Transcript of "ISA Server 2000 Best Practices from the Field". Presenters: Jim Harrison - Microsoft Corp; Jim Edwards - Microsoft Corp.
![Page 1: ISA Server 2000 Best Practices from the Field Presenters: Jim Harrison - Microsoft Corp Jim Edwards - Microsoft Corp.](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d885503460f94a6ca75/html5/thumbnails/1.jpg)
ISA Server 2000 Best Practices from the Field
Presenters: Jim Harrison - Microsoft Corp
Jim Edwards - Microsoft Corp

Page 2
Agenda
Introduction (Jim Harrison)
Security (Jim Harrison)
Reliability (Jim & Jim)
Performance (Jim Edwards)
Q&A

Page 3
Security
Windows Configuration
Domain Association
Perimeter Network Scenarios
ISA Configuration
ISA Policies
ISA Logs
References

Page 4
Windows Configuration
Patches, Patches, PATCHES!
Security checklists on
– Technet
– ISAServer.org
– NSA

Page 5
Windows Configuration
ISA Service Dependencies
– ISA Server Packet Filter Extension (mspfltex)
– Remote Access Connection Manager (rasman)
– WMI Driver Extensions (wmi)
DCOM is required for ISA

Page 6
Windows Configuration
Service Dependencies created by ISA
– ICS (sharedaccess) depends on Microsoft Firewall (fwsrv)
– Routing and Remote Access (remoteaccess) depends on ISA Control (isactrl)

Page 7
Non-Domain
Diagram: LAN Domain; ISA Server(s)

Page 8
Separate Domains (Forests)
Diagram: ISA Domain, LAN Domain; one-way trust from ISA to LAN

Page 9
Same Forest, Separate Domains
Diagram: ISA Domain and LAN Domain under a common Domain (Forest) root; implicit two-way trust

Page 10
Single Domain
Diagram: ISA / LAN Domain

Page 11
Two-Tier Perimeter Network
Diagram: LAT Segment, 2nd-Tier Perimeter Network; subnets 192.168.0/24, 192.168.1/24, 123.123.123/24

Page 12
Third-leg Perimeter Network
Diagram: LAT Segment, External Subnet; subnets 192.168.0/24, 123.123.123/24, 123.123.123/25

Page 13
LAT Perimeter Network
Diagram: LAT Segments 192.168.0/24 and 192.168.1/24; IPSec / RRAS IP Filters

Page 14
Cache mode
IP packet filtering NOT available
LAT / LDT NOT available
Outgoing and Incoming Web Requests listener configurations
Best behind another (ISA) firewall

Page 15
Firewall & Integrated modes
IP Filtering makes this the most secure
User- / group-based non-web traffic rules
Single-NIC installation is NOT supported without dialup as external
LAT configuration

Page 16
LAT Configuration
(screenshots) Right / Wrong

Page 17
IP Packet Filtering
(screenshots) Right / Wrong

Page 18
IP Packet Filtering
(screenshots) Right / Wrong

Page 19
Admin Rights
(screenshots) Right / Right?

Page 20
Protocol Rules
(screenshot) Right

Page 21
Protocol Rules
(screenshot) Wrong

Page 22
Site & Content Rules
(screenshot) Anonymous

Page 23
Site & Content Rules
(screenshot) Unfiltered

Page 24
Server Publishing

Page 25
Incoming Web Listeners
(screenshots) Right? / Right

Page 26
Web Publishing
(screenshots) Wrong / Right

Page 27
Web Publishing

Page 28
Web Publishing

Page 29
ISA Logs
Other Server Logs
– SMTP, DNS, etc.
Forensic Analysis
– Securityfocus.com article
Legal Evidence
– Computer Forensics
– Trail of Evidence

Page 30
IP Packet Filter Logs
External scans, attacks, spoofs
Log field selections
– Payload is limited to the first 256 bytes

Page 31
IP PF Log Examples
source-ip        destination-ip  proto  param#1  param#2  flags
68.124.157.106   123.123.123.10  Tcp    1646     17300    SYN
193.179.148.234  123.123.123.12  Tcp    4738     22       SYN
209.221.223.108  123.123.123.10  ICMP   8        0
209.221.223.108  123.123.123.11  ICMP   8        0
209.221.223.108  123.123.123.12  ICMP   8        0
209.221.223.108  123.123.123.13  ICMP   8        0
62.111.208.195   123.123.123.10  Tcp    2736     135      SYN
62.111.208.195   123.123.123.11  Tcp    2737     135      SYN
62.111.208.195   123.123.123.12  Tcp    2738     135      SYN
62.111.208.195   123.123.123.13  Tcp    2739     135      SYN

Page 32
IP PF Log Bonus Slide
211.41.55.136    123.123.123.11  Tcp    3127     3127     SYN
211.41.55.136    123.123.123.12  Tcp    3135     3127     SYN
211.41.55.136    123.123.123.13  Tcp    3140     3127     SYN
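Added example, not from the deck: a Python detector that reads packet-filter lines in the field order of the two preceding slides and reports any source that touched several destinations with the same destination port or ICMP type, which is the horizontal-sweep pattern those slides illustrate (the bonus slide's TCP 3127 is the port the MyDoom backdoor listened on). The sample lines are constructed from the slides; the three-target threshold and the reading of param#1/param#2 as source/destination port (TCP) or type/code (ICMP) are assumptions.

```python
from collections import defaultdict

# Constructed sample in the slide's field layout:
# source-ip destination-ip proto param#1 param#2 flags
# Assumption: for TCP, param#1 is the source port and param#2 the destination
# port; for ICMP they are the type and code, and there is no flags field.
SAMPLE_LOG = """\
68.124.157.106 123.123.123.10 Tcp 1646 17300 SYN
193.179.148.234 123.123.123.12 Tcp 4738 22 SYN
209.221.223.108 123.123.123.10 ICMP 8 0
209.221.223.108 123.123.123.11 ICMP 8 0
209.221.223.108 123.123.123.12 ICMP 8 0
209.221.223.108 123.123.123.13 ICMP 8 0
62.111.208.195 123.123.123.10 Tcp 2736 135 SYN
62.111.208.195 123.123.123.11 Tcp 2737 135 SYN
62.111.208.195 123.123.123.12 Tcp 2738 135 SYN
62.111.208.195 123.123.123.13 Tcp 2739 135 SYN
211.41.55.136 123.123.123.11 Tcp 3127 3127 SYN
211.41.55.136 123.123.123.12 Tcp 3135 3127 SYN
211.41.55.136 123.123.123.13 Tcp 3140 3127 SYN
"""


def parse_pf_line(line):
    """Split one packet-filter line into a dict, or None for a malformed line."""
    parts = line.split()
    if len(parts) < 5:
        return None
    return {"src": parts[0], "dst": parts[1], "proto": parts[2].upper(),
            "p1": parts[3], "p2": parts[4],
            "flags": parts[5] if len(parts) > 5 else ""}


def find_sweeps(log_text, min_targets=3):
    """Group lines by (source, protocol, service) and report every group that
    reached at least min_targets distinct destinations. 'service' is the
    destination port for TCP/UDP and the type/code pair for ICMP, so an ICMP
    echo sweep and a single-port SYN sweep are both caught."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_pf_line(line)
        if rec is None:
            continue
        if rec["proto"] == "ICMP":
            service = f"type {rec['p1']}/code {rec['p2']}"
        else:
            service = f"port {rec['p2']}"
        targets[(rec["src"], rec["proto"], service)].add(rec["dst"])
    sweeps = []
    for (src, proto, service), dsts in targets.items():
        if len(dsts) >= min_targets:
            sweeps.append({"src": src, "proto": proto, "service": service,
                           "targets": sorted(dsts)})
    # Widest sweep first; ties broken by source address for stable output.
    sweeps.sort(key=lambda s: (-len(s["targets"]), s["src"]))
    return sweeps


if __name__ == "__main__":
    for s in find_sweeps(SAMPLE_LOG):
        print(f"{s['src']} swept {len(s['targets'])} hosts on "
              f"{s['proto']} {s['service']}")
```

The two single-destination lines (TCP 17300 and TCP 22) fall below the threshold and are not reported; a lower threshold would surface them as well.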

Page 33
Firewall Logs
Internal virus / worms detection
Log field selections
– WP and FW share many logging options

Page 34
Firewall Log Examples
c-ip         r-ip             r-port  cs-prot  s-oper   sc-status
192.168.0.1  123.123.123.123  135     TCP      Connect  13301
192.168.0.1  207.46.245.214   135     TCP      Connect  0
192.168.0.1  207.46.245.214   17300   TCP      Connect  13301
192.168.0.1  207.46.245.214   17300   TCP      Connect  0
192.168.0.1  207.46.245.214   80      TCP      Connect  13301
192.168.0.1  207.46.245.214   80      TCP      Connect  0

Page 35
Web Proxy Logs
Internal, external virus / worms detection
Log field selections

Page 36
Web Proxy Log Examples
CodeRed
<SourceIP> GET www 12202
<SourceIP> GET www 200
Nimda
<SourceIP> GET <ISAExtIP> 12202
<SourceIP> GET <ISAExtIP> 200
Auth Failure
<SourceIP> GET http://www.thatsite.tld 12209
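Added example, not from the deck, covering both the Firewall Log Examples and the Web Proxy Log Examples slides: Python that summarises outbound Connect attempts per internal client against a watchlist of worm-associated ports, and tags web-proxy lines by the 12202/12209 statuses the slides show. The sample lines, the watchlist, the placeholder ISA external IP and the reading of a non-zero sc-status as a non-success are all assumptions.

```python
from collections import defaultdict

# Constructed firewall-log sample in the slide's field order:
# c-ip r-ip r-port cs-prot s-oper sc-status
FW_SAMPLE = """\
192.168.0.1 123.123.123.123 135 TCP Connect 13301
192.168.0.1 207.46.245.214 135 TCP Connect 0
192.168.0.1 207.46.245.214 17300 TCP Connect 13301
192.168.0.1 207.46.245.214 17300 TCP Connect 0
192.168.0.1 207.46.245.214 80 TCP Connect 13301
192.168.0.1 207.46.245.214 80 TCP Connect 0
192.168.0.7 207.46.245.214 443 TCP Connect 0
"""

# Constructed web-proxy sample: client-ip method destination status.
# ISA_EXT_IP is a placeholder for the slide's <ISAExtIP>.
ISA_EXT_IP = "123.123.123.10"
WP_SAMPLE = f"""\
192.168.0.1 GET www 12202
192.168.0.1 GET www 200
192.168.0.3 GET {ISA_EXT_IP} 12202
192.168.0.3 GET {ISA_EXT_IP} 200
192.168.0.9 GET http://www.thatsite.tld 12209
"""

# Outbound destination ports that mark the slide's infected host: 135 (RPC,
# the Blaster/Nachi vector) and 17300 (a known backdoor port). Assumed list.
WORM_PORTS = {135, 17300}


def fw_findings(log_text):
    """Summarise Connect attempts per internal client and return only the
    clients that reached for a watchlisted port. Any sc-status other than 0
    is counted as a non-success; the deck shows 13301 but does not define it."""
    per_client = defaultdict(lambda: {"ports": set(), "hosts": set(), "nonzero": 0})
    for line in log_text.splitlines():
        f = line.split()
        if len(f) != 6 or f[4] != "Connect":
            continue
        c_ip, r_ip, r_port, _proto, _oper, status = f
        e = per_client[c_ip]
        e["ports"].add(int(r_port))
        e["hosts"].add(r_ip)
        if status != "0":
            e["nonzero"] += 1
    findings = {}
    for c_ip, e in per_client.items():
        hit = sorted(e["ports"] & WORM_PORTS)
        if hit:
            findings[c_ip] = {"worm_ports": hit,
                              "hosts": len(e["hosts"]),
                              "nonzero": e["nonzero"]}
    return findings


def wp_findings(log_text, isa_ext_ip=ISA_EXT_IP):
    """Tag web-proxy lines by the ISA status values used on the slide, 12202
    (request denied) and 12209 (authorization required), and separately mark
    requests addressed to the ISA external IP, the Nimda-style pattern shown."""
    tags = defaultdict(set)
    for line in log_text.splitlines():
        f = line.split()
        if len(f) != 4:
            continue
        c_ip, _method, dest, status = f
        if status == "12202":
            tags[c_ip].add("denied")
        elif status == "12209":
            tags[c_ip].add("auth-failure")
        if dest == isa_ext_ip:
            tags[c_ip].add("hit-isa-external-ip")
    return {c: sorted(t) for c, t in tags.items()}


if __name__ == "__main__":
    for c_ip, f in fw_findings(FW_SAMPLE).items():
        print(f"FW {c_ip}: ports {f['worm_ports']} to {f['hosts']} hosts, "
              f"{f['nonzero']} non-success")
    for c_ip, t in wp_findings(WP_SAMPLE).items():
        print(f"WP {c_ip}: {', '.join(t)}")
```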

Page 37
Romper-Room No-No’s
IP Packet Filtering off & IP Routing on
Enable IP Routing via RRAS or TCP/IP
LAT includes external (or DMZ) subnets
Same-subnet on internal / external NICs
FW Client installed on the ISA
“All destinations” web publishing rule

Page 38
Security and Critical Hotfixes
Service Pack 1
– KB 283213 ICMP blocking (Nachi defense)
Post SP1
– KB 319374 & 321846 Web Proxy crash
– MS02-027 BO in Gopher protocol handler
– MS03-009 DoS in DNS IDS filter
– MS03-012 DoS in Firewall Service
– MS03-028 XSS in ISA Error pages
– MS04-001 H.323 Vulnerability

Page 39
Security References
Microsoft checklists and guides:
http://www.microsoft.com/technet/security/chklist/Default.asp
http://www.microsoft.com/technet/security/tools/default.asp
CC configuration
https://s.microsoft.com/isaserver/code/commoncriteria/

Page 40
Security References
NSA configuration
http://www.nsa.gov/snac/win2k/guides/w2k-11.pdf
http://www.nsa.gov/snac/win2k/guides/inf/isa.inf
Log Forensics
http://securityfocus.com/infocus/1712

Page 41
Reliability
Windows Considerations
ISA Server 2000 Firewall Considerations

Page 42
Reliability Windows Settings
NIC binding order
Routing table
Patch Patch Patch!
Redundancy
System Services
Extraneous Services

Page 43
Reliability Windows Settings: NIC Binding Order
Internal
– Top of list
– NO default gateway
– DNS/WINS
External
– Default gateway
– Dial up issues
RAS
– Dial up issues
DMZ
– Doesn’t matter

Page 44
Reliability Windows Settings: Routing Table
Static Routes
– Windows routing table
– RRAS routing table
Dynamic Routes
– VPN issues
VPN Clients
– Mystery of the Windows VPN client gateway

Page 45
Reliability Windows Settings: Patches!
Service Packs
– Install them now
– Latest OS and ISA SP and FP
Hotfixes
– Do you need them?
– What about Windows Update?
Security Updates
– What’s going to break?
Testing lab
– Mirror config in lab
– Don’t let the production network be your regression testing lab

Page 46
Reliability Windows Settings: Redundancy
What are you trying to accomplish?
Web v. Server Publishing Rules
NLB v. Rainwall
– Bidirectional what?
Hardware Load Balancers
– Pay to play
RainConnect
– Redundant Internet connectivity
– Outbound and inbound
NextLAND Proturbo 800

Page 47
Reliability Windows Settings: System Services
Disable Junk Services
– (list several of these)
Determining Required Services
– Disable and test
Remote Registry Service

Page 48
Reliability Windows Settings: Extraneous Software
Server Services
– It’s a firewall, not a firesale
Not a workstation
– No Kazaa
– No VPN client connections
Plug-ins
– Test test test

Page 49
Reliability ISA Settings
Test All Policies
Separate Inbound and Outbound Duties
Backing Up
Caching Arrays

Page 50
Reliability ISA Settings: Field Test All Policies
Protocol Rules
– The dreaded “all open” rule
Site and Content Rules
– Kill anonymous access Site and Content Rules
– Server client address set for anonymous access
Kill the HTTP (Re)Director
– Can’t block via Site/Content rules
Packet Filters
– This ain’t no pix(en)
Web and Server Publishing Rules
– FQDN in Destination Sets
– The mystery of the ephemeral outbound IP address
VMware
– Buy now or pay later

Page 51
Reliability ISA Settings: Separate Inbound and Outbound
Separate Inbound and Outbound Servers
Inbound Servers
– Web Publishing and Memory
– Server publishing performance
Outbound Servers
– Authentication traffic and performance
– Active caching and traffic
Bandwidth
– Kill bandwidth rules

Page 52
Reliability ISA Settings: Backing Up
Integrated Backup Tool
– Who needs ’em?
Import/Export Script
– Different IP address publishing/filters (IP specific)
ISAinfo script (better know everything before you need to restore)
Disk Imaging
– Careful of different hardware
Using VMware Images
– Works great – performance issues

Page 53
Reliability ISA Settings: Caching Array
Caching Array
– Not a fault tolerance scheme
– Load balancing v. load sharing
– The miracle of wpad and autodiscovery

Page 54
Reliability ISA Settings: Autoconfiguration and Autodetection
Wpad
– DHCP
– DNS
Group Policy
IEAK
Registry file
Firewall client installation

Page 55
Reliability Hotfixes
ISA Server Service Pack 1
– http://www.microsoft.com/isaserver/downloads/sp1.asp
ISA Server 2000 Hotfix for Rules Engine and Potential Web Proxy Service Crash
– http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=235B14FB-CDB4-4FCE-BE10-E25F869DD40E
Flaw In ISA Server DNS Intrusion Detection Filter Can Cause Denial Of Service
– http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-009.asp

Page 56
Reliability Hotfixes
Flaw In Winsock Proxy Service And ISA Firewall Service Can Cause Denial Of Service
– http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-012.asp
Update Rollup for ISA Server Services
– http://support.microsoft.com/default.aspx?scid=kb;EN-US;810493

Page 57
Key References
Shinder ISA Server 2000 Section
– www.isaserver.org/shinder
Jim Harrison’s ISAtools Site
– www.isatools.org
ISA Server Performance Best Practices
– http://www.microsoft.com/technet/security/prodtech/ISA/ISAPrfBP.asp?frame=true

Page 58
Performance
Windows Configuration
ISA Configuration

Page 59
Performance; Windows Settings
IP Stack configuration
– TcpTimedWaitDelay & StrictTimeWaitSeqCheck
– Remove QOS when not using ISA Bandwidth Control
Page File
– Separate physical drive
– Not compressed/encrypted volume
Physical memory
– 1024 Meg Minimum
– 3072 Meg Maximum
– /3GB switch – Reverse Web Cache only

Page 60
Performance; Windows Settings
Disk subsystem – Only for Web Cache
– RAID 0 if using RAID
NIC
– Server class, 64-bit PCI-X
– Multiprocessor - HW Interrupt Partitioning
SSL/IPSec Accelerators
– Good only for large number of HTTPS connections
Processors (class / quantity)
– Do not use the ISA server as a workstation

Page 61
Performance; Windows Settings
Domain Topology
– Large number of NTLM authentication requests
– DNS
Logical Network
– Single Default Gateway on ISA Server
Performance; ISA Settings

Rule elements – less granular
– Rule processing cost increases linearly with the number of rules
– Use a small number of rules with large Destination Sets

Enable Kernel Mode Data Pump – IP Routing
– Significant increase for the most capacity-intensive protocols
– Disable filtering of IP fragments

Firewall & Web Proxy service DNS cache
– By default, the services hold the last 3000 DNS records for 6 hours, regardless of TTL
Performance; ISA Settings

Server Publishing
– Non-RPC
– RPC

Web Publishing
– Fewer rules with large Destination Sets: faster, less secure.
– More rules with small Destination Sets: slower, more secure.
– Skip name resolution

Memory usage
– Firewall Service
– Web Service
Performance; ISA Settings

Split purpose
– Web Proxy
– Web Publishing
– Firewall

Logging
– Ideal is off; not going to happen
– If logging fails, ISA stops serving content
– File
– Database

Reporting
– Disable
Performance; ISA Clients

Outbound
– Use the Remote WinSock (RWS) client where possible
– Set web browsers to use the ISA server as Web Proxy
– Streaming media clients
Performance; Registry Re-Cap

Disk
– Disable short name creation:
  HKLM\SYSTEM\CurrentControlSet\Control\FileSystem, DWORD "NtfsDisable8dot3NameCreation" = 0x1
– Disable last access update:
  HKLM\SYSTEM\CurrentControlSet\Control\FileSystem, DWORD "NtfsDisableLastAccessUpdate" = 0x1
– Multiprocessor only – bypass I/O counters:
  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System, DWORD "CounterOperations" = 0x0
Performance; Registry Re-Cap

NTLM authentication
– HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters, DWORD "MaxConcurrentApi" = 0x3 through 0x6

ISA
– Internal DNS cache
  Web Proxy: HKLM\SOFTWARE\Microsoft\Fpc\Arrays\{Array GUID}\ArrayPolicy\WebProxy, DWORD "msFPCDnsCacheSize" & "msFPCDnsCacheTtl"
  Firewall: HKLM\SOFTWARE\Microsoft\Fpc\Arrays\{Array GUID}\ArrayPolicy\Proxy-WSP, DWORD "msFPCDnsCacheSize" & "msFPCDnsCacheTtl"
Performance; Registry Re-Cap

ISA
– Maximum backlog for incoming TCP connections
  Non-RPC: HKLM\System\CurrentControlSet\Services\FWSRV\Parameters, DWORD "ServerMappingBacklog". For an Exchange server 0x50, for a Web server 0xA0.
  RPC: HKLM\Software\Microsoft\FPC\PluginRPC, DWORD "ServerMappingBacklog" and "InterfacesBacklog". For Exchange RPC, "ServerMappingBacklog" = 0xA0 and "InterfacesBacklog" = 0x50.
Performance; Registry Re-Cap

ISA
– Bypass name resolution
  HKLM\SYSTEM\CurrentControlSet\Services\W3Proxy\Parameters, DWORD "SkipNameResolutionForPublishingRules" = 0x1
  HKLM\SYSTEM\CurrentControlSet\Services\W3Proxy\Parameters, DWORD "SkipNameResolutionForAccessAndRoutingRules" = 0x1
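One way to check an ISA host against the values on the four Registry Re-Cap slides, as an added example that is not part of the deck or of ISA Server itself. It assumes PowerShell is available on the host (the deck predates it), that it runs elevated, and, where the slides give a choice of backlog values, it takes the Exchange numbers; the DNS cache values are reported but not prescribed because the slides name them without a number. The slide typos in the value names (NtfsDiable..., NtfsDsiable..., Blacklog) are corrected to the real names.

```powershell
# Added example (not from the deck): audit the registry values listed on the
# "Registry Re-Cap" slides and report where this host differs from them.
# Assumptions: run elevated on the ISA Server 2000 host; PowerShell itself is
# an assumption (the deck predates it). The .NET Registry class is used rather
# than the HKLM: drive because one key name ("I/O System") contains a slash.
# Default is report-only; pass -Apply to write the recommended DWORDs.
param([switch]$Apply)

$HKLM = 'HKEY_LOCAL_MACHINE'

# Baseline taken from the slides. Expected is $null where the deck names the
# value but leaves the number to the administrator. Max marks an allowed range.
$baseline = @(
  @{ Area = 'Disk'; Key = "$HKLM\SYSTEM\CurrentControlSet\Control\FileSystem";
     Name = 'NtfsDisable8dot3NameCreation'; Expected = 0x1 },
  @{ Area = 'Disk'; Key = "$HKLM\SYSTEM\CurrentControlSet\Control\FileSystem";
     Name = 'NtfsDisableLastAccessUpdate'; Expected = 0x1 },
  @{ Area = 'Disk (multiprocessor only)'; Key = "$HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System";
     Name = 'CounterOperations'; Expected = 0x0 },
  @{ Area = 'NTLM'; Key = "$HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters";
     Name = 'MaxConcurrentApi'; Expected = 0x3; Max = 0x6 },          # slide: 0x3 through 0x6
  @{ Area = 'Backlog, non-RPC (Exchange)'; Key = "$HKLM\System\CurrentControlSet\Services\FWSRV\Parameters";
     Name = 'ServerMappingBacklog'; Expected = 0x50 },                 # 0xA0 for a Web server
  @{ Area = 'Backlog, RPC (Exchange)'; Key = "$HKLM\Software\Microsoft\FPC\PluginRPC";
     Name = 'ServerMappingBacklog'; Expected = 0xA0 },
  @{ Area = 'Backlog, RPC (Exchange)'; Key = "$HKLM\Software\Microsoft\FPC\PluginRPC";
     Name = 'InterfacesBacklog'; Expected = 0x50 },
  @{ Area = 'Name resolution'; Key = "$HKLM\SYSTEM\CurrentControlSet\Services\W3Proxy\Parameters";
     Name = 'SkipNameResolutionForPublishingRules'; Expected = 0x1 },
  @{ Area = 'Name resolution'; Key = "$HKLM\SYSTEM\CurrentControlSet\Services\W3Proxy\Parameters";
     Name = 'SkipNameResolutionForAccessAndRoutingRules'; Expected = 0x1 }
)

# DNS cache size/TTL live under each {Array GUID}; enumerate the arrays present.
$arrays = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('SOFTWARE\Microsoft\Fpc\Arrays')
if ($arrays) {
  foreach ($guid in $arrays.GetSubKeyNames()) {
    foreach ($svc in 'WebProxy', 'Proxy-WSP') {           # Web Proxy and Firewall service
      foreach ($v in 'msFPCDnsCacheSize', 'msFPCDnsCacheTtl') {
        $baseline += @{ Area = "DNS cache ($svc)"; Name = $v; Expected = $null;
                        Key = "$HKLM\SOFTWARE\Microsoft\Fpc\Arrays\$guid\ArrayPolicy\$svc" }
      }
    }
  }
  $arrays.Close()
}

function Get-RegistryBaselineAudit {
  param([hashtable[]]$Settings)
  foreach ($s in $Settings) {
    # GetValue returns $null when either the key or the value does not exist.
    $current = [Microsoft.Win32.Registry]::GetValue($s.Key, $s.Name, $null)
    $status = if ($null -eq $current) { 'Missing' }
              elseif ($null -eq $s.Expected) { 'Present (review value)' }
              elseif ($s.ContainsKey('Max') -and $current -ge $s.Expected -and $current -le $s.Max) { 'OK' }
              elseif ($current -eq $s.Expected) { 'OK' }
              else { 'Differs' }
    [pscustomobject]@{ Area = $s.Area; Name = $s.Name; Current = $current;
                       Expected = $s.Expected; Status = $status; Key = $s.Key }
  }
}

function Set-RegistryBaseline {
  param([hashtable[]]$Settings)
  foreach ($s in $Settings) {
    if ($null -eq $s.Expected) { continue }   # nothing prescribed for this value
    # SetValue creates the key when it is missing and writes a REG_DWORD.
    [Microsoft.Win32.Registry]::SetValue($s.Key, $s.Name, [int]$s.Expected,
                                         [Microsoft.Win32.RegistryValueKind]::DWord)
  }
}

$report = Get-RegistryBaselineAudit -Settings $baseline
$report | Format-Table Area, Name, Current, Expected, Status -AutoSize

if ($Apply) {
  Set-RegistryBaseline -Settings $baseline
  # Most of these are read at service start or boot, so re-run the audit after
  # restarting the ISA services (or the server) to confirm they took effect.
  Get-RegistryBaselineAudit -Settings $baseline | Where-Object { $_.Status -ne 'OK' } | Format-Table -AutoSize
}
```

Run it without parameters first and review the Differs and Missing rows before using -Apply; the MaxConcurrentApi check accepts any value in the slide's 0x3 to 0x6 range, while -Apply writes the low end of that range.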
Performance; References

Windows

Disk
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/serverop/part2/sopch08.asp

System
http://support.microsoft.com/default.aspx?scid=kb;en-us;171793
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/serverop/part2/sopch10.asp
Performance; References

ISA
http://www.microsoft.com/technet/security/prodtech/ISA/ISAPrfBP.asp
http://www.isaserver.org/tutorials/ISA_Clients__Part_1__General_ISA_Server_Configuration.html
http://support.microsoft.com/default.aspx?scid=kb;en-us;326040
http://support.microsoft.com/default.aspx?scid=kb;en-us;291427
http://support.microsoft.com/default.aspx?scid=kb;en-us;292018
Q & A