
BEST ISA SERVER CONFIGURATION FOR A CABLE NET OPERATOR

Install Windows 2000 Server or Advanced Server and install the following too:

1. Internet Explorer 6 SP1 or later.
2. Service Pack 4 or later.
3. Updated antivirus (Norton Antivirus Corporate Edition recommended because it is light and effective).
4. Update Windows with all critical updates.
5. Install a third-party firewall (Sygate Personal Firewall Pro recommended because it has the functionality to block communication on a MAC address basis and is an effective firewall). I recommend this step for advanced users only, as a wrong configuration leads to services not working.
6. Install a bandwidth monitor like DU Meter or configure MRTG for your Internet connection (I have both).

As ISA Server can be installed on a domain controller as well as on a standalone PC, here is the first tip for a LAN administrator: don't use a domain unless you want to run logon scripts on user accounts (you will save a lot of resources by installing ISA Server on a standalone server). Installing ISA Server is not discussed here, but for those who can't do that either, just press Next, Next till you finish the setup. When setup ends it will start the wizard for ISA Server configuration; just press the Finish button without configuring through the wizard. After that go to the toolbar, click on View and select Advanced (doing this will change the GUI on the right side of ISA Server Management).

I have created/edited some scripts to make configuration of ISA Server much easier and faster, thanks to people like Jim Harrison and others on www.toolzz.com. I'm uploading these scripts too, but if you want to download them then go to http://207.226.41.252:83/scripts.zip. These scripts are as follows:

1. Create Content Group (to make a complete content group for download blocking).
2. Set Application Settings (to block KaZaA-type applications, multi-MSN and some spyware applications which waste bandwidth).
3. Java Sites (to make a destination set for some always-allowed downloading destinations like web SMS sites, Yahoo games and chat rooms).
4. Mail Sites (to make a destination set for some sites not to cache, to guarantee the freshness of their content).
5. Enable Routing (to make cache responses faster in peak hours).
6. Disable Routing (to go back to normal and keep cache contents fresh).

Close ISA Server Management and run the top four scripts (Create Content Group, Set Application Settings, Java Sites and Mail Sites). Now open ISA Management again and do these quick steps:

1. Go to Access Policy, expand it, right click on Protocol Rules and select New then Rule... A new protocol rule wizard will start; name it ALLOW ALL and press Next, Next till the wizard ends. Now right click on Site and Content Rules and select New Rule and name it ALLOW ALL (if there is any previous rule, remove it), then press Next, tick Allow and press Next, Next till the wizard ends. Now right click on IP Packet Filters and select Properties; a new window will open. Remove the check from Enable Packet Filtering, press Apply and then OK.
2. Under Servers and Arrays you will see your server name; right click on it and select Properties. Go to Outgoing Web Requests and tick Configure listeners individually per IP address. Then put a check mark on Enable SSL listeners; above this check mark you will see a button captioned Add... Press it. A new window will open: select your server name from the Server combo box and select the LAN IP address of your server from the IP address combo box. Remove the check from Integrated (a warning message will appear; just press OK) and repeat these steps again, this time with the loopback IP address (127.0.0.1) in the IP address combo box. After pressing OK you will see two IP addresses in the space above the Add... button. Now get out of it by applying and pressing OK.
3. Go to Client Configuration; you will see Web Browser and Firewall Client on your right. Double click on Web Browser, then in place of the DNS name put your server's IP address and press OK. Now double click on Firewall Client and tick IP Address rather than DNS name. Press OK.
4. Right click on H.323 Gatekeepers and select Add Gatekeeper...; a new window will open, press OK.
5. Go to Network Configuration and expand it, right click on Local Address Table and select Construct LAT...; a new window will open. Remove the first check, put a check on the local area interface IP address and press OK. Now right click on Routing and select New then Rule...; a new window will open. Set the routing rule name as Other Sites and press Next, then select from the combo box All Destinations Except Selected Set; below that there is another combo box, select Mail Sites from it and press Next. The Request Action window will appear; leave it as default and press Next. The Cache Retrieval Configuration window will appear; select the second option (any version of the object) and press Next. The Cache Content Configuration window will appear; leave it as default, press Next and then press Finish. We have to make another routing rule for Mail Sites, so right click on Routing and select New then Rule and name it Mail Sites, press Next, then select from the combo box Specified Destination Set; a new combo box will appear below, select Mail Sites from it and press Next, Next till the wizard ends.
6. Go to Extensions and expand it, then left click on Application Filters; some filters will appear on the right. Right click on SOCKS V4 Filter and select Disable, then right click on HTTP Redirector Filter; a new window will appear. Select the Options tab, tick the last option (Reject HTTP requests from...) and press OK.
7. Go to Monitoring Configuration and expand it, then right click on Report Jobs and select New then Report Job; a new window will appear. Select Schedule; under Start Report Generation select At, set tomorrow's date and a suitable time like 12:00, and below Recurrence Pattern select Generate every day. If ISA Server is installed on a domain controller then set the credentials by selecting the Credentials tab and entering the Administrator ID, password and domain name.
8. Go to Cache Configuration, expand it and select Drives; you will see the server name and cache size on your right. Double click on it and set the cache size to a minimum of 1GB. (Tip: try to build the cache on a separate physical drive, meaning a hard drive other than the one which has the operating system on it, and build the cache as large as you can.) After setting the cache size, right click on Cache Configuration and select Properties; a new window will appear. Select the HTTP tab, put a check on Enable HTTP caching, tick the fourth option (Set Time To Live...), enter 999 in This percentage of content age, and set 2 hours in the No less than combo box and 6 hours in the No more than combo box. Select the FTP tab, put a check on Enable FTP caching and set the time to live for all objects to 2 days (you can increase the time). Select Active Caching, enable Active Caching and tick Less frequently. In the last tab, Advanced, you have four check boxes: put checks on the second and fourth boxes and remember to remove the checks from the first and third boxes. Press OK.
9. Go to Policy Elements and expand it, right click on Client Address Sets, select New then Set, name it LAN and enter the IP range of your LAN (like 192.168.0.1-192.168.0.254). Make another set, name it VIP and enter the IP addresses which are allowed to download all the time (first of all put the server's IP address).
10. Right click on Schedules and make a schedule suitable for your network (in my own network I blocked downloads from 6PM-1AM and all of Sunday).
11. Right click on Bandwidth Priorities and select New then Bandwidth Priority...; name it Messengers, enter Outbound and Inbound bandwidth as 200 and press OK. Make another one with the name Browsing and set both Outbound and Inbound to 100, then edit the Default Bandwidth Priority, set it to 1 and press OK.
12. Go to Bandwidth Rules, right click on it and select New then Rule and name it Messengers; press Next. From the Apply this rule to combo box select Selected protocols and put checks on all your favourite messengers (like AOL, MSN, ICQ etc.), press Next, leave Schedule as default and press Next, leave Client Type as default and press Next, leave Destination Set as default and press Next, leave Content Group as default and press Next. In the Bandwidth Priority window tick Custom, select Messengers from the Name combo box, press Next and then Finish. We have to make bandwidth rules for Downloading and Browsing too, so make another bandwidth rule, name it Browsing, select these protocols (HTTP, HTTPS), in HTTP Contents select (Documents, HTML Documents, Images and Text) and set the bandwidth priority to Browsing, leaving all unmentioned tabs as default. Finally make another bandwidth rule, name it Downloading, select these protocols (all HTTP and FTP protocols), in HTTP Contents select (Downloads), set the bandwidth priority to Default Bandwidth Priority and press Finish.
13. Now we have to block downloading (as scheduled): go to Access Policy and make a new Site and Content Rule, name this rule Block DL and press Next, tick the fourth option (Custom) and press Next. Select from the Apply this rule to: combo box All destinations except selected set and select Java Sites from the Name combo box; press Next. In the Schedule window select the schedule you set in Policy Elements; press Next. In the Client Type window select the second option (Specified computers...); press Next. In the Client Sets window press the Add button, add LAN, press OK and then Next. In the Content Group window tick Only the following content types:, put a check on Downloads, press Next and then Finish. Double click on the created rule, select the Applies To tab, below in Exceptions add VIP, then press OK and OK again.
14. Right click on Protocol Rules and make a new rule named Block FTP; set the action to Deny and the protocols to all FTP protocols, set the schedule as you set it in Policy Elements and set Applies To: to LAN with an exception for VIP, as we did in the Block DL rule.

Now we have completed the configuration; still we have to schedule the scripts (Enable Routing, Disable Routing) to run on a regular basis. First copy these scripts to a safe location, then go to Scheduled Tasks in Control Panel and add tasks as follows:

Enable Routing.vbs at 12:00 every day
Disable Routing.vbs at 18:00 every day
Enable Routing.vbs at 21:00 every day
Disable Routing.vbs at 04:00 every day

This is what I found to be the best configuration a cable net operator could have; as I'm running it on my network, I rarely found an unsatisfied user. I will be waiting for comments from all of you and we will continue to discuss the why, what and where of this configuration. I tried to make the walkthrough easier for new users of ISA Server. It looks like a mess, but anyway it was my best.

Hunaid Haroon Al Qureshi
A-42 Block 16 Federal B Area, Karachi, Pakistan.
Tel: 6622962, 0333 2219022
munnobhai@hotmail.com
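As an added illustration (not part of Hunaid's post and not ISA Server's own code), the following Python models how ISA Server 2000 evaluates the Block DL and Block FTP rules built in steps 9 to 14 above: a deny rule wins over an allow rule, and a request passes only when both a protocol rule and a site and content rule allow it. The server address used for VIP, the Java Sites patterns and the MIME types in the Downloads content group are constructed assumptions.

```python
"""Model of the access policy from the walkthrough (constructed example, not ISA code)."""
from dataclasses import dataclass
from datetime import datetime
from fnmatch import fnmatch
import ipaddress

# Policy elements from steps 9 and 10. The server address, the Java Sites
# patterns and the Downloads content group are assumptions for this example.
LAN_RANGE = (ipaddress.ip_address("192.168.0.1"), ipaddress.ip_address("192.168.0.254"))
VIP = {ipaddress.ip_address("192.168.0.1")}        # server's own IP, may download any time
JAVA_SITES = ("*.ufone.com", "*.smspaktel.com")     # always-allowed destination set
DOWNLOADS = {"application/zip", "application/x-msdownload", "audio/mpeg"}  # "Downloads" group


def in_lan(ip: ipaddress.IPv4Address) -> bool:
    return LAN_RANGE[0] <= ip <= LAN_RANGE[1]


def block_schedule_active(when: datetime) -> bool:
    """Schedule from step 10: 6PM to 1AM every day, and the whole of Sunday."""
    return when.weekday() == 6 or when.hour >= 18 or when.hour < 1


@dataclass
class Request:
    client_ip: str
    host: str
    protocol: str        # "HTTP", "HTTPS" or "FTP"
    content_type: str    # MIME type of the response, as ISA's content groups see it
    when: datetime


def applies_to_client(r: Request) -> bool:
    """Both deny rules apply to the LAN client set, with VIP as the exception."""
    ip = ipaddress.ip_address(r.client_ip)
    return in_lan(ip) and ip not in VIP


def protocol_rules_allow(r: Request) -> bool:
    """Step 1 'ALLOW ALL' plus step 14 'Block FTP'. In ISA a deny rule wins over an allow rule."""
    if r.protocol == "FTP" and applies_to_client(r) and block_schedule_active(r.when):
        return False
    return True


def site_and_content_rules_allow(r: Request) -> bool:
    """Step 1 'ALLOW ALL' plus step 13 'Block DL': all destinations except Java Sites, Downloads only."""
    on_java_site = any(fnmatch(r.host, pattern) for pattern in JAVA_SITES)
    if (not on_java_site and r.content_type in DOWNLOADS
            and applies_to_client(r) and block_schedule_active(r.when)):
        return False
    return True


def is_allowed(r: Request) -> bool:
    """ISA passes a request only when a protocol rule AND a site and content rule both allow it."""
    return protocol_rules_allow(r) and site_and_content_rules_allow(r)


def check(client_ip: str, host: str, protocol: str, content_type: str, iso_when: str) -> bool:
    """Convenience wrapper; iso_when is e.g. '2003-11-10T20:00'."""
    return is_allowed(Request(client_ip, host, protocol, content_type, datetime.fromisoformat(iso_when)))
```

Calling `check("192.168.0.50", "files.example.com", "HTTP", "application/zip", "2003-11-10T20:00")` returns False (a LAN client downloading on a Monday evening), while the same request from the VIP address or against a Java Sites host returns True.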

Suggestions For Above Steps

Hunaid, I would like to commend you for taking the initiative to help out cablenet operators in Pakistan. There are, though, a few flaws in your methods. I'll just go over two of them, the rest when I find some more time.

1. Allow all protocols: You have effectively opened up all P2P applications. Even though you have blocked Kazaa using the firewall client, all I need to do is rename the executable to, say, hearts.exe and I'll be able to run the app without you ever being able to block it with your current configuration. Try this out on one of your clients' computers; you'll be unpleasantly surprised. The same, though slightly different, method works for Kazaalite: you rename the kazaalite.kpp file to something like hunaid.kpp, make the necessary registry adjustment and you'll have it up and running in no time. Same goes for almost all apps.

2. Bandwidth priorities: While people in your area might prefer messenger usage, hence your bandwidth priorities, people here would rather have faster browsing. And I do have downloading opened... late at night. I've taught all my clients how to schedule their downloads so their files are all ready when they wake up in the morning. I also have nearly all the most popular downloads already on my server for clients to pick up.

CableNet use, especially in Karachi, depends on where you're located. My area has a lot of savvy computer users who are adept at finding the most obscure holes in the firewall to try and bypass it. You just have to keep a step ahead with constant monitoring. I've had more than two years' experience playing this cat and mouse game. The biggest threat I face is HTTP tunnelling, which I've so far managed to thwart. There are other issues which I feel you may need to do some reading on, especially IP routing and packet filters. Oh, and you don't need special routing rules for email websites. Just disable dynamic content caching and your email sites will run fine (no opening up of someone else's account on your machine).

Regards,
Imran

P.S. More issues later....
[ November 08, 2003, 06:24 PM: Message edited by: I m r a n ]

Well done Hunaid, I do really appreciate your concern and efforts for cablenet operators in Karachi. Well, I would like to add some enhancements to your settings: if you specify the pipe of your bandwidth in the bandwidth rule (by right clicking it and specifying the total bandwidth in kilobits) it will be more efficient. Regarding the drawbacks in your settings (I am sorry to say there are a lot), as an initial step your article is really remarkable (as you know I am your old fan). And one critical piece of information that you missed is the security of your ISA; you did not discuss it well. At least you can count on Microsoft for this (click on Computers under Servers and Arrays, right click your server name, ECS-SERVER in my case, and click Secure); select the option appropriate to your settings. Regarding Sygate firewall, it is not stable; your clients will come through a situation "ISA Server unreachable" while you will see everything working perfectly on the server (specially on a server that is on 24 hours). As discussed by Sajid, Allow all protocols is the biggest drawback in your settings; it should not be there (you are losing control). You cannot count on the firewall to block applications. Well, that's all from me. I would appreciate anyone out there being as daring as Hunaid to guide us.

Sincerely,
For ECS Cablenet (Simply THE BEST),
Saqib Ali
ecscablenet@hotmail.com
021-66050

Hunaid, as your friends have already suggested to you before... do not allow all protocols. Just the ones that you need, and make new ones for apps that need other uncommon ports to be opened. You'll need to do a bit of monitoring for that. Do this and you'll have control over all applications.

Regards,
Imran

Thanks Saqib. Well, about the security of the server... I never liked ISA Server as a firewall (secured wall) because it is missing a lot of features that we as cable operators like to see, so I do prefer third-party firewalls (Sygate in this case). This configuration is doing things very well, like:

1. It will run (almost) everything on the client side, like chat rooms, games etc.
2. It blocks downloads (the whole of it) when required.
3. Cache performance is quite good.

I appreciate the comments on this walkthrough. Now what I want here is to reach a configuration that will solve all issues and does not affect the client apps.

Well Imran, maybe you heard of viruses/trojans like MSBlast and DoS attacks on the servers of all ISPs and cable nets too, which degraded the performance of service, and these trojans have reached the clients' PCs as well... but on my network it does not affect any PC... can you guess why???

Well Hunaid, no need to get cocky now. Myself and, I'm sure, a number of other cablenet operators were not affected by the MSBlast or DoS attacks.

1. I have a good antivirus policy implemented on my LAN using NAV CE server. All clients have their virus definitions simultaneously updated.
2. My server does not register on any outside port scans. My machine has to be visible first before I can face a DoS attack. Maybe you should take a trip to https://grc.com/x/ne.dll?bh0bkyd2 and scan your own server to make sure.
3. Disallowing a vast range of ports from being opened protects my server from trojans causing harm on my network.

Lastly... I get this done and more without the use of a second firewall. Reasons you may not have been affected by the virus/trojan:

1. Second firewall
2. Good antivirus policy
3. You were lucky!

Regards,
Imran

Oh sure I'm not. What do you say regarding MAC address restriction... Sygate firewall has this feature!

And what does that do for you except add another layer of restrictions for completely blocking a client's internet access and add one more level to your ever-growing ego? The vast majority of us do the same by blocking IP addresses. Those using AD just block the users. And perhaps you haven't heard of the simplest solution when it comes to blocking clients (which either haven't paid or no longer want to be on your network)... take their wire out! MAC address blocking really doesn't impress me. And please... learn to take a bit of criticism.

Imran

Hey guys, most of you are complaining about why he doesn't discuss security issues here. The answer is that this configuration is for those cable net admins who don't know the complete features of ISA Server related to the web proxy server, not the firewall. The primary task for cable net admins using ISA Server is how to speed up their internet and monitor the traffic passing through it. In my view these are the basic reasons the author doesn't discuss the firewall features of ISA. Another drawback of ISA is that it doesn't filter traffic on a MAC basis; that's why he suggests using a good firewall for security and MAC. By the way, by applying all patches and hotfixes and by implementing a good AV you are already protected from almost all kinds of attacks. By invisibility you can protect yourself from external attacks, but what about internal attacks?

Azfar Hashmi
Email: azfarhashmi@hotmail.com

Azfar, that's why you need a good antivirus policy on your LAN. As for patches, I have all patches/service packs that have been released for Win2k/XP and a few necessary ones for 98, all available to my clients. All my clients have their systems patched, and in case of problems where a complete system re-install is required... I have SP4-integrated Win2k as well as SP1-integrated WinXP CDs configured for unattended installations with all available patches/hotfixes and enhancements. Take a look at the guides at msfn.org for more details on the above. You'll find them to be excellent timesavers. As for internal DoS attacks... they are hardly a problem with proper port management and, since they are localized to just your LAN, are very easy to detect if they ever do occur. As for someone remotely using one of my LAN computers as a 'zombie' machine... they have to get in first, don't they...

Imran

Hunaid, add these sites to your Java Sites, thanks to Azfar Hashmi (Ufone and Paktel SMS are not working with your settings):

*.smspaktel.com
*.chat.mobilinksms.com
*.instasms.com
*.orion.vectracom.net
*.smspk.com
*.ufone.com
*.vectracom.net
*.vega.vectracom.net
*.web.icq.com/sms
http://orion.vectracom.net /*
http://vega.vectracom.net /*
http://web.icq.com/sms /*
http://www.smspaktel.com /*
http://chat.mobilinksms.com /*
http://www.instasms.com /*

Good contribution Azfar Hashmi, keep it up.

Sincerely,
For ECS Cablenet (Simply THE BEST),
Saqib Ali
ecscablenet@hotmail.com
021-6605096
