Table of Contents
Virtual Lab Express: Introduction to ISA Server
Exercise 1 Ease of Use: Single Rule Base
Exercise 2 Ease of Use: Monitoring
Virtual Lab Express: Introduction to ISA Server 2006
The password for the Administrator account on this computer is: password.
Exercise 1
Ease of Use: Single Rule Base
Scenario
In this exercise, you will explore how ISA Server uses a single list of firewall rules.
Tasks Detailed Steps
Internet access rule.
b. Drag HTTPS from the Toolbox to HTTP in the Protocols column of the Allow Web traffic to Internet access rule.
Note: The HTTPS protocol is added to the access rule.
c. Drag FTP from the Toolbox to HTTP/HTTPS in the Protocols column of the Allow Web traffic to Internet access rule.
Note: The FTP protocol is added to the access rule.
d. Click the box with the minus sign in front of the Allow Web traffic to Internet access rule to display the access rule with multiple protocols on a single line.
Note: Instead of dragging protocols from the Toolbox to configure a firewall policy rule, you can also right-click the rule and select Properties, as shown in the next task.
3. Explore the properties of the Allow Web traffic to Internet access rule.
a. Right-click the Allow Web traffic to Internet access rule, and then click Properties.
b. In the Allow Web traffic to Internet Properties dialog box, on the Protocols tab, click Add.
c. In the Add Protocols dialog box, click Common Protocols.
Note: You can add any TCP/UDP protocol to the access rule. You can also add non-TCP/UDP protocols, such as Ping (ICMP), to the access rule.
d. Click Close to close the Add Protocols dialog box.
e. On the To tab, click Add.
Note: Instead of applying the access rule to traffic to all destinations on the External network, you can limit access to specific destinations by using any of the other network entities (Computers, Address Ranges, Subnets, Domain Name Sets, URL Sets and Computer Sets).
f. Click Close to close the Add Network Entities dialog box.
g. On the From tab, click Add.
h. In the Add Network Entities dialog box, click Networks.
Note: The Local Host network (representing the ISA Server computer) can be used as the source network in an access rule.
i. Click Close to close the Add Network Entities dialog box.
j. Click Cancel to close the Allow Web traffic to Internet Properties dialog box.
4. Explore the HTTP protocol scanning features of the Allow Web traffic to Internet access rule. For demonstration purposes, configure the rule to block HTTP traffic from MSN Messenger.
HTTP Header:
- User-Agent: MSMSGS
a. Right-click the Allow Web traffic to Internet access rule, and then click Configure HTTP.
b. In the Configure HTTP policy for rule dialog box, examine the five tabs with the HTTP filter settings.
Note: ISA Server examines the contents of all HTTP traffic. This is called application level filtering, or content filtering. HTTP packets that do not meet the specifications on the General tab are blocked.
Note: Many applications use HTTP as their transport protocol or even as a tunnel protocol, because HTTP port 80 is configured to be allowed through most firewalls. Application level filtering can block HTTP traffic that does not conform to the protocol specification, as well as unwanted HTTP applications or content.
These settings, such as limiting the maximum URL length, would have blocked the exploitation of vulnerabilities described in more than 40 different Microsoft Security Bulletins, between MS98-003 and now.
c. On the Signatures tab, click Add.
d. In the Signature dialog box, complete the following information:
• Name: MSN Messenger traffic
• Search in: Request headers
• HTTP Header: User-Agent
• Signature: MSMSGS
and then click OK.
e. Click OK to close the Configure HTTP policy for rule dialog box.
Note: The Allow Web traffic to Internet access rule will allow HTTP traffic from a
Web browser, but it will block HTTP traffic from MSN Messenger.
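The request-header signature from task 4 and the maximum URL length check mentioned in its notes, modelled as an added Python example (not ISA Server code and not part of the original lab). The 10240 limit, the function names, the sample requests and the plain case-sensitive substring match are assumptions of this sketch.

```python
from dataclasses import dataclass

MAX_URL_LENGTH = 10240  # assumed value for this sketch


@dataclass(frozen=True)
class Signature:
    name: str
    header: str   # request header to search in
    pattern: str  # text that triggers a block


# The signature entered in task 4 (Search in: Request headers).
MSN_SIGNATURE = Signature("MSN Messenger traffic", "User-Agent", "MSMSGS")


def parse_request(raw):
    """Split a raw HTTP request into (method, url, headers)."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, url, _version = lines[0].split(" ", 2)  # ValueError if malformed
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, url, headers


def evaluate(raw, signatures=(MSN_SIGNATURE,), max_url_length=MAX_URL_LENGTH):
    """Return (allowed, reason) for one request."""
    try:
        _method, url, headers = parse_request(raw)
    except ValueError:
        return False, "malformed request line"
    if len(url) > max_url_length:
        return False, "URL exceeds maximum length"
    for sig in signatures:
        # Assumption: plain case-sensitive substring match on the header value.
        if sig.pattern in headers.get(sig.header.lower(), ""):
            return False, "blocked by signature: " + sig.name
    return True, "allowed"


# Constructed sample requests (not captured traffic).
BROWSER = ("GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
           "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n\r\n")
MESSENGER = ("POST /session HTTP/1.1\r\nHost: gateway.example.com\r\n"
             "User-Agent: MSMSGS\r\n\r\n")
LONG_URL = "GET /" + "A" * 20000 + " HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    for label, request in (("browser", BROWSER), ("messenger", MESSENGER), ("long url", LONG_URL)):
        print(label, evaluate(request))
```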
5. Explore the System Policy Rules in the Firewall Policy.
a. In the left pane, ensure that Firewall Policy is selected.
b. In the task pane, on the Tasks tab, click Show System Policy Rules.
Note: In the right pane, 30 predefined access rules to or from the Local Host network (ISA Server computer) are shown. These are called System Policy Rules.
Note: ISA Server 2006 Enterprise Edition has four more system policy rules (31 to 34) which specifically apply to traffic to and from ISA Server arrays.
c. In the task pane, on the Tasks tab, click Edit System Policy.
Note: The System Policy Editor dialog box appears. You can only make minimal changes to the system policy rules, but you can enable or disable most system policy rules.
d. Click Cancel to close the System Policy Editor dialog box.
e. In the task pane, on the Tasks tab, click Hide System Policy Rules.
Note: The following task is needed to avoid conflicts with other lab exercises.
6. Discard the Allow Web traffic to Internet access rule.
a. In the right pane, click Discard to remove the unsaved Allow Web traffic to Internet access rule.
b. Click Yes to confirm that you want to discard the changes.
c. If you clicked Apply during this exercise, the access rule is saved. Right-click the access rule, click Delete, and then click Apply and OK to delete the access rule again.
Exercise 2
Ease of Use: Monitoring
Scenario
In this exercise, you will explore how ISA Server uses monitoring.
Tasks Detailed Steps
i. Click Cancel to close the Firewall Logging Properties dialog box.
Note: The Logging tab also has a Live display mode that allows you to see the log
entries from the ISA Server log files on the screen, immediately after they are written
to the log files. If you want to limit the log entries that are displayed to simplify finding
specific information in the log files, you can create a filter.
j. Close the ISA Server console.