Nội dung Text: Microsofts ISA Server 2004 Firewall phần 5
Configuring the Web Proxy Client
The web proxy client is any system that has been configured to use a proxy for Winsock
applications. This is typically done in the client web browser settings, specifying the IP
address and port number that should be used to access the proxy server. From the ISA
server side, the web proxy configuration is performed by clicking Networks in the
management console to open the Networks configuration screen and then right-clicking
the internal network and selecting Properties, as shown in Figure 8-17.
Figure 8-17. Selecting the Internal Network Properties
[View full size image]
From the Internal Network Properties screen, select the Web Proxy tab and specify
whether to enable web proxy clients (by default, they are enabled) and define the port
number that the clients will connect on. You can click Authentication to define which
users will/will not be permitted access. Figure 8-18 shows the Web Proxy tab.
Figure 8-18. Web Proxy Configuration
Configuring the Firewall Client
Configuring the firewall client is a little bit more involved than the other client
configurations. First, the firewall client must be installed on the client computers. This
can be done in the following manners:
• Via file sharing and manually running the installation
• Via Active Directory Group Policy
• Via silent installation scripts and integration with login scripts
• Via Microsoft Systems Management Server (SMS)
During the firewall client installation, you must specify the ISA server that the firewall
client will get its configuration from. This step allows you to manage the firewall client
configuration at a single location, the ISA Server 2004 firewall itself, and ensure that all
firewall clients receive the same configuration settings.
On the ISA server itself, two general firewall client configuration tasks need to be
Step 1. Configure the general firewall client configurations settings.
Step 2. Configure the firewall client application settings.
The firewall client general configuration is performed in a similar fashion to the web
proxy client configuration. Just right-click the appropriate network in the management
console, choose Properties, and then select the Firewall Client tab, as shown in Figure 8-
Figure 8-19. Firewall Client Tab
Doing so enables you to define settings such as the configuration script that should be
used and whether the client should use a proxy server. In addition, you can specify the
names of domains that the firewall client should not apply to by selecting the Domains
tab and entering the domain name.
The firewall client application settings can be configured by clicking General in the
management console then clicking Define Firewall Client Settings. Doing so launches the
Firewall Client Settings screen, as shown in Figure 8-20. On this screen, you can define
applications that will or will not be permitted to run on the client computer and how
permitted applications will be allowed to communicate on the network. An important
thing to keep in mind is that the application name is a constant; so if the users change the
name of the application (for example, from kazaa.exe to happy.exe), the firewall client
settings no longer apply, because the application name no longer matches the name that
was defined. An alternative is to use third-party products that integrate with Microsoft
ISA Server 2004.
Figure 8-20. Firewall Client Settings Screen
Caching Web Data
Configuring the firewall to cache web data is a straightforward process. In the
management console, navigate to the Cache screen, right-click the server, and choose
Properties to launch the Server Cache Properties screen, as shown in Figure 8-21. Notice
how the Cache icon has a red arrow pointing down, denoting that caching is not currently
Figure 8-21. Launching the Cache Properties Screen
[View full size image]
To enable caching, just select the drives and the maximum cache size and click Set.
When you have finished, click OK and then click Apply to apply the configuration
change to the firewall. You must restart the ISA services before the caching functionality
will be enabled.
When caching has been enabled, you can define rules regarding what data should be
cached and how it should be cached by selecting the Cache Rules tab from the Cache
screen and defining an appropriate rule. Like most other tasks in Microsoft ISA Server
2004, this is a wizard-driven process that is relatively straightforward and easy to
Microsoft ISA Server 2004 Checklist
Enabling and configuring Microsoft ISA Server 2004 can be a relatively complex task. It
is not something that should be performed without extensive planning and design prior to
implementation. To get a basic ISA Server 2004 implementation in place and operational,
the following tasks should be performed:
Step 1. Install the underlying operating system.
Step 2. Ensure that network services such as DNS are functioning properly.
Step 3. Configure routing on the firewall as required.
Step 4. Determine the firewall clients that will be implemented.
Step 5. Determine the edition of Microsoft ISA Server 2004 that is most appropriate
for your environment.
Step 6. Install ISA Server 2004.
Step 7. Harden the appropriate underlying operating system and applications.
Step 8. Configure the system policy rules.
Step 9. Configure access rules (filter outbound access).
Step 10. Configure server publishing rules (filter inbound access).
Step 11. Enable web data caching.
Step 12. Configure the firewall clients accordingly.
Step 13. Perform application filtering.
Step 14. Configure additional functionality (that is, VPN, remote logging, and so on) as