Virtual Lockdown
Microsoft’s ISA Server Enterprise exam tests your knowledge of security, policy-setting and troubleshooting — and your ability to read carefully.
by Chris Golubski
8/20/2001 --
|
|
|
Exam |
|
|
|
Installing, Configuring, and Administering Microsoft Internet Security and Acceleration Server (ISA) 2000, Enterprise Edition (70-227) |
|
Vendor |
|
|
|
Microsoft |
|
Status |
|
|
|
Live since Feb. 2001 |
|
Reviewer's Rating |
|
|
|
"If you have expert TCP/IP knowledge, a good foundation in Windows 2000, and know the details of how this product works, you should be able to pass." |
|
Test Price |
|
|
|
$100 (U.S.) |
|
Who Should Take This Exam? |
|
|
|
Elective credit for MCSE. |
|
|
Test Objectives URL |
|
|
|
Click here |
|
|
|
|
|
|
|
|
|
|
|
|
|
Internet Security and Acceleration (ISA) Server is aimed at adding security to a network environment that has a presence on the Internet. It's the direct descendent of Proxy Server. You can install it in one of three modes: cache, firewall or integrated. In cache mode, ISA Server acts as a centralized point for Web access and keeps frequently accessed Web content on its local hard drive, thus lowering the amount of enterprise bandwidth expended on Internet downloads. In firewall mode, ISA Server becomes a corporate firewall, which allows configuration of packet filtering, VPN access, and restriction of access to other Internet protocols. Finally, integrated mode allows the best of both worlds.
In this article I’ll discuss strategies for getting through the ISA Server exam. Remember that this test covers ISA Server 2000, Enterprise Edition.
Building a Fire(wall)
Our first task in the exploration of ISA Server is its preconfiguration and installation. Before we can install ISA Server, we have to ensure that we can connect to the Internet. The recipe for a successful installation is as follows: a dash of network card installation, a pinch of DNS troubleshooting, and a sprinkle of verifying connectivity on a TCP/IP subnet. Sound easy enough? It gets harder.
In addition to the basic preconfiguration tasks, you need to know the installation of ISA Server inside and out. Know how and when to install ISA Server in each of the supported modes. For example, you have to run the ISA Enterprise Initialization Tool before ISA Server can be installed in an array. The Enterprise Initialization Tool modifies the Windows 2000 Active Directory schema to support objects that ISA Server requires to have a multiserver configuration.
Tip: Make sure you know how to back up your Proxy Server 2.0 configuration, including using MMC to do this.
Also know how to configure and troubleshoot Local Address Table (LAT) problems. Simply put, the LAT is the range of IP addresses that make up your internal network. Make sure you don’t accidentally put an external address in your LAT. It could spell disaster!
Crafty Configuration and Thorough Troubleshooting
Once ISA Server is installed, you have to know how to configure and troubleshoot it. Think you can puzzle out most problems? Don’t get overconfident -- in life or the testing center. Read each question carefully and make sure you understand exactly what you’re being asked.
Make sure you understand how to configure ISA Server to keep the bad guys out and the good guys in. Once you have a firewall set up, how do you allow Web traffic through securely? Easy enough: You configure Web publishing. ISA Server supports Web publishing and server proxy, which directs Web requests to another machine. You can even configure ISA Server to forward SSL requests and maintain the integrity of the encryption. By the way, you should know how to configure all of this.
Once you have your Web servers working, how do you get your custom Web application going—especially since it’s behind the firewall and uses several ports? Well, folks, ISA Server has the answer to this one, too. The solution is called server publishing. You can set up ISA Server to allow applications to function that use multiple ports and offer services on a machine inside the firewall, but still have the protection of the external ISA Server.
Tip: Read Anil Desai’s article, “Private and Secure: The VPN Solution,” in the April issue to get a quick familiarity with VPN installation.
While you’re at it, make sure you understand virtual private networks (VPNs) and how to configure them. If you’re a Win2K network infrastructure whiz, you’re bound to do well here. Know how to configure ISA Server to allow VPN traffic through. Make sure you also know what needs to be set up within ISA Server’s configuration utility and what needs to be set up through the Routing and Remote Access Server console.
Also become familiar with configuring H.323 gatekeeper rules. In case you’re not familiar with the technology, H.323 is used for audio and video conferencing. In this case, we’re talking about NetMeeting. Know about the types of DNS records you need and how to configure destinations.
Tip: Make sure that you use the external IP address of the ISA Server machine in DNS for any services you advertise on the Internet.
Last, be certain you have a passing familiarity with redundancy services like Network Load Balancing (NLB) and how it helps an ISA Server array. Visit Microsoft’s Web site and download the white paper, “Network Load Balancing Technical Overview,” on how to configure NLB on Windows 2000 Advanced Server.
Setting Policy
Dealing with ISA Server policies is probably one of the most common tasks you’ll have as an administrator. You’ll have to perform many tasks efficiently and accurately in order to create a secure network environment.
Know how to configure packet filtering. Know common ports for common services like SMTP, HTTP, POP3, and LDAP, and understand how to troubleshoot common access problems with them. You should be familiar with how to do this in a variety of environments. For example, know how to deal with packet filtering configuration in a network with a single ISA Server, as well as a screened subnet or a DMZ (demilitarized zone). A DMZ is a subnet on the network between two ISA Server machines that usually contains Web servers and e-mail servers.
Along the same lines, you need to be able to troubleshoot problems that users have while trying to access resources. Be ready to determine whether the problem is client-side or server-side.
When it comes to learning ISA Server, spend time on configuring policies. It’s a major part of understanding the product. Policies consist of different kinds of rules. First come site and content rules. These allow you to restrict what sites and addresses the user can access. Second are protocol rules, which allow you to set which protocols can be used. As a side note, be able to configure custom protocols as well. If only things were as easy as accepting the default settings! Bandwidth rules allow you to set priorities for traffic, thus allowing you to restrict what kinds of traffic can enter and exit ISA Server.
Other items in a policy make your life a little bit easier, such as a schedule. A schedule does exactly what you’d expect it to do: set a time period in which a policy is effective. Two similar items, destination sets and client address sets, allow you to group resources together, so you don’t have to list hundreds of items in each policy over and over. You can create a set of clients or destinations and refer to them in each policy.
Tip: You can’t add items to a policy lower than the enterprise level if the enterprise policy doesn’t already have what you want. So it’s in your best interests to define policies liberally at the enterprise level and restrict at the lower levels.
Finally, you need to be able to configure policies on an enterprise basis. If you have an array of ISA Servers, you need to be able to write an enterprise policy and apply the policy to the array. Make sure you understand how an enterprise policy works and how it relates to policies that are applied at the array level and local level.
Client Configuration
Another important aspect of administration is the configuration of clients to use the services provided by ISA Server. For example, if you’re using ISA Server as a firewall, you need to install the Firewall Client on the client machine. Know the operating systems on which the Firewall Client can be installed. Make sure you understand the limitations of the Firewall Client as well.
Also know how to configure clients to use ISA Server as a proxy server. Spend time learning how an ISA Server client can auto-detect an ISA Server in firewall or integrated mode.
Tip: Make sure you understand what Unix clients can and can’t do. Think about what software can be installed on a Unix machine vs. a Windows machine.
Be certain you can distinguish what role the client plays at any given time with the given resources. For example, a client can access Web content through the firewall client or the proxy server configuration in the browser. Understand the ramifications of each.
Monitoring and Maintenance
Now that you have ISA Server installed and configured, you should be able to monitor and optimize the environment to enhance performance. Can you enable intrusion detection and take corrective action when security is breached? Can you gauge when you have too much security in place? For example, you need to know what security holes you may have to allow in order to have streaming audio and media present in your network.
Alerts allow you to automate the sending of a notification when a problem arises. Know how to configure ISA Server to send an e-mail message if this occurs. Also be familiar with ISA logging and how to make the log files write to an ODBC data source, particularly Microsoft SQL Server.
It’s useful when working with ISA Server to remember the tried and true command-line utilities like PING, NSLOOKUP and NETSTAT. You should be able to view incoming connections and understand how to stop them if necessary. Also learn how to use telnet to access a specific port to ensure it’s functioning properly. Know how to fix protocols when they’re not responding as well.
Tip: Study intrusion detection and all of its settings very well.
Of course, keeping the boss informed about corporate security and proxy server use is also important. ISA Server comes with some canned reports, which means you won’t have to explain esoteric technical concepts. They provide a simple graphical view of what’s occurring at the specified time. Learn how to run reports and export them.
Finally, make sure you understand general tuning practices of the Win2K Server family. Be able to spot when to add memory, a new hard drive, a faster hard drive, or an additional processor to a Win2K server that has ISA Server installed.
Tip: You can find online documentation for ISA Server here.
Spend Time with ISA Server
Before tackling the test, I’d recommend installing ISA Server several times and see what it can do. Configure policies, set up packet filtering and install clients. Work with the configuration of the caching functionality, as easy as it is. As always, experience is the best teacher. Good luck!
Copyright 2001 Microsoft Certified Professional Magazine. Reprinted with permission.
Chris Golubski, MCSE+Internet, MCDBA, MCSD, MCT, MCP+Site Building, is an independent trainer and consultant, and a major techno-geek. When he's not geeking out or studying for an exam, Chris is busy tending to the leaseholder on his apartment, his cat Blackie. Chris also holds Novell, Lotus, Prosoft, Cisco and CompTIA certifications. He welcomes comments and questions at .
More articles by Chris Golubski:
|