriate action can be taken.

Create and configure new alerts (alerts can be created and configured based on the category and severity of the monitored events).

ISA Server reports

In addition to tracking security events through the logs, you can use ISA reports to track ISA activity.

What an ISA report can show:

Which users are accessing sites, and which sites are being visited

The most commonly used protocols and applications

General traffic patterns

Cache hit ratio

How reports work

The ISA reporting mechanism summarizes the logs on each ISA computer into a local summary database. When a report is generated, all relevant summary databases are merged into a single report database, and the report is produced from these merged summaries.

This article is from the "Hello_ Small Strong" blog; please retain this source when reproducing it: http://xiaozhuang.blog.51cto.com/4396589/913070
