ISA Installation and Configuration Complete Guide
Published: 2003-10-24  5inet  Hits: 34171
Source: 岚山夜话 HTTP://WWW.33D9.COM

Contents:
- Installing ISA Server
- Configuring ISA Server
- Configuring Policy Elements
- How to create ISA Server Packet Filtering rules
- Publishing Service
- ISA 2000 Server backup and restore
- ISA Server log management
- ISA Server intrusion detection

Installing ISA Server

Insert the Microsoft ISA 2000 Server CD into the Windows 2000 server and click "Install ISA Server" (Fig. 1).

1. Choose "Full Installation". ISA Server 2000 has the following three installation components:
   (1) ISA Services: the firewall operation and control services.
   (2) Add-In Services: optional network service components. They include the H.323 Gatekeeper Service, a gateway application that lets internal users communicate with the outside network (Internet) using MS NetMeeting or H.323, and the Message Screener, a component that filters and controls the SMTP packets passing in and out of the firewall.
   (3) Administrator Tools: the ISA Server management interface, including the management console for the H.323 Gatekeeper Service. These tools can also be installed on a Windows 2000 Professional workstation to manage ISA Server remotely.

2. Warning message: if you are installing on a Windows 2000 stand-alone server that has not joined any Active Directory, the message shown in Fig. 2 is normal. Click "Yes" and select "Integrated mode" (explained below) (Fig. 3).

Comparison of the three installation modes:

                                                               Firewall   Cache       Integrated
Custom access policy (Access Policy)                           Yes        HTTP only   Yes
Publish internal web sites (Web Publishing) to outside users   Yes        Yes         Yes
Let internal users reach other network hosts over VPN          Yes        No          Yes
Publish internal server applications to outside users          Yes        No          Yes
Cache Service                                                  No         Yes         Yes
Packet filtering                                               Yes        No          Yes
Application filtering of traffic through the firewall          Yes        No          Yes
Real-time monitoring                                           Yes        Yes         Yes
Alerts on system errors or attacks                             Yes        Yes         Yes
Reports and statistical charts                                 Yes        Yes         Yes

Because ISA Server 2000 does not know which IP address ranges belong to the internal network, you must declare the internal address ranges of your firewall design in the Local Address Table (LAT). The private network ranges defined by RFC 1918 are:
   10.0.0.0 - 10.255.255.255
   172.16.0.0 - 172.31.255.255
   192.168.0.0 - 192.168.255.255

Configure the LAT as follows: click "Construct Table" (Fig. 4); tick "Add address ranges based on the Windows 2000 Routing Table"; then tick the network card whose internal IP address is 10.10.10.254; click OK three times to complete the installation (Fig. 5).

Configuring ISA Server

For the security of the firewall, temporarily stop the following default services:
   Simple Mail Transfer Protocol (SMTP)
   World Wide Web Publishing Service
   Network News Transport Protocol (NNTP)
   IIS Admin Service
   FTP Publishing Service
   Routing and Remote Access

By default ISA Server does not allow internal users to PING external IP addresses; in other words, internal-to-external "IP Routing" is turned off. Turning "IP Routing" on is all that is needed for internal hosts to PING external network addresses.

(1) Fig. 6
(2) Fig. 7. Note: the TCP/IP default gateway on your internal clients must be 10.10.10.254 (the internal IP address of the ISA Server).
(3) Grant access with Protocol rules. This is the first check ISA Server makes when deciding whether a user may reach the Internet. The default is empty (Fig. 8), which denies every internal client any outbound communication. Create a protocol rule as shown in Fig. 9 and Fig. 10: select "Allow", "All IP Traffic", "Always", "Any request" and finish (Fig. 11).

ISA Server has the following three client roles:
(1) Web Proxy Clients: the proxy server address and port are configured in the client's browser.
(2) SecureNAT Clients: let internal clients connect to Internet resources; also used, for example, when an internal Web Server is published to provide services to outside users.
(3) Firewall Clients: internal clients must pass user authentication before they can reach the Internet. To use the Firewall Client role, the Firewall Client program must be installed on every client.

(4) Web Proxy Client. The client only needs the Proxy Server IP address and port configured in its browser (for example IE or Netscape) (Fig. 12). Note that the default ISA Server proxy port is 8080.

(5) Firewall Client installation (optional). Why install the Firewall Client on the clients? It lets the administrator control access per "user account". Once the Firewall Client is installed, the Access Policy on ISA Server can authenticate and control access based on the user account logged in at the client, so access can be governed by user "account" as well as by the client's "IP address". The Firewall Client installer runs only on Microsoft Windows platforms. On the client computer, open Network Neighborhood, locate the ISA Server host, open the shared folder named "mspclnt" and double-click "Setup.exe".

Configuring Policy Elements

Blocking an internal client from an external network service

Exercise 1: add a rule so that internal clients in the range 10.10.10.1 to 10.10.10.99 cannot connect to FTP hosts on the Internet.
Under "Policy Elements" click "Client Address Sets" > "New" > "Set" (Fig. 13) > "Add" (Fig. 14) (Fig. 15, Fig. 16). Then click "Protocol rules" > "New" > "Rule" (Fig. 17) (Fig. 18). Give the protocol rule a name > "Next" (Fig. 18) > "Deny" (Fig. 19) > "Always" > "Specific computers (client address sets)" > "Add" > NoFTP > "Finish" (Fig. 20).

Exercise 2: a simple way to stop company users from browsing pornographic web sites.
Click "Policy Elements" > "Destination sets" > "New" > "Set" (Fig. 21, Fig. 22, Fig. 23). Enter the destination as "www.hkgal.com" (Fig. 23) and the restricted Path as "/*"; the Path is "/*" because you want to control every page under "http://www.hkgal.com". Click "OK" > "OK" to finish (Fig. 24).
If you later find another pornographic site, "http://207.235.5.37", add it to the destination set as follows: right-click "NoSexWWW" > "Properties" (Fig. 25) > "Destinations" > "Add" (Fig. 26) (Fig. 27) > "OK" > "OK".
Then create a new Site and Content Rule: click "Site and Content Rules" > "New" > "Rule" (Fig. 28) (Fig. 29) > "Deny" > "Custom" > "Specified destination set" > "NoSexWWW" > "Always" > "Any request" (Fig. 30) > "Finish". As Fig. 30 shows, because this is a Deny rule, the configured "Images" content will not be passed by ISA Server to internal users.

Exercise 3: restricting the hours during which internal clients may access the outside.
Select the "All Access" rule created earlier, right-click it and choose "Properties" (Fig. 31). Choose "Schedule" > "New" (Fig. 32), enter "LimitDate" as the name of the new schedule element (Fig. 33), drag to select the "Sunday" time slots, click the "Inactive" button > "OK". This setting shuts access off for the whole of Sunday. You can open "LimitDate" at any time to edit the time slots.

Exercise 4: custom content groups (Content Group).
You can define your own content categories for internal-to-external access rules. Here you create a content group named "SelfDefine01" and then add it to a custom Site and Content Rule. Right-click "Content Groups" > "New" > "Content Group" (Fig. 34), enter "SelfDefine01" as the Name (Fig. 35), add the file formats or extensions that make up the category (Fig. 35) > "OK" (Fig. 36). Open "HTTP Content" in the properties of the existing "NoSexWeb" rule (Fig. 37), select "SelfDefine01" > "OK".
(Note: to "Disable" or "Delete" a rule, right-click it and choose "Disable" or "Delete".)

Exercise 5: export all rules to a file.
Right-click "Access Policy" > "Export List" and save to the file "2k012.txt".

How to create ISA Server Packet Filtering rules

Exercise 6: allow the firewall to answer ICMP from outside.
After installation, the ISA Server network card (203.186.33.173) cannot be PINGed from the Internet. Create a packet filter that lets the firewall answer ICMP as follows: right-click "IP Packet Filters" (Fig. 38) > "New" > "Filter", enter "ICMP_Ping_Query" > "Next" > "Allow packet transmission" > select "Predefined" and choose "ICMP ping query" from the list > "Default IP addresses for each external interface on the ISA Server computer" (note: this uses the IP address of the ISA Server's external network card, 203.186.33.173) > "All remote computers" > "Next" > "Finish" (Fig. 39).

Publishing Service

Web Publishing Rules: rules that let ISA Server pass internal HTTP and FTP hosts to external network users.
Server Publishing Rules: rules for publishing other protocols such as SMTP and POP3.

Exercise 7: enable HTTP publishing on ISA Server.
Right-click "Destination Set" (Fig. 40) > "New" > "Set", enter the Name "WWW" > "Add" > click "Destination" and enter "www.kamo.101main.net" > "OK" > "OK" (Fig. 41). Then right-click "Web Publishing Rules" (Fig. 42) > "New" > "Rule", enter "WebPub", select "Specified destination set" and choose the Name "WWW" > "Next" > "Any request" > "Redirect the request to this internal Web server (name or IP address):" and enter "10.10.10.133" (note: my internal Web Server is 10.10.10.133) > "Next" > "Finish" (Fig. 43).
The listener for incoming web requests (Incoming Web Requests) is not enabled by default and has no network card assigned. This listener binds the external network card of ISA Server so that outgoing and incoming web traffic can be served. Enable it as follows: click the server name, e.g. "W2K1" (Fig. 44) > "Properties" > "Incoming Web Requests" > "Use the same listener configuration for all IP addresses" > "OK" > "Save the changes and restart the service(s)" > "OK".

Exercise 8: HTTPS publishing.
HTTPS uses the SSL (Secure Socket Layer) protocol to protect data in transit between a web site and its users, on port 443. By default ISA Server does not let external users reach HTTPS hosts on the internal network (for example Exchange 2000 with Outlook Web Access for web mail, whose password-change function requires HTTPS).
Click "IP Packet Filters" > "New" (Fig. 45) > "Filter", enter the name "HTTPS_Filter", choose "Allow packet transmission" > "Predefined" > "HTTPS server (port 443)" > "Default IP addresses for each external interface on the ISA Server computer" > "All remote computers" > "Finish" (Fig. 46).
Then add a Server Publishing Rule: click "Server Publishing Rules" > "New" > "Rule" (Fig. 47), enter the name "HTTPS_Rule" > "Next", enter "10.10.10.133" as the "IP address of internal server" (note: this internal host is the Exchange 2000 Server), enter "203.186.33.173" as the "External IP address on ISA Server" (Fig. 48) > "HTTPS Server" > "Any request" > "Finish".

Exercise 9: FTP publishing.
To open the internal FTP site (10.10.10.133) to Internet users. Note: two packet filters are needed, allowing the Internet to send to ISA Server on FTP control port 21 and FTP data port 20.
1. Click "IP Packet Filters" > "New" > "Filter", enter the filter name "FTP_20", choose "Allow packet transmission" > "Custom", set IP protocol to "TCP", Direction to "Inbound" (packets coming in from the external network), Local port to "Fixed port" with Port number "20", Remote port to "All ports" > "Default IP addresses for each external interface on the ISA Server computer" > "All remote computers" > "Finish" (Fig. 49).
2. Click "IP Packet Filters" > "New" > "Filter", enter the filter name "FTP_21", choose "Allow packet transmission" > "Custom", set IP protocol to "TCP", Direction to "Inbound" (packets coming in from the external network), Local port to "Fixed port" with Port number "21", Remote port to "All ports" > "Default IP addresses for each external interface on the ISA Server computer" > "All remote computers" > "Finish" (Fig. 50).
3. Add a Server Publishing Rule named "FTP_RULE": click "Server Publishing Rules" > "New" > "Rule" (Fig. 47), enter "FTP_RULE", enter "10.10.10.133" as the "IP address of internal server" (note: this internal host is the Exchange 2000 Server), enter "203.186.33.173" as the "External IP address on ISA Server" (Fig. 48) > "FTP Server" > "Any request" > "Finish".

Exercise 10: SMTP/POP3 publishing.
SMTP/POP3 publishing is configured differently from the steps above: use the "Secure Mail Server" wizard in ISA. Click "Server Publishing Rules" > "Secure Mail Server" (Fig. 51), tick "Incoming SMTP" and "Incoming POP3" (Fig. 52), enter "203.186.33.173" as the "External IP address on ISA Server" and "10.10.10.133" under "At this IP address" > "Finish". You could equally define SMTP/POP3 publishing by hand, following the FTP publishing steps above.

ISA 2000 Server backup and restore

ISA Server provides a simple backup and restore function:
1. Backup: right-click the ISA Server host name and choose "Back up" (Fig. 53), enter the backup file name (Fig. 54) (note: the extension of the backup file is always ".bif") > "OK".
2. Restore: right-click the ISA Server host name and choose "Restore" (Fig. 53) > "Browse" to the location of the backup file > "OK" (Fig. 55).

ISA Server log management

ISA Server logs are the core tool for refining the enterprise's security defences; do not underestimate them. ISA Server logs the following three services:
(1) Packet filter
(2) Firewall service
(3) Web proxy

Exercise 11: log settings.
The default log location is C:\Program Files\Microsoft ISA Server\ISALogs; you can choose your own location. Click "Logs" (Fig. 55) > "Packet filters", right-click > "Properties" and set the file contents as you need.

Packet Filter log fields:
Date: date the packet was received.
Time: the time the packet was received (service info fields).
Source IP: the Internet Protocol (IP) address of the source (remote) computer.
Destination IP: the IP address of the destination (local) computer. The destination computer is usually the ISA Server computer.
Protocol: the particular transport-level protocol used during the connection, such as TCP, UDP or ICMP.
Source port: for TCP and UDP protocols, the remote port used to create a connection.
Destination port: for TCP and UDP protocols, the local port used to create a connection.
TCP flags: for a TCP data packet, the TCP flag value in the IP header. The possible values are FIN, SYN, RST, PSH, ACK and URG.
Interface (filter-rule): indicates whether the packet was accepted (1) or dropped (0). By default only dropped packets are logged.
Interface IP address: the interface on which the packet was received; usually only one interface.
Header (ip-header): the entire IP header of the data packet that generated the alert event, logged in hexadecimal.
Payload: a listing of a portion of the data packet (after the IP header), logged in hexadecimal.

Firewall and Web Proxy log fields:
Client IP: the IP address of the requesting client.
Client user name: account of the user making the request. If ISA Server Access Control is not being used, it uses anonymous.
Client agent: the client application type sent by the client in the HTTP header. When ISA Server is actively caching, the client agent is ISA Server.
Authentication status: indicates whether or not the client has been authenticated with ISA Server. Possible values are Y and N.
Date: the date on which the logged event occurred.
Time: the time at which the logged event occurred.
Service name: the name of the service that is logged. w3proxy indicates outgoing Web requests to the Web Proxy service; fwsrv indicates the Firewall service.
Proxy name: the name of the computer running ISA Server. This is the computer name assigned in Windows 2000.
Referring server name: if ISA Server is used upstream in a chained configuration, this is the server name of the downstream server that sent the request.
Destination name: the domain name of the remote computer that provides service to the current connection. For the Web Proxy service, a (-) in this field may indicate that an object was retrieved from the Web Proxy server cache and not from the destination.
Destination IP: the network IP address of the remote computer that provides service to the current connection. For the Web Proxy service, a (-) in this field may indicate that the object was sourced from the Web Proxy server cache and not from the destination. One exception is negative caching; in that case this field indicates the destination IP address for which a negative-cached object was returned.
Destination port: the reserved port number on the remote computer that provides service to the current connection. This is used by the client application initiating the request.
Processing time: the total time in ms needed by ISA Server to process the current connection. It measures elapsed server time from the moment the server first received the request to the moment final processing occurred on the server, when results were returned to the client and the connection was closed. For cache requests processed through the Web Proxy service, processing time measures the elapsed server time needed to fully process a client request and return an object from the server cache to the client.
Bytes sent: the number of bytes sent from the internal client to the external server during the current connection. A (-), a (0) or a negative number in this field indicates that this information was not provided by the remote computer or that no bytes were sent to the remote computer.
Bytes received: the number of bytes sent from the external computer and received by the client during the current connection. A (-), (0) or a negative number in this field indicates that this information was not provided by the remote computer or that no bytes were received from the external computer.
Protocol name: the application protocol used for the connection. Common values are HTTP, FTP, Gopher and HTTPS. For the Firewall service, the port number is also logged.
Transport: the transport protocol used for the connection. Common values are TCP and UDP.
Operation: the application method used. For Web Proxy, common values are GET, PUT, POST and HEAD. For the Firewall service, common values are CONNECT, BIND, SEND, RECEIVE, GHBN (GetHostByName) and GHBA (GetHostByAddress).
Object name: for the Web Proxy service, the contents of the URL request. This field applies only to the Web Proxy service log.
Object MIME: the MIME type of the current object. This field may also contain a (-) to indicate that the field is not used or that a valid MIME type was not defined or supported by the remote computer. This field applies only to the Web Proxy service log.
Object source: the source that was used to retrieve the current object. This field applies only to the Web Proxy service log.
Result code: this field can indicate:
   - for values less than 100, a Windows (Win32) error code;
   - for values between 100 and 1000, an HTTP status code;
   - for values between 10000 and 11004, a Winsock error code.
Cache info: a number reflecting the cache status of the object, which indicates why the object was or was not cached. This field applies only to the Web Proxy service log.
Rule # 1: the rule that either allowed or denied access to the request, as follows. If an outgoing request is allowed, this field reflects the protocol rule that allowed the request. If an outgoing request is denied by a protocol rule, this field reflects that protocol rule. If an outgoing request is denied by a site and content rule, this field reflects the protocol rule that would have allowed the request. If an incoming request was denied, this field reflects the Web publishing or server publishing rule that denied the request. If no rule specifically allowed the outgoing or incoming request, the request is denied; in this case the field is empty.
Rule # 2: the second rule that either allowed or denied access to the request. If an outgoing request is allowed, this field reflects the site and content rule that allowed the request. If an outgoing request is denied by a site and content rule, this field reflects the site and content rule that denied the request. If no rule specifically allowed the outgoing or incoming request, the request is denied; in this case the field is empty.
Session ID: identifies a session's connections. For Firewall clients, each process that connects through the Firewall service initiates a session. For secure network address translation (SecureNAT) clients, a single session is opened for all the connections that originate from the same IP address. This field is not included in the Web Proxy service log.
Connection ID: identifies entries that belong to the same socket. Outbound TCP usually has two entries for each connection: when the connection is established and when it is terminated. UDP usually has two entries for each remote address. This field is not included in the Web Proxy service log; it applies only to the Firewall service log.

ISA Server intrusion detection

ISA Server includes an intrusion detection function that lets your ISA Server raise an alert (Alert) when it is attacked or intruded upon, or write the attack or intrusion to the operating system log as an event (Event).
Right-click "IP Packet Filters" and choose "Properties" (Fig. 56); on the "General" tab tick "Enable Intrusion detection" (Fig. 57); then open the "Intrusion Detection" tab and set the detection options (Fig. 58). The options are:
Windows out-of-band attack: detects a DoS (Denial-of-Service) attack. (A behaviour similar to the Land attack, aimed mainly at TCP port 139 on MS Windows operating systems.)
IP half scan attack: detects attacks with unanswered IP packets. (The usual technique is to deliberately open an IP connection to a service on the server and drop it half-way to fool the host, which can develop into a host denial-of-service (DoS) attack.)
Land attack: detects an IP spoofing attack. (The attacker sets the source address of an IP packet to the same address as the destination, so the receiving host treats the packet as its own and sends it to itself, waits for a reply that never comes, exhausts its resources and can no longer serve other users.)
UDP bomb attack: detects UDP bomb packet attacks.
All ports scan attack: detects scans of all ports; there are two options: "Well-known ports", covering ports 0 to 2048, and "Ports", covering ports 0 to 65535.
(Fig. 56, Fig. 57, Fig. 58)
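As an added example (not part of the original article), the following Python script shows how a defender can read packet-filter log lines carrying the fields listed above and pull out what the intrusion-detection section describes: dropped packets, Land-attack signatures (source address equal to destination address) and packets arriving on the external interface with an RFC 1918 source address, which should never appear outside the LAT. The field order and the sample log lines are constructed assumptions for this example, not ISA Server's actual on-disk log layout.

```python
import ipaddress
from collections import Counter

# Field order assumed for this example: it follows the packet-filter field list
# on this page (date, time, source/destination IP, protocol, ports, TCP flags,
# filter-rule, interface IP) and is NOT guaranteed to match ISA's on-disk layout.
FIELDS = ["date", "time", "src_ip", "dst_ip", "protocol", "src_port",
          "dst_port", "tcp_flags", "filter_rule", "interface_ip"]

EXTERNAL_IF = "203.186.33.173"   # external NIC of the ISA Server used on this page

# Constructed sample log lines (tab-separated); not taken from a real ISA Server.
SAMPLE_LOG = """\
2003-10-24\t09:00:01\t61.12.34.56\t203.186.33.173\tTcp\t4123\t443\tSYN\t1\t203.186.33.173
2003-10-24\t09:00:02\t61.12.34.56\t203.186.33.173\tTcp\t4124\t139\tSYN\t0\t203.186.33.173
2003-10-24\t09:00:03\t203.186.33.173\t203.186.33.173\tTcp\t139\t139\tSYN\t0\t203.186.33.173
2003-10-24\t09:00:04\t10.10.10.77\t203.186.33.173\tUdp\t5000\t53\t-\t0\t203.186.33.173
2003-10-24\t09:00:05\t61.12.34.57\t203.186.33.173\tTcp\t4125\t21\tSYN\t1\t203.186.33.173
"""

def parse_packet_filter_log(text):
    """Return one dict per log line; blank, comment and truncated lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) < len(FIELDS):
            continue  # truncated line: skip rather than mis-map the fields
        rec = dict(zip(FIELDS, parts))
        rec["dropped"] = rec["filter_rule"] == "0"  # page: 1 = accepted, 0 = dropped
        records.append(rec)
    return records

def triage(records, external_if=EXTERNAL_IF):
    """Summarise dropped packets, Land-attack signatures (src == dst) and
    packets on the external interface whose source is an RFC 1918 (LAT) address."""
    dropped = [r for r in records if r["dropped"]]
    land = [r for r in records if r["src_ip"] == r["dst_ip"]]
    private_src = [r for r in records
                   if r["interface_ip"] == external_if
                   and ipaddress.ip_address(r["src_ip"]).is_private]
    return {
        "dropped": len(dropped),
        "dropped_by_dst_port": Counter(r["dst_port"] for r in dropped),
        "land_attack": [(r["time"], r["src_ip"]) for r in land],
        "private_src_on_external": [(r["time"], r["src_ip"]) for r in private_src],
    }

if __name__ == "__main__":
    for key, value in triage(parse_packet_filter_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Because only dropped packets are logged by default, enable logging of accepted packets as well if you want the per-port counters to reflect what the published FTP and HTTPS filters actually let through.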