Cita 375
By Mathew
Contents
Section 1: Demilitarized Zone
1.1 Microsoft ISA Servers 2006 ACL
Overview
Procedures
1.2 Visio Diagram
1.3 ACL Rules
1.4 Web Site Redirect
Errors, Difficulties, and Observations
Best Practices
Reference:
Section 2: Demilitarized Zone PIX 501
2.1 PIX
Take away points
Configuration
2.2 Internal PIX configuration
2.3 External PIX configuration
2.4 Web server configuration
2.5 DMZ router PIX Configuration
2.6 Internal PIX Configuration
2.7 Network Diagram
Section 3: Web caching
3.0 ISA Servers 2006 Web caching server
Overview
Procedures
3.1 Visio Diagram
3.2 Setting up clients
3.2.1 Setting Proxy Settings
3.3 Setting up ISA server
3.3.1 Setting Rules
3.3.2 Monitoring tools
3.4.1 Web Chaining
3.4.2 Web Chaining Visio
3.4.3 Initial Configuration
3.4.4 Setting up web chaining
Errors, Difficulties, and Observations
Best Practices
Reference:
Section 4: Caching server
4.1 Linux Ubuntu caching server
Overview
Procedures
4.2 Visio Diagram
4.2 Installation and configuration of squid
4.3 ACL Rules
4.3.1 Block client address
4.3.2 Block web address
4.4 Web Caching
Errors, Difficulties, and Observations
Best Practices
Reference:
Section 5: Application Proxy Server SSL POP3 embedded
5.1 Windows ISA server
Overview
Procedures
5.2 Visio Diagram
5.3 Installing exchange 2003
5.4 Configuring SSL for POP3
5.6 Installing ISA
5.7 Setting up access rules
Section 6: ISA 2006 VPN connection
6.1 Requirements
6.2 Network Map
6.3 Pre-Configuration
6.4 Main ISA Server Setup
6.5 Branch ISA Server Setup
6.6 Testing Connection
Errors, Difficulties, and Observations
Best Practices
Reference:
Section 7: Linux site to site VPN (Webmin)
Overview
Procedures
7.1 Visio Diagram
7.2 Installing Webmin openVPN module
7.3 Configure Firewall allow settings
7.4 Webmin symmetrical key VPN configuration
7.5 Transfer keys to the second server
7.6 Starting the VPN and checking the logs
7.7 Setting enabling Routes and IP Forwarding
7.8 Testing the VPN
7.9 Errors, Difficulties, and Observations
7.10 Best Practices
7.11 Reference:
Section 1: Demilitarized Zone
1.1 Microsoft ISA Servers 2006 ACL
Overview
In this lab we will set up an ISA server with two clients, each of which will have a service that we will deny.
This is meant to demonstrate a DMZ. We will be setting up all the servers and clients in
VirtualBox using a
Procedures
1.2 Visio Diagram
[Visio diagram: Client 1 (rule: allow all except ICMP), AOL, ISA Server and The Internet; addresses shown on the diagram: 10.0.01, 10.0.0.2, 10.0.0.4]
1.3 ACL Rules
1.3.1 AOL TRAFFIC
• If we wanted to block this traffic we would need to create a new rule; this rule would
1.3.2 IGMP
•
1.3.3 Other
We will first need to install IIS to allow for specific internal servers to access the company
website.
Configuration
2.2 Internal PIX configuration
• Configured PIX with internal DHCP
• Configured PIX to receive external IP address
• Set up ACL: allowed web traffic
• Set up NAT
2.3 External PIX configuration
• Configured PIX with internal DHCP
• Configured PIX to receive external IP address
• Set up ACL: allow ICMP and HTTP traffic, deny access to internal network
• Set up static routes to web server
• Set up NAT
[Network diagram (2 cloud, 2 firewall, 2 PC and 1 Master.20 shapes): The Internet (IP: 136.204.X.X) connects to PIXdmz (outside: 136.204.X.X, inside: 10.1.1.1), which fronts the DMZ host (IP: 10.1.1.2); PIXPrivate (outside: 10.1.1.X, inside: 192.168.1.1) sits between the DMZ and the Corporate Network, where Client 1 and Client 2 have IP: 192.168.1.X]
Access-lists shown on the diagram:
access-list internet permit tcp any host 136.204.170.15 eq www
access-list internet permit icmp any any
access-list 100 permit tcp any host 10.1.1.4 eq www
Section 3: Web caching
3.0 ISA Servers 2006 Web caching server
Overview
In this lab we will set up ISA web caching with one client, for which specific websites
will be cached. Then we will use CACHEDIR.exe, which can be found
on Microsoft's site. This is meant to demonstrate web caching using ISA 2006. We will be
setting up all the servers and clients in VirtualBox.
Procedures
3.1 Visio Diagram
[Visio diagram: ISA server with a 100MB cache in front of the 192.168.1.0 network; cache site rules: http://www.worldofwarcraft.com/index.xml and http://www.myspace.com/lastra511; firewall rules: permit all]
• Once you have your server set up you will want to click "define cache drive";
this will allow us to define the parameters of our cache drive, for which we will use
all default settings and set a 100MB drive size.
[Web chaining in action: Offsite Web Caching Server -> To Primary Web Caching Server -> Primary Web Caching Server -> To Internet]
• In the next tab, select what destinations you want chained to the main
site; for this we selected all external networks, so everything going outside
will be chained.
• The next page gives you the options for what the ISA server does with
requests to the previously set destination; here we select "redirect requests to
a specified upstream server".
• The next page asks for the address that you will send the requests to; this
will be either the IP address or the FQDN of the upstream (main site) server.
• The login and password are the credentials for the main site server; the
username goes in a <SERVERNAME>\<ACCOUNT NAME> format, such as
mainsite\administrator.
• For the type of authentication, select "integrated windows".
• The next section describes the action the ISA server takes if it can't access
the main ISA server; in this instance we chose to retrieve requests directly
from the specified destination, i.e. going out to the internet to get the
website.
• All that's left to do is click next a few times and apply the changes, and web
chaining is yours!
• Remember that you may need to configure access permissions on the main
site ISA server to allow access from the offsite server if you have access lists set up.
Best Practices
• Document as you build your lab
Reference:
[Visio diagram: internal network and external network joined through the NET by the squid proxy (visible_hostname WebProxy); ACL rules: block myspace, block facebook]
• Then we will need to edit what port the proxy will listen on. The default port
is TCP port 3128, but we will change it to port 8080.
• We will need to restart the services for these changes to take effect; we can
do that by using the following
• These files allow you to see what has been cached, where it was cached and
what ACL events have occurred.
• The store.log shows which websites have been logged, when, and whether
they have been updated.
• The cache.log shows what squid is doing and how it starts, if there is an error,
and what files are opened and used while it is running.
• The access.log file shows what the ACLs are doing, whether the content is
being retrieved from the cache or whether the request is being sent out to the website.
• The actual cached files can be found in the /var/spool/squid directory.
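To make sense of the access.log entries just described, here is an added Python example that is not part of the lab report: it parses Squid's native access.log format over a few constructed log lines and reports, per client, the cache hits, misses and ACL denials, the overall hit ratio, and which blocked domains the ACLs are catching. The client addresses, URLs and peer addresses in the sample are made-up values.

```python
"""Summarise a Squid access.log: cache hits/misses per client and ACL denials.

Added example, not part of the lab report. Squid's native access.log line is:
  timestamp elapsed client action/status bytes method url ident hierarchy/peer type
TCP_DENIED/403 entries are requests stopped by an http_access rule (e.g. the
lab's myspace/facebook blocks); actions containing HIT were served from cache.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample log: clients behind the lab's proxy in 192.168.1.0, two of
# them hitting the blocked sites. Peer addresses are TEST-NET values, not real hosts.
SAMPLE_ACCESS_LOG = """\
1321005456.123    234 192.168.1.50 TCP_MISS/200 4523 GET http://www.example.com/ - DIRECT/192.0.2.10 text/html
1321005460.001      5 192.168.1.50 TCP_HIT/200 4523 GET http://www.example.com/ - NONE/- text/html
1321005463.777      1 192.168.1.51 TCP_DENIED/403 1720 GET http://www.myspace.com/lastra511 - NONE/- text/html
1321005470.010      1 192.168.1.52 TCP_DENIED/403 1720 GET http://www.facebook.com/ - NONE/- text/html
1321005475.500    180 192.168.1.51 TCP_REFRESH_HIT/304 330 GET http://www.worldofwarcraft.com/index.xml - DIRECT/192.0.2.20 text/xml
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)


def parse_line(line):
    """Return a dict for one access.log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for field in ("elapsed", "status", "bytes"):
        rec[field] = int(rec[field])
    return rec


def parse_log(text):
    """Parse a whole log body, skipping malformed lines."""
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def classify(rec):
    """Map a Squid action code to 'denied', 'hit' or 'miss'."""
    if rec["action"] == "TCP_DENIED":
        return "denied"
    return "hit" if "HIT" in rec["action"] else "miss"


def summarise(records):
    """Per-client counts of hits, misses and ACL denials."""
    per_client = defaultdict(Counter)
    for rec in records:
        per_client[rec["client"]][classify(rec)] += 1
    return dict(per_client)


def hit_ratio(records):
    """Fraction of served (non-denied) requests that were answered from the cache."""
    served = [r for r in records if classify(r) != "denied"]
    if not served:
        return 0.0
    return sum(1 for r in served if classify(r) == "hit") / len(served)


def blocked_domains(records):
    """Which destination hosts the ACLs are denying, and how often."""
    return Counter(urlsplit(r["url"]).hostname
                   for r in records if classify(r) == "denied")


if __name__ == "__main__":
    recs = parse_log(SAMPLE_ACCESS_LOG)
    for client, counts in sorted(summarise(recs).items()):
        print(client, dict(counts))
    print("hit ratio: %.2f" % hit_ratio(recs))
    print("blocked:", dict(blocked_domains(recs)))
```

Point parse_log at the contents of /var/log/squid/access.log to run it against a real proxy; a rising denied count for one client is the quickest sign that an ACL is doing its job (or blocking someone it should not).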
Reference:
Procedures
5.2 Visio Diagram
[Visio diagram: Client (IP address 10.0.0.10/8, running Outlook) exchanging mail traffic with Server (IP address 10.0.0.1, running AD, DNS, Exchange 2003, Certificate Services and ISA 2006)]
In this configuration, all of these services were placed on a single host; however, in a production
environment you would not want to do this.
Exchange has a checklist of what is needed for a successful installation, which it runs when you
start the installer, before it actually starts installing.
• On the first page, select Deploy the First Exchange 2003 server
• After setup completes, you will have successfully installed exchange 2003!
• To get exchange working however, you have to go enable the different
protocols that your clients will use to connect to your server
○ Go to Start => Administrative Tools => Services and enable POP3
and SNMP (or whatever protocols you are going to use).
○ Exchange should now function without SSL
• Click on the certificate button, this will start the wizard to generate your
certificate
○ We will want to create a new certificate
○ We will Prepare the request now, but send it later
○ On the next page, choose a name for the certificate, all the other stuff
can be left default
○ Choose the organization and organization unit; these can be whatever
you feel like naming them (they should be relevant to your cert)
○ Choose the FQDN of your mail server, we used mail.lark.local (mail is
the server name, lark.local is our domain)
○ Set up the location of your server
○ Finally choose where to save the file, by default it is saved in the c:\
drive
○ With this the first step of creating your certificate is complete!
• Now open IE and navigate to http://<servername>/certsrv
○ <servername> should be the name of your certificate server, we used
http://localhost/certsrv
• This brings you to this web page, and the part where you will need the
certificate request that we created earlier through exchange 2003
○ Open that document (located by default under c:\ and named
certreq.txt) and copy the entire contents into the certificate request
area
○ Then select web server from the dropdown menu under certificate
template, and you are good to submit
○ A page should appear telling you that your certificate request has been
issued, on this page select download certificate
○ Save the certificate to your desktop
• We finally reach the part where we issue the certificate to the mail server!
• Go back to the exchange management console, open up the access tab and
click certificates, you should see a window similar to this
• On the next slide, choose the certificate that we downloaded to our desktop
• It should show a summary of the certificate you are installing then finish
• Now, on the access tab of POP3 properties, click on authentication, and check all
of the boxes
• After applying that, click on communication (under secure communication) and
check the require secure channel checkbox
• To test email, go to outlook, create a user profile using default, with the POP3
server and SMTP server the FQDN of your exchange server, then create an email
to yourself
○ (your email address is <accountname>@<domainname> by default in
AD, you can change this through users and computers in AD)
○ You should receive an error
○ This is because SSL isn't set up in Outlook; to do this,
navigate Tools => Accounts => Mail tab => Properties =>
Advanced and check the box for requiring SSL for POP3 (it should
change the port to 995)
• You should now be able to use SSL, accept the certificate when it prompts (after
you attempt to send mail again)
• We will allow the POP3 secure port and SMTP, then click next.
• Next we will enter the IP of our server and specify what external addresses
will be allowed to access our client, as seen below.
• Click next.
• After we apply the changes, the following rule will have been created, which
states that secure POP3 port traffic will be allowed through the firewall to the
outside but all other traffic will be blocked.
Once this is set up, apply the configuration changes in ISA and wait a few minutes for it to
update the rules. Then you should be able to see under the logging when you send an email to
yourself (or any other email) and which access rule is allowing it.
It should be noted that in a configuration where you use different servers for ISA and Exchange,
you will have to set up MX records in DNS pointing to the outside address of your ISA
server.
• You will be creating a range of IP addresses in your internal network that will be reserved
for the VPN connection. If you are going to be using a DHCP server, you don’t need to
do this step
• Then go to the addresses tab; you should see something similar to this below (note that this
class A address is subnetted to a class C address)
• What we are going to do is break this address range up a little bit so that there are
addresses left over in the same address range that ISA can use to assign to the VPN
connections.
• Click Edit and shorten your range to .0 - .50 for your host side (so I will be doing
10.0.1.0 – 10.0.1.50)
• This will leave the address from .51 to .254 as possible VPN connections (really you
could only leave two or so addresses for the VPN connection, but this is easier)
• Now, we will go to Arrays => <server name> => Virtual Private Networks (VPN) and
click on Define Address Assignments
• This is where we set the static IP address assignments for incoming VPN connections
• On the address assignment tab, click Add
○ then select the server name, and for the address range, type .51 - .100 for your
range (mine is 10.0.1.51 – 10.0.1.100) and click ok
• This will open the VPN wizard, where you will have to select a site to site
network name.
○ Unlike most other wizards that come with ISA, this name actually
matters, a user account is going to have to be created with that same
name
• Next is the page where you select your protocol. L2TP has the potential to be
very secure with certificates, but doesn't actually require them right off the
bat, so we'll choose that.
• For the connection owner, you should only have 1 option (your server’s
name) choose that
• For the remote site VPN server, enter either the IP address or the FQDN of the
other ISA server; in our case we will add 192.168.1.11 here
• For remote authentication, this will be the user account that is set up on the
remote server, it would be wise to write this information down
○ For the domain, enter either the server name of your remote ISA
server, or the FQDN that you would use to log ONTO YOUR REMOTE
SERVER
• For setting up authentication, choose pre-shared key, and enter a secure key,
you should also write this down
• This step is important in that you should be sure you are using the correct
addresses here, this will be the address range of your remote sites
internal network, this won’t work at all if you use your local address range
• Since we aren’t performing NLB, uncheck the box on that page
• This is a pretty cool feature that was implemented in ISA 2006 that lets you
create network rules right within the wizard, since you would have to
anyways for this to work, you can leave the default values, and click next
• Select “all outbound traffic” to allow all traffic through your VPN connection
• And you’re finished with the wizard! Review this information to make sure it’s
right, and click finish
• Now we have to create a user account for the Dial-In account
○ To do this, go to Start => right click on My Computer => click Manage =>
go to the Users tab => right click and select New User
• Fill out the information, and make sure to keep this handy, because it will be used
later when setting up the account on the remote site
○ Click create
• Once the account is created right click and go to the Dial-In tab
○ Select allow access, and click apply
• This should be good for the main site setup
You can view the tunnel session being created in the ISA server, under Monitoring => Sessions.
Procedures
7.1 Visio Diagram
[Visio diagram: OpenVPN Server 1 (IP: 192.168.1.71, LAN side IP: 10.0.0.1) and OpenVPN Server 2 (IP: 192.168.1.70, LAN side IP: 10.0.1.1); XP client 1 (IP 10.0.0.2) behind server 1 and XP Client 2 (IP: 10.0.1.2) behind server 2]
http://www.openit.it/index.php/openit_en/content/download/3566/14487/file/openvpn-2.5.wbm.gz
• Once you have downloaded the module we will log in to Webmin through
the browser, which for most people will be https://localhost:10000/. Once
logged in we will want to click Webmin=>Webmin
configuration=>Webmin Modules.
• Once you click Module you will need to browse for the module; if for some
reason something messes up you can click the Delete tab to delete the
module. Once you find the file click Save and the Webmin module should
install; a restart will allow it to show in the Servers tab as seen above.
7.3 Configure Firewall allow settings
• NOTE: this must be done on servers 1 and 2.
• To edit the firewall we will need to allow UDP traffic through port 1194,
because this is the default port used for OpenVPN. It should be noted that
in a production environment a different port should be used.
• sudo ufw allow proto udp from any to any port 1194
• You can use sudo ufw status to see if the port was opened; this may require you to
reboot to take effect.
• If you have a router or other firewall you will need to do the same.
• If at the end you see that you have configured everything and you still can't ping, it is
because you don't have ICMP allowed. You can disable the firewall to see if that is the
issue or not, but it is not recommended.
• sudo ufw disable (this will require a reboot)
• We will then click "New VPN with symmetrical key", which will bring us to the
following
• When you first make the server it will ask you to name it; I happened to
name it test, and I left the port as default for simplicity.
• It is important that you look at the ifconfig addresses: these are going to
be your virtual addresses for your tunnel, and they cannot match our eth0 IPs.
All we have to do is choose two addresses that are in the same subnet as
our eth0 interfaces. For example, the way I did it is that server 1's address is .71,
so I chose .72 for its tunnel address, and on server 2 our eth0 address is .70,
so we are making its tunnel address .69. Then for the remote IP we will
need to put the IP of the remote server. The above is the configuration for
server 1; the addresses will change respectively for server 2. We will need
to change the user and group to root; I did this because the logs when
started told me I didn't have permissions to execute the VPN.
• All these settings can be found in the /etc/openVPN/ directory. The file
that is made when you save is test.ovpn in my case, because that's what I
named the server. But there will also be a test.key which will hold your
2048-bit encryption key. It will also make a test.conf which seems to be a
backup for the test.ovpn; if we were to open up the test.ovpn and compare
it to the Webmin GUI we can see how they relate.
• There are other options that are set by default that I didn't go into, but a quick
Google search would tell you what they do.
• This means that your keys don't match and you need to export and transfer it
again.
• We will be using VSFTP to transfer our file, but a pen drive will do if you have
one.
• I will leave it up to you to figure out how to set up an FTP server; I used this tutorial:
http://linux.about.com/od/ubusrv_doc/a/ubusg20t03.htm
• Once downloaded to server 2 we can copy the .key file to the openVPN directory.
○ sudo cp -i /home/bob/Desktop/test.key /etc/openVPN/
• Just click the red start under actions. If "test" under the name field stays red
after you start the server, then you have set something wrong in the config
file, so go back in and double check your settings. If clicking start
brings you to an ERROR screen, at least for me it was that OpenVPN was
already started and the GUI didn't register it; use the ps -a command to check
this, and you can use kill -s 9 PID to end the OpenVPN service. Once it starts
we should check the log to see what it is doing when starting up. If all goes
as planned you will see the following
• As you can see it encrypted the channel, created a tun0, assigned it an address,
looked for the remote server and connected with it. Most errors will show up
here, like the unauthorized key error, or if you set the tunnel IPs the same as
eth0 on both servers, "which gives you an ip address used inconsistently error."
• Here we can see that we have all the routes that can be accessed by the
computer.
• We can use the following command to add a route for the other network we
are trying to get to:
○ sudo route add -net 10.0.1.0 netmask 255.255.255.0 tun0
• This is only an on-the-fly fix; you will need to edit some files to have it be
permanent, which I will leave up to you to find out.
• Next we need to enable IP forwarding. We can check to see if it is
enabled by using the following command:
○ sudo sysctl net.ipv4.ip_forward
• This will show you a 0, which means it's not enabled; if it is a 1 then you can
skip this part.
○ sudo sysctl -w net.ipv4.ip_forward=1
• This is also an on-the-fly fix and you will need to edit some files to have it be
permanent. Run sysctl net.ipv4.ip_forward again to check that the change took. What
the forwarding does is turn your Linux box into a router, so this will need to
be done on both sides.
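The Webmin symmetrical-key settings and the manual route step above, as an added Python example that is not part of the lab report and not Webmin's output: it builds the test.ovpn text for both servers from the report's addresses, rejects the misconfigurations the log section mentions (tunnel address equal to eth0, both ends on one address, overlapping LANs), and writes the hand-added route into the config so it survives a restart. The names Site, config_error, render and build_site_to_site are chosen here; the key path /etc/openVPN/test.key, port 1194 and all addresses are the report's, and the privilege-drop lines are an assumption in place of the report's user/group root.

```python
"""Generate and sanity-check a pair of OpenVPN static-key (symmetrical key)
configs for the two Webmin servers in this lab.

Added example, not Webmin's output. It encodes the report's findings as checks:
a tunnel address must not equal the server's eth0 address (OpenVPN logs
"ip address used inconsistently"), the two tunnel ends must differ and sit in
one subnet (the report keeps them next to the eth0 addresses), and each side's
'remote' is the other's eth0 address. The route the report added by hand
('route add -net ...') becomes a 'route' directive re-applied on every start.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    host: str   # label only, used as the dict key in build_site_to_site
    eth0: str   # physical address of the server (lab diagram)
    tun: str    # virtual tunnel address chosen for this end
    lan: str    # network behind this server, in CIDR form


# Values taken from the report: server 1 is .71 with tunnel .72 in front of
# 10.0.0.0/24, server 2 is .70 with tunnel .69 in front of 10.0.1.0/24.
SERVER1 = Site("server1", "192.168.1.71", "192.168.1.72", "10.0.0.0/24")
SERVER2 = Site("server2", "192.168.1.70", "192.168.1.69", "10.0.1.0/24")


def config_error(a: Site, b: Site):
    """Return a description of the first misconfiguration found, else None."""
    for s in (a, b):
        if s.tun == s.eth0:
            return f"{s.host}: tunnel address equals eth0 address {s.eth0}"
    if a.tun == b.tun:
        return "both ends use the same tunnel address"
    if a.eth0 == b.eth0:
        return "both ends use the same eth0 address"
    if ipaddress.ip_address(b.tun) not in ipaddress.ip_network(f"{a.tun}/24", strict=False):
        return "tunnel addresses are not in the same /24"
    if ipaddress.ip_network(a.lan).overlaps(ipaddress.ip_network(b.lan)):
        return "the two LANs overlap, so the route directive cannot work"
    return None


def render(local: Site, peer: Site, vpn_name="test", key_dir="/etc/openVPN",
           drop_privileges=True):
    """OpenVPN config text for `local`, tunnelling to `peer`.

    vpn_name and key_dir follow the report (test.key in /etc/openVPN/). The
    report ran the daemon as root; with persist-key/persist-tun it can instead
    drop to nobody after start-up, which is the default here (assumption).
    """
    remote_lan = ipaddress.ip_network(peer.lan)
    lines = [
        f"# {vpn_name}.ovpn on {local.host}: static-key tunnel to {peer.host}",
        "dev tun",
        "proto udp",
        "port 1194",  # OpenVPN default; the report advises another port in production
        f"remote {peer.eth0}",
        f"ifconfig {local.tun} {peer.tun}",
        f"secret {key_dir}/{vpn_name}.key",
        # persistent equivalent of 'route add -net <peer lan> netmask ... tun0'
        f"route {remote_lan.network_address} {remote_lan.netmask}",
        "keepalive 10 60",
        "persist-key",
        "persist-tun",
    ]
    if drop_privileges:
        lines += ["user nobody", "group nogroup"]
    return "\n".join(lines) + "\n"


def build_site_to_site(a: Site, b: Site, **kwargs):
    """Validate the pair and return {host: config_text} for both ends."""
    err = config_error(a, b)
    if err:
        raise ValueError(err)
    return {a.host: render(a, b, **kwargs), b.host: render(b, a, **kwargs)}


if __name__ == "__main__":
    for host, cfg in build_site_to_site(SERVER1, SERVER2).items():
        print(cfg)
```

The matching persistent change for IP forwarding on Ubuntu is the line net.ipv4.ip_forward = 1 in /etc/sysctl.conf, applied with sudo sysctl -p.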
7.11 Reference:
A lot