
ISA Server 2006

Secure Application Publishing Lab Manual

HOL392: Secure Application Publishing and Web Access Protection

Exercise 1  Publishing Exchange Web Access - Certificate Management (page 4)
Exercise 2  Using Cross-Site Link Translation to Publish SharePoint Server (page 11)
Exercise 3  Publishing a Web Farm for Load Balancing (page 15)
Exercise 4  Configuring ISA Server 2006 for Flood Resiliency (page 23)

Lab version 3.0f

HOL392: Secure Application Publishing and Web Access Protection

Lab Setup
To complete each lab module, you need to review the following:

Virtual Server

This lab makes use of Microsoft Virtual Server 2005 R2 SP1, which is an application that allows you to run multiple virtual computers on the same physical hardware. During the lab you will switch between different windows, each of which contains a separate virtual machine running Windows Server 2003. Before you start the lab, familiarize yourself with the following basics of Virtual PC or Virtual Server:

To issue the Ctrl-Alt-Del keyboard combination inside a virtual machine, use <right>Alt-Del instead.

Lab Computers

The lab uses five computers in virtual machines.

Denver.contoso.com (green) is the domain controller for the contoso.com domain on the Internal network. Denver runs DNS, RADIUS, Exchange 2003 SP1 and SharePoint Services 2.0, and is also the Certification Authority (CA).

Istanbul.fabrikam.com (purple) is a Web server and client computer on the External network (Internet). Istanbul runs Outlook 2003. Istanbul is not a member of a domain.

Paris (red) runs ISA Server 2006 Standard Edition. Paris has three network adapters, which connect to the Internal network, the Perimeter network and the External network (Internet). The Perimeter network is not used in this lab.

The computers cannot communicate with the host computer. To allow you to examine and understand the traffic on the network, Microsoft Network Monitor 5.2 (which is part of Windows Server 2003) is installed in each virtual machine.


To start the lab

Before you can do any of the lab modules, you need to log on to the computers. To log on to a computer in a virtual machine:

1. Press <right>Alt-Del (instead of Ctrl-Alt-Del) to open the logon dialog box.
2. Type the following information:
   User name: Administrator
   Password: password
   and then click OK.
3. You can now start with the exercises in this lab manual.

Enjoy the lab!

Comments and feedback

Please send any comments, feedback or corrections regarding the virtual machines or the lab manual to:
Ronald Beekelaar
v-ronb@microsoft.com

Lab version 3.0f



Exercise 1 Publishing Exchange Web Access - Certificate Management
In this exercise, you will enable access to the Exchange Server for clients that use Outlook Web Access (OWA). You configure ISA Server to use SSL Bridging, because you want to encrypt the connection with the SSL protocol (HTTPS), but you also want to inspect the traffic at the ISA Server computer. This exercise also demonstrates the new certificate management functionality of ISA Server 2006.

Note: This lab exercise uses the following computers: Denver - Paris - Istanbul. Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.

Perform the following steps on the Denver computer.

1. On the Denver computer, import the denver.contoso.com Web server certificate from the C:\Tools\Certs folder.
   a. On the Denver computer, use Windows Explorer (or My Computer) to open the C:\Tools\Certs folder. The Certs folder contains a Web server certificate for denver.contoso.com, and a script to import the certificate and private key in the local machine store.
   b. In the Certs folder, right-click denver-certload.vbs, and then click Open.
   c. Click Yes to confirm that you want to import the certificate.
   d. Click OK to acknowledge that the import of the certificate is complete.
   e. Close the Certs folder.

2. Configure IIS to use the denver.contoso.com Web server certificate.
   a. On the Start menu, click Administrative Tools, and then click Internet Information Services (IIS) Manager. The IIS Manager console opens.
   b. In the IIS Manager console, expand DENVER (local computer), expand Web Sites, right-click Default Web Site, and then click Properties.
   c. In the Default Web Site Properties dialog box, on the Directory Security tab, click Server Certificate.
   d. In the Welcome to the Web Server Certificate Wizard dialog box, click Next.
   e. On the Server Certificate page, select Assign an existing certificate, and then click Next.
   f. On the Available Certificates page, select the certificate for denver.contoso.com that has the intended purpose of Server Authentication (do not select a certificate with another intended purpose), and then click Next.
   g. On the SSL Port page, in the SSL port this web site should use text box, type 443, and then click Next.
   h. On the Certificate Summary page, click Next.
   i. On the Completing the Web Server Certificate Wizard page, click Finish. The Default Web Site on Denver can now use the denver.contoso.com Web server certificate for HTTPS connections.
   j. Click OK to close the Default Web Site Properties dialog box.
   k. Close the IIS Manager console.

Perform the following steps on the Paris computer.

3. On the Paris computer, import the mail.contoso.com Web server certificate from the C:\Tools\Certs folder.
   a. On the Paris computer, use Windows Explorer (or My Computer) to open the C:\Tools\Certs folder. The Certs folder contains a Web server certificate for mail.contoso.com, and a script to import the certificate and private key in the local machine store.
   b. In the Certs folder, right-click mail-certload.vbs, and then click Open.
   c. Click Yes to confirm that you want to import the certificate.
   d. Click OK to acknowledge that the import of the certificate is complete.

4. For demonstration purposes, import invalid certificates from the C:\Tools\Certs\Invalid folder.
   a. In the Certs folder, open the Invalid folder. The Invalid folder contains certificates that demonstrate a few common mistakes with using certificates on ISA Server, and a script to import the certificates.
   b. In the Invalid folder, right-click certload-invalid-Paris.vbs, and then click Open.
   c. Click Yes to confirm that you want to import the certificates.
   d. Click OK to acknowledge that the import of the certificates is complete. Later in this exercise, you will see how ISA Server helps identify the invalid certificates.
   e. Close the Invalid folder.

Note: On ISA Server 2006 Enterprise Edition, when you configure a Server Authentication certificate to create SSL connections, the same certificate (same name) must be installed on all array members.

5. Create a new Web listener.
   Name: External Web 443
   SSL: enable
   Network: External
   Compression: disable
   Certificate: mail.contoso.com
   Authentication: HTTP Authentication - Basic

   a. On the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management. The ISA Server console opens.
   b. In the ISA Server console, expand Paris, and then select Firewall Policy.
   c. In the task pane, on the Toolbox tab, in the Network Objects section, right-click Web Listeners, and then click New Web Listener.
   d. In the New Web Listener Definition Wizard dialog box, in the Web listener name text box, type External Web 443, and then click Next.
   e. On the Client Connection Security page, select Require SSL secured connections with clients, and then click Next.
   f. On the Web Listener IP Addresses page, complete the following information:
      Listen on network: External
      ISA Server will compress content: disable
      and then click Next.
   g. On the Listener SSL Certificates page, click Select Certificate. By default, the Select Certificate dialog box only shows the Web server certificates that are installed correctly.
   h. In the Select Certificate dialog box, disable Show only valid certificates. To help you troubleshoot common certificate mistakes, ISA Server lists imported certificates that are not valid. The certificates named cert2.contoso.com to cert5.contoso.com are the invalid certificates that you imported earlier in the exercise.
   i. In the certificates list, select each of the certificates cert2.contoso.com to cert5.contoso.com to see the problem with the certificate. ISA Server can identify the following problems with certificates:
      cert2.contoso.com - The certificate is installed in the current user store, instead of the local machine store.
      cert3.contoso.com - The certificate is installed without a private key.
      cert4.contoso.com - The certificate has expired.
      cert5.contoso.com - The certificate is not yet valid.
      On ISA Server 2006 Enterprise Edition, there is one more certificate problem that is identified: the certificate is not imported on all array members.
   j. In the certificates list, select mail.contoso.com, and then click Select.
   k. On the Listener SSL Certificates page, click Next.
   l. On the Authentication Settings page, complete the following information:
      Authentication method: HTTP Authentication (is default)
      Basic: enable
      Digest: disable (is default)
      Integrated: disable (is default)
      and then click Next.
   m. On the Single Sign On Settings page, click Next.
   n. On the Completing the New Web Listener Wizard page, click Finish. A new Web listener (port 443 on the IP address on the adapter on the External network) with the name External Web 443 is created.

6. Create an OWA mail server publishing rule.
   Name: Publish mail (OWA)
   Version: Exchange Server 2003
   Internal site name: denver.contoso.com
   Public name: mail.contoso.com
   Web listener: External Web 443
   Delegation: Basic Authentication

   a. In the right pane, select the first rule, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.
   b. In the task pane, on the Tasks tab, click Publish Exchange Web Client Access.
   c. In the New Exchange Publishing Rule Wizard dialog box, in the Exchange Publishing rule name text box, type Publish mail (OWA), and then click Next.
   d. On the Select Services page, complete the following information:
      Exchange version: Exchange Server 2003 (is default)
      Outlook Web Access: enable (is default)
      Leave the other check boxes disabled (is default)
      and then click Next.
   e. On the Publishing Type page, select Publish a single Web site, and then click Next.
   f. On the Server Connection Security page, select Use SSL to connect to the published Web server, and then click Next.
   g. On the Internal Publishing Details page, in the Internal site name text box, type denver.contoso.com, and then click Next. The specified name of the Web mail server must match exactly the name in the certificate on the Denver Web server. Otherwise Internet Explorer on the client computers fails to connect, and displays an error message (500 Internal Server Error - The target principal name is incorrect).
   h. On the Public Name Details page, complete the following information:
      Accept requests for: This domain name (type below):
      Public name: mail.contoso.com
      and then click Next. The specified public name must match exactly the name in the certificate on Paris. Otherwise the connecting client computers will display a security alert message (The name on the security certificate is invalid.).
   i. On the Select Web Listener page, in the Web listener drop-down list box, select External Web 443, and then click Next.
   j. On the Authentication Delegation page, select Basic Authentication, and then click Next.
   k. On the User Sets page, click Next.
   l. On the Completing the New Exchange Publishing Rule Wizard page, click Finish. A new Web publishing rule is created, which publishes the three OWA virtual directories on the Web site denver.contoso.com as mail.contoso.com on the External network.

7. Examine the new OWA mail server publishing rule named Publish mail (OWA).
   a. In the right pane, right-click Publish mail (OWA), and then click Properties.
   b. In the Publish mail (OWA) Properties dialog box, select the To tab. OWA requires that the original host headers (https://mail.contoso.com) are forwarded to the published server (Denver).
   c. Select the Traffic tab. The OWA publishing rule only allows HTTPS access, not HTTP access.
   d. Select the Paths tab. The OWA publishing rule only allows access to the three virtual directories needed for OWA (/public, /exchweb and /exchange).
   e. Select the Listener tab. The certificate name (mail.contoso.com) exactly matches the name on the Public Name tab.
   f. Select the Bridging tab. ISA Server redirects incoming requests to the SSL port. It will create a new SSL connection from the ISA Server to Denver. The name on the To tab exactly matches the name in the certificate on Denver.
   g. Click Cancel to close the Publish mail (OWA) Properties dialog box.

8. Apply the new rule.
   a. Click Apply to apply the new rule, and then click OK. The new Publish mail (OWA) rule is applied.
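The checks behind steps 5 and 6, as an added example that is not part of the lab manual or of ISA Server: the four certificate problems the Select Certificate dialog reports, plus the two exact-name requirements of an SSL bridging rule (public name against the listener certificate, internal site name against the published server's certificate). The StoredCert class and the sample certificates are constructed stand-ins for the Windows certificate store.

```python
# Pre-flight check for an SSL-bridged Web publishing rule, modelled on the
# certificate problems ISA Server 2006 reports and on the name matching that
# the Publish mail (OWA) rule depends on. Added example; StoredCert is a
# constructed stand-in for the Windows certificate store.
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class StoredCert:
    """Metadata of a certificate as it sits in a certificate store."""
    subject_name: str          # the name the certificate was issued for
    store: str                 # "LocalMachine" or "CurrentUser"
    has_private_key: bool
    not_before: datetime
    not_after: datetime
    server_auth: bool = True   # intended purpose includes Server Authentication


def certificate_problems(cert: StoredCert, now: datetime) -> list[str]:
    """Reasons a Web listener cannot use this certificate (the problems shown
    for cert2..cert5 plus the intended-purpose check from step 2f).
    An empty list means the certificate is usable."""
    problems = []
    if cert.store != "LocalMachine":
        problems.append("installed in the current user store instead of the local machine store")
    if not cert.has_private_key:
        problems.append("installed without private key")
    if now > cert.not_after:
        problems.append("certificate has expired")
    if now < cert.not_before:
        problems.append("certificate is not yet valid")
    if not cert.server_auth:
        problems.append("intended purpose is not Server Authentication")
    return problems


def bridging_rule_problems(public_name: str, listener_cert: StoredCert,
                           internal_site_name: str, backend_cert: StoredCert,
                           now: datetime) -> list[str]:
    """End-to-end check of an SSL bridging rule. Two names must match exactly:
    the public name against the listener certificate (otherwise the browser
    reports 'The name on the security certificate is invalid'), and the
    internal site name on the To tab against the published server's
    certificate (otherwise '500 Internal Server Error - The target principal
    name is incorrect')."""
    problems = [f"listener certificate: {p}" for p in certificate_problems(listener_cert, now)]
    if listener_cert.subject_name.lower() != public_name.lower():
        problems.append(f"public name {public_name} does not match listener certificate "
                        f"name {listener_cert.subject_name} (client security alert)")
    problems += [f"published server certificate: {p}" for p in certificate_problems(backend_cert, now)]
    if backend_cert.subject_name.lower() != internal_site_name.lower():
        problems.append(f"internal site name {internal_site_name} does not match published server "
                        f"certificate name {backend_cert.subject_name} (target principal name is incorrect)")
    return problems


# Constructed sample data mirroring the lab: valid listener and backend
# certificates, plus the four deliberately invalid ones imported in step 4.
NOW = datetime(2006, 7, 1, tzinfo=timezone.utc)
_ok_from = datetime(2006, 1, 1, tzinfo=timezone.utc)
_ok_until = datetime(2008, 1, 1, tzinfo=timezone.utc)

MAIL_CERT = StoredCert("mail.contoso.com", "LocalMachine", True, _ok_from, _ok_until)
DENVER_CERT = StoredCert("denver.contoso.com", "LocalMachine", True, _ok_from, _ok_until)
INVALID_CERTS = {
    "cert2.contoso.com": StoredCert("cert2.contoso.com", "CurrentUser", True, _ok_from, _ok_until),
    "cert3.contoso.com": StoredCert("cert3.contoso.com", "LocalMachine", False, _ok_from, _ok_until),
    "cert4.contoso.com": StoredCert("cert4.contoso.com", "LocalMachine", True, _ok_from,
                                    datetime(2006, 6, 1, tzinfo=timezone.utc)),
    "cert5.contoso.com": StoredCert("cert5.contoso.com", "LocalMachine", True,
                                    datetime(2007, 1, 1, tzinfo=timezone.utc), _ok_until),
}


def invalid_certificate_report() -> dict[str, list[str]]:
    """What the Select Certificate dialog would show for each invalid certificate."""
    return {name: certificate_problems(cert, NOW) for name, cert in INVALID_CERTS.items()}


if __name__ == "__main__":
    for name, problems in invalid_certificate_report().items():
        print(f"{name}: {'; '.join(problems)}")
    result = bridging_rule_problems("mail.contoso.com", MAIL_CERT,
                                    "denver.contoso.com", DENVER_CERT, NOW)
    print("Publish mail (OWA):", result or "OK")
```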

Perform the following steps on the Denver computer.

9. On the Denver computer, configure IIS to require SSL on the virtual directories used by OWA: /Exchange, /ExchWeb and /Public.
   a. On the Denver computer, on the Start menu, click Administrative Tools, and then click Internet Information Services (IIS) Manager. The IIS Manager console opens.
   b. In the IIS Manager console, expand Default Web Site, right-click Exchange, and then click Properties. /Exchange, /ExchWeb and /Public are the three virtual directories used by Outlook Web Access (OWA).
   c. In the Exchange Properties dialog box, on the Directory Security tab, in the Secure communications box, click Edit.
   d. In the Secure Communications box, enable Require secure channel (SSL), and then click OK. Now that IIS has a Web server certificate configured, only secure access (HTTPS) to the OWA virtual directories should be allowed.
   e. Click OK to close the Exchange Properties dialog box.
   Repeat the same configuration step for the /ExchWeb virtual directory.
   f. Right-click ExchWeb, and then click Properties.
   g. In the ExchWeb Properties dialog box, on the Directory Security tab, in the Secure communications box, click Edit.
   h. In the Secure Communications box, enable Require secure channel (SSL), and then click OK.
   i. Click OK to close the ExchWeb Properties dialog box.
   Repeat the same configuration step for the /Public virtual directory.
   j. Right-click Public, and then click Properties.
   k. In the Public Properties dialog box, on the Directory Security tab, in the Secure communications box, click Edit.
   l. In the Secure Communications box, enable Require secure channel (SSL), and then click OK.
   m. Click OK to close the Public Properties dialog box.
   n. Close the IIS Manager console.

Perform the following steps on the Istanbul computer.

10. On the Istanbul computer, use Internet Explorer to securely connect to https://mail.contoso.com/exchange. Send an e-mail to Administrator to test the secure OWA connection to ISA Server.
   a. On the Istanbul computer, open Internet Explorer. In the Address box, type https://mail.contoso.com/exchange, and then press Enter. An authentication dialog box for mail.contoso.com appears.
      Note: On Istanbul, mail.contoso.com resolves to 39.1.1.1 (Paris).
   b. In the Connect to mail.contoso.com dialog box, complete the following information:
      User name: Administrator
      Password: password
      Remember my password: disable (is default)
      and then click OK. Internet Explorer displays the Outlook Web Access Inbox of the Administrator. The yellow lock icon at the bottom of the screen indicates that the connection uses SSL.
      Note: The root certificate of Denver CA is already installed as a trusted root certificate on Istanbul.
   c. On the OWA toolbar, click New.
   d. In the new message window, complete the following information:
      To: Administrator
      Subject: Test mail through Secure OWA - 1
      (Message): Publish Exchange using Secure OWA
      and then click Send. Internet Explorer sends the message. After a few moments a new message appears in the Inbox. This result shows that Internet Explorer successfully connected to the Exchange Server on Denver, by using a secure OWA connection to ISA Server.
   e. After a few moments, in the left pane, click Inbox to refresh the display of the Inbox contents.
   f. Close Internet Explorer.


Note: In the following steps, HTML Form Authentication is configured. The advantage of using HTML Form Authentication is that the authentication credentials are not cached on the client computer. This is especially important when users are connecting from public computers. The credential information is kept in a (temporary) session cookie while the OWA connection is open.

Perform the following steps on the Paris computer.

11. On the Paris computer, configure the External Web 443 Web listener to use HTML Form Authentication.
   a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
   b. In the task pane, on the Toolbox tab, in the Network Objects section, expand Web Listeners, right-click External Web 443, and then click Properties.
   c. In the External Web 443 Properties dialog box, on the Authentication tab, in the Client Authentication Method drop-down list box, select HTML Form Authentication.
   d. On the Forms tab, click Advanced. HTML Form Authentication allows you to specify idle session timeout values for client browsers on public computers and client browsers on private computers.
   e. Click Cancel to close the Advanced Form Options dialog box.
   f. Click OK to close the External Web 443 Properties dialog box. The Web listener is now configured to use HTML Form Authentication.
   g. Click Apply to save the changes, and then click OK.

Perform the following steps on the Istanbul computer.

12. On the Istanbul computer, use Internet Explorer to securely connect to https://mail.contoso.com/exchange again.
   a. On the Istanbul computer, open Internet Explorer. In the Address box, type https://mail.contoso.com/exchange, and then press Enter. The Office Outlook Web Access authentication Web page appears.
   b. In the Office Outlook Web Access page, complete the following information:
      Security: This is a private computer
      Use Outlook Web Access Light: disable (is default)
      Domain\user name: contoso\administrator
      Password: password
      and then click Log On. When using HTML Form Authentication, the user indicates whether the client browser is on a public computer or on a private computer. Internet Explorer displays the Outlook Web Access Inbox.
   c. Close Internet Explorer.

Note: The following task is needed to avoid conflicts with other lab exercises.

Perform the following steps on the Paris computer.

13. On the Paris computer, configure the External Web 443 Web listener to use Basic authentication.
   a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
   b. In the task pane, on the Toolbox tab, in the Network Objects section, expand Web Listeners, right-click External Web 443, and then click Properties.
   c. In the External Web 443 Properties dialog box, on the Authentication tab, complete the following information:
      Client Authentication Method: HTTP Authentication
      Basic: enable
      Digest: disable (is default)
      Integrated: disable (is default)
      and then click OK to close the External Web 443 Properties dialog box. The Web listener is now configured to use Basic HTTP authentication.
   d. Click Apply to save the changes, and then click OK.


Exercise 2 Using Cross-Site Link Translation to Publish SharePoint Server


In this exercise, you will configure ISA Server to publish a SharePoint Server. The portal Web site contains links to other Web servers. By using cross-site link translation, you can access the links from the published portal Web site.

Note: This exercise applies to new functionality in ISA Server 2006.

Note: This lab exercise uses the following computers: Denver - Paris - Istanbul. Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.

Perform the following steps on the Denver computer.

1. On the Denver computer, connect to http://portal, and examine the links on the Project-D Portal Web site.
   a. On the Denver computer, open Internet Explorer. In the Address box, type http://portal, and then press Enter. Internet Explorer displays a sample Project-D Portal Web site, which runs on Denver on IP address 10.1.1.10.
   b. In the portal Web site, under Shared Documents, move the mouse pointer over Agenda (do not click). In the status bar, notice that the Agenda.doc link refers to http://portal.
   c. Click Agenda.
   d. In the File Download dialog box, click Open to confirm that you want to open the Agenda.doc file. WordPad opens the Agenda.doc file.
   e. Close WordPad.
   f. In the portal Web site, under Links, move the mouse pointer over Research Web Site (do not click). In the status bar, notice that the Research Web Site link refers to http://server1. It is very common that SharePoint sites contain links to other servers on the internal network.
   g. Click Research Web Site. Internet Explorer opens the research.htm file on server1. Server1 is a Web site running on Denver on IP address 10.1.1.21.
   h. On the toolbar, click the Back button.
   i. Close Internet Explorer.

Perform the following steps on the Paris computer.

2. On the Paris computer, create a new Web listener (if this is not done already).
   Name: External Web 80
   SSL: disable
   Network: External
   Compression: disable
   Authentication: none

   a. On the Paris computer, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management. The ISA Server console opens.
   b. In the ISA Server console, expand Paris, and then select Firewall Policy.
   c. In the task pane, on the Toolbox tab, in the Network Objects section, expand Web Listeners (if possible).
      Note: If a Web listener named External Web 80 was already created in an earlier exercise, then you can skip the rest of this task.
   d. If a Web listener named External Web 80 does not exist, then right-click Web Listeners, and then click New Web Listener.
   e. In the New Web Listener Definition Wizard dialog box, in the Web listener name text box, type External Web 80, and then click Next.
   f. On the Client Connection Security page, select Do not require SSL secured connections with clients, and then click Next.
   g. On the Web Listener IP Addresses page, complete the following information:
      Listen on network: External
      ISA Server will compress content: disable
      and then click Next.
   h. On the Authentication Settings page, in the drop-down list box, select No Authentication, and then click Next.
   i. On the Single Sign On Settings page, click Next.
   j. On the Completing the New Web Listener Wizard page, click Finish. A new Web listener (port 80 on the IP address on the adapter on the External network) with the name External Web 80 is created.

3. Create a Web publishing rule to publish a SharePoint server.
   Name: Portal Web Site
   Publishing type: single Web site
   Internal site name: portal
   Public name: portal.contoso.com
   Web listener: External Web 80
   Delegation: none

   a. In the right pane, select the first rule, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.
   b. In the task pane, on the Tasks tab, click Publish SharePoint Sites.
   c. In the New SharePoint Publishing Rule Wizard dialog box, in the SharePoint publishing rule name text box, type Portal Web Site, and then click Next.
   d. On the Publishing Type page, select Publish a single Web site, and then click Next.
   e. On the Server Connection Security page, select Use non-secured connections to connect to the published Web server, and then click Next.
   f. On the Internal Publishing Details page, in the Internal site name text box, type portal, and then click Next.
   g. On the Public Name Details page, in the Public name text box, type portal.contoso.com, and then click Next.
   h. On the Select Web Listener page, in the Web listener drop-down list box, select External Web 80, and then click Next.
   i. On the Authentication Delegation page, select No delegation, and client cannot authenticate directly, and then click Next.
   j. On the Alternate Access Mapping Configuration page, select SharePoint AAM is not yet configured, and then click Next. ISA Server forwards the public name (portal.contoso.com) to the SharePoint site. If SharePoint limits which names can be used to access the site, then you have to add portal.contoso.com to the Extranet URL list (Alternate Access Mapping list) on the SharePoint site.
   k. On the User Sets page, click Next.
   l. On the Completing the New SharePoint Publishing Rule Wizard page, click Finish. A new Web publishing rule is created, which publishes the SharePoint site portal as portal.contoso.com on the External network.

4. Apply the changes.
   a. Click Apply to apply the changes, and then click OK.

Perform the following steps on the Istanbul computer.

5. On the Istanbul computer, connect to http://portal.contoso.com, and examine the links on the Project-D Portal Web site.
   a. On the Istanbul computer, open Internet Explorer. In the Address box, type http://portal.contoso.com, and then press Enter. Internet Explorer displays the sample Project-D Portal Web site. This result demonstrates that you have successfully published the SharePoint site.
   b. In the portal Web site, under Shared Documents, move the mouse pointer over Agenda (do not click). In the status bar, notice that the Agenda.doc link refers to http://portal.contoso.com. The SharePoint publishing rule wizard configured the Web publishing rule to forward the original host header (http://portal.contoso.com) to the SharePoint site. SharePoint uses that information to create URLs that refer to the host name (portal.contoso.com) that the client can use.
   c. Click Agenda.
   d. In the File Download dialog box, click Open to confirm that you want to open the Agenda.doc file. WordPad opens the Agenda.doc file. You can access documents on the published SharePoint Web site, in the same way you can access them on the internal network when connecting to http://portal.
   e. Close WordPad.
   f. In the portal Web site, under Links, move the mouse pointer over Research Web Site (do not click). In the status bar, notice that the Research Web Site link refers to http://server1.
   g. Click Research Web Site. Internet Explorer on Istanbul is not able to resolve the name server1 to connect to the Web server on the internal network.
   h. On the toolbar, click the Back button.
   i. Close Internet Explorer.

Perform the following steps on the Paris computer.

6. On the Paris computer, create a Web publishing rule.
   Name: Server1 Web Site
   Publishing type: single Web site
   Internal site name: server1
   Public name: web1.contoso.com
   Web listener: External Web 80
   Delegation: none

   a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
   b. In the right pane, select the first rule to indicate where the new rule is added.
   c. In the task pane, on the Tasks tab, click Publish Web Sites.
   d. In the New Web Publishing Rule Wizard dialog box, in the Web publishing rule name text box, type Server1 Web Site, and then click Next.
   e. On the Select Rule Action page, select Allow, and then click Next.
   f. On the Publishing Type page, select Publish a single Web site, and then click Next.
   g. On the Server Connection Security page, select Use non-secured connections to connect to the published Web server, and then click Next.
   h. On the Internal Publishing Details page, in the Internal site name text box, type server1, and then click Next.
   i. On the next Internal Publishing Details page, leave the Path text box empty, and then click Next.
   j. On the Public Name Details page, in the Public name text box, type web1.contoso.com, and then click Next.
   k. On the Select Web Listener page, in the Web listener drop-down list box, select External Web 80, and then click Next.
   l. On the Authentication Delegation page, select No delegation, and client cannot authenticate directly, and then click Next.
   m. On the User Sets page, click Next.
   n. On the Completing the New Web Publishing Rule Wizard page, click Finish. A new Web publishing rule is created, which publishes the Web site server1 as web1.contoso.com on the External network.

7. Apply the changes.
   a. Click Apply to apply the changes, and then click OK.

8. Examine the list of per-server link translation mappings.
   a. In the left pane, expand Configuration, and then click General.
   b. In the right pane, click Configure Global Link Translation. ISA Server 2006 maintains a per-server (or per-array) list of URL text replacement mappings that are applied to the content of HTTP response packets through any Web publishing rule in the array.
   c. Select the Global Mappings tab. The mappings are created automatically based on the internal site name and the public name of existing Web publishing rules, but you can also add custom mappings. The mapping to replace http://server1/ with http://web1.contoso.com/ is based on the new Server1 Web Site rule, and will be used by the Portal Web Site rule.
   d. Click Cancel to close the Link Translation dialog box.

Note: On ISA Server 2006 Enterprise Edition, you can enable link translation across arrays. This means that an array can use link translation entries from other arrays in the same Enterprise.

Perform the following steps on the Istanbul computer.

9. On the Istanbul computer, connect to http://portal.contoso.com, and examine the links on the Project-D Portal Web site.
   a. On the Istanbul computer, open Internet Explorer. In the Address box, type http://portal.contoso.com, and then press Enter. Internet Explorer displays the sample Project-D Portal Web site. The site is published through the Portal Web Site publishing rule.
   b. In the portal Web site, under Links, move the mouse pointer over Research Web Site (do not click). In the status bar, notice that the Research Web Site link refers to http://web1.contoso.com. The Portal Web Site rule used the link translation entry from the Server1 Web Site rule.
   c. Click Research Web Site. Internet Explorer displays the Research Web page from Server1. The site is published through the Server1 Web Site publishing rule.
   d. On the toolbar, click the Back button.
   e. Close Internet Explorer.
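The mechanism examined in step 8 and observed in steps 5 and 9, as an added example that is not code from the lab manual or from ISA Server: the Global Mappings list is derived from the internal site name and public name of each Web publishing rule in the array, and every rule's HTTP responses are rewritten with the whole list, so the Server1 Web Site rule's mapping fixes the link inside the portal page. The rule class and the portal page body are constructed for this illustration.

```python
# Model of ISA Server 2006 global link translation. Added example; the
# WebPublishingRule class and PORTAL_PAGE are constructed stand-ins for the
# array configuration and for the Project-D Portal response body.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class WebPublishingRule:
    name: str
    internal_site_name: str   # name on the To tab, e.g. server1
    public_name: str          # name on the Public Name tab, e.g. web1.contoso.com
    scheme: str = "http"


def global_mappings(rules, custom=None):
    """Build the Global Mappings list: for every rule, <scheme>://<internal>/
    is replaced by <scheme>://<public>/. Custom mappings, which the dialog
    also allows, are merged on top of the automatic ones."""
    mappings = {f"{r.scheme}://{r.internal_site_name}/": f"{r.scheme}://{r.public_name}/"
                for r in rules}
    if custom:
        mappings.update(custom)
    return mappings


def translate_links(body: str, mappings) -> str:
    """Apply the mappings to one HTTP response body. Longer prefixes are tried
    first so that a mapping for http://server1/ never rewrites part of a link
    to http://server10/, and host names are matched case-insensitively."""
    if not mappings:
        return body
    ordered = sorted(mappings, key=len, reverse=True)
    pattern = re.compile("|".join(re.escape(k) for k in ordered), re.IGNORECASE)
    lower = {k.lower(): v for k, v in mappings.items()}
    return pattern.sub(lambda m: lower[m.group(0).lower()], body)


PORTAL_RULE = WebPublishingRule("Portal Web Site", "portal", "portal.contoso.com")
SERVER1_RULE = WebPublishingRule("Server1 Web Site", "server1", "web1.contoso.com")

# Constructed response body standing in for the portal page. In the lab,
# SharePoint already emits the Agenda link with the forwarded host header;
# the link to server1 is the one that only link translation can fix.
PORTAL_PAGE = (
    '<a href="http://portal/Shared Documents/Agenda.doc">Agenda</a>\n'
    '<a href="http://server1/research.htm">Research Web Site</a>\n'
    '<a href="http://server10/notes.htm">Unrelated server</a>\n'
)


def publish_portal(rules) -> str:
    """The portal page as an external client receives it when only the given
    rules exist in the array (the Portal Web Site rule uses all mappings)."""
    return translate_links(PORTAL_PAGE, global_mappings(rules))


if __name__ == "__main__":
    print("--- after step 4 (Portal Web Site rule only) ---")
    print(publish_portal([PORTAL_RULE]))
    print("--- after step 7 (Server1 Web Site rule added) ---")
    print(publish_portal([PORTAL_RULE, SERVER1_RULE]))
```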


Exercise 3 Publishing a Web Farm for Load Balancing


In this exercise, you will publish two Web servers (10.1.1.21 and 10.1.1.22) as a Web farm. ISA Server load balances Web requests to servers in a Web farm. The exercise uses both Cookie-Based Load Balancing and Source-IP Based Load Balancing.

Note: This exercise applies to new functionality in ISA Server 2006.

Note: This lab exercise uses the following computers: Denver - Paris - Istanbul. Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.

Perform the following steps on the Paris computer.

1. On the Paris computer, create a new Web listener (if this is not done already).
Name: External Web 80
SSL: disable
Network: External
Compression: disable
Authentication: none
a. On the Paris computer, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management. The ISA Server console opens.
b. In the ISA Server console, expand Paris, and then select Firewall Policy.
c. In the task pane, on the Toolbox tab, in the Network Objects section, expand Web Listeners (if possible).
Note: If a Web Listener named External Web 80 was already created in an earlier exercise, you can skip the rest of this task.
d. If a Web Listener named External Web 80 does not exist, right-click Web Listeners, and then click New Web Listener.
e. In the New Web Listener Definition Wizard dialog box, in the Web listener name text box, type External Web 80, and then click Next.
f. On the Client Connection Security page, select Do not require SSL secured connections with clients, and then click Next.
g. On the Web Listener IP Addresses page, complete the following information:
Listen on network: External
ISA Server will compress content: disable
and then click Next.
h. On the Authentication Settings page, in the drop-down list box, select No Authentication, and then click Next.
i. On the Single Sign On Settings page, click Next.
j. On the Completing the New Web Listener Wizard page, click Finish.
A new Web listener (port 80 on the IP address of the adapter on the External network) named External Web 80 is created.

2. Create a new Server Farm network element.
Name: Shop Web Servers
Addresses: 10.1.1.21, 10.1.1.22
Monitoring: http://*/
a. In the task pane, on the Toolbox tab, in the Network Objects section, right-click Server Farms, and then click New Server Farm. The New Server Farm Definition Wizard opens.
b. In the New Server Farm Definition Wizard dialog box, in the Server farm name text box, type Shop Web Servers, and then click Next.
c. On the Servers page, click Add.
d. In the Server Details dialog box, complete the following information:
Computer name or IP address: 10.1.1.21
Description: Shopping Web Server 1
and then click OK.
e. On the Servers page, click Add again.
f. In the Server Details dialog box, complete the following information:
Computer name or IP address: 10.1.1.22
Description: Shopping Web Server 2
and then click OK.
Note: The Denver computer runs two Web sites, at the addresses 10.1.1.21 and 10.1.1.22.
g. On the Servers page, click Next.
h. On the Server Farm Connectivity Monitoring page, complete the following information:
Send an HTTP/HTTPS GET request: enable (is default)
Current URL: http://*/ (is default)
and then click Next.
ISA Server will monitor the connectivity to the servers in the Shop Web Servers farm by connecting to each of the Web servers (using GET http://10.1.1.21/ and GET http://10.1.1.22/) every 30 seconds.
i. On the Completing the New Server Farm Wizard page, click Finish.
j. In the HTTP Connectivity Verification dialog box, click Yes to confirm that you want the connectivity verifiers system policy to be enabled. The wizard enables system policy rule 19, which allows the HTTP GET requests from the ISA Server computer to the Web servers in the Shop Web Servers farm.

3. Create a new Web publishing rule.
Name: Sales Web Site
Type: Publish server farm
Internal name: store.contoso.com/shop
Server farm: Shop Web Servers
Load balance mechanism: Cookie-based
Public name: www.contoso.com/shop
Web listener: External Web 80
Delegation: none
a. In the right pane, select the first rule, or select the Default rule if no other rule exists, to indicate where the new rule is added to the rule list.
b. In the task pane, on the Tasks tab, click Publish Web Sites.
c. In the New Publishing Rule Wizard dialog box, in the Web publishing rule name text box, type Sales Web Site, and then click Next.
d. On the Select Rule Action page, select Allow, and then click Next.
The Publishing Type page has three choices:
Publish a single Web site - You create a single rule for a single Web site.
Publish a server farm - You create a single rule for multiple Web sites with identical content. ISA Server load balances requests among them.
Publish multiple Web sites - You create a separate rule for each published Web site with only a single run of the wizard.
e. On the Publishing Type page, select Publish a server farm of load balanced Web servers, and then click Next.
f. On the Server Connection Security page, select Use non-secured connections to connect to the published Web server or server farm, and then click Next.
g. On the Internal Publishing Details page, in the Internal site name text box, type store.contoso.com, and then click Next.
Note: When you publish a server farm, ISA Server does not use the internal site name (store.contoso.com) to find the published servers. Instead, later in the wizard you specify the Server Farm network element, which lists the addresses of the servers in the farm. The internal site name is used as the Host header when connecting to the farm servers, and in the automatic Link Translation mappings.
h. On the next Internal Publishing Details page, complete the following information:
Path: shop/*
Forward the original host header: disable (default)
and then click Next.
i. On the Specify Server Farm page, complete the following information:
Select the server farm (drop-down list box): Shop Web Servers
Cookie-based Load Balancing: enable (is default)
and then click Next.
ISA Server can use two different methods to load balance requests to the servers in the farm:
Cookie-based Load Balancing - ISA Server uses round-robin to distribute new sessions to the Web servers. It sends a temporary session cookie to each client that connects, so that the client's session affinity to the selected Web server is maintained.
Source-IP based Load Balancing - ISA Server uses a hash value of the client's IP address to select the Web server. All requests from the same client IP address go to the same Web server.
Note: For load balancing Outlook Web Access or SharePoint access, both of which are used through Internet Explorer, Cookie-based Load Balancing is the recommended solution. For load balancing Outlook RPC over HTTP access, you need to use Source-IP based Load Balancing, because Outlook does not handle HTTP cookies.
j. On the Public Name Details page, complete the following information:
Accept requests for: This domain name (type below)
Public name: www.contoso.com
Path (optional): /shop/* (automatic)
and then click Next.
k. On the Select Web Listener page, in the Web listener drop-down list box, select External Web 80, and then click Next.
l. On the Authentication Delegation page, in the drop-down list box, select No delegation, and client cannot authenticate directly, and then click Next.
m. On the User Sets page, click Next.
n. On the Completing the New Web Publishing Rule Wizard page, click Finish.
A new Web publishing rule named Sales Web Site is created. The icon with the four small servers indicates that this rule publishes a server farm.

4. Apply the changes.
a. Click Apply to apply the changes, and then click OK.

5. Examine the connectivity verifiers for the Shop Web Servers farm.
a. In the ISA Server console, in the left pane, select Monitoring.
b. In the right pane, select the Connectivity Verifiers tab.

Note: You may (temporarily) need to close the task pane in order to see the Connectivity Verifiers tab.
c. Right-click the first Farm: Shop Web Servers connectivity verifier, and then click Properties.
d. In the Farm: Shop Web Servers Properties dialog box, select the Connectivity Verification tab.
Every 30 seconds, ISA Server connects to the published Web servers (using GET http://10.1.1.21/ and GET http://10.1.1.22/). If the Web server responds with HTTP status 200 (OK) within 5 seconds, ISA Server considers the Web server available and load balances requests to it.
Note: For the GET http://*/ request to succeed, the Web server must accept anonymous access to the root, and must have a default document available. Otherwise, the connectivity verifier fails.
e. Click Cancel to close the Farm: Shop Web Servers Properties dialog box.
When the Web servers are available, the connectivity verifier icon contains a green check mark, and the Result column displays the observed response time.

Perform the following steps on the Istanbul computer.

6. On the Istanbul computer, use Internet Explorer to connect to http://www.contoso.com/shop/web.asp.
a. On the Istanbul computer, open Internet Explorer. In the Address box, type http://www.contoso.com/shop/web.asp, and then press Enter. Internet Explorer displays the web.asp page from Web server 10.1.1.21 (Server1). The client did not include a cookie in the Web request.
Note: Due to the round-robin nature of Cookie-based Load Balancing, and depending on earlier Web requests that you may have made, it is possible that the Web page in this task is returned from 10.1.1.22. In that case, close the Internet Explorer window, and connect to the Web address again.
b. On the toolbar, click the Refresh button to refresh the content of the Web page. The same Web server handles the Web request. For the second and subsequent requests, the client includes the session cookie (starting with ISAWPLB) that it received in the response to the first request. The cookie value contains a Globally Unique Identifier (GUID) that ISA Server uses to identify which Web server it should send the Web request to. This ensures session affinity with the same Web server. (ISAWPLB stands for ISA Web Publishing Load Balancing.)
Note: In the response, ISA Server also forwards an ASP Session cookie from the Web server to the client computer.

7. Create two new Internet Explorer sessions, and connect to http://www.contoso.com/shop/web.asp.
a. On the Start menu, click All Programs, and then click Internet Explorer. A second Internet Explorer window opens.
b. In Internet Explorer, in the Address box, type http://www.contoso.com/shop/web.asp, and then press Enter. The new Web request does not contain a session cookie. Therefore ISA Server forwards the request to the other Web server, 10.1.1.22 (Server2), and includes a new cookie in the response.
c. On the toolbar, click the Refresh button to refresh the content of the Web page. The second Internet Explorer session uses a different cookie.
d. On the Start menu, click All Programs, and then click Internet Explorer again. A third Internet Explorer window opens.
e. In Internet Explorer, in the Address box, type http://www.contoso.com/shop/web.asp, and then press Enter. ISA Server load balances the third session to Web server 10.1.1.21 (Server1) again.

Perform the following steps on the Denver computer.

8. On the Denver computer, stop the Server1 Web Site to simulate a connectivity problem with the Web server on 10.1.1.21.
a. On the Denver computer, on the Start menu, click Administrative Tools, and then click Internet Information Services (IIS) Manager. The IIS Manager console opens.
b. In the IIS Manager console, expand DENVER (local computer), expand Web Sites, and then select Server1 Web Site.
c. Right-click Server1 Web Site, and then click Properties.
d. Notice that Server1 Web Site is listening on IP address 10.1.1.21. Click Cancel to close the Server1 Web Site Properties dialog box.
e. Right-click Server1 Web Site, and then click Stop. The Web site at 10.1.1.21 no longer responds to Web requests.

Perform the following steps on the Istanbul computer.

9. On the Istanbul computer, attempt to refresh the content of the Web pages that came from 10.1.1.21 (Server1).
a. On the Istanbul computer, switch to one of the Internet Explorer windows that currently displays the web.asp page from 10.1.1.21 (Server1).
b. On the toolbar, click the Refresh button to refresh the content of the Web page. Internet Explorer displays an error message: Bad request (invalid hostname).
c. Wait 20 seconds, and then on the toolbar, click the Refresh button again. Internet Explorer displays the web.asp page from 10.1.1.22 (Server2). ISA Server has forwarded the Web request to the remaining Web server in the farm.
Note: Because ISA Server checks the connectivity to the 10.1.1.21 Web server every 30 seconds, and then waits up to another 5 seconds for the response timeout, it takes on average 15+5 seconds after the Web server becomes unavailable before ISA Server forwards all Web requests to the other Web server. Due to the way http.sys works on the Denver computer, a connection to 10.1.1.21 still returned a response (Bad request) instead of failing; because that response is not HTTP status 200, the connectivity verifier nevertheless marks the Web server as unavailable.
d. Switch to the other Internet Explorer window that displays the web.asp page from 10.1.1.21 (Server1).
e. On the toolbar, click the Refresh button. Internet Explorer immediately displays the web.asp page from 10.1.1.22 (Server2).

Perform the following steps on the Paris computer.

10. On the Paris computer, examine the connectivity verifier and the alert for the connection to 10.1.1.21.
a. On the Paris computer, in the ISA Server console, in the left pane, select Monitoring.
b. In the right pane, select the Connectivity Verifiers tab. Notice that the icon for the connectivity verifier to 10.1.1.21 contains a red mark, indicating a connectivity issue.
c. In the right pane, select the Alerts tab.
d. In the task pane, on the Tasks tab, click Refresh Now.
e. In the right pane, expand the No Connectivity alert, and then select the lower No Connectivity line. The alert information describes that the connection to 10.1.1.21 failed.
f. Right-click the lower No Connectivity line, and then click Reset.
g. Click Yes to confirm that you want to reset the No Connectivity alert.

Perform the following steps on the Denver computer.

11. On the Denver computer, start the Server1 Web Site.
a. On the Denver computer, in the IIS Manager console, right-click Server1 Web Site, and then click Start. The Web site at 10.1.1.21 is available again.

Perform the following steps on the Istanbul computer.

12. On the Istanbul computer, refresh the Web page from 10.1.1.22, and create a new connection to http://www.contoso.com/shop/web.asp.
a. On the Istanbul computer, switch to any of the Internet Explorer windows that currently displays the web.asp page from 10.1.1.22 (Server2).
b. On the toolbar, click the Refresh button to refresh the content of the Web page. ISA Server continues to forward the Web requests to 10.1.1.22 (Server2), even though 10.1.1.21 is available again. All current sessions already carry a cookie that contains the GUID of Server2, and they stay on that Web server. This is referred to as client stickiness.
c. On the Start menu, click All Programs, and then click Internet Explorer. A new Internet Explorer session opens.
d. Wait 20 seconds, and then in Internet Explorer, in the Address box, type http://www.contoso.com/shop/web.asp, and press Enter. Internet Explorer displays the web.asp page from 10.1.1.21 (Server1). ISA Server load balances all new sessions across both Web servers again.
Note: It may take 30+5 seconds before ISA Server detects that the Web server at 10.1.1.21 is available again. If the web.asp page is returned from 10.1.1.22, close the Internet Explorer window, wait a few seconds, and try again.
e. Close all Internet Explorer windows.

Perform the following steps on the Paris computer.

13. On the Paris computer, change the load balancing mechanism for the Sales Web Site rule to Source-IP based.
a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
b. In the right pane, right-click the Sales Web Site rule, and then click Properties.
c. In the Sales Web Site Properties dialog box, on the Web Farm tab, in the Load Balancing Mechanism section, select Source-IP based. ISA Server will no longer send cookies to manage load balancing of Web requests, but will use a hash of the source IP address instead.
d. Click OK to close the Sales Web Site Properties dialog box.

14. Apply the changes.
a. Click Apply to apply the changes, and then click OK.

Perform the following steps on the Istanbul computer.

15. On the Istanbul computer, create two new Internet Explorer sessions, and connect to http://www.contoso.com/shop/web.asp.
a. On the Istanbul computer, on the Start menu, click All Programs, and then click Internet Explorer.
b. In Internet Explorer, in the Address box, type http://www.contoso.com/shop/web.asp, and then press Enter. Internet Explorer displays the web.asp page from Web server 10.1.1.22 (Server2).
c. On the toolbar, click the Refresh button to refresh the content of the Web page. In the response to the first Web request, ISA Server did not include an ISAWPLB cookie, but only forwarded the ASP Session cookie that the Web server provides.
d. On the Start menu, click All Programs, and then click Internet Explorer. A second Internet Explorer window opens.
e. In Internet Explorer, in the Address box, type http://www.contoso.com/shop/web.asp, and then press Enter. The new Web request is also handled by the same Web server, 10.1.1.22 (Server2). Unlike cookie-based load balancing, ISA Server does not round-robin the Web requests between the Web servers, but uses the hash of the client IP address (39.1.1.7). All Web requests from the Istanbul computer go to the same Web server.

Perform the following steps on the Denver computer.

16. On the Denver computer, stop the Server2 Web Site to simulate a connectivity problem with the Web server on 10.1.1.22.
a. On the Denver computer, in the IIS Manager console, right-click Server2 Web Site, and then click Stop. The Web site at 10.1.1.22 no longer responds to Web requests.

Perform the following steps on the Istanbul computer.

17. On the Istanbul computer, attempt to refresh the content of the Web page that came from 10.1.1.22 (Server2).
a. On the Istanbul computer, switch to one of the Internet Explorer windows that currently displays the web.asp page from 10.1.1.22 (Server2).
b. On the toolbar, click the Refresh button to refresh the content of the Web page. Internet Explorer displays an error message: Bad request (invalid hostname).
c. Wait 20 seconds, and then on the toolbar, click the Refresh button again. Internet Explorer displays the web.asp page from 10.1.1.21 (Server1). ISA Server has forwarded the Web request to the remaining Web server in the farm.

Perform the following steps on the Denver computer.

18. On the Denver computer, start the Server2 Web Site.
a. On the Denver computer, in the IIS Manager console, right-click Server2 Web Site, and then click Start. The Web site at 10.1.1.22 is available again.
b. Close the IIS Manager console.

Perform the following steps on the Istanbul computer.

19. On the Istanbul computer, attempt to refresh the content of the Web page that came from 10.1.1.21 (Server1).
a. On the Istanbul computer, switch to the Internet Explorer window that currently displays the web.asp page from 10.1.1.21 (Server1).
b. On the toolbar, click the Refresh button to refresh the content of the Web page. ISA Server may still forward the Web request to 10.1.1.21. After an average of 20 seconds, the connectivity verifier on ISA Server detects that Web server 10.1.1.22 is available again.
c. Wait 20 seconds, and then on the toolbar, click the Refresh button again. Internet Explorer displays the web.asp page from 10.1.1.22 (Server2).
Note: With cookie-based load balancing, ISA Server continues to forward the requests of an existing session to the same Web server after the original Web server is available again (client stickiness). With source-IP based load balancing, ISA Server falls back to forwarding the Web requests to the original Web server as soon as it is available again. There is no client stickiness.
d. Close all Internet Explorer windows.

Note: The following tasks are needed to avoid conflicts with other lab exercises.

Perform the following steps on the Paris computer.

20. On the Paris computer, delete the Sales Web Site rule, and delete the Shop Web Servers farm.
a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
b. In the right pane, right-click the Sales Web Site rule, and then click Delete.
c. Click Yes to confirm that you want to delete Sales Web Site. The Sales Web Site rule is deleted.
d. In the task pane, on the Toolbox tab, in the Network Objects section, expand Server Farms.
e. Under Server Farms, right-click Shop Web Servers, and then click Delete.
f. Click Yes to confirm that you want to delete Shop Web Servers. The Shop Web Servers farm and the two related connectivity verifiers are deleted.

21. Apply the changes.
a. Click Apply to apply the changes, and then click OK.
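The two load balancing mechanisms and the failover behaviour exercised above, as an added example that is not part of the lab manual or of ISA Server's own code: a small Python model of the Shop Web Servers farm. The cookie name ISAWPLB, the 5-second verifier timeout, the HTTP 200 requirement, the stopped site answering 400 (Bad request) and the stickiness differences come from the exercise. The use of one fixed GUID per farm member, SHA-256 as the source-IP hash, and hashing over the currently available members only are assumptions made for the model; ISA Server's actual hash function and GUID scheme are not documented here.

```python
"""Model of ISA Server 2006 web-farm load balancing (added example, not ISA Server code)."""
import hashlib
import uuid

COOKIE_NAME = "ISAWPLB"   # session cookie name seen in the lab (ISA Web Publishing Load Balancing)
VERIFY_TIMEOUT = 5        # seconds: a member must answer GET http://<server>/ with 200 within this


class WebFarm:
    """Routes requests to farm members; mechanism is "cookie" or "source-ip"."""

    def __init__(self, servers, mechanism="cookie"):
        self.servers = list(servers)
        self.mechanism = mechanism
        self.available = {s: True for s in self.servers}
        # Assumption: the cookie carries a GUID that names the chosen member;
        # here each member gets one fixed GUID for the life of the farm.
        self.server_to_guid = {s: str(uuid.uuid4()) for s in self.servers}
        self.guid_to_server = {g: s for s, g in self.server_to_guid.items()}
        self._round_robin = 0

    def verify(self, probe_results):
        """Apply one round of connectivity-verifier results.

        probe_results maps server -> (http_status, elapsed_seconds) for GET http://<server>/.
        Anything other than 200 within VERIFY_TIMEOUT (e.g. http.sys answering 400
        "Bad request (invalid hostname)" for a stopped site) marks the member unavailable.
        """
        for server, (status, elapsed) in probe_results.items():
            self.available[server] = status == 200 and elapsed <= VERIFY_TIMEOUT

    def healthy_servers(self):
        return [s for s in self.servers if self.available[s]]

    def route(self, client_ip, cookies=None):
        """Return (server, cookie_to_set); cookie_to_set is None when no cookie is issued."""
        healthy = self.healthy_servers()
        if not healthy:
            raise RuntimeError("no farm member available")
        cookies = cookies or {}

        if self.mechanism == "cookie":
            sticky = self.guid_to_server.get(cookies.get(COOKIE_NAME))
            if sticky is not None and self.available[sticky]:
                # Client stickiness: an existing session stays on its member,
                # even after a previously failed member is back.
                return sticky, None
            # No usable cookie: round-robin over the members that are up.
            target = healthy[self._round_robin % len(healthy)]
            self._round_robin += 1
            return target, {COOKIE_NAME: self.server_to_guid[target]}

        if self.mechanism == "source-ip":
            # Assumption: hash over the members that are up, so the client
            # falls back to its original member as soon as it is up again.
            digest = hashlib.sha256(client_ip.encode("ascii")).digest()
            index = int.from_bytes(digest[:4], "big") % len(healthy)
            return healthy[index], None

        raise ValueError(f"unknown mechanism {self.mechanism!r}")


def simulate_lab():
    """Replay the cookie-based part of the exercise: session, Server1 stopped, Server1 started."""
    farm = WebFarm(["10.1.1.21", "10.1.1.22"], mechanism="cookie")
    client = "39.1.1.7"                        # Istanbul's address in the lab
    first, cookie = farm.route(client)         # no cookie yet -> round-robin
    refreshed, _ = farm.route(client, cookie)  # refresh carries the cookie -> same member
    # Server1 stopped: http.sys still answers, but with 400, so the verifier fails it.
    farm.verify({"10.1.1.21": (400, 0.1), "10.1.1.22": (200, 0.1)})
    failover, new_cookie = farm.route(client, cookie)
    farm.verify({"10.1.1.21": (200, 0.1), "10.1.1.22": (200, 0.1)})
    after_recovery, _ = farm.route(client, new_cookie)
    return first, refreshed, failover, after_recovery


if __name__ == "__main__":
    print(simulate_lab())
```

simulate_lab() returns the member that served each of the four requests: Server1, Server1 again on refresh, Server2 after the failover, and still Server2 after Server1 is back (the sticky session). Switching the mechanism to "source-ip" and repeating the stop/start sequence shows the opposite: no cookie is issued, and the client returns to its original member once that member passes the verifier again.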


Exercise 4 Configuring ISA Server 2006 for Flood Resiliency


In this exercise, you will configure ISA Server to block a large number of TCP connections from the same IP address. Note: This exercise applies to new functionality in ISA Server 2006.

Note: This lab exercise uses the following computers: Denver - Paris - Istanbul. Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.

Perform the following steps on the Paris computer.

1. On the Paris computer, examine the flood mitigation settings.
a. On the Paris computer, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management. The ISA Server console opens.
b. In the ISA Server console, in the left pane, expand Paris, expand Configuration, and then select General.
c. In the right pane, under Additional Security Policy, click Configure Flood Mitigation Settings.
ISA Server 2006 can help stop the flooding of connections caused by three different kinds of attack:
Worm propagation - A computer on the Internal network starts sending network packets to many different IP addresses on the Internet.
TCP denial-of-service attack - An attacker sends TCP packets in order to use up all the resources of the firewall, or of a server behind the firewall.
HTTP denial-of-service attack - A computer on the Internal network sends a very large number of HTTP requests over the same connection.
In all these cases, the Firewall Engine component of ISA Server limits the number of connections, connection requests, and half-open connections per minute, or per rule, from a particular IP address.
d. In the Flood Mitigation dialog box, on the Flood Mitigation tab, click the second Edit button. As an example of a limit, ISA Server allows a maximum of 160 concurrent TCP connections from the same IP address. There is also a custom limit (400) that applies to a set of exception IP addresses.
e. Click Cancel to close the Flood Mitigation Settings dialog box.
f. In the Flood Mitigation dialog box, select the IP Exceptions tab. Here you specify the IP addresses of the computers to which the custom limit applies.

2. Disable the logging of network traffic blocked by flood mitigation settings.
a. In the Flood Mitigation dialog box, select the Flood Mitigation tab.
b. Clear the Log traffic blocked by flood mitigation settings check box. To avoid overwhelming the log file with identical block entries after the flood mitigation settings have blocked an attack, you can disable the logging of those blocked network connections.
c. Click OK to close the Flood Mitigation dialog box.

3. Create a new access rule.
Name: Allow Web access (Flood)
Applies to: HTTP
From network: Internal
To network: External
a. In the left pane, select Firewall Policy.
b. In the right pane, select the first rule, or select the Default rule if no other rule exists, to indicate where the new rule is added to the rule list.
c. In the task pane, on the Tasks tab, click Create Access Rule.
d. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow Web access (Flood), and then click Next.
e. On the Rule Action page, select Allow, and then click Next.
f. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.
g. In the Add Protocols dialog box, click Common Protocols, click HTTP, click Add, and then click Close to close the Add Protocols dialog box.
h. On the Protocols page, click Next.
i. On the Access Rule Sources page, click Add.
j. In the Add Network Entities dialog box, click Networks, click Internal, click Add, and then click Close to close the Add Network Entities dialog box.
k. On the Access Rule Sources page, click Next.
l. On the Access Rule Destinations page, click Add.
m. In the Add Network Entities dialog box, click Networks, click External, click Add, and then click Close to close the Add Network Entities dialog box.
n. On the Access Rule Destinations page, click Next.
o. On the User Sets page, click Next.
p. On the Completing the New Access Rule Wizard page, click Finish.
A new firewall policy rule is created that allows the HTTP protocol from the Internal network to the External network.

4. Apply the changes.
a. Click Apply to apply the changes, and then click OK.

Perform the following steps on the Denver computer.

5. On the Denver computer, configure Internet Explorer not to use a proxy server.
a. On the Denver computer, open Internet Explorer.
b. In Internet Explorer, on the Tools menu, click Internet Options.
c. In the Internet Options dialog box, on the Connections tab, click LAN Settings.
d. In the Local Area Network (LAN) Settings dialog box, clear the Use a proxy server for your LAN check box, and then click OK. When Internet Explorer is configured to use a proxy server, all HTTP requests to the ISA Server computer share the same connection to the Web Proxy TCP port 8080. In this exercise, you use two Internet Explorer windows, which should count as two separate connections.
e. Click OK to close the Internet Options dialog box.

6. Use Internet Explorer to connect to http://istanbul.fabrikam.com/web.asp.
a. In Internet Explorer, in the Address bar, type http://istanbul.fabrikam.com/web.asp, and then press Enter. Internet Explorer displays the content of the web.asp page from Istanbul. This is a single TCP connection from the Denver computer.
b. Do not close Internet Explorer.

7. Use the C:\Tools\tcpflooder.vbs tool to create 200 concurrent TCP connections.
a. Use Windows Explorer (or My Computer) to open the C:\Tools folder. The Tools folder contains a script named tcpflooder.vbs, which attempts to set up 200 connections to the IP addresses 42.1.0.0 through 42.1.19.9.
Note: By default, ISA Server allows a maximum of 160 concurrent TCP connections from the same IP address.
b. Right-click tcpflooder.vbs, and then click Open.
c. Click Yes to confirm that you want to start TCP Flooder. Wait 10 seconds while TCP Flooder attempts to set up the 200 TCP connections.
Note: The IP addresses on the 42.1.0.0 network do not exist in the lab environment, but Denver will still set up a maximum of 160 TCP connections through ISA Server. ISA Server blocks the remaining 40 TCP connections.
d. Click OK to acknowledge the message that 200 TCP connections have been created (ISA Server has in fact admitted at most 160 of them).
e. Close the Tools folder.

8. In Internet Explorer, refresh the existing Web page, and attempt to create a second connection to http://istanbul.fabrikam.com/web.asp.
a. In the Internet Explorer window, on the toolbar, click the Refresh button. If the Internet Explorer connection has not timed out yet, the Server time on the Web page changes, which indicates that the page refreshed successfully. Even though ISA Server now blocks new connections from Denver (10.1.1.5), existing connections, such as the one used by the Internet Explorer window, can still be used.
b. On the Start menu, click All Programs, and then click Internet Explorer. A second Internet Explorer window opens.
c. In Internet Explorer, in the Address box, type http://istanbul.fabrikam.com/web.asp, and then press Enter. ISA Server blocks new connections from 10.1.1.5. After a few moments, Internet Explorer displays an error page to indicate that it cannot display the page.
d. Close the Internet Explorer windows.


Note: ISA Server blocks traffic based on the flood mitigation settings for 60 seconds. To avoid the situation where an attacker uses a large number of network packets with a spoofed source IP address to intentionally get another computer blocked, ISA Server first completes a TCP three-way handshake to verify that the source IP address is not spoofed.

Perform the following steps on the Paris computer.

9. On the Paris computer, examine the flooding alert.
a. On the Paris computer, in the ISA Server console, in the left pane, select Monitoring.
b. In the right pane, select the Alerts tab.
c. In the task pane, on the Tasks tab, click Refresh Now.
d. In the alert list, expand the Concurrent TCP Connections from One IP Address Limit Exceeded alert, and then select the alert line below it. Notice in the Alert Information description that ISA Server identifies which IP address (10.1.1.5) exceeded the configured limit of concurrent TCP connections. This information allows you to investigate the cause of the high number of connection attempts further.

10. Configure the log viewer filter conditions:
Log Time: Last Hour
Client IP: Equals 10.1.1.5
Destination IP: Greater or Equal 42.1.0.0
a. In the right pane, select the Logging tab.
Note: You may (temporarily) need to close the task pane in order to see the Logging tab.
b. In the task pane, on the Tasks tab, click Edit Filter.
c. In the Edit Filter dialog box, in the conditions list, select the Log Time - Live condition.
d. In the Condition drop-down list box, select Last Hour, and then click Update. The condition is changed to Log Time - Last Hour.
e. Complete the following information:
Filter by: Client IP
Condition: Equals
Value: 10.1.1.5
and then click Add To List.
f. Complete the following information:
Filter by: Destination IP
Condition: Greater or Equal
Value: 42.1.0.0
and then click Add To List.
g. Click Start Query to close the Edit Filter dialog box. After a few moments, the log viewer displays all log entries from 10.1.1.5 to the 42.1.0.0 network from the last hour. The most recent log entry is listed first.
h. Scroll to the top of the list of log entries. Notice that the most recent log entry is for a connection to an IP address close to 42.1.15.9, which corresponds to exactly 160 concurrent TCP connections (the flooder starts at 42.1.0.0 and uses ten addresses per third octet). The last IP address may be a little lower if ISA Server already had existing connections from Denver (such as the Internet Explorer connection), or a little higher if ISA Server had already closed a few TCP connections. To avoid overwhelming the log file with identical block entries, you configured Flood Mitigation not to log traffic blocked by the flood mitigation settings (the connections to the IP addresses from about 42.1.16.0 through 42.1.19.9), so those blocked attempts do not appear in the log.

Note: The following tasks are needed to avoid conflicts with other lab exercises.

11. Restore the log viewer filter conditions:
Log Time: Live
Client IP: (remove)
Destination IP: (remove)
a. In the task pane, on the Tasks tab, click Edit Filter.
b. In the Edit Filter dialog box, in the conditions list, select Log Time - Last Hour.
c. In the Condition drop-down list box, select Live, and then click Update. The condition is changed to Log Time - Live.
d. In the conditions list, select the Destination IP condition, and then click Remove.
e. In the conditions list, select the Client IP condition, and then click Remove.
f. Click Start Query to close the dialog box.
g. In the task pane, on the Tasks tab, click Stop Query.

Perform the following steps on the Denver computer.

12. On the Denver computer, configure Internet Explorer to use a proxy server.
a. On the Denver computer, open Internet Explorer.
b. In Internet Explorer, on the Tools menu, click Internet Options.
c. In the Internet Options dialog box, on the Connections tab, click LAN Settings.
d. In the Local Area Network (LAN) Settings dialog box, complete the following information:
Use a proxy server for your LAN: enable
Address: 10.1.1.1
Port: 8080
Bypass proxy server for local addresses: enable
and then click OK to close the Local Area Network (LAN) Settings dialog box.
e. Click OK to close the Internet Options dialog box.
f. Close Internet Explorer.
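The flood mitigation behaviour of this exercise (the default limit of 160 concurrent TCP connections per IP address, the custom limit of 400 for IP exceptions, the 60-second block, the completed three-way handshake as the point at which a connection is counted, the fact that existing connections keep working, and the log viewer query of task 10), as an added example that is not part of the lab manual or of ISA Server's own code: a Python model that replays the tcpflooder.vbs run and then runs the same filter over its log. The action names "Initiated Connection" and "Denied Connection", the simple numeric clock, and the assumption that the flooder walks 42.1.0.0 through 42.1.19.9 with ten hosts per third octet are constructed for the model.

```python
"""Model of ISA Server 2006 flood mitigation and the log-viewer query (added example, not ISA Server code)."""
import ipaddress
from dataclasses import dataclass, field

DEFAULT_LIMIT = 160    # concurrent TCP connections allowed from one IP address
CUSTOM_LIMIT = 400     # limit for addresses listed on the IP Exceptions tab
BLOCK_SECONDS = 60     # how long new connections from an offending address are refused
ALERT_LIMIT_EXCEEDED = "Concurrent TCP Connections from One IP Address Limit Exceeded"


@dataclass
class LogEntry:
    time: float        # seconds on a simple model clock (constructed, not ISA's log format)
    client_ip: str
    dest_ip: str
    action: str        # "Initiated Connection" or "Denied Connection"


@dataclass
class FloodMitigation:
    ip_exceptions: set = field(default_factory=set)
    log_blocked: bool = True                             # "Log traffic blocked by flood mitigation settings"
    established: dict = field(default_factory=dict)      # conn_id -> client_ip, past the 3-way handshake
    blocked_until: dict = field(default_factory=dict)    # client_ip -> time the block expires
    log: list = field(default_factory=list)
    alerts: list = field(default_factory=list)

    def limit_for(self, client_ip):
        return CUSTOM_LIMIT if client_ip in self.ip_exceptions else DEFAULT_LIMIT

    def connections_from(self, client_ip):
        return sum(1 for ip in self.established.values() if ip == client_ip)

    def connect(self, now, client_ip, conn_id, dest_ip, handshake_completed=True):
        """Admit or refuse a new TCP connection; returns True if admitted."""
        if not handshake_completed:
            # A SYN with a spoofed source never completes the handshake, so it is
            # neither counted against that address nor able to get it blocked.
            return False
        blocked = self.blocked_until.get(client_ip, 0) > now
        over_limit = self.connections_from(client_ip) >= self.limit_for(client_ip)
        if blocked or over_limit:
            if over_limit and not blocked:
                self.blocked_until[client_ip] = now + BLOCK_SECONDS
                self.alerts.append((ALERT_LIMIT_EXCEEDED, client_ip))
            if self.log_blocked:
                self.log.append(LogEntry(now, client_ip, dest_ip, "Denied Connection"))
            return False
        self.established[conn_id] = client_ip
        self.log.append(LogEntry(now, client_ip, dest_ip, "Initiated Connection"))
        return True

    def send(self, conn_id):
        """Traffic on an already established connection is unaffected by a block."""
        return conn_id in self.established

    def close(self, conn_id):
        self.established.pop(conn_id, None)


def query_log(log, now, client_ip, dest_ip_at_least, window_seconds=3600):
    """The lab's filter: Log Time = Last Hour, Client IP = client_ip,
    Destination IP >= dest_ip_at_least; most recent entry first."""
    floor = ipaddress.ip_address(dest_ip_at_least)
    hits = [e for e in log
            if now - e.time <= window_seconds
            and e.client_ip == client_ip
            and ipaddress.ip_address(e.dest_ip) >= floor]
    return sorted(hits, key=lambda e: e.time, reverse=True)


def flooder_targets(count=200):
    """Assumed target list of tcpflooder.vbs: 42.1.0.0 through 42.1.19.9, ten hosts per third octet."""
    return [f"42.1.{i // 10}.{i % 10}" for i in range(count)]


def simulate_lab(log_blocked=False):
    """Replay the exercise: one Internet Explorer connection, then 200 flooder connections from Denver."""
    fm = FloodMitigation(log_blocked=log_blocked)
    denver = "10.1.1.5"
    fm.connect(0, denver, "ie-1", "39.1.1.7")                 # the web.asp page from Istanbul
    admitted = sum(fm.connect(1 + i * 0.01, denver, f"flood-{i}", dest)
                   for i, dest in enumerate(flooder_targets()))
    refresh_ok = fm.send("ie-1")                              # existing connection still works
    second_ie = fm.connect(5, denver, "ie-2", "39.1.1.7")     # new connection is refused
    newest = query_log(fm.log, now=5, client_ip=denver, dest_ip_at_least="42.1.0.0")[0]
    return admitted, refresh_ok, second_ie, newest.dest_ip


if __name__ == "__main__":
    print(simulate_lab())
```

With logging of blocked traffic disabled, as in task 2, simulate_lab() admits 159 flooder connections (the Internet Explorer connection already occupies one of the 160), the refresh on the existing connection succeeds, the second Internet Explorer connection is refused, and the newest matching log entry is the connection to 42.1.15.8, one below the 42.1.15.9 the manual quotes for a completely idle client. Re-run it with log_blocked=True and the newest entry becomes the denied attempt to 42.1.19.9, which is exactly the noise the lab turns off.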
