
Microsoft Virtual Labs

Virtual Lab Express: Introduction to ISA Server 2006

Table of Contents
Virtual Lab Express: Introduction to ISA Server
Exercise 1 Ease of Use: Single Rule Base
Exercise 2 Ease of Use: Monitoring

Virtual Lab Express: Introduction to ISA Server

Objectives
After completing this lab, you will have a better understanding of:
• How ISA Server uses a single list of firewall rules.
• How ISA Server uses monitoring.

Estimated Time to Complete This Lab: 20 Minutes

Computer used in this Lab: Denver, Paris, Istanbul

The password for the Administrator account on this computer is: password.


Exercise 1
Ease of Use: Single Rule Base

Scenario
In this exercise, you will explore how ISA Server uses a single list of firewall rules.

Complete the following 6 tasks on: Paris

1. On the Paris computer, explore the single firewall policy rule list.
   Create an access rule:
   Name: Allow Web traffic to Internet
   Applies to: HTTP
   From network: Internal
   To network: External

   Note: Perform the following steps on the Paris computer.
   a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
   Note: ISA Server uses a single rule list for access rules and publishing rules.
   b. In the right pane, on the Firewall Policy tab, select Default rule.
   Note: New rules are added to the rule list before the currently selected rule. Although it does not make a difference when only the default rule exists, it is a good practice to always explicitly select an existing rule, before creating a new rule.
   c. In the task pane, on the Tasks tab, click Create Access Rule.
   d. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow Web traffic to Internet, and then click Next.
   e. On the Rule Action page, select Allow, and then click Next.
   f. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.
   Note: The Add Protocols dialog box appears.
   g. In the Add Protocols dialog box, click Web, click HTTP, and click Add, and then click Close to close the Add Protocols dialog box.
   h. On the Protocols page, click Next.
   i. On the Access Rule Sources page, click Add.
   Note: The Add Network Entities dialog box appears.
   j. In the Add Network Entities dialog box, click Networks, click Internal, and click Add, and then click Close to close the Add Network Entities dialog box.
   k. On the Access Rule Sources page, click Next.
   l. On the Access Rule Destinations page, click Add.
   Note: The Add Network Entities dialog box appears again.
   m. In the Add Network Entities dialog box, click Networks, click External, and click Add, and then click Close to close the Add Network Entities dialog box.
   n. On the Access Rule Destinations page, click Next.
   o. On the User Sets page, click Next.
   p. On the Completing the New Access Rule Wizard page, click Finish.
   Note: A new firewall policy rule is created that allows the HTTP protocol from the Internal network to the External network for all users. The External network represents the Internet.
   Note: Notice that the new rule has not been applied yet.
   q. Do NOT click Apply to apply the new rule.

2. Add the HTTPS and FTP protocol to the Allow Web traffic to Internet access rule.

   a. In the task pane, on the Toolbox tab, in the Protocols section, click Web.
   Note: The Web protocol list opens up. The list includes HTTPS and FTP.
   b. Drag HTTPS from the Toolbox to HTTP in the Protocols column of the Allow Web traffic to Internet access rule.
   Note: The HTTPS protocol is added to the access rule.
   c. Drag FTP from the Toolbox to HTTP/HTTPS in the Protocols column of the Allow Web traffic to Internet access rule.
   Note: The FTP protocol is added to the access rule.
   d. Click the box with the minus-sign in front of the Allow Web traffic to Internet access rule to display the access rule with multiple protocols on a single line.
   Note: Instead of dragging protocols from the toolbox to configure a firewall policy rule, you can also right-click on the rule, and select Properties, as is shown in the next task.

3. Explore the properties of the Allow Web traffic to Internet access rule.

   a. Right-click the Allow Web traffic to Internet access rule, and then click Properties.
   b. In the Allow Web traffic to Internet Properties dialog box, on the Protocols tab, click Add.
   c. In the Add Protocols dialog box, click Common Protocols.
   Note: You can add any TCP/UDP protocol to the access rule. You can also add non-TCP/UDP protocols, such as Ping (ICMP) to the access rule.
   d. Click Close to close the Add Protocols dialog box.
   e. On the To tab, click Add.
   Note: Instead of applying the access rule to traffic to all destinations on the External network, you can limit access to specific destinations by using any of the other network entities (Computers, Address Ranges, Subnets, Domain Name Sets, URL Sets and Computer Sets).
   f. Click Close to close the Add Network Entities dialog box.
   g. On the From tab, click Add.
   h. In the Add Network Entities dialog box, click Networks.
   Note: The Local Host network (representing the ISA Server computer) can be used as the source network in an access rule.
   i. Click Close to close the Add Network Entities dialog box.
   j. Click Cancel to close the Allow Web traffic to Internet Properties dialog box.

4. Explore the HTTP protocol scanning features of the Allow Web traffic to Internet access rule.
   For demonstration purposes, configure the rule to block HTTP traffic from MSN Messenger.
   HTTP Header:
   - User-Agent: MSMSGS

   a. Right-click the Allow Web traffic to Internet access rule, and then click Configure HTTP.
   b. In the Configure HTTP policy for rule dialog box, examine the five tabs with the HTTP filter settings.
   Note: ISA Server examines the contents of all HTTP traffic. This is called application level filtering, or content filtering. HTTP packets that do not meet the specifications on the General tab are blocked.
   Note: Many applications use HTTP as their transport protocol or even as tunnel protocol, because the HTTP port 80 is configured to be allowed through most firewalls. Application level filtering can block HTTP traffic that does not conform to the protocol specification or unwanted HTTP applications or content.
   These settings, such as limiting the maximum URL length, would have blocked the exploitation of vulnerabilities described in more than 40 different Microsoft Security Bulletins, between MS98-003 and now.
   c. On the Signatures tab, click Add.
   d. In the Signature dialog box, complete the following information:
      • Name: MSN Messenger traffic
      • Search in: Request headers
      • HTTP Header: User-Agent
      • Signature: MSMSGS
      and then click OK.
   e. Click OK to close the Configure HTTP policy for rule dialog box.
   Note: The Allow Web traffic to Internet access rule will allow HTTP traffic from a Web browser, but it will block HTTP traffic from MSN Messenger.

5. Explore the System Policy Rules in the Firewall Policy.

   a. In the left pane, ensure that Firewall Policy is selected.
   b. In the task pane, on the Tasks tab, click Show System Policy Rules.
   Note: In the right pane, 30 predefined access rules to or from the Local Host network (ISA Server computer) are shown. These are called System Policy Rules.
   Note: ISA Server 2006 Enterprise Edition has four more system policy rules (31 to 34) which specifically apply to traffic to and from ISA Server arrays.
   c. In the task pane, on the Tasks tab, click Edit System Policy.
   Note: The System Policy Editor dialog box appears. You can only make minimal changes to the system policy rules, but you can enable or disable most system policy rules.
   d. Click Cancel to close the System Policy Editor dialog box.
   e. In the task pane, on the Tasks tab, click Hide System Policy Rules.
   Note: The following task is needed to avoid conflicts with other lab exercises.

6. Discard the Allow Web traffic to Internet access rule.

   a. In the right pane, click Discard to remove the unsaved Allow Web traffic to Internet access rule.
   b. Click Yes to confirm that you want to discard the changes.
   c. If you clicked Apply during this exercise, the access rule is saved. Right-click the access rule, click Delete, and then click Apply and OK to delete the access rule again.
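
The request checks configured in task 4 (a maximum URL length and a signature searched in a request header) can be modeled in a few lines. This is an added example, not ISA Server code and not part of the original lab; the class and function names, the 10240-byte URL limit, the case-sensitive substring match and the sample requests are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Signature:
    name: str      # label shown when the signature blocks a request
    header: str    # request header to search, e.g. "User-Agent"
    pattern: str   # text to look for in that header's value

@dataclass
class HttpPolicy:
    max_url_length: int = 10240   # assumed limit for this example
    signatures: list = field(default_factory=list)

def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, url, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("malformed header line")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return parts[0], parts[1], headers

def evaluate(policy: HttpPolicy, raw: bytes):
    """Return ("allow" | "deny", reason) for one client request."""
    try:
        _method, url, headers = parse_request(raw)
    except ValueError as exc:
        return "deny", str(exc)
    if len(url) > policy.max_url_length:
        return "deny", "URL longer than maximum"
    for sig in policy.signatures:
        for value in headers.get(sig.header.lower(), []):
            if sig.pattern in value:   # assumption: case-sensitive substring match
                return "deny", f"signature: {sig.name}"
    return "allow", "no filter matched"

# Policy from task 4, plus constructed sample requests.
POLICY = HttpPolicy(signatures=[Signature("MSN Messenger traffic", "User-Agent", "MSMSGS")])
BROWSER = (b"GET http://www.example.com/ HTTP/1.1\r\nHost: www.example.com\r\n"
           b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n\r\n")
MESSENGER = (b"POST http://im.example.com/session HTTP/1.1\r\nHost: im.example.com\r\n"
             b"User-Agent: MSMSGS\r\n\r\n")
LONG_URL = b"GET /" + b"A" * 20000 + b" HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
```

Calling evaluate(POLICY, ...) on the three samples allows the browser request and denies the other two, each with the reason for the verdict.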


Exercise 2
Ease of Use: Monitoring

Scenario
In this exercise, you will explore how ISA Server uses monitoring.

Complete the following task on: Paris

1. On the Paris computer, explore the new Monitoring features in ISA Server.

   Note: Perform the following steps on the Paris computer.
   a. On the Paris computer, in the ISA Server console, in the left pane, expand Paris, and then select Monitoring.
   Note: The Monitoring node has multiple tabs that allow you to monitor, control, investigate, troubleshoot and plan firewall operations.
   Note: On the first tab (Dashboard), five of the other tabs are represented by summary boxes. By clicking the header of a summary box, you can go to the corresponding tab to see more details.
   b. Select the Alerts tab.
   Note: The Alerts tab lists events that ISA Server informs you about. You can configure for which types of events ISA Server creates an alert.
   c. Select the Sessions tab.
   Note: The Sessions tab shows the current SecureNAT, Firewall client, Web Proxy client and VPN client sessions. You can also disconnect client sessions on this tab.
   d. Select the Services tab.
   Note: The Services tab displays the status of the Microsoft Firewall service and other related services.
   If you enable the ISA Server for VPN connections, then the Routing and Remote Access service status is also displayed.
   For ISA Server 2006 Enterprise Edition, if you enable NLB integration, then the Network Load Balancing driver status is also displayed.
   e. Select the Reports tab.
   Note: The Reports tab lists the defined usage reports. Reports show you ISA Server activity over time, such as performance and security information. You can also create new reports on this tab.
   f. Select the Connectivity Verifiers tab.
   Note: The Connectivity Verifiers tab allows you to define Connectivity Verifiers. A connectivity verifier periodically connects from the ISA Server to a computer that you specify, to test current connectivity by using either an HTTP GET request, a Ping request, or by attempting to establish a TCP connection to a port that you specify. ISA Server can use connectivity verifiers to alert you if a network connection fails.
   g. Select the Logging tab.
   Note: You may (temporarily) need to close the task pane in order to see the Logging tab.
   Note: The Logging tab is used to configure the Firewall Server log files, and to view the contents of the log files online.
   h. In the task pane, on the Tasks tab, click Configure Firewall Logging.
   Note: ISA Server 2006 logging supports three log storage formats: MSDE Database (*.mdf), SQL Database (ODBC) or File (*.w3c, text).
   i. Click Cancel to close the Firewall Logging Properties dialog box.
   Note: The Logging tab also has a Live display mode that allows you to see the log entries from the ISA Server log files on the screen, immediately after they are written to the log files. If you want to limit the log entries that are displayed to simplify finding specific information in the log files, you can create a filter.
   j. Close the ISA Server console.
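
When logs are stored in the File (*.w3c, text) format, the same kind of filter can be applied offline by reading the field names from the #Fields directive and keeping only matching entries. This is an added example, not part of the original lab or of ISA Server; the function names, the tab-delimited layout, the field names and every value in the sample log are constructed assumptions.

```python
import io

def read_w3c(stream):
    """Yield one dict per entry, keyed by the latest #Fields directive."""
    fields = None
    for line in stream:
        line = line.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other directives carry no entries
        if fields is None:
            raise ValueError("log entry before #Fields directive")
        values = line.split("\t")  # assumption: tab-delimited entries
        if len(values) == len(fields):  # skip truncated or damaged lines
            yield dict(zip(fields, values))

def apply_filter(entries, conditions):
    """Keep entries in which every named field contains the given text."""
    return [e for e in entries
            if all(text in e.get(name, "") for name, text in conditions.items())]

# Constructed sample log; field names and values are assumptions for this example.
SAMPLE_LOG = "\n".join([
    "#Software: constructed sample",
    "#Fields: c-ip\tdate\ttime\tc-agent\tcs-uri\trule\taction",
    "10.1.1.5\t2006-11-01\t09:00:01\tMozilla/4.0 (compatible; MSIE 6.0)"
    "\thttp://www.example.com/\tAllow Web traffic to Internet\tAllowed",
    "10.1.1.8\t2006-11-01\t09:00:04\tMSMSGS"
    "\thttp://im.example.com/session\tAllow Web traffic to Internet\tDenied",
    "10.1.1.8\t2006-11-01\t09:00:09\tMSMSGS\thttp://im.example.com/ses",  # truncated
    "10.1.1.9\t2006-11-01\t09:00:12\t-\t-\tDefault rule\tDenied",
])

def denied_messenger_clients(log_text):
    """Return (client IP, time) for denied entries whose agent contains MSMSGS."""
    entries = read_w3c(io.StringIO(log_text))
    hits = apply_filter(entries, {"c-agent": "MSMSGS", "action": "Denied"})
    return [(e["c-ip"], e["time"]) for e in hits]

if __name__ == "__main__":
    print(denied_messenger_clients(SAMPLE_LOG))
```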
