Lab Manual
Lab Summary
Contents
There are nine modules in this lab. You can complete each of these lab
modules independent of the other modules.
The monitor icons indicate which virtual machines are needed.
The 06 code indicates exercises that are specific to ISA Server 2006.
The EE code indicates exercises that are specific to ISA Server Enterprise
Edition.
The up arrow indicates exercises that depend on the previous exercise.
Lab Summary
Module A: Introduction to ISA Server
Exercise 1 Exploring the User Interface
Exercise 2 Ease of Use: Multiple Networks
Exercise 3 Ease of Use: Single Rule Base
Exercise 4 Ease of Use: Monitoring
Module B: Configuring Outbound Internet Access
Exercise 1 Allowing Outbound Web Access from Client Computers
Exercise 2 Enabling the Use of the Ping command from Client Computers
06 Exercise 3 Allowing Outbound Access from the ISA Server
Exercise 4 Configuring ISA Server 2006 for Flood Resiliency
Module C: Publishing Web Servers and Other Servers
Exercise 1 Publishing a Web Server in the Internal Network
Exercise 2 Publishing the Web Server on the ISA Server Computer
06
Exercise 3 Performing Link Translation on a Published Web Server
06
Exercise 4 Using Cross-Site Link Translation to Publish SharePoint Server
Exercise 5 Publishing a Web Farm for Load Balancing
Exercise 6 Publishing Multiple Terminal Servers
06
Module D: Publishing an Exchange Server
Exercise 1 Publishing Exchange Web Access - Certificate Management
Exercise 2 Publishing an Exchange Server for SMTP and POP3
Exercise 3 Publishing an Exchange Server for Outlook (RPC)
Exercise 4 Publishing an Exchange Server for RPC over HTTP
Module E: Enabling VPN Connections
Exercise 1 Configuring ISA Server to Accept Incoming VPN Connections
Exercise 2 Configuring a Client Computer to Establish a VPN Connection
Exercise 3 Allowing Internal Network Access for VPN Clients
Exercise 4 Configuring VPN Quarantine on ISA Server
06
Exercise 5 Creating and Distributing a Connection Manager Profile
Exercise 6 Using VPN Quarantine on the Client Computer
06
Module F: ISA Server 2006 as Branch Office Gateway
06
Exercise 1 Configuring HTTP Compression to Reduce Bandwidth Usage
EE
Exercise 2 Configuring ISA Server to Cache BITS Content
EE
Exercise 3 Configuring DiffServ Settings to Prioritize Network Traffic
EE Module G: Enterprise Management of ISA Servers
Exercise 1 Enterprise Policies and Array Policies
EE Exercise 2 Remote Management and Role-based Administration
EE Exercise 3 Working with Configuration Storage Servers (Optional)
EE Module H: Configuring Load Balancing
EE Exercise 1 Configuring Network Load Balancing (NLB)
Exercise 2 Examining Details on NLB
Exercise 3 Using CARP to Distribute Cache Content
Exercise 4 Using CARP and Scheduled Content Download Jobs
Module I: Using Monitoring, Alerting and Logging
Exercise 1 Monitoring the ISA Server
Exercise 2 Checking Connectivity from the ISA Server
Exercise 3 Logging Client Computer Access
Lab Setup
Lab Computers
The lab uses five computers in virtual machines.
Denver.contoso.com (green) is the domain controller for the contoso.com domain on the Internal
network. Denver runs DNS, RADIUS, Exchange 2003 SP1 and SharePoint Services 2.0, and is
also the Certification Authority (CA).
Istanbul.fabrikam.com (purple) is a Web server and client computer on the External network
(Internet). Istanbul runs Outlook 2003. Istanbul is not a member of a domain.
Paris (red) runs ISA Server 2006 Standard Edition. Paris has three network adapters, which
connect to the Internal network, the Perimeter network and the External network (Internet).
The Perimeter network is not used in this lab.
Florence (red) and Firenze (red) run ISA Server 2006 Enterprise Edition. Both computers
have three network adapters. Florence and Firenze are in an array named Italy. Only
Florence runs Configuration Storage server (CSS).
The computers cannot communicate with the host computer.
Microsoft Network Monitor 5.2, which is part of Windows Server 2003, is installed in each
virtual machine so that you can examine and understand the traffic on the network.
Note that the steps in this exercise and the other exercises in this module do not enable, configure or
test the functionality of ISA Server. In later modules, the functionality is configured and used in
scenarios.
1. On the Paris computer, explore the task pane.
   a. On the Paris computer, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.
   b. In the ISA Server console, in the left pane, expand Paris, expand Configuration, and then select Add-ins.
   c. Drag the vertical divider between the tree pane (left) and the details pane, to make the details pane area larger or smaller.
   d. On the vertical divider between the details pane and the task pane, click the arrow button.
   e. Click the arrow button again.
   f. Ensure that in the left pane, the Add-ins node is selected, and then in the right pane, on the Web Filters tab, select (for example) RADIUS Authentication Filter.
   g. In the right pane, right-click RADIUS Authentication Filter.
   h. In the task pane, select the Help tab.
   i. In the task pane, select the Tasks tab.
The following task is related to the use of Virtual PC.
2. Explore how you can make the Virtual PC window larger, or switch to full-screen mode.
   a. Drag the bottom right corner of the Paris window, to make the window larger or smaller.
   b. Press the Ctrl-key, and then drag the bottom right corner of the Virtual PC window, to snap the window size to standard resolutions, such as 800x600.
   c. Press <right>Alt-Enter.
   d. If a warning message box appears, click Continue to confirm that you can press <right>Alt-Enter again to return from full-screen mode.
   e. Press <right>Alt-Enter again to return from full-screen mode.
3. Explore the main nodes in the ISA Server console:
   - Configuration
   - Networks
   - Firewall Policy
   - Monitoring
   a. In the ISA Server console, in the left pane, select Configuration.
   b. In the left pane, select Networks.
   c. In the left pane, select Firewall Policy.
   d. If the task pane is closed, click the arrow button to open the task pane.
   e. In the task pane, on the Toolbox tab, click the Protocols heading, and then click Common Protocols.
   f. In the task pane, on the Toolbox tab, click the Users heading, and then click New.
   g. Click Cancel to close the New User Set Wizard.
   h. In the left pane, select Monitoring.
   i. On the Dashboard tab, click the Sessions summary box header.
4. Explore the Export and Import configuration commands.
   a. In the ISA Server console, in the left pane, right-click Paris.
Exercise 3: Ease of Use: Single Rule Base
In this exercise, you will explore how ISA Server uses a single list of firewall rules.
1. On the Paris computer, explore the single firewall policy rule list. Create an access rule:
   Name: Allow Web traffic to Internet
   Applies to: HTTP
   From network: Internal
   To network: External
   a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
   b. In the right pane, on the Firewall Policy tab, select Default rule.
   c. In the task pane, on the Tasks tab, click Create Access Rule.
   d. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow Web traffic to Internet, and then click Next.
   e. On the Rule Action page, select Allow, and then click Next.
   f. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.
   g. In the Add Protocols dialog box, click Web, click HTTP, and click Add, and then click Close to close the Add Protocols dialog box.
   h. On the Protocols page, click Next.
   i. On the Access Rule Sources page, click Add.
   j. In the Add Network Entities dialog box, click Networks, click Internal, and click Add, and then click Close to close the Add Network Entities dialog box.
   k. On the Access Rule Sources page, click Next.
   l. On the Access Rule Destinations page, click Add.
   m. In the Add Network Entities dialog box, click Networks, click External, and click Add, and then click Close to close the Add Network Entities dialog box.
   n. On the Access Rule Destinations page, click Next.
   o. On the User Sets page, click Next.
   p. On the Completing the New Access Rule Wizard page, click Finish.
   q. Do NOT click Apply to apply the new rule.
2. Add the HTTPS and FTP protocol to the Allow Web traffic to Internet access rule.
   a. In the task pane, on the Toolbox tab, in the Protocols section, click Web.
   b. Drag HTTPS from the Toolbox to HTTP in the Protocols column of the Allow Web traffic to Internet access rule.
   c. Drag FTP from the Toolbox to HTTP/HTTPS in the Protocols column of the Allow Web traffic to Internet access rule.
   d. Click the box with the minus-sign in front of the Allow Web traffic to Internet access rule to display the access rule with multiple protocols on a single line.
3. Explore the properties of the Allow Web traffic to Internet access rule.
   a. Right-click the Allow Web traffic to Internet access rule, and then click Properties.
   b. In the Allow Web traffic to Internet Properties dialog box, on the Protocols tab, click Add.
   c. In the Add Protocols dialog box, click Common Protocols.
   d. Click Close to close the Add Protocols dialog box.
   e. On the To tab, click Add.
   f. Click Close to close the Add Network Entities dialog box.
   g. On the From tab, click Add.
   h. In the Add Network Entities dialog box, click Networks.
   i. Click Close to close the Add Network Entities dialog box.
   j. Click Cancel to close the Allow Web traffic to Internet Properties dialog box.
4. Explore the HTTP protocol scanning features of the Allow Web traffic to Internet access rule. For demonstration purposes, configure the rule to block HTTP traffic from MSN Messenger.
   HTTP Header:
   - User-Agent: MSMSGS
   a. Right-click the Allow Web traffic to Internet access rule, and then click Configure HTTP.
   b. In the Configure HTTP policy for rule dialog box, examine the five tabs with the HTTP filter settings.
   c. On the Signatures tab, click Add.
   d. In the Signature dialog box, complete the following information:
      Name: MSN Messenger traffic
      Search in: Request headers
      HTTP Header: User-Agent
      Signature: MSMSGS
      and then click OK.
   e. Click OK to close the Configure HTTP policy for rule dialog box.
5. Explore the System Policy Rules in the Firewall Policy.
   a. In the left pane, ensure that Firewall Policy is selected.
   b. In the task pane, on the Tasks tab, click Show System Policy Rules.
   c. In the task pane, on the Tasks tab, click Edit System Policy.
   d. Click Cancel to close the System Policy Editor dialog box.
   e. In the task pane, on the Tasks tab, click Hide System Policy Rules.
6. Discard the Allow Web traffic to Internet access rule.
   a. In the right pane, click Discard to remove the unsaved Allow Web traffic to Internet access rule.
   b. Click Yes to confirm that you want to discard the changes.
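The signature configured in task 4 of this exercise (Search in: Request headers, HTTP Header: User-Agent, Signature: MSMSGS) can be modelled as a header-scoped byte match. The following is an added example, not ISA Server code; the sample requests are constructed, and case-sensitive matching of the signature is an assumption.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Signature:
    name: str
    header: str      # header searched when "Search in" is "Request headers"
    pattern: bytes   # byte string looked for inside that header's value


# Values taken from the lab's Signature dialog box.
MSN_MESSENGER = Signature("MSN Messenger traffic", "User-Agent", b"MSMSGS")


def request_headers(raw: bytes) -> List[Tuple[bytes, bytes]]:
    """Return (lower-cased name, value) pairs from the header section only."""
    head = raw.partition(b"\r\n\r\n")[0]          # the body is never inspected
    headers: List[Tuple[bytes, bytes]] = []
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        if line[:1] in (b" ", b"\t") and headers:
            # Obsolete line folding: the line continues the previous value.
            name, value = headers[-1]
            headers[-1] = (name, value + b" " + line.strip())
            continue
        name, sep, value = line.partition(b":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers


def matching_signature(raw: bytes, signatures) -> Optional[str]:
    """Name of the first signature that matches the request, else None."""
    parsed = request_headers(raw)
    for sig in signatures:
        wanted = sig.header.lower().encode("ascii")   # header names ignore case
        for name, value in parsed:
            # Assumption: the pattern is compared case-sensitively.
            if name == wanted and sig.pattern in value:
                return sig.name
    return None


# Constructed sample requests (not captured traffic).
MESSENGER = (b"POST /endpoint HTTP/1.1\r\nHost: istanbul.fabrikam.com\r\n"
             b"user-agent: MSMSGS\r\nContent-Length: 0\r\n\r\n")
BROWSER = (b"GET / HTTP/1.1\r\nHost: istanbul.fabrikam.com\r\n"
           b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n\r\n")
BODY_ONLY = (b"POST /form HTTP/1.1\r\nHost: istanbul.fabrikam.com\r\n"
             b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n"
             b"Content-Length: 6\r\n\r\nMSMSGS")
OTHER_HEADER = (b"GET / HTTP/1.1\r\nHost: istanbul.fabrikam.com\r\n"
                b"X-Note: MSMSGS\r\n\r\n")
FOLDED = b"GET / HTTP/1.1\r\nUser-Agent: Client\r\n MSMSGS/1.0\r\n\r\n"

if __name__ == "__main__":
    for label, req in [("messenger", MESSENGER), ("browser", BROWSER),
                       ("body only", BODY_ONLY), ("other header", OTHER_HEADER),
                       ("folded", FOLDED)]:
        print(label, "->", matching_signature(req, [MSN_MESSENGER]))
```

The match depends on a value the client supplies, so the rule classifies well-behaved clients; treat it as a policy aid rather than the only control on that traffic.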
1. On the Paris computer, explore the new Monitoring features in ISA Server.
   a. On the Paris computer, in the ISA Server console, in the left pane, expand Paris, and then select Monitoring.
   b. Select the Alerts tab.
   c. Select the Sessions tab.
   d. Select the Services tab.
   e. Select the Reports tab.
   f. Select the Connectivity Verifiers tab.
   g. Select the Logging tab.
   h. In the task pane, on the Tasks tab, click Configure Firewall Logging.
   i. Click Cancel to close the Firewall Logging Properties dialog box.
   j. Close the ISA Server console.
Module B: Configuring Outbound Internet Access
2. On the Paris computer, create a new access rule.
   Name: Allow outbound Web traffic
   Applies to: HTTP, HTTPS, FTP
   From network: Internal
   To network: External
   a. On the Paris computer, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.
   b. In the ISA Server console, expand Paris, and then select Firewall Policy.
   c. In the right pane, on the Firewall Policy tab, select Default rule.
   d. In the task pane, on the Tasks tab, click Create Access Rule.
   e. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow outbound Web traffic, and then click Next.
   f. On the Rule Action page, select Allow, and then click Next.
   g. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.
   h. In the Add Protocols dialog box, click Common Protocols, click HTTP, and click Add, click HTTPS, and click Add, click Web, click FTP, and click Add, and then click Close to close the Add Protocols dialog box.
   i. On the Protocols page, click Next.
   j. On the Access Rule Sources page, click Add.
   k. In the Add Network Entities dialog box, click Networks, click Internal, and click Add, and then click Close to close the Add Network Entities dialog box.
   l. On the Access Rule Sources page, click Next.
   m. On the Access Rule Destinations page, click Add.
   n. In the Add Network Entities dialog box, click Networks, click External, and click Add, and then click Close to close the Add Network Entities dialog box.
   o. On the Access Rule Destinations page, click Next.
   p. On the User Sets page, click Next.
   q. On the Completing the New Access Rule Wizard page, click Finish.
3. Apply the changes.
   a. Click Apply to apply the new rule, and then click OK.
4. Examine the network rule for connectivity between the Internal network and the External network.
   a. In the left pane, expand Configuration, and then select Networks.
   b. In the right pane, on the Network Rules tab, select the rule that defines the connectivity between the Internal network and the External network.
5. Examine the Web Proxy settings of the Internal network.
   a. On the Networks tab, right-click Internal, and then click Properties.
   b. In the Internal Properties dialog box, select the Web Proxy tab.
   c. Click Cancel to close the Internal Properties dialog box.
Perform the following steps on the Denver computer.
7. On the Paris computer, create a new Computer Set rule element.
   Name: Restricted Internal Computers
   Included in the set: 10.1.1.5-10.1.1.8 (Domain Controllers)
   a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
   b. In the task pane, on the Toolbox tab, in the Network Objects section, right-click Computer Sets, and then click New Computer Set.
   c. In the New Computer Set Rule Element dialog box, in the Name text box, type Restricted Internal Computers.
   d. Click Add, and then click Address Range.
   e. In the New Address Range Rule Element dialog box, complete the following information:
      Name: Domain Controllers
      Start Address: 10.1.1.5
      End Address: 10.1.1.8
      Description: DCs on the internal network
      and then click OK.
   f. Click OK to close the New Computer Set Rule Element dialog box.
8. Create a new access rule.
   Name: Deny restricted computers
   Action: Deny
   Applies to: All outbound traffic
   From: Restricted Internal Computers
   To network: External
   a. In the Firewall Policy list, select the Allow outbound Web traffic rule.
   b. In the task pane, on the Tasks tab, click Create Access Rule.
   c. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Deny restricted computers, and then click Next.
   d. On the Rule Action page, select Deny, and then click Next.
   e. On the Protocols page, in the This rule applies to list box, select All outbound traffic, and then click Next.
   f. On the Access Rule Sources page, click Add.
   g. In the Add Network Entities dialog box, click Computer Sets, click Restricted Internal Computers, and click Add, and then click Close to close the Add Network Entities dialog box.
   h. On the Access Rule Sources page, click Next.
   i. On the Access Rule Destinations page, click Add.
   j. In the Add Network Entities dialog box, click Networks, click External, and click Add, and then click Close to close the Add Network Entities dialog box.
   k. On the Access Rule Destinations page, click Next.
   l. On the User Sets page, click Next.
   m. On the Completing the New Access Rule Wizard page, click Finish.
   n. Click Apply to apply the new rule, and then click OK.
Perform the following steps on the Denver computer.
10. On the Paris computer, move the Allow outbound Web traffic rule, before the Deny restricted computers rule.
   a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
   b. In the right pane, right-click the Allow outbound Web traffic rule (order 2), and then click Move Up.
   c. Click Apply to save the changes, and then click OK.
Perform the following steps on the Denver computer.
11. On the Denver computer, test your connectivity again by opening Internet Explorer and connecting to http://istanbul.fabrikam.com.
   a. On the Denver computer, open Internet Explorer. In the Address box, type http://istanbul.fabrikam.com, and then press Enter.
Perform the following steps on the Paris computer.
12. On the Paris computer, delete the Deny restricted computers access rule.
   a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
   b. In the right pane, right-click the Deny restricted computers rule, and then click Delete.
   c. Click Yes to confirm that you want to delete the rule.
   d. Click Apply to save the changes, and then click OK.
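Tasks 7 to 12 above depend on ISA Server evaluating the rule list in order and applying the first rule that matches. The following added example (not ISA Server code) models the two rules from the lab and shows what Move Up changes for a computer in the 10.1.1.5-10.1.1.8 set. The 10.1.1.0/24 extent of the Internal network and the destination 42.1.0.1 are assumptions made for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, FrozenSet, List, Tuple

INTERNAL = ip_network("10.1.1.0/24")   # assumption: extent of the Internal network


def internal(ip) -> bool:
    return ip in INTERNAL


def external(ip) -> bool:
    return ip not in INTERNAL


def restricted(ip) -> bool:
    # Computer set "Restricted Internal Computers" (address range from the lab).
    return ip_address("10.1.1.5") <= ip <= ip_address("10.1.1.8")


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    protocols: FrozenSet[str]    # empty set = all outbound traffic
    source: Callable
    destination: Callable

    def matches(self, src, dst, proto: str) -> bool:
        return ((not self.protocols or proto in self.protocols)
                and self.source(src) and self.destination(dst))


DEFAULT_RULE = Rule("Default rule", "deny", frozenset(),
                    lambda ip: True, lambda ip: True)
ALLOW_WEB = Rule("Allow outbound Web traffic", "allow",
                 frozenset({"HTTP", "HTTPS", "FTP"}), internal, external)
DENY_RESTRICTED = Rule("Deny restricted computers", "deny",
                       frozenset(), restricted, external)


def evaluate(rules: List[Rule], src: str, dst: str, proto: str) -> Tuple[str, str]:
    """First matching rule wins; the Default rule always sits last and denies."""
    s, d = ip_address(src), ip_address(dst)
    for rule in list(rules) + [DEFAULT_RULE]:
        if rule.matches(s, d, proto):
            return rule.action, rule.name
    raise AssertionError("unreachable: the Default rule matches everything")


def move_up(rules: List[Rule], name: str) -> List[Rule]:
    """Return a copy of the list with the named rule moved one position up."""
    rules = list(rules)
    i = next(k for k, r in enumerate(rules) if r.name == name)
    if i > 0:
        rules[i - 1], rules[i] = rules[i], rules[i - 1]
    return rules


# Order after task 8: the new Deny rule sits above the Allow rule.
BEFORE = [DENY_RESTRICTED, ALLOW_WEB]
# Order after task 10: the Allow rule (order 2) is moved up.
AFTER = move_up(BEFORE, "Allow outbound Web traffic")

if __name__ == "__main__":
    dst = "42.1.0.1"   # constructed External address
    for label, rules in (("before", BEFORE), ("after", AFTER)):
        for src, proto in (("10.1.1.5", "HTTP"), ("10.1.1.5", "SMTP"),
                           ("10.1.1.20", "HTTP")):
            print(label, src, proto, evaluate(rules, src, dst, proto))
```

After the move, the Deny rule still stops non-Web protocols from the restricted range, but it no longer protects those computers from Web access, which is why a broad Allow rule placed above a narrow Deny rule deserves review.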
2. On the Paris computer, create a new access rule.
   Name: Allow outbound Ping traffic
   Applies to: PING
   From network: Internal
   To network: External
   a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
   b. In the right pane, select the first rule to indicate where the new rule is added to the rule list.
   c. In the task pane, on the Tasks tab, click Create Access Rule.
   d. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow outbound Ping traffic, and then click Next.
   e. On the Rule Action page, click Allow, and then click Next.
   f. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.
   g. In the Add Protocols dialog box, click Common Protocols, click PING, and click Add, and then click Close to close the Add Protocols dialog box.
   h. On the Protocols page, click Next.
   i. On the Access Rule Sources page, click Add.
   j. In the Add Network Entities dialog box, click Networks, click Internal, and click Add, and then click Close to close the Add Network Entities dialog box.
   k. On the Access Rule Sources page, click Next.
   l. On the Access Rule Destinations page, click Add.
   m. In the Add Network Entities dialog box, click Networks, click External, and click Add, and then click Close to close the Add Network Entities dialog box.
   n. On the Access Rule Destinations page, click Next.
   o. On the User Sets page, click Next.
   p. On the Completing the New Access Rule Wizard page, click Finish.
   q. Click Apply to apply the new rule, and then click OK.
3. Examine the PING protocol definition.
   a. In the task pane, on the Toolbox tab, in the Protocols section, expand Common Protocols, right-click PING, and then click Properties.
   b. In the PING Properties dialog box, select the Parameters tab.
   c. Click Cancel to close the PING Properties dialog box.
Perform the following steps on the Denver computer.
1. On the Paris computer, test your connectivity by attempting to establish an FTP session with istanbul.fabrikam.com.
   a. On the Paris computer, open a Command Prompt window.
   b. At the command prompt, type ftp istanbul.fabrikam.com, and then press Enter.
   c. At the ftp> prompt, type quit, and then press Enter.
   d. Close the Command Prompt window.
2. Create a new access rule.
   Name: Allow FTP from firewall
   Applies to: FTP
   From network: Local Host
   To network: External
   a. In the ISA Server console, in the left pane, select Firewall Policy.
   b. In the right pane, select the first rule to indicate where the new rule is added to the rule list.
   c. In the task pane, on the Tasks tab, click Create Access Rule.
   d. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow FTP from firewall, and then click Next.
   e. On the Rule Action page, click Allow, and then click Next.
   f. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.
   g. In the Add Protocols dialog box, click Web, click FTP, and click Add, and then click Close to close the Add Protocols dialog box.
   h. On the Protocols page, click Next.
   i. On the Access Rule Sources page, click Add.
   j. In the Add Network Entities dialog box, click Networks, click Local Host, and click Add, and then click Close to close the Add Network Entities dialog box.
   k. On the Access Rule Sources page, click Next.
   l. On the Access Rule Destinations page, click Add.
   m. In the Add Network Entities dialog box, click Networks, click External, and click Add, and then click Close to close the Add Network Entities dialog box.
   n. On the Access Rule Destinations page, click Next.
   o. On the User Sets page, click Next.
   p. On the Completing the New Access Rule Wizard page, click Finish.
   q. Click Apply to apply the new rule, and then click OK.
3. Test your connectivity again by establishing an FTP session with istanbul.fabrikam.com.
   a. Open a Command Prompt window.
   b. At the command prompt, type ftp istanbul.fabrikam.com, and then press Enter.
   c. Type Ctrl-C to close the FTP session.
   d. If the ftp> prompt appears, type quit, and then press Enter.
   e. Close the Command Prompt window.
4. Show the System Policy Rules in the Firewall Policy.
   a. In the ISA Server console, in the left pane, select Firewall Policy.
   b. In the task pane, on the Tasks tab, click Show System Policy Rules.
5. Test your connectivity by opening Internet Explorer and connecting to http://istanbul.fabrikam.com and by using the Ping command to istanbul.fabrikam.com and to denver.contoso.com.
   a. Open Internet Explorer. In the Address box, type http://istanbul.fabrikam.com, and then press Enter.
   b. Close Internet Explorer.
   c. Open a Command Prompt window.
   d. At the command prompt, type ping istanbul.fabrikam.com, and then press Enter.
   e. At the command prompt, type ping denver.contoso.com, and then press Enter.
   f. Close the Command Prompt window.
6. Hide the System Policy Rules in the Firewall Policy.
   a. In the ISA Server console, in the left pane, select Firewall Policy.
   b. In the task pane, on the Tasks tab, click Hide System Policy Rules.
   c. Close the ISA Server console.
Exercise 4: Configuring ISA Server 2006 for Flood Resiliency
In this exercise, you will configure ISA Server to block a large number of TCP connections from the
same IP address.
1. On the Paris computer, examine the flood mitigation settings.
   a. On the Paris computer, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.
   b. In the ISA Server console, in the left pane, expand Paris, expand Configuration, and then select General.
   c. In the right pane, under Additional Security Policy, click Configure Flood Mitigation Settings.
   d. In the Flood Mitigation dialog box, on the Flood Mitigation tab, click the second Edit button.
   e. Click Cancel to close the Flood Mitigation Settings dialog box.
   f. In the Flood Mitigation dialog box, select the IP Exceptions tab.
2. Disable the logging of network traffic blocked by flood mitigation settings.
   a. In the Flood Mitigation dialog box, select the Flood Mitigation tab.
   b. Clear the Log traffic blocked by flood mitigation settings check box.
   c. Click OK to close the Flood Mitigation dialog box.
3. Create a new access rule.
   Name: Allow Web access (Flood)
   Applies to: HTTP
   From network: Internal
   To network: External
   a. In the left pane, select Firewall Policy.
   b. In the right pane, select the first rule, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.
   c. In the task pane, on the Tasks tab, click Create Access Rule.
   d. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow Web access (Flood), and then click Next.
   e. On the Rule Action page, select Allow, and then click Next.
   f. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.
   g. In the Add Protocols dialog box, click Common Protocols, click HTTP, click Add, and then click Close to close the Add Protocols dialog box.
   h. On the Protocols page, click Next.
   i. On the Access Rule Sources page, click Add.
   j. In the Add Network Entities dialog box, click Networks, click Internal, click Add, and then click Close to close the Add Network Entities dialog box.
   k. On the Access Rule Sources page, click Next.
   l. On the Access Rule Destinations page, click Add.
   m. In the Add Network Entities dialog box, click Networks, click External, click Add, and then click Close to close the Add Network Entities dialog box.
   n. On the Access Rule Destinations page, click Next.
   o. On the User Sets page, click Next.
   p. On the Completing the New Access Rule Wizard page, click Finish.
4. Apply the changes.
   a. Click Apply to apply the changes, and then click OK.
Perform the following steps on the Denver computer.
5. On the Denver computer, configure Internet Explorer not to use a proxy server.
   a. On the Denver computer, open Internet Explorer.
   b. In Internet Explorer, on the Tools menu, click Internet Options.
   c. In the Internet Options dialog box, on the Connections tab, click LAN Settings.
   d. In the Local Area Network (LAN) Settings dialog box, clear the Use a proxy server for your LAN check box, and then click OK.
   e. Click OK to close the Internet Options dialog box.
6. Use Internet Explorer to connect to http://istanbul.fabrikam.com/web.asp
   a. In Internet Explorer, in the Address bar, type http://istanbul.fabrikam.com/web.asp, and then press Enter.
   b. Do not close Internet Explorer.
7. Use the C:\Tools\tcpflooder.vbs tool to create 200 concurrent TCP connections.
   a. Use Windows Explorer (or My Computer) to open the C:\Tools folder.
   b. Right-click tcpflooder.vbs, and then click Open.
   c. Click Yes to confirm that you want to start TCP Flooder.
   d. Press OK to acknowledge that 200 TCP connections are created.
   e. Close the Tools folder.
8. In Internet Explorer, refresh the existing Web page, and attempt to create a second connection to http://istanbul.fabrikam.com/web.asp
   a. In the Internet Explorer window, on the toolbar, click the Refresh button.
   b. On the Start menu, click All Programs, and then click Internet Explorer.
   c. In Internet Explorer, in the Address box, type http://istanbul.fabrikam.com/web.asp, and then press Enter.
   d. Close the Internet Explorer windows.
Perform the following steps on the Paris computer.
9. On the Paris computer, examine the flooding alert.
   a. On the Paris computer, in the ISA Server console, in the left pane, select Monitoring.
   b. In the right pane, select the Alerts tab.
   c. In the task pane, on the Tasks tab, click Refresh Now.
   d. In the alert list, expand the Concurrent TCP Connections from One IP Address Limit Exceeded alert, and then select the alert line below that.
10. Configure the log viewer filter conditions:
   Log Time: Last Hour
   Client IP: Equals 10.1.1.5
   Destination IP: Greater or Equal 42.1.0.0
   a. In the right pane, select the Logging tab.
   b. In the task pane, on the Tasks tab, click Edit Filter.
   c. In the Edit Filter dialog box, in the conditions list, select the Log Time - Live condition.
   d. In the Condition drop-down list box, select Last Hour, and then click Update.
   e. Complete the following information:
      Filter by: Client IP
      Condition: Equals
      Value: 10.1.1.5
      and then click Add To List.
   f. Complete the following information:
      Filter by: Destination IP
      Condition: Greater or Equal
      Value: 42.1.0.0
      and then click Add To List.
   g. Click Start Query to close the Edit Filter dialog box.
   h. Scroll to the top of the list of log entries.
11. Restore the log viewer filter conditions:
   Log Time: Live
   Client IP: (remove)
   Destination IP: (remove)
   a. In the task pane, on the Tasks tab, click Edit Filter.
   b. In the Edit Filter dialog box, in the conditions list, select Log Time - Last Hour.
   c. In the Condition drop-down list box, select Live, and then click Update.
   d. In the conditions list, select the Destination IP condition, and then click Remove.
   e. In the conditions list, select the Client IP condition, and then click Remove.
   f. Click Start Query to close the dialog box.
   g. In the task pane, on the Tasks tab, click Stop Query.
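The behaviour this exercise observes (200 connections from one client, an alert, and a log query on Client IP and Destination IP) can be reproduced with a small model of a per-IP concurrent connection limit. This is an added example, not ISA Server code; the limit of 160, the custom limit of 400 for IP exceptions, the exception address 10.1.1.9 and the destination 42.1.0.1 are assumed values, because the lab text does not state the configured numbers.

```python
from collections import defaultdict
from ipaddress import ip_address

# Alert name as shown on the Alerts tab in task 9.
ALERT = "Concurrent TCP Connections from One IP Address Limit Exceeded"


class FloodMitigation:
    """Per-client limit on concurrent TCP connections, with IP exceptions."""

    def __init__(self, limit, custom_limit, ip_exceptions=(), log_blocked=True):
        self.limit = limit                  # applies to ordinary clients
        self.custom_limit = custom_limit    # applies to IP exceptions
        self.ip_exceptions = {ip_address(a) for a in ip_exceptions}
        self.log_blocked = log_blocked      # task 2 clears this check box
        self.open_count = defaultdict(int)
        self.over_limit = set()             # clients already alerted on
        self.alerts = []
        self.log = []                       # (client, destination, action)

    def limit_for(self, client):
        return self.custom_limit if client in self.ip_exceptions else self.limit

    def connect(self, client, dest):
        client, dest = ip_address(client), ip_address(dest)
        if self.open_count[client] >= self.limit_for(client):
            if client not in self.over_limit:        # one alert per episode
                self.over_limit.add(client)
                self.alerts.append((ALERT, client))
            if self.log_blocked:
                self.log.append((client, dest, "denied"))
            return False
        self.open_count[client] += 1
        self.log.append((client, dest, "allowed"))
        return True

    def close(self, client):
        client = ip_address(client)
        if self.open_count[client] > 0:
            self.open_count[client] -= 1
        if self.open_count[client] < self.limit_for(client):
            self.over_limit.discard(client)          # re-arm the alert


def filter_log(log, client_ip, min_dest_ip):
    """Log viewer conditions from task 10: Client IP Equals, Destination IP >=."""
    client_ip, min_dest_ip = ip_address(client_ip), ip_address(min_dest_ip)
    return [e for e in log if e[0] == client_ip and e[1] >= min_dest_ip]


def run_lab(limit=160, connections=200):
    """Replay task 7: one client opens `connections` concurrent connections."""
    fw = FloodMitigation(limit=limit, custom_limit=400,
                         ip_exceptions=["10.1.1.9"], log_blocked=False)
    results = [fw.connect("10.1.1.5", "42.1.0.1") for _ in range(connections)]
    return fw, results.count(True), results.count(False)


if __name__ == "__main__":
    fw, allowed, denied = run_lab()
    print("allowed:", allowed, "denied:", denied, "alerts:", fw.alerts)
    print("second browser window:", fw.connect("10.1.1.5", "42.1.0.1"))
    print("log rows for query:", len(filter_log(fw.log, "10.1.1.5", "42.1.0.0")))
```

With logging of blocked traffic cleared as in task 2, the denied connections leave no log rows, so the alert is the only record that the limit was reached.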
Perform the following steps on the Denver computer.
1. On the Paris computer, a. On the Paris computer, on the Start menu, click
create a new Web All Programs, click Microsoft ISA Server, and then click ISA
listener. Server Management.
b. In the ISA Server console, expand Paris, and then select
Name: External Web Firewall Policy.
80
c. In the task pane, on the Toolbox tab, in the Network Objects
section, right-click Web Listeners, and then click New Web
SSL: disable
Listener.
Network: External d. In the New Web Listener Definition Wizard dialog box, in the
Compression: disable Web listener name text box, type External Web 80, and then
click Next.
Authentication: none e. On the Client Connection Security page, select
Do not require SSL secured connections with clients, and
then click Next.
f. On the Web Listener IP Addresses page, complete the
following information:
Listen on network: External
ISA Server will compress content: disable
and then click Next.
g. On the Authentication Settings page, in the drop-down list box,
select No Authentication, and then click Next.
h. On the Single Sign On Settings page, click Next.
i. On the Completing the New Web Listener Wizard page, click
Finish.
j. Click Apply to save the changes, and then click OK.
2. Examine the effect of a. Open a Command Prompt window.
the Web listener b. At the command prompt, type netstat -ano | find ":80",
definition on the and then press Enter.
listening ports.
c. Close the Command Prompt window.
3. Create a Web publishing rule.
Name: Web Home Page (on Denver)
Publishing type: single Web site
Internal site name: denver.contoso.com
Public name: www.contoso.com
Web listener: External Web 80
Delegation: none

a. In the ISA Server console, in the left pane, select Firewall Policy.
b. In the right pane, select the first rule, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.
c. In the task pane, on the Tasks tab, click Publish Web Sites.
d. In the New Web Publishing Rule Wizard dialog box, in the Web publishing rule name text box, type Web Home Page (on Denver), and then click Next.
e. On the Select Rule Action page, select Allow, and then click Next.
f. On the Publishing Type page, select Publish a single Web site, and then click Next.
g. On the Server Connection Security page, select Use non-secured connections to connect to the published Web server, and then click Next.
h. On the Internal Publishing Details page, complete the following information:
Internal site name: denver.contoso.com
Use a computer name or IP address: disable (is default)
and then click Next.
i. On the next Internal Publishing Details page, complete the following information:
Path: (leave empty)
Forward the original host header: disable (is default)
and then click Next.
j. On the Public Name Details page, complete the following information:
Accept requests for: This domain name (type below):
Public name: www.contoso.com
Path: (leave empty)
and then click Next.
k. On the Select Web Listener page, in the Web listener drop-down list box, select External Web 80, and then click Next.
l. On the Authentication Delegation page, select No delegation, and client cannot authenticate directly, and then click Next.
m. On the User Sets page, click Next.
n. On the Completing the New Web Publishing Rule Wizard page, click Finish.
o. Click Apply to apply the new rule, and then click OK.
4. Examine the effect of the Web publishing rule on the listening ports.

a. Open a Command Prompt window.
b. At the command prompt, type netstat -ano | find ":80", and then press Enter.
c. At the command prompt, type tasklist /svc | find "nnnn", and then press Enter. (Replace nnnn with the actual process ID displayed in output of the previous step.)
d. Close the Command Prompt window.
5. Examine the network rule for connectivity between the External network and the Internal network.

a. In the ISA Server console, in the left pane, expand Configuration, and then select Networks.
b. In the right pane, on the Network Rules tab, select the rule that defines the connectivity between the Internal network and the External network.
Perform the following steps on the Istanbul computer.
8. On the Paris computer, add the 39.1.1.1 public name to the Web Home Page (on Denver) Web publishing rule.

a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
b. In the right pane, select the Web Home Page (on Denver) Web publishing rule.
c. In the task pane, on the Tasks tab, click Edit Selected Rule.
d. In the Web Home Page (on Denver) Properties dialog box, on the Public Name tab, click Add.
e. In the Public Name dialog box, type 39.1.1.1, and then click OK.
f. Click OK to close the Web Home Page (on Denver) Properties dialog box.
g. Click Apply to apply the changed rule, and then click OK.
Perform the following steps on the Istanbul computer.
5. On the Paris computer, create a Web publishing rule.
Name: Public Web Site (on Paris)
Publishing type: single Web site
Internal site name: Paris
IP address: 10.1.1.1
Path: publicweb/*
Port: 81
Public name: public.contoso.com
Web listener: External Web 80
Delegation: none

a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
b. In the right pane, select the first rule to indicate where the new rule is added to the rule list.
c. In the task pane, on the Tasks tab, click Publish Web Sites.
d. In the New Web Publishing Rule Wizard dialog box, in the Web publishing rule name text box, type Public Web Site (on Paris), and then click Next.
e. On the Select Rule Action page, select Allow, and then click Next.
f. On the Publishing Type page, select Publish a single Web site, and then click Next.
g. On the Server Connection Security page, select Use non-secured connections to connect to the published Web server, and then click Next.
h. On the Internal Publishing Details page, complete the following information:
Internal site name: Paris
Use a computer name or IP address: enable
Computer name or IP address: 10.1.1.1
and then click Next.
i. On the next Internal Publishing Details page, complete the following information:
Path: publicweb/*
Forward the original host header: disable (is default)
and then click Next.
j. On the Public Name Details page, complete the following information:
Accept requests for: This domain name (type below):
Public name: public.contoso.com
Path: (remove /publicweb/*, and leave empty)
and then click Next.
k. On the Select Web Listener page, in the Web listener drop-down list box, select External Web 80, and then click Next.
l. On the Authentication Delegation page, select No delegation, and client cannot authenticate directly, and then click Next.
m. On the User Sets page, click Next.
n. On the Completing the New Web Publishing Rule Wizard page, click Finish.
o. In the right pane, select the Public Web Site (on Paris) Web publishing rule, and then in the task pane, on the Tasks tab, click Edit Selected Rule.
p. In the Public Web Site (on Paris) Properties dialog box, select the Paths tab.
q. On the Bridging tab, in the Redirect requests to HTTP port text box, type 81.
r. Click OK to close the Public Web Site (on Paris) Properties dialog box.
s. Click Apply to apply the new rule, and then click OK.
Perform the following steps on the Istanbul computer.
6. On the Istanbul computer, connect to the published Web servers on public.contoso.com.

a. On the Istanbul computer, open Internet Explorer. In the Address box, type http://public.contoso.com, and then press Enter.
b. Close Internet Explorer.
Exercise 3: Performing Link Translation on a Published Web Server
In this exercise, you will configure ISA Server to enable link translation for a published Web site.
The portal Web site contains links to other Web servers. By using cross-site link translation, you can
access the links from the published portal Web site.
2. On the Paris computer, create a new Web listener. (If this is not done already)
Name: External Web 80
SSL: disable
Network: External
Compression: disable
Authentication: none

a. On the Paris computer, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.
b. In the ISA Server console, expand Paris, and then select Firewall Policy.
c. In the task pane, on the Toolbox tab, in the Network Objects section, expand Web Listeners (if possible).
d. If a Web listener named External Web 80 does not exist, then right-click Web Listeners, and then click New Web Listener.
e. In the New Web Listener Definition Wizard dialog box, in the Web listener name text box, type External Web 80, and then click Next.
f. On the Client Connection Security page, select Do not require SSL secured connections with clients, and then click Next.
g. On the Web Listener IP Addresses page, complete the following information:
Listen on network: External
ISA Server will compress content: disable
and then click Next.
h. On the Authentication Settings page, in the drop-down list box, select No Authentication, and then click Next.
i. On the Single Sign On Settings page, click Next.
j. On the Completing the New Web Listener Wizard page, click Finish.
3. Create a Web publishing rule to publish a SharePoint server.
Name: Portal Web Site
Publishing type: single Web site
Internal site name: portal
Public name: portal.contoso.com
Web listener: External Web 80
Delegation: none

a. In the right pane, select the first rule, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.
b. In the task pane, on the Tasks tab, click Publish SharePoint Sites.
c. In the New SharePoint Publishing Rule Wizard dialog box, in the SharePoint publishing rule name text box, type Portal Web Site, and then click Next.
d. On the Publishing Type page, select Publish a single Web site, and then click Next.
e. On the Server Connection Security page, select Use non-secured connections to connect to the published Web server, and then click Next.
f. On the Internal Publishing Details page, in the Internal site name text box, type portal, and then click Next.
g. On the Public Name Details page, in the Public name text box, type portal.contoso.com, and then click Next.
h. On the Select Web Listener page, in the Web listener drop-down list box, select External Web 80, and then click Next.
i. On the Authentication Delegation page, select No delegation, and client cannot authenticate directly, and then click Next.
j. On the Alternate Access Mapping Configuration page, select SharePoint AAM is not yet configured, and then click Next.
k. On the User Sets page, click Next.
l. On the Completing the New SharePoint Publishing Rule Wizard page, click Finish.
4. Apply the changes.

a. Click Apply to apply the changes, and then click OK.
Perform the following steps on the Istanbul computer.
6. On the Paris computer, create a Web publishing rule.
Name: Server1 Web Site
Publishing type: single Web site
Internal site name: server1
Public name: web1.contoso.com
Web listener: External Web 80
Delegation: none

a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
b. In the right pane, select the first rule to indicate where the new rule is added.
c. In the task pane, on the Tasks tab, click Publish Web Sites.
d. In the New Web Publishing Rule Wizard dialog box, in the Web publishing rule name, type Server1 Web Site, and then click Next.
e. On the Select Rule Action page, select Allow, and then click Next.
f. On the Publishing Type page, select Publish a single Web site, and then click Next.
g. On the Server Connection Security page, select Use non-secured connections to connect to the published Web server, and then click Next.
h. On the Internal Publishing Details page, in the Internal site name text box, type server1, and then click Next.
i. On the next Internal Publishing Details page, leave the Path text box empty, and then click Next.
j. On the Public Name Details page, in the Public name text box, type web1.contoso.com, and then click Next.
k. On the Select Web Listener page, in the Web listener drop-down list box, select External Web 80, and then click Next.
l. On the Authentication Delegation page, select No delegation, and client cannot authenticate directly, and then click Next.
m. On the User Sets page, click Next.
n. On the Completing the New Web Publishing Rule Wizard page, click Finish.
7. Apply the changes.

a. Click Apply to apply the changes, and then click OK.
8. Examine the list of per-server link translation mappings.

a. In the left pane, expand Configuration, and then click General.
b. In the right pane, click Configure Global Link Translation.
c. Select the Global Mappings tab.
d. Click Cancel to close the Link Translation dialog box.
Perform the following steps on the Istanbul computer.
The exercise uses both Cookie-Based Load Balancing and Source-IP Based Load Balancing.
1. On the Paris computer, create a new Web listener. (If this is not done already)
Name: External Web 80
SSL: disable
Network: External
Compression: disable
Authentication: none

a. On the Paris computer, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.
b. In the ISA Server console, expand Paris, and then select Firewall Policy.
c. In the task pane, on the Toolbox tab, in the Network Objects section, expand Web Listeners (if possible).
d. If a Web Listener named External Web 80 does not exist, then right-click Web Listeners, and then click New Web Listener.
e. In the New Web Listener Definition Wizard dialog box, in the Web listener name text box, type External Web 80, and then click Next.
f. On the Client Connection Security page, select Do not require SSL secured connections with clients, and then click Next.
g. On the Web Listener IP Addresses page, complete the following information:
Listen on network: External
ISA Server will compress content: disable
and then click Next.
h. On the Authentication Settings page, in the drop-down list box, select No Authentication, and then click Next.
i. On the Single Sign On Settings page, click Next.
j. On the Completing the New Web Listener Wizard page, click Finish.
2. Create a new Server Farm network element.
Name: Shop Web Servers
Addresses:
- 10.1.1.21
- 10.1.1.22
Monitoring: http://*/

a. In the task pane, on the Toolbox, in the Network Objects section, right-click Server Farms, and then click New Server Farm.
b. In the New Server Farm Definition Wizard dialog box, in the Server farm name text box, type Shop Web Servers, and then click Next.
c. On the Servers page, click Add.
d. In the Server Details dialog box, complete the following information:
Computer name or IP address: 10.1.1.21
Description: Shopping Web Server 1
and then click OK.
e. On the Servers page, click Add again.
f. In the Server Details dialog box, complete the following information:
Computer name or IP address: 10.1.1.22
Description: Shopping Web Server 2
and then click OK.
g. On the Servers page, click Next.
h. On the Server Farm Connectivity Monitoring page, complete the following information:
Send an HTTP/HTTPS GET request: enable (is default)
Current URL: http://*/ (is default)
and then click Next.
i. On the Completing the New Server Farm Wizard page, click Finish.
j. In the HTTP Connectivity Verification dialog box, click Yes to confirm that you want the connectivity verifiers system policy to be enabled.
3. Create a new Web publishing rule.
Name: Sales Web Site
Type: Publish server farm
Internal name: store.contoso.com/shop
Server farm: Shop Web Servers
Load balance mechanism: Cookie-based
Public name: www.contoso.com/shop
Web listener: External Web 80
Delegation: none

a. In the right pane, select the first rule, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.
b. In the task pane, on the Tasks tab, click Publish Web Sites.
c. In the New Publishing Rule Wizard dialog box, in the Web publishing rule name text box, type Sales Web Site, and then click Next.
d. On the Select Rule Action page, select Allow, and then click Next.
e. On the Publishing Type page, select Publish a server farm of load balanced Web servers, and then click Next.
f. On the Server Connection Security page, select Use non-secured connections to connect to the published Web server or server farm, and then click Next.
g. On the Internal Publishing Details page, in the Internal site name text box, type store.contoso.com, and then click Next.
h. On the next Internal Publishing Details page, complete the following information:
Path: shop/*
Forward the original host header: disable (default)
and then click Next.
i. On the Specify Server Farm page, complete the following information:
Select the server farm (drop-down list box): Shop Web Servers
Cookie-based Load Balancing: enable (is default)
and then click Next.
j. On the Public Name Details page, complete the following information:
Accept request for: This domain name (type below)
Public name: www.contoso.com
Path (optional): /shop/* (automatic)
and then click Next.
k. On the Select Web Listener page, in the Web listener drop-down list box, select External Web 80, and then click Next.
l. On the Authentication Delegation page, in the drop-down list box, select No delegation, and client cannot authenticate directly, and then click Next.
m. On the User Sets page, click Next.
n. On the Completing the New Web Publishing Rule Wizard page, click Finish.
4. Apply the changes.

a. Click Apply to apply the changes, and then click OK.
5. Examine the connectivity verifiers for the Shop Web Servers farm.

a. In the ISA Server console, in the left pane, select Monitoring.
b. In the right pane, select the Connectivity Verifiers tab.
c. Right-click the first Farm: Shop Web Servers connectivity verifier, and then click Properties.
d. In the Farm: Shop Web Servers Properties dialog box, select the Connectivity Verification tab.
e. Click Cancel to close the Farm: Shop Web Servers Properties dialog box.
Perform the following steps on the Istanbul computer.
10. On the Paris computer, examine the connectivity verifier and the alert for the connection to 10.1.1.21.

a. On the Paris computer, in the ISA Server console, in the left pane, select Monitoring.
b. In the right pane, select the Connectivity Verifiers tab.
c. In the right pane, select the Alerts tab.
d. In the task pane, on the Tasks tab, click Refresh Now.
e. In the right pane, expand the No Connectivity alert, and then select the lower No Connectivity line.
f. Right-click the lower No Connectivity line, and then click Reset.
g. Click Yes to confirm that you want to reset the No Connectivity alert.
Perform the following steps on the Denver computer.
11. On the Denver computer, start the Server1 Web Site.

a. On the Denver computer, in the IIS Manager console, right-click Server1 Web Site, and then click Start.
Perform the following steps on the Istanbul computer.
12. On the Istanbul computer, refresh the Web page from 10.1.1.22, and create a new connection to http://www.contoso.com/shop/web.asp.

a. On the Istanbul computer, switch to any of the Internet Explorer windows that currently displays the web.asp page from 10.1.1.22 (Server2).
b. On the toolbar, click the Refresh button to refresh the content of the Web page.
c. On the Start menu, click All Programs, and then click Internet Explorer.
d. Wait 20 seconds, and then in Internet Explorer, in the Address box, type http://www.contoso.com/shop/web.asp, and press Enter.
e. Close all Internet Explorer windows.
Perform the following steps on the Paris computer.
13. On the Paris computer, change the load balancing mechanism for the Sales Web Site rule to Source-IP based.

a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
b. In the right pane, right-click the Sales Web Site rule, and then click Properties.
c. In the Sales Web Site Properties dialog box, on the Web Farm tab, in the Load Balancing Mechanism section, select Source-IP based.
d. Click OK to close the Sales Web Site Properties dialog box.
14. Apply the changes.

a. Click Apply to apply the changes, and then click OK.
Perform the following steps on the Istanbul computer.
15. On the Istanbul computer, create two new Internet Explorer sessions, and connect to http://www.contoso.com/shop/web.asp

a. On the Istanbul computer, on the Start menu, click All Programs, and then click Internet Explorer.
b. In Internet Explorer, in the Address box, type http://www.contoso.com/shop/web.asp, and then press Enter.
c. On the toolbar, click the Refresh button to refresh the content of the Web page.
d. On the Start menu, click All Programs, and then click Internet Explorer.
e. In Internet Explorer, in the Address box, type http://www.contoso.com/shop/web.asp, and then press Enter.
Perform the following steps on the Denver computer.
16. On the Denver computer, stop the Server2 Web Site to simulate a connectivity problem with the Web server on 10.1.1.22.

a. On the Denver computer, in the IIS Manager console, right-click Server2 Web Site, and then click Stop.
Perform the following steps on the Istanbul computer.
17. On the Istanbul computer, attempt to refresh the content of the Web page that was from 10.1.1.22 (Server2).

a. On the Istanbul computer, switch to one of the Internet Explorer windows that currently displays the web.asp page from 10.1.1.22 (Server2).
b. On the toolbar, click the Refresh button to refresh the content of the Web page.
c. Wait 20 seconds, and then on the toolbar, click the Refresh button again.
Perform the following steps on the Denver computer.
18. On the Denver computer, start the Server2 Web Site.

a. On the Denver computer, in the IIS Manager console, right-click Server2 Web Site, and then click Start.
b. Close the IIS Manager console.
Perform the following steps on the Istanbul computer.
19. On the Istanbul computer, attempt to refresh the content of the Web page that was from 10.1.1.21 (Server1).

a. On the Istanbul computer, switch to the Internet Explorer window that currently displays the web.asp page from 10.1.1.21 (Server1).
b. On the toolbar, click the Refresh button to refresh the content of the Web page.
c. Wait 20 seconds, and then on the toolbar, click the Refresh button again.
d. Close all Internet Explorer windows.
Perform the following steps on the Paris computer.
20. On the Paris computer, delete the Sales Web Site rule, and delete the Shop Web Servers farm.

a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
b. In the right pane, right-click the Sales Web Site rule, and then click Delete.
c. Click Yes to confirm that you want to delete Sales Web Site.
d. In the task pane, on the Toolbox tab, in the Network Objects section, expand Server Farms.
e. Under Server Farms, right-click Shop Web Servers, and then click Delete.
f. Click Yes to confirm that you want to delete Shop Web Servers.
21. Apply the changes.

a. Click Apply to apply the changes, and then click OK.
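The two load balancing mechanisms exercised above, as a small model. This is an added example, not ISA Server code, and it does not claim to reproduce ISA Server's internal algorithm: the class, its method names, the opaque cookie tokens and the client address 39.1.1.7 are assumptions; only the farm addresses come from the lab.

```python
import hashlib
import itertools
import secrets


class ServerFarm:
    """Toy model of a published server farm (illustration only)."""

    def __init__(self, servers):
        self.servers = list(servers)
        self.up = set(self.servers)          # kept current by connectivity verification
        self._rr = itertools.cycle(self.servers)
        # Opaque affinity tokens, so the cookie never carries an internal address.
        self._token_of = {s: secrets.token_hex(8) for s in self.servers}
        self._server_of = {t: s for s, t in self._token_of.items()}

    def mark(self, server, healthy):
        """Record the outcome of a connectivity check for one farm member."""
        if server not in self._token_of:
            raise ValueError("not a farm member: %s" % server)
        if healthy:
            self.up.add(server)
        else:
            self.up.discard(server)

    def _next_healthy(self):
        if not self.up:
            raise RuntimeError("no farm member is reachable")
        for server in self._rr:              # round-robin, skipping members that are down
            if server in self.up:
                return server

    def route_cookie(self, cookie=None):
        """Cookie-based affinity. Returns (server, cookie to set on the response)."""
        server = self._server_of.get(cookie)  # unknown or forged values map to None
        if server not in self.up:
            server = self._next_healthy()     # new session, or its server went down
        return server, self._token_of[server]

    def route_source_ip(self, client_ip):
        """Source-IP affinity: the client address alone selects the server."""
        healthy = [s for s in self.servers if s in self.up]
        if not healthy:
            raise RuntimeError("no farm member is reachable")
        digest = hashlib.sha256(client_ip.encode()).digest()
        return healthy[int.from_bytes(digest[:4], "big") % len(healthy)]


def demo():
    farm = ServerFarm(["10.1.1.21", "10.1.1.22"])   # farm members from the lab
    first, _ = farm.route_cookie()                   # browser window 1, no cookie yet
    second, cookie2 = farm.route_cookie()            # browser window 2, same client
    farm.mark("10.1.1.22", False)                    # Server2 Web Site stopped
    moved, _ = farm.route_cookie(cookie2)            # window 2 fails over
    farm.mark("10.1.1.22", True)
    client = "39.1.1.7"                              # constructed client address
    by_ip = {farm.route_source_ip(client) for _ in range(3)}
    return first, second, moved, by_ip


if __name__ == "__main__":
    print(demo())
```

In this model two browser windows on one client can land on different servers under cookie-based affinity, while under source-IP affinity every session from that address reaches the same server until it fails its connectivity check.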
2. On the Paris computer, create a server publishing rule:
Name: Publish RDP (on Denver)
Server: 10.1.1.5
Protocols: RDP (Terminal Services) Server

a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
b. In the right pane, select the first rule, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.
c. In the task pane, on the Tasks tab, click Publish Non-Web Server Protocols.
d. In the New Server Publishing Rule Wizard dialog box, in the Server publishing rule name text box, type Publish RDP (on Denver), and then click Next.
e. On the Select Server page, in the Server IP address text box, type 10.1.1.5, and then click Next.
f. On the Select Protocol page, in the Selected protocol drop-down list box, select RDP (Terminal Services) Server, and then click Next.
g. On the Network Listener IP Addresses page, select External, and then click Next.
h. On the Completing the New Server Publishing Rule Wizard page, click Finish.
i. Click Apply to apply the new rule, and then click OK.
3. Use the C:\Tools\fwengmon /C command to examine the active creation objects.

a. Open a Command Prompt window.
b. At the command prompt, type netstat -ano | find ":3389", and then press Enter.
c. Type cd \tools, and then press Enter.
d. Type fwengmon /?, and then press Enter.
e. Type fwengmon /C, and then press Enter.
f. Do not close the Command Prompt window.
Perform the following steps on the Istanbul computer.
7. On the Paris computer, change the Publish RDP (on Denver) rule.
Requests appear to come from: ISA Server computer

a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
b. In the right pane, right-click Publish RDP (on Denver), and then click Properties.
c. In the Publish RDP (on Denver) Properties dialog box, on the To tab, select Requests appear to come from the ISA Server computer.
d. Click OK to close the Publish RDP (on Denver) Properties dialog box.
e. Click Apply to save the changes, and then click OK.
Perform the following steps on the Istanbul computer.
8. On the Istanbul computer, create a remote desktop connection to 39.1.1.1 (Paris)

a. On the Istanbul computer, on the Start menu, click Remote Desktop Connection.
b. In the Remote Desktop Connection dialog box, in the Computer text box, type 39.1.1.1, and then click Connect.
c. In the Log On to Windows dialog box, complete the following information:
User name: Administrator
Password: password
and then click OK.
9. Use the netstat command to examine the client IP address of the remote desktop connection.

a. In the remote desktop connection to Denver, open a Command Prompt window.
b. At the command prompt, type netstat -ano | find ":3389", and then press Enter.
c. Close the Command Prompt window.
10. Log off the remote desktop connection.

a. In the remote desktop connection to Denver, on the Start menu, click Log Off.
b. Click Log Off to confirm that you are sure you want to log off.
Perform the following steps on the Paris computer.
11. On the Paris computer, change the Publish RDP (on Denver) rule.
Publish on port: 3390

a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
b. In the right pane, right-click Publish RDP (on Denver), and then click Properties.
c. In the Publish RDP (on Denver) Properties dialog box, on the Traffic tab, click Ports.
d. In the Ports dialog box, complete the following information:
Publish on this port instead of the default port: 3390
and then click OK.
e. Click OK to close the Publish RDP (on Denver) Properties dialog box.
f. Click Apply to save the changes, and then click OK.
12. Use the C:\Tools\fwengmon /C command to examine the active creation objects.

a. In a Command Prompt window in the C:\Tools folder, type fwengmon /C, and then press Enter.
Perform the following steps on the Istanbul computer.
13. On the Istanbul computer, create a remote desktop connection to 39.1.1.1:3390 (Paris)

a. On the Istanbul computer, on the Start menu, click Remote Desktop Connection.
b. In the Remote Desktop Connection dialog box, in the Computer text box, type 39.1.1.1:3390, and then click Connect.
c. Click Cancel to close the Log On to Windows dialog box.
d. Click Close to close the Remote Desktop Connection dialog box.
Perform the following steps on the Paris computer.
14. On the Paris computer, use System properties to enable remote desktop.

a. On the Paris computer, on the Start menu, click Control Panel, and then click System.
b. In the System Properties dialog box, on the Remote tab, enable Enable Remote Desktop on this computer.
c. Click OK to acknowledge that remote connection accounts must have passwords, and that the correct port must be open for remote connections.
d. Click OK to close the System Properties dialog box.
15. Use the netstat command, and the C:\Tools\fwengmon /C command to examine the effect of enabling remote desktop.

a. In a Command Prompt window, type netstat -ano | find ":3389", and then press Enter.
b. At the command prompt, type tasklist /svc | find "nnnn", and then press Enter. (Replace nnnn with the actual process ID displayed in the output of the previous step.)
c. At the command prompt, in the C:\Tools folder, type fwengmon /C, and then press Enter.
16. Create a server publishing rule:
Name: Publish RDP (on Paris)
Server: 10.1.1.1
Protocols: RDP (Terminal Services) Server

a. In the ISA Server console, in the left pane, select Firewall Policy.
b. In the right pane, select the first rule to indicate where the new rule is added to the rule list.
c. In the task pane, on the Tasks tab, click Publish Non-Web Server Protocols.
d. In the New Server Publishing Rule Wizard dialog box, in the Server publishing rule name text box, type Publish RDP (on Paris), and then click Next.
e. On the Select Server page, in the Server IP address text box, type 10.1.1.1, and then click Next.
f. On the Select Protocol page, in the Selected protocol drop-down list box, select RDP (Terminal Services) Server, and then click Next.
g. On the Network Listener IP Addresses page, select External, and then click Next.
h. On the Completing the New Server Publishing Rule Wizard page, click Finish.
i. Click Apply to apply the new rule, and then click OK.
17. Use the netstat command, and the C:\Tools\fwengmon /C command to examine the effect of enabling remote desktop.

a. In a Command Prompt window, type netstat -ano | find ":3389", and then press Enter.
b. At the command prompt, in the C:\Tools folder, type fwengmon /C, and then press Enter.
Perform the following steps on the Istanbul computer.
18. On the Istanbul computer, create a remote desktop connection to 39.1.1.1 (Paris)

a. On the Istanbul computer, on the Start menu, click Remote Desktop Connection.
b. In the Remote Desktop Connection dialog box, in the Computer text box, type 39.1.1.1, and then click Connect.
c. Click Cancel to close the Log On to Windows dialog box.
d. Click Close to close the Remote Desktop Connection dialog box.
Perform the following steps on the Denver computer.
19. On the Denver computer, use System properties to disable remote desktop.

a. On the Denver computer, on the Start menu, click Control Panel, and then click System.
b. In the System Properties dialog box, on the Remote tab, in the Remote Desktop box, clear Enable Remote Desktop to this computer.
c. Click OK to close the System Properties dialog box.
Perform the following steps on the Paris computer.
20. On the Paris computer, use System properties to disable remote desktop.

a. On the Paris computer, on the Start menu, click Control Panel, and then click System.
b. In the System Properties dialog box, on the Remote tab, in the Remote Desktop box, clear Enable Remote Desktop to this computer.
c. Click OK to close the System Properties dialog box.
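The netstat -ano | find and tasklist /svc | find checks used in the Web publishing and RDP publishing exercises above can be combined into one lookup that shows which process owns each listening port. The following is an added example, not part of the lab: both output samples are constructed, the image name examplefw.exe, the service name ExampleFwSvc and the client address 39.1.1.7 are placeholders, and the function names are assumptions.

```python
import re

# Constructed sample of `netstat -ano` output; not captured from the lab machines.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       716
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       920
  TCP    10.1.1.1:8080          0.0.0.0:0              LISTENING       1848
  TCP    39.1.1.1:80            0.0.0.0:0              LISTENING       1848
  TCP    39.1.1.1:1055          39.1.1.7:80            ESTABLISHED     2204
  UDP    0.0.0.0:500            *:*                                    440
"""

# Constructed sample of `tasklist /svc` output; names for PID 1848 are placeholders.
TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
lsass.exe                      440 PolicyAgent, SamSs
svchost.exe                    716 RpcSs
svchost.exe                    920 TermService
examplefw.exe                 1848 ExampleFwSvc
iexplore.exe                  2204 N/A
"""

_TASK_ROW = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<services>\S.*)$")


def parse_netstat(text):
    """Return one dict per TCP/UDP row of `netstat -ano` output."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        # UDP rows have no State column, so the PID is always the last field.
        state = fields[3] if len(fields) == 5 else ""
        host, _, port = fields[1].rpartition(":")  # also copes with [::]:80
        rows.append({"proto": fields[0], "host": host, "port": int(port),
                     "foreign": fields[2], "state": state, "pid": int(fields[-1])})
    return rows


def parse_tasklist(text):
    """Map PID -> (image name, [service names]) from `tasklist /svc` output."""
    procs, last_pid = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Image Name", "=")):
            continue
        if line[0].isspace() and last_pid is not None:
            # Continuation row: a long service list wrapped onto the next line.
            procs[last_pid][1].extend(s.strip() for s in line.split(",") if s.strip())
            continue
        m = _TASK_ROW.match(line)
        if m:
            names = [s.strip() for s in m["services"].split(",")]
            last_pid = int(m["pid"])
            procs[last_pid] = (m["image"], [s for s in names if s and s != "N/A"])
    return procs


def listeners_on_port(netstat_text, tasklist_text, port):
    """Sockets listening on exactly `port`, joined with the owning process."""
    procs = parse_tasklist(tasklist_text)
    found = []
    for row in parse_netstat(netstat_text):
        listening = row["state"] == "LISTENING" or row["proto"] == "UDP"
        if row["port"] != port or not listening:
            continue
        image, services = procs.get(row["pid"], ("<unknown>", []))
        found.append({"bind": row["host"], "port": port, "pid": row["pid"],
                      "image": image, "services": services,
                      "all_interfaces": row["host"] in ("0.0.0.0", "[::]", "*")})
    return found


if __name__ == "__main__":
    for port in (80, 3389):
        for hit in listeners_on_port(NETSTAT_SAMPLE, TASKLIST_SAMPLE, port):
            print(hit)
```

Because find ":80" is a substring match, it also returns the :8080 listener and the outbound connection to a remote port 80 in this sample; the exact port comparison above returns only the listener on 39.1.1.1:80.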
Module D: Publishing an Exchange Server
This exercise also demonstrates the new certificate management functionality of ISA Server 2006.
3. On the Paris computer, import the mail.contoso.com Web server certificate from the C:\Tools\Certs folder.

a. On the Paris computer, use Windows Explorer (or My Computer) to open the C:\Tools\Certs folder.
b. In the Certs folder, right-click mail-certload.vbs, and then click Open.
c. Click Yes to confirm that you want to import the certificate.
d. Click OK to acknowledge that the import of the certificate is complete.
4. For demonstration purposes, import invalid certificates from the C:\Tools\Certs\Invalid folder.

a. In the Certs folder, open the Invalid folder.
b. In the Invalid folder, right-click certload-invalid-Paris.vbs, and then click Open.
c. Click Yes to confirm that you want to import the certificates.
d. Click OK to acknowledge that the import of the certificates is complete.
e. Close the Invalid folder.
5. Create a new Web listener.
Name: External Web 443
SSL: enable
Network: External
Compression: disable
Certificate: mail.contoso.com
Authentication: HTTP Authentication - Basic

a. On the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.
b. In the ISA Server console, expand Paris, and then select Firewall Policy.
c. In the task pane, on the Toolbox tab, in the Network Objects section, right-click Web Listeners, and then click New Web Listener.
d. In the New Web Listener Definition Wizard dialog box, in the Web listener name text box, type External Web 443, and then click Next.
e. On the Client Connection Security page, select Require SSL secured connections with clients, and then click Next.
f. On the Web Listener IP Addresses page, complete the following information:
Listen on network: External
ISA Server will compress content: disable
and then click Next.
g. On the Listener SSL Certificates page, click Select Certificate.
h. In the Select Certificate dialog box, disable Show only valid certificates.
i. In the certificates list, select each of the certificates cert2.contoso.com to cert5.contoso.com to see the problem with the certificate.
j. In the certificates list, select mail.contoso.com, and then click Select.
k. On the Listener SSL Certificates page, click Next.
l. On the Authentication Settings page, complete the following information:
Authentication method: HTTP Authentication (is default)
Basic: enable
Digest: disable (is default)
Integrated: disable (is default)
and then click Next.
m. On the Single Sign On Settings page, click Next.
n. On the Completing the New Web Listener Wizard page, click Finish.
6. Create an OWA mail server publishing rule:
   Name: Publish mail (OWA)
   Version: Exchange Server 2003
   Internal site name: denver.contoso.com
   Public name: mail.contoso.com
   Web listener: External Web 443
   Delegation: Basic Authentication
a. In the right pane, select the first rule, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.
b. In the task pane, on the Tasks tab, click Publish Exchange Web Client Access.
c. In the New Exchange Publishing Rule Wizard dialog box, in the Exchange Publishing rule name text box, type Publish mail (OWA), and then click Next.
d. On the Select Services page, complete the following information:
   Exchange version: Exchange Server 2003 (is default)
   Outlook Web Access: enable (is default)
   Leave the other check boxes disabled (is default)
   and then click Next.
e. On the Publishing Type page, select Publish a single Web site, and then click Next.
f. On the Server Connection Security page, select Use SSL to connect to the published Web server, and then click Next.
g. On the Internal Publishing Details page, in the Internal site name text box, type denver.contoso.com, and then click Next.
h. On the Public Name Details page, complete the following information:
   Accept requests for: This domain name (type below):
   Public name: mail.contoso.com
   and then click Next.
i. On the Select Web Listener page, in the Web listener drop-down list box, select External Web 443, and then click Next.
j. On the Authentication Delegation page, select Basic Authentication, and then click Next.
k. On the User Sets page, click Next.
l. On the Completing the New Exchange Publishing Rule Wizard page, click Finish.
7. Examine the new OWA mail server publishing rule named Publish mail (OWA).
a. In the right pane, right-click Publish mail (OWA), and then click Properties.
b. In the Publish mail (OWA) Properties dialog box, select the To tab.
c. Select the Traffic tab.
d. Select the Paths tab.
e. Select the Listener tab.
f. Select the Bridging tab.
g. Click Cancel to close the Publish mail (OWA) Properties dialog box.
8. Apply the new rule.
h. Click Apply to apply the new rule, and then click OK.
Perform the following steps on the Denver computer.
9. On the Denver computer, configure IIS to require SSL on the virtual directories used by OWA:
   /Exchange
   /ExchWeb
   /Public
a. On the Denver computer, on the Start menu, click Administrative Tools, and then click Internet Information Services (IIS) Manager.
b. In the IIS Manager console, expand Default Web Site, right-click Exchange, and then click Properties.
c. In the Exchange Properties dialog, on the Directory Security tab, in the Secure communications box, click Edit.
d. In the Secure Communications box, enable Require secure channel (SSL), and then click OK.
e. Click OK to close the Exchange Properties dialog box.
f. Right-click ExchWeb, and then click Properties.
g. In the ExchWeb Properties dialog box, on the Directory Security tab, in the Secure communications box, click Edit.
h. In the Secure Communications box, enable Require secure channel (SSL), and then click OK.
i. Click OK to close the ExchWeb Properties dialog box.
j. Right-click Public, and then click Properties.
k. In the Public Properties dialog box, on the Directory Security tab, in the Secure communications box, click Edit.
l. In the Secure Communications box, enable Require secure channel (SSL), and then click OK.
m. Click OK to close the Public Properties dialog box.
n. Close the IIS Manager console.
Perform the following steps on the Istanbul computer.
10. On the Istanbul computer, use Internet Explorer to securely connect to https://mail.contoso.com/exchange. Send an e-mail to Administrator to test the secure OWA connection to ISA Server.
a. On the Istanbul computer, open Internet Explorer. In the Address box, type https://mail.contoso.com/exchange, and then press Enter.
b. In the Connect to mail.contoso.com dialog box, complete the following information:
   User name: Administrator
   Password: password
   Remember my password: disable (is default)
   and then click OK.
c. On the OWA toolbar, click New.
d. In the new message window, complete the following information:
   To: Administrator
   Subject: Test mail through Secure OWA - 1
   (Message): Publish Exchange using Secure OWA
   and then click Send.
e. After a few moments, in the left pane, click Inbox to refresh the display of the Inbox contents.
f. Close Internet Explorer.
Perform the following steps on the Paris computer.
11. On the Paris computer, configure the External Web 443 Web listener to use HTML Form Authentication.
a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
b. In the task pane, on the Toolbox tab, in the Network Objects section, expand Web Listeners, right-click External Web 443, and then click Properties.
c. In the External Web 443 Properties dialog box, on the Authentication tab, in the Client Authentication Method drop-down list box, select HTML Form Authentication.
d. On the Forms tab, click Advanced.
e. Click Cancel to close the Advanced Form Options dialog box.
f. Click OK to close the External Web 443 Properties dialog box.
g. Click Apply to save the changes, and then click OK.
Perform the following steps on the Istanbul computer.
12. On the Istanbul computer, use Internet Explorer to securely connect to https://mail.contoso.com/exchange again.
a. On the Istanbul computer, open Internet Explorer. In the Address box, type https://mail.contoso.com/exchange, and then press Enter.
b. In the Office Outlook Web Access page, complete the following information:
   Security: This is a private computer
   Use Outlook Web Access Light: disable (is default)
   Domain\user name: contoso\administrator
   Password: password
   and then click Log On.
c. Close Internet Explorer.
Perform the following steps on the Paris computer.
13. On the Paris computer, configure the External Web 443 Web listener to use Basic authentication.
a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
b. In the task pane, on the Toolbox tab, in the Network Objects section, expand Web Listeners, right-click External Web 443, and then click Properties.
c. In the External Web 443 Properties dialog box, on the Authentication tab, complete the following information:
   Client Authentication Method: HTTP Authentication
   Basic: enable
   Digest: disable (is default)
   Integrated: disable (is default)
   and then click OK to close the External Web 443 Properties dialog box.
d. Click Apply to save the changes, and then click OK.
2. On the Paris computer, create a mail server publishing rule:
   Name: Publish mail
   Protocols: SMTP, POP3
   Server: 10.1.1.5
a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
b. In the right pane, select the first rule, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.
c. In the task pane, on the Tasks tab, click Publish Mail Servers.
d. In the New Mail Server Publishing Rule Wizard dialog box, in the Mail Server Publishing rule name text box, type Publish mail, and then click Next.
e. On the Select Access Type page, select Client access: RPC, IMAP, POP3, SMTP, and then click Next.
f. On the Select Services page, complete the following information:
   POP3 (standard port): enable
   SMTP (standard port): enable
   Leave all other check boxes disabled
   and then click Next.
g. On the Select Server page, in the Server IP address text box, type 10.1.1.5, and then click Next.
h. On the Network Listener IP Addresses page, select External, and then click Next.
i. On the Completing the New Mail Server Publishing Rule Wizard page, click Finish.
3. Apply the changes. a. Click Apply to apply the new rules, and then click OK.
Perform the following steps on the Istanbul computer.
1. On the Paris computer, create a mail server publishing rule:
   Name: Publish mail
   Protocols: Outlook (RPC)
   Server: 10.1.1.5
a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
b. In the right pane, select the first rule, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.
c. In the task pane, on the Tasks tab, click Publish Mail Servers.
d. In the New Mail Server Publishing Rule Wizard dialog box, in the Mail Server Publishing rule name text box, type Publish mail, and then click Next.
e. On the Select Access Type page, select Client access: RPC, IMAP, POP3, SMTP, and then click Next.
f. On the Select Services page, complete the following information:
   Outlook (RPC) (standard port): enable
   Leave all other check boxes disabled
   and then click Next.
g. On the Select Server page, in the Server IP address text box, type 10.1.1.5, and then click Next.
h. On the Network Listener IP Addresses page, select External, and then click Next.
i. On the Completing the New Mail Server Publishing Rule Wizard page, click Finish.
2. Examine the RPC Filter application filter.
a. In the left pane, expand Configuration, and then select Add-ins.
b. In the right pane, on the Application Filters tab, select RPC Filter.
3. Examine the new mail server publishing rule named Publish mail Exchange RPC Server.
a. In the left pane, select Firewall Policy.
b. In the right pane, select Publish mail Exchange RPC Server, and then in the task pane, on the Tasks tab, click Edit Selected Rule.
c. In the Publish mail Exchange RPC Server Properties dialog box, select the Traffic tab.
d. On the Traffic tab, click Properties.
e. In the Exchange RPC Server Properties dialog box, select the Interfaces tab.
f. Click Cancel to close the Exchange RPC Server Properties dialog box.
g. Click Cancel to close the Publish mail Exchange RPC Server Properties dialog box.
4. Apply the new rule.
a. In the right pane, click Apply to apply the new rule, and then click OK.
Perform the following steps on the Istanbul computer.
1. On the Paris computer, examine the status of the Routing and Remote Access service.
a. On the Paris computer, on the Start menu, click Administrative Tools, and then click Routing and Remote Access.
b. In the Routing and Remote Access console, select PARIS (local).
2. Use the ISA Server console to configure VPN address ranges.
   IP address ranges: 10.3.1.1 - 10.3.1.120
a. On the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.
b. In the ISA Server console, expand Paris, and then select Virtual Private Networks (VPN).
c. In the right pane, ensure that the VPN Clients tab is selected.
d. In the task pane, on the Tasks tab, click Define Address Assignments.
e. In the Virtual Private Networks (VPN) Properties dialog box, on the Address Assignment tab, select Static address pool, and then click Add.
f. In the Server IP Address Range Properties dialog box, complete the following information:
   Start address: 10.3.1.1
   End address: 10.3.1.120
   and then click OK.
g. Click OK to close the Virtual Private Networks (VPN) Properties dialog box.
3. Enable and configure VPN client access.
   Maximum clients: 100
   Protocols: PPTP
a. On the Tasks tab, click Enable VPN Client Access.
b. On the Tasks tab, click Configure VPN Client Access.
c. In the VPN Client Properties dialog box, on the General tab, in the Maximum number of VPN clients allowed text box, leave the default value 100.
d. On the Protocols tab, ensure that only Enable PPTP is selected.
e. Click OK to close the VPN Clients Properties dialog box.
4. Examine the VPN connection settings.
   Access networks: External
   Authentication: MS-CHAPv2
a. In the left pane, right-click Virtual Private Networks (VPN), and then click Properties.
b. In the Virtual Private Networks (VPN) Properties dialog box, select the Access Networks tab.
c. Select the Authentication tab.
d. Click OK to close the Virtual Private Networks (VPN) Properties dialog box.
5. On the Paris computer, use the Ping command to test the connection to the VPN client computer (10.3.1.2 or higher).
a. On the Paris computer, open a Command Prompt window.
b. At the command prompt, type ping 10.3.1.2 (or the higher 10.3.1.x IP address assigned to Istanbul), and then press Enter.
c. Close the Command Prompt window.
d. In the ISA Server console, select Firewall Policy.
e. In the task pane, on the Tasks tab, click Show System Policy Rules.
f. In the task pane, on the Tasks tab, click Hide System Policy Rules.
6. Create a new access rule.
   Name: Allow Ping from VPN clients
   Applies to: PING
   From network: VPN Clients
   To network: Local Host
a. In the right pane, select the first rule, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.
b. In the task pane, on the Tasks tab, click Create Access Rule.
c. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow Ping from VPN clients, and then click Next.
d. On the Rule Action page, select Allow, and then click Next.
e. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.
f. In the Add Protocols dialog box, click Common Protocols, click PING, and click Add, and then click Close to close the Add Protocols dialog box.
g. On the Protocols page, click Next.
h. On the Access Rule Sources page, click Add.
i. In the Add Network Entities dialog box, click Networks, click VPN Clients, and click Add, and then click Close to close the Add Network Entities dialog box.
j. On the Access Rule Sources page, click Next.
k. On the Access Rule Destinations page, click Add.
l. In the Add Network Entities dialog box, click Networks, click Local Host, and click Add, and then click Close to close the Add Network Entities dialog box.
m. On the Access Rule Destinations page, click Next.
n. On the User Sets page, click Next.
o. On the Completing the New Access Rule Wizard page, click Finish.
p. Click Apply to apply the new rule, and then click OK.
Perform the following steps on the Istanbul computer.
7. On the Istanbul computer, use the Ping command again to test connectivity to the VPN tunnel end-point at the ISA Server computer (10.3.1.1).
a. On the Istanbul computer, at the command prompt, type ping 10.3.1.1, and then press Enter.
b. Close the Command Prompt window.
Exercise 3: Allowing Internal Network Access for VPN Clients
In this exercise, you will configure ISA Server so that client computers on the Internet are allowed access to the internal network by establishing a VPN connection.
1. On the Paris computer, examine the network rule for connectivity between the VPN Clients network and the Internal network.
a. On the Paris computer, in the ISA Server console, in the left pane, expand Configuration, and then select Networks.
b. In the right pane, on the Network Rules tab, select the rule that defines the connectivity between the VPN Clients network and the Internal network.
2. Create a new access rule:
   Name: Allow access from VPN clients to Internal
   Applies to: PING, Microsoft CIFS (TCP)
   From network: VPN Clients
   To network: Internal
a. In the ISA Server console, in the left pane, select Firewall Policy.
b. In the right pane, select the first rule to indicate where the new rule is added to the rule list.
c. In the task pane, on the Tasks tab, click Create Access Rule.
d. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow access from VPN clients to Internal, and then click Next.
e. On the Rule Action page, select Allow, and then click Next.
f. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.
g. In the Add Protocols dialog box, click Common Protocols, click PING, and click Add, click All protocols, click Microsoft CIFS (TCP), and click Add, and then click Close to close the Add Protocols dialog box.
h. On the Protocols page, click Next.
i. On the Access Rule Sources page, click Add.
j. In the Add Network Entities dialog box, click Networks, click VPN Clients, and click Add, and then click Close to close the Add Network Entities dialog box.
k. On the Access Rule Sources page, click Next.
l. On the Access Rule Destinations page, click Add.
m. In the Add Network Entities dialog box, click Networks, click Internal, and click Add, and then click Close to close the Add Network Entities dialog box.
n. On the Access Rule Destinations page, click Next.
o. On the User Sets page, click Next.
p. On the Completing the New Access Rule Wizard page, click Finish.
q. Click Apply to apply the new rule, and then click OK.
Perform the following steps on the Istanbul computer.
1. On the Paris computer, in the C:\Tools folder, examine the RQScript.vbs script file that is used to check the security configuration of the VPN client computer.
a. On the Paris computer, use Windows Explorer (or My Computer) to open the C:\Tools folder.
b. Right-click the RQScript.vbs file, and then click Edit (do not click Open).
c. Maximize the RQScript.vbs - Notepad, if that is not done already.
d. Close Notepad.
e. Close the Tools folder.
2. Install the Remote Access Quarantine Agent service (RQS.exe).
a. On the Start menu, click Control Panel, and then click Add or Remove Programs.
b. In the Add or Remove Programs window, click Add/Remove Windows Components.
c. On the Windows Components page, select the Networking Services component (do NOT select the check box), and then click Details.
d. In the Networking Services dialog box, select the Remote Access Quarantine Service check box, and then click OK.
e. On the Windows Components page, click Next.
f. On the Completing the Windows Components Wizard page, click Finish.
g. Close the Add or Remove Programs window.
3. Configure the RQS.exe service:
   AllowedSet: RQVersion3
   Authenticator: vpnplgin.dll
a. On the Start menu, click Run.
b. In the Run dialog box, type regedit.exe, and then click OK.
c. In the Registry Editor window, select the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rqs key.
d. In the right pane, right-click the AllowedSet value, and then click Modify.
e. In the Edit Multi-String dialog box, delete the current value, and then type RQVersion3, and click OK.
f. Right-click the rqs key, click New, and then click String Value.
g. In the New Value #1 text box, replace the text by typing Authenticator, and then press Enter.
h. Right-click the Authenticator value, and then click Modify.
i. In the Edit String dialog box, type C:\Program Files\Microsoft ISA Server\vpnplgin.dll, and then click OK.
j. Close the Registry Editor window.
k. On the Start menu, click Administrative Tools, and then click Services.
l. In the Services console, in the right pane, right-click Remote Access Quarantine Agent, and then click Properties.
m. Click Cancel to close the Remote Access Quarantine Agent Properties dialog box.
n. Close the Services console.
4. Create a new protocol definition:
   Name: RQS - Network Quarantine
   Direction: Outbound
   Port: TCP 7250
a. In the ISA Server console, in the left pane, select Firewall Policy.
b. In the task pane, on the Toolbox tab, in the Protocols section, on the New menu, click Protocol.
c. In the New Protocol Definition Wizard dialog box, in the Protocol definition name text box, type RQS - Network Quarantine, and then click Next.
d. On the Primary Connection Information page, click New.
e. In the New/Edit Protocol Connection dialog box, complete the following information:
   Protocol type: TCP
   Direction: Outbound
   Port Range From: 7250
   Port Range To: 7250
   and then click OK.
f. On the Primary Connection Information page, click Next.
g. On the Secondary Connections page, select No, and then click Next.
h. On the Completing the New Protocol Definition Wizard page, click Finish.
5. Create a new access rule:
   Name: Allow RQS network quarantine notification
   Applies to: RQS - Network Quarantine
   From network: Quarantined VPN Clients
   To network: Local Host
a. In the right pane, select the first rule to indicate where the new rule is added to the rule list.
b. In the task pane, on the Tasks tab, click Create Access Rule.
c. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow RQS network quarantine notification, and then click Next.
d. On the Rule Action page, select Allow, and then click Next.
e. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.
f. In the Add Protocols dialog box, click User-Defined, click RQS - Network Quarantine, and click Add, and then click Close to close the Add Protocols dialog box.
g. On the Protocols page, click Next.
h. On the Access Rule Sources page, click Add.
i. In the Add Network Entities dialog box, click Networks, click Quarantined VPN Clients, and click Add, and then click Close to close the Add Network Entities dialog box.
j. On the Access Rule Sources page, click Next.
k. On the Access Rule Destinations page, click Add.
l. In the Add Network Entities dialog box, click Networks, click Local Host, and click Add, and then click Close to close the Add Network Entities dialog box.
m. On the Access Rule Destinations page, click Next.
n. On the User Sets page, click Next.
o. On the Completing the New Access Rule Wizard page, click Finish.
6. In the C:\Tools\ISA folder, examine the ConfigureRQSForISA.vbs script file.
a. Use Windows Explorer (or My Computer) to open the C:\Tools\ISA folder.
b. Right-click the ConfigureRQSForISA.vbs file, and then click Edit (do NOT click Open).
c. Maximize the ConfigureRQSForISA.vbs - Notepad window if that is not done already.
d. Close Notepad.
e. Close the Windows Explorer window.
7. Configure ISA Server to enable quarantine:
   Type: Use ISA Server
   Disconnect quarantine: 60 seconds
a. In the ISA Server console, in the left pane, select Networks.
b. In the right pane, on the Networks tab, right-click the Quarantined VPN Clients network, and then click Properties.
c. In the Quarantined VPN Clients Properties dialog box, on the Quarantine tab, select Enable Quarantine Control.
d. In the message box, click OK to acknowledge that enabling quarantine control requires configuration on both the ISA Server and VPN client computers.
e. On the Quarantine tab, complete the following information:
   Enable Quarantine Control: enable (done in previous step)
   Quarantine according to ISA Server policies: enable (is default)
   Disconnect quarantine users after (seconds): 60
   and then click OK.
f. Click Apply to save the changes, and then click OK.
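A simplified model of the policy configured in Exercises 2 to 4, added here as an example and not part of the lab manual. It checks what a quarantined VPN client can reach and what happens when the quarantine script reports a version string that is or is not in AllowedSet. The class and function names are hypothetical, and the first-match evaluation with a final deny, the port values for PING and CIFS, and the notification handling are modelling assumptions.

```python
from dataclasses import dataclass

# Values taken from the lab steps above.
ALLOWED_SET = {"RQVersion3"}   # AllowedSet value under the rqs registry key
QUARANTINE_TIMEOUT = 60        # "Disconnect quarantine users after (seconds)"
RQS = ("tcp", 7250)            # "RQS - Network Quarantine" protocol definition

# Assumed wire-level meaning of the built-in protocol names used by the rules.
PING = ("icmp", "echo-request")
CIFS = ("tcp", 445)            # Microsoft CIFS (TCP)

QUARANTINED = "Quarantined VPN Clients"
VPN_CLIENTS = "VPN Clients"


@dataclass(frozen=True)
class Rule:
    name: str
    protocols: frozenset
    src: str
    dst: str


# Allow rules created in Exercises 2 to 4. They do not overlap, so their
# relative order does not change any verdict in this model.
RULES = [
    Rule("Allow RQS network quarantine notification",
         frozenset({RQS}), QUARANTINED, "Local Host"),
    Rule("Allow access from VPN clients to Internal",
         frozenset({PING, CIFS}), VPN_CLIENTS, "Internal"),
    Rule("Allow Ping from VPN clients",
         frozenset({PING}), VPN_CLIENTS, "Local Host"),
]


def evaluate(src, dst, proto):
    """Return the first matching allow rule's name, or None (Default rule: deny)."""
    for rule in RULES:
        if rule.src == src and rule.dst == dst and proto in rule.protocols:
            return rule.name
    return None


def quarantine_exposure():
    """List every (destination, protocol) pair a quarantined client may reach."""
    return sorted((r.dst, p) for r in RULES if r.src == QUARANTINED
                  for p in r.protocols)


class VpnSession:
    """One VPN client connection as the firewall sees it (simplified)."""

    def __init__(self):
        self.network = QUARANTINED   # with quarantine control on, clients start here
        self.connected = True
        self.age = 0                 # seconds since the tunnel came up

    def notify(self, script_version):
        """Model of the client-side notification sent to RQS on TCP 7250."""
        if not self.connected or evaluate(self.network, "Local Host", RQS) is None:
            return False             # the notification never reaches the listener
        if script_version not in ALLOWED_SET:
            return False             # unknown version: stay quarantined
        self.network = VPN_CLIENTS   # released from quarantine
        return True

    def tick(self, seconds):
        """Advance time; a client still quarantined at the timeout is dropped."""
        self.age += seconds
        if self.network == QUARANTINED and self.age >= QUARANTINE_TIMEOUT:
            self.connected = False

    def can_reach(self, dst, proto):
        return self.connected and evaluate(self.network, dst, proto) is not None


if __name__ == "__main__":
    print("Quarantined clients can reach:", quarantine_exposure())
    stale = VpnSession()
    stale.notify("RQVersion2")       # constructed, outdated version string
    stale.tick(QUARANTINE_TIMEOUT)
    print("Outdated script still connected:", stale.connected)
```

Running `quarantine_exposure()` after any rule change is a quick way to confirm that the quarantine network has gained no access beyond the notification port.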
Exercise 5: Creating and Distributing a Connection Manager Profile
In this exercise, you will create and distribute a Connection Manager profile for use with network access quarantine. The profile is made available through an extranet distribution point.
1. On the Paris computer, install the Connection Manager Administration Kit (CMAK).
a. On the Paris computer, on the Start menu, click Control Panel, and then click Add or Remove Programs.
b. In the Add or Remove Programs window, click Add/Remove Windows Components.
c. On the Windows Components page, select the Management and Monitoring Tools component (do NOT clear or select the check box), and then click Details.
d. In the Management and Monitoring Tools dialog box, select the Connection Manager Administration Kit check box, and then click OK.
e. On the Windows Components page, click Next.
f. On the Completing the Windows Components Wizard page, click Finish.
g. Close the Add or Remove Programs window.
2. Use CMAK to create a new Connection Manager profile.
   Service name: VPN to Contoso (CM)
   File name: VPN_RQ
   VPN server: 39.1.1.1
   Custom post-connect action: C:\Tools\RQScript.vbs %TunnelRasEntry% %Domain% %UserName%
   Additional files: C:\Program Files\cmak\support\rqc.exe
a. On the Start menu, click Administrative Tools, and then click Connection Manager Administration Kit.
b. On the Welcome to the Connection Manager Administration Kit Wizard page, click Next.
c. On the Service Profile Selection page, select New profile, and then click Next.
d. On the Service and File Names page, complete the following information:
   Service name: VPN to Contoso (CM)
   File name: VPN_RQ
   and then click Next.
e. On the Realm Name page, select Do not add a realm name to the user name, and then click Next.
f. On the Merging Profile Information page, click Next.
g. On the VPN Support page, complete the following information:
   Phone book from this profile: enable
   Always use the same VPN server: 39.1.1.1
   and then click Next.
h. On the VPN Entries page, select VPN to Contoso (CM) Tunnel, and then click Next.
i. On the Phone Book page, CLEAR the Automatically download phone book updates check box, and then click Next.
j. On the Dial-up Networking Entries page, select VPN to Contoso (CM), and then click Next.
k. On the Routing Table Update page, select Do not change the routing tables, and then click Next.
l. On the Automatic Proxy Configuration page, select Do not configure proxy settings, and then click Next.
m. On the Custom Actions page, click New.
n. In the New Custom Action dialog box, complete the following information:
   Description: Quarantine policy checking
   Program to run: c:\tools\RQScript.vbs
   Parameters: %TunnelRasEntry% %Domain% %UserName%
   Action type: Post-connect
   Run this custom action for: All connections (is default)
   Include the custom action program: enable
   Program interacts with the user: enable (is default)
   and then click OK.
o. On the Custom Actions page, click Next.
p. On the Logon Bitmap page, select Default graphic, and then click Next.
q. On the Phone Book Bitmap page, select Default graphic, and then click Next.
r. On the Icons page, select Default icons, and then click Next.
s. On the Notification Area Shortcut Menu page, click Next.
t. On the Help File page, select Default Help file, and then click Next.
u. On the Support Information page, click Next.
v. On the Connection Manager Software page, select Install Connection Manager 1.3, and then click Next.
w. On the License Agreement page, click Next.
x. On the Additional Files page, click Add.
y. In the Browse dialog box, in the C:\Program Files\cmak\support folder, select the rqc.exe file, and then click Open.
z. On the Additional Files page, click Next.
aa. On the Ready to Build the Service Profile page, do NOT select Advanced customization, and then click Next.
bb. On the Completing the Connection Manager Administration Kit Wizard page, click Finish.
3. Create a new folder C:\Inetpub\Extranet. Copy VPN_RQ.exe to the Extranet folder.
a. Use Windows Explorer (or My Computer) to open the C:\Program Files\cmak\Profiles\VPN_RQ folder.
b. Right-click the VPN_RQ.exe file, and then click Copy.
c. In the Windows Explorer window, open the C:\Inetpub folder.
d. Right-click in the empty area of the Inetpub folder, click New, and then click Folder.
e. In the New Folder text box, replace the text by typing Extranet, and then press Enter.
f. Open the Extranet folder.
g. In the empty area of the Extranet folder, click Paste.
h. Close the Extranet folder.
4. Configure the default Web site to use port 81, and then start the Web site. (If this is not done already).
a. On the Start menu, click Administrative Tools, and then click Internet Information Services (IIS) Manager.
b. In the IIS Manager console, expand PARIS (local computer), expand Web Sites, right-click Default Web Site, and then click Properties.
c. In the Default Web Site Properties dialog box, on the Web Site tab, ensure that the TCP port text box is set to 81, and then click OK.
d. If the Default Web Site is not started, then right-click Default Web Site (Stopped), and then click Start.
5. Create a new virtual directory for the default Web site:
   Alias: extranet
   Path: C:\Inetpub\Extranet
   Permissions: Read and Browse.
a. In the IIS Manager console, in the left pane, expand Default Web Site.
b. Right-click Default Web Site, click New, and then click Virtual Directory.
c. In the Virtual Directory Creation Wizard dialog box, click Next.
d. On the Virtual Directory Alias page, in the Alias text box, type extranet, and then click Next.
e. On the Web Site Content Directory page, in the Path text box, type C:\Inetpub\Extranet, and then click Next.
f. On the Virtual Directory Access Permissions page, complete the following information:
   Read: enable (is default)
   Run scripts: disable (is default)
   Execute: disable (is default)
   Write: disable (is default)
   Browse: ENABLE
   and then click Next.
g. On the Completing the Virtual Directory Creation Wizard page, click Finish.
h. Close the IIS Manager console.
6. Create a new Web listener. (If this is not done already)
   Name: External Web 80
   SSL: disable
   Network: External
   Compression: disable
   Authentication: none
a. In the ISA Server console, in the left pane, select Firewall Policy.
b. In the task pane, on the Toolbox tab, in the Network Objects section, expand Web Listeners (if possible).
c. If a Web listener named External Web 80 does not exist, then right-click Web Listeners, and then click New Web Listener.
d. In the New Web Listener Definition Wizard dialog box, in the Web listener name text box, type External Web 80, and then click Next.
e. On the Client Connection Security page, select Do not require SSL secured connections with clients, and then click Next.
f. On the Web Listener IP Addresses page, complete the following information:
   Listen on network: External
   ISA Server will compress content: disable
   and then click Next.
g. On the Authentication Settings page, in the drop-down list box, select No Authentication, and then click Next.
h. On the Single Sign On Settings page, click Next.
i. On the Completing the New Web Listener Wizard page, click Finish.
7. Create a Web publishing rule.
   Name: Extranet Web Site
   Publishing type: single Web site
   Internal site name: Paris
   IP address: 10.1.1.1
   Path: /extranet
   Port: 81
   Public name: www.contoso.com/extranet
   Web listener: External Web 80
   Delegation: none
a. In the left pane, select Firewall Policy.
b. In the right pane, select the first rule to indicate where the new rule is added to the rule list.
c. In the task pane, on the Tasks tab, click Publish Web Sites.
d. In the New Web Publishing Rule Wizard dialog box, in the Web publishing rule name text box, type Extranet Web Site, and then click Next.
e. On the Select Rule Action page, select Allow, and then click Next.
f. On the Publishing Type page, select Publish a single Web site, and then click Next.
g. On the Server Connection Security page, select Use non-secured connections to connect to the published Web server, and then click Next.
h. On the Internal Publishing Details page, complete the following information:
   Internal site name: Paris
   Use a computer name or IP address: enable
   Computer name or IP address: 10.1.1.1
   and then click Next.
i. On the next Internal Publishing Details page, complete the following information:
   Path: extranet/*
   Forward the original host header: enable
   and then click Next.
j. On the Public Name Details page, complete the following information:
   Accept requests for: This domain name (type below):
   Public name: www.contoso.com
   Path: /extranet/*
   and then click Next.
k. On the Select Web Listener page, in the Web listener drop-down list box, select External Web 80, and then click Next.
l. On the Authentication Delegation page, select No delegation, and client cannot authenticate directly, and then click Next.
m. On the User Sets page, click Next.
n. On the Completing the New Web Publishing Rule Wizard page, click Finish.
o. In the right pane, select the Extranet Web Site Web publishing rule, and then in the task pane, on the Tasks tab, click Edit Selected Rule.
p. In the Extranet Web Site Properties dialog box, on the Bridging tab, in the Redirect requests to HTTP port text box, type 81.
q. Click OK to close the Extranet Web Site Properties dialog box.
r. Click Apply to apply the new rule, and then click OK.
Perform the following steps on the Istanbul computer.
2. On the Paris computer, create a new access rule.
Name: Allow Ping from Quarantined VPN clients
Applies to: PING
From network: Quarantined VPN Clients
To network: Local Host
a. On the Paris computer, in the ISA Server console, in the left
pane, select Firewall Policy.
b. In the right pane, select the first rule to indicate where the new
rule is added to the rule list.
c. In the task pane, on the Tasks tab, click Create Access Rule.
d. In the New Access Rule Wizard dialog box, in the
Access rule name text box, type
Allow Ping from Quarantined VPN clients, and then click
Next.
e. On the Rule Action page, select Allow, and then click Next.
f. On the Protocols page, in the This rule applies to list box,
select Selected protocols, and then click Add.
g. In the Add Protocols dialog box,
click Common Protocols, click PING, and click Add,
and then click Close to close the Add Protocols dialog box.
h. On the Protocols page, click Next.
i. On the Access Rule Sources page, click Add.
j. In the Add Network Entities dialog box,
click Networks, click Quarantined VPN Clients, and click
Add,
and then click Close to close the Add Network Entities dialog
box.
k. On the Access Rule Sources page, click Next.
l. On the Access Rule Destinations page, click Add.
m. In the Add Network Entities dialog box,
click Networks, click Local Host, and click Add,
and then click Close to close the Add Network Entities dialog
box.
n. On the Access Rule Destinations page, click Next.
o. On the User Sets page, click Next.
p. On the Completing the New Access Rule Wizard page, click
Finish.
q. Click Apply to apply the new rule, and then click OK.
Perform the following steps on the Istanbul computer.
3. On the Istanbul computer, use the Ping command to test the connection to the VPN tunnel end-point (10.3.1.1) and the Internal network (10.1.1.5).
a. On the Istanbul computer, in the Reconnect message box,
click Yes.
b. In the VPN to Contoso (CM) connection dialog box, ensure
that the User name and Password information is still present,
and then click Connect.
c. Click OK to close the Remote Access Quarantine message
box.
d. At the command prompt, type ping 10.3.1.1, and then press
Enter.
e. At the command prompt, type ping 10.1.1.5, and then press
Enter.
f. If the Reconnect message box appears, click No to close the
message box.
4. Enable Windows Firewall.
a. On the Start menu, click Control Panel, and then click
Windows Firewall.
b. In the Windows Firewall message box, click Yes to confirm
that you want to start the Windows Firewall/ICS service.
c. After the Windows Firewall/ICS service has started, in the
Windows Firewall dialog box, on the General tab, select On,
and then click OK.
5. Use the VPN to Contoso (CM) connection, to establish a VPN connection to the ISA Server again.
a. In the Network Connections window, under
Connection Manager, right-click VPN to Contoso (CM), and
then click Connect.
b. In the VPN to Contoso (CM) connection dialog box, ensure
that the User name and Password information is still present,
and then click Connect.
c. Click OK to close the Remote Access Quarantine message
box.
Perform the following steps on the Paris computer.
6. On the Paris computer, start the Remote Access Quarantine Agent (RQS.exe) service.
a. On the Paris computer, on the Start menu, click
Administrative Tools, and then click Services.
b. In the Services console, in the right pane, right-click
Remote Access Quarantine Agent, and then click Start.
c. Close the Services console.
Perform the following steps on the Istanbul computer.
Module F: ISA Server 2006 as Branch
Office Gateway
3. On the Paris computer, create a new access rule.
Name: Allow Web access (Branch)
Applies to: HTTP
From network: Internal
To network: External
a. On the Paris computer, on the Start menu, click
All Programs, click Microsoft ISA Server, and then click
ISA Server Management.
b. In the left pane, expand Paris, and then select
Firewall Policy.
c. In the right pane, select the first rule, or select Default rule if
no other rule exists, to indicate where the new rule is added to
the rule list.
d. In the task pane, on the Tasks tab, click Create Access Rule.
e. In the New Access Rule Wizard dialog box, in the
Access rule name text box, type
Allow Web access (Branch), and then click Next.
f. On the Rule Action page, select Allow, and then click Next.
g. On the Protocols page, in the This rule applies to list box,
select Selected protocols, and then click Add.
h. In the Add Protocols dialog box,
click Common Protocols, click HTTP, click Add,
and then click Close to close the Add Protocols dialog box.
i. On the Protocols page, click Next.
j. On the Access Rule Sources page, click Add.
k. In the Add Network Entities dialog box,
click Networks, click Internal, click Add,
and then click Close to close the Add Network Entities dialog
box.
l. On the Access Rule Sources page, click Next.
m. On the Access Rule Destinations page, click Add.
n. In the Add Network Entities dialog box,
click Networks, click External, click Add,
and then click Close to close the Add Network Entities dialog
box.
o. On the Access Rule Destinations page, click Next.
p. On the User Sets page, click Next.
q. On the Completing the New Access Rule Wizard page, click
Finish.
4. Apply the changes.
a. Click Apply to apply the new rule, and then click OK.
Perform the following steps on the Denver computer.
5. On the Denver computer, open the C:\Tools\Perfmon-received.msc console.
a. On the Denver computer, use Windows Explorer (or My
Computer) to open the C:\Tools folder.
b. In the Tools folder, right-click Perfmon-received.msc, and
then click Open.
c. Close the C:\Tools folder.
6. Use Internet Explorer to connect to http://istanbul.fabrikam.com/content.htm
a. Open Internet Explorer. In the Address box, type
http://istanbul.fabrikam.com/content.htm, and then press
Enter.
7. Examine the peak bytes received per second in the Performance console.
a. Switch to the Performance - Bytes Received console.
Perform the following steps on the Istanbul computer.
c. Close the IIS Manager console.
Perform the following steps on the Paris computer.
25. On the Paris computer, disable HTTP Compression.
a. On the Paris computer, in the ISA Server console, in the left
pane, select General.
b. In the right pane, click Define HTTP Compression
Preferences.
c. In the HTTP Compression dialog box, on the
Return Compressed Data tab, select Internal, and then click
Remove.
d. On the Request Compressed Data tab, select External, and
then click Remove.
e. Click OK to close the HTTP Compression dialog box.
f. Click Apply to apply the changes, and then click OK.
Perform the following steps on the Denver computer.
26. Close the Performance console and close Internet Explorer.
a. Close the Performance - Bytes Received console.
b. Close Internet Explorer.
10. On the Paris computer, stop the log viewer.
a. On the Paris computer, in the ISA Server console, in the left
pane, select Monitoring.
b. In the right pane, select the Logging tab.
c. In the task pane, on the Tasks tab, click Stop Query.
11. Add the Filter Information column to the list of displayed columns.
a. In the right pane, right-click the Log Time column header (or
another column header), and then click
Add/Remove Columns.
b. In the Add/Remove Columns dialog box, in the Available
columns list box, select Filter Information, and then click
Add.
c. In the Displayed columns list, select Filter Information, and
then click Move Up, so that the new column is not last in the
list.
d. Click OK to close the Add/Remove Columns dialog box.
12. Examine the contents of the Filter Information log field.
a. In the right pane, scroll the list of log field columns, so that you
can see the Filter Information column near the end of the list.
b. In the column headers, double-click the small line between the
Filter Information column, and the next column.
c. Scroll the list of log entries until you see text in the
Filter Information field.
Exercise 2: Remote Management and Role-based Administration
In this exercise, you will configure ISA Server to allow remote management.
You can connect remotely to manage ISA Server using the ISA Server console, or using a Remote
Desktop connection.
1. On the Florence computer, add the Denver computer (10.1.1.5) to the Enterprise Remote Management Computers computer set.
a. On the Florence computer, in the ISA Server console, in the
left pane, expand Enterprise, and then select
Enterprise Policies.
b. In the task pane, on the Toolbox tab, in the Network Objects
section, expand Computer Sets.
c. Right-click Enterprise Remote Management Computers,
and then click Properties.
d. In the Enterprise Remote Management Computers Properties
dialog box, click Add, and then click Computer.
e. In the New Computer Rule Element dialog box, complete the
following information:
Name: Denver
Computer IP Address: 10.1.1.5
and then click OK.
f. Click OK to close the Enterprise Remote Management
Computers Properties dialog box.
2. For the ITALY array, examine the Remote Management Computers computer set.
a. In the left pane, select Firewall Policy (ITALY).
b. In the task pane, on the Toolbox tab, in the Network Objects
section, expand Computer Sets.
c. Right-click Enterprise Remote Management Computers,
and then click Properties.
d. Click Cancel to close the Enterprise Remote Management
Computers Properties dialog box.
e. Right-click Remote Management Computers, and then click
Properties.
f. Click Cancel to close the Remote Management Computers
Properties dialog box.
3. Examine the system policy rules that are used by the remote management computers:
System policy rules: 2 - 3 - 4 - 11 - 20 - 32
a. In the task pane, on the Tasks tab, click
Show System Policy Rules.
b. In the System Policy Rules list, select system policy rule 2.
c. In the task pane, on the Tasks tab, click
Hide System Policy Rules.
4. Use System properties to enable remote desktop.
a. On the Start menu, click Control Panel, and then click
System.
b. In the System Properties dialog box, on the Remote tab, in
the Remote Desktop box, select Enable Remote Desktop
on this computer.
c. Click OK to acknowledge that remote connection accounts
must have passwords, and that the correct port must be open
for remote connections.
d. Click OK to close the System Properties dialog box.
5. Create a new user account.
Name: David
Password: Password2
Change password at next logon: disable
Member of: Remote Desktop Users
a. On the Start menu, click Administrative Tools, and then click
Computer Management.
b. In the Computer Management console, in the left pane,
expand Local Users and Groups, and then select Users.
c. Right-click Users, and then click New User.
d. In the New User dialog box, complete the following
information:
User name: David
Password: Password2
Confirm password: Password2
User must change password at next logon: disable
and then click Create.
e. Click Close to close the New User dialog box.
f. Right-click David, and then click Properties.
g. In the David Properties dialog box, on the Member Of tab,
click Add.
h. In the Select Groups dialog box, type
Remote Desktop Users, and then click OK.
i. Click OK to close the David Properties dialog box.
j. Close the Computer Management console.
Perform the following steps on the Firenze computer.
7. On the Florence computer, assign array administrative roles:
Array Administrator: FLORENCE\David
Mirrored monitor account: David
a. On the Florence computer, in the ISA Server console, in the
left pane, right-click ITALY, and then click Properties.
b. In the ITALY Properties dialog box, on the Assign Roles tab,
click the top Add button.
c. In the Administration Delegation dialog box, complete the
following information:
Group or User: FLORENCE\David
Role: ISA Server Array Administrator
and then click OK.
d. Click OK to acknowledge that you must assign this role to the
mirrored account.
e. Click the bottom Add button.
f. In the Administration Delegation dialog box, complete the
following information:
Group or User: David
Role: ISA Server Array Administrator
and then click OK.
g. Click OK to close the ITALY Properties dialog box.
8. Examine the enterprise administrative roles.
a. In the left pane, right-click Enterprise, and then click
Properties.
b. In the Enterprise Properties dialog box, select the
Assign Roles tab.
c. Click Cancel to close the Enterprise Properties dialog box.
9. Start the Array Status Monitor to quickly see the current CSS status.
File: C:\Tools\Status\ArrayStatus.hta
a. Use Windows Explorer (or My Computer) to open the
C:\Tools\Status folder.
b. In the Status folder, right-click ArrayStatus.hta, and then click
Open.
c. Close the Status folder.
10. Apply the changes.
a. Click Apply to save the changes, and then click OK. Use the
Array Status Monitor to wait until the CSS status is Synced.
Perform the following steps on the Denver computer.
11. On the Denver computer, use ISA Server console to connect to ITALY.
CSS: Florence
CSS credentials: David / Password2
Monitor credentials: David / Password2
a. On the Denver computer, on the Start menu, click
All Programs, click Microsoft ISA Server, and then click
ISA Server Management.
b. In the ISA Server console, in the left pane, select Microsoft
Internet Security and Acceleration Server 2006, and then in
the task pane, on the Tasks tab, click
Connect to Configuration Storage Server.
c. In the Configuration Storage Server Connection Wizard dialog
box, click Next.
d. On the Configuration Storage Server Location page, in the
On remote computer (remote management) text box, type
Florence, and then click Next.
e. On the Configuration Storage Server Credentials page,
complete the following information:
Credentials of the following user: enable
User name: David
Password: Password2
and then click Next.
f. On the Array Connection Credentials page, select
The same credentials used to connect to the
Configuration Storage Server, and then click Next.
g. On the Completing the Connection Wizard page, click Finish.
12. Attempt to create a new enterprise policy.
a. In the ISA Server console, in the left pane, expand
Enterprise.
b. Right-click Enterprise Policies, click New, and then click
Enterprise Policy.
c. Click OK to acknowledge that you do not have necessary
permissions.
13. Examine the services information for the array members.
a. In the left pane, expand Arrays.
b. Expand ITALY, and then select Monitoring.
c. In the right pane, select the Services tab.
14. Disconnect from the enterprise, and close the ISA Server console.
a. In the left pane, select Microsoft Internet Security and
Acceleration Server 2006.
b. In the task pane, on the Tasks tab, click
Disconnect from Enterprise.
c. Click Yes to confirm that you want to disconnect from the
enterprise.
d. Close the ISA Server console.
15. Create a remote desktop connection to Florence.
Log on:
- User name: David
- Password: Password2
a. On the Start menu, click All Programs, click Accessories,
click Communications, and then click
Remote Desktop Connection.
b. In the Remote Desktop Connection dialog box, in the
Computer text box, type Florence, and then click Connect.
c. In the Log On to Windows dialog box, complete the following
information:
User name: David
Password: Password2
and then click OK.
16. Use the ISA Server console to examine the permissions of David.
a. On the Start menu, click All Programs, click
Microsoft ISA Server, and then click
ISA Server Management.
b. In the ISA Server console, expand Arrays.
c. Expand ITALY, and then select Monitoring.
d. In the right pane, select the Services tab.
e. Close the ISA Server console.
17. Log off from the remote desktop connection.
a. On the Start menu, click Log Off.
b. Click Log Off to confirm that you want to log off.
Perform the following steps on the Florence computer.
18. On the Florence computer, use System properties to disable remote desktop.
a. On the Florence computer, on the Start menu, click
Control Panel, and then click System.
b. In the System Properties dialog box, on the Remote tab, in
the Remote Desktop box, CLEAR the Enable Remote
Desktop on this computer check box.
c. Click OK to close the System Properties dialog box.
Exercise 3: Working with Configuration Storage Servers (Optional)
In this exercise, you will examine details on how ISA Server uses a Configuration Storage server
(CSS) to save configuration data.
6. Apply the changes and restart the Firewall service.
a. In the ISA Server console, click Apply to save the changes.
b. In the ISA Server Warning dialog box, CHANGE the current
selection, and select
Save the changes and restart the services, and then click
OK.
c. Click OK to close the Saving Configuration Changes dialog
box.
d. Use the Array Status Monitor to wait until the CSS status is
Synced, and the NLB status is Running. This may take 5 to
10 minutes.
h. Click Apply to apply the changes, and then click OK. Wait
until the CSS status is Synced, and the NLB status is
Running.
14. Refresh the ISA Server console, so that the new virtual IP address is shown in the user interface.
a. In the left pane, right-click Firewall Policy (ITALY), and then
click Refresh.
15. Create a new Web listener.
Name: External Web 80 NLB
SSL: disable
Network: External - 39.1.1.3
Compression: disable
Authentication: none
a. In the left pane, select Firewall Policy (ITALY).
b. In the task pane, on the Toolbox tab, in the Network Objects
section, right-click Web Listeners, and then click
New Web Listener.
c. In the New Web Listener Definition Wizard dialog box, in the
Web listener name text box, type External Web 80 NLB, and
then click Next.
d. On the Client Connection Security page, select
Do not require SSL secured connections with clients, and
then click Next.
e. On the Web Listener IP Addresses page, select the External
check box, and then click Select IP Addresses.
f. In the External Network Listener IP Selection dialog box,
select the Specified IP addresses option, and then in the
Available IP Addresses list, select 39.1.1.3, and click Add.
g. Click OK to close the External Network Listener IP Selection
dialog box.
h. On the Web Listener IP Addresses page, clear
ISA Server will compress content, and then click Next.
i. On the Authentication Settings page, in the drop-down list box,
select No Authentication, and then click Next.
j. On the Single Sign On Settings page, click Next.
k. On the Completing the New Web Listener Wizard page, click
Finish.
16. Create a Web publishing rule.
Name: Web Home Page NLB
Publishing type: single Web site
Internal site name: denver.contoso.com
Public name: shop.contoso.com
Web listener: External Web 80 NLB
Delegation: none
a. In the right pane, select the first rule in the
Firewall Policy Rules list to indicate where the new rule is
added to the rule list.
b. In the task pane, on the Tasks tab, click Publish Web Sites.
c. In the New Web Publishing Rule Wizard dialog box, in the
Web publishing rule name text box, type
Web Home Page NLB, and then click Next.
d. On the Select Rule Action page, select Allow, and then click
Next.
e. On the Publishing Type page, select Publish a single Web
site, and then click Next.
f. On the Server Connection Security page, select Use
non-secured connections to connect to the published
Web server, and then click Next.
g. On the Internal Publishing Details page, complete the
following information:
Internal site name: denver.contoso.com
Use a computer name or IP address: disable (is default)
and then click Next.
h. On the next Internal Publishing Details page, complete the
following information:
Path: (leave empty)
Forward the original host header: disable (is default)
and then click Next.
i. On the Public Name Details page, complete the following
information:
Accept requests for: This domain name (type below):
Public name: shop.contoso.com
Path: (leave empty)
and then click Next.
j. On the Select Web Listener page, in the Web listener
drop-down list box, select External Web 80 NLB, and then
click Next.
k. On the Authentication Delegation page, select No delegation,
and client cannot authenticate directly, and then click Next.
l. On the User Sets page, click Next.
m. On the Completing the New Web Publishing Rule Wizard
page, click Finish.
n. Click Apply to apply the new rule, and then click OK. Wait
until the CSS status is Synced, and the NLB status is
Running.
Perform the following steps on the Istanbul computer.
17. On the Istanbul computer, verify the IP address of the shop.contoso.com, and then connect to http://shop.contoso.com/web.asp
a. On the Istanbul computer, open a Command Prompt window.
b. At the command prompt, type ping shop.contoso.com, and
press Enter.
c. Open Internet Explorer. In the Address box, type
http://shop.contoso.com/web.asp, and then press Enter.
d. Close Internet Explorer.
(Step 1)
23. Disable NLB on all networks.
Networks:
Internal
External
(Step 2)
a. In the left pane, select Networks, and in the right pane, select
the Networks tab.
b. In the task pane, on the Tasks tab, click
Configure Load Balanced Networks.
c. In the Network Load Balancing Wizard dialog box, click Next.
d. On the Select Load Balanced Networks page, clear the check
boxes of all networks, and then click Next.
e. On the Completing the Load Balanced Networks Wizard page,
click Finish.
24. Apply the changes.
(Step 3)
a. Click Apply to save the changes, and then click OK. Wait until
the CSS status is Synced, and the NLB status is Not
configured.
25. Use nlb query, and ipconfig /all to examine the network configuration.
a. In a Command Prompt window, type nlb query, and then
press Enter.
b. At the command prompt, type ipconfig /all, and then press
Enter.
c. Close the Command Prompt window.
26. Disable NLB integration.
Apply the changes and restart the Firewall service.
(Step 4)
a. In the ISA Server console, in the left pane, select Networks,
and in the right pane, select the Networks tab.
b. In the task pane, on the Tasks tab, click
Disable Network Load Balancing Integration.
c. Click OK to confirm that you want to disable NLB integration.
d. In the left pane, select Monitoring, and in the right pane,
select the Services tab.
e. Click Apply to save the changes.
f. In the ISA Server Warning dialog box, CHANGE the current
selection, and select
Save the changes and restart the services, and then click
OK.
g. Click OK to close the Saving Configuration Changes dialog
box.
h. Wait until the CSS status is Synced.
Perform the following steps on the Denver computer.
27. On the Denver computer, configure Internet Explorer to use proxy server 10.1.1.1:8080, and change the default gateway to 10.1.1.1.
a. On the Denver computer, in Internet Explorer, on the Tools
menu, click Internet Options.
b. In the Internet Options dialog box, on the Connections tab,
click LAN Settings.
c. In the Local Area Network (LAN) Settings dialog box,
complete the following information:
Use a proxy server for your LAN: enable
Address: 10.1.1.1
Port: 8080
Bypass proxy server for local addresses: enable
and then click OK.
d. Click OK to close the Internet Options dialog box.
e. Close Internet Explorer.
f. On the Start menu, click Control Panel, click
Network Connections, right-click Local Area Connection,
and then click Properties.
g. In the Local Area Connection Properties dialog box, select
Internet Protocol (TCP/IP) (do NOT clear the check box), and
then click Properties.
h. In the Internet Protocol (TCP/IP) Properties dialog box,
complete the following information:
Default gateway: 10.1.1.1
and then click OK.
i. Click Close to close the Local Area Connection Properties
dialog box.
You will also explore the CARP algorithm in the automatic configuration script that is used by Internet
Explorer.
1. On the Florence computer, verify that ISA Server listens for Web Proxy client requests on the Internal network.
a. On the Florence computer, in the ISA Server console, in the
left pane, select Networks.
b. In the right pane, on the Networks tab, right-click Internal,
and then click Properties.
c. In the Internal Properties dialog box, on the Web Proxy tab,
ensure that
Enable Web Proxy client connections on this network is
enabled, and that HTTP port is 8080.
d. Select the CARP tab. (Do NOT enable CARP).
e. Click OK to close the Internal Properties dialog box.
2. Create a new access rule.
Name: Allow Web access (CARP)
Applies to: HTTP
From network: Internal
To network: External
a. In the left pane, select Firewall Policy (ITALY).
b. In the right pane, select the first rule in the Firewall Policy
Rules list, or select Default rule if no other rule exists, to
indicate where the new rule is added to the rule list.
c. In the task pane, on the Tasks tab, click Create Access Rule.
d. In the New Access Rule Wizard dialog box, in the
Access rule name text box, type
Allow Web access (CARP), and then click Next.
e. On the Rule Action page, select Allow, and then click Next.
f. On the Protocols page, in the This rule applies to list box,
select Selected protocols, and then click Add.
g. In the Add Protocols dialog box,
click Common Protocols, click HTTP, and click Add,
and then click Close to close the Add Protocols dialog box.
h. On the Protocols page, click Next.
i. On the Access Rule Sources page, click Add.
j. In the Add Network Entities dialog box,
click Networks, click Internal, click Add,
and then click Close to close the Add Network Entities dialog
box.
k. On the Access Rule Sources page, click Next.
l. On the Access Rule Destinations page, click Add.
m. In the Add Network Entities dialog box,
click Networks, click External, click Add,
and then click Close to close the Add Network Entities dialog
box.
n. On the Access Rule Destinations page, click Next.
o. On the User Sets page, click Next.
p. On the Completing the New Access Rule Wizard page, click
Finish.
q. Click Apply to apply the new rule, and then click OK. Wait
until the CSS status is Synced.
Perform the following steps on the Denver computer.
4. On the Florence computer, enable caching and configure cache settings and cache rules.
(Step 1)
a. On the Florence computer, in the ISA Server console, in the
left pane, select Cache.
b. In the right pane, on the Cache Drives tab, select Florence.
c. In the task pane, on the Tasks tab, click
Define Cache Drives (Enable Caching).
d. Click Cancel to close the Florence Properties dialog box.
e. Select the Cache Rules tab.
f. In the task pane, on the Tasks tab, click
Configure Cache Settings.
g. In the Cache Settings dialog box, select the Advanced tab.
h. Click Cancel to close the Cache Settings dialog box.
i. In the right pane, right-click Default rule, and then click
Properties.
j. Click Cancel to close the Default rule Properties dialog box.
5. Create a new domain name set for CARP exceptions:
Name: CARP Exception Web Sites
Computer: download.contoso.com
a. In the left pane, select Firewall Policy (ITALY).
b. In the task pane, on the Toolbox tab, in the Network Objects
section, right-click Domain Name Sets, and then click
New Domain Name Set.
c. In the New Domain Name Set Policy Element dialog box, in
the Name text box, type CARP Exception Web Sites, and
then click Add.
d. In the New Domain text box, replace the text by typing
download.contoso.com, and then press Enter.
e. Click OK to close the New Domain Name Set Policy Element
dialog box.
6. Enable CARP on the Internal network.
Add the new domain name set as CARP exceptions.
(Step 2)
a. In the left pane, select Networks.
b. In the right pane, on the Networks tab, right-click Internal,
and then click Properties.
c. In the Internal Properties dialog box, on the CARP tab, select
Enable CARP on this network.
d. In the CARP Exceptions box, click Add.
e. In the Add Domain Name Sets dialog box,
click CARP Exception Web Sites, and click Add,
and then click Close to close the Add Domain Name Sets
dialog box.
f. Select the NLB tab.
g. Click OK to close the Internal Properties dialog box.
7. Configure a CARP load factor for each array member.
(Step 3)
a. In the left pane, select Servers.
b. In the right pane, right-click Florence, and then click
Properties.
c. In the Florence Properties tab, select the CARP tab.
8. Configure the network used for intra-array communication (Perimeter) to listen for Web Proxy client requests.
(Step 4)
a. In the Florence Properties dialog box, select the
Communication tab.
b. Click Cancel to close the Florence Properties dialog box.
c. In the left pane, select Networks.
d. In the right pane, on the Networks tab, right-click Perimeter,
and then click Properties.
e. In the Perimeter Properties dialog box, on the Web Proxy tab,
complete the following information:
Enable Web Proxy clients: enable
Enable HTTP: enable (is default)
HTTP port: 8080 (is default)
Enable SSL: disable (is default)
and then click OK.
9. Apply the changes.
a. Click Apply to apply the changes, and then click OK. Wait
until the CSS status is Synced.
Perform the following steps on the Denver computer.
10. On the Denver computer, refresh the Web page http://istanbul.fabrikam.com/web.asp
a. On the Denver computer, in Internet Explorer, on the toolbar,
click the Refresh button.
11. On the Florence computer, examine the URL of the CARP calculation script.
a. On the Florence computer, in the ISA Server console, in the
left pane, select Networks.
b. In the right pane, on the Networks tab, right-click Internal,
and then click Properties.
c. In the Internal Properties dialog box, select the Firewall Client
tab.
d. Select the Web Browser tab.
e. Click Cancel to close the Internal Properties dialog box.
Perform the following steps on the Denver computer.
12. On the Denver computer, configure Internet Explorer to use an automatic configuration script.
Address: http://10.1.1.1:8080/array.dll?Get.Routing.Script
a. On the Denver computer, in Internet Explorer, on the Tools
menu, click Internet Options.
b. In the Internet Options dialog box, on the Connections tab,
click LAN Settings.
c. In the Local Area Network (LAN) Settings dialog box, in the
Automatic configuration box, complete the following
information:
Use automatic configuration script: enable
Address:
http://10.1.1.1:8080/array.dll?Get.Routing.Script
and then click OK.
d. Click OK to close the Internet Options dialog box.
13. Refresh the Web page http://istanbul.fabrikam.com/web.asp and connect to http://ankara.fabrikam.com/web.asp
Use configuration script.
a. On the toolbar, click the Refresh button.
b. In the Address box, type
http://ankara.fabrikam.com/web.asp, and then press Enter.
c. Close Internet Explorer.
14. Use Internet Explorer to save a copy of the configuration script to C:\Tools\array.Script.txt
a. Open Internet Explorer. In the Address box, type
http://10.1.1.1:8080/array.dll?Get.Routing.Script, and then
press Enter.
b. In the File Download dialog box, click Save.
c. In the Save As dialog box, browse to the C:\Tools folder, and
then in the File name text box, type array.Script.txt, and click
Save.
15. Examine the contents of C:\Tools\array.Script.txt in Notepad.
a. Use Windows Explorer (or My Computer) to open the
C:\Tools folder.
b. In the Tools folder, right-click array.Script.txt, and then click
Open.
c. Scroll to the end of the script.
d. Close Notepad.
e. Close the Tools folder.
16. Use C:\Tools\carpdemo.js to calculate the selected proxy server for:
istanbul.fabrikam.com/web.asp
istanbul.fabrikam.com/<yourname>
ankara.fabrikam.com
izmir
a. Open a Command Prompt window.
b. At the command prompt, type cd \tools, and then press Enter.
c. Type dir, and then press Enter.
d. Type carpdemo istanbul.fabrikam.com/web.asp, and then press Enter.
e. Click OK. Type carpdemo istanbul.fabrikam.com/yourname (replace yourname by your own name), and then press Enter.
f. Click OK. Type carpdemo ankara.fabrikam.com, and then press Enter.
g. Click OK. Type carpdemo izmir, and then press Enter.
h. Click OK to close the CARP Routing Script demo message box.
i. Close the Command Prompt window.
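Step 16 uses carpdemo.js to show which array member each URL is routed to. The sketch below is an added illustration, not the lab's carpdemo.js and not the script ISA Server returns: it shows highest-score selection of the kind CARP uses, and why removing one member only remaps the URLs that member owned. The member names and the hash mixing are assumptions.

```javascript
// Added illustration: highest-score (CARP-style) proxy selection.
// The mixing function is a stand-in, NOT ISA Server's actual hash.
const rotl = (x, n) => ((x << n) | (x >>> (32 - n))) >>> 0;

// 32-bit rolling hash over a lower-cased string.
function hashString(s) {
  let h = 0;
  for (const ch of s.toLowerCase()) {
    h = (h + rotl(h, 19) + ch.charCodeAt(0)) >>> 0;
  }
  return h;
}

// Combine the URL hash with one member's hash into a score.
function score(urlHash, member) {
  let c = (urlHash ^ hashString(member)) >>> 0;
  c = (c + Math.imul(c, 0x62531965)) >>> 0;
  return rotl(c, 21);
}

// Every client computes the same winner: the member with the highest score.
function selectProxy(url, members) {
  if (members.length === 0) throw new Error("no array members");
  const u = hashString(url);
  let best = members[0];
  let bestScore = -1;
  for (const m of members) {
    const s = score(u, m);
    if (s > bestScore) { best = m; bestScore = s; }
  }
  return best;
}

// URLs whose selected member differs between two member lists.
function remapped(urls, before, after) {
  return urls.filter((u) => selectProxy(u, before) !== selectProxy(u, after));
}

// Constructed sample input: URLs from step 16, hypothetical member names.
const urls = ["istanbul.fabrikam.com/web.asp", "ankara.fabrikam.com", "izmir"];
const members = ["proxy-a", "proxy-b", "proxy-c"];
for (const u of urls) console.log(u, "->", selectProxy(u, members));
```
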
18. On the Florence computer, disable CARP on the Internal network.
a. On the Florence computer, in the ISA Server console, in the left pane, select Networks.
b. In the right pane, on the Networks tab, right-click Internal, and then click Properties.
c. In the Internal Properties dialog box, on the CARP tab, CLEAR the Enable CARP on this network check box.
d. Click OK to close the Internal Properties dialog box.
e. Click Apply to save the changes, and then click OK. Wait until the CSS status is Synced.
and
ankara.fabrikam.com
economy.htm
Perform the following steps on the Florence computer.
12. On the Florence computer, start the log viewer.
a. On the Florence computer, in the ISA Server console, in the left pane, select Monitoring, and in the right pane select the Logging tab.
b. In the task pane, on the Tasks tab, click Start Query.
13. Start the Fabrikam News Site content download job now.
a. In the left pane, select Cache, and in the right-pane select the Content Download Jobs tab.
b. In the right pane, select the Fabrikam News Site job.
c. In the task pane, on the Tasks tab, click Start Selected Jobs Now.
d. After a few seconds, on the Tasks tab, click Refresh Now.
14. Stop the log viewer, and examine the Web Proxy log entries.
a. In the left pane, select Monitoring, and in the right pane select the Logging tab.
b. After a few seconds, in the task pane, on the Tasks tab, click Stop Query.
15. Edit the log viewer filter:
Log Record Type: Firewall or Web Proxy Filter
a. In the left pane, select Monitoring, and then in the right-pane, select the Logging tab.
b. In the task pane, on the Tasks tab, click Edit Filter.
c. In the Edit Filter dialog box, in the conditions list, select the existing Log Record Type condition.
d. In the Value list box, select Firewall or Web Proxy Filter, and then click Update.
e. Click Start Query to close the Edit Filter dialog box.
f. On the Tasks tab, click Stop Query.
16. Delete the Fabrikam News Site content download job.
a. In the left pane, select Cache.
b. In the right pane, on the Content Download Jobs tab, right-click the Fabrikam News Site job, and then click Delete.
c. Click Yes to confirm that you want to delete the Fabrikam News Site job.
d. Wait until the CSS status is Synced.
17. Disable Web Proxy clients and CARP on the Local Host network.
a. In the left pane, select Networks.
b. In the right pane, on the Networks tab, right-click Local Host, and then click Properties.
c. In the Local Host Properties dialog box, on the Web Proxy tab, CLEAR the Enable Web Proxy clients check box.
d. On the CARP tab, CLEAR the Enable CARP on this network check box.
e. Click OK to close the Local Host Properties dialog box.
18. Disable Web Proxy clients on the network used for intra-array communication (Perimeter).
a. On the Networks tab, right-click Perimeter, and then click Properties.
b. In the Perimeter Properties dialog box, on the Web Proxy tab, CLEAR the Enable Web Proxy clients check box.
c. Click OK to close the Perimeter Properties dialog box.
19. Disable system policy rule 29.
a. In the left pane, select Firewall Policy (ITALY).
b. In the task pane, on the Tasks tab, click Show System Policy Rules.
c. In the right pane, right-click system policy rule 29, and then click Edit System Policy.
d. In the System Policy Editor dialog box, in the Configuration Groups list, ensure that Scheduled Download Jobs is selected, and then CLEAR the Enable check box.
e. Click OK to close the System Policy Editor dialog box.
1. On the Paris computer, examine the alert definition for the Service Shutdown event.
a. On the Paris computer, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.
b. In the ISA Server console, in the left pane, expand Paris, and then select Monitoring.
c. In the right pane, select the Dashboard tab.
d. Select the Alerts tab.
e. In the task pane, on the Tasks tab, click Configure Alert Definitions.
f. In the Alert Properties dialog box, select the Service Shutdown line (do not clear the check box for Service Shutdown), and then click Edit.
g. In the Service Shutdown Properties dialog box, select the Events tab.
h. Select the Actions tab.
i. Click Cancel to close the Service Shutdown Properties dialog box.
j. Click Cancel to close the Alerts Properties dialog box.
2. Use the Services console to stop the Microsoft ISA Server Job Scheduler service to simulate an unexpected shutdown of the service.
a. On the Start menu, click Administrative Tools, and then click Services.
b. In the Services console, in the right pane, right-click Microsoft ISA Server Job Scheduler service, and then click Stop.
c. Close the Services console.
3. Examine how an alert shows up on the Alerts tab, and the Dashboard tab.
a. In the ISA Server console, on the Alerts tab, wait for 30 seconds for the new alert (Service Shutdown) to show up, or in the task pane, on the Tasks tab, click Refresh Now.
b. Select the Dashboard tab. Wait for 30 seconds, or in the task pane, on the Tasks tab, click Refresh Now.
4. Investigate the Service Shutdown alert and resolve the issue by starting the ISA Server Job Scheduler service on the Services tab.
a. On the Dashboard tab, click the heading of the Alerts summary box to return to the Alerts tab.
b. On the Alerts tab, select the Service Shutdown alert, and then expand the Service Shutdown alert.
c. Select the second Service Shutdown alert line.
d. In the task pane, on the Tasks tab, click Acknowledge Selected Alerts.
e. Select the Services tab, and then in the task pane, on the Tasks tab, click Refresh Now.
f. In the right pane, select Microsoft ISA Server Job Scheduler, and then in the task pane, on the Tasks tab, click Start Selected Service.
g. On the Alerts tab, select the second acknowledged Service Shutdown alert line.
h. In the task pane, on the Tasks tab, click Reset Selected Alerts.
i. Click Yes to confirm that you want to reset Service Shutdown.
5. Examine the intrusion detection options.
a. In the ISA Server console, in the left pane, expand Configuration, and then select General.
b. In the right pane, click Enable Intrusion Detection and DNS Attack Detection.
c. Click Cancel to close the dialog box.
6. Examine the performance monitoring options.
a. On the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Performance Monitor.
b. Close the ISA Server Performance Monitor console.
c. If a message box appears, click No to confirm that you do not want to save console settings to msisaprf.msc.
1. On the Paris computer, create two new connectivity verifiers:
Name: Istanbul (ping)
Server: 39.1.1.7
Method: Ping
Name: Istanbul (http)
Server: 39.1.1.7
Method: HTTP "GET"
a. On the Paris computer, in the ISA Server console, in the left pane, select Monitoring.
b. In the right pane, select the Connectivity Verifiers tab.
c. In the task pane, on the Tasks tab, click Create New Connectivity Verifier.
d. In the New Connectivity Verifier Wizard dialog box, in the Connectivity Verifier name text box, type Istanbul (ping), and then click Next.
e. On the Connectivity Verification Details, complete the following information:
Monitor connectivity to this server or URL: 39.1.1.7
Group type used to categorize: Web (Internet)
Verification method: Send a Ping request
and then click Next.
f. On the Completing the Connectivity Verifier Wizard page, click Finish.
g. In the task pane, on the Tasks tab, click Create New Connectivity Verifier.
h. In the New Connectivity Verifier Wizard dialog box, in the Connectivity Verifier name text box, type Istanbul (http), and then click Next.
i. On the Connectivity Verification Details, complete the following information:
Monitor connectivity to this server or URL: 39.1.1.7
Group type used to categorize: Web (Internet)
Verification method: Send an HTTP "GET" request
and then click Next.
j. On the Completing the Connectivity Verifier Wizard page, click Finish.
k. If the Enable HTTP Connectivity Verification message box appears, click Yes to confirm that a system policy rule is enabled.
2. Examine the System policy rules used by the connectivity verifiers.
a. In the left pane, select Firewall Policy.
b. In the task pane, on the Tasks tab, click Show System Policy Rules.
6. On the Paris computer, wait for the failure state of the Istanbul (http) connectivity verifier.
a. On the Paris computer, on the Connectivity Verifiers tab, wait one minute, and then in the task pane, on the Tasks tab, click Refresh Now.
Perform the following steps on the Istanbul computer.
7. On the Istanbul computer, start the Default Web Site again.
a. On the Istanbul computer, in the IIS Manager console, right-click Default Web Site (Stopped), and then click Start.
b. Close the IIS Manager console.
Perform the following steps on the Paris computer.
8. On the Paris computer, wait for the success state of the Istanbul (http) connectivity verifier.
a. On the Paris computer, on the Connectivity Verifiers tab, wait one minute, and then in the task pane, on the Tasks tab, click Refresh Now.
9. Delete the two connectivity verifiers for Istanbul.
a. Right-click the Istanbul (http) connectivity verifier, and then click Delete.
b. Click Yes to confirm that you want to delete the connectivity verifier.
c. Right-click the Istanbul (ping) connectivity verifier, and then click Delete.
d. Click Yes to confirm that you want to delete the connectivity verifier.
e. Click Apply to save the changes, and then click OK.
Exercise 3: Logging Client Computer Access
In this exercise, you will explore the logging functions of ISA Server.