MCSE ISA Server 2000 document, part 12 (PDF)


Chapter 9 ISA VIRTUAL PRIVATE NETWORKS 303
APPLY YOUR KNOWLEDGE
Evaluation of Proposed Solution:
Which result(s) does the proposed solution produce?
A. The proposed solution produces the required
result but neither of the optional results.
B. The proposed solution produces the required
result and one of the optional results.
C. The proposed solution produces the required
result and both of the optional results.
D. The proposed solution does not produce the
required result.
6. CrystaBell Productions has hired you to improve communication security between their two locations. Each location has an ISA Server sitting between their internal private network and the Internet.
Required Result:
All communications between the offices must be
encrypted.
Optional Desired Results:
Either office can initiate the connection.
The best security algorithms should be used for
the job.
Proposed Solution:
Obtain server certificates and be sure they are loaded appropriately on the ISA Server computers. Use the VPN local and remote wizards on the corresponding ISA Servers to create VPN connections. Use all default settings, but select L2TP/IPSec as the tunnel type.


Evaluation of Proposed Solution:
Which result(s) does the proposed solution produce?
A. The proposed solution produces the required
result but neither of the optional results.
B. The proposed solution produces the required
result and one of the optional results.
C. The proposed solution produces the required
result and both of the optional results.
D. The proposed solution does not produce the
required result.
Answers to Review Questions
1. Making changes in authentication methods, for example, removing MS-CHAP, or requiring certificates or smart cards. See the sections, “Examining Wizard Results” and “Making Additional Configurations.”
2. Well, Sam could be requiring more restrictive authentication methods and setting up certificates and such. But those things can be done after the wizards. Actually, the wizard does one thing that Sam can’t do. The wizard creates a strong password for the user accounts and does not make this available. Any password that Sam uses must somehow be communicated to the person configuring the remote VPN endpoint. Even if Sam does both connections, he knows the password (the setup person knows the tunnel password). When the wizard creates the password, no one knows it. This is not to say that the wizard can create a stronger password than Sam, or that the password can’t be hacked, just that initially, the tunnel password is not available to anyone. See the section, “Using the Wizard.”
12 mcse CH09 6/5/01 12:07 PM Page 303
304 Part II CONFIGURING AND TROUBLESHOOTING ISA SERVER SERVICES
3. No static route has been created. See the section,
“Without the VPN Wizard.”
4. Each private network is using the same network.
Change one of the private networks to something
else. See the section, “Without the VPN Wizard.”
5. You must obtain certificates for the tunnel endpoints. You can do so by setting up MS Certificate Services and installing server certificates on each ISA Server. See the section, “Configuring Microsoft Certificate Services.”
6. Yes. The certificates must be from a source
trusted by both endpoints. See the section,
“Configuring Microsoft Certificate Services.”
Answers to Exam Questions
1. A. Using Windows VPN client software and configuring the ISA Server to allow client connections is the way to go. B is wrong because client systems cannot use the disk. C is wrong. It is not necessary to purchase third-party software. D is wrong. There are no other offices!
2. B. A is incorrect, there already is a VPN set up and they do not want to change it. C is incorrect, the ISA Server will not allow PPTP to pass-through by default. D is incorrect, they do not want to remove the existing gateways. See the section, “Configure VPN Pass-Through.”
3. D. A is incorrect. The wizard creates user accounts and passwords. B is incorrect. The wizard configures RRAS with user accounts. C is incorrect. The wizard does this. See the section, “Configure ISA Server as a VPN Endpoint.”
4. A. B and C are incorrect, the default sets up only the remote VPN as the initiator of the connection. PPTP is not as secure as L2TP/IPSec. See the section, “Configure ISA Server as a VPN Endpoint.”
5. B. Configuring server info on the alternative page during the wizard allows both sides to initiate a connection. C is wrong because PPTP is not as secure as L2TP/IPSec. See the section, “Local ISA VPN Wizard—Connection Receiver.”
6. C. Adding L2TP/IPSec makes the tunnel more
secure. See the section, “Local ISA VPN
Wizard—Connection Receiver.”
Suggested Readings and Resources
Thaddeus Fortenberry. Windows 2000 Virtual Private Networking. New Riders Publishing, 2001. ISBN: 1-57870-246-1.
Roberta Bragg. Windows 2000 Security, Chapters 4, 15, and 17. New Riders, 2000. ISBN: 0-7357-0991-2.
Microsoft Windows 2000 Server Internetworking Guide, a book in the Windows 2000 Resource Kit. Microsoft Press, 2000. Chapter 6, “Demand-Dial Routing,” and Chapter 9, “Virtual Private Networking.” ISBN: 1-57231-805-8.
Microsoft Windows 2000 Server Distributed Systems Guide, a book in the Windows 2000 Resource Kit. Microsoft Press, 2000. Chapter 14, “Cryptography for Network and Information System Security,” and Chapter 16, “Windows 2000 Certificate Services and Public Key Infrastructure.” ISBN: 1-57231-805-8.
“Virtual Private Networking, an Overview,” white paper at …/windows2000/library/howitworks/communications/remoteaccess/vpnoverview.asp.
“Windows 2000 Virtual Private Networking Supporting Interoperability,” a white paper at …/howitworks/communications/remoteaccess/l2tp.asp.
“Windows 2000 Virtual Private Networking Scenario,” a white paper at …/howitworks/communications/remoteaccess/w2kvpnscenario.asp.
PART III
CONFIGURING, MANAGING, AND TROUBLESHOOTING POLICIES AND RULES
10 Firewall Configuration
11 Manage ISA Server in the Enterprise
12 Access Control in the Enterprise
CHAPTER 10
Firewall Configuration
OBJECTIVES
This chapter covers the following Microsoft-specified objectives for the Configuring, Managing, and Troubleshooting Policies and Rules section of the Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server 2000 exam:
Configure and secure the firewall in accordance with corporate standards.
• Configure the packet filter rules for different levels of security, including system hardening.
Packet filter rules are written to control communication between networks. The ISA Server, by default, does not allow any communication between its networks until some combination of the following allows access:
• Protocol rules and site and content rules—outbound access.
• Publishing rules—inbound access.
• Packet filters—inbound and/or outbound traffic.
• Routing rules—move packets from one interface to another.
The security administrator uses these objects to fulfill a security policy developed by management. System hardening consists of applying security features of the underlying operating system and then supporting their configuration by applying appropriate packet filters and other mechanisms that can keep that configuration stable.
OUTLINE
Introduction 311
Understanding Packet Filters 312
Configuring Packet Filter Rules 312
  Examining Default Packet Filters 313
  Configuring New Packet Filters 314
  Configuring/Enabling IP Packet Filter Properties 316
Configuring and Using Application Filters/Extensions 318
  FTP Access Filter 318
  HTTP Redirector Filter 319
  RPC Filter 320
  SOCKS V4 Filter 321
Configuring for System Hardening 321
  Pre-Installation Considerations, Lifetime Chores 321
  Authentication Rules 322
    Outgoing and Incoming Web Requests 322
    Authentication Methods 323
  The ISA Server Security Configuration Wizard 325
Special Considerations for Perimeter Networks 328
  Configuring the LAT 329
  Publishing Perimeter Network Servers 330
Troubleshooting Access 330
Chapter Summary 331
Apply Your Knowledge 332
  Exercises 332
  Review Questions 332
  Exam Questions 332
  Answers to Review Questions 334
  Answers to Exam Questions 334

STUDY STRATEGIES
• If you are not clear on the use of site and content rules, protocol rules, and publishing rules to allow and deny access through the firewall, revisit earlier chapters.
• Examine default packet filters and understand their meaning and use.
• Examine default application filters and understand their meaning and use.
• Keep the following question in your mind: When would I need to use packet filters?
• Go further than the exercises, create many packet filters, and test them. Did they respond the way you felt they should? Can you think of another way to obtain the same effect?
INTRODUCTION
Configure and secure the firewall in accordance with
corporate policies.
Make no mistake, the ultimate responsibility for information system security lies with management. That’s right. Although IT is charged with securing the information system infrastructure, it does so only at the direction and blessing of management. Management sets the policy; IT puts it into place.
It is important to realize this fact and determine the corporate policy for security before configuring and securing the firewall. What type of access to the Internet does policy allow? What types of externally originating communications are allowed to enter the internal network? If you do not know the answers to these questions, you cannot set the proper filters on the firewall, nor do you know how to set alerts or intrusion detection devices to let you know when attackers are present. You cannot simply use your own judgment as to what communications to block, which to allow, and which outside contact to get excited about. Although your knowledge of typical settings, warnings, bells and whistles is paramount to management’s understanding of the problem, it is management directive that colors your implementation.
That said, it is important to know how to put management’s plan into action on the ISA Server. Chapter 5, “Outbound Internet Access,” described how to use policy elements to construct site and content rules, and protocol rules to allow or deny internal users access to the Internet. Chapter 6, “ISA Server Hosting Roles,” illustrated how to provide access for external users to internal resources in the most secure fashion.
This chapter addresses the protection of the internal network from external access and covers these issues:
• Understanding packet filters
• Configuring packet filters
• Configuring and using application filters and extensions
• Configuring for system hardening
• Special considerations for perimeter networks
• Troubleshooting access
UNDERSTANDING PACKET FILTERS
Packet filters are written to allow or block the passage of packets on external interfaces (or perimeter network computers). Decisions are made based on the following information in the packet:
• Protocol and/or ports
• Direction (inbound, outbound, or both)
• The remote computer it came from or is directed to
These decisions can sometimes be accomplished by other means, and it is desirable to do so; however, there are situations where you must use packet filters:
• Publishing servers in a 3-homed perimeter network.
• Running services, such as mail servers and Web servers, on the ISA Server. Packet filters direct the traffic received for the appropriate port to the service.
• Running applications on the ISA Server that need to connect to the Internet. You create direct connections to the Internet for these applications.
• Using protocols other than UDP or TCP. The Web proxy service handles HTTP, HTTPS, and FTP. The Firewall service handles TCP and UDP. All others (examine the ICMP default filters) must be handled by packet filters.
CONFIGURING PACKET FILTER RULES
Configure the packet filter rules for different levels of
security, including system hardening.
Although packet filters are generally thought of as devices to control access from the outside, in practice they are used to control the transfer of packets in either direction. They examine the protocol used and allow or deny (drop the packet) its passage. Packet filtering is enabled by default in Firewall mode and in Integrated mode but not in Caching mode. (In Caching mode, access to external sites is managed using protocol rules and site and content rules.) When packet filtering is enabled, all packets on the external interface are dropped unless packet filters, access policy, or publishing rules allow them. To help you understand packet filters and how to use them to control access to your network, the following sections are provided:
• Examining Default Packet Filters
• Configuring New Packet Filters
• Configuring/Enabling IP Packet Filter Properties
EXAM TIP
IP Routing and Packet Filtering: If neither packet filtering nor routing is enabled, no rules are applied to incoming packets, and there is no security. Packet filtering alone causes the ISA Server to drop all packets on the external interface unless they are explicitly allowed. You can combine IP routing and packet filtering to route between the Internet and a 3-homed perimeter network. You should never enable IP routing and not enable packet filtering. In this case the ISA Server is no longer a firewall, but a router.
Examining Default Packet Filters
Because the default setup of ISA Server drops all packets at the external interface unless it’s configured to do otherwise, several default rules exist, including
• ICMP outbound. The ISA computer can send ICMP messages.
• ICMP ping response (in). The ISA Server can receive inbound ping responses.
• ICMP source quench. The ISA Server receives instructions to slow its packet-sending rate.
• ICMP timeout (in). The ISA Server can receive messages relating to timeouts, for example of ping requests.
• ICMP unreachable. The ISA Server can receive notice of an unreachable address.
• DHCP Client. The external interface can act as a DHCP client. This rule is disabled by default.
• DNS filter. Requests for DNS lookup can pass.
These default rules can be enabled or disabled by right-clicking on the rule and selecting Disable or Enable.
Configuring New Packet Filters
The New Filter wizard configures new rules. This wizard is run from the Access Policy\IP Packet Filters folder of the ISA Server Management console. To create a new packet filter, follow Step by Step 10.1.
STEP BY STEP
10.1 Creating a New Packet Filter
1. In the ISA Management Console, right-click Servers and Arrays\name\Access Policy\IP Packet Filters. Select New\Filter.
2. Enter a name for the new packet filter and click Next.
3. Select Allow Packet Transmission or Block Packet Transmission (see Figure 10.1). Click Next.
4. Select a predefined filter or a custom filter and click Next.
5. If Predefined is selected, select the filter from the drop-down box. Skip to step 7. Predefined filters are described in Table 10.1.
6. If Custom is selected, complete the Filter Settings page (see Figure 10.2). Choices are listed and described in Table 10.2. Click Next.
7. On the Local Computer page, select the IP address to which the packet filter is applied (see Figure 10.3). The choices are
• Default IP addresses for each external interface on the ISA Server computer. Data traveling through all external interfaces is inspected and the filter applied.
• This ISA server’s external IP address. Indicate the IP address of a particular ISA Server in the array, or of one of the ISA Server’s external IP addresses.
• This computer (on the perimeter network). If a perimeter network has been set up using a third network interface card, enter the IP address of the computer for which to filter traffic.
EXAM TIP
Packet Filter or Not? When should packet filters be used? Packet filters statically open ports. It is always preferable to open ports dynamically—when the request arrives. You use ISA Server access policy rules (site and content rules, protocol rules) to allow internal clients access to the Internet and create publishing rules to allow external clients access to internal servers. However, packet filters can be created when it is necessary to route data between networks. The firewall service can forward packets between networks without changing header information. Packet filters create the rules that determine what type of data can be routed where.
FIGURE 10.1
Allowing block transmission.
8. Click Next.
9. On the Remote Computers page, select the remote computers whose packets the filter applies to: either all remote computers, or the IP address of a particular computer. If a single computer is chosen, only packets with a source address of that computer will be blocked or allowed. Click Next.
10. Review your selections and click Finish.
TABLE 10.1
PREDEFINED FILTERS
Filter: direction and port. Description.
DNS lookup: UDP (protocol 17), send/receive, remote port 53. DNS lookup queries.
ICMP Query: inbound. ICMP ping queries.
PPTP call: inbound and outbound, port 47. Both PPTP call and PPTP receive are necessary when setting up ISA Server VPNs.
PPTP receive: inbound and outbound, port 47. Both PPTP call and PPTP receive are necessary when setting up ISA Server VPNs.
SMTP: inbound port 25. Access to internal SMTP mail.
POP3: inbound port 110. Access to internal POP3 servers.
Identd: inbound port 113. Access to an Identd server. An Identd service can be installed on the ISA server.
HTTP server (port 80): inbound port 80. Access to Web servers listening on port 80.
HTTPS server (port 443): inbound port 443. Access to Web servers available for SSL connections on port 443.
NetBIOS (WINS client only): both directions. Allows NetBIOS clients to access NetBIOS ports across the ISA Server.
NetBIOS (all): both directions. Allows access by all to NetBIOS ports across the ISA Server.
FIGURE 10.2
Complete the Custom Filter page.
FIGURE 10.3
Determine the IP address.
TABLE 10.2
CUSTOM FILTER SETTINGS
Setting: description. Choices.
IP Protocol: Select the protocol ID. Choices: Custom, Any, ICMP, TCP, UDP.
Number: If the IP Protocol is Custom, enter the protocol ID for the IP protocol. Other choices enter the appropriate number for you. Choices: enter the correct number if Custom; there is no choice otherwise.
Direction: In which direction is the packet going? Choices: Both, Inbound, or Outbound.
Local Port: Which port on the source (the ISA Server) will be used? Choices: All Ports, Fixed Port, Dynamic (1025–5000).
Port Number: A box exists for both Local Port and Remote Port. Enter the port number if the Fixed Port choice is made. Choices: enter the correct number if Fixed Port is chosen; no choice otherwise.
Remote Port: Which port on the destination computer will be used? Choices: All Ports, Fixed Port, Dynamic.
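The filter settings in Table 10.2, the remote-computer choice from the wizard, and the default filters listed earlier can be put together in a small model of how the external interface decides a packet's fate. This is an added example, not code from the book or from ISA Server; it assumes that a matching block filter overrides an allow filter, that ICMP filters can be narrowed by ICMP type, and it uses constructed addresses and assumed DHCP port numbers.

```python
# Added example (not from the book or from ISA Server): a model of static IP
# packet filter evaluation on the external interface. Filter fields follow
# Table 10.2 (protocol, direction, local port, remote port) plus the wizard's
# remote-computer choice. Assumptions: block filters take precedence over
# allow filters, ICMP filters may be narrowed by ICMP type, and the sample
# addresses, ports and DHCP port numbers below are constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

ICMP, TCP, UDP = 1, 6, 17            # IP protocol numbers used below
DYNAMIC_RANGE = (1025, 5000)         # the "Dynamic (1025-5000)" port choice
PortSpec = Union[str, int]           # "all", "dynamic", or a fixed port number


@dataclass(frozen=True)
class Packet:
    protocol: int
    direction: str                    # "inbound" (from the Internet) or "outbound"
    remote_ip: str
    local_port: Optional[int] = None  # port on the ISA Server side
    remote_port: Optional[int] = None
    icmp_type: Optional[int] = None   # 0 echo reply, 3 unreachable, 4 source quench,
                                      # 8 echo request, 11 time exceeded


@dataclass(frozen=True)
class PacketFilter:
    name: str
    action: str                       # "allow" or "block"
    protocol: Optional[int] = None    # None = "Any"
    direction: str = "both"           # "both", "inbound" or "outbound"
    local_port: PortSpec = "all"
    remote_port: PortSpec = "all"
    remote_ip: Optional[str] = None   # None = all remote computers
    icmp_type: Optional[int] = None   # None = any ICMP type
    enabled: bool = True

    @staticmethod
    def port_ok(spec: PortSpec, port: Optional[int]) -> bool:
        """Does a port satisfy an "All ports", "Dynamic" or "Fixed Port" setting?"""
        if spec == "all":
            return True
        if port is None:
            return False
        if spec == "dynamic":
            return DYNAMIC_RANGE[0] <= port <= DYNAMIC_RANGE[1]
        return port == spec

    def matches(self, pkt: Packet) -> bool:
        if not self.enabled:
            return False
        if self.protocol is not None and self.protocol != pkt.protocol:
            return False
        if self.direction != "both" and self.direction != pkt.direction:
            return False
        if self.remote_ip is not None and self.remote_ip != pkt.remote_ip:
            return False
        if self.icmp_type is not None and self.icmp_type != pkt.icmp_type:
            return False
        return (self.port_ok(self.local_port, pkt.local_port)
                and self.port_ok(self.remote_port, pkt.remote_port))


def evaluate(filters: List[PacketFilter], pkt: Packet) -> Tuple[str, str]:
    """Return (verdict, reason). With packet filtering enabled the external
    interface drops everything no enabled filter explicitly allows, and a
    matching block filter overrides any allow filter (assumption)."""
    hits = [f for f in filters if f.matches(pkt)]
    for f in hits:
        if f.action == "block":
            return "drop", f"blocked by '{f.name}'"
    for f in hits:
        if f.action == "allow":
            return "pass", f"allowed by '{f.name}'"
    return "drop", "no matching allow filter (default deny; access policy not modelled)"


# The default filters from "Examining Default Packet Filters".
DEFAULT_FILTERS = [
    PacketFilter("ICMP outbound", "allow", ICMP, "outbound"),
    PacketFilter("ICMP ping response (in)", "allow", ICMP, "inbound", icmp_type=0),
    PacketFilter("ICMP source quench", "allow", ICMP, "inbound", icmp_type=4),
    PacketFilter("ICMP timeout (in)", "allow", ICMP, "inbound", icmp_type=11),
    PacketFilter("ICMP unreachable", "allow", ICMP, "inbound", icmp_type=3),
    PacketFilter("DHCP Client", "allow", UDP, "both", 68, 67, enabled=False),  # ports assumed
    PacketFilter("DNS filter", "allow", UDP, "both", "all", 53),  # Table 10.1: remote port 53
]
# A predefined filter from Table 10.1 and a custom block filter for one remote host.
SMTP_FILTER = PacketFilter("SMTP", "allow", TCP, "inbound", 25)
BLOCK_ONE_HOST = PacketFilter("Block 203.0.113.7", "block", None, "inbound",
                              remote_ip="203.0.113.7")


def demo() -> List[Tuple[str, str]]:
    """Run constructed packets through the defaults plus the two added filters."""
    rules = DEFAULT_FILTERS + [SMTP_FILTER, BLOCK_ONE_HOST]
    packets = [
        Packet(ICMP, "inbound", "198.51.100.9", icmp_type=8),   # ping request: no filter allows it
        Packet(ICMP, "inbound", "198.51.100.9", icmp_type=0),   # ping reply: default allow
        Packet(UDP, "inbound", "198.51.100.53", 3200, 53),      # DNS reply to a lookup
        Packet(TCP, "inbound", "198.51.100.9", 25, 40001),      # SMTP from an ordinary host
        Packet(TCP, "inbound", "203.0.113.7", 25, 40002),       # SMTP from the blocked host
    ]
    return [evaluate(rules, p) for p in packets]


if __name__ == "__main__":
    for verdict, reason in demo():
        print(f"{verdict:4} {reason}")
```

The inbound ping request is dropped although a ping-response filter exists, which is the default-deny behaviour the text describes.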
Configuring/Enabling IP Packet Filter
Properties
Options such as enabling routing, intrusion detection, filtering of IP fragments, and allowing PPTP to pass through the firewall are configured from the property pages of the IP Packet Filter folder. Packet filter properties cannot be configured if ISA Server is installed in Caching mode. Properties and their effect are detailed in Table 10.3.
TABLE 10.3
IP PACKET FILTER PROPERTIES
Option (property page; default): description.
Enable Packet Filtering (General; enabled): Use packet filters to control inbound and outbound access.
Enable Intrusion Detection (General; disabled): Allow the use of preconfigured intrusion detection filters.
Enable IP Routing (General; disabled): Allow IP routing. Note that this cannot be enabled unless Packet Filtering is enabled.
Enable Filtering of IP Fragments (Packet Filters; disabled): Allows filtering of IP fragments. All IP fragments are dropped. This blocks a well-known attack, which sends fragmented packets and then reassembles them in a harmful way. Do not enable if video streaming is allowed through the ISA Server.
Enable Filtering IP Options (Packet Filters; disabled): Refuses all packets with the words “IP Options” in the header.
Log Packets From “Allow” (Packet Filters; disabled): All packets that pass through the ISA Server can be logged. Normally, all dropped packets are logged and all “allow” packets are not logged. Selecting this option logs them, creating additional load on the ISA Server resources.
Intrusion Detection Parameters (Intrusion Detection; disabled): This option is fully described in the section, “Configuring Intrusion Detection” later in this chapter.
PPTP Through ISA Firewall (PPTP; disabled): Allows PPTP packets to pass through the ISA Server firewall. Use this option to allow packets to and from internal PPTP endpoints to pass.
CONFIGURING AND USING APPLICATION FILTERS/EXTENSIONS
Configuring and using application filters and extensions can provide additional control. Third-party extensions can be developed that further extend the interface and are already available for virus and content checking. Standard ISA Server application filters are provided. Chapter 7, “H.323 Gatekeeper” describes how to configure and use the H.323 filter and the streaming media filter. Chapter 6, “ISA Server Hosting Roles” describes the use of the SMTP filter in content filtering. Filters designed for intrusion detection (DNS Intrusion Detection Filter, POP Intrusion Detection Filter) are defined in Chapter 15, “Monitoring Network Security and Usage.”
The remaining filters are listed and defined here:
• FTP access filter
• HTTP redirector filter
• RPC filter
• SOCKS V4 filter
FTP Access Filter
SecureNAT clients use this filter when they require access to FTP. You must create protocol rules to allow access to the FTP protocol. If access is allowed, the filter forwards the requests to the Firewall service, which dynamically opens the secondary ports required by the FTP protocol. This filter is enabled by default. The filter also performs address translation for the SecureNAT clients. It uses three predefined protocol definitions:
• FTP download only. Clients can only read data on FTP sites, but cannot write data to these sites.
• FTP client.
• FTP server.
If, instead of using the FTP access filter, you define a protocol definition for FTP, you will not obtain address translation, secondary port handling, or control over read and write FTP operations.
To limit user rights to FTP read only you create a protocol rule,
which allows the FTP client read-only protocol for a client address
set. Step by Step 10.2 describes how to do so for the 192.168.5.0
subnetwork.
STEP BY STEP
10.2 Limiting FTP Access to Read Only
1. Create a Client Address Set called FTPro set for the subnetwork 192.168.5.0 (creating client address sets is detailed in Chapter 5).
2. Right-click on Servers and Arrays\name\Access
Policy\Protocol Rules and select New\Rule.
3. Give it a name and click OK.
4. Select Allow and click Next.
5. In the Apply This Rule To: box select Selected Protocols
and in the Protocol box select FTP Download Only (see
Figure 10.4). Click Next.
6. Leave the default Always Schedule in place and click
Next.
7. On the Client Type page select Specific computers (Client
address set). Click Next, and select the FTPro set. Click
Next.
8. Review your choices and click Finish.
HTTP Redirector Filter
The HTTP Redirector Filter (enabled by default) forwards requests
from firewall and SecureNAT clients to the Web proxy service.
Requests are cached. No authentication information is passed.
If requests are redirected to the Web proxy service, firewall client
requests are unauthenticated. If you have configured specific rules
using user names and groups, these rules will not be followed. If the
rules deny access, access will actually be allowed as there is no way to
check which user is making the request. If you do not allow unau-
thenticated access, all requests will be denied.
FIGURE 10.4
Selecting the Protocol FTP Download Only.
For example, suppose two protocol rules are written, one allowing firewall client Peter access to external sites using FTP, and one denying firewall client Fred access to external sites using FTP. The following will occur.
If unauthenticated access is allowed and a site and content rule exists which allows access, both users, Peter and Fred, will be allowed to use FTP. If unauthenticated access is not allowed, neither user will be allowed to use FTP.
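The Peter and Fred case above can be checked with a small model of the redirector's effect on user-based rules, including the audit check a firewall administrator would want for deny rules that redirected requests never reach. This is an added example, not code from the book or from ISA Server; it assumes the site and content rule allows the site and uses constructed rule and user names.

```python
# Added example (not from the book or from ISA Server): a model of what the
# text describes when requests from firewall and SecureNAT clients reach the
# Web proxy service through the HTTP Redirector with no user identity. Per the
# book: a user-specific deny can then match nobody and any allow rule for the
# protocol lets the anonymous request through, unless unauthenticated access is
# disallowed. The site and content rule is assumed to allow the site; rule and
# user names are constructed.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class ProtocolRule:
    name: str
    action: str                             # "allow" or "deny"
    protocol: str                           # e.g. "FTP"
    users: Optional[FrozenSet[str]] = None  # None = applies to any request


def decide(rules: List[ProtocolRule], protocol: str, user: Optional[str],
           allow_unauthenticated: bool) -> str:
    """Verdict for one outbound request; user is None when it was redirected."""
    applicable = [r for r in rules if r.protocol == protocol]
    if user is not None:   # authenticated Web proxy client: user-based rules work
        if any(r.action == "deny" and (r.users is None or user in r.users) for r in applicable):
            return "deny"
        if any(r.action == "allow" and (r.users is None or user in r.users) for r in applicable):
            return "allow"
        return "deny"
    if not allow_unauthenticated:   # identity required but absent: refused
        return "deny"
    if any(r.action == "deny" and r.users is None for r in applicable):
        return "deny"               # only a deny naming no user can still apply
    return "allow" if any(r.action == "allow" for r in applicable) else "deny"


def bypassed_deny_rules(rules: List[ProtocolRule], allow_unauthenticated: bool) -> List[str]:
    """Audit helper: user-specific deny rules that redirected requests never hit."""
    if not allow_unauthenticated:
        return []
    return [r.name for r in rules if r.action == "deny" and r.users is not None]


# Peter may use FTP, Fred may not: the two rules from the text.
RULES = [
    ProtocolRule("Peter FTP", "allow", "FTP", frozenset({"peter"})),
    ProtocolRule("Fred FTP", "deny", "FTP", frozenset({"fred"})),
]


def scenario(allow_unauthenticated: bool) -> Dict[str, str]:
    """Compare redirected (anonymous) requests with authenticated Web proxy requests."""
    return {
        "peter via redirector": decide(RULES, "FTP", None, allow_unauthenticated),
        "fred via redirector": decide(RULES, "FTP", None, allow_unauthenticated),
        "peter as Web proxy client": decide(RULES, "FTP", "peter", allow_unauthenticated),
        "fred as Web proxy client": decide(RULES, "FTP", "fred", allow_unauthenticated),
    }


if __name__ == "__main__":
    for setting in (True, False):
        print("unauthenticated access allowed:", setting)
        for who, verdict in scenario(setting).items():
            print(f"  {who:28} {verdict}")
        print("  deny rules bypassed:", bypassed_deny_rules(RULES, setting))
```

With unauthenticated access allowed, Fred's deny rule is silently bypassed for redirected requests; the same rule is enforced only when Fred's request arrives from an authenticating Web proxy client.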
The HTTP redirector filter has optional configurations available on the Options tab of its properties page (see Figure 10.5). The HTTP redirector can be configured to
• Redirect to local Web proxy service—the default.
• If the local service is unreachable, redirect requests to the requested Web server.
• Send to the requested Web server.
• Reject HTTP requests from firewall and SecureNAT clients. (Web proxy clients’ requests will not be rejected unless ISA Server rules specify to deny the request.)
RPC Filter
The RPC filter (enabled by default) allows publishing of internal RPC servers, thus making them available to external clients. Although the filter is enabled by default, to publish an RPC server you must create a server-publishing rule and apply the RPC protocol. Two protocol definitions are added with the RPC filter:
• Any RPC Server
• Exchange RPC Server
FIGURE 10.5
Configuring HTTP redirector options.
SOCKS V4 Filter
The SOCKS filter (enabled by default) forwards SOCKS application requests to the Firewall service. Access policy rules must be configured to allow or deny the SOCKS client’s application access to the Internet. The default port for SOCKS requests is 1080. To change it, you modify the Port text box on the SOCKS filter Properties\Options page (see Figure 10.6).
CONFIGURING FOR SYSTEM HARDENING
It doesn’t make sense to place a firewall between public and private
networks if you are not going to make sure the system the firewall
sits on is itself hardened. If the underlying operating system can be
compromised, any firewall protection can be easily removed. To
make sure the ISA Server has a rock solid bed on which to operate and utilizes the OS to support its functions, consider the following options:
• Preinstallation considerations, lifetime chores
• Authentication rules
• The ISA Server Security Configuration Wizard
Preinstallation Considerations, Lifetime Chores
Chapter 2, “Plan Before Acting: Preinstallation Activities” lists and describes steps to take to secure the underlying OS. You should always be prepared to update these considerations as new security considerations are discovered, or elaborated on. New service packs, hotfixes, and security announcements can modify your preinstallation plans.
In addition, your monitoring of security related information on Windows 2000 should not stop once the ISA Server is installed, but should continue for the lifetime of the server. Each new security related W2K advisory should be examined to see if it affects the ISA Server, and corresponding changes made to the underlying OS. Monitoring the ISA Server can alert you to other potential security issues that must be addressed.
FIGURE 10.6
Changing the SOCKS port.
Authentication Rules
Authentication rules determine whether outgoing and inbound
requests are authenticated, and if they are, which authentication
methods are used. Because authentication can be configured separately for incoming and outgoing requests, to fully understand ISA Server related authentication rules, you must examine authentication in light of the following:
• Outgoing and incoming Web requests
• Authentication methods
Outgoing and Incoming Web Requests
Authentication for outgoing and incoming Web requests is configured on the Servers and Arrays\name\Properties\Outgoing Web Requests page or Incoming Web Requests page (see Step by Step 10.3) and by writing access rules that specify users and groups that are allowed or denied access to external sites. (Access rules are covered in Chapter 5.)
STEP BY STEP
10.3 Configuring Incoming and Outgoing Web
Request Authentication
1. Right-click Servers and Arrays\name and select Properties.
2. Select the Outgoing Web Requests or the Incoming Web
Requests page.
3. If you want to require all clients to authenticate outgoing Web requests (or incoming Web requests), check the box Ask Unauthenticated Users for Identification on the respective (outgoing or incoming Web requests) page (see Figure 10.7).
4. Click the radio button Configure Listeners Individually
per IP address.
5. Click the Add button.
6. On the Add/Edit Listeners dialog box, use the Server
drop-down box to select the ISA Server.
7. Use the IP Address drop-down box to select the IP address.
8. By default the Integrate box is checked. Select the desired
authentication method, and/or select Use a Server
Certificate to Authenticate to Web Clients if mutual
authentication is required.
9. If server certificates are required, click the Select button and select the server certificate to be used. (A server certificate must be obtained and installed prior to making this choice.)
10. Click OK to return to the Property pages, then click OK
to close the Property pages.
11. Choose whether to save changes and restart the services
and click OK.

Authentication Methods
Multiple authentication methods can be configured in support of
incoming and outgoing Web requests. The authentication methods,
and where each can be used, are described in Table 10.4. Additional
information on the use of certificates and pass-through authentication
is also provided.
FIGURE 10.7
Finding the backup and restore utilities.
TABLE 10.4
AUTHENTICATION PROCESSES

Method: Basic
Description: Credentials sent in encoded text characters (easily read; no encryption).
Who Can Use It? Users with accounts on the ISA Server computer or a trusted domain of the ISA Server.

Method: Digest
Description: Credentials modified with values that identify user, computer, and domain are time stamped and then hashed to create a message digest. (The result of this one-way encryption process; by one-way, it is meant that the product cannot be decrypted.)
Who Can Use It? Users with accounts in a trusted domain of the ISA Server.

Method: Integrated
Description: Integrated Windows authentication. (The authentication protocol depends on the OS and the client account membership involved.)
Who Can Use It? Windows user accounts. Can use Kerberos if W2K domain user accounts are being used from a W2K domain member computer. Kerberos cannot be used in a pass-through scenario.

Method: Pass-through
Description: ISA Server can pass the client authentication information to the destination server. See the numbered list in the section, “Pass-Through Authentication.”
Who Can Use It? Outgoing and incoming Web requests.

Method: Certificates
Description: Certificate Authority issued certificates are used for authentication. See the section, “Certificates.”
Who Can Use It? Clients and servers.
Pass-Through Authentication
If a client needs to authenticate to an external or internal server, the
ISA Server can pass the client authentication information to the
other server. It works like this:
1. The client sends a GET request to a Web server and the ISA
Server sends it on.
2. The Web server receives the request and returns a 401 error
(authentication required).
3. The ISA Server passes this request to the client.
4. The client returns authentication info to the ISA Server.

5. The ISA Server passes this on to the Web server.
6. The client and the Web server communicate directly with each
other.
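The following worked example is added here and is not code from the book; it models the six-step pass-through exchange above with both the Basic and Digest methods from Table 10.4, so the difference between them is visible on the wire. The realm, the user store, the nonce and the paths are constructed sample values, and the Digest computation follows RFC 2617 without the qop extension.

```python
"""Added example: the HTTP Basic and Digest exchanges that ISA Server relays
in pass-through mode. Not from the book; all sample data is constructed."""
import base64
import hashlib
import re

# Constructed sample data: not a real realm, account or nonce.
REALM = "example.test"
USERS = {"alice": "s3cret-Pa55"}
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"   # fixed so runs are reproducible


def challenge(scheme):
    """The WWW-Authenticate header the Web server sends with its 401 (step 2)."""
    if scheme == "Basic":
        return 'Basic realm="%s"' % REALM
    return 'Digest realm="%s", nonce="%s"' % (REALM, NONCE)


def basic_credentials(user, password):
    """Client answer to a Basic challenge: base64 is encoding, not encryption."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    return "Basic " + token


def decode_basic(header):
    """Whoever sees the header (the proxy, or a sniffer on an unencrypted
    link) recovers the clear-text password; this is why Basic needs SSL."""
    raw = base64.b64decode(header.split(" ", 1)[1]).decode()
    user, _, password = raw.partition(":")
    return user, password


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def _params(header):
    """Parse the name="value" pairs of a Digest header into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', header.split(" ", 1)[1]))


def digest_credentials(user, password, method, uri, nonce=NONCE):
    """Client answer to a Digest challenge (RFC 2617, no qop): only a one-way
    hash of the password travels, bound to the nonce, method and URI."""
    ha1 = _md5("%s:%s:%s" % (user, REALM, password))
    ha2 = _md5("%s:%s" % (method, uri))
    response = _md5("%s:%s:%s" % (ha1, nonce, ha2))
    return ('Digest username="%s", realm="%s", nonce="%s", uri="%s", response="%s"'
            % (user, REALM, nonce, uri, response))


def verify_digest(header, method):
    """Server-side check: recompute the digest from the stored password."""
    p = _params(header)
    password = USERS.get(p.get("username"))
    if password is None or p.get("nonce") != NONCE:
        return False
    expected = digest_credentials(p["username"], password, method, p.get("uri", ""))
    return _params(expected)["response"] == p.get("response")


def verify_basic(header):
    user, password = decode_basic(header)
    return USERS.get(user) == password


def pass_through(scheme, user, password, uri="/index.html"):
    """Steps 1 to 6 of the pass-through flow; returns (final_status, transcript)."""
    log = ["client -> ISA: GET %s" % uri, "ISA -> web: GET %s" % uri]   # step 1
    www = challenge(scheme)
    log.append("web -> ISA: 401 WWW-Authenticate: %s" % www)            # step 2
    log.append("ISA -> client: 401 WWW-Authenticate: %s" % www)         # step 3
    if scheme == "Basic":
        auth = basic_credentials(user, password)
    else:
        auth = digest_credentials(user, password, "GET", uri)
    log.append("client -> ISA: GET %s Authorization: %s" % (uri, auth))  # step 4
    log.append("ISA -> web: GET %s Authorization: %s" % (uri, auth))     # step 5
    ok = verify_basic(auth) if scheme == "Basic" else verify_digest(auth, "GET")
    status = 200 if ok else 401
    log.append("web -> ISA -> client: %d" % status)                     # step 6
    return status, log


if __name__ == "__main__":
    for line in pass_through("Digest", "alice", "s3cret-Pa55")[1]:
        print(line)
```

The ISA Server in this flow only forwards the Authorization header, so with Basic it (and anything else on the path) can read the password with `decode_basic`, while with Digest it sees only a hash that is useless without the nonce, method and URI it was bound to.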
Certificates
SSL Server certificates can be used to authenticate the ISA Server to
the client when the client requests an object. The server must have a
certificate installed and the client must have a copy of the issuing
CA’s certificate in its certificate stores. When the client request is
received, the server sends a copy of its server certificate to the client.
Because the client can recognize the issuing CA signature (by using
the copy of the CA’s certificate it holds) on the certificate, the server
can be authenticated. The server can request certificate authentica-
tion of the client as well. This process of both client and server
authenticating to each other is called mutual authentication. The
client certificate needs to be issued by a CA that the server recog-
nizes. One solution is to install a Microsoft Certificate Services
Enterprise CA. Certificates can be issued automatically to servers
and all clients with Active Directory domain accounts can request
client certificates.
The ISA Server Security Configuration Wizard
Microsoft has provided a Security Configuration Wizard (see Figure
10.8), which allows the automatic configuration of multiple
Windows 2000 security features. Three possibilities exist (see Figure
10.9). The wizard can be run by selecting Configure Firewall
Protection\Secure Your ISA Server Computer from the task pad view,
or by right-clicking the ISA Server computer under the Computers
folder and selecting Secure (see Step by Step 10.4).
Each hardening choice uses one of six (three for domain controllers
and three for servers) standard Windows 2000 templates to make
security configuration settings (see Table 10.5). Templates ending in
“dc” are for domain controllers, and the others are for servers.
TABLE 10.5
SECURITY WIZARD

Security Level: Secure
Recommended Usage: Other services are running on the ISA Server computer, such as a Web server or mail server.
Security Template: Basicsv.inf or Basicdc.inf

Security Level: Limited Services
Recommended Usage: ISA Server in Integrated mode, or serving as a caching server behind another firewall.
Security Template: Securews.inf or Hisecdc.inf

Security Level: Dedicated
Recommended Usage: ISA Server as a dedicated firewall.
Security Template: Hisecws.inf or Hisecdc.inf
STEP BY STEP
10.4 Configuring System Hardening with the Security Configuration Wizard
1. Right-click the ISA Server in the Details pane of Servers
and Arrays\name\Computers and select Secure.
2. Read the warning and click Next.
3. Select the System Security Level and click Next
(see Figure 10.9).
4. Review your choice and click Finish.
5. When configuration is completed, you are prompted to
restart the system. Click OK.
6. Restart the system.
FIGURE 10.8
The Security Configuration Wizard.

FIGURE 10.9
System hardening choices.
To examine the changes made, you can use the Security
Configuration and Analysis (SCA) console. This Windows 2000
snap-in tool can be loaded into an MMC console and used to com-
pare any template with the current computer’s configuration. For
example, after running the Limited Services choice, you can load the
Setup template in SCA and analyze the current settings against it to
see the changes made.
The Limited Services configuration makes numerous changes to the
local security configuration database. Most of the changes are listed
here:
• Password history set at 24 passwords remembered.
• Minimum password age set at 2 days.
• Minimum password length set to 8 characters.
• Complexity requirements for passwords set.
• Account lockout threshold set to 5 invalid logon attempts.
• Auditing configured and set for success and failure on audit
account logon events, and audit policy changes. Audit logon
events and Audit privilege use are set to audit for failure.
• Additional restrictions for anonymous connections are set to
Do Not Allow Enumeration of SAM Accounts and Shares.
• Digitally sign server communication (when possible) is set to
Enabled.
• LAN Manager Authentication Level is set to NTLM Only.
• Smart card removal behavior is set to Lock workstation.
• The maximum security log size is set to 5,120 bytes.
• Guest access to the logs is enabled.
• Event retention is set to overwrite events as needed.
If you decide you do not like the changes made by the wizard, you
may need to manually reconfigure all the items modified.
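Because the wizard applies a standard .inf security template, the changes it makes can be checked before (or after) it runs by reading the template itself, in the same spirit as the SCA comparison described above. The following example is added here and is not code from the book or from Microsoft: it parses the INI-style template format and reports every setting that deviates from the Limited Services list above. The sample template is constructed, and the numeric encodings used for the expected values (audit flags 1=success, 2=failure, 3=both; LmCompatibilityLevel 2 for NTLM only; RestrictAnonymous 1 for no enumeration of SAM accounts and shares; registry entries written as type,value with 4 meaning REG_DWORD) are assumptions about the template format, not values quoted from the page.

```python
"""Added example: check a Windows 2000 security template (.inf) against the
Limited Services baseline. Not from the book; sample template is constructed."""
import configparser

# Constructed sample in .inf layout. It matches the baseline except for one
# deliberately weak entry (LockoutBadCount = 0, i.e. no lockout).
SAMPLE_TEMPLATE = r"""
[Unicode]
Unicode=yes
[System Access]
PasswordHistorySize = 24
MinimumPasswordAge = 2
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 0
[Event Audit]
AuditAccountLogon = 3
AuditPolicyChange = 3
AuditLogonEvents = 2
AuditPrivilegeUse = 2
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,2
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,1
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Expected (section, key, value) triples derived from the list above.
# Encodings are assumptions about the template format (see lead-in).
EXPECTED = [
    ("System Access", "PasswordHistorySize", "24"),   # 24 passwords remembered
    ("System Access", "MinimumPasswordAge", "2"),     # 2 days
    ("System Access", "MinimumPasswordLength", "8"),  # 8 characters
    ("System Access", "PasswordComplexity", "1"),     # complexity enabled
    ("System Access", "LockoutBadCount", "5"),        # 5 invalid attempts
    ("Event Audit", "AuditAccountLogon", "3"),        # success and failure
    ("Event Audit", "AuditPolicyChange", "3"),        # success and failure
    ("Event Audit", "AuditLogonEvents", "2"),         # failure only
    ("Event Audit", "AuditPrivilegeUse", "2"),        # failure only
    ("Registry Values",
     r"MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel", "4,2"),
    ("Registry Values",
     r"MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous", "4,1"),
    ("Registry Values",
     r"MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature",
     "4,1"),
]


def parse_template(text):
    """Parse the INI-style .inf text into {section: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str          # keep key case and backslashes as written
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def check_template(text, expected=EXPECTED):
    """Return (section, key, expected, actual) for every missing or
    deviating setting; an empty list means the template meets the baseline."""
    settings = parse_template(text)
    findings = []
    for section, key, want in expected:
        actual = settings.get(section, {}).get(key)
        if actual != want:
            findings.append((section, key, want, actual))
    return findings


if __name__ == "__main__":
    for section, key, want, actual in check_template(SAMPLE_TEMPLATE):
        print("[%s] %s: expected %s, found %s" % (section, key, want, actual))
```

Run against a template exported from the ISA Server computer, the report lists exactly the settings an administrator would otherwise have to reconcile by hand after the wizard runs; a missing key is reported with `None` as the found value.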