ISA Server for the Enterprise. Clients Client Overview Internet ISA Server SecureNAT Client Do not...
ISA Server for the Enterprise

Clients

Client Overview
[Diagram labels: Internet, ISA Server]
- SecureNAT Client: does not require you to deploy client software or configure client computers.
- Firewall Client: allows Internet access only for authenticated users.
- Web Proxy Client: improves the performance of Web requests for internal clients.

Configuring Web Proxy Clients
1. Select the Use a proxy server check box.
2. Type the IP address or name of the ISA Server computer in the Address box.
3. Type the port number in the Port box, and then click OK.

[Dialog shown: Local Area Network (LAN) Settings]
- Automatic configuration: "Automatic configuration may override manual settings. To ensure the use of manual settings, disable automatic configuration." Options: Automatically detect settings; Use automatic configuration script.
- Proxy Server: Use a proxy server; Address: 192.168.1.200; Port: 8080; Bypass proxy server for local addresses.
- Buttons: OK, Cancel.

Installing and Configuring Firewall Clients
[Diagram labels: Client Computer, ISA Server; installation sources shown: MSPClnt\Setup.exe, Webinst/default.htm, Group Policy]

Client types
- SecureNAT
  - No client software or configuration
  - Handled by the firewall service
  - HTTP requests are redirected to the web proxy service if the redirector service is enabled
- Firewall client
  - Handled by the firewall service
  - HTTP requests are redirected to the web proxy service if the redirector service is enabled
- Web proxy client
  - Handled by the web proxy service

Authentication
- SecureNAT
  - No user authentication; only the IP address can be used to manage users
- Firewall client
  - Forwards the user credentials
  - Authenticates for all protocols
  - There is one exception
- Web proxy client
  - Forwards the user credentials

Firewall client authentication
- Exemption
- Scenario
  - The user is ONLY a FW client
  - The HTTP redirector filter is enabled
    - It sends the FW clients' HTTP requests to the web proxy
  - The user credentials are lost
    - The firewall service does not forward them
    - The logs show "anonymous ID"
- Solution
  - Configure the redirector to reject HTTP requests from FW and SecureNAT clients
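
A way to spot the credential loss described above in logs, as an added example that is not part of the original slides. The five-field log layout, addresses and user names are constructed assumptions, not ISA Server's log schema.

```python
from collections import defaultdict

# Constructed, simplified log lines (assumed layout, not ISA Server's schema):
#   <service> <client-ip> <user> <protocol> <destination>
SAMPLE_LOG = """\
firewall 10.1.1.21 DOMAIN\\anna telnet 77.1.1.2:23
webproxy 10.1.1.21 anonymous http www.example.com:80
webproxy 10.1.1.22 DOMAIN\\marco http www.example.com:80
firewall 10.1.1.23 - dns 77.1.1.53:53
webproxy 10.1.1.23 anonymous http www.example.net:80
firewall 10.1.1.21 DOMAIN\\anna ftp 77.1.1.9:21
webproxy 10.1.1.21 anonymous http www.example.org:80
"""

def parse(log_text):
    """Yield (service, ip, user, protocol, dest) tuples; skip malformed lines."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) == 5:
            yield tuple(fields)

def is_anonymous(user):
    return user.lower() in ("anonymous", "-")

def find_lost_credentials(log_text):
    """Split anonymous web proxy HTTP entries into two groups.

    redirected:   client IP authenticated to the firewall service elsewhere,
                  so it is a Firewall client whose HTTP went through the
                  redirector and lost its credentials.
    unattributed: no authenticated traffic seen from that IP at all
                  (for example a SecureNAT client); only the IP identifies it.
    """
    entries = list(parse(log_text))
    fw_users = defaultdict(set)
    for service, ip, user, _proto, _dest in entries:
        if service == "firewall" and not is_anonymous(user):
            fw_users[ip].add(user)

    redirected, unattributed = {}, defaultdict(list)
    for service, ip, user, proto, dest in entries:
        if service != "webproxy" or proto != "http" or not is_anonymous(user):
            continue
        if ip in fw_users:
            _users, dests = redirected.setdefault(ip, (sorted(fw_users[ip]), []))
            dests.append(dest)
        else:
            unattributed[ip].append(dest)
    return redirected, dict(unattributed)

if __name__ == "__main__":
    print(find_lost_credentials(SAMPLE_LOG))
```

Once the redirector rejects HTTP from Firewall and SecureNAT clients, the `redirected` group should be empty for new log data.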

Firewall client
- Intercepts all WinSock calls: calls to an external address are redirected to ISA Server
- Layered service provider; works with all IP protocols
- Supports user authentication; permissions can be set per protocol and port
- There is no need to manage addresses

Firewall client operation
Establishing a connection
[Diagram labels: WS app, WSP (Winsock Provider), WinSock, ISA Server (10.1.1.2), Internet Server (77.1.1.2). Messages shown: connect {77.1.1.2:23}; connect to 77.1.1.2:23; [OK - 10.1.1.2:1200]; connect {10.1.1.2:1200}]

Firewall client operation
- Ports used
  - 1745/TCP: configuration refresh
    - MSPCLNT.INI and MSPLAT.TXT
  - 1745/UDP: connection control
    - Negotiation of the data channel
  - Port: data connection

DNS resolution
- SecureNAT
  - Must be able to reach the DNS server; ISA Server does not proxy DNS resolution
  - A DNS protocol rule is required
- Firewall client
  - DNS resolution is performed by ISA Server or by the client
  - Depends on the settings in MSPCLNT.INI
- Web proxy client
  - DNS resolution is performed by ISA Server

DNS configuration
- DNS must be configured correctly
  - On the external adapter of ISA Server if DNS forwarding is not enabled
  - On the internal adapter if an internal DNS server (LAT) can forward to the Internet
  - The adapter on which DNS is configured must be bound first
- Firewall clients are "special"…

DNS configuration
- Firewall client
  - Resolution depends on the per-application settings in MSPCLNT.INI or in Wspcfg.ini
    - Local or proxied
    - Wspcfg.ini is placed in the application's folder and is NOT overwritten by ISA
  - "Common configuration" is local
    - Like SecureNAT
- Error 14120
  - Occurs if the FW client accesses a published server:
    - The traffic leaves and re-enters ISA Server

Demo: managing an Array

Benefits of ISA Server Enterprise Edition
- Scalability: lets you scale ISA Server functionality using arrays, Network Load Balancing, and CARP.
- Distributed and hierarchical cache: increases the performance and fault tolerance of the cache.
- Active Directory: holds the configuration and policy information and is used to apply access controls to users and groups.
- Policy: lets you create policies at the array and enterprise level.

Installing ISA Server in an Array
Start
1. Run Setup + modify the AD schema
2. Install ISA Server as an Array
3. Create the Array
4. Select the Enterprise Policy Settings
5. Select the Custom Policy settings
Finish

Demo: managing an Array

Managing Network Connections
- Routing overview
- Configuring routing for requests from Web Proxy Clients
- Configuring routing for requests from Firewall Clients and SecureNAT Clients
- Automatic Discovery

Routing Overview
[Diagram labels: Corporate Office, Overseas Branch Office, ISA Server, Overseas ISP, Array 1, Array 2, Array 3, Local Requests]

Demo: managing Routing rules

Automatic Discovery
1. The client contacts DNS or DHCP to obtain information about ISA.
2. A WPAD entry on the DHCP or DNS server points to ISA Server.
3. The client retrieves the configuration information from ISA Server.
4. The client forwards Internet requests to ISA Server based on the configuration information.

[Diagram labels: Client; DNS or DHCP Server; ISA Server (isa.domain.msft). DNS entry shown: Alias Name: WPAD; FQDN: isa.domain.msft]

Understanding CARP
[Diagram labels: Internet; Web Proxy Client; array.dll?Get.Info.v1; Server 1, Server 2, Server 3, Server 4, Server 5. Array Membership List: Server 1, Server 2, Server 3, Server 4, Server 5]

Configuring CARP

[Dialog shown: LONDON Properties. Tabs: General, Outgoing Web Requests, Incoming Web Requests, Policies, Auto Discovery, Performance, Security]
- Identification: Use the same listener configuration for all internal IP addresses; Configure listeners individually per IP address
- Listener table columns: Server, IP Address, Display N…, Authentic…, Server C…; row: LONDON, <All inter…, Integrated
- Buttons: Add…, Remove, Edit…
- Enable SSL listeners; TCP port: 8080; SSL port: 8443
- Connections: Ask unauthenticated users for identification; Resolve requests within array before routing; Connection settings: Configure…
- Callout: Select to enable CARP.
- Buttons: OK, Cancel, Apply

[Dialog shown: LONDON Properties. Tabs: General, Array Memberships]
- Intra-array communication: Use this IP address for intra-array communication: 131.107.3.1 (Find…)
- Load Factor: Specify the load factor for this server. This number indicates the relative cache availability of this server compared to the rest of the array members: 100
- Callout: Type a number to set the load factor.
- Buttons: OK, Cancel, Apply
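
How a holder of the array membership list can map every URL to one member, with the load factor weighting each member's share, as an added example that is not from the original slides. It uses weighted rendezvous (highest-random-weight) hashing over SHA-256, the family of schemes CARP belongs to, not the CARP hash function itself; the URLs and the changed load factor are constructed.

```python
import hashlib
import math

def _unit_hash(member, url):
    """Map (member, url) to a float strictly inside (0, 1)."""
    digest = hashlib.sha256(f"{member}\x00{url}".encode()).digest()
    n = int.from_bytes(digest[:8], "big") >> 12      # keep 52 bits
    return (n + 0.5) / 2**52

def pick_member(url, load_factors):
    """Return the array member that owns (caches) this URL.

    Anyone holding the same membership list and load factors computes the
    same answer, so an object is cached on exactly one member.
    """
    def score(member):
        # Weighted rendezvous score: a higher load factor wins more URLs.
        return -load_factors[member] / math.log(_unit_hash(member, url))
    return max(sorted(load_factors), key=score)

def distribution(urls, load_factors):
    """Count how many URLs each member owns."""
    counts = {m: 0 for m in load_factors}
    for u in urls:
        counts[pick_member(u, load_factors)] += 1
    return counts

def remapped(urls, before, after):
    """URLs whose owner changes when the membership list changes."""
    return [u for u in urls if pick_member(u, before) != pick_member(u, after)]

# Constructed sample data: five members at load factor 100, 3000 URLs.
ARRAY = {f"Server {i}": 100 for i in range(1, 6)}
URLS = [f"http://www.example.com/page{i}.htm" for i in range(3000)]

if __name__ == "__main__":
    print(distribution(URLS, ARRAY))
    without_3 = {m: w for m, w in ARRAY.items() if m != "Server 3"}
    print(len(remapped(URLS, ARRAY, without_3)), "URLs move when Server 3 leaves")
```

Only the URLs owned by the departing member move, so the rest of the array keeps its cached content.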

Understanding Network Load Balancing
[Diagram labels: Internet; ISA Server Array (each member with its own Cache); Published Server]

Connecting a Remote Network to a Local Network
[Diagram labels: VPN Tunnel; ISA MILANO; ISA TORINO; Remote Network; Internet; Local Network. Addresses shown: 131.0.0.80, 131.0.0.180, 172.16.0.200, 172.16.0.0, 10.4.100.200]