
ISA Server 2006

Lab Manual
Lab Summary
There are nine modules in this lab. You can complete each of these lab modules independently of the other modules.
- The monitor icons in the Den, Par, Flo, Fir and Ist columns indicate which virtual machines (Denver, Paris, Florence, Firenze, Istanbul) are needed.
- The 06 code indicates exercises that are specific to ISA Server 2006.
- The EE code indicates exercises that are specific to ISA Server Enterprise Edition.
- The up arrow indicates exercises that depend on the previous exercise.

Contents
Lab Summary
Module A: Introduction to ISA Server
  Exercise 1 Exploring the User Interface
  Exercise 2 Ease of Use: Multiple Networks
  Exercise 3 Ease of Use: Single Rule Base
  Exercise 4 Ease of Use: Monitoring
Module B: Configuring Outbound Internet Access
  Exercise 1 Allowing Outbound Web Access from Client Computers
  Exercise 2 Enabling the Use of the Ping command from Client Computers
  06 Exercise 3 Allowing Outbound Access from the ISA Server
  Exercise 4 Configuring ISA Server 2006 for Flood Resiliency
Module C: Publishing Web Servers and Other Servers
  Exercise 1 Publishing a Web Server in the Internal Network
  Exercise 2 Publishing the Web Server on the ISA Server Computer
  06 Exercise 3 Performing Link Translation on a Published Web Server
  06 Exercise 4 Using Cross-Site Link Translation to Publish SharePoint Server
  Exercise 5 Publishing a Web Farm for Load Balancing
  Exercise 6 Publishing Multiple Terminal Servers
06 Module D: Publishing an Exchange Server
  Exercise 1 Publishing Exchange Web Access - Certificate Management
  Exercise 2 Publishing an Exchange Server for SMTP and POP3
  Exercise 3 Publishing an Exchange Server for Outlook (RPC)
  Exercise 4 Publishing an Exchange Server for RPC over HTTP
Module E: Enabling VPN Connections
  Exercise 1 Configuring ISA Server to Accept Incoming VPN Connections
  Exercise 2 Configuring a Client Computer to Establish a VPN Connection
  Exercise 3 Allowing Internal Network Access for VPN Clients
  Exercise 4 Configuring VPN Quarantine on ISA Server
  06 Exercise 5 Creating and Distributing a Connection Manager Profile
  Exercise 6 Using VPN Quarantine on the Client Computer
06 Module F: ISA Server 2006 as Branch Office Gateway
  06 Exercise 1 Configuring HTTP Compression to Reduce Bandwidth Usage
  EE Exercise 2 Configuring ISA Server to Cache BITS Content
  EE Exercise 3 Configuring DiffServ Settings to Prioritize Network Traffic
EE Module G: Enterprise Management of ISA Servers
  Exercise 1 Enterprise Policies and Array Policies
  EE Exercise 2 Remote Management and Role-based Administration
  EE Exercise 3 Working with Configuration Storage Servers (Optional)
EE Module H: Configuring Load Balancing
  EE Exercise 1 Configuring Network Load Balancing (NLB)
  Exercise 2 Examining Details on NLB
  Exercise 3 Using CARP to Distribute Cache Content
  Exercise 4 Using CARP and Scheduled Content Download Jobs
Module I: Using Monitoring, Alerting and Logging
  Exercise 1 Monitoring the ISA Server
  Exercise 2 Checking Connectivity from the ISA Server
  Exercise 3 Logging Client Computer Access
Lab Setup

To complete each lab module, you need to review the following:


Virtual PC
This lab makes use of Microsoft Virtual PC 2004, an application that allows you to run multiple virtual computers on the same physical hardware. During the lab you will switch between different windows, each of which contains a separate virtual machine running Windows Server 2003.
Before you start the lab, familiarize yourself with the following basics of Virtual PC:
- To issue the Ctrl-Alt-Del keyboard combination inside a virtual machine, use <right>Alt-Del instead.
- To enlarge the size of the virtual machine window, drag the bottom right corner of the window.
- To switch to full-screen mode, and to return from full-screen mode, press <right>Alt-Enter.

Lab Computers
The lab uses five computers in virtual machines.

Denver.contoso.com (green) is the domain controller for the contoso.com domain on the Internal network. Denver runs DNS, RADIUS, Exchange 2003 SP1 and SharePoint Services 2.0, and is also the Certification Authority (CA).
Istanbul.fabrikam.com (purple) is a Web server and client computer on the External network (Internet). Istanbul runs Outlook 2003. Istanbul is not a member of a domain.
Paris (red) runs ISA Server 2006 Standard Edition. Paris has three network adapters, which connect to the Internal network, the Perimeter network and the External network (Internet). The Perimeter network is not used in this lab.
Florence (red) and Firenze (red) run ISA Server 2006 Enterprise Edition. Both computers have three network adapters. Florence and Firenze are in an array named Italy. Only Florence runs the Configuration Storage server (CSS).

The computers cannot communicate with the host computer.
To allow you to examine and understand the traffic on the network, Microsoft Network Monitor 5.2, which is part of Windows Server 2003, is installed in each virtual machine.

To start the lab


Before you can do any of the lab modules, you need to start the virtual
machines, and then you need to log on to the computers.
In each exercise you only have to start the virtual machines that are needed.

To start any virtual machine:


1. On the desktop, double-click the shortcut Open ISA 2006 Lab Folder.
2. In the lab folder, double-click any of the Start computer scripts.
(For example: double-click Start Paris to start the Paris computer.)
3. When the logon dialog box has appeared, log on to the computer.

To log on to a computer in a virtual machine:


1. Press <right>Alt-Del (instead of Ctrl-Alt-Del) to open the logon dialog box.
2. Type the following information:
 User name: Administrator
 Password: password
and then click OK.
3. You can now start with the exercises in this lab manual.

Enjoy the lab!

Comments and feedback


Please send any comments, feedback or corrections regarding the virtual
machines or the lab manual to:
Module A: Introduction to ISA Server

Exercise 1: Exploring the User Interface

In this exercise, you will explore the user interface of ISA Server.

Note that the steps in this exercise and the other exercises in this module do not enable, configure or test the functionality of ISA Server. In later modules, the functionality is configured and used in scenarios.

Perform the following steps on the Paris computer.

1. On the Paris computer, explore the task pane.
   a. On the Paris computer, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.
   b. In the ISA Server console, in the left pane, expand Paris, expand Configuration, and then select Add-ins.
   c. Drag the vertical divider between the tree pane (left) and the details pane to make the details pane area larger or smaller.
   d. On the vertical divider between the details pane and the task pane, click the arrow button.
   e. Click the arrow button again.
   f. Ensure that in the left pane the Add-ins node is selected, and then in the right pane, on the Web Filters tab, select (for example) RADIUS Authentication Filter.
   g. In the right pane, right-click RADIUS Authentication Filter.
   h. In the task pane, select the Help tab.
   i. In the task pane, select the Tasks tab.

The following task is related to the use of Virtual PC.

2. Explore how you can make the Virtual PC window larger, or switch to full-screen mode.
   a. Drag the bottom right corner of the Paris window to make the window larger or smaller.
   b. Press the Ctrl key, and then drag the bottom right corner of the Virtual PC window to snap the window size to standard resolutions, such as 800x600.
   c. Press <right>Alt-Enter.
   d. If a warning message box appears, click Continue to confirm that you can press <right>Alt-Enter again to return from full-screen mode.
   e. Press <right>Alt-Enter again to return from full-screen mode.

3. Explore the main nodes in the ISA Server console: Configuration, Networks, Firewall Policy and Monitoring.
   a. In the ISA Server console, in the left pane, select Configuration.
   b. In the left pane, select Networks.
   c. In the left pane, select Firewall Policy.
   d. If the task pane is closed, click the arrow button to open the task pane.
   e. In the task pane, on the Toolbox tab, click the Protocols heading, and then click Common Protocols.
   f. In the task pane, on the Toolbox tab, click the Users heading, and then click New.
   g. Click Cancel to close the New User Set Wizard.
   h. In the left pane, select Monitoring.
   i. On the Dashboard tab, click the Sessions summary box header.

4. Explore the Export and Import configuration commands.
   a. In the ISA Server console, in the left pane, right-click Paris.

Exercise 2: Ease of Use: Multiple Networks

In this exercise, you will explore how ISA Server uses multiple networks.

Perform the following steps on the Paris computer.

1. On the Paris computer, explore how ISA Server uses multiple networks with IP address ranges, instead of the concept of a Local Address Table (LAT).
   a. On the Paris computer, in the ISA Server console, in the left pane, expand Paris, expand Configuration, and then select Networks.
   b. In the right pane, on the (lower) Networks tab, right-click Internal, and then click Properties.
   c. In the Internal Properties dialog box, select the Addresses tab.
   d. Click Cancel to close the Internal Properties dialog box.
   e. On the Network Sets tab, right-click All Protected Networks, and then click Properties.
   f. In the All Protected Networks Properties dialog box, select the Networks tab.
   g. Click Cancel to close the All Protected Networks Properties dialog box.
   h. On the Start menu, click Control Panel, and then click Network Connections.
   i. Click the Start button again to close the Start menu.

2. Explore how Network Rules define Network Address Translation (NAT) or routing of IP packets between networks. For demonstration purposes, create and discard a new network rule.
   a. In the ISA Server console, in the left pane, ensure that Networks is selected.
   b. In the right pane, select the Network Rules tab.
   c. In the task pane, on the Tasks tab, click Create a Network Rule.
   d. In the New Network Rule Wizard dialog box, in the Network rule name text box, type VPN Perimeter Access, and then click Next.
   e. On the Network Traffic Sources page, click Add.
   f. In the Add Network Entities dialog box, click Networks, click VPN Clients, and click Add, and then click Close to close the Add Network Entities dialog box.
   g. On the Network Traffic Sources page, click Next.
   h. On the Network Traffic Destinations page, click Add.
   i. In the Add Network Entities dialog box, click Networks, click Perimeter, and click Add, and then click Close to close the Add Network Entities dialog box.
   j. On the Network Traffic Destinations page, click Next.
   k. On the Network Relationship page, select Route, and then click Next.
   l. On the Completing the New Network Rule Wizard page, click Finish.
   m. At the top of the right pane, click Discard to remove the unsaved changes, such as the new VPN Perimeter Access rule.
   n. Click Yes to confirm that you want to discard the changes.

3. Explore how network templates are used to configure network rules and firewall policy rules.
   a. In the ISA Server console, in the left pane, ensure that Networks is selected.
   b. In the task pane, select the Templates tab.
   c. On the Templates tab, click 3-Leg Perimeter.
   d. In the Network Template Wizard dialog box, click Next.
   e. On the Export the ISA Server Configuration page, click Next.
   f. On the Internal Network IP Addresses page, click Next.
   g. On the Perimeter Network IP Addresses page, click Next.
   h. On the Select a Firewall Policy page, in the Select a firewall policy list box, select Allow limited Web access, allow access to network services on Perimeter network.
   i. In the Description list box, scroll to the end of the text to see a description of the firewall policy rules that are created if this firewall policy is selected.
   j. On the Select a Firewall Policy page, click Next.
   k. On the Completing the Network Template Wizard page, click CANCEL (do NOT click Finish).

4. Explore the client support configuration settings per network.
   a. In the ISA Server console, in the left pane, ensure that Networks is selected, and then in the right pane, select the (lower) Networks tab.
   b. Right-click Internal, and then click Properties.
   c. In the Internal Properties dialog box, select the Firewall Client tab.
   d. Select the Web Proxy tab.
   e. Click Cancel to close the Internal Properties dialog box.

Exercise 3: Ease of Use: Single Rule Base

In this exercise, you will explore how ISA Server uses a single list of firewall rules.

Perform the following steps on the Paris computer.

1. On the Paris computer, explore the single firewall policy rule list. Create an access rule:
   Name: Allow Web traffic to Internet
   Applies to: HTTP
   From network: Internal
   To network: External
   a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
   b. In the right pane, on the Firewall Policy tab, select Default rule.
   c. In the task pane, on the Tasks tab, click Create Access Rule.
   d. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow Web traffic to Internet, and then click Next.
   e. On the Rule Action page, select Allow, and then click Next.
   f. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.
   g. In the Add Protocols dialog box, click Web, click HTTP, and click Add, and then click Close to close the Add Protocols dialog box.
   h. On the Protocols page, click Next.
   i. On the Access Rule Sources page, click Add.
   j. In the Add Network Entities dialog box, click Networks, click Internal, and click Add, and then click Close to close the Add Network Entities dialog box.
   k. On the Access Rule Sources page, click Next.
   l. On the Access Rule Destinations page, click Add.
   m. In the Add Network Entities dialog box, click Networks, click External, and click Add, and then click Close to close the Add Network Entities dialog box.
   n. On the Access Rule Destinations page, click Next.
   o. On the User Sets page, click Next.
   p. On the Completing the New Access Rule Wizard page, click Finish.
   q. Do NOT click Apply to apply the new rule.

2. Add the HTTPS and FTP protocols to the Allow Web traffic to Internet access rule.
   a. In the task pane, on the Toolbox tab, in the Protocols section, click Web.
   b. Drag HTTPS from the Toolbox to HTTP in the Protocols column of the Allow Web traffic to Internet access rule.
   c. Drag FTP from the Toolbox to HTTP/HTTPS in the Protocols column of the Allow Web traffic to Internet access rule.
   d. Click the box with the minus sign in front of the Allow Web traffic to Internet access rule to display the access rule with multiple protocols on a single line.

3. Explore the properties of the Allow Web traffic to Internet access rule.
   a. Right-click the Allow Web traffic to Internet access rule, and then click Properties.
   b. In the Allow Web traffic to Internet Properties dialog box, on the Protocols tab, click Add.
   c. In the Add Protocols dialog box, click Common Protocols.
   d. Click Close to close the Add Protocols dialog box.
   e. On the To tab, click Add.
   f. Click Close to close the Add Network Entities dialog box.
   g. On the From tab, click Add.
   h. In the Add Network Entities dialog box, click Networks.
   i. Click Close to close the Add Network Entities dialog box.
   j. Click Cancel to close the Allow Web traffic to Internet Properties dialog box.

4. Explore the HTTP protocol scanning features of the Allow Web traffic to Internet access rule. For demonstration purposes, configure the rule to block HTTP traffic from MSN Messenger by its HTTP header (User-Agent: MSMSGS).
   a. Right-click the Allow Web traffic to Internet access rule, and then click Configure HTTP.
   b. In the Configure HTTP policy for rule dialog box, examine the five tabs with the HTTP filter settings.
   c. On the Signatures tab, click Add.
   d. In the Signature dialog box, complete the following information:
      Name: MSN Messenger traffic
      Search in: Request headers
      HTTP Header: User-Agent
      Signature: MSMSGS
      and then click OK.
   e. Click OK to close the Configure HTTP policy for rule dialog box.

5. Explore the System Policy Rules in the Firewall Policy.
   a. In the left pane, ensure that Firewall Policy is selected.
   b. In the task pane, on the Tasks tab, click Show System Policy Rules.
   c. In the task pane, on the Tasks tab, click Edit System Policy.
   d. Click Cancel to close the System Policy Editor dialog box.
   e. In the task pane, on the Tasks tab, click Hide System Policy Rules.

6. Discard the Allow Web traffic to Internet access rule.
   a. In the right pane, click Discard to remove the unsaved Allow Web traffic to Internet access rule.
   b. Click Yes to confirm that you want to discard the changes.

Exercise 4: Ease of Use: Monitoring

In this exercise, you will explore how ISA Server uses monitoring.

Perform the following steps on the Paris computer.

1. On the Paris computer, explore the new Monitoring features in ISA Server.
   a. On the Paris computer, in the ISA Server console, in the left pane, expand Paris, and then select Monitoring.
   b. Select the Alerts tab.
   c. Select the Sessions tab.
   d. Select the Services tab.
   e. Select the Reports tab.
   f. Select the Connectivity Verifiers tab.
   g. Select the Logging tab.
   h. In the task pane, on the Tasks tab, click Configure Firewall Logging.
   i. Click Cancel to close the Firewall Logging Properties dialog box.
   j. Close the ISA Server console.
Module B: Configuring Outbound Internet Access

Exercise 1: Allowing Outbound Web Access from Client Computers

In this exercise, you will configure ISA Server to allow outbound Web access for client computers on the internal network. ISA Server evaluates the access rules in the order in which they are listed and applies the first rule that matches a connection; tasks 7 to 12 show this by placing a Deny rule for the domain controllers above the Allow rule, testing, and then moving the Allow rule above it.

Perform the following steps on the Denver computer.

1. On the Denver computer, test your connectivity by opening Internet Explorer and attempting to connect to http://istanbul.fabrikam.com.
   a. On the Denver computer, open Internet Explorer. In the Address box, type http://istanbul.fabrikam.com, and then press Enter.
   b. Look at the bottom of the Web page and view the reason why the Web page cannot be displayed.
   c. Close Internet Explorer.

Perform the following steps on the Paris computer.

2. On the Paris computer, create a new access rule.
   Name: Allow outbound Web traffic
   Applies to: HTTP, HTTPS, FTP
   From network: Internal
   To network: External
   a. On the Paris computer, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.
   b. In the ISA Server console, expand Paris, and then select Firewall Policy.
   c. In the right pane, on the Firewall Policy tab, select Default rule.
   d. In the task pane, on the Tasks tab, click Create Access Rule.
   e. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow outbound Web traffic, and then click Next.
   f. On the Rule Action page, select Allow, and then click Next.
   g. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.
   h. In the Add Protocols dialog box, click Common Protocols, click HTTP, and click Add, click HTTPS, and click Add, click Web, click FTP, and click Add, and then click Close to close the Add Protocols dialog box.
   i. On the Protocols page, click Next.
   j. On the Access Rule Sources page, click Add.
   k. In the Add Network Entities dialog box, click Networks, click Internal, and click Add, and then click Close to close the Add Network Entities dialog box.
   l. On the Access Rule Sources page, click Next.
   m. On the Access Rule Destinations page, click Add.
   n. In the Add Network Entities dialog box, click Networks, click External, and click Add, and then click Close to close the Add Network Entities dialog box.
   o. On the Access Rule Destinations page, click Next.
   p. On the User Sets page, click Next.
   q. On the Completing the New Access Rule Wizard page, click Finish.

3. Apply the changes.
   a. Click Apply to apply the new rule, and then click OK.

4. Examine the network rule for connectivity between the Internal network and the External network.
   a. In the left pane, expand Configuration, and then select Networks.
   b. In the right pane, on the Network Rules tab, select the rule that defines the connectivity between the Internal network and the External network.

5. Examine the Web Proxy settings of the Internal network.
   a. On the Networks tab, right-click Internal, and then click Properties.
   b. In the Internal Properties dialog box, select the Web Proxy tab.
   c. Click Cancel to close the Internal Properties dialog box.

Perform the following steps on the Denver computer.

6. On the Denver computer, test your connectivity again by opening Internet Explorer and connecting to http://istanbul.fabrikam.com, and by establishing an FTP session with istanbul.fabrikam.com.
   a. On the Denver computer, open Internet Explorer. In the Address box, type http://istanbul.fabrikam.com, and then press Enter.
   b. In Internet Explorer, on the Tools menu, click Internet Options.
   c. In the Internet Options dialog box, on the Connections tab, click LAN Settings.
   d. Click Cancel to close the Local Area Network (LAN) Settings dialog box.
   e. Click Cancel to close the Internet Options dialog box.
   f. Close Internet Explorer.
   g. Open a Command Prompt window.
   h. At the command prompt, type ftp istanbul.fabrikam.com, and then press Enter.
   i. Press Ctrl-C to close the FTP session.
   j. If the ftp> prompt appears, type quit, and then press Enter.
   k. Close the Command Prompt window.

Perform the following steps on the Paris computer.

7. On the Paris computer, create a new Computer Set rule element.
   Name: Restricted Internal Computers
   Included in the set: 10.1.1.5-10.1.1.8 (Domain Controllers)
   a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
   b. In the task pane, on the Toolbox tab, in the Network Objects section, right-click Computer Sets, and then click New Computer Set.
   c. In the New Computer Set Rule Element dialog box, in the Name text box, type Restricted Internal Computers.
   d. Click Add, and then click Address Range.
   e. In the New Address Range Rule Element dialog box, complete the following information:
      Name: Domain Controllers
      Start Address: 10.1.1.5
      End Address: 10.1.1.8
      Description: DCs on the internal network
      and then click OK.
   f. Click OK to close the New Computer Set Rule Element dialog box.

8. Create a new access rule. Because the Allow outbound Web traffic rule is selected when you start the wizard, the new Deny rule is inserted above it.
   Name: Deny restricted computers
   Action: Deny
   Applies to: All outbound traffic
   From: Restricted Internal Computers
   To network: External
   a. In the Firewall Policy list, select the Allow outbound Web traffic rule.
   b. In the task pane, on the Tasks tab, click Create Access Rule.
   c. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Deny restricted computers, and then click Next.
   d. On the Rule Action page, select Deny, and then click Next.
   e. On the Protocols page, in the This rule applies to list box, select All outbound traffic, and then click Next.
   f. On the Access Rule Sources page, click Add.
   g. In the Add Network Entities dialog box, click Computer Sets, click Restricted Internal Computers, and click Add, and then click Close to close the Add Network Entities dialog box.
   h. On the Access Rule Sources page, click Next.
   i. On the Access Rule Destinations page, click Add.
   j. In the Add Network Entities dialog box, click Networks, click External, and click Add, and then click Close to close the Add Network Entities dialog box.
   k. On the Access Rule Destinations page, click Next.
   l. On the User Sets page, click Next.
   m. On the Completing the New Access Rule Wizard page, click Finish.
   n. Click Apply to apply the new rule, and then click OK.

Perform the following steps on the Denver computer.

9. On the Denver computer, test your connectivity again by opening Internet Explorer and attempting to connect to http://istanbul.fabrikam.com.
   a. On the Denver computer, open Internet Explorer. In the Address box, type http://istanbul.fabrikam.com, and then press Enter.
   b. Close Internet Explorer.

Perform the following steps on the Paris computer.

10. On the Paris computer, move the Allow outbound Web traffic rule before the Deny restricted computers rule.
   a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
   b. In the right pane, right-click the Allow outbound Web traffic rule (order 2), and then click Move Up.
   c. Click Apply to save the changes, and then click OK.

Perform the following steps on the Denver computer.

11. On the Denver computer, test your connectivity again by opening Internet Explorer and connecting to http://istanbul.fabrikam.com.
   a. On the Denver computer, open Internet Explorer. In the Address box, type http://istanbul.fabrikam.com, and then press Enter.

Perform the following steps on the Paris computer.

12. On the Paris computer, delete the Deny restricted computers access rule.
   a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
   b. In the right pane, right-click the Deny restricted computers rule, and then click Delete.
   c. Click Yes to confirm that you want to delete the rule.
   d. Click Apply to save the changes, and then click OK.

Exercise 2: Enabling the Use of the Ping command from Client Computers

In this exercise, you will configure ISA Server to allow the ICMP network traffic used by the Ping command from client computers on the internal network.

Perform the following steps on the Denver computer.

1. On the Denver computer, use the Ping command to test connectivity with istanbul.fabrikam.com.
   a. On the Denver computer, open a Command Prompt window.
   b. At the command prompt, type ping istanbul.fabrikam.com, and then press Enter.
   c. Close the Command Prompt window.

Perform the following steps on the Paris computer.

2. On the Paris computer, create a new access rule.
   Name: Allow outbound Ping traffic
   Applies to: PING
   From network: Internal
   To network: External
   a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
   b. In the right pane, select the first rule to indicate where the new rule is added to the rule list (the new rule is inserted above the selected rule).
   c. In the task pane, on the Tasks tab, click Create Access Rule.
   d. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow outbound Ping traffic, and then click Next.
   e. On the Rule Action page, click Allow, and then click Next.
   f. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.
   g. In the Add Protocols dialog box, click Common Protocols, click PING, and click Add, and then click Close to close the Add Protocols dialog box.
   h. On the Protocols page, click Next.
   i. On the Access Rule Sources page, click Add.
   j. In the Add Network Entities dialog box, click Networks, click Internal, and click Add, and then click Close to close the Add Network Entities dialog box.
   k. On the Access Rule Sources page, click Next.
   l. On the Access Rule Destinations page, click Add.
   m. In the Add Network Entities dialog box, click Networks, click External, and click Add, and then click Close to close the Add Network Entities dialog box.
   n. On the Access Rule Destinations page, click Next.
   o. On the User Sets page, click Next.
   p. On the Completing the New Access Rule Wizard page, click Finish.
   q. Click Apply to apply the new rule, and then click OK.

3. Examine the PING protocol definition.
   a. In the task pane, on the Toolbox tab, in the Protocols section, expand Common Protocols, right-click PING, and then click Properties.
   b. In the PING Properties dialog box, select the Parameters tab.
   c. Click Cancel to close the PING Properties dialog box.

Perform the following steps on the Denver computer.

4. On the Denver computer, use the Ping command to test connectivity with istanbul.fabrikam.com again.
   a. On the Denver computer, open a Command Prompt window.
   b. At the command prompt, type ping istanbul.fabrikam.com, and then press Enter.
   c. Close the Command Prompt window.

Perform the following steps on the Istanbul computer.

5. On the Istanbul computer, use the Ping command to test connectivity with the ISA Server. Note that the rule created in task 2 applies only to traffic from the Internal network to the External network.
   a. On the Istanbul computer, open a Command Prompt window.
   b. At the command prompt, type ping 39.1.1.1 (the address of the ISA Server on the External network), and then press Enter.
   c. Close the Command Prompt window.

Exercise 3: Allowing Outbound Access from the ISA Server

In this exercise, you will configure ISA Server to allow outbound access from the ISA Server computer. Traffic that originates on the ISA Server computer itself belongs to the Local Host network, not to the Internal network, so the Allow outbound Web traffic rule from Exercise 1 does not apply to it.

Perform the following steps on the Paris computer.

1. On the Paris computer, test your connectivity by attempting to establish an FTP session with istanbul.fabrikam.com.
   a. On the Paris computer, open a Command Prompt window.
   b. At the command prompt, type ftp istanbul.fabrikam.com, and then press Enter.
   c. At the ftp> prompt, type quit, and then press Enter.
   d. Close the Command Prompt window.

2. Create a new access rule.
   Name: Allow FTP from firewall
   Applies to: FTP
   From network: Local Host
   To network: External
   a. In the ISA Server console, in the left pane, select Firewall Policy.
   b. In the right pane, select the first rule to indicate where the new rule is added to the rule list.
   c. In the task pane, on the Tasks tab, click Create Access Rule.
   d. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow FTP from firewall, and then click Next.
   e. On the Rule Action page, click Allow, and then click Next.
   f. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.
   g. In the Add Protocols dialog box, click Web, click FTP, and click Add, and then click Close to close the Add Protocols dialog box.
   h. On the Protocols page, click Next.
   i. On the Access Rule Sources page, click Add.
   j. In the Add Network Entities dialog box, click Networks, click Local Host, and click Add, and then click Close to close the Add Network Entities dialog box.
   k. On the Access Rule Sources page, click Next.
   l. On the Access Rule Destinations page, click Add.
   m. In the Add Network Entities dialog box, click Networks, click External, and click Add, and then click Close to close the Add Network Entities dialog box.
   n. On the Access Rule Destinations page, click Next.
   o. On the User Sets page, click Next.
   p. On the Completing the New Access Rule Wizard page, click Finish.
   q. Click Apply to apply the new rule, and then click OK.

3. Test your connectivity again by establishing an FTP session with istanbul.fabrikam.com.
   a. Open a Command Prompt window.
   b. At the command prompt, type ftp istanbul.fabrikam.com, and then press Enter.
   c. Press Ctrl-C to close the FTP session.
   d. If the ftp> prompt appears, type quit, and then press Enter.
   e. Close the Command Prompt window.

4. Show the System Policy Rules in the Firewall Policy.
   a. In the ISA Server console, in the left pane, select Firewall Policy.
   b. In the task pane, on the Tasks tab, click Show System Policy Rules.

5. Test your connectivity by opening Internet Explorer and connecting to http://istanbul.fabrikam.com, and by using the Ping command to istanbul.fabrikam.com and to denver.contoso.com. Compare the results with the system policy rules displayed in task 4: a connection from the ISA Server that succeeds without an access rule of your own is allowed by one of the system policy rules.
   a. Open Internet Explorer. In the Address box, type http://istanbul.fabrikam.com, and then press Enter.
   b. Close Internet Explorer.
   c. Open a Command Prompt window.
   d. At the command prompt, type ping istanbul.fabrikam.com, and then press Enter.
   e. At the command prompt, type ping denver.contoso.com, and then press Enter.
   f. Close the Command Prompt window.

6. Hide the System Policy Rules in the Firewall Policy.
   a. In the ISA Server console, in the left pane, select Firewall Policy.
   b. In the task pane, on the Tasks tab, click Hide System Policy Rules.
   c. Close the ISA Server console.

16 de 106
Exercise 4: Configuring ISA Server 2006 for Flood Resiliency

In this exercise, you will configure ISA Server to block a large number of TCP connections from the same IP address.

Perform the following steps on the Paris computer.

1. On the Paris computer, examine the flood mitigation settings.
   a. On the Paris computer, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.
   b. In the ISA Server console, in the left pane, expand Paris, expand Configuration, and then select General.
   c. In the right pane, under Additional Security Policy, click Configure Flood Mitigation Settings.
   d. In the Flood Mitigation dialog box, on the Flood Mitigation tab, click the second Edit button.
   e. Click Cancel to close the Flood Mitigation Settings dialog box.
   f. In the Flood Mitigation dialog box, select the IP Exceptions tab.

2. Disable the logging of network traffic blocked by flood mitigation settings.
   a. In the Flood Mitigation dialog box, select the Flood Mitigation tab.
   b. Clear the Log traffic blocked by flood mitigation settings check box.
   c. Click OK to close the Flood Mitigation dialog box.

3. Create a new access rule.
   Name: Allow Web access (Flood)
   Applies to: HTTP
   From network: Internal
   To network: External
   a. In the left pane, select Firewall Policy.
   b. In the right pane, select the first rule, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.
   c. In the task pane, on the Tasks tab, click Create Access Rule.
   d. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow Web access (Flood), and then click Next.
   e. On the Rule Action page, select Allow, and then click Next.
   f. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.
   g. In the Add Protocols dialog box, click Common Protocols, click HTTP, click Add, and then click Close to close the Add Protocols dialog box.
   h. On the Protocols page, click Next.
   i. On the Access Rule Sources page, click Add.
   j. In the Add Network Entities dialog box, click Networks, click Internal, click Add, and then click Close to close the Add Network Entities dialog box.
   k. On the Access Rule Sources page, click Next.
   l. On the Access Rule Destinations page, click Add.
   m. In the Add Network Entities dialog box, click Networks, click External, click Add, and then click Close to close the Add Network Entities dialog box.
   n. On the Access Rule Destinations page, click Next.
   o. On the User Sets page, click Next.
   p. On the Completing the New Access Rule Wizard page, click Finish.

4. Apply the changes.
   a. Click Apply to apply the changes, and then click OK.

Perform the following steps on the Denver computer.

5. On the Denver computer, configure Internet Explorer not to use a proxy server.
   a. On the Denver computer, open Internet Explorer.
   b. In Internet Explorer, on the Tools menu, click Internet Options.
   c. In the Internet Options dialog box, on the Connections tab, click LAN Settings.
   d. In the Local Area Network (LAN) Settings dialog box, clear the Use a proxy server for your LAN check box, and then click OK.
   e. Click OK to close the Internet Options dialog box.

6. Use Internet Explorer to connect to http://istanbul.fabrikam.com/web.asp.
   a. In Internet Explorer, in the Address bar, type http://istanbul.fabrikam.com/web.asp, and then press Enter.
   b. Do not close Internet Explorer.

7. Use the C:\Tools\tcpflooder.vbs tool to create 200 concurrent TCP connections.
   a. Use Windows Explorer (or My Computer) to open the C:\Tools folder.
   b. Right-click tcpflooder.vbs, and then click Open.
   c. Click Yes to confirm that you want to start TCP Flooder.
   d. Click OK to acknowledge that 200 TCP connections are created.
   e. Close the Tools folder.

8. In Internet Explorer, refresh the existing Web page, and attempt to create a second connection to http://istanbul.fabrikam.com/web.asp.
   a. In the Internet Explorer window, on the toolbar, click the Refresh button.
   b. On the Start menu, click All Programs, and then click Internet Explorer.
   c. In Internet Explorer, in the Address box, type http://istanbul.fabrikam.com/web.asp, and then press Enter.
   d. Close the Internet Explorer windows.

Perform the following steps on the Paris computer.

9. On the Paris computer, examine the flooding alert.
   a. On the Paris computer, in the ISA Server console, in the left pane, select Monitoring.
   b. In the right pane, select the Alerts tab.
   c. In the task pane, on the Tasks tab, click Refresh Now.
   d. In the alert list, expand the Concurrent TCP Connections from One IP Address Limit Exceeded alert, and then select the alert line below it.

10. Configure the log viewer filter conditions:
    Log Time: Last Hour
    Client IP: Equals 10.1.1.5
    Destination IP: Greater or Equal 42.1.0.0
    a. In the right pane, select the Logging tab.
    b. In the task pane, on the Tasks tab, click Edit Filter.
    c. In the Edit Filter dialog box, in the conditions list, select the Log Time - Live condition.
    d. In the Condition drop-down list box, select Last Hour, and then click Update.
    e. Complete the following information:
       Filter by: Client IP
       Condition: Equals
       Value: 10.1.1.5
       and then click Add To List.
    f. Complete the following information:
       Filter by: Destination IP
       Condition: Greater or Equal
       Value: 42.1.0.0
       and then click Add To List.
    g. Click Start Query to close the Edit Filter dialog box.
    h. Scroll to the top of the list of log entries.

11. Restore the log viewer filter conditions:
    Log Time: Live
    Client IP: (remove)
    Destination IP: (remove)
    a. In the task pane, on the Tasks tab, click Edit Filter.
    b. In the Edit Filter dialog box, in the conditions list, select Log Time - Last Hour.
    c. In the Condition drop-down list box, select Live, and then click Update.
    d. In the conditions list, select the Destination IP condition, and then click Remove.
    e. In the conditions list, select the Client IP condition, and then click Remove.
    f. Click Start Query to close the dialog box.
    g. In the task pane, on the Tasks tab, click Stop Query.

Perform the following steps on the Denver computer.

12. On the Denver computer, configure Internet Explorer to use a proxy server.
    a. On the Denver computer, open Internet Explorer.
    b. In Internet Explorer, on the Tools menu, click Internet Options.
    c. In the Internet Options dialog box, on the Connections tab, click LAN Settings.
    d. In the Local Area Network (LAN) Settings dialog box, complete the following information:
       Use a proxy server for your LAN: enable
       Address: 10.1.1.1
       Port: 8080
       Bypass proxy server for local addresses: enable
       and then click OK to close the Local Area Network (LAN) Settings dialog box.
    e. Click OK to close the Internet Options dialog box.
    f. Close Internet Explorer.
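The two things the Paris console shows after the flood, the per-IP connection alert of task 9 and the log viewer filter of task 10, as an added example that is not part of the lab manual. The log lines are constructed (not ISA Server's real log format), 42.1.1.1 is a constructed External address, and the per-IP limit of 160 is an assumed value; the real limit is the one shown in the Flood Mitigation Settings dialog in task 1.

```python
"""Added example for Exercise 4 (not part of the lab manual).

flood_alerts() replays a connection log, counts open TCP connections per
client IP and flags clients whose peak exceeds a per-IP limit: the condition
behind the "Concurrent TCP Connections from One IP Address Limit Exceeded"
alert. filter_like_log_viewer() applies the task 10 filter (Log Time Last
Hour, Client IP equals 10.1.1.5, Destination IP greater or equal 42.1.0.0),
comparing IP addresses numerically rather than as strings.

The log is constructed for this example (tab-separated: time, client IP,
destination IP, destination port, protocol, action).
"""
import ipaddress
from collections import Counter
from datetime import datetime, timedelta

# Stand-in for the console clock when the log viewer query is run.
LAB_NOW = datetime(2007, 3, 1, 10, 5, 0)


def build_sample_log():
    """Constructed log: some ordinary traffic plus a burst of 200 connections
    from Denver (10.1.1.5), like the tcpflooder.vbs run in task 7."""
    lines = [
        "2007-03-01 08:00:00\t10.1.1.5\t42.1.1.1\t80\tHTTP\tEstablished",    # older than one hour
        "2007-03-01 09:55:00\t10.1.1.5\t42.1.1.1\t80\tHTTP\tEstablished",
        "2007-03-01 09:56:00\t10.1.1.5\t42.1.1.1\t80\tHTTP\tClosed",         # closes the 09:55 one
        "2007-03-01 10:00:00\t10.1.1.7\t42.1.1.1\t80\tHTTP\tEstablished",    # a different client
        "2007-03-01 10:00:00\t10.1.1.5\t10.1.1.1\t8080\tHTTP\tEstablished",  # to the proxy: below 42.1.0.0
    ]
    base = datetime(2007, 3, 1, 10, 0, 1)
    for i in range(200):
        t = base + timedelta(seconds=i // 50)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S}\t10.1.1.5\t42.1.1.1\t80\tTCP\tEstablished")
    return "\n".join(lines) + "\n"


def parse_log(text):
    """Parse the constructed log into dicts with typed fields, in time order."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dest, port, proto, action = line.split("\t")
        entries.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "client_ip": ipaddress.ip_address(client),
            "dest_ip": ipaddress.ip_address(dest),
            "dest_port": int(port),
            "protocol": proto,
            "action": action,
        })
    return sorted(entries, key=lambda e: e["time"])


def filter_like_log_viewer(entries, now=LAB_NOW, client_ip="10.1.1.5", dest_ge="42.1.0.0"):
    """The task 10 filter. Destination IP is compared as an address, so
    42.1.1.1 passes and 10.1.1.1 (the proxy) does not."""
    cutoff = now - timedelta(hours=1)
    want_client = ipaddress.ip_address(client_ip)
    floor = ipaddress.ip_address(dest_ge)
    return [e for e in entries
            if e["time"] >= cutoff
            and e["client_ip"] == want_client
            and e["dest_ip"] >= floor]


def peak_concurrent_per_client(entries):
    """Replay the log in time order: Established opens a connection, Closed
    releases one. Every connection in this log is TCP-based."""
    open_now, peak = Counter(), Counter()
    for e in entries:
        ip = e["client_ip"]
        if e["action"] == "Established":
            open_now[ip] += 1
            peak[ip] = max(peak[ip], open_now[ip])
        elif e["action"] == "Closed":
            open_now[ip] = max(0, open_now[ip] - 1)
    return peak


def flood_alerts(entries, limit=160):
    """Client IPs whose peak concurrent connections exceed 'limit'.
    160 is an assumed value for this example, not read from ISA Server."""
    return {str(ip): n for ip, n in peak_concurrent_per_client(entries).items() if n > limit}


if __name__ == "__main__":
    log = parse_log(build_sample_log())
    print("alerts:", flood_alerts(log))
    print("log viewer rows:", len(filter_like_log_viewer(log)))
```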
Module C: Publishing Web Servers and Other Servers

Exercise 1: Publishing a Web Server in the Internal Network

In this exercise, you will configure ISA Server to publish a Web server on the internal network to client computers on the Internet.

Perform the following steps on the Paris computer.

1. On the Paris computer, create a new Web listener.
   Name: External Web 80
   SSL: disable
   Network: External
   Compression: disable
   Authentication: none
   a. On the Paris computer, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.
   b. In the ISA Server console, expand Paris, and then select Firewall Policy.
   c. In the task pane, on the Toolbox tab, in the Network Objects section, right-click Web Listeners, and then click New Web Listener.
   d. In the New Web Listener Definition Wizard dialog box, in the Web listener name text box, type External Web 80, and then click Next.
   e. On the Client Connection Security page, select Do not require SSL secured connections with clients, and then click Next.
   f. On the Web Listener IP Addresses page, complete the following information:
      Listen on network: External
      ISA Server will compress content: disable
      and then click Next.
   g. On the Authentication Settings page, in the drop-down list box, select No Authentication, and then click Next.
   h. On the Single Sign On Settings page, click Next.
   i. On the Completing the New Web Listener Wizard page, click Finish.
   j. Click Apply to save the changes, and then click OK.

2. Examine the effect of the Web listener definition on the listening ports.
   a. Open a Command Prompt window.
   b. At the command prompt, type netstat -ano | find ":80", and then press Enter.
   c. Close the Command Prompt window.

3. Create a Web publishing rule.
   Name: Web Home Page (on Denver)
   Publishing type: single Web site
   Internal site name: denver.contoso.com
   Public name: www.contoso.com
   Web listener: External Web 80
   Delegation: none
   a. In the ISA Server console, in the left pane, select Firewall Policy.
   b. In the right pane, select the first rule, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.
   c. In the task pane, on the Tasks tab, click Publish Web Sites.
   d. In the New Web Publishing Rule Wizard dialog box, in the Web publishing rule name text box, type Web Home Page (on Denver), and then click Next.
   e. On the Select Rule Action page, select Allow, and then click Next.
   f. On the Publishing Type page, select Publish a single Web site, and then click Next.
   g. On the Server Connection Security page, select Use non-secured connections to connect to the published Web server, and then click Next.
   h. On the Internal Publishing Details page, complete the following information:
      Internal site name: denver.contoso.com
      Use a computer name or IP address: disable (is default)
      and then click Next.
   i. On the next Internal Publishing Details page, complete the following information:
      Path: (leave empty)
      Forward the original host header: disable (is default)
      and then click Next.
   j. On the Public Name Details page, complete the following information:
      Accept requests for: This domain name (type below)
      Public name: www.contoso.com
      Path: (leave empty)
      and then click Next.
   k. On the Select Web Listener page, in the Web listener drop-down list box, select External Web 80, and then click Next.
   l. On the Authentication Delegation page, select No delegation, and client cannot authenticate directly, and then click Next.
   m. On the User Sets page, click Next.
   n. On the Completing the New Web Publishing Rule Wizard page, click Finish.
   o. Click Apply to apply the new rule, and then click OK.

4. Examine the effect of the Web publishing rule on the listening ports.
   a. Open a Command Prompt window.
   b. At the command prompt, type netstat -ano | find ":80", and then press Enter.
   c. At the command prompt, type tasklist /svc | find "nnnn", and then press Enter. (Replace nnnn with the actual process ID displayed in the output of the previous step.)
   d. Close the Command Prompt window.

5. Examine the network rule for connectivity between the External network and the Internal network.
   a. In the ISA Server console, in the left pane, expand Configuration, and then select Networks.
   b. In the right pane, on the Network Rules tab, select the rule that defines the connectivity between the Internal network and the External network.

Perform the following steps on the Istanbul computer.

6. On the Istanbul computer, verify that www.contoso.com resolves to 39.1.1.1.
   a. On the Istanbul computer, open a Command Prompt window.
   b. At the command prompt, type ping www.contoso.com, and then press Enter.
   c. Close the Command Prompt window.

7. Connect to the published Web server on www.contoso.com, and attempt to connect to 39.1.1.1.
   a. Open Internet Explorer. In the Address box, type http://www.contoso.com, and then press Enter.
   b. In the Address box, type http://39.1.1.1, and then press Enter.

Perform the following steps on the Paris computer.

8. On the Paris computer, add the 39.1.1.1 public name to the Web Home Page (on Denver) Web publishing rule.
   a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
   b. In the right pane, select the Web Home Page (on Denver) Web publishing rule.
   c. In the task pane, on the Tasks tab, click Edit Selected Rule.
   d. In the Web Home Page (on Denver) Properties dialog box, on the Public Name tab, click Add.
   e. In the Public Name dialog box, type 39.1.1.1, and then click OK.
   f. Click OK to close the Web Home Page (on Denver) Properties dialog box.
   g. Click Apply to apply the changed rule, and then click OK.

Perform the following steps on the Istanbul computer.

9. On the Istanbul computer, connect to the published Web server on 39.1.1.1.
   a. On the Istanbul computer, in Internet Explorer, ensure that http://39.1.1.1 is in the Address box, and then click the Refresh button.
   b. Close Internet Explorer.

Exercise 2: Publishing the Web Server on the ISA Server Computer

In this exercise, you will configure ISA Server to publish a Web server on the ISA Server to client computers on the Internet.

Perform the following steps on the Paris computer.

1. On the Paris computer, configure the default Web site to use port 81, and then start the Web site.
   a. On the Paris computer, on the Start menu, click Administrative Tools, and then click Internet Information Services (IIS) Manager.
   b. In the IIS Manager console, expand PARIS (local computer), expand Web Sites, right-click Default Web Site (Stopped), and then click Properties.
   c. In the Default Web Site (Stopped) Properties dialog box, on the Web Site tab, in the TCP port text box, type 81, and then click OK.
   d. Right-click Default Web Site (Stopped), and then click Start.
   e. Close the IIS Manager console.

2. Examine the effect of starting the default Web site on the listening ports.
   a. Open a Command Prompt window.
   b. At the command prompt, type netstat -ano | find ":81", and then press Enter.
   c. At the command prompt, type tasklist /svc | find "mmmm", and then press Enter. (Replace mmmm with the actual process ID displayed in the output of the previous step.)
   d. Close the Command Prompt window.

3. Create a Web publishing rule.
   Name: Products Web Site (on Paris)
   Publishing type: single Web site
   Internal site name: Paris
   IP address: 10.1.1.1
   Port: 81
   Public name: www.contoso.com/products
   Web listener: External Web 80
   Delegation: none
   a. In the ISA Server console, in the left pane, select Firewall Policy.
   b. In the right pane, select the first rule to indicate where the new rule is added to the rule list.
   c. In the task pane, on the Tasks tab, click Publish Web Sites.
   d. In the New Web Publishing Rule Wizard dialog box, in the Web publishing rule name text box, type Products Web Site (on Paris), and then click Next.
   e. On the Select Rule Action page, select Allow, and then click Next.
   f. On the Publishing Type page, select Publish a single Web site, and then click Next.
   g. On the Server Connection Security page, select Use non-secured connections to connect to the published Web server, and then click Next.
   h. On the Internal Publishing Details page, complete the following information:
      Internal site name: Paris
      Use a computer name or IP address: enable
      Computer name or IP address: 10.1.1.1
      and then click Next.
   i. On the next Internal Publishing Details page, complete the following information:
      Path: (leave empty)
      Forward the original host header: disable (is default)
      and then click Next.
   j. On the Public Name Details page, complete the following information:
      Accept requests for: This domain name (type below)
      Public name: www.contoso.com
      Path: products
      and then click Next.
   k. On the Select Web Listener page, in the Web listener drop-down list box, select External Web 80, and then click Next.
   l. On the Authentication Delegation page, select No delegation, and client cannot authenticate directly, and then click Next.
   m. On the User Sets page, click Next.
   n. On the Completing the New Web Publishing Rule Wizard page, click Finish.
   o. In the right pane, select the Products Web Site (on Paris) Web publishing rule, and then in the task pane, on the Tasks tab, click Edit Selected Rule.
   p. In the Products Web Site (on Paris) Properties dialog box, select the Paths tab.
   q. Select the Listener tab.
   r. On the Bridging tab, in the Redirect requests to HTTP port text box, type 81.
   s. Click OK to close the Products Web Site (on Paris) Properties dialog box.
   t. Click Apply to apply the new rule, and then click OK.

Perform the following steps on the Istanbul computer.

4. On the Istanbul computer, connect to the published Web servers on www.contoso.com/products and www.contoso.com.
   a. On the Istanbul computer, open Internet Explorer. In the Address box, type http://www.contoso.com/products, and then press Enter.
   b. In the Address box, type http://www.contoso.com, and then press Enter.
   c. Close Internet Explorer.

Perform the following steps on the Paris computer.

5. On the Paris computer, create a Web publishing rule.
   Name: Public Web Site (on Paris)
   Publishing type: single Web site
   Internal site name: Paris
   IP address: 10.1.1.1
   Path: publicweb/*
   Port: 81
   Public name: public.contoso.com
   Web listener: External Web 80
   Delegation: none
   a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
   b. In the right pane, select the first rule to indicate where the new rule is added to the rule list.
   c. In the task pane, on the Tasks tab, click Publish Web Sites.
   d. In the New Web Publishing Rule Wizard dialog box, in the Web publishing rule name text box, type Public Web Site (on Paris), and then click Next.
   e. On the Select Rule Action page, select Allow, and then click Next.
   f. On the Publishing Type page, select Publish a single Web site, and then click Next.
   g. On the Server Connection Security page, select Use non-secured connections to connect to the published Web server, and then click Next.
   h. On the Internal Publishing Details page, complete the following information:
      Internal site name: Paris
      Use a computer name or IP address: enable
      Computer name or IP address: 10.1.1.1
      and then click Next.
   i. On the next Internal Publishing Details page, complete the following information:
      Path: publicweb/*
      Forward the original host header: disable (is default)
      and then click Next.
   j. On the Public Name Details page, complete the following information:
      Accept requests for: This domain name (type below)
      Public name: public.contoso.com
      Path: (remove /publicweb/*, and leave empty)
      and then click Next.
   k. On the Select Web Listener page, in the Web listener drop-down list box, select External Web 80, and then click Next.
   l. On the Authentication Delegation page, select No delegation, and client cannot authenticate directly, and then click Next.
   m. On the User Sets page, click Next.
   n. On the Completing the New Web Publishing Rule Wizard page, click Finish.
   o. In the right pane, select the Public Web Site (on Paris) Web publishing rule, and then in the task pane, on the Tasks tab, click Edit Selected Rule.
   p. In the Public Web Site (on Paris) Properties dialog box, select the Paths tab.
   q. On the Bridging tab, in the Redirect requests to HTTP port text box, type 81.
   r. Click OK to close the Public Web Site (on Paris) Properties dialog box.
   s. Click Apply to apply the new rule, and then click OK.

Perform the following steps on the Istanbul computer.

6. On the Istanbul computer, connect to the published Web server on public.contoso.com.
   a. On the Istanbul computer, open Internet Explorer. In the Address box, type http://public.contoso.com, and then press Enter.
   b. Close Internet Explorer.
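How the three Web publishing rules built in Exercises 1 and 2 decide where a request on the External Web 80 listener goes, as an added example that is not part of the lab manual and not ISA Server's own code. It assumes top-down first-match evaluation (each new rule was inserted above the previous one), that a public path of "products" means the prefix /products/* and an empty path means /*, and that an internal path such as publicweb/* replaces the public prefix; host header forwarding, delegation and the full Paths tab syntax are left out.

```python
"""Added example for Module C, Exercises 1 and 2 (not part of the lab manual):
a simplified model of how the Web publishing rules created on Paris route a
request to an internal host and port. See the lead-in for the assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class WebPublishingRule:
    name: str
    public_names: List[str]     # Public Name tab; 39.1.1.1 was added in Exercise 1, task 8
    internal_host: str          # Internal site name, or the IP address when one is chosen
    internal_port: int = 80     # "Redirect requests to HTTP port" on the Bridging tab
    public_path: str = ""       # Public Name Details; "" means /*
    internal_path: str = ""     # Internal Publishing Details; "" means same as public

    @staticmethod
    def _prefix(path_spec: str) -> str:
        """'products' or 'publicweb/*' -> '/products/', '/publicweb/'; '' -> '/'."""
        p = path_spec.strip("/").rstrip("*").strip("/")
        return "/" if not p else f"/{p}/"

    def matches(self, host: str, path: str) -> bool:
        """Host must be one of the rule's public names and the path must sit
        under the public prefix (the bare prefix, e.g. /products, also counts)."""
        if host.lower() not in (n.lower() for n in self.public_names):
            return False
        prefix = self._prefix(self.public_path)
        return path.startswith(prefix) or path == prefix.rstrip("/")

    def translate(self, path: str) -> str:
        """Swap the public prefix for the internal one; keep the remainder."""
        public_prefix = self._prefix(self.public_path)
        rest = path[len(public_prefix):] if path.startswith(public_prefix) else ""
        internal_prefix = self._prefix(self.internal_path) if self.internal_path else public_prefix
        return internal_prefix + rest


def lab_rules(with_39_public_name: bool = True) -> List[WebPublishingRule]:
    """The rule list in its final order on Paris: the newest rule on top."""
    denver_names = ["www.contoso.com"] + (["39.1.1.1"] if with_39_public_name else [])
    return [
        WebPublishingRule("Public Web Site (on Paris)", ["public.contoso.com"],
                          "10.1.1.1", 81, public_path="", internal_path="publicweb/*"),
        WebPublishingRule("Products Web Site (on Paris)", ["www.contoso.com"],
                          "10.1.1.1", 81, public_path="products"),
        WebPublishingRule("Web Home Page (on Denver)", denver_names,
                          "denver.contoso.com", 80),
    ]


def route(rules: List[WebPublishingRule], url: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (rule name, internal URL) for the first matching rule, or
    (None, None) when no rule publishes that host and path, in which case
    the client gets an error instead of a forwarded request."""
    u = urlsplit(url)
    path = u.path or "/"
    for rule in rules:
        if rule.matches(u.hostname or "", path):
            return rule.name, f"http://{rule.internal_host}:{rule.internal_port}{rule.translate(path)}"
    return None, None


if __name__ == "__main__":
    for url in ("http://www.contoso.com/", "http://www.contoso.com/products",
                "http://39.1.1.1/", "http://public.contoso.com/index.htm"):
        print(url, "->", route(lab_rules(), url))
```

Reversing the list shows why rule order matters: with the Denver rule on top, its /* prefix would swallow /products and the Paris site would never be reached.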

Exercise 3: Performing Link Translation on a Published Web Server

In this exercise, you will configure ISA Server to enable link translation for a published Web site.

Perform the following steps on the Istanbul computer.

1. On the Istanbul computer, connect to the Web page www.contoso.com/links.htm.
   a. On the Istanbul computer, open Internet Explorer. In the Address box, type http://www.contoso.com/links.htm, and then press Enter.
   b. Hold the mouse pointer over the Translated link for pic1.jpg URL.
   c. Right-click the displayed image (pic1.jpg), and then click Properties.
   d. Click Cancel to close the Properties dialog box.
   e. Do not close Internet Explorer.

Perform the following steps on the Paris computer.

2. On the Paris computer, examine the Link Translation Filter Web filter.
   a. On the Paris computer, in the ISA Server console, in the left pane, expand Configuration, and then select Add-ins.
   b. In the right pane, select the Web Filters tab.

3. Examine the current link translation mappings for the Web Home Page (on Denver) Web publishing rule.
   a. In the left pane, select Firewall Policy, and then in the right pane, select the Web Home Page (on Denver) Web publishing rule.
   b. In the task pane, on the Tasks tab, click Edit Selected Rule.
   c. In the Web Home Page (on Denver) Properties dialog box, select the Link Translation tab.
   d. On the Link Translation tab, click Mappings.
   e. Close Internet Explorer.
   f. Click Cancel to close the Web Home Page (on Denver) Properties dialog box.

4. Create a new global link translation mapping:
   Replace this text: http://ronsbox
   With this text: http://www.contoso.com
   a. In the left pane, select General.
   b. In the right pane, under Global HTTP Policy Settings, click Configure Global Link Translation.
   c. In the Link Translation dialog box, select the Global Mappings tab.
   d. On the Global Mappings tab, click Add.
   e. In the Add Mapping dialog box, complete the following information:
      Internal URL: http://ronsbox
      Translated URL: http://www.contoso.com
      and then click OK.
   f. Click OK to close the Link Translation dialog box.
   g. Click Apply to save the changes, and then click OK.

Perform the following steps on the Istanbul computer.

5. On the Istanbul computer, refresh the content of the Web page at www.contoso.com/links.htm again, by pressing Ctrl-F5 or Ctrl-Refresh.
   a. On the Istanbul computer, in Internet Explorer, ensure that the http://www.contoso.com/links.htm Web page is open.
   b. Hold down the Ctrl key, and then click the Refresh button on the toolbar, to refresh the content of the Web page.
   c. Close Internet Explorer.
Exercise 4: Using Cross-Site Link Translation to Publish SharePoint Server

In this exercise, you will configure ISA Server to publish a SharePoint Server.

The portal Web site contains links to other Web servers. By using cross-site link translation, you can access the links from the published portal Web site.

Perform the following steps on the Denver computer.

1. On the Denver computer, connect to http://portal, and examine the links on the Project-D Portal Web site.
   a. On the Denver computer, open Internet Explorer. In the Address box, type http://portal, and then press Enter.
   b. In the portal Web site, under Shared Documents, move the mouse pointer over Agenda (do not click).
   c. Click Agenda.
   d. In the File Download dialog box, click Open to confirm that you want to open the Agenda.doc file.
   e. Close WordPad.
   f. In the portal Web site, under Links, move the mouse pointer over Research Web Site (do not click).
   g. Click Research Web Site.
   h. On the toolbar, click the Back button.
   i. Close Internet Explorer.

Perform the following steps on the Paris computer.

2. On the Paris computer, create a new Web listener (if this is not done already).
   Name: External Web 80
   SSL: disable
   Network: External
   Compression: disable
   Authentication: none
   a. On the Paris computer, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.
   b. In the ISA Server console, expand Paris, and then select Firewall Policy.
   c. In the task pane, on the Toolbox tab, in the Network Objects section, expand Web Listeners (if possible).
   d. If a Web listener named External Web 80 does not exist, then right-click Web Listeners, and then click New Web Listener.
   e. In the New Web Listener Definition Wizard dialog box, in the Web listener name text box, type External Web 80, and then click Next.
   f. On the Client Connection Security page, select Do not require SSL secured connections with clients, and then click Next.
   g. On the Web Listener IP Addresses page, complete the following information:
      Listen on network: External
      ISA Server will compress content: disable
      and then click Next.
   h. On the Authentication Settings page, in the drop-down list box, select No Authentication, and then click Next.
   i. On the Single Sign On Settings page, click Next.
   j. On the Completing the New Web Listener Wizard page, click Finish.

3. Create a Web publishing rule to publish a SharePoint server.
   Name: Portal Web Site
   Publishing type: single Web site
   Internal site name: portal
   Public name: portal.contoso.com
   Web listener: External Web 80
   Delegation: none
   a. In the right pane, select the first rule, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.
   b. In the task pane, on the Tasks tab, click Publish SharePoint Sites.
   c. In the New SharePoint Publishing Rule Wizard dialog box, in the SharePoint publishing rule name text box, type Portal Web Site, and then click Next.
   d. On the Publishing Type page, select Publish a single Web site, and then click Next.
   e. On the Server Connection Security page, select Use non-secured connections to connect to the published Web server, and then click Next.
   f. On the Internal Publishing Details page, in the Internal site name text box, type portal, and then click Next.
   g. On the Public Name Details page, in the Public name text box, type portal.contoso.com, and then click Next.
   h. On the Select Web Listener page, in the Web listener drop-down list box, select External Web 80, and then click Next.
   i. On the Authentication Delegation page, select No delegation, and client cannot authenticate directly, and then click Next.
   j. On the Alternate Access Mapping Configuration page, select SharePoint AAM is not yet configured, and then click Next.
   k. On the User Sets page, click Next.
   l. On the Completing the New SharePoint Publishing Rule Wizard page, click Finish.

4. Apply the changes.
   a. Click Apply to apply the changes, and then click OK.

Perform the following steps on the Istanbul computer.

5. On the Istanbul computer, connect to http://portal.contoso.com, and examine the links on the Project-D Portal Web site.
   a. On the Istanbul computer, open Internet Explorer. In the Address box, type http://portal.contoso.com, and then press Enter.
   b. In the portal Web site, under Shared Documents, move the mouse pointer over Agenda (do not click).
   c. Click Agenda.
   d. In the File Download dialog box, click Open to confirm that you want to open the Agenda.doc file.
   e. Close WordPad.
   f. In the portal Web site, under Links, move the mouse pointer over Research Web Site (do not click).
   g. Click Research Web Site.
   h. On the toolbar, click the Back button.
   i. Close Internet Explorer.

Perform the following steps on the Paris computer.

6. On the Paris computer, create a Web publishing rule.
   Name: Server1 Web Site
   Publishing type: single Web site
   Internal site name: server1
   Public name: web1.contoso.com
   Web listener: External Web 80
   Delegation: none
   a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
   b. In the right pane, select the first rule to indicate where the new rule is added.
   c. In the task pane, on the Tasks tab, click Publish Web Sites.
   d. In the New Web Publishing Rule Wizard dialog box, in the Web publishing rule name text box, type Server1 Web Site, and then click Next.
   e. On the Select Rule Action page, select Allow, and then click Next.
   f. On the Publishing Type page, select Publish a single Web site, and then click Next.
   g. On the Server Connection Security page, select Use non-secured connections to connect to the published Web server, and then click Next.
   h. On the Internal Publishing Details page, in the Internal site name text box, type server1, and then click Next.
   i. On the next Internal Publishing Details page, leave the Path text box empty, and then click Next.
   j. On the Public Name Details page, in the Public name text box, type web1.contoso.com, and then click Next.
   k. On the Select Web Listener page, in the Web listener drop-down list box, select External Web 80, and then click Next.
   l. On the Authentication Delegation page, select No delegation, and client cannot authenticate directly, and then click Next.
   m. On the User Sets page, click Next.
   n. On the Completing the New Web Publishing Rule Wizard page, click Finish.

7. Apply the changes.
   a. Click Apply to apply the changes, and then click OK.

8. Examine the list of per-server link translation mappings.
   a. In the left pane, expand Configuration, and then click General.
   b. In the right pane, click Configure Global Link Translation.
   c. Select the Global Mappings tab.
   d. Click Cancel to close the Link Translation dialog box.

Perform the following steps on the Istanbul computer.

9. On the Istanbul computer, connect to http://portal.contoso.com, and examine the links on the Project-D Portal Web site.
   a. On the Istanbul computer, open Internet Explorer. In the Address box, type http://portal.contoso.com, and then press Enter.
   b. In the portal Web site, under Links, move the mouse pointer over Research Web Site (do not click).
   c. Click Research Web Site.
   d. On the toolbar, click the Back button.
   e. Close Internet Explorer.
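What link translation does to a response body, covering both the global mapping of Exercise 3 and the cross-site case of Exercise 4, as an added example that is not part of the lab manual and not ISA Server's own filter. It assumes that a mapping is "internal URL to translated URL" applied to HTML bodies, that the global ronsbox mapping is combined with one automatic mapping per publishing rule (internal site name to public name), and that an internal URL only matches when a delimiter follows it; the two HTML pages are constructed, and ports, HTTPS and other content types are left out.

```python
"""Added example for Exercises 3 and 4 (not part of the lab manual): a
simplified model of ISA Server link translation. See the lead-in for the
assumptions made here.
"""
import re
from typing import List, Tuple

# Constructed stand-in for links.htm on the Denver Web server.
LINKS_PAGE = """\
<p><a href="http://ronsbox/pic1.jpg">Translated link for pic1.jpg</a></p>
<img src="http://denver.contoso.com/images/pic1.jpg">
"""

# Constructed stand-in for the Project-D portal page.
PORTAL_PAGE = """\
<ul>
 <li><a href="http://portal/Shared%20Documents/Agenda.doc">Agenda</a></li>
 <li><a href="http://server1/research/">Research Web Site</a></li>
 <li><a href="http://server10/other/">Not published</a></li>
 <li><a href="http://portal.contoso.com/already/public.htm">Already public</a></li>
</ul>
"""

# An internal URL counts only when a delimiter (or the end) follows it,
# so http://portal does not fire inside http://portal.contoso.com.
DELIM = r"(?=[/\"'\s<>?#]|$)"


def lab_mappings() -> List[Tuple[str, str]]:
    """(internal URL, translated URL) pairs as set up on Paris by the end of
    Exercise 4: the global mapping plus one per Web publishing rule."""
    global_mappings = [("http://ronsbox", "http://www.contoso.com")]
    rule_mappings = [
        ("http://denver.contoso.com", "http://www.contoso.com"),   # Web Home Page (on Denver)
        ("http://portal", "http://portal.contoso.com"),            # Portal Web Site
        ("http://server1", "http://web1.contoso.com"),             # Server1 Web Site
    ]
    return global_mappings + rule_mappings


def translate_links(body: str, mappings: List[Tuple[str, str]],
                    content_type: str = "text/html") -> str:
    """Rewrite internal URLs to their public form in an HTML body."""
    if not content_type.lower().startswith("text/html"):
        return body  # only HTML is rewritten in this model
    # Longest internal URL first, so a shorter entry never clobbers a longer one.
    for internal, public in sorted(mappings, key=lambda m: -len(m[0])):
        body = re.sub(re.escape(internal) + DELIM, public, body, flags=re.IGNORECASE)
    return body


def leaked_internal_hosts(body: str) -> List[str]:
    """Single-label http(s):// host names still present after translation.
    Each one is an internal name disclosed to External clients, and a link
    that does not work from outside, like Research Web Site before task 6."""
    hosts = re.findall(r"https?://([A-Za-z0-9-]+)" + DELIM, body)
    return sorted(set(h.lower() for h in hosts))


if __name__ == "__main__":
    out = translate_links(PORTAL_PAGE, lab_mappings())
    print(out)
    print("still internal:", leaked_internal_hosts(out))
```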

Exercise 5: Publishing a Web Farm for Load Balancing


In this exercise, you will publish two Web servers (10.1.1.21 and 10.1.1.22) as a Web farm. ISA Server
load balances Web requests to servers in a Web farm.

The exercise uses both Cookie-Based Load Balancing and Source-IP Based Load Balancing.

Tasks Detailed steps

 Perform the following steps on the Paris computer.

1. On the Paris computer, create a new Web listener (if this is not done already).
   Name: External Web 80
   SSL: disable
   Network: External
   Compression: disable
   Authentication: none
   a. On the Paris computer, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.
   b. In the ISA Server console, expand Paris, and then select Firewall Policy.
   c. In the task pane, on the Toolbox tab, in the Network Objects section, expand Web Listeners (if possible).
   d. If a Web Listener named External Web 80 does not exist, then right-click Web Listeners, and then click New Web Listener.
   e. In the New Web Listener Definition Wizard dialog box, in the Web listener name text box, type External Web 80, and then click Next.
   f. On the Client Connection Security page, select Do not require SSL secured connections with clients, and then click Next.
   g. On the Web Listener IP Addresses page, complete the following information:
      Listen on network: External
      ISA Server will compress content: disable
      and then click Next.
   h. On the Authentication Settings page, in the drop-down list box, select No Authentication, and then click Next.
   i. On the Single Sign On Settings page, click Next.
   j. On the Completing the New Web Listener Wizard page, click Finish.
2. Create a new Server Farm network element.
   Name: Shop Web Servers
   Addresses:
   - 10.1.1.21
   - 10.1.1.22
   Monitoring: http://*/
   a. In the task pane, on the Toolbox tab, in the Network Objects section, right-click Server Farms, and then click New Server Farm.
   b. In the New Server Farm Definition Wizard dialog box, in the Server farm name text box, type Shop Web Servers, and then click Next.
   c. On the Servers page, click Add.
   d. In the Server Details dialog box, complete the following information:
      Computer name or IP address: 10.1.1.21
      Description: Shopping Web Server 1
      and then click OK.
   e. On the Servers page, click Add again.
   f. In the Server Details dialog box, complete the following information:
      Computer name or IP address: 10.1.1.22
      Description: Shopping Web Server 2
      and then click OK.
   g. On the Servers page, click Next.
   h. On the Server Farm Connectivity Monitoring page, complete the following information:
      Send an HTTP/HTTPS GET request: enable (is default)
      Current URL: http://*/ (is default)
      and then click Next.
   i. On the Completing the New Server Farm Wizard page, click Finish.
   j. In the HTTP Connectivity Verification dialog box, click Yes to confirm that you want the connectivity verifiers system policy to be enabled.
3. Create a new Web publishing rule.
   Name: Sales Web Site
   Type: Publish server farm
   Internal name: store.contoso.com/shop
   Server farm: Shop Web Servers
   Load balance mechanism: Cookie-based
   Public name: www.contoso.com/shop
   Web listener: External Web 80
   Delegation: none
   a. In the right pane, select the first rule, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.
   b. In the task pane, on the Tasks tab, click Publish Web Sites.
   c. In the New Publishing Rule Wizard dialog box, in the Web publishing rule name text box, type Sales Web Site, and then click Next.
   d. On the Select Rule Action page, select Allow, and then click Next.
   e. On the Publishing Type page, select Publish a server farm of load balanced Web servers, and then click Next.
   f. On the Server Connection Security page, select Use non-secured connections to connect to the published Web server or server farm, and then click Next.
   g. On the Internal Publishing Details page, in the Internal site name text box, type store.contoso.com, and then click Next.
   h. On the next Internal Publishing Details page, complete the following information:
      Path: shop/*
      Forward the original host header: disable (default)
      and then click Next.
   i. On the Specify Server Farm page, complete the following information:
      Select the server farm (drop-down list box): Shop Web Servers
      Cookie-based Load Balancing: enable (is default)
      and then click Next.
   j. On the Public Name Details page, complete the following information:
      Accept request for: This domain name (type below)
      Public name: www.contoso.com
      Path (optional): /shop/* (automatic)
      and then click Next.
   k. On the Select Web Listener page, in the Web listener drop-down list box, select External Web 80, and then click Next.
   l. On the Authentication Delegation page, in the drop-down list box, select No delegation, and client cannot authenticate directly, and then click Next.
   m. On the User Sets page, click Next.
   n. On the Completing the New Web Publishing Rule Wizard page, click Finish.
4. Apply the changes.
   a. Click Apply to apply the changes, and then click OK.
5. Examine the connectivity verifiers for the Shop Web Servers farm.
   a. In the ISA Server console, in the left pane, select Monitoring.
   b. In the right pane, select the Connectivity Verifiers tab.
   c. Right-click the first Farm: Shop Web Servers connectivity verifier, and then click Properties.
   d. In the Farm: Shop Web Servers Properties dialog box, select the Connectivity Verification tab.
   e. Click Cancel to close the Farm: Shop Web Servers Properties dialog box.
 Perform the following steps on the Istanbul computer.

6. On the Istanbul computer, use Internet Explorer to connect to http://www.contoso.com/shop/web.asp.
   a. On the Istanbul computer, open Internet Explorer. In the Address box, type http://www.contoso.com/shop/web.asp, and then press Enter.
   b. On the toolbar, click the Refresh button to refresh the content of the Web page.
7. Create two new Internet Explorer sessions, and connect to http://www.contoso.com/shop/web.asp.
   a. On the Start menu, click All Programs, and then click Internet Explorer.
   b. In Internet Explorer, in the Address box, type http://www.contoso.com/shop/web.asp, and then press Enter.
   c. On the toolbar, click the Refresh button to refresh the content of the Web page.
   d. On the Start menu, click All Programs, and then click Internet Explorer again.
   e. In Internet Explorer, in the Address box, type http://www.contoso.com/shop/web.asp, and then press Enter.
 Perform the following steps on the Denver computer.

8. On the Denver computer, stop the Server1 Web Site to simulate a connectivity problem with the Web server on 10.1.1.21.
   a. On the Denver computer, on the Start menu, click Administrative Tools, and then click Internet Information Services (IIS) Manager.
   b. In the IIS Manager console, expand DENVER (local computer), expand Web Sites, and then select Server1 Web Site.
   c. Right-click Server1 Web Site, and then click Properties.
   d. Click Cancel to close the Server1 Web Site Properties dialog box.
   e. Right-click Server1 Web Site, and then click Stop.
 Perform the following steps on the Istanbul computer.

9. On the Istanbul computer, attempt to refresh the content of the Web pages that were from 10.1.1.21 (Server1).
   a. On the Istanbul computer, switch to one of the Internet Explorer windows that currently displays the web.asp page from 10.1.1.21 (Server1).
   b. On the toolbar, click the Refresh button to refresh the content of the Web page.
   c. Wait 20 seconds, and then on the toolbar, click the Refresh button again.
   d. Switch to the other Internet Explorer window that displays the web.asp page from 10.1.1.21 (Server1).
   e. On the toolbar, click the Refresh button.

 Perform the following steps on the Paris computer.

10. On the Paris computer, examine the connectivity verifier and the alert for the connection to 10.1.1.21.
   a. On the Paris computer, in the ISA Server console, in the left pane, select Monitoring.
   b. In the right pane, select the Connectivity Verifiers tab.
   c. In the right pane, select the Alerts tab.
   d. In the task pane, on the Tasks tab, click Refresh Now.
   e. In the right pane, expand the No Connectivity alert, and then select the lower No Connectivity line.
   f. Right-click the lower No Connectivity line, and then click Reset.
   g. Click Yes to confirm that you want to reset the No Connectivity alert.
 Perform the following steps on the Denver computer.

11. On the Denver computer, start the Server1 Web Site.
   a. On the Denver computer, in the IIS Manager console, right-click Server1 Web Site, and then click Start.
 Perform the following steps on the Istanbul computer.

12. On the Istanbul computer, refresh the Web page from 10.1.1.22, and create a new connection to http://www.contoso.com/shop/web.asp.
   a. On the Istanbul computer, switch to any of the Internet Explorer windows that currently displays the web.asp page from 10.1.1.22 (Server2).
   b. On the toolbar, click the Refresh button to refresh the content of the Web page.
   c. On the Start menu, click All Programs, and then click Internet Explorer.
   d. Wait 20 seconds, and then in Internet Explorer, in the Address box, type http://www.contoso.com/shop/web.asp, and press Enter.
   e. Close all Internet Explorer windows.
 Perform the following steps on the Paris computer.

13. On the Paris computer, change the load balancing mechanism for the Sales Web Site rule to Source-IP based.
   a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
   b. In the right pane, right-click the Sales Web Site rule, and then click Properties.
   c. In the Sales Web Site Properties dialog box, on the Web Farm tab, in the Load Balancing Mechanism section, select Source-IP based.
   d. Click OK to close the Sales Web Site Properties dialog box.
14. Apply the changes.
   a. Click Apply to apply the changes, and then click OK.
 Perform the following steps on the Istanbul computer.

15. On the Istanbul computer, create two new Internet Explorer sessions, and connect to http://www.contoso.com/shop/web.asp.
   a. On the Istanbul computer, on the Start menu, click All Programs, and then click Internet Explorer.
   b. In Internet Explorer, in the Address box, type http://www.contoso.com/shop/web.asp, and then press Enter.
   c. On the toolbar, click the Refresh button to refresh the content of the Web page.
   d. On the Start menu, click All Programs, and then click Internet Explorer.
   e. In Internet Explorer, in the Address box, type http://www.contoso.com/shop/web.asp, and then press Enter.
 Perform the following steps on the Denver computer.

16. On the Denver computer, stop the Server2 Web Site to simulate a connectivity problem with the Web server on 10.1.1.22.
   a. On the Denver computer, in the IIS Manager console, right-click Server2 Web Site, and then click Stop.
 Perform the following steps on the Istanbul computer.

17. On the Istanbul computer, attempt to refresh the content of the Web page that was from 10.1.1.22 (Server2).
   a. On the Istanbul computer, switch to one of the Internet Explorer windows that currently displays the web.asp page from 10.1.1.22 (Server2).
   b. On the toolbar, click the Refresh button to refresh the content of the Web page.
   c. Wait 20 seconds, and then on the toolbar, click the Refresh button again.
 Perform the following steps on the Denver computer.

18. On the Denver computer, start the Server2 Web Site.
   a. On the Denver computer, in the IIS Manager console, right-click Server2 Web Site, and then click Start.
   b. Close the IIS Manager console.
 Perform the following steps on the Istanbul computer.

19. On the Istanbul computer, attempt to refresh the content of the Web page that was from 10.1.1.21 (Server1).
   a. On the Istanbul computer, switch to the Internet Explorer window that currently displays the web.asp page from 10.1.1.21 (Server1).
   b. On the toolbar, click the Refresh button to refresh the content of the Web page.
   c. Wait 20 seconds, and then on the toolbar, click the Refresh button again.
   d. Close all Internet Explorer windows.
 Perform the following steps on the Paris computer.

20. On the Paris computer, delete the Sales Web Site rule, and delete the Shop Web Servers farm.
   a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
   b. In the right pane, right-click the Sales Web Site rule, and then click Delete.
   c. Click Yes to confirm that you want to delete Sales Web Site.
   d. In the task pane, on the Toolbox tab, in the Network Objects section, expand Server Farms.
   e. Under Server Farms, right-click Shop Web Servers, and then click Delete.
   f. Click Yes to confirm that you want to delete Shop Web Servers.
21. Apply the changes.
   a. Click Apply to apply the changes, and then click OK.
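The behaviour this exercise demonstrates, written out as an added example that is not part of the lab manual and not ISA Server's own code: a small Python model of a server farm with the two load-balancing mechanisms the Sales Web Site rule offers, plus a connectivity verifier that takes a member out of rotation while it fails (the lab simulates this by stopping the Server1 and Server2 Web sites) and returns it when it answers again. The farm addresses 10.1.1.21 and 10.1.1.22 come from the exercise; the cookie name, the round-robin choice for new sessions, the affinity table and the client address 39.1.1.5 are assumptions of this example, not a description of ISA Server internals.

```python
"""Added example, not from the lab manual: a model of a load-balanced Web
farm with cookie-based and source-IP based affinity and a connectivity
verifier. The farm addresses are the lab's; everything else is assumed."""

AFFINITY_COOKIE = "farm-member"   # assumed cookie name, not ISA Server's own


class WebFarm:
    def __init__(self, members, mechanism="cookie"):
        if mechanism not in ("cookie", "source-ip"):
            raise ValueError("mechanism must be 'cookie' or 'source-ip'")
        self.members = list(members)        # e.g. ["10.1.1.21", "10.1.1.22"]
        self.mechanism = mechanism
        self.healthy = set(self.members)    # maintained by verify()
        self.affinity = {}                  # client IP -> member (source-ip mode)
        self._cursor = 0                    # round-robin position for new sessions

    def verify(self, probe):
        """Run the connectivity verifier. probe(member) stands in for the
        'HTTP GET http://*/' check and returns True when the member answers.
        Members that fail leave the rotation; members that answer rejoin.
        Returns the sorted list of healthy members."""
        for member in self.members:
            if probe(member):
                self.healthy.add(member)
            else:
                self.healthy.discard(member)
        return sorted(self.healthy)

    def _pick_new(self):
        """Round-robin over the farm, skipping unhealthy members (assumed policy)."""
        for _ in range(len(self.members)):
            member = self.members[self._cursor % len(self.members)]
            self._cursor += 1
            if member in self.healthy:
                return member
        raise RuntimeError("no healthy members in the farm")

    def route(self, client_ip, cookies=None):
        """Return (member, cookies_to_set_on_the_response).

        cookie mode: the cookie names the member; a request without the
        cookie (a fresh browser session) is a new session and may land on a
        different member than the client's other sessions.
        source-ip mode: every request from one client address goes to the
        same member, whichever browser window it comes from.
        In both modes a request pinned to a member the verifier has removed
        is re-dispatched to a healthy member."""
        cookies = cookies or {}
        if self.mechanism == "cookie":
            pinned = cookies.get(AFFINITY_COOKIE)
            if pinned in self.healthy:
                return pinned, {}
            member = self._pick_new()
            return member, {AFFINITY_COOKIE: member}
        pinned = self.affinity.get(client_ip)
        if pinned not in self.healthy:
            pinned = self._pick_new()
            self.affinity[client_ip] = pinned
        return pinned, {}


def walk_through(mechanism):
    """Replay the exercise: two browser sessions from one client, then
    10.1.1.21 stops answering, both windows refresh, then it recovers and a
    new window opens. Returns the members that served each request in order."""
    farm = WebFarm(["10.1.1.21", "10.1.1.22"], mechanism)
    client = "39.1.1.5"                      # constructed client address
    served = []
    jars = [{}, {}]                          # two Internet Explorer windows
    for jar in jars:                         # first request of each session
        member, set_cookie = farm.route(client, jar)
        jar.update(set_cookie)
        served.append(member)
    farm.verify(lambda m: m != "10.1.1.21")  # Server1 Web Site stopped
    for jar in jars:                         # refresh both windows
        member, set_cookie = farm.route(client, jar)
        jar.update(set_cookie)
        served.append(member)
    farm.verify(lambda m: True)              # Server1 Web Site started again
    member, _ = farm.route(client, {})       # brand-new window, no cookie
    served.append(member)
    return served


if __name__ == "__main__":
    for mechanism in ("cookie", "source-ip"):
        print(mechanism, walk_through(mechanism))
```

Running the module prints one line per mechanism. With cookie-based affinity the two windows land on different members and only the window pinned to the failed member moves; with source-IP affinity both windows share one member and both move together, which is what the refresh steps on the Istanbul computer show.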

Exercise 6: Publishing Multiple Terminal Servers


In this exercise, you will configure ISA Server to publish a terminal server (remote desktop) on the
Internal network and publish a terminal server on the ISA Server computer.

Tasks Detailed steps

 Perform the following steps on the Denver computer.

1. On the Denver computer, use System properties to enable remote desktop.
   a. On the Denver computer, on the Start menu, click Control Panel, and then click System.
   b. In the System Properties dialog box, on the Remote tab, enable Enable Remote Desktop on this computer.
   c. Click OK to acknowledge that remote connection accounts must have passwords, and that the correct port must be open for remote connections.
   d. Click OK to close the System Properties dialog box.
 Perform the following steps on the Paris computer.

2. On the Paris computer, create a server publishing rule:
   Name: Publish RDP (on Denver)
   Server: 10.1.1.5
   Protocols: RDP (Terminal Services) Server
   a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
   b. In the right pane, select the first rule, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.
   c. In the task pane, on the Tasks tab, click Publish Non-Web Server Protocols.
   d. In the New Server Publishing Rule Wizard dialog box, in the Server publishing rule name text box, type Publish RDP (on Denver), and then click Next.
   e. On the Select Server page, in the Server IP address text box, type 10.1.1.5, and then click Next.
   f. On the Select Protocol page, in the Selected protocol drop-down list box, select RDP (Terminal Services) Server, and then click Next.
   g. On the Network Listener IP Addresses page, select External, and then click Next.
   h. On the Completing the New Server Publishing Rule Wizard page, click Finish.
   i. Click Apply to apply the new rule, and then click OK.
3. Use the C:\Tools\fwengmon /C command to examine the active creation objects.
   a. Open a Command Prompt window.
   b. At the command prompt, type netstat -ano | find ":3389", and then press Enter.
   c. Type cd \tools, and then press Enter.
   d. Type fwengmon /?, and then press Enter.
   e. Type fwengmon /C, and then press Enter.
   f. Do not close the Command Prompt window.
 Perform the following steps on the Istanbul computer.

4. On the Istanbul computer, create a remote desktop connection to 39.1.1.1 (Paris).
   a. On the Istanbul computer, on the Start menu, click All Programs, click Accessories, click Communications, and then right-click Remote Desktop Connection, and click Pin to Start menu.
   b. On the Start menu, click Remote Desktop Connection.
   c. In the Remote Desktop Connection dialog box, in the Computer text box, type 39.1.1.1, and then click Connect.
   d. In the Log On to Windows dialog box, complete the following information:
      User name: Administrator
      Password: password
      and then click OK.
5. Use the netstat command to examine the client IP address of the remote desktop connection.
   a. In the remote desktop connection to Denver, open a Command Prompt window.
   b. At the command prompt, type netstat -ano | find ":3389", and then press Enter.
   c. Close the Command Prompt window.
6. Log off the remote desktop connection.
   a. In the remote desktop connection to Denver, on the Start menu, click Log Off.
   b. Click Log Off to confirm that you are sure you want to log off.
 Perform the following steps on the Paris computer.

7. On the Paris computer, change the Publish RDP (on Denver) rule.
   Requests appear to come from: ISA Server computer
   a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
   b. In the right pane, right-click Publish RDP (on Denver), and then click Properties.
   c. In the Publish RDP (on Denver) Properties dialog box, on the To tab, select Requests appear to come from the ISA Server computer.
   d. Click OK to close the Publish RDP (on Denver) Properties dialog box.
   e. Click Apply to save the changes, and then click OK.

 Perform the following steps on the Istanbul computer.

8. On the Istanbul computer, create a remote desktop connection to 39.1.1.1 (Paris).
   a. On the Istanbul computer, on the Start menu, click Remote Desktop Connection.
   b. In the Remote Desktop Connection dialog box, in the Computer text box, type 39.1.1.1, and then click Connect.
   c. In the Log On to Windows dialog box, complete the following information:
      User name: Administrator
      Password: password
      and then click OK.
9. Use the netstat command to examine the client IP address of the remote desktop connection.
   a. In the remote desktop connection to Denver, open a Command Prompt window.
   b. At the command prompt, type netstat -ano | find ":3389", and then press Enter.
   c. Close the Command Prompt window.
10. Log off the remote desktop connection.
   a. In the remote desktop connection to Denver, on the Start menu, click Log Off.
   b. Click Log Off to confirm that you are sure you want to log off.
 Perform the following steps on the Paris computer.

11. On the Paris computer, change the Publish RDP (on Denver) rule.
   Publish on port: 3390
   a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
   b. In the right pane, right-click Publish RDP (on Denver), and then click Properties.
   c. In the Publish RDP (on Denver) Properties dialog box, on the Traffic tab, click Ports.
   d. In the Ports dialog box, complete the following information:
      Publish on this port instead of the default port: 3390
      and then click OK.
   e. Click OK to close the Publish RDP (on Denver) Properties dialog box.
   f. Click Apply to save the changes, and then click OK.
12. Use the C:\Tools\fwengmon /C command to examine the active creation objects.
   a. In a Command Prompt window in the C:\Tools folder, type fwengmon /C, and then press Enter.
 Perform the following steps on the Istanbul computer.

13. On the Istanbul computer, create a remote desktop connection to 39.1.1.1:3390 (Paris).
   a. On the Istanbul computer, on the Start menu, click Remote Desktop Connection.
   b. In the Remote Desktop Connection dialog box, in the Computer text box, type 39.1.1.1:3390, and then click Connect.
   c. Click Cancel to close the Log On to Windows dialog box.
   d. Click Close to close the Remote Desktop Connection dialog box.
 Perform the following steps on the Paris computer.

14. On the Paris computer, use System properties to enable remote desktop.
   a. On the Paris computer, on the Start menu, click Control Panel, and then click System.
   b. In the System Properties dialog box, on the Remote tab, enable Enable Remote Desktop on this computer.
   c. Click OK to acknowledge that remote connection accounts must have passwords, and that the correct port must be open for remote connections.
   d. Click OK to close the System Properties dialog box.
15. Use the netstat command, and the C:\Tools\fwengmon /C command, to examine the effect of enabling remote desktop.
   a. In a Command Prompt window, type netstat -ano | find ":3389", and then press Enter.
   b. At the command prompt, type tasklist /svc | find "nnnn", and then press Enter. (Replace nnnn with the actual process ID displayed in the output of the previous step.)
   c. At the command prompt, in the C:\Tools folder, type fwengmon /C, and then press Enter.
16. Create a server publishing rule:
   Name: Publish RDP (on Paris)
   Server: 10.1.1.1
   Protocols: RDP (Terminal Services) Server
   a. In the ISA Server console, in the left pane, select Firewall Policy.
   b. In the right pane, select the first rule to indicate where the new rule is added to the rule list.
   c. In the task pane, on the Tasks tab, click Publish Non-Web Server Protocols.
   d. In the New Server Publishing Rule Wizard dialog box, in the Server publishing rule name text box, type Publish RDP (on Paris), and then click Next.
   e. On the Select Server page, in the Server IP address text box, type 10.1.1.1, and then click Next.
   f. On the Select Protocol page, in the Selected protocol drop-down list box, select RDP (Terminal Services) Server, and then click Next.
   g. On the Network Listener IP Addresses page, select External, and then click Next.
   h. On the Completing the New Server Publishing Rule Wizard page, click Finish.
   i. Click Apply to apply the new rule, and then click OK.
17. Use the netstat command, and the C:\Tools\fwengmon /C command, to examine the effect of enabling remote desktop.
   a. In a Command Prompt window, type netstat -ano | find ":3389", and then press Enter.
   b. At the command prompt, in the C:\Tools folder, type fwengmon /C, and then press Enter.
 Perform the following steps on the Istanbul computer.

18. On the Istanbul computer, create a remote desktop connection to 39.1.1.1 (Paris).
   a. On the Istanbul computer, on the Start menu, click Remote Desktop Connection.
   b. In the Remote Desktop Connection dialog box, in the Computer text box, type 39.1.1.1, and then click Connect.
   c. Click Cancel to close the Log On to Windows dialog box.
   d. Click Close to close the Remote Desktop Connection dialog box.
 Perform the following steps on the Denver computer.

19. On the Denver computer, use System properties to disable remote desktop.
   a. On the Denver computer, on the Start menu, click Control Panel, and then click System.
   b. In the System Properties dialog box, on the Remote tab, in the Remote Desktop box, clear Enable Remote Desktop to this computer.
   c. Click OK to close the System Properties dialog box.
 Perform the following steps on the Paris computer.

20. On the Paris computer, use System properties to disable remote desktop.
   a. On the Paris computer, on the Start menu, click Control Panel, and then click System.
   b. In the System Properties dialog box, on the Remote tab, in the Remote Desktop box, clear Enable Remote Desktop to this computer.
   c. Click OK to close the System Properties dialog box.
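The netstat and tasklist checks this exercise has you run by hand, as an added example that is not part of the lab manual: a Python script that parses netstat -ano and tasklist /svc output, finds the process that owns the RDP listener, and reports which peer address the published server sees for each RDP session. That peer address is the point of tasks 5 and 9: after the rule is set to "Requests appear to come from the ISA Server computer", the published server sees the ISA Server's internal address (10.1.1.1 in the lab) rather than the client, so its own logs and any host-based address filtering no longer identify who connected. The sample output is constructed to resemble the lab, not captured; the client address 39.1.1.5 and the PIDs are assumptions.

```python
"""Added example, not from the lab manual: parse 'netstat -ano' and
'tasklist /svc' output to find the RDP listener's process and the peer
address of each RDP session. All sample output below is constructed."""
import re

RDP_PORT = 3389
ISA_INTERNAL_IP = "10.1.1.1"   # Paris, internal interface (lab topology)

# netstat -ano, TCP rows: proto, local ip:port, remote ip:port, state, pid
_TCP_ROW = re.compile(
    r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")
# tasklist /svc rows: image name, pid, comma-separated service names
_TASK_ROW = re.compile(r"^(\S+\.exe)\s+(\d+)\s+(.*?)\s*$")


def parse_netstat(text):
    """Return one dict per TCP row; UDP rows and headers are ignored."""
    rows = []
    for line in text.splitlines():
        m = _TCP_ROW.match(line)
        if m:
            rows.append({
                "local_ip": m.group(1), "local_port": int(m.group(2)),
                "remote_ip": m.group(3), "remote_port": int(m.group(4)),
                "state": m.group(5), "pid": int(m.group(6)),
            })
    return rows


def listener_pid(rows, port=RDP_PORT):
    """PID of the process listening on port, or None if nothing listens."""
    for r in rows:
        if r["local_port"] == port and r["state"] == "LISTENING":
            return r["pid"]
    return None


def services_for_pid(tasklist_text, pid):
    """Service names hosted by pid according to tasklist /svc (the step
    the lab performs with 'tasklist /svc | find "nnnn"')."""
    for line in tasklist_text.splitlines():
        m = _TASK_ROW.match(line)
        if m and int(m.group(2)) == pid:
            return [s.strip() for s in m.group(3).split(",") if s.strip()]
    return []


def rdp_peers(rows, port=RDP_PORT, isa_ip=ISA_INTERNAL_IP):
    """For each established RDP session, report (peer address, origin, pid).
    origin is 'isa-server' when the peer is the ISA Server's own address,
    meaning the original client address has been replaced, and
    'original-client' otherwise."""
    report = []
    for r in rows:
        if r["local_port"] == port and r["state"] == "ESTABLISHED":
            origin = "isa-server" if r["remote_ip"] == isa_ip else "original-client"
            report.append((r["remote_ip"], origin, r["pid"]))
    return report


# Constructed samples. 39.1.1.5 is an assumed address for the Istanbul client.
NETSTAT_CLIENT_PRESERVED = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1044
  TCP    10.1.1.5:3389          39.1.1.5:1102          ESTABLISHED     1044
  UDP    0.0.0.0:500            *:*                                     712
"""

NETSTAT_SOURCE_TRANSLATED = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1044
  TCP    10.1.1.5:3389          10.1.1.1:2231          ESTABLISHED     1044
"""

TASKLIST_SVC = """
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                   1044 TermService
lsass.exe                      712 PolicyAgent, SamSs
"""


if __name__ == "__main__":
    rows = parse_netstat(NETSTAT_CLIENT_PRESERVED)
    pid = listener_pid(rows)
    print("RDP listener PID", pid, "services", services_for_pid(TASKLIST_SVC, pid))
    print("before the rule change:", rdp_peers(rows))
    print("after the rule change: ", rdp_peers(parse_netstat(NETSTAT_SOURCE_TRANSLATED)))
```

To use it against a real host, paste the output of the two commands into the two string constants (or read them from files); the regular expressions only depend on the column layout of the Windows Server 2003 era tools the lab uses.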
Module D: Publishing an Exchange Server

Exercise 1: Publishing Exchange Web Access - Certificate Management

In this exercise, you will enable access to the Exchange Server for clients that use Outlook Web
Access (OWA). You configure ISA Server to use SSL Bridging, because you want to encrypt the
connection with the SSL protocol (HTTPS), but you also want to inspect the traffic at the ISA Server
computer.

This exercise also demonstrates the new certificate management functionality of ISA Server 2006.

Tasks Detailed steps

 Perform the following steps on the Denver computer.

1. On the Denver computer, import the denver.contoso.com Web server certificate from the C:\Tools\Certs folder.
   a. On the Denver computer, use Windows Explorer (or My Computer) to open the C:\Tools\Certs folder.
   b. In the Certs folder, right-click denver-certload.vbs, and then click Open.
   c. Click Yes to confirm that you want to import the certificate.
   d. Click OK to acknowledge that the import of the certificate is complete.
   e. Close the Certs folder.
2. Configure IIS to use the denver.contoso.com Web server certificate.
   a. On the Start menu, click Administrative Tools, and then click Internet Information Services (IIS) Manager.
   b. In the IIS Manager console, expand DENVER (local computer), expand Web Sites, right-click Default Web Site, and then click Properties.
   c. In the Default Web Site Properties dialog box, on the Directory Security tab, click Server Certificate.
   d. In the Welcome to the Web Server Certificate Wizard dialog box, click Next.
   e. On the Server Certificate page, select Assign an existing certificate, and then click Next.
   f. On the Available Certificates page, select the certificate for denver.contoso.com that has the intended purpose of Server Authentication (do not select a certificate with another intended purpose), and then click Next.
   g. On the SSL Port page, in the SSL port this web site should use text box, type 443, and then click Next.
   h. On the Certificate Summary page, click Next.
   i. On the Completing the Web Server Certificate Wizard page, click Finish.
   j. Click OK to close the Default Web Site Properties dialog box.
   k. Close the IIS Manager console.
 Perform the following steps on the Paris computer.

3. On the Paris computer, import the mail.contoso.com Web server certificate from the C:\Tools\Certs folder.
   a. On the Paris computer, use Windows Explorer (or My Computer) to open the C:\Tools\Certs folder.
   b. In the Certs folder, right-click mail-certload.vbs, and then click Open.
   c. Click Yes to confirm that you want to import the certificate.
   d. Click OK to acknowledge that the import of the certificate is complete.
4. For demonstration purposes, import invalid certificates from the C:\Tools\Certs\Invalid folder.
   a. In the Certs folder, open the Invalid folder.
   b. In the Invalid folder, right-click certload-invalid-Paris.vbs, and then click Open.
   c. Click Yes to confirm that you want to import the certificates.
   d. Click OK to acknowledge that the import of the certificates is complete.
   e. Close the Invalid folder.
5. Create a new Web listener.
   Name: External Web 443
   SSL: enable
   Network: External
   Compression: disable
   Certificate: mail.contoso.com
   Authentication: HTTP Authentication - Basic
   a. On the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.
   b. In the ISA Server console, expand Paris, and then select Firewall Policy.
   c. In the task pane, on the Toolbox tab, in the Network Objects section, right-click Web Listeners, and then click New Web Listener.
   d. In the New Web Listener Definition Wizard dialog box, in the Web listener name text box, type External Web 443, and then click Next.
   e. On the Client Connection Security page, select Require SSL secured connections with clients, and then click Next.
   f. On the Web Listener IP Addresses page, complete the following information:
      Listen on network: External
      ISA Server will compress content: disable
      and then click Next.
   g. On the Listener SSL Certificates page, click Select Certificate.
   h. In the Select Certificate dialog box, disable Show only valid certificates.
   i. In the certificates list, select each of the certificates cert2.contoso.com to cert5.contoso.com to see the problem with the certificate.
   j. In the certificates list, select mail.contoso.com, and then click Select.
   k. On the Listener SSL Certificates page, click Next.
   l. On the Authentication Settings page, complete the following information:
      Authentication method: HTTP Authentication (is default)
      Basic: enable
      Digest: disable (is default)
      Integrated: disable (is default)
      and then click Next.
   m. On the Single Sign On Settings page, click Next.
   n. On the Completing the New Web Listener Wizard page, click Finish.
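The checks behind the Select Certificate dialog box in steps h to j, as an added example that is not part of the lab manual and not ISA Server's own validation code: a Python routine that takes certificate records and the listener's public name and lists why each record cannot serve an SSL listener (no private key, validity period, missing Server Authentication purpose, name mismatch), leaving the usable ones. The records are constructed dicts that mimic the fields a parsed X.509 certificate exposes; the name mail.contoso.com comes from the exercise, while the defects given to the sample records are illustrative and do not describe the lab's cert2.contoso.com to cert5.contoso.com files.

```python
"""Added example, not from the lab manual or ISA Server: the checks a
certificate must pass before it can back an SSL Web listener, run over
constructed certificate records."""
from datetime import datetime, timezone

SERVER_AUTH_EKU = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth ("Server Authentication")
CLIENT_AUTH_EKU = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth, used for a bad sample


def name_matches(public_name, cert_names):
    """Exact, case-insensitive match, or a wildcard in the leftmost label
    only (*.contoso.com covers mail.contoso.com but not a.b.contoso.com)."""
    public = public_name.lower()
    for name in cert_names:
        name = name.lower()
        if name == public:
            return True
        if name.startswith("*.") and public.count(".") == name.count("."):
            if public.split(".", 1)[1] == name[2:]:
                return True
    return False


def certificate_problems(cert, public_name, now):
    """Return the reasons a certificate cannot serve public_name on an SSL
    listener; an empty list means it is usable."""
    problems = []
    if not cert.get("has_private_key"):
        problems.append("no private key for this certificate on this computer")
    if now < cert["not_before"]:
        problems.append("not yet valid")
    if now > cert["not_after"]:
        problems.append("expired")
    if SERVER_AUTH_EKU not in cert.get("eku", []):
        problems.append("intended purpose does not include Server Authentication")
    names = [cert["subject_cn"]] + list(cert.get("san", []))
    if not name_matches(public_name, names):
        problems.append("subject/SAN does not match public name " + public_name)
    return problems


def usable_certificates(certs, public_name, now):
    """Subject CNs of the certificates that pass every check, in store order."""
    return [c["subject_cn"] for c in certs
            if not certificate_problems(c, public_name, now)]


def _cert(cn, **overrides):
    """Build a constructed certificate record with sensible defaults."""
    base = {
        "subject_cn": cn, "san": [], "has_private_key": True,
        "not_before": datetime(2006, 1, 1, tzinfo=timezone.utc),
        "not_after": datetime(2008, 1, 1, tzinfo=timezone.utc),
        "eku": [SERVER_AUTH_EKU],
    }
    base.update(overrides)
    return base


# Constructed certificate store: two usable entries plus typical defects.
NOW = datetime(2007, 6, 1, tzinfo=timezone.utc)
STORE = [
    _cert("mail.contoso.com"),
    _cert("*.contoso.com"),
    _cert("sample-expired.contoso.com", san=["mail.contoso.com"],
          not_after=datetime(2007, 1, 1, tzinfo=timezone.utc)),
    _cert("mail.contoso.com", has_private_key=False),
    _cert("mail.contoso.com", eku=[CLIENT_AUTH_EKU]),
    _cert("denver.contoso.com"),
]

if __name__ == "__main__":
    for cert in STORE:
        print(cert["subject_cn"],
              certificate_problems(cert, "mail.contoso.com", NOW) or "OK")
```

The same routine explains step f of task 2 on the Denver computer: a certificate whose intended purpose is not Server Authentication is rejected even when its name and validity period are fine.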
6. Create an OWA mail server publishing rule:
   Name: Publish mail (OWA)
   Version: Exchange Server 2003
   Internal site name: denver.contoso.com
   Public name: mail.contoso.com
   Web listener: External Web 443
   Delegation: Basic Authentication
   a. In the right pane, select the first rule, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.
   b. In the task pane, on the Tasks tab, click Publish Exchange Web Client Access.
   c. In the New Exchange Publishing Rule Wizard dialog box, in the Exchange Publishing rule name text box, type Publish mail (OWA), and then click Next.
   d. On the Select Services page, complete the following information:
      Exchange version: Exchange Server 2003 (is default)
      Outlook Web Access: enable (is default)
      Leave the other check boxes disabled (is default)
      and then click Next.
   e. On the Publishing Type page, select Publish a single Web site, and then click Next.
   f. On the Server Connection Security page, select Use SSL to connect to the published Web server, and then click Next.
   g. On the Internal Publishing Details page, in the Internal site name text box, type denver.contoso.com, and then click Next.
   h. On the Public Name Details page, complete the following information:
      Accept requests for: This domain name (type below):
      Public name: mail.contoso.com
      and then click Next.
   i. On the Select Web Listener page, in the Web listener drop-down list box, select External Web 443, and then click Next.
   j. On the Authentication Delegation page, select Basic Authentication, and then click Next.
   k. On the User Sets page, click Next.
   l. On the Completing the New Exchange Publishing Rule Wizard page, click Finish.
7. Examine the new OWA mail server publishing rule named Publish mail (OWA).
   a. In the right pane, right-click Publish mail (OWA), and then click Properties.
   b. In the Publish mail (OWA) Properties dialog box, select the To tab.
   c. Select the Traffic tab.
   d. Select the Paths tab.
   e. Select the Listener tab.
   f. Select the Bridging tab.
   g. Click Cancel to close the Publish mail (OWA) Properties dialog box.
8. Apply the new rule.
   a. Click Apply to apply the new rule, and then click OK.
 Perform the following steps on the Denver computer.

9. On the Denver computer, configure IIS to require SSL on the virtual directories used by OWA:
   /Exchange
   /ExchWeb
   /Public
   a. On the Denver computer, on the Start menu, click Administrative Tools, and then click Internet Information Services (IIS) Manager.
   b. In the IIS Manager console, expand Default Web Site, right-click Exchange, and then click Properties.
   c. In the Exchange Properties dialog box, on the Directory Security tab, in the Secure communications box, click Edit.
   d. In the Secure Communications box, enable Require secure channel (SSL), and then click OK.
   e. Click OK to close the Exchange Properties dialog box.
   f. Right-click ExchWeb, and then click Properties.
   g. In the ExchWeb Properties dialog box, on the Directory Security tab, in the Secure communications box, click Edit.
   h. In the Secure Communications box, enable Require secure channel (SSL), and then click OK.
   i. Click OK to close the ExchWeb Properties dialog box.
   j. Right-click Public, and then click Properties.
   k. In the Public Properties dialog box, on the Directory Security tab, in the Secure communications box, click Edit.
   l. In the Secure Communications box, enable Require secure channel (SSL), and then click OK.
   m. Click OK to close the Public Properties dialog box.
   n. Close the IIS Manager console.
 Perform the following steps on the Istanbul computer.

10. On the Istanbul computer, use Internet Explorer to securely connect to https://mail.contoso.com/exchange. Send an e-mail to Administrator to test the secure OWA connection to ISA Server.
   a. On the Istanbul computer, open Internet Explorer. In the Address box, type https://mail.contoso.com/exchange, and then press Enter.
   b. In the Connect to mail.contoso.com dialog box, complete the following information:
      User name: Administrator
      Password: password
      Remember my password: disable (is default)
      and then click OK.
   c. On the OWA toolbar, click New.
   d. In the new message window, complete the following information:
      To: Administrator
      Subject: Test mail through Secure OWA - 1
      (Message): Publish Exchange using Secure OWA
      and then click Send.
   e. After a few moments, in the left pane, click Inbox to refresh the display of the Inbox contents.
   f. Close Internet Explorer.
 Perform the following steps on the Paris computer.

11. On the Paris computer, configure the External Web 443 Web listener to use HTML Form Authentication.
   a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
   b. In the task pane, on the Toolbox tab, in the Network Objects section, expand Web Listeners, right-click External Web 443, and then click Properties.
   c. In the External Web 443 Properties dialog box, on the Authentication tab, in the Client Authentication Method drop-down list box, select HTML Form Authentication.
   d. On the Forms tab, click Advanced.
   e. Click Cancel to close the Advanced Form Options dialog box.
   f. Click OK to close the External Web 443 Properties dialog box.
   g. Click Apply to save the changes, and then click OK.
Perform the following steps on the Istanbul computer.

12. On the Istanbul computer, use Internet Explorer to securely connect to https://mail.contoso.com/exchange again.
   a. On the Istanbul computer, open Internet Explorer. In the Address box, type https://mail.contoso.com/exchange, and then press Enter.
   b. In the Office Outlook Web Access page, complete the following information:
      Security: This is a private computer
      Use Outlook Web Access Light: disable (is default)
      Domain\user name: contoso\administrator
      Password: password
      and then click Log On.
   c. Close Internet Explorer.
Perform the following steps on the Paris computer.

13. On the Paris computer, configure the External Web 443 Web listener to use Basic authentication.
   a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
   b. In the task pane, on the Toolbox tab, in the Network Objects section, expand Web Listeners, right-click External Web 443, and then click Properties.
   c. In the External Web 443 Properties dialog box, on the Authentication tab, complete the following information:
      Client Authentication Method: HTTP Authentication
      Basic: enable
      Digest: disable (is default)
      Integrated: disable (is default)
      and then click OK to close the External Web 443 Properties dialog box.
   d. Click Apply to save the changes, and then click OK.
Exercise 2: Publishing an Exchange Server for SMTP and POP3

In this exercise, you will configure server publishing rules on the ISA Server to allow access to the Exchange Server by using the SMTP and POP3 protocols. Note that on the standard ports both protocols carry the user name, password and mail content in cleartext across the Internet; outside a lab, publish the secure (SSL) ports that the wizard also offers instead.

Perform the following steps on the Istanbul computer.

1. On the Istanbul computer, start Outlook Express, and then attempt to connect to the Exchange Server (POP3) by clicking Send/Recv.
   a. On the Istanbul computer, on the Start menu, click All Programs, and then click Outlook Express.
   b. In Outlook Express, on the toolbar, click Send/Recv.
   c. In the Logon - Contoso mail dialog box, complete the following information:
      User Name: Administrator
      Password: password
      and then click OK.
   d. Click Hide to close the error message box.
Perform the following steps on the Paris computer.

2. On the Paris computer, create a mail server publishing rule:
   Name: Publish mail
   Protocols: SMTP, POP3
   Server: 10.1.1.5
   a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
   b. In the right pane, select the first rule, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.
   c. In the task pane, on the Tasks tab, click Publish Mail Servers.
   d. In the New Mail Server Publishing Rule Wizard dialog box, in the Mail Server Publishing rule name text box, type Publish mail, and then click Next.
   e. On the Select Access Type page, select Client access: RPC, IMAP, POP3, SMTP, and then click Next.
   f. On the Select Services page, complete the following information:
      POP3 (standard port): enable
      SMTP (standard port): enable
      Leave all other check boxes disabled
      and then click Next.
   g. On the Select Server page, in the Server IP address text box, type 10.1.1.5, and then click Next.
   h. On the Network Listener IP Addresses page, select External, and then click Next.
   i. On the Completing the New Mail Server Publishing Rule Wizard page, click Finish.
3. Apply the changes.
   a. Click Apply to apply the new rules, and then click OK.
Perform the following steps on the Istanbul computer.

4. On the Istanbul computer, in Outlook Express, connect to the Exchange Server by clicking Send/Recv. Send an e-mail to administrator@contoso.com to test the SMTP and POP3 connections to ISA Server.
   a. On the Istanbul computer, in Outlook Express, on the toolbar, click Send/Recv.
   b. If the Logon - Contoso mail dialog box appears, complete the following information:
      User Name: Administrator
      Password: password
      and then click OK.
   c. On the toolbar, click Create Mail.
   d. In the New Message window, complete the following information:
      To: administrator@contoso.com
      Subject: Test mail through SMTP/POP3 - 2
      (Message): Publish Exchange using SMTP/POP3
      and then click Send.
   e. On the toolbar, click Send/Recv.
   f. Close Outlook Express.
Exercise 3: Publishing an Exchange Server for Outlook (RPC)

In this exercise, you will publish the Exchange Server (Denver) for Remote Procedure Call (RPC) access by Microsoft Outlook clients. This allows the full functionality of Outlook.

Perform the following steps on the Paris computer.

1. On the Paris computer, create a mail server publishing rule:
   Name: Publish mail
   Protocols: Outlook (RPC)
   Server: 10.1.1.5
   a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
   b. In the right pane, select the first rule, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.
   c. In the task pane, on the Tasks tab, click Publish Mail Servers.
   d. In the New Mail Server Publishing Rule Wizard dialog box, in the Mail Server Publishing rule name text box, type Publish mail, and then click Next.
   e. On the Select Access Type page, select Client access: RPC, IMAP, POP3, SMTP, and then click Next.
   f. On the Select Services page, complete the following information:
      Outlook (RPC) (standard port): enable
      Leave all other check boxes disabled
      and then click Next.
   g. On the Select Server page, in the Server IP address text box, type 10.1.1.5, and then click Next.
   h. On the Network Listener IP Addresses page, select External, and then click Next.
   i. On the Completing the New Mail Server Publishing Rule Wizard page, click Finish.
2. Examine the RPC Filter application filter.
   a. In the left pane, expand Configuration, and then select Add-ins.
   b. In the right pane, on the Application Filters tab, select RPC Filter.
3. Examine the new mail server publishing rule named Publish mail Exchange RPC Server.
   a. In the left pane, select Firewall Policy.
   b. In the right pane, select Publish mail Exchange RPC Server, and then in the task pane, on the Tasks tab, click Edit Selected Rule.
   c. In the Publish mail Exchange RPC Server Properties dialog box, select the Traffic tab.
   d. On the Traffic tab, click Properties.
   e. In the Exchange RPC Server Properties dialog box, select the Interfaces tab.
   f. Click Cancel to close the Exchange RPC Server Properties dialog box.
   g. Click Cancel to close the Publish mail Exchange RPC Server Properties dialog box.
4. Apply the new rule.
   a. In the right pane, click Apply to apply the new rule, and then click OK.
Perform the following steps on the Istanbul computer.

5. On the Istanbul computer, start Outlook 2003, and then examine the network connections.
   Use: netstat -ano
   Use: Connection Status
   a. On the Istanbul computer, open a Command Prompt window.
   b. At the command prompt, type netstat -ano | find "EST", and then press Enter.
   c. On the Start menu, click All Programs, click Microsoft Office, and then click Microsoft Office Outlook 2003.
   d. Switch to the Command Prompt window.
   e. At the command prompt, type netstat -ano | find "EST", and then press Enter.
   f. Close the Command Prompt window.
   g. Press the Ctrl key, and then click the Outlook icon in the system tray area.
   h. In the context menu of the system tray Outlook icon, click Connection Status.
   i. Click Close to close the Exchange Server Connection Status window.
6. Send an e-mail to Administrator to test the RPC connection to ISA Server.
   a. In Outlook, on the toolbar, click New.
   b. In the new message window, complete the following information:
      To: Administrator
      Subject: Test mail through RPC - 3
      (Message): Publish Exchange using RPC
      and then click Send.
   c. In the Inbox, select the new message.
   d. Close Outlook.
Exercise 4: Publishing an Exchange Server for RPC over HTTP

In this exercise, you want to provide Microsoft Outlook clients with the full functionality of Outlook when they connect to the Exchange Server. However, in this exercise, directly publishing Exchange Server through the Remote Procedure Call (RPC) protocol is not possible. You will configure ISA Server to tunnel RPC traffic inside HTTP (HTTPS) traffic. This uses the RPC over HTTP protocol.

Perform the following steps on the Paris computer.

1. On the Paris computer, import the mail.contoso.com Web server certificate from the C:\Tools\Certs folder.
   a. On the Paris computer, use Windows Explorer (or My Computer) to open the C:\Tools\Certs folder.
   b. In the Certs folder, right-click mail-certload.vbs, and then click Open.
   c. Click Yes to confirm that you want to import the certificate.
   d. Click OK to acknowledge that the import of the certificate is complete.
   e. Close the Certs folder.
Perform the following steps on the Denver computer.

2. On the Denver computer, import the denver.contoso.com Web server certificate from the C:\Tools\Certs folder.
   a. On the Denver computer, use Windows Explorer (or My Computer) to open the C:\Tools\Certs folder.
   b. In the Certs folder, right-click denver-certload.vbs, and then click Open.
   c. Click Yes to confirm that you want to import the certificate.
   d. Click OK to acknowledge that the import of the certificate is complete.
   e. Close the Certs folder.
3. Configure IIS to use the denver.contoso.com Web server certificate.
   a. On the Start menu, click Administrative Tools, and then click Internet Information Services (IIS) Manager.
   b. In the IIS Manager console, expand DENVER (local computer), expand Web Sites, right-click Default Web Site, and then click Properties.
   c. In the Default Web Site Properties dialog box, on the Directory Security tab, click Server Certificate.
   d. In the Welcome to the Web Server Certificate Wizard dialog box, click Next.
   e. On the Server Certificate page, select Assign an existing certificate, and then click Next.
   f. On the Available Certificates page, select the certificate for denver.contoso.com that has the intended purpose of Server Authentication (do not select a certificate with another intended purpose), and then click Next.
   g. On the SSL Port page, in the SSL port this web site should use text box, type 443, and then click Next.
   h. On the Certificate Summary page, click Next.
   i. On the Completing the Web Server Certificate Wizard page, click Finish.
   j. Click OK to close the Default Web Site Properties dialog box.
   k. Close the IIS Manager console.
4. Install the RPC over HTTP Proxy network service.
   a. On the Start menu, click Control Panel, and then click Add or Remove Programs.
   b. In the Add or Remove Programs window, click Add/Remove Windows Components.
   c. On the Windows Components page, select the Networking Services component (do NOT select the check box), and then click Details.
   d. In the Networking Services dialog box, select the RPC over HTTP Proxy check box, and then click OK.
   e. On the Windows Components page, click Next.
   f. On the Completing the Windows Components Wizard page, click Finish.
   g. Close the Add or Remove Programs window.
5. In the IIS Manager console, examine the RPC Proxy Server extension.
   a. On the Start menu, click Administrative Tools, and then click Internet Information Services (IIS) Manager.
   b. In the IIS Manager console, expand DENVER (local computer), and then in the left pane, select Web Service Extensions.
6. Configure the /Rpc virtual directory:
   Anonymous access: No
   Authentication method: Basic authentication only
   Require SSL: Yes
   (Basic authentication sends the password in a reversible encoding, so requiring SSL in steps g and h is what actually protects it; do not skip those steps.)
   a. In the IIS Manager console, expand Web Sites, expand Default Web Site, and then in the left pane, select Rpc.
   b. Right-click Rpc, and then click Properties.
   c. In the Rpc Properties dialog box, on the Directory Security tab, in the Authentication and access control box, click Edit.
   d. In the Authentication Methods dialog box, enable Basic authentication.
   e. In the IIS Manager warning message box, click Yes to confirm that you want to continue.
   f. In the Authentication Methods dialog box, complete the following information:
      Enable anonymous access: disable
      Integrated Windows authentication: disable (is default)
      Basic authentication: enable (done in previous step)
      and then click OK.
   g. On the Directory Security tab, in the Secure communications box, click Edit.
   h. In the Secure Communications dialog box, enable Require secure channel (SSL), and then click OK.
   i. On the Directory Security tab, click View Certificate.
   j. Click OK to close the Certificate dialog box.
   k. Click OK to close the Rpc Properties dialog box.
   l. Close the IIS Manager console.
7. Configure the RPC Proxy network service to communicate with the Exchange Server and Global Catalog server (denver.contoso.com) on the following ports: 6001, 6002 and 6004.
   (rpccfg /hd displays the hosts and ports the proxy may forward to, /hr removes the entries for a host, and /ha adds the listed ports for a host. The result is stored in the ValidPorts value under the registry key that step h queries; the proxy refuses connections to any host:port pair that is not listed there, which is why both the short name and the fully qualified name are added.)
   a. Open a Command Prompt window.
   b. At the command prompt, type cd \tools\reskit, and then press Enter.
   c. Type rpccfg /hd, and then press Enter.
   d. Type rpccfg /hr Denver, and then press Enter.
   e. Type rpccfg /ha Denver 6001 6002 6004, and then press Enter.
   f. Type rpccfg /ha denver.contoso.com 6001 6002 6004, and then press Enter.
   g. Type rpccfg /hd, and then press Enter.
   h. Type reg.exe query HKLM\Software\Microsoft\Rpc\RpcProxy, and then press Enter.
   i. Close the Command Prompt window.
8. Configure the Global Catalog server (Denver) to use port 6004 for RPC over HTTP connections.
   a. On the Start menu, click Run.
   b. In the Run dialog box, type regedit.exe, and then click OK.
   c. In the Registry Editor window, select the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters key.
   d. Right-click the Parameters key, click New, and then click Multi-String Value.
   e. In the New Value #1 text box, replace the text by typing NSPI interface protocol sequences, and then press Enter.
   f. Right-click the NSPI interface protocol sequences value, and then click Modify.
   g. In the Edit Multi-String dialog box, type ncacn_http:6004, and then click OK.
   h. Close the Registry Editor window.
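The following Python script is an added example, not part of the lab manual or of the Resource Kit tools. It models the ValidPorts value that the rpccfg commands in task 7 maintain (a semicolon-separated list of host:port or host:first-last entries under HKLM\Software\Microsoft\Rpc\RpcProxy), replays the /hr and /ha steps on it, and then performs the check a practitioner wants after step h: are all three ports present for both the short name and the fully qualified name? The pre-existing value used in the demonstration is assumed; whether rpccfg writes single ports or merged ranges is not stated in the lab, so merging consecutive ports into ranges is this script's own choice.

```python
r"""Model the RPC proxy ValidPorts value that rpccfg edits in task 7.

Added example, not part of the lab manual. The RPC over HTTP proxy on Denver
only forwards to the host:port pairs listed in the REG_SZ value
HKLM\Software\Microsoft\Rpc\RpcProxy\ValidPorts (the key that step 7h queries).
Entries are separated by ';' and each is host:port or host:first-last.
Assumptions: merging consecutive ports into ranges is this script's choice
(the lab does not say what rpccfg writes); host names are compared
case-insensitively, as Windows does, and written in lower case.
"""
import re

VALIDPORTS_KEY = r"HKLM\Software\Microsoft\Rpc\RpcProxy"      # value name: ValidPorts
ENTRY_RE = re.compile(r"^([A-Za-z0-9.-]+):(\d{1,5})(?:-(\d{1,5}))?$")
EXCHANGE_PORTS = (6001, 6002, 6004)   # the three ports the lab adds in task 7


def parse_valid_ports(value):
    """Turn 'Denver:6001-6002;Denver:6004' into {'denver': {6001, 6002, 6004}}."""
    table = {}
    for entry in (e.strip() for e in value.split(";")):
        if not entry:
            continue
        m = ENTRY_RE.match(entry)
        if not m:
            raise ValueError(f"malformed ValidPorts entry: {entry!r}")
        host, first = m.group(1).lower(), int(m.group(2))
        last = int(m.group(3)) if m.group(3) else first
        if not 0 < first <= last <= 65535:
            raise ValueError(f"bad port range in entry: {entry!r}")
        table.setdefault(host, set()).update(range(first, last + 1))
    return table


def add_host_ports(table, host, *ports):
    """Like 'rpccfg /ha <host> <ports>': allow the proxy to forward to host on ports."""
    table.setdefault(host.lower(), set()).update(int(p) for p in ports)
    return table


def remove_host(table, host):
    """Like 'rpccfg /hr <host>': drop every entry for the host."""
    table.pop(host.lower(), None)
    return table


def format_valid_ports(table):
    """Render the table back into the ValidPorts syntax (what 'rpccfg /hd' lists)."""
    entries = []
    for host in sorted(table):
        run = []
        for port in sorted(table[host]) + [None]:   # None flushes the last run
            if run and port == run[-1] + 1:
                run.append(port)
                continue
            if run:
                entries.append(f"{host}:{run[0]}" if len(run) == 1
                               else f"{host}:{run[0]}-{run[-1]}")
            run = [port] if port is not None else []
    return ";".join(entries)


def missing_entries(value, hosts, ports=EXCHANGE_PORTS):
    """(host, port) pairs the proxy would still refuse: the check to run after step 7h."""
    table = parse_valid_ports(value)
    return sorted((h.lower(), p) for h in hosts for p in ports
                  if p not in table.get(h.lower(), ()))


if __name__ == "__main__":
    # Replay task 7 steps d to f on an assumed pre-existing value.
    table = parse_valid_ports("Denver:6001;Denver:6002")
    remove_host(table, "Denver")
    add_host_ports(table, "Denver", *EXCHANGE_PORTS)
    add_host_ports(table, "denver.contoso.com", *EXCHANGE_PORTS)
    value = format_valid_ports(table)
    print("ValidPorts =", value)
    print("missing:", missing_entries(value, ["Denver", "denver.contoso.com"]))
```

To check a real server, paste the ValidPorts string shown by step h (or by rpccfg /hd) into missing_entries with the host names Outlook will be referred to; an empty list means the proxy can reach every required endpoint, and a non-empty list usually explains an Outlook that connects but never finishes opening the mailbox.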
9. Restart the Denver computer.
   a. On the Start menu, click Shut Down.
   b. In the Shut Down Windows dialog box, complete the following information:
      What do you want the computer to do: Restart
      Option: Other (Planned) (is default)
      Comment: Changed RPC Proxy settings
      and then click OK.
10. Log on to the computer:
   User name: Administrator
   Password: password
   Log on to: CONTOSO
   a. After the restart, at the Welcome to Windows dialog box, press <right>Alt-Del (instead of Ctrl-Alt-Del).
   b. In the Log On to Windows dialog box, complete the following information:
      User name: Administrator
      Password: password
      Domain: CONTOSO
      and then click OK to log on.
Perform the following steps on the Paris computer.

11. On the Paris computer, disable the existing rule that publishes the Exchange Server by using RPC.
   a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
   b. In the right pane, right-click Publish mail Exchange RPC Server, and then click Disable.
12. Create a new Web listener.
   Name: External Web 443
   SSL: enable
   Network: External
   Compression: disable
   Certificate: mail.contoso.com
   Authentication: HTTP Authentication - Basic
   a. In the task pane, on the Toolbox tab, in the Network Objects section, expand Web Listeners (if possible).
   b. If a Web listener named External Web 443 already exists (it was created in Exercise 1), skip the remaining steps of this task. Otherwise, right-click Web Listeners, and then click New Web Listener.
   c. In the New Web Listener Definition Wizard dialog box, in the Web listener name text box, type External Web 443, and then click Next.
   d. On the Client Connection Security page, select Require SSL secured connections with clients, and then click Next.
   e. On the Web Listener IP Addresses page, complete the following information:
      Listen on network: External
      ISA Server will compress content: disable
      and then click Next.
   f. On the Listener SSL Certificates page, click Select Certificate.
   g. In the certificates list, select mail.contoso.com, and then click Select.
   h. On the Listener SSL Certificates page, click Next.
   i. On the Authentication Settings page, complete the following information:
      Authentication method: HTTP Authentication (is default)
      Basic: enable
      Digest: disable (is default)
      Integrated: disable (is default)
      and then click Next.
   j. On the Single Sign On Settings page, click Next.
   k. On the Completing the New Web Listener Wizard page, click Finish.
13. Create a new RPC over HTTPS Web publishing rule.
   Name: Publish mail (RPC over HTTPS)
   Version: Exchange Server 2003
   Internal site name: denver.contoso.com
   Public name: mail.contoso.com
   Web listener: External Web 443
   Delegation: Basic Authentication
   a. In the right pane, select the first rule, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.
   b. In the task pane, on the Tasks tab, click Publish Exchange Web Client Access.
   c. In the New Exchange Publishing Rule Wizard dialog box, in the Exchange Publishing rule name text box, type Publish mail (RPC over HTTPS), and then click Next.
   d. On the Select Services page, complete the following information:
      Exchange version: Exchange Server 2003 (is default)
      Outlook Web Access: disable
      Outlook RPC/HTTP(s): enable
      Leave the other check boxes disabled (is default)
      and then click Next.
   e. On the Publishing Type page, select Publish a single Web site, and then click Next.
   f. On the Server Connection Security page, select Use SSL to connect to the published Web server, and then click Next.
   g. On the Internal Publishing Details page, in the Internal site name text box, type denver.contoso.com, and then click Next.
   h. On the Public Name Details page, complete the following information:
      Accept requests for: This domain name (type below):
      Public name: mail.contoso.com
      and then click Next.
   i. On the Select Web Listener page, in the Web listener drop-down list box, select External Web 443, and then click Next.
   j. On the Authentication Delegation page, select Basic Authentication, and then click Next.
   k. On the User Sets page, click Next.
   l. On the Completing the New Exchange Publishing Rule Wizard page, click Finish.
14. Examine the new Web publishing rule named Publish mail (RPC over HTTPS).
   a. In the right pane, right-click Publish mail (RPC over HTTPS), and then click Properties.
   b. In the Publish mail (RPC over HTTPS) Properties dialog box, select the Path tab.
   c. Click Cancel to close the Publish mail (RPC over HTTPS) Properties dialog box.
15. Apply the new rule.
   a. Click Apply to apply the new rule, and then click OK.
Perform the following steps on the Istanbul computer.

16. On the Istanbul computer, use Internet Explorer to verify the configuration of the secure Web publishing rule, by connecting to https://mail.contoso.com/rpc. The expected error code is 401.3 (Access denied due to an ACL). This error is generated by IIS on Denver, so receiving it shows that the request passed the ISA Server rule, that the delegated credentials were accepted, and that the ACL on the Rpc directory then denied a plain browser request; a different error points at the listener or the publishing rule instead.
   a. On the Istanbul computer, open Internet Explorer. In the Address box, type https://mail.contoso.com/rpc, and then press Enter.
   b. In the Connect to mail.contoso.com dialog box, complete the following information:
      User name: Administrator
      Password: password
      Remember my password: disable (is default)
      and then click OK.
   c. In the Connect to mail.contoso.com dialog box, type Administrator and password for the second time, and then click OK.
   d. In the Connect to mail.contoso.com dialog box, type Administrator and password for the third time, and then click OK.
   e. Close Internet Explorer.
17. Configure the e-mail account in the current Outlook profile to use RPC over HTTP:
   URL: mail.contoso.com
   Use SSL only: Yes
   Principal name: msstd:mail.contoso.com
   On fast/slow networks, use HTTP first: Yes
   Proxy authentication: Basic
   (With Mutually authenticate the session enabled, Outlook accepts the proxy only if the certificate it presents matches the msstd: principal name, so a listener that presents any other certificate is rejected before the Basic credentials are sent.)
   a. On the Start menu, click Control Panel, and then click Mail.
   b. In the Mail Setup - Outlook dialog box, click E-mail Accounts.
   c. In the E-mail Accounts dialog box, select View or change existing e-mail accounts, and then click Next.
   d. Click Cancel to close the Connecting to Microsoft Exchange Server message box.
   e. On the E-mail Accounts page, ensure that Contoso mail is selected, and then click Change.
   f. On the Exchange Server Settings page, click More Settings.
   g. In the Microsoft Exchange Server dialog box, on the Connection tab, enable Connect to my Exchange mailbox using HTTP, and then click Exchange Proxy Settings.
   h. In the Exchange Proxy Settings dialog box, complete the following information:
      Use this URL (https://): mail.contoso.com
      Connect using SSL only: enable (is default)
      Mutually authenticate the session: enable
      Principal name for proxy server: msstd:mail.contoso.com
      On fast networks, connect using HTTP first: enable
      On slow networks, connect using HTTP first: enable (is default)
      Proxy authentication settings: Basic Authentication
      and then click OK.
   i. Click OK to close the Microsoft Exchange Server dialog box.
   j. On the Exchange Server Settings page, click Next.
   k. In the Connect to Denver.contoso.com dialog box, complete the following information:
      User name: contoso\administrator
      Password: password
      and then click OK.
   l. On the E-mail accounts page, click Finish.
   m. Click Close to close the Mail Setup - Outlook dialog box.
18. Start Outlook 2003, and then examine the network connections.
   Use: netstat -ano
   Use: Connection Status
   a. Open a Command Prompt window.
   b. At the command prompt, type netstat -ano | find "EST", and then press Enter.
   c. On the Start menu, click All Programs, click Microsoft Office, and then click Microsoft Office Outlook 2003.
   d. In the Connecting to Denver.contoso.com dialog box, complete the following information:
      User name: contoso\administrator
      Password: password
      and then click OK.
   e. Switch to the Command Prompt window.
   f. At the command prompt, type netstat -ano | find "EST", and then press Enter.
   g. Close the Command Prompt window.
   h. Press the Ctrl key, and then click the Outlook icon in the system tray area.
   i. In the context menu of the system tray Outlook icon, click Connection Status.
   j. Click Close to close the Exchange Server Connection Status window.
19. Send an e-mail to Administrator to test the RPC over HTTP connection to ISA Server.
   a. In Outlook, on the toolbar, click New.
   b. In the new message window, complete the following information:
      To: Administrator
      Subject: Test mail through RPC over HTTP - 4
      (Message): Publish Exchange using RPC over HTTP
      and then click Send.
   c. In the Inbox, select the new message.
   d. Close Outlook.
20. Use Internet Explorer to connect to https://mail.contoso.com/exchange.
   a. Open Internet Explorer. In the Address box, type https://mail.contoso.com/exchange, and then press Enter.
   b. In the Connect to mail.contoso.com dialog box, complete the following information:
      User name: Administrator
      Password: password
      Remember my password: disable (is default)
      and then click OK.
   c. Close Internet Explorer.
Perform the following steps on the Paris computer.

21. On the Paris computer, configure the External Web 443 Web listener to use Form Authentication.
   a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
   b. In the task pane, on the Toolbox tab, in the Network Objects section, expand Web Listeners, right-click External Web 443, and then click Properties.
   c. In the External Web 443 Properties dialog box, on the Authentication tab, complete the following information:
      Client Authentication Method: HTML Form Authentication
      and then click OK to close the External Web 443 Properties dialog box.
   d. Click Apply to save the changes, and then click OK.
Perform the following steps on the Istanbul computer.

22. Use Internet Explorer to connect to https://mail.contoso.com/exchange again.
   a. Open Internet Explorer. In the Address box, type https://mail.contoso.com/exchange, and then press Enter.
   b. In the Office Outlook Web Access page, complete the following information:
      Security: This is a private computer
      Use Outlook Web Access Light: disable (is default)
      Domain\user name: contoso\administrator
      Password: password
      and then click Log On.
   c. Close Internet Explorer.
23. Start Outlook 2003, and verify that it still connects now that the listener uses HTML Form Authentication. The Outlook client is not a browser and does not use the form; it continues to authenticate with the Basic credentials configured in task 17.
   a. On the Start menu, click All Programs, click Microsoft Office, and then click Microsoft Office Outlook 2003.
   b. In the Connecting to Denver.contoso.com dialog box, complete the following information:
      User name: contoso\administrator
      Password: password
      and then click OK.
   c. Press the Ctrl key, and then click the Outlook icon in the system tray area.
   d. In the context menu of the system tray Outlook icon, click Connection Status.
   e. Click Close to close the Exchange Server Connection Status window.
   f. Close Outlook.
Module E: Enabling VPN Connections

Exercise 1: Configuring ISA Server to Accept Incoming VPN Connections

In this exercise, you will configure ISA Server to accept incoming VPN connections from client computers on the Internet. The exercise enables only PPTP with MS-CHAPv2 authentication (tasks 3 and 4). Bear in mind that this is the weakest combination ISA Server offers: the MS-CHAPv2 exchange can be broken offline by anyone who captures it, so a production deployment should use L2TP/IPsec instead.

Perform the following steps on the Paris computer.

1. On the Paris computer, examine the status of the Routing and Remote Access service.
   a. On the Paris computer, on the Start menu, click Administrative Tools, and then click Routing and Remote Access.
   b. In the Routing and Remote Access console, select PARIS (local).
2. Use the ISA Server console to configure VPN address ranges.
   IP address ranges: 10.3.1.1 - 10.3.1.120
   a. On the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.
   b. In the ISA Server console, expand Paris, and then select Virtual Private Networks (VPN).
   c. In the right pane, ensure that the VPN Clients tab is selected.
   d. In the task pane, on the Tasks tab, click Define Address Assignments.
   e. In the Virtual Private Networks (VPN) Properties dialog box, on the Address Assignment tab, select Static address pool, and then click Add.
   f. In the Server IP Address Range Properties dialog box, complete the following information:
      Start address: 10.3.1.1
      End address: 10.3.1.120
      and then click OK.
   g. Click OK to close the Virtual Private Networks (VPN) Properties dialog box.
3. Enable and configure VPN client access.
   Maximum clients: 100
   Protocols: PPTP
   a. On the Tasks tab, click Enable VPN Client Access.
   b. On the Tasks tab, click Configure VPN Client Access.
   c. In the VPN Clients Properties dialog box, on the General tab, in the Maximum number of VPN clients allowed text box, leave the default value 100.
   d. On the Protocols tab, ensure that only Enable PPTP is selected.
   e. Click OK to close the VPN Clients Properties dialog box.
4. Examine the VPN connection settings.
   Access networks: External
   Authentication: MS-CHAPv2
   a. In the left pane, right-click Virtual Private Networks (VPN), and then click Properties.
   b. In the Virtual Private Networks (VPN) Properties dialog box, select the Access Networks tab.
   c. Select the Authentication tab.
   d. Click OK to close the Virtual Private Networks (VPN) Properties dialog box.
5. Examine the VPN access rule:
   System policy rule: Allow VPN client traffic to ISA Server (rule 13).
   a. In the left pane, select Firewall Policy.
   b. In the task pane, on the Tasks tab, click Show System Policy Rules.
   c. In the right pane, select the Allow VPN client traffic to ISA Server system policy rule (rule 13).
   d. In the task pane, on the Tasks tab, click Hide System Policy Rules.
6. Apply the VPN configuration.
   a. In the ISA Server console, click Apply to apply the VPN configuration, and then click OK.
7. Examine the configuration of the Routing and Remote Access console.
   a. In the Routing and Remote Access console, in the left pane, right-click PARIS (local), and then click Refresh.
   b. Right-click PARIS (local), and then click Properties.
   c. In the PARIS (local) Properties dialog box, select the IP tab.
   d. Click Cancel to close the PARIS (local) Properties dialog box.
   e. Expand PARIS (local), and then select Remote Access Policies.
   f. In the right pane, right-click the ISA Server Default Policy remote access policy, and then click Properties.
   g. Click Cancel to close the ISA Server Default Policy Properties dialog box.
   h. Close the Routing and Remote Access console.
8. Configure the user profile of the Administrator account so that it is allowed to dial in. (Granting dial-in access to the built-in Administrator account is a lab shortcut; in production, allow a dedicated group of VPN users instead.)
   a. On the Start menu, click Administrative Tools, and then click Computer Management.
   b. In the Computer Management console, in the left pane, expand Local Users and Groups, and then select Users.
   c. In the right pane, right-click Administrator, and then click Properties.
   d. In the Administrator Properties dialog box, on the Dial-in tab, select Allow access, and then click OK.
   e. Close the Computer Management console.
Exercise 2: Configuring a Client Computer to Establish a VPN Connection

In this exercise, you will configure a client computer on the Internet to establish a VPN connection to the ISA Server computer.

Perform the following steps on the Istanbul computer.

1. On the Istanbul computer, examine the current IP address configuration, and use the Ping command to test connectivity to the Internal network (10.1.1.5).
   a. On the Istanbul computer, open a Command Prompt window.
   b. At the command prompt, type ipconfig, and then press Enter.
   c. Type ping 39.1.1.1, and then press Enter.
   d. Type ping 10.1.1.5, and then press Enter.
   e. Close the Command Prompt window.
2. Create a new connection in the Network Connections window.
   Type: VPN connection
   Name: VPN to Contoso
   VPN Server: 39.1.1.1
   a. On the Start menu, click Control Panel, right-click Network Connections, and then click Open.
   b. In the Network Connections window, right-click New Connection Wizard, and then click New Connection.
   c. In the New Connection Wizard dialog box, click Next.
   d. On the Network Connection Type page, select Connect to the network at my workplace, and then click Next.
   e. On the Network Connection page, select Virtual Private Network connection, and then click Next.
   f. On the Connection Name page, in the Company Name text box, type VPN to Contoso, and then click Next.
   g. On the VPN Server Selection page, in the Host name or IP address text box, type 39.1.1.1, and then click Next.
   h. On the Connection Availability page, select My use only, and then click Next.
   i. On the Completing the New Connection Wizard page, click Finish.
3. Establish the VPN connection named VPN to Contoso.
   User name: Administrator
   Password: password
   a. In the Connect VPN to Contoso dialog box, complete the following information:
      User name: Administrator
      Password: password
      and then click Connect.
4. Examine the current IP address configuration, and use the Ping command to test the connection to the Internal network (10.1.1.5) and the VPN tunnel end-point (10.3.1.1).
   a. Open a Command Prompt window.
   b. At the command prompt, type ipconfig, and then press Enter.
   c. Type route print, and then press Enter.
   d. Type ping 10.1.1.5, and then press Enter.
   e. Type ping 10.3.1.1, and then press Enter.
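Reading the route print output in step c is the part of this task that is easy to get wrong, so the following Python script is added as an example (it is not part of the lab manual): it parses the IPv4 route table that Windows shows after the VPN comes up and applies the selection rule Windows uses, longest matching prefix first and lowest metric on a tie, to the three addresses the task pings. The table is constructed, not captured from the lab: Istanbul is assumed to have 39.1.1.10 on its LAN adapter and to have received 10.3.1.2 from the 10.3.1.1-10.3.1.120 pool defined in Exercise 1. Keep in mind that route selection only says which interface a packet leaves on; whether ISA Server then allows it is decided by firewall policy (the Allow Ping from VPN clients rule in task 6, and Exercise 3 for the Internal network), so a packet correctly routed into the tunnel can still be dropped.

```python
"""Work out which interface Istanbul uses for each ping in task 4.

Added example, not part of the lab manual. It parses the IPv4 section of
'route print' after the VPN is connected and applies the rule Windows uses to
pick a route: longest matching prefix first, lowest metric as tie-breaker.
Assumptions: the table below is constructed; Istanbul has 39.1.1.10 on its
LAN adapter and was assigned 10.3.1.2 from the lab's 10.3.1.1-10.3.1.120 pool.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed 'route print' output (IPv4 section, Windows XP layout) after connecting.
ROUTE_PRINT_AFTER_VPN = """
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         39.1.1.1       39.1.1.10       21
          0.0.0.0          0.0.0.0         10.3.1.2        10.3.1.2        1
         10.3.1.2  255.255.255.255        127.0.0.1       127.0.0.1       50
         39.1.1.0    255.255.255.0        39.1.1.10       39.1.1.10       20
         39.1.1.1  255.255.255.255        39.1.1.10       39.1.1.10        1
        39.1.1.10  255.255.255.255        127.0.0.1       127.0.0.1       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1        1
Default Gateway:          10.3.1.2
===========================================================================
"""

# Static address pool configured in Exercise 1, task 2.
VPN_POOL = (ipaddress.IPv4Address("10.3.1.1"), ipaddress.IPv4Address("10.3.1.120"))

ROUTE_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
                      r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$")


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    interface: ipaddress.IPv4Address
    metric: int


def parse_route_print(text):
    """Return the Route entries; headers, separators and the Default Gateway line are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        dest, mask, gw, iface, metric = m.groups()
        routes.append(Route(ipaddress.IPv4Network(f"{dest}/{mask}", strict=False),
                            ipaddress.IPv4Address(gw), ipaddress.IPv4Address(iface),
                            int(metric)))
    return routes


def select_route(routes, destination):
    """Longest-prefix match, lowest metric on a tie; None if nothing matches."""
    dst = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if dst in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def in_vpn_pool(address):
    """True if the address comes from the static pool defined in Exercise 1."""
    a = ipaddress.IPv4Address(address)
    return VPN_POOL[0] <= a <= VPN_POOL[1]


def vpn_server_reachable_outside_tunnel(routes, vpn_server, tunnel_interface):
    """The route to the VPN server itself must not point into the tunnel; if it did,
    the tunnel would have to carry its own transport packets and the session would fail."""
    r = select_route(routes, vpn_server)
    return r is not None and r.interface != ipaddress.IPv4Address(tunnel_interface)


if __name__ == "__main__":
    routes = parse_route_print(ROUTE_PRINT_AFTER_VPN)
    for target in ("10.1.1.5", "10.3.1.1", "39.1.1.1"):
        r = select_route(routes, target)
        print(f"{target:>10} -> {r.network} via interface {r.interface} (metric {r.metric})")
    print("tunnel address in pool:", in_vpn_pool("10.3.1.2"))
    print("VPN server bypasses tunnel:",
          vpn_server_reachable_outside_tunnel(routes, "39.1.1.1", "10.3.1.2"))
```

With the constructed table, 10.1.1.5 and 10.3.1.1 leave through the tunnel adapter (the second default route wins on metric) while 39.1.1.1 still uses the host route over the LAN adapter, which is the entry that keeps the PPTP session itself out of the tunnel. To check a real client, paste its own route print output into parse_route_print and ask for the same three addresses.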
Perform the following steps on the Paris computer.

5. On the Paris computer, use the Ping command to test the connection to the VPN client computer (10.3.1.2 or higher).
   a. On the Paris computer, open a Command Prompt window.
   b. At the command prompt, type ping 10.3.1.2 (or the higher 10.3.1.x IP address assigned to Istanbul), and then press Enter.
   c. Close the Command Prompt window.
   d. In the ISA Server console, select Firewall Policy.
   e. In the task pane, on the Tasks tab, click Show System Policy Rules.
   f. In the task pane, on the Tasks tab, click Hide System Policy Rules.
6. Create a new access rule.
   Name: Allow Ping from VPN clients
   Applies to: PING
   From network: VPN Clients
   To network: Local Host
   a. In the right pane, select the first rule, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.
   b. In the task pane, on the Tasks tab, click Create Access Rule.
   c. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow Ping from VPN clients, and then click Next.
   d. On the Rule Action page, select Allow, and then click Next.
   e. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.
   f. In the Add Protocols dialog box, click Common Protocols, click PING, and click Add, and then click Close to close the Add Protocols dialog box.
   g. On the Protocols page, click Next.
   h. On the Access Rule Sources page, click Add.
   i. In the Add Network Entities dialog box, click Networks, click VPN Clients, and click Add, and then click Close to close the Add Network Entities dialog box.
   j. On the Access Rule Sources page, click Next.
   k. On the Access Rule Destinations page, click Add.
   l. In the Add Network Entities dialog box, click Networks, click Local Host, and click Add, and then click Close to close the Add Network Entities dialog box.
   m. On the Access Rule Destinations page, click Next.
   n. On the User Sets page, click Next.
   o. On the Completing the New Access Rule Wizard page, click Finish.
   p. Click Apply to apply the new rule, and then click OK.
Perform the following steps on the Istanbul computer.
7. On the Istanbul computer, use the Ping command again to test
connectivity to the VPN tunnel end-point at the ISA Server computer
(10.3.1.1).
a. On the Istanbul computer, at the command prompt, type
ping 10.3.1.1, and then press Enter.
b. Close the Command Prompt window.
Exercise 3: Allowing Internal Network Access for VPN Clients
In this exercise, you will configure ISA Server so that client computers on the Internet are allowed
access to the internal network by establishing a VPN connection.

Tasks Detailed steps

Perform the following steps on the Paris computer.

1. On the Paris computer, examine the network rule for connectivity
between the VPN Clients network and the Internal network.
a. On the Paris computer, in the ISA Server console, in the left
pane, expand Configuration, and then select Networks.
b. In the right pane, on the Network Rules tab, select the rule
that defines the connectivity between the VPN Clients
network and the Internal network.
2. Create a new access rule:
Name: Allow access from VPN clients to Internal
Applies to: PING, Microsoft CIFS (TCP)
From network: VPN Clients
To network: Internal
a. In the ISA Server console, in the left pane, select
Firewall Policy.
b. In the right pane, select the first rule to indicate where the new
rule is added to the rule list.
c. In the task pane, on the Tasks tab, click Create Access Rule.
d. In the New Access Rule Wizard dialog box, in the
Access rule name text box, type
Allow access from VPN clients to Internal, and then click
Next.
e. On the Rule Action page, select Allow, and then click Next.
f. On the Protocols page, in the This rule applies to list box,
select Selected protocols, and then click Add.
g. In the Add Protocols dialog box,
click Common Protocols, click PING, and click Add,
click All protocols, click Microsoft CIFS (TCP), and click
Add,
and then click Close to close the Add Protocols dialog box.
h. On the Protocols page, click Next.
i. On the Access Rule Sources page, click Add.
j. In the Add Network Entities dialog box,
click Networks, click VPN Clients, and click Add,
and then click Close to close the Add Network Entities dialog
box.
k. On the Access Rule Sources page, click Next.
l. On the Access Rule Destinations page, click Add.
m. In the Add Network Entities dialog box,
click Networks, click Internal, and click Add,
and then click Close to close the Add Network Entities dialog
box.
n. On the Access Rule Destinations page, click Next.
o. On the User Sets page, click Next.
p. On the Completing the New Access Rule Wizard page, click
Finish.
q. Click Apply to apply the new rule, and then click OK.
Perform the following steps on the Istanbul computer.

3. On the Istanbul computer, reconnect the VPN to Contoso
connection, if it was disconnected.
a. On the Istanbul computer, if the VPN to Contoso connection is
disconnected, then in the Network Connections window,
right-click VPN to Contoso, and then click Connect. In the
Connect VPN to Contoso dialog box, complete the following
information:
User name: Administrator
Password: password
and then click Connect.
4. Use the Ping command to test connectivity to the Internal network
(10.1.1.5), and use the Run dialog box to connect to \\10.1.1.5.
a. Open a Command Prompt window.
b. At the command prompt, type ping 10.1.1.5, and then press
Enter.
c. Close the Command Prompt window.
d. On the Start menu, click Run.
e. In the Run dialog box, type \\10.1.1.5, and then click OK.
f. Close the \\10.1.1.5 window.
5. Disconnect the VPN to Contoso connection, and close the
Network Connections window.
a. In the System tray, right-click the connection icon, and click
Disconnect.
b. Close the Network Connections window.
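The two access rules built in Exercises 2 and 3 only make sense once you see how ISA Server walks its firewall policy: the first rule whose protocol, source network and destination network all match decides, and the implicit Default rule denies whatever nothing else allowed. The following Python model is an added example, not ISA Server code and not part of the lab; it replays the ping and \\10.1.1.5 tests of Exercises 2, 3 and 6 against the rules as named in the manual. The address plan (Paris on 10.1.1.1 and 10.3.1.1, VPN clients from 10.3.1.2 upward, Internal 10.1.1.0/24) is assumed from the exercises, the class and function names are this example's own, and system policy rules are left out.

```python
"""Constructed model of ISA Server 2006 first-match access-rule evaluation.

Added illustration, not ISA Server code. Network objects, protocol names,
rule names and addresses are the ones used in Exercises 2, 3 and 6 of this
module; the class and function names are this example's own. System policy
rules (Exercise 2, step 5) are not modelled.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Address plan assumed from the lab: Paris (the ISA Server) owns 10.1.1.1 on
# the Internal network and 10.3.1.1 as VPN tunnel end-point; VPN clients get
# 10.3.1.2 and higher; the Internal network is 10.1.1.0/24.
LOCAL_HOST = {ip_address("10.1.1.1"), ip_address("10.3.1.1")}
INTERNAL = ip_network("10.1.1.0/24")
VPN_POOL = ip_network("10.3.1.0/24")


def network_of(addr: str, quarantined: bool = False) -> str:
    """Return the ISA network object an address belongs to.

    A quarantined VPN client uses the same address pool as a normal VPN
    client: quarantine is a state of the session, not a separate address
    range, which is why ISA models it as a distinct network object.
    """
    ip = ip_address(addr)
    if ip in LOCAL_HOST:
        return "Local Host"
    if ip in INTERNAL:
        return "Internal"
    if ip in VPN_POOL:
        return "Quarantined VPN Clients" if quarantined else "VPN Clients"
    return "External"


@dataclass(frozen=True)
class AccessRule:
    name: str
    action: str               # "Allow" or "Deny"
    protocols: frozenset      # protocol names; "*" means all protocols
    sources: frozenset        # network names; "*" means all networks
    destinations: frozenset

    def matches(self, protocol: str, src_net: str, dst_net: str) -> bool:
        def hit(wanted, value):
            return "*" in wanted or value in wanted
        return (hit(self.protocols, protocol) and hit(self.sources, src_net)
                and hit(self.destinations, dst_net))


def rule(name, action, protocols, sources, destinations):
    return AccessRule(name, action, frozenset(protocols),
                      frozenset(sources), frozenset(destinations))


# The rules created in this module. Each new rule is inserted above the
# selected one, so later rules sit at the top of the list.
ALLOW_PING_VPN = rule("Allow Ping from VPN clients", "Allow",
                      ["PING"], ["VPN Clients"], ["Local Host"])
ALLOW_VPN_INTERNAL = rule("Allow access from VPN clients to Internal", "Allow",
                          ["PING", "Microsoft CIFS (TCP)"],
                          ["VPN Clients"], ["Internal"])
ALLOW_PING_QUARANTINED = rule("Allow Ping from Quarantined VPN clients", "Allow",
                              ["PING"], ["Quarantined VPN Clients"], ["Local Host"])
# ISA's implicit last rule: deny everything not explicitly allowed.
DEFAULT_RULE = rule("Default rule", "Deny", ["*"], ["*"], ["*"])


def evaluate(rules, protocol, src, dst, quarantined=False):
    """First matching rule wins; the Default rule catches everything else."""
    src_net, dst_net = network_of(src, quarantined), network_of(dst)
    for r in list(rules) + [DEFAULT_RULE]:
        if r.matches(protocol, src_net, dst_net):
            return r.name, r.action
    raise AssertionError("unreachable: Default rule matches everything")


def walkthrough():
    """Replay the ping/CIFS tests of Exercises 2, 3 and 6 against the policy."""
    client, tunnel_end, internal_host = "10.3.1.2", "10.3.1.1", "10.1.1.5"
    after_ex2 = [ALLOW_PING_VPN]
    after_ex3 = [ALLOW_VPN_INTERNAL, ALLOW_PING_VPN]
    after_ex6 = [ALLOW_PING_QUARANTINED] + after_ex3
    return {
        # Exercise 2, step 4: no rule yet, so the ping is denied.
        "ex2 ping tunnel before rule": evaluate([], "PING", client, tunnel_end),
        # Exercise 2, step 7: the rule allows ping to the tunnel end-point only.
        "ex2 ping tunnel after rule": evaluate(after_ex2, "PING", client, tunnel_end),
        "ex2 ping internal after rule": evaluate(after_ex2, "PING", client, internal_host),
        # Exercise 3, step 4: \\10.1.1.5 is Microsoft CIFS (TCP), now allowed.
        "ex3 cifs internal": evaluate(after_ex3, "Microsoft CIFS (TCP)", client, internal_host),
        # Exercise 6: a quarantined client is a different source network, so the
        # VPN Clients rules do not apply until quarantine is lifted.
        "ex6 quarantined ping tunnel before rule": evaluate(after_ex3, "PING", client, tunnel_end, quarantined=True),
        "ex6 quarantined ping tunnel after rule": evaluate(after_ex6, "PING", client, tunnel_end, quarantined=True),
        "ex6 quarantined cifs internal": evaluate(after_ex6, "Microsoft CIFS (TCP)", client, internal_host, quarantined=True),
    }


if __name__ == "__main__":
    for case, (name, action) in walkthrough().items():
        print(f"{case:42s} -> {action} ({name})")
```

The model makes the least-privilege shape of the lab visible: the rule from Exercise 2 reaches only Local Host, the rule from Exercise 3 opens exactly PING and CIFS toward Internal, and a quarantined client matches neither until ISA moves the session to the VPN Clients network.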
Exercise 4: Configuring VPN Quarantine on ISA Server
In this exercise, you will configure ISA Server so that it can allow phased network access to
VPN clients. Only client computers whose security configuration meets the security policy are allowed
full access to the network.

Tasks Detailed steps

Perform the following steps on the Paris computer.

1. On the Paris computer, in the C:\Tools folder, examine the
RQScript.vbs script file that is used to check the security
configuration of the VPN client computer.
a. On the Paris computer, use Windows Explorer (or My
Computer) to open the C:\Tools folder.
b. Right-click the RQScript.vbs file, and then click Edit (do not
click Open).
c. Maximize the RQScript.vbs - Notepad window, if that is not done
already.
d. Close Notepad.
e. Close the Tools folder.
2. Install the Remote Access Quarantine Agent service (RQS.exe).
a. On the Start menu, click Control Panel, and then click
Add or Remove Programs.
b. In the Add or Remove Programs window, click
Add/Remove Windows Components.
c. On the Windows Components page, select the
Networking Services component (do NOT select the check
box), and then click Details.
d. In the Networking Services dialog box, select the
Remote Access Quarantine Service check box, and then
click OK.
e. On the Windows Components page, click Next.
f. On the Completing the Windows Components Wizard page,
click Finish.
g. Close the Add or Remove Programs window.
3. Configure the RQS.exe service:
AllowedSet: RQVersion3
Authenticator: vpnplgin.dll
a. On the Start menu, click Run.
b. In the Run dialog box, type regedit.exe, and then click OK.
c. In the Registry Editor window, select the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rqs key.
d. In the right pane, right-click the AllowedSet value, and then
click Modify.
e. In the Edit Multi-String dialog box, delete the current value,
and then type RQVersion3, and click OK.
f. Right-click the rqs key, click New, and then click String
Value.
g. In the New Value #1 text box, replace the text by typing
Authenticator, and then press Enter.
h. Right-click the Authenticator value, and then click Modify.
i. In the Edit String dialog box, type
C:\Program Files\Microsoft ISA Server\vpnplgin.dll, and
then click OK.
j. Close the Registry Editor window.
k. On the Start menu, click Administrative Tools, and then click
Services.
l. In the Services console, in the right pane, right-click
Remote Access Quarantine Agent, and then click
Properties.
m. Click Cancel to close the Remote Access Quarantine Agent
Properties dialog box.
n. Close the Services console.
4. Create a new protocol definition:
Name: RQS - Network Quarantine
Direction: Outbound
Port: TCP 7250
a. In the ISA Server console, in the left pane, select
Firewall Policy.
b. In the task pane, on the Toolbox tab, in the Protocols
section, on the New menu, click Protocol.
c. In the New Protocol Definition Wizard dialog box, in the
Protocol definition name text box, type RQS -
Network Quarantine, and then click Next.
d. On the Primary Connection Information page, click New.
e. In the New/Edit Protocol Connection dialog box, complete the
following information:
Protocol type: TCP
Direction: Outbound
Port Range From: 7250
Port Range To: 7250
and then click OK.
f. On the Primary Connection Information page, click Next.
g. On the Secondary Connections page, select No, and then
click Next.
h. On the Completing the New Protocol Definition Wizard page,
click Finish.
5. Create a new access rule:
Name: Allow RQS network quarantine notification
Applies to: RQS - Network Quarantine
From network: Quarantined VPN Clients
To network: Local Host
a. In the right pane, select the first rule to indicate where the new
rule is added to the rule list.
b. In the task pane, on the Tasks tab, click Create Access Rule.
c. In the New Access Rule Wizard dialog box, in the
Access rule name text box, type
Allow RQS network quarantine notification, and then click
Next.
d. On the Rule Action page, select Allow, and then click Next.
e. On the Protocols page, in the This rule applies to list box,
select Selected protocols, and then click Add.
f. In the Add Protocols dialog box,
click User-Defined, click RQS - Network Quarantine, and
click Add,
and then click Close to close the Add Protocols dialog box.
g. On the Protocols page, click Next.
h. On the Access Rule Sources page, click Add.
i. In the Add Network Entities dialog box,
click Networks, click Quarantined VPN Clients, and click
Add,
and then click Close to close the Add Network Entities dialog
box.
j. On the Access Rule Sources page, click Next.
k. On the Access Rule Destinations page, click Add.
l. In the Add Network Entities dialog box,
click Networks, click Local Host, and click Add,
and then click Close to close the Add Network Entities dialog
box.
m. On the Access Rule Destinations page, click Next.
n. On the User Sets page, click Next.
o. On the Completing the New Access Rule Wizard page, click
Finish.
6. In the C:\Tools\ISA folder, examine the ConfigureRQSForISA.vbs
script file.
a. Use Windows Explorer (or My Computer) to open the
C:\Tools\ISA folder.
b. Right-click the ConfigureRQSForISA.vbs file, and then click
Edit (do NOT click Open).
c. Maximize the ConfigureRQSForISA.vbs - Notepad window if
that is not done already.
d. Close Notepad.
e. Close the Windows Explorer window.
7. Configure ISA Server to enable quarantine:
Type: Use ISA Server
Disconnect quarantine: 60 seconds
a. In the ISA Server console, in the left pane, select Networks.
b. In the right pane, on the Networks tab, right-click the
Quarantined VPN Clients network, and then click
Properties.
c. In the Quarantined VPN Clients Properties dialog box, on the
Quarantine tab, select Enable Quarantine Control.
d. In the message box, click OK to acknowledge that enabling
quarantine control requires configuration on both the ISA
Server and VPN client computers.
e. On the Quarantine tab, complete the following information:
Enable Quarantine Control: enable (done in previous step)
Quarantine according to ISA Server policies: enable (is
default)
Disconnect quarantine users after (seconds): 60
and then click OK.
f. Click Apply to save the changes, and then click OK.
Exercise 5: Creating and Distributing a Connection Manager Profile
In this exercise, you will create and distribute a Connection Manager profile for use with network
access quarantine. The profile is made available through an extranet distribution point.

Tasks Detailed steps

Perform the following steps on the Paris computer.

1. On the Paris computer, install the Connection Manager
Administration Kit (CMAK).
a. On the Paris computer, on the Start menu, click
Control Panel, and then click Add or Remove Programs.
b. In the Add or Remove Programs window, click
Add/Remove Windows Components.
c. On the Windows Components page, select the
Management and Monitoring Tools component (do NOT
clear or select the check box), and then click Details.
d. In the Management and Monitoring Tools dialog box, select
the Connection Manager Administration Kit check box, and
then click OK.
e. On the Windows Components page, click Next.
f. On the Completing the Windows Components Wizard page,
click Finish.
g. Close the Add or Remove Programs window.
2. Use CMAK to create a new Connection Manager profile.
- Service name: VPN to Contoso (CM)
- File name: VPN_RQ
- VPN server: 39.1.1.1
- Custom post-connect action:
C:\Tools\RQScript.vbs %TunnelRasEntry% %Domain% %UserName%
- Additional files:
C:\Program Files\cmak\support\rqc.exe
a. On the Start menu, click Administrative Tools, and then click
Connection Manager Administration Kit.
b. On the Welcome to the Connection Manager Administration
Kit Wizard page, click Next.
c. On the Service Profile Selection page, select New profile, and
then click Next.
d. On the Service and File Names page, complete the following
information:
Service name: VPN to Contoso (CM)
File name: VPN_RQ
and then click Next.
e. On the Realm Name page, select
Do not add a realm name to the user name, and then click
Next.
f. On the Merging Profile Information page, click Next.
g. On the VPN Support page, complete the following information:
Phone book from this profile: enable
Always use the same VPN server: 39.1.1.1
and then click Next.
h. On the VPN Entries page, select VPN to Contoso (CM)
Tunnel, and then click Next.
i. On the Phone Book page, CLEAR the
Automatically download phone book updates check box,
and then click Next.
j. On the Dial-up Networking Entries page, select
VPN to Contoso (CM), and then click Next.
k. On the Routing Table Update page, select
Do not change the routing tables, and then click Next.
l. On the Automatic Proxy Configuration page, select
Do not configure proxy settings, and then click Next.
m. On the Custom Actions page, click New.
n. In the New Custom Action dialog box, complete the following
information:
Description: Quarantine policy checking
Program to run: c:\tools\RQScript.vbs
Parameters:
%TunnelRasEntry% %Domain% %UserName%
Action type: Post-connect
Run this custom action for: All connections (is default)
Include the custom action program: enable
Program interacts with the user: enable (is default)
and then click OK.
o. On the Custom Actions page, click Next.
p. On the Logon Bitmap page, select Default graphic, and then
click Next.
q. On the Phone Book Bitmap page, select Default graphic, and
then click Next.
r. On the Icons page, select Default icons, and then click Next.
s. On the Notification Area Shortcut Menu page, click Next.
t. On the Help File page, select Default Help file, and then click
Next.
u. On the Support Information page, click Next.
v. On the Connection Manager Software page, select
Install Connection Manager 1.3, and then click Next.
w. On the License Agreement page, click Next.
x. On the Additional Files page, click Add.
y. In the Browse dialog box, in the
C:\Program Files\cmak\support folder, select the rqc.exe
file, and then click Open.
z. On the Additional Files page, click Next.
aa. On the Ready to Build the Service Profile page, do NOT select
Advanced customization, and then click Next.
bb. On the Completing the Connection Manager Administration Kit
Wizard page, click Finish.
3. Create a new folder C:\Inetpub\Extranet.
Copy VPN_RQ.exe to the Extranet folder.
a. Use Windows Explorer (or My Computer) to open the
C:\Program Files\cmak\Profiles\VPN_RQ folder.
b. Right-click the VPN_RQ.exe file, and then click Copy.
c. In the Windows Explorer window, open the C:\Inetpub folder.
d. Right-click in the empty area of the Inetpub folder, click New,
and then click Folder.
e. In the New Folder text box, replace the text by typing
Extranet, and then press Enter.
f. Open the Extranet folder.
g. In the empty area of the Extranet folder, click Paste.
h. Close the Extranet folder.
4. Configure the default Web site to use port 81, and then start the
Web site (if this is not done already).
a. On the Start menu, click Administrative Tools, and then click
Internet Information Services (IIS) Manager.
b. In the IIS Manager console, expand PARIS (local computer),
expand Web Sites, right-click Default Web Site, and then
click Properties.
c. In the Default Web Site Properties dialog box, on the
Web Site tab, ensure that the TCP port text box is set to 81,
and then click OK.
d. If the Default Web Site is not started, then right-click
Default Web Site (Stopped), and then click Start.
5. Create a new virtual directory for the default Web site:
Alias: extranet
Path: C:\Inetpub\Extranet
Permissions: Read and Browse.
a. In the IIS Manager console, in the left pane, expand Default
Web Site.
b. Right-click Default Web Site, click New, and then click
Virtual Directory.
c. In the Virtual Directory Creation Wizard dialog box, click Next.
d. On the Virtual Directory Alias page, in the Alias text box, type
extranet, and then click Next.
e. On the Web Site Content Directory page, in the Path text box,
type C:\Inetpub\Extranet, and then click Next.
f. On the Virtual Directory Access Permissions page, complete
the following information:
Read: enable (is default)
Run scripts: disable (is default)
Execute: disable (is default)
Write: disable (is default)
Browse: ENABLE
and then click Next.
g. On the Completing the Virtual Directory Creation Wizard page,
click Finish.
h. Close the IIS Manager console.
6. Create a new Web listener.
Name: External Web 80
SSL: disable
Network: External
Compression: disable
Authentication: none
(If this is not done already)
a. In the ISA Server console, in the left pane, select
Firewall Policy.
b. In the task pane, on the Toolbox tab, in the Network Objects
section, expand Web Listeners (if possible).
c. If a Web listener named External Web 80 does not exist, then
right-click Web Listeners, and then click New Web Listener.
d. In the New Web Listener Definition Wizard dialog box, in the
Web listener name text box, type External Web 80, and then
click Next.
e. On the Client Connection Security page, select
Do not require SSL secured connections with clients, and
then click Next.
f. On the Web Listener IP Addresses page, complete the
following information:
Listen on network: External
ISA Server will compress content: disable
and then click Next.
g. On the Authentication Settings page, in the drop-down list box,
select No Authentication, and then click Next.
h. On the Single Sign On Settings page, click Next.
i. On the Completing the New Web Listener Wizard page, click
Finish.
7. Create a Web publishing rule.
Name: Extranet Web Site
Publishing type: single Web site
Internal site name: Paris
IP address: 10.1.1.1
Path: /extranet
Port: 81
Public name: www.contoso.com/extranet
Web listener: External Web 80
Delegation: none
a. In the left pane, select Firewall Policy.
b. In the right pane, select the first rule to indicate where the new
rule is added to the rule list.
c. In the task pane, on the Tasks tab, click Publish Web Sites.
d. In the New Web Publishing Rule Wizard dialog box, in the
Web publishing rule name text box, type Extranet Web Site,
and then click Next.
e. On the Select Rule Action page, select Allow, and then click
Next.
f. On the Publishing Type page, select Publish a single Web
site, and then click Next.
g. On the Server Connection Security page, select Use
non-secured connections to connect to the published
Web server, and then click Next.
h. On the Internal Publishing Details page, complete the
following information:
Internal site name: Paris
Use a computer name or IP address: enable
Computer name or IP address: 10.1.1.1
and then click Next.
i. On the next Internal Publishing Details page, complete the
following information:
Path: extranet/*
Forward the original host header: enable
and then click Next.
j. On the Public Name Details page, complete the following
information:
Accept requests for: This domain name (type below):
Public name: www.contoso.com
Path: /extranet/*
and then click Next.
k. On the Select Web Listener page, in the Web listener
drop-down list box, select External Web 80, and then click
Next.
l. On the Authentication Delegation page, select No delegation,
and client cannot authenticate directly, and then click Next.
m. On the User Sets page, click Next.
n. On the Completing the New Web Publishing Rule Wizard
page, click Finish.
o. In the right pane, select the Extranet Web Site Web
publishing rule, and then in the task pane, on the Tasks tab,
click Edit Selected Rule.
p. In the Extranet Web Site Properties dialog box, on the
Bridging tab, in the Redirect requests to HTTP port text
box, type 81.
q. Click OK to close the Products Web Site (on Paris) Properties
dialog box.
r. Click Apply to apply the new rule, and then click OK.
Perform the following steps on the Istanbul computer.

8. On the Istanbul computer, connect to
http://www.contoso.com/extranet
and install the VPN_RQ.exe Connection Manager profile.
a. On the Istanbul computer, open Internet Explorer. In the
Address box, type http://www.contoso.com/extranet, and
then press Enter.
b. In the extranet folder, right-click VPN_RQ.exe, and then click
Open.
c. In the File Download - Security Warning message box, click
Run.
d. In the Internet Explorer - Security Warning message box, click
Run to confirm that you want to run this software (without a
valid signature to verify the publisher).
e. In the VPN to Contoso (CM) message box, click Yes to
confirm that you want to install the Connection Manager
profile.
f. In the next VPN to Contoso (CM) dialog box, select My use
only, and then click OK.
g. Click Cancel to close the VPN to Contoso (CM) connection
dialog box.
h. Close the Network Connections window.
i. Close Internet Explorer.
Exercise 6: Using VPN Quarantine on the Client Computer
In this exercise, you will use the network access quarantine by creating a VPN connection from the
VPN client to the ISA Server.

Tasks Detailed steps

Perform the following steps on the Istanbul computer.

1. On the Istanbul computer, use the VPN to Contoso (CM)
connection to establish a VPN connection to the ISA Server.
User name: Administrator
Password: password
Domain: (empty)
a. On the Istanbul computer, on the Start menu, click
Control Panel, right-click Network Connections, and then
click Open.
b. In the Network Connections window, under
Connection Manager, right-click VPN to Contoso (CM), and
then click Connect.
c. In the VPN to Contoso (CM) connection dialog box, complete
the following information:
User name: Administrator
Password: password
Logon domain: (leave empty)
Save password: ENABLE
Connect automatically: disable (is default)
and then click Connect.
d. Click OK to close the Remote Access Quarantine message
box.
e. Open a Command Prompt window.
f. At the command prompt, type ipconfig, and then press Enter.
g. At the command prompt, type ping 10.3.1.1, and then press
Enter.
Perform the following steps on the Paris computer.

2. On the Paris computer, create a new access rule.
Name: Allow Ping from Quarantined VPN clients
Applies to: PING
From network: Quarantined VPN Clients
To network: Local Host
a. On the Paris computer, in the ISA Server console, in the left
pane, select Firewall Policy.
b. In the right pane, select the first rule to indicate where the new
rule is added to the rule list.
c. In the task pane, on the Tasks tab, click Create Access Rule.
d. In the New Access Rule Wizard dialog box, in the
Access rule name text box, type
Allow Ping from Quarantined VPN clients, and then click
Next.
e. On the Rule Action page, select Allow, and then click Next.
f. On the Protocols page, in the This rule applies to list box,
select Selected protocols, and then click Add.
g. In the Add Protocols dialog box,
click Common Protocols, click PING, and click Add,
and then click Close to close the Add Protocols dialog box.
h. On the Protocols page, click Next.
i. On the Access Rule Sources page, click Add.
j. In the Add Network Entities dialog box,
click Networks, click Quarantined VPN Clients, and click
Add,
and then click Close to close the Add Network Entities dialog
box.
k. On the Access Rule Sources page, click Next.
l. On the Access Rule Destinations page, click Add.
m. In the Add Network Entities dialog box,
click Networks, click Local Host, and click Add,
and then click Close to close the Add Network Entities dialog
box.
n. On the Access Rule Destinations page, click Next.
o. On the User Sets page, click Next.
p. On the Completing the New Access Rule Wizard page, click
Finish.
q. Click Apply to apply the new rule, and then click OK.
Perform the following steps on the Istanbul computer.
3. On the Istanbul computer, use the Ping command to test the
connection to the VPN tunnel end-point (10.3.1.1) and the
Internal network (10.1.1.5).
a. On the Istanbul computer, in the Reconnect message box,
click Yes.
b. In the VPN to Contoso (CM) connection dialog box, ensure
that the User name and Password information is still present,
and then click Connect.
c. Click OK to close the Remote Access Quarantine message
box.
d. At the command prompt, type ping 10.3.1.1, and then press
Enter.
e. At the command prompt, type ping 10.1.1.5, and then press
Enter.
f. If the Reconnect message box appears, click No to close the
message box.
4. Enable Windows Firewall.
a. On the Start menu, click Control Panel, and then click
Windows Firewall.
b. In the Windows Firewall message box, click Yes to confirm
that you want to start the Windows Firewall/ICS service.
c. After the Windows Firewall/ICS service has started, in the
Windows Firewall dialog box, on the General tab, select On,
and then click OK.
5. Use the VPN to Contoso (CM) connection to establish a VPN
connection to the ISA Server again.
a. In the Network Connections window, under
Connection Manager, right-click VPN to Contoso (CM), and
then click Connect.
b. In the VPN to Contoso (CM) connection dialog box, ensure
that the User name and Password information is still present,
and then click Connect.
c. Click OK to close the Remote Access Quarantine message
box.
Perform the following steps on the Paris computer.
6. On the Paris computer, start the Remote Access Quarantine
Agent (RQS.exe) service.
a. On the Paris computer, on the Start menu, click
Administrative Tools, and then click Services.
b. In the Services console, in the right pane, right-click
Remote Access Quarantine Agent, and then click Start.
c. Close the Services console.
Perform the following steps on the Istanbul computer.

7. On the Istanbul computer, use the VPN to Contoso (CM)
connection to establish a VPN connection to the ISA Server again.
Test the connection:
- Ping 10.1.1.5
- Run \\10.1.1.5
Disconnect the VPN connection again.
a. On the Istanbul computer, in the Reconnect message box,
click Yes.
b. In the VPN to Contoso (CM) connection dialog box, ensure
that the User name and Password information is still present,
and then click Connect.
c. Click OK to close the Remote Access Quarantine message
box.
d. At the command prompt, type ping 10.1.1.5, and then press
Enter.
e. Close the Command Prompt window.
f. On the Start menu, click Run.
g. In the Run dialog box, type \\10.1.1.5, and then click OK.
h. Close the \\10.1.1.5 window.
i. Right-click the connection icon in the system tray area, and
then click Disconnect.
8. Use the VPN to Contoso connection (not the Connection Manager)
to establish a VPN connection to the ISA Server.
Disconnect the VPN connection again.
a. In the Network Connections window, under
Virtual Private Network (not under Connection Manager),
right-click VPN to Contoso, and then click Connect.
b. In the Connect VPN to Contoso dialog box, complete the
following information:
User name: Administrator
Password: password
and then click Connect.
c. Wait (60 seconds) until the Reconnect VPN to Contoso
dialog box appears, and then click Cancel, or right-click the
connection icon in the system tray area, and then click
Disconnect.
9. Disable Windows Firewall.
a. On the Start menu, click Control Panel, and then click
Windows Firewall.
b. In the Windows Firewall dialog box, on the General tab, select
Off, and then click OK.
c. Close the Network Connections window.
Perform the following steps on the Paris computer.
10. On the Paris computer, disable VPN client access.
a. On the Paris computer, in the ISA Server console, in the left
pane, select Virtual Private Networks (VPN).
b. In the task pane, on the Tasks tab, click
Disable VPN Client Access.
c. Click Apply to save the changes, and then click OK.
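Exercises 4 to 6 assemble several separate pieces (the Quarantined VPN Clients network, the RQS service with its AllowedSet, the RQS access rule on TCP 7250, the 60-second disconnect timer, and the Connection Manager profile whose post-connect action runs RQScript.vbs and ships rqc.exe), and Exercise 6 then shows four connection attempts with different outcomes. The Python model below is an added example, not ISA Server, RQS or lab code; it wires those pieces together so that the four outcomes fall out of the configuration. The page does not show what RQScript.vbs checks, so this model assumes it reports compliance only when Windows Firewall is on, which is the setting Exercise 6 toggles; the class names, the "RQVersion2" mismatch case and the compliance check are this example's own.

```python
"""Constructed model of the VPN quarantine flow configured in Exercises 4 to 6.

Added illustration, not ISA Server or RQS code. It strings together the
pieces the lab configures: the Quarantined VPN Clients network, the RQS
listener on TCP 7250 with AllowedSet = RQVersion3, the 60-second disconnect
timer, the post-connect check run by the Connection Manager profile, and the
rqc.exe notification. What RQScript.vbs really tests is not on the page; this
model assumes it checks that Windows Firewall is on. Class names are the
example's own.
"""
from dataclasses import dataclass

RQS_PORT = 7250                 # "RQS - Network Quarantine" protocol definition
ALLOWED_SET = {"RQVersion3"}    # HKLM\SYSTEM\CurrentControlSet\Services\rqs\AllowedSet
QUARANTINE_TIMEOUT = 60         # "Disconnect quarantine users after (seconds)"


@dataclass
class VpnSession:
    """One VPN connection as ISA Server sees it."""
    network: str = "Quarantined VPN Clients"
    seconds_in_quarantine: int = 0
    disconnected: bool = False

    def tick(self, seconds: int) -> None:
        """Let time pass; only sessions still in quarantine are on the clock."""
        if self.network != "Quarantined VPN Clients" or self.disconnected:
            return
        self.seconds_in_quarantine += seconds
        if self.seconds_in_quarantine >= QUARANTINE_TIMEOUT:
            self.disconnected = True   # the "Reconnect" prompt seen in Exercise 6


@dataclass
class QuarantineAgent:
    """Server side: the Remote Access Quarantine Agent (RQS.exe) on Paris."""
    running: bool = False
    rqs_rule_present: bool = True   # "Allow RQS network quarantine notification"

    def notify(self, session: VpnSession, version: str) -> bool:
        """Handle an rqc.exe notification arriving on TCP 7250."""
        # Without the access rule the connection never reaches Local Host;
        # without the service nothing is listening on the port.
        if not self.rqs_rule_present or not self.running:
            return False
        # The version string the client sends must be listed in AllowedSet.
        if version not in ALLOWED_SET:
            return False
        session.network = "VPN Clients"
        return True


@dataclass
class VpnClient:
    """Client side: the Istanbul computer."""
    firewall_on: bool = False
    cm_profile: bool = True     # VPN to Contoso (CM) runs the post-connect action;
                                # the plain VPN to Contoso connection does not.
    script_version: str = "RQVersion3"

    def post_connect_check(self):
        """Assumed behaviour of RQScript.vbs: report compliance only if the firewall is on."""
        if not self.cm_profile:
            return None             # no custom action at all
        if not self.firewall_on:
            return None             # host non-compliant, rqc.exe not run
        return self.script_version  # rqc.exe sends this string to RQS


def simulate(client: VpnClient, agent: QuarantineAgent, wait_seconds: int = 90) -> str:
    """Connect, run the client check, deliver any notification, then let time pass."""
    session = VpnSession()
    version = client.post_connect_check()
    if version is not None:
        agent.notify(session, version)
    session.tick(wait_seconds)
    if session.disconnected:
        return f"disconnected after {QUARANTINE_TIMEOUT} s in quarantine"
    return session.network


def exercise6_outcomes():
    """The connection attempts of Exercise 6, in order, plus one extra case."""
    return {
        # Step 1: firewall off, RQS not started -> stays quarantined, dropped.
        "firewall off, RQS stopped": simulate(VpnClient(), QuarantineAgent()),
        # Step 5: firewall on, but the RQS service is not started yet.
        "firewall on, RQS stopped": simulate(VpnClient(firewall_on=True), QuarantineAgent()),
        # Step 7: firewall on and RQS started -> moved to VPN Clients.
        "firewall on, RQS running": simulate(VpnClient(firewall_on=True),
                                             QuarantineAgent(running=True)),
        # Step 8: plain VPN to Contoso connection has no post-connect action.
        "no CM profile, RQS running": simulate(VpnClient(firewall_on=True, cm_profile=False),
                                               QuarantineAgent(running=True)),
        # Constructed extra case: a profile built with a version string that is
        # not in AllowedSet is treated exactly like a silent client.
        "wrong version, RQS running": simulate(VpnClient(firewall_on=True, script_version="RQVersion2"),
                                               QuarantineAgent(running=True)),
    }


if __name__ == "__main__":
    for case, outcome in exercise6_outcomes().items():
        print(f"{case:30s} -> {outcome}")
```

The point the model makes for a defender: quarantine "fails closed". A client that never sends a valid notification, whether because the check failed, the notification could not reach the service, or the version string is unknown, is simply disconnected when the timer expires, and in the meantime it only has whatever the Quarantined VPN Clients rules grant (in this lab, PING to Local Host and the RQS port).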
Module F: ISA Server 2006 as Branch Office Gateway

Exercise 1: Configuring HTTP Compression to Reduce Bandwidth Usage
In this exercise, you will configure ISA Server to compress HTTP content when responding to requests
from client computers, and to request compressed HTTP content when connecting to other servers.

Tasks Detailed steps

Perform the following steps on the Istanbul computer.

1. On the Istanbul computer, examine the uncompressed file size of
content.htm in the Default Web Site.
a. On the Istanbul computer, on the Start menu, click
Administrative Tools, and then click
Internet Information Services (IIS) Manager.
b. In the IIS Manager console, expand
ISTANBUL (local computer), expand Web Sites, and then
select Default Web Site.
c. Right-click Default Web Site, and then click Open.
d. Close the c:\inetpub\wwwroot window.
e. Close the IIS Manager console.
2. Open the C:\Tools\Perfmon-sent.msc console.
a. Use Windows Explorer (or My Computer) to open the
C:\Tools folder.
b. In the Tools folder, right-click Perfmon-sent.msc, and then
click Open.
c. Close the C:\Tools folder.
Perform the following steps on the Paris computer.

3. On the Paris computer, create a new access rule.
Name: Allow Web access (Branch)
Applies to: HTTP
From network: Internal
To network: External
a. On the Paris computer, on the Start menu, click
All Programs, click Microsoft ISA Server, and then click
ISA Server Management.
b. In the left pane, expand Paris, and then select
Firewall Policy.
c. In the right pane, select the first rule, or select Default rule if
no other rule exists, to indicate where the new rule is added to
the rule list.
d. In the task pane, on the Tasks tab, click Create Access Rule.
e. In the New Access Rule Wizard dialog box, in the
Access rule name text box, type
Allow Web access (Branch), and then click Next.
f. On the Rule Action page, select Allow, and then click Next.
g. On the Protocols page, in the This rule applies to list box,
select Selected protocols, and then click Add.
h. In the Add Protocols dialog box,
click Common Protocols, click HTTP, click Add,
and then click Close to close the Add Protocols dialog box.
i. On the Protocols page, click Next.
j. On the Access Rule Sources page, click Add.
k. In the Add Network Entities dialog box,
click Networks, click Internal, click Add,
and then click Close to close the Add Network Entities dialog
box.
l. On the Access Rule Sources page, click Next.
m. On the Access Rule Destinations page, click Add.
n. In the Add Network Entities dialog box,
click Networks, click External, click Add,
and then click Close to close the Add Network Entities dialog
box.
o. On the Access Rule Destinations page, click Next.
p. On the User Sets page, click Next.
q. On the Completing the New Access Rule Wizard page, click
Finish.
4. Apply the changes.
a. Click Apply to apply the new rule, and then click OK.
Perform the following steps on the Denver computer.
5. On the Denver computer, open the C:\Tools\Perfmon-received.msc
console.
a. On the Denver computer, use Windows Explorer (or My
Computer) to open the C:\Tools folder.
b. In the Tools folder, right-click Perfmon-received.msc, and
then click Open.
c. Close the C:\Tools folder.
6. Use Internet Explorer to connect to
http://istanbul.fabrikam.com/content.htm
a. Open Internet Explorer. In the Address box, type
http://istanbul.fabrikam.com/content.htm, and then press
Enter.
7. Examine the peak bytes received per second in the Performance
console.
a. Switch to the Performance - Bytes Received console.
Perform the following steps on the Istanbul computer.

8. On the Istanbul computer, examine the peak bytes sent per second
in the Performance console.
a. On the Istanbul computer, switch to the Performance - Bytes
Sent console.
Perform the following steps on the Paris computer.
9. On the Paris computer, examine the two Web filters for HTTP
compression.
a. On the Paris computer, in the ISA Server console, under
Paris, expand Configuration, and then select Add-ins.
b. In the right pane, select the Web Filters tab.
10. Configure HTTP a. In the left pane, under Configuration, select General.
Compression. b. In the right pane, click Define HTTP Compression
Preferences.
Return Compressed
c. In the HTTP Compression dialog box, on the
Data:
Return Compressed Data tab, click the top Add button.
Internal
d. In the Add Network Entities dialog box,
Content types: click Networks, click Internal, and click Add,
- Documents and then click Close to close the Add Network Entities dialog
- HTML Documents box.
- Macro Documents e. On the Return Compressed Data tab, click Content Types.
- Text f. In the Content Types dialog box, complete the following
information:
66 de 106
Compress the selected content types only: enable (is
default)
Documents: enable
HTML Documents: enable (is default)
Macro Documents: enable
Text: enable (is default)
All other check boxes: disable.
and then click OK to close the Content Types dialog box.
g. Click OK to close the HTTP Compression dialog box.
h. Click Apply to apply the changes, and then click OK.
 Perform the following steps on the Denver computer.
11. On the Denver a. On the Denver computer, in Internet Explorer, on the Tools
computer, configure menu, click Internet Options.
Internet Explorer to use b. In the Internet Options dialog box, on the Connections tab,
HTTP 1.1 when click LAN Settings.
connection through a
c. Click Cancel to close the Local Area Network (LAN) Setting
proxy server.
dialog box.
d. On the Advanced tab, in the Settings list box, scroll to the
HTTP 1.1 settings section.
e. Enable the Use HTTP 1.1 through proxy connections check
box, and then click OK.
12. Refresh the content of a. In Internet Explorer, ensure that the
the Web page at http:// http://istanbul.fabrikam.com/content.htm Web page is
istanbul.fabrikam.com opened.
/ b. Hold the Ctrl-key, and then click the Refresh button on the
content.htm, by toolbar, to refresh the content of the Web page.
pressing Ctrl-F5 or
Ctrl-Refresh.
13. Examine the peak bytes a. Switch to the Performance - Bytes Received console.
received per second in
the Performance
console.
 Perform the following steps on the Istanbul computer.
14. On the Istanbul a. On the Istanbul computer, switch to the Performance - Bytes
computer, examine the Sent console.
peak bytes sent per
second in the
Performance console.
15. Configure IIS to enable a. On the Start menu, click Administrative Tools, and then click
HTTP compression. Internet Information Services (IIS) Manager.
b. In the IIS Manager console, expand,
Application files: yes ISTANBUL (local computer), right-click Web Sites, and then
Static files: yes click Properties.
c. In the Web Sites Properties dialog box, on the Service tab,
complete the following information:
Compress application files: enable
Compress static files: enable
and then click OK.
16. Restart IIS. a. In the IIS Manager console, in the left pane, right-click
ISTANBUL (local computer), click All Tasks, and then click
Restart IIS.
b. In the Stop/Start/Restart dialog box, in the drop-down list box,
select Restart Internet Services on ISTANBUL, and then
click OK.
c. Close the IIS Manager console.
17. Examine the IIS a. Use Windows Explorer (or My Computer) to open the
Temporary C:\Windows\IIS Temporary Compressed Files folder.
Compressed Files b. Do not close the IIS Temporary Compressed Files folder.
folder.
 Perform the following steps on the Paris computer.
18. On the Paris computer, a. On the Paris computer, in the ISA Server console, in the left
configure HTTP pane, select General.
Compression. b. In the right pane, click Define HTTP Compression
Preferences.
Request Compressed
c. In the HTTP Compression dialog box, on the
Data:
Request Compressed Data tab, click the top Add button.
External
d. In the Add Network Entities dialog box,
click Networks, click External, and click Add
and then click Close to close the Add Network Entities dialog
box.
e. Click OK to close the HTTP Compression dialog box.
f. Click Apply to apply the changes, and then click OK.
 Perform the following steps on the Denver computer.
19. On the Denver a. On the Denver computer, in Internet Explorer, ensure that the
computer, refresh the http://istanbul.fabrikam.com/content.htm Web page is
content of the Web opened.
page at http:// b. Hold the Ctrl-key, and then click the Refresh button on the
istanbul.fabrikam.com toolbar, to refresh the content of the Web page.
/
c. Wait five seconds, and then hold the Ctrl-key, and click the
content.htm, by
Refresh button on the toolbar again.
pressing Ctrl-F5 or
Ctrl-Refresh twice.
20. Examine the peak bytes a. Switch to the Performance - Bytes Received console.
received per second in
the Performance
console.
 Perform the following steps on the Istanbul computer.
21. On the Istanbul a. On the Istanbul computer, switch to the Performance - Bytes
computer, examine the Sent console.
peak bytes sent per b. Close the Performance - Bytes Sent console.
second in the
Performance console.
22. Examine the IIS a. Switch to the IIS Temporary Compressed Files folder.
Temporary b. Close the IIS Temporary Compressed Files folder.
Compressed Files
folder.
23. Configure IIS to disable a. On the Start menu, click Administrative Tools, and then click
HTTP compression. Internet Information Services (IIS) Manager.
b. In the IIS Manager console, expand,
Application files: no ISTANBUL (local computer), right-click Web Sites, and then
Static files: no click Properties.
c. In the Web Sites Properties dialog box, on the Service tab,
complete the following information:
Compress application files: disable
Compress static files: disable
and then click OK.
24. Restart IIS. a. In the IIS Manager console, in the left pane, right-click
ISTANBUL (local computer), click All Tasks, and then click
Restart IIS.
b. In the Stop/Start/Restart dialog box, in the drop-down list box,
select Restart Internet Services on ISTANBUL, and then
click OK.

68 de 106
c. Close the IIS Manager console.
 Perform the following steps on the Paris computer.
25. On the Paris computer, a. On the Paris computer, in the ISA Server console, in the left
disable HTTP pane, select General.
Compression. b. In the right pane, click Define HTTP Compression
Preferences.
c. In the HTTP Compression dialog box, on the
Return Compressed Data tab, select Internal, and then click
Remove.
d. On the Request Compressed Data tab, select External, and
then click Remove.
e. Click OK to close the HTTP Compression dialog box.
f. Click Apply to apply the changes, and then click OK.
 Perform the following steps on the Denver computer.
26. Close the Performance a. Close the Performance - Bytes Received console.
console and close b. Close Internet Explorer.
Internet Explorer.
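The following Python model is an added example, not code from the lab manual or from ISA Server. It shows the decision the exercise above configures: the proxy returns gzip-compressed data to the Internal network only for the selected content-type groups, and only when the client announced gzip support in an HTTP/1.1 request (which is why the exercise enables "Use HTTP 1.1 through proxy connections" in Internet Explorer before the byte counts drop). The MIME-type-to-group mapping, the sample page and all function names are this example's assumptions, not ISA's internal tables.

```python
"""Added example (not from the lab manual or ISA Server): models the HTTP
compression decision configured in tasks 10, 11 and 18 of this exercise.
The MIME-type-to-group mapping below is an assumption made for the example."""
import gzip

# Content-type groups enabled in task 10 (f); the lab leaves the other groups disabled.
ENABLED_GROUPS = {"Documents", "HTML Documents", "Macro Documents", "Text"}

# Assumed mapping of MIME types to the lab's content-type group names.
MIME_GROUP = {
    "text/html": "HTML Documents",
    "text/plain": "Text",
    "text/css": "Text",
    "application/msword": "Documents",
    "application/vnd.ms-excel": "Macro Documents",
    "image/jpeg": "Images",
    "image/gif": "Images",
}


def client_accepts_gzip(request_headers: dict, http_version: str) -> bool:
    """An HTTP/1.0 request (Internet Explorer without 'Use HTTP 1.1 through
    proxy connections') is treated as not accepting a compressed response."""
    if http_version != "HTTP/1.1":
        return False
    accept = request_headers.get("Accept-Encoding", "")
    tokens = [t.split(";")[0].strip().lower() for t in accept.split(",")]
    return "gzip" in tokens


def should_compress(content_type: str, request_headers: dict, http_version: str) -> bool:
    """Compress only when the client can decode it and the type is in an enabled group."""
    mime = content_type.split(";")[0].strip().lower()
    group = MIME_GROUP.get(mime, "Other")
    return client_accepts_gzip(request_headers, http_version) and group in ENABLED_GROUPS


def build_response(body: bytes, content_type: str, request_headers: dict, http_version: str):
    """Return (headers, body) as the proxy would hand them to the client."""
    headers = {"Content-Type": content_type}
    if should_compress(content_type, request_headers, http_version):
        body = gzip.compress(body, compresslevel=6)
        headers["Content-Encoding"] = "gzip"
        headers["Vary"] = "Accept-Encoding"   # caches must key on the encoding
    headers["Content-Length"] = str(len(body))
    return headers, body


# Constructed sample page standing in for content.htm; repetitive markup compresses well.
SAMPLE_HTML = b"<html><body>" + b"<p>Fabrikam sales report line item</p>\n" * 200 + b"</body></html>"


def bytes_saved(body: bytes = SAMPLE_HTML) -> int:
    """Wire bytes saved between the HTTP/1.0 path and the HTTP/1.1 gzip path:
    the difference the lab reads off the Bytes Received performance counter."""
    _, plain = build_response(body, "text/html", {}, "HTTP/1.0")
    _, gz = build_response(body, "text/html", {"Accept-Encoding": "gzip, deflate"}, "HTTP/1.1")
    assert gzip.decompress(gz) == plain   # the client still sees identical content
    return len(plain) - len(gz)


if __name__ == "__main__":
    print("bytes saved on the sample page:", bytes_saved())
```

Run the file to see the saving on the constructed page; image types and HTTP/1.0 clients go through uncompressed, which is exactly what the first two refreshes in the exercise measure.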

Exercise 2: Configuring ISA Server to Cache BITS Content
In this exercise, you will configure ISA Server to cache Background Intelligent Transfer Service (BITS) content, and request ranges from cached files.

Tasks / Detailed steps

Perform the following steps on the Paris computer.

1. On the Paris computer, define a cache drive.
   Cache size: 10 MB
   a. On the Paris computer, in the ISA Server console, under Configuration, select Cache.
   b. In the right pane, select the Cache Drives tab.
   c. In the task pane, on the Tasks tab, click Define Cache Drives (Enable Caching).
   d. In the Define Cache Drives dialog box, in the Maximum cache size (MB) text box, type 10, and then click Set.
   e. Click OK to close the Define Cache Drives dialog box.

2. Apply the changes and restart the Firewall service.
   a. Click Apply to apply the changes.
   b. In the ISA Server Warning dialog box, CHANGE the current selection, select Save the changes and restart the services, and then click OK.
   c. Click OK to close the Saving Configuration Changes dialog box.

3. Open a Command Prompt window to verify the existence of the disk cache file.
   File: c:\urlcache\Dir1.cdat
   a. Open a Command Prompt window.
   b. At the command prompt, type cd \urlcache, and then press Enter.
   c. Type dir, and then press Enter.

4. Examine the BITS caching setting for the Default rule.
   a. In the ISA Server console, in the left pane, select Cache.
   b. In the right pane, select the Cache Rules tab.
   c. Right-click Default rule, and then click Properties.
   d. In the Default rule Properties dialog box, select the Advanced tab.
   e. Click Cancel to close the Default rule Properties dialog box.

5. Examine the BITS caching setting for the Microsoft Update Cache Rule.
   a. In the right pane, right-click Microsoft Update Cache Rule, and then click Properties.
   b. In the Microsoft Update Cache Rule Properties dialog box, select the Advanced tab.
   c. On the To tab, select Microsoft Update Domain Name Set, and then click Edit.
   d. Click Cancel to close the Microsoft Update Domain Name Set Properties dialog box.
   e. Click Cancel to close the Microsoft Update Cache Rule Properties dialog box.

6. Add istanbul.fabrikam.com to Microsoft Update Domain Name Set.
   a. Right-click Microsoft Update Cache Rule, and then click Properties.
   b. On the To tab, select Microsoft Update Domain Name Set, and then click Edit.
   c. In the Microsoft Update Domain Name Set Properties dialog box, click Add.
   d. Replace the New Domain text by typing istanbul.fabrikam.com, and then press Enter.
   e. Click OK to close the Microsoft Update Domain Name Set Properties dialog box.
   f. Click OK to close the Microsoft Update Cache Rule Properties dialog box.

7. Apply the changes.
   a. Click Apply to apply the changes, and then click OK.

8. Verify the existence of the Allow Web access (Branch) firewall rule.
   a. In the left pane, select Firewall Policy.

Perform the following steps on the Denver computer.

9. On the Denver computer, examine the BITS service.
   a. On the Denver computer, on the Start menu, click Administrative Tools, and then click Services.
   b. In the Services console, in the right pane, select Background Intelligent Transfer Service.
   c. Close the Services console.

10. Examine the bitsclient.cmd and bitsadmin.exe tools.
    Folder: C:\Tools
    a. Open a Command Prompt window.
    b. At the command prompt, type cd \tools, and then press Enter.
    c. Type dir, and then press Enter.

11. Use the bitsclient tool to download the content2.htm file from Istanbul.
    a. At the command prompt, type bitsclient, and then press Enter.
    b. Type bitsclient http://istanbul.fabrikam.com/content2.htm, and then press Enter.

Perform the following steps on the Paris computer.

12. On the Paris computer, use the find command to verify the presence of the content2.htm content in the disk cache file.
    a. On the Paris computer, in the Command Prompt window, in the C:\urlcache folder, type find /i "content2.htm" dir1.cdat, and then press Enter.
    b. After a few seconds, press Ctrl-C to interrupt the find command, and to avoid searching the entire 10 MB disk cache file.
    c. Close the Command Prompt window.

Perform the following steps on the Istanbul computer.

13. On the Istanbul computer, disable the Local Area Connection network adapter.
    a. On the Istanbul computer, on the Start menu, click Control Panel, right-click Network Connections, and then click Open.
    b. In the Network Connections window, right-click Local Area Connection, and then click Disable.

Perform the following steps on the Denver computer.

14. On the Denver computer, for demonstration purposes, request the 11 bytes starting at position 749 in the content2.htm file.
    a. On the Denver computer, in the Command Prompt window, in the C:\Tools folder, type bitsclient http://istanbul.fabrikam.com/content2.htm 749:11, and then press Enter.
    b. Type type bits-job1.txt, and then press Enter.
    c. Close the Command Prompt window.

Perform the following steps on the Istanbul computer.

15. On the Istanbul computer, enable the Local Area Connection network adapter.
    a. On the Istanbul computer, in the Network Connections window, right-click Local Area Connection, and then click Enable.
    b. Close the Network Connections window.

Perform the following steps on the Paris computer.

16. On the Paris computer, disable caching.
    a. On the Paris computer, in the ISA Server console, in the left pane, select Cache.
    b. In the right pane, select the Cache Drives tab.
    c. In the task pane, on the Tasks tab, click Disable Caching.
    d. Click Yes to confirm that you want to disable caching.

17. Apply the changes and restart the Firewall service.
    a. Click Apply to apply the changes.
    b. In the ISA Server Warning dialog box, CHANGE the current selection, select Save the changes and restart the services, and then click OK.
    c. Click OK to close the Saving Configuration Changes dialog box.
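The following Python model is an added example and is neither the lab's nor ISA Server's code. BITS transfers are ordinary HTTP/1.1 GET requests that carry a Range header, so the "749:11" argument in task 14 amounts to a request for bytes 749 to 759 of content2.htm, which the proxy can answer from the Dir1.cdat disk cache while the Istanbul adapter is disabled. The proxy class, the cache-keying, the status codes on a miss and the translation of bitsclient's offset:length argument are this example's assumptions; the content2.htm body is constructed.

```python
"""Added example (not from the lab manual or ISA Server): a minimal model of the
range-from-cache behaviour exercised in tasks 11 to 14. The proxy class, the
offset:length translation and the miss handling are assumptions made here."""
import re


def bits_range_header(offset: int, length: int) -> str:
    """Turn the lab's offset:length notation into an HTTP byte-range header
    (byte ranges are inclusive on both ends, hence length - 1)."""
    if offset < 0 or length <= 0:
        raise ValueError("offset must be >= 0 and length > 0")
    return f"bytes={offset}-{offset + length - 1}"


_RANGE_RE = re.compile(r"^bytes=(\d+)-(\d*)$")


def slice_range(body: bytes, range_header: str):
    """Apply a single byte range to a cached body.
    Returns (status, headers, payload); 416 when the range starts past the end."""
    m = _RANGE_RE.match(range_header.strip())
    if not m:
        return 400, {}, b""
    start = int(m.group(1))
    end = int(m.group(2)) if m.group(2) else len(body) - 1
    if start >= len(body):
        return 416, {"Content-Range": f"bytes */{len(body)}"}, b""
    end = min(end, len(body) - 1)
    chunk = body[start:end + 1]
    headers = {
        "Content-Range": f"bytes {start}-{end}/{len(body)}",
        "Content-Length": str(len(chunk)),
        "Accept-Ranges": "bytes",
    }
    return 206, headers, chunk


class CachingProxy:
    """Keeps whole objects (as the ISA disk cache does in Dir1.cdat) and serves
    ranges from them; the origin server is contacted only on a cache miss."""

    def __init__(self, origin: dict):
        self.origin = origin        # url -> full body; constructed stand-in for Istanbul
        self.origin_up = True       # task 13 flips this to False
        self.cache = {}

    def get(self, url: str, range_header=None):
        if url not in self.cache:
            if not self.origin_up or url not in self.origin:
                return 504, {}, b""          # miss and no reachable origin
            self.cache[url] = self.origin[url]   # BITS content is cached whole
        body = self.cache[url]
        if range_header is None:
            return 200, {"Content-Length": str(len(body))}, body
        return slice_range(body, range_header)


# Constructed stand-in for content2.htm on Istanbul.
CONTENT2 = b"<html><body>" + b"Fabrikam BITS sample line\n" * 40 + b"</body></html>"
CONTENT2_URL = "http://istanbul.fabrikam.com/content2.htm"


def lab_sequence():
    """Replays tasks 11 to 14: full download, origin offline, range served from cache."""
    proxy = CachingProxy({CONTENT2_URL: CONTENT2})
    status_full, _, _ = proxy.get(CONTENT2_URL)        # task 11 populates the cache
    proxy.origin_up = False                            # task 13 disables the adapter
    status_rng, hdrs, chunk = proxy.get(CONTENT2_URL, bits_range_header(749, 11))  # task 14
    return status_full, status_rng, hdrs["Content-Range"], chunk


if __name__ == "__main__":
    print(lab_sequence())
```

The same request against an object that was never cached fails once the origin is offline, which is the contrast the exercise sets up by downloading the whole file first.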

Exercise 3: Configuring DiffServ Settings to Prioritize Network Traffic

In this exercise, you will configure ISA Server to use Differentiated Services (DiffServ) tagging of HTTP and HTTPS network packets.

Tasks / Detailed steps

Perform the following steps on the Paris computer.

1. On the Paris computer, enable the Web filter for DiffServ tagging.
   a. On the Paris computer, in the ISA Server console, under Paris, expand Configuration, and then select Add-ins.
   b. In the right pane, select the Web Filters tab.
   c. In the right pane, select DiffServ Filter, and then in the task pane, on the Tasks tab, click Enable Selected Filters.
   d. Click Apply to apply the changes, and then click OK.

2. Define new DiffServ priorities.
   Name: High priority; DiffServ bits: 100110; Size limit: 700 bytes
   Name: Medium priority; DiffServ bits: 110110; Size limit: None
   a. In the left pane, select General.
   b. In the right pane, click Specify DiffServ Preferences.
   c. In the HTTP DiffServ dialog box, on the General tab, select Enable network traffic prioritization.
   d. On the Priorities tab, click Add.
   e. In the Add Priority dialog box, complete the following information:
      Priority name: High priority
      DiffServ bits: 100110
      Apply a size limit to this priority: enable
      Size limit: 700
      and then click OK.
   f. On the Priorities tab, click Add.
   g. In the Add Priority dialog box, complete the following information:
      Priority name: Medium priority
      DiffServ bits: 110110
      Apply a size limit to this priority: disable (is default)
      and then click OK.

3. Assign priorities to URLs.
   URL: istanbul.fabrikam.com/sales/*; Priority: High priority
   URL: istanbul.fabrikam.com/*; Priority: Medium priority
   a. In the HTTP DiffServ dialog box, on the URLs tab, click Add.
   b. In the Add URL Priority dialog box, complete the following information:
      URL: istanbul.fabrikam.com/sales/*
      Priority: High priority
      and then click OK.
   c. On the URLs tab, click Add.
   d. In the Add URL Priority dialog box, complete the following information:
      URL: istanbul.fabrikam.com/*
      Priority: Medium priority
      and then click OK.

4. Assign priorities to Domains.
   Domain: *.fabrikam.com; Priority: Medium priority
   a. In the HTTP DiffServ dialog box, on the Domains tab, click Add.
   b. In the Add Domain Priority dialog box, complete the following information:
      Domain: *.fabrikam.com
      Priority: Medium priority
      and then click OK.

5. Enable DiffServ tagging for the External network.
   a. In the HTTP DiffServ dialog box, on the Networks tab, select External.
   b. Click OK to close the HTTP DiffServ dialog box.

6. Apply the changes.
   a. Click Apply to apply the changes, and then click OK.

7. Start the log viewer.
   a. In the ISA Server console, in the left pane, select Monitoring.
   b. In the right pane, select the Logging tab.
   c. In the task pane, on the Tasks tab, click Start Query.

8. Verify the existence of the Allow Web access (Branch) firewall rule.
   a. In the left pane, select Firewall Policy.

Perform the following steps on the Denver computer.

9. On the Denver computer, use Internet Explorer to connect to http://istanbul.fabrikam.com/default.htm.
   a. On the Denver computer, open Internet Explorer. In the Address box, type http://istanbul.fabrikam.com/default.htm, and then press Enter.
   b. Close Internet Explorer.

Perform the following steps on the Paris computer.

10. On the Paris computer, stop the log viewer.
    a. On the Paris computer, in the ISA Server console, in the left pane, select Monitoring.
    b. In the right pane, select the Logging tab.
    c. In the task pane, on the Tasks tab, click Stop Query.

11. Add the Filter Information column to the list of displayed columns.
    a. In the right pane, right-click the Log Time column header (or another column header), and then click Add/Remove Columns.
    b. In the Add/Remove Columns dialog box, in the Available columns list box, select Filter Information, and then click Add.
    c. In the Displayed columns list, select Filter Information, and then click Move Up, so that the new column is not last in the list.
    d. Click OK to close the Add/Remove Columns dialog box.

12. Examine the contents of the Filter Information log field.
    a. In the right pane, scroll the list of log field columns, so that you can see the Filter Information column near the end of the list.
    b. In the column headers, double-click the small line between the Filter Information column and the next column.
    c. Scroll the list of log entries until you see text in the Filter Information field.
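The following Python classifier is an added example, not the lab's or ISA Server's code. It applies the priorities, URL rules, domain rule and network selection configured in tasks 2 to 5 to a request and returns the DSCP value that would be written into the outgoing packets. ISA's exact precedence between URL and domain rules, and what happens to an object that exceeds a priority's size limit, are not stated on this page; the example assumes the most specific URL pattern wins over a domain pattern and that an over-limit object is left untagged. The six DiffServ bits are the DSCP, which occupies the upper six bits of the IP DS byte.

```python
"""Added example (not from the lab manual or ISA Server): applies the DiffServ
configuration from tasks 2 to 5 to a request. Matching order and size-limit
handling are assumptions made for this example."""
from fnmatch import fnmatchcase
from typing import Optional
from urllib.parse import urlsplit

# Task 2: priority name -> (DiffServ bits, size limit in bytes or None)
PRIORITIES = {
    "High priority": ("100110", 700),
    "Medium priority": ("110110", None),
}
# Task 3: URL patterns (host + path, no scheme) and task 4: domain patterns.
URL_RULES = [
    ("istanbul.fabrikam.com/sales/*", "High priority"),
    ("istanbul.fabrikam.com/*", "Medium priority"),
]
DOMAIN_RULES = [("*.fabrikam.com", "Medium priority")]
# Task 5: packets are tagged on the External network only.
TAGGED_NETWORKS = {"External"}


def dscp_value(bits: str) -> int:
    """Six DiffServ bits as an integer DSCP (0-63)."""
    if len(bits) != 6 or set(bits) - {"0", "1"}:
        raise ValueError("DiffServ bits must be six binary digits")
    return int(bits, 2)


def ds_byte(bits: str) -> int:
    """DS field byte as carried in the IP header: DSCP << 2, ECN bits zero."""
    return dscp_value(bits) << 2


def match_priority(url: str) -> Optional[str]:
    """Most specific (longest) URL pattern first, then domain patterns (assumption)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    host_path = host + (parts.path or "/")
    for pattern, prio in sorted(URL_RULES, key=lambda r: -len(r[0])):
        if fnmatchcase(host_path, pattern):
            return prio
    for pattern, prio in DOMAIN_RULES:
        if fnmatchcase(host, pattern):
            return prio
    return None


def classify(url: str, size: int, network: str = "External") -> int:
    """DSCP to tag the packets of this object with; 0 means untagged."""
    if network not in TAGGED_NETWORKS:
        return 0
    prio = match_priority(url)
    if prio is None:
        return 0
    bits, limit = PRIORITIES[prio]
    if limit is not None and size > limit:
        return 0   # assumption: an object over the size limit loses that priority
    return dscp_value(bits)


if __name__ == "__main__":
    for u, s in [("http://istanbul.fabrikam.com/sales/report.htm", 500),
                 ("http://istanbul.fabrikam.com/default.htm", 4096),
                 ("http://www.fabrikam.com/index.htm", 100),
                 ("http://www.contoso.com/", 100)]:
        print(u, s, "-> DSCP", classify(u, s))
```

The Filter Information column examined in task 12 is where the lab shows which priority the filter applied; the classifier above makes the same choice explicit for any URL and size you pass in.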

Module G: Enterprise Management of ISA Servers

Exercise 1: Enterprise Policies and Array Policies

In this exercise, you will create an enterprise policy, and apply this policy to multiple ISA Server arrays.

Tasks / Detailed steps

Perform the following steps on the Florence computer.

1. On the Florence computer, in the ISA Server console, examine the Enterprise node, the Arrays node and the Servers node.
   a. On the Florence computer, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.
   b. In the ISA Server console, in the left pane, expand Enterprise.
   c. Expand Enterprise Policies, and then select Default Policy.
   d. In the left pane, select Arrays.
   e. Expand Arrays, expand ITALY, expand Configuration, and then select Servers.

2. Examine the Configuration Storage server (CSS) settings.
   a. In the left pane, select Arrays.
   b. Scroll the right pane, so that you can see the Configuration Server column.
   c. Right-click ITALY, and then click Properties.
   d. In the ITALY Properties dialog box, select the Configuration Storage tab.
   e. Click Cancel to close the ITALY Properties dialog box.
   f. In the left pane, expand PORTUGAL, expand Configuration, and then select Servers.

3. Examine the four components of the firewall policy rule list:
   - System policy rules
   - Enterprise rules (before)
   - Array-level rules
   - Enterprise rules (after)
   a. In the left pane, expand Arrays, expand ITALY, and then select Firewall Policy (ITALY).
   b. In the task pane, on the Tasks tab, click Show System Policy Rules.
   c. On the Tasks tab, click Hide System Policy Rules.

4. Create a new enterprise policy.
   Name: Company Enterprise Policy
   a. In the left pane, expand Enterprise, expand Enterprise Policies, and then select Enterprise Policies.
   b. In the task pane, on the Tasks tab, click Create New Enterprise Policy.
   c. In the New Enterprise Policy Wizard dialog box, in the Enterprise policy name text box, type Company Enterprise Policy, and then click Next.
   d. On the Completing the New Enterprise Policy Wizard page, click Finish.
   e. In the left pane (NOT the right pane), select Company Enterprise Policy.

5. Create an enterprise network.
   Name: All Internal Networks
   Network addresses: 10.1.1.0 - 10.1.1.255, 10.4.1.0 - 10.4.1.255
   a. In the left pane, select Enterprise Networks.
   b. In the task pane, on the Tasks tab, click Create a New Network.
   c. In the New Network Wizard dialog box, in the Network name text box, type All Internal Networks, and then click Next.
   d. On the Network Addresses page, click Add Range.
   e. In the IP Address Range Properties dialog box, complete the following information:
      Start address: 10.1.1.0
      End address: 10.1.1.255
      and then click OK.
   f. On the Network Addresses page, click Add Range again.
   g. In the IP Address Range Properties dialog box, complete the following information:
      Start address: 10.4.1.0
      End address: 10.4.1.255
      and then click OK.
   h. On the Network Addresses page, click Next.
   i. On the Completing the New Network Wizard page, click Finish.

6. In Company Enterprise Policy, create a new access rule.
   Name: Baseline - Allow HTTP traffic to Internet
   Applies to: HTTP
   From network: All Internal Networks
   To network: External
   a. In the left pane, select Company Enterprise Policy, and then in the right pane, select Default rule.
   b. In the task pane, on the Tasks tab, click Create Enterprise Access Rule.
   c. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Baseline - Allow HTTP traffic to Internet, and then click Next.
   d. On the Rule Action page, select Allow, and then click Next.
   e. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.
   f. In the Add Protocols dialog box, click Common Protocols, click HTTP, click Add, and then click Close to close the Add Protocols dialog box.
   g. On the Protocols page, click Next.
   h. On the Access Rule Sources page, click Add.
   i. In the Add Network Entities dialog box, click Enterprise Networks, click All Internal Networks, click Add, and then click Close to close the Add Network Entities dialog box.
   j. On the Access Rule Sources page, click Next.
   k. On the Access Rule Destinations page, click Add.
   l. In the Add Network Entities dialog box, click Enterprise Networks, click External, click Add, and then click Close to close the Add Network Entities dialog box.
   m. On the Access Rule Destinations page, click Next.
   n. On the User Sets page, click Next.
   o. On the Completing the New Access Rule Wizard page, click Finish.

7. Assign Company Enterprise Policy to the ITALY array.
   a. In the left pane, right-click ITALY, and then click Properties.
   b. In the ITALY Properties dialog box, select the Policy Settings tab.
   c. In the Enterprise policy list box, select Company Enterprise Policy.
   d. Click OK to close the ITALY Properties dialog box.

8. Assign Company Enterprise Policy to the PORTUGAL array.
   a. In the left pane, right-click PORTUGAL, and then click Properties.
   b. In the PORTUGAL Properties dialog box, select the Policy Settings tab.
   c. In the Enterprise policy list box, select Company Enterprise Policy.
   d. Click OK to close the PORTUGAL Properties dialog box.

9. Examine the firewall policy of the PORTUGAL array.
   a. In the left pane, select Firewall Policy (PORTUGAL).
   b. In the right pane, right-click the Baseline - Allow HTTP traffic to Internet rule, and then click Properties.
   c. In the access rule properties dialog box, select the Action tab.
   d. Click Cancel to close the access rule properties dialog box.

10. Collapse the PORTUGAL node.
    a. In the left pane, collapse the PORTUGAL node.

11. Create a new enterprise protocol definition.
    Name: Attack Ports
    Protocols: TCP 12345 (outbound), TCP 31337 (outbound)
    a. In the left pane, select Enterprise Policies.
    b. In the task pane, on the Toolbox tab, in the Protocols section, on the New menu, click Protocol.
    c. In the New Protocol Definition Wizard dialog box, in the Protocol definition name text box, type Attack Ports, and then click Next.
    d. On the Primary Connection Information page, click New.
    e. In the New/Edit Protocol Connection dialog box, complete the following information:
       Protocol type: TCP
       Direction: Outbound
       From: 12345
       To: 12345
       and then click OK.
    f. On the Primary Connection Information page, click New.
    g. In the New/Edit Protocol Connection dialog box, complete the following information:
       Protocol type: TCP
       Direction: Outbound
       From: 31337
       To: 31337
       and then click OK.
    h. On the Primary Connection Information page, click Next.
    i. On the Secondary Connections page, click Next.
    j. On the Completing the New Protocol Definition Wizard page, click Finish.

12. In Company Enterprise Policy, create a new access rule.
    Name: Block - Trojan horse traffic
    Applies to: Attack Ports
    From network: All Internal Networks
    To network: External
    a. In the left pane, select Company Enterprise Policy, and then in the right pane, select Baseline - Allow HTTP traffic to Internet.
    b. In the task pane, on the Tasks tab, click Create Enterprise Access Rule.
    c. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Block - Trojan horse traffic, and then click Next.
    d. On the Rule Action page, select Deny, and then click Next.
    e. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.
    f. In the Add Protocols dialog box, click User-Defined, click Attack Ports, click Add, and then click Close to close the Add Protocols dialog box.
    g. On the Protocols page, click Next.
    h. On the Access Rule Sources page, click Add.
    i. In the Add Network Entities dialog box, click Enterprise Networks, click All Internal Networks, click Add, and then click Close to close the Add Network Entities dialog box.
    j. On the Access Rule Sources page, click Next.
    k. On the Access Rule Destinations page, click Add.
    l. In the Add Network Entities dialog box, click Enterprise Networks, click External, click Add, and then click Close to close the Add Network Entities dialog box.
    m. On the Access Rule Destinations page, click Next.
    n. On the User Sets page, click Next.
    o. On the Completing the New Access Rule Wizard page, click Finish.
    p. Right-click Block - Trojan horse traffic, and then click Move Up.

13. Examine the firewall policy of the ITALY array.
    a. In the left pane, select Firewall Policy (ITALY).
    b. In the task pane, on the Toolbox tab, in the Protocols section, expand User-Defined.

14. Assign Default Policy to the ITALY array.
    a. In the left pane, right-click ITALY, and then click Properties.
    b. In the ITALY Properties dialog box, select the Policy Settings tab.
    c. In the Enterprise policy list box, select Default Policy, and then click OK.
    d. In the left pane, select Firewall Policy (ITALY).

15. Discard the changes.
    a. In the right pane, click Discard to discard all the changes made in this exercise.
    b. Click Yes to confirm that you want to discard the changes.
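The following Python evaluator is an added example, not the lab's or ISA Server's policy engine. It walks the merged rule list whose four components task 3 examines (system policy rules, enterprise rules placed before the array rules, the array-level rules, enterprise rules placed after them, then the default deny) and returns the first matching rule, which is why the "Move Up" in task 12 matters. The IP ranges, the Attack Ports definition and the two enterprise rules come from tasks 5, 6, 11 and 12; the array-level allow rule, the built-in HTTP definition and the sample connections are constructed for the example.

```python
"""Added example (not from the lab manual or ISA Server): first-match evaluation
of the merged enterprise/array rule list from Module G, Exercise 1. The
array-level rule and sample connections are constructed for the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Task 5: the enterprise network, written here as the two equivalent CIDR blocks.
ENTERPRISE_NETWORKS = {
    "All Internal Networks": [ip_network("10.1.1.0/24"), ip_network("10.4.1.0/24")],
}

# Protocol definitions: the lab's Attack Ports (task 11) plus HTTP (assumed as tcp/80).
PROTOCOLS = {
    "HTTP": {("tcp", 80)},
    "Attack Ports": {("tcp", 12345), ("tcp", 31337)},
}


@dataclass
class Rule:
    name: str
    action: str        # "allow" or "deny"
    protocols: set     # protocol definition names, or {"*"} for all traffic
    from_net: str
    to_net: str        # "External", an enterprise network name, or "Any"


@dataclass
class Connection:
    src: object        # ipaddress address object
    dst_net: str
    proto: str
    port: int


def source_in(ip, net_name: str) -> bool:
    if net_name == "Any":
        return True
    if net_name == "External":
        # External is everything not covered by a defined internal network.
        return not any(ip in n for n in ENTERPRISE_NETWORKS["All Internal Networks"])
    return any(ip in n for n in ENTERPRISE_NETWORKS[net_name])


def rule_matches(rule: Rule, conn: Connection) -> bool:
    proto_ok = "*" in rule.protocols or any(
        (conn.proto, conn.port) in PROTOCOLS[p] for p in rule.protocols)
    dst_ok = rule.to_net in ("Any", conn.dst_net)
    return proto_ok and dst_ok and source_in(conn.src, rule.from_net)


DEFAULT_RULE = Rule("Default rule", "deny", {"*"}, "Any", "Any")


def merged_policy(system, ent_before, array, ent_after):
    """The order an array member evaluates: the four components, then the default rule."""
    return list(system) + list(ent_before) + list(array) + list(ent_after) + [DEFAULT_RULE]


def evaluate(policy, conn: Connection):
    """First matching rule decides; the default rule guarantees a result."""
    for rule in policy:
        if rule_matches(rule, conn):
            return rule.action, rule.name
    raise AssertionError("default rule always matches")


# Tasks 6 and 12, after "Move Up" placed the deny rule above the allow rule.
ENTERPRISE_BEFORE = [
    Rule("Block - Trojan horse traffic", "deny", {"Attack Ports"},
         "All Internal Networks", "External"),
    Rule("Baseline - Allow HTTP traffic to Internet", "allow", {"HTTP"},
         "All Internal Networks", "External"),
]
# Constructed array-level rule: a broad allow an array administrator might add.
ARRAY_RULES = [Rule("Allow all outbound (array, constructed)", "allow", {"*"},
                    "All Internal Networks", "External")]


def decide(src: str, dst_net: str, proto: str, port: int):
    """Decision under the lab's layout: both enterprise rules before the array rules."""
    policy = merged_policy([], ENTERPRISE_BEFORE, ARRAY_RULES, [])
    return evaluate(policy, Connection(ip_address(src), dst_net, proto, port))


def decide_with_deny_after(src: str, dst_net: str, proto: str, port: int):
    """Same rules, but the deny placed in the 'enterprise rules (after)' section:
    the array-level allow is evaluated first and the baseline deny is never reached."""
    policy = merged_policy([], [ENTERPRISE_BEFORE[1]], ARRAY_RULES, [ENTERPRISE_BEFORE[0]])
    return evaluate(policy, Connection(ip_address(src), dst_net, proto, port))


if __name__ == "__main__":
    print(decide("10.1.1.5", "External", "tcp", 31337))
    print(decide_with_deny_after("10.1.1.5", "External", "tcp", 31337))
```

The two functions differ only in which enterprise section holds the deny rule; placing baseline denies in the "before" section is what keeps an array administrator's broader allow rules from overriding them.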

Exercise 2: Remote Management and Role-based Administration
In this exercise, you will configure ISA Server to allow remote management.

You can connect remotely to manage ISA Server using the ISA Server console, or using a Remote
Desktop connection.

Tasks Detailed steps

 Perform the following steps on the Florence computer.

1. On the Florence a. On the Florence computer, in the ISA Server console, in the
computer, add the left pane, expand Enterprise, and then select
Denver computer Enterprise Policies.
(10.1.1.5) to the b. In the task pane, on the Toolbox tab, in the Network Objects
Enterprise Remote section, expand Computer Sets.
Management
c. Right-click Enterprise Remote Management Computers,
Computers computer
and then click Properties.
set.
d. In the Enterprise Remote Management Computers Properties
dialog box, click Add, and then click Computer.
e. In the New Computer Rule Element dialog box, complete the
following information:
Name: Denver
Computer IP Address: 10.1.1.5
and then click OK.
f. Click OK to close the Enterprise Remote Management
Computers Properties dialog box.
2. For the ITALY array, a. In the left pane, select Firewall Policy (ITALY).
examine the Remote b. In the task pane, on the Toolbox tab, in the Network Objects
Management section, expand Computer Sets.
Computers computer
c. Right-click Enterprise Remote Management Computers,
set.
and then click Properties.
d. Click Cancel to close the Enterprise Remote Management
Computers Properties dialog box.
e. Right-click Remote Management Computers, and then click
Properties.
f. Click Cancel to close the Remote Management Computers
Properties dialog box.
3. Examine the system a. In the task pane, on the Tasks tab, click
policy rules that are Show System Policy Rules.
used by the remote b. In the System Policy Rules list, select system policy rule 2.
management
c. In the task pane, on the Tasks tab, click
computers:
Hide System Policy Rules.
System policy rules:
2 - 3 - 4 - 11 - 20 - 32

4. Use System properties a. On the Start menu, click Control Panel, and then click
to enable remote System.
desktop. b. In the System Properties dialog box, on the Remote tab, in
the Remote Desktop box, select Enable Remote Desktop
on this computer.
c. Click OK to acknowledge that remote connection accounts
must have passwords, and that the correct port must be open
for remote connections.
d. Click OK to close the System Properties dialog box.
5. Create a new user a. On the Start menu, click Administrative Tools, and then click
account. Computer Management.
b. In the Computer Management console, in the left pane,
Name: David expand Local Users and Groups, and then select Users.
c. Right-click Users, and then click New User.
Password: Password2
Change password at d. In the New User dialog box, complete the following
next logon: disable information:
User name: David
Member of: Password: Password2
Remote Desktop User Confirm password: Password2
s User must change password at next logon: disable
and then click Create.
e. Click Close to close the New User dialog box.
f. Right-click David, and then click Properties.
g. In the David Properties dialog box, on the Member Of tab,
click Add.
h. In the Select Groups dialog box, type
Remote Desktop Users, and then click OK.
i. Click OK to close the David Properties dialog box.
j. Close the Computer Management console.
 Perform the following steps on the Firenze computer.

6. On the Firenze a. On the Firenze computer, on the Start menu, click


computer, create a new Administrative Tools, and then click
(mirrored) user account. Computer Management.
b. In the Computer Management console, in the left pane,
Name: David expand Local Users and Groups, and then select Users.
c. Right-click Users, and then click New User.
Password: Password2
Change password at d. In the New User dialog box, complete the following
next logon: disable information:
User name: David
Password: Password2
Confirm password: Password2
User must change password at next logon: disable
and then click Create.
e. Click Close to close the New User dialog box.
f. Close the Computer Management console.
 Perform the following steps on the Florence computer.

7. On the Florence a. On the Florence computer, in the ISA Server console, in the
computer, assign array left pane, right-click ITALY, and then click Properties.
administrative roles: b. In the ITALY Properties dialog box, on the Assign Roles tab,
click the top Add button.
Array Administrator:
c. In the Administration Delegation dialog box, complete the
FLORENCE\David
following information:
Group or User: FLORENCE\David
Mirrored monitor
account: Role: ISA Server Array Administrator
David and then click OK.
d. Click OK to acknowledge that you must assign this role to the
mirrored account.
e. Click the bottom Add button.
f. In the Administration Delegation dialog box, complete the
following information:
Group or User: David
Role: ISA Server Array Administrator

78 de 106
and then click OK.
g. Click OK to close the ITALY Properties dialog box.
8. Examine the enterprise a. In the left pane, right-click Enterprise, and then click
administrative roles. Properties.
b. In the Enterprise Properties dialog box, select the
Assign Roles tab.
c. Click Cancel to close the Enterprise Properties dialog box.
9. Start the Array Status a. Use Windows Explorer (or My Computer) to open the
Monitor to quickly see C:\Tools\Status folder.
the current CSS status. b. In the Status folder, right-click ArrayStatus.hta, and then click
Open.
File:
c. Close the Status folder.
C:\Tools\Status\
ArrayStatus.hta

10. Apply the changes. a. Click Apply to save the changes, and then click OK. Use the
Array Status Monitor to wait until the CSS status is Synced.
 Perform the following steps on the Denver computer.

11. On the Denver computer, use the ISA Server console to connect to ITALY.
   CSS: Florence
   CSS credentials: David / Password2
   Monitor credentials: David / Password2
   a. On the Denver computer, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.
   b. In the ISA Server console, in the left pane, select Microsoft Internet Security and Acceleration Server 2006, and then in the task pane, on the Tasks tab, click Connect to Configuration Storage Server.
   c. In the Configuration Storage Server Connection Wizard dialog box, click Next.
   d. On the Configuration Storage Server Location page, in the On remote computer (remote management) text box, type Florence, and then click Next.
   e. On the Configuration Storage Server Credentials page, complete the following information:
      Credentials of the following user: enable
      User name: David
      Password: Password2
      and then click Next.
   f. On the Array Connection Credentials page, select The same credentials used to connect to the Configuration Storage Server, and then click Next.
   g. On the Completing the Connection Wizard page, click Finish.
12. Attempt to create a new enterprise policy.
   a. In the ISA Server console, in the left pane, expand Enterprise.
   b. Right-click Enterprise Policies, click New, and then click Enterprise Policy.
   c. Click OK to acknowledge that you do not have the necessary permissions.
13. Examine the services information for the array members.
   a. In the left pane, expand Arrays.
   b. Expand ITALY, and then select Monitoring.
   c. In the right pane, select the Services tab.
14. Disconnect from the enterprise, and close the ISA Server console.
   a. In the left pane, select Microsoft Internet Security and Acceleration Server 2006.
   b. In the task pane, on the Tasks tab, click Disconnect from Enterprise.
   c. Click Yes to confirm that you want to disconnect from the enterprise.
   d. Close the ISA Server console.
15. Create a remote desktop connection to Florence.
   Log on:
   - User name: David
   - Password: Password2
   a. On the Start menu, click All Programs, click Accessories, click Communications, and then click Remote Desktop Connection.
   b. In the Remote Desktop Connection dialog box, in the Computer text box, type Florence, and then click Connect.
   c. In the Log On to Windows dialog box, complete the following information:
      User name: David
      Password: Password2
      and then click OK.
16. Use the ISA Server console to examine the permissions of David.
   a. On the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.
   b. In the ISA Server console, expand Arrays.
   c. Expand ITALY, and then select Monitoring.
   d. In the right pane, select the Services tab.
   e. Close the ISA Server console.
17. Log off from the remote desktop connection.
   a. On the Start menu, click Log Off.
   b. Click Log Off to confirm that you want to log off.
 Perform the following steps on the Florence computer.

18. On the Florence computer, use System properties to disable remote desktop.
   a. On the Florence computer, on the Start menu, click Control Panel, and then click System.
   b. In the System Properties dialog box, on the Remote tab, in the Remote Desktop box, CLEAR the Enable Remote Desktop on this computer check box.
   c. Click OK to close the System Properties dialog box.

Exercise 3: Working with Configuration Storage Servers (Optional)
In this exercise, you will examine details on how ISA Server uses a Configuration Storage server (CSS) to save configuration data.

 Perform the following steps on the Florence computer.

1. On the Florence computer, examine the Configuration Storage server (CSS) settings.
   a. On the Florence computer, in the ISA Server console, in the left pane, right-click ITALY, and then click Properties.
   b. In the ITALY Properties dialog box, select the Configuration Storage tab.
   c. Open the Check the Configuration Storage server for updates every list box.
   d. Close the Check the Configuration Storage server for updates every list box.
   e. Click Cancel to close the ITALY Properties dialog box.
2. In the ISA Server installation folder, examine the ChangeStorageServer.vbs script.
   a. Open a Command Prompt window.
   b. At the command prompt, type cd \Program Files\Microsoft ISA Server, and then press Enter.
   c. Type cscript.exe ChangeStorageServer.vbs /?, and then press Enter.
   d. Do not close the Command Prompt window.
3. In the Services console, examine the ISASTGCTRL service.
   a. On the Start menu, click Administrative Tools, and then click Services.
   b. In the Services console, right-click ISASTGCTRL, and then click Properties.
   c. Click Cancel to close the ISASTGCTRL Properties (Local Computer) dialog box.
   d. Close the Services console.
4. In the Event Viewer console, examine the ADAM (ISASTGCTRL) log.
   a. On the Start menu, click Administrative Tools, and then click Event Viewer.
   b. In the Event Viewer console, in the left pane, select ADAM (ISASTGCTRL).
   c. Close the Event Viewer console.
5. Examine the CSS authentication setting.
   a. In the ISA Server console, in the left pane, right-click ITALY, and then click Properties.
   b. In the ITALY Properties dialog box, on the Configuration Storage tab, click Select.
   c. Click Cancel to close the Select Authentication Type dialog box.
   d. Click Cancel to close the ITALY Properties dialog box.
6. In the ISA Server installation folder, examine ISACertTool.exe.
   a. In a Command Prompt window, in the C:\Program Files\Microsoft ISA Server folder, type isacerttool.exe /?, and then press Enter.
   b. Do not close the Command Prompt window.
7. Use the Certificates console to examine the Web server certificate for the ISASTGCTRL service account.
   a. On the Start menu, click Run.
   b. In the Run dialog box, type mmc.exe, and then click OK.
   c. In the Console1 window, on the File menu, click Add/Remove Snap-in.
   d. In the Add/Remove Snap-in dialog box, click Add.
   e. In the Add Standalone Snap-in dialog box, select Certificates, and then click Add.
   f. In the Certificates snap-in dialog box, select Service account, and then click Next.
   g. In the Select Computer dialog box, select Local computer, and then click Next.
   h. In the Certificates snap-in dialog box, in the Service account list box, select ISASTGCTRL, and then click Finish.
   i. Click Close to close the Add Standalone Snap-in dialog box.
   j. Click OK to close the Add/Remove Snap-in dialog box.
   k. Maximize the Console Root window.
   l. In the left pane, expand Certificates - Service (ISASTGCTRL), expand ADAM_ISASTGCTRL\Personal, and then select Certificates.
   m. In the right pane, right-click the Florence certificate, and then click Open.
   n. Click OK to close the Certificate dialog box.
   o. Close the Console1 window. Click No to confirm that you do not want to save console settings to Console1.
8. Use the dsdbutil tool to examine the LDAP ports used by CSS.
   a. On the Start menu, click All Programs, click ADAM, and then click ADAM Tools Command Prompt.
   b. At the command prompt, type dsdbutil, and then press Enter.
   c. At the dsdbutil: prompt, type list instances, and then press Enter.
   d. At the dsdbutil: prompt, type quit, and then press Enter.
9. Use the ldp tool to check the LDAP SSL connection to CSS.
   a. At the command prompt, type ldp, and then press Enter.
   b. In the Ldp window, on the Connection menu, click Connect.
   c. In the Connect dialog box, complete the following information:
      Server: Florence
      Port: 2172
      Connectionless: disable (is default)
      SSL: enable
      and then click OK.
   d. Close the Ldp window.
10. Use the dsmgmt tool to examine the CSS ADAM naming contexts.
   a. At the command prompt, type dsmgmt, and then press Enter.
   b. At the dsmgmt: prompt, type partition management, and then press Enter.
   c. At the partition management: prompt, type connections, and then press Enter.
   d. At the server connections: prompt, type connect to server Florence:2171, and then press Enter.
   e. At the server connections: prompt, type quit, and then press Enter.
   f. At the partition management: prompt, type list, and then press Enter.
   g. At the partition management: prompt, type quit, and then press Enter.
   h. At the dsmgmt: prompt, type quit, and then press Enter.
   i. Close the ADAM Tools Command Prompt window.
11. Use the ADAM ADSI Edit console to examine the ADAM site replication configuration.
   Connections to [Florence:2171]:
   - Configuration
   - CN=FPC2
   a. On the Start menu, click All Programs, click ADAM, and then click ADAM ADSI Edit.
   b. In the ADAM-adsiedit window, on the Action menu, click Connect to.
   c. In the Connection Settings dialog box, complete the following information:
      Connection name: Configuration
      Server name: Florence
      Port: 2171
      Well-known naming context: Configuration
      and then click OK.
   d. On the Action menu, click Connect to again.
   e. In the Connection Settings dialog box, complete the following information:
      Connection name: Enterprise Data
      Server name: Florence
      Port: 2171
      Distinguished name (DN) or naming context: CN=FPC2
      and then click OK.
   f. In the left pane, expand Configuration [Florence:2171], expand CN=Configuration, CN={...}, expand CN=Sites, expand CN=Default-First-Site-Name, and then select CN=Servers.
   g. In the left pane, select CN=Default-First-Site-Name, and then in the right pane, right-click CN=NTDS Site Settings, and click Schedule.
   h. Click Cancel to close the Schedule dialog box.
   i. In the left pane, expand CN=Inter Site Transports, and then select CN=IP.
   j. In the right pane, right-click CN=DEFAULTIPSITELINK, and then click Properties.
   k. In the CN=DEFAULTIPSITELINK Properties dialog box, in the Attributes list, select replInterval.
   l. Click Cancel to close the CN=DEFAULTIPSITELINK Properties dialog box.
   m. In the left pane, expand Enterprise Data [Florence:2171], expand CN=FPC2, expand CN=Array-Root, expand CN=Arrays, and then select the first CN={...}.
   n. Close the ADAM-adsiedit window.
12. In the ISA Server installation folder, examine AdamSites.exe.
   a. In a Command Prompt window, in the C:\Program Files\Microsoft ISA Server folder, type adamsites.exe /?, and then press Enter.
   b. At the command prompt, type adamsites.exe sites, and then press Enter.
   c. At the command prompt, type adamsites.exe sitelinks, and then press Enter.
   d. Close the Command Prompt window.
13. Examine the protocol definitions related to CSS:
   - MS Firewall Storage
   - MS Firewall Storage Replication
   - MS Firewall Storage Server
   a. In the ISA Server console, in the left pane, select Firewall Policy (ITALY).
   b. In the task pane, on the Toolbox tab, in the Protocols section, expand All Protocols.
   c. In the list of protocols, right-click MS Firewall Storage, and then click Properties.
   d. In the MS Firewall Storage Properties dialog box, select the Parameters tab.
   e. Click Cancel to close the MS Firewall Storage Properties dialog box.
Module H: Configuring Load Balancing

Exercise 1: Configuring Network Load Balancing (NLB)

In this exercise, you will configure ISA Server to use NLB for load balanced and fault tolerant outbound and inbound access.

 Perform the following steps on the Florence computer.

1. On the Florence computer, examine the current configuration of the Internal Connection network adapter, before NLB is enabled.
   a. On the Florence computer, on the Start menu, click Control Panel, click Network Connections, right-click Internal Connection, and then click Properties.
   b. Click Cancel to close the Internal Connection Properties dialog box.
2. In the ISA Server console, enable NLB integration, and enable NLB on the Internal network.
   Primary Virtual IP address: 10.1.1.3
   Subnet mask: 255.255.255.0
   a. On the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.
   b. In the ISA Server console, expand Arrays, expand ITALY, expand Configuration, and then in the left pane, select Networks.
   c. In the right pane, select the Networks tab.
   d. In the task pane, on the Tasks tab, click Enable Network Load Balancing Integration.
   e. In the Network Load Balancing Wizard dialog box, click Next.
   f. On the Select Load Balanced Networks page, select Internal, and then click Set Virtual IP.
   g. In the Set Virtual IP Addresses dialog box, complete the following information:
      Primary VIP: 10.1.1.3
      Subnet mask: 255.255.255.0
      and then click OK.
   h. On the Select Load Balanced Networks page, click Next.
   i. On the Completing the Network Load Balancing Integration Wizard page, click Finish.
   j. Click OK to close the message box.
   k. In the left pane, right-click ITALY, and then click Properties.
   l. In the ITALY Properties dialog box, select the Configuration Storage tab.
   m. Click Cancel to close the ITALY Properties dialog box.
3. Examine the NLB and CARP configuration on the Internal network.
   a. In the left pane, select Networks, and in the right pane, on the Networks tab, right-click Internal, and then click Properties.
   b. In the Internal Properties dialog box, select the NLB tab.
   c. Select the CARP tab, and ensure that CARP is NOT enabled on this network.
   d. Click OK to close the Internal Properties dialog box.
4. Examine the status of the Network Load Balancing service on the Monitoring/Services tab.
   a. In the left pane, select Monitoring, and then in the right pane, select the Services tab.
   b. Do NOT click Apply yet to save the changes.
5. Start the Array Status Monitor to quickly see the current CSS status and NLB status.
   File: C:\Tools\Status\ArrayStatus.hta
   a. Use Windows Explorer (or My Computer) to open the C:\Tools\Status folder.
   b. In the Status folder, right-click ArrayStatus.hta, and then click Open.
   c. Close the Status folder.

6. Apply the changes and restart the Firewall service.
   a. In the ISA Server console, click Apply to save the changes.
   b. In the ISA Server Warning dialog box, CHANGE the current selection, and select Save the changes and restart the services, and then click OK.
   c. Click OK to close the Saving Configuration Changes dialog box.
   d. Use the Array Status Monitor to wait until the CSS status is Synced, and the NLB status is Running. This may take 5 to 10 minutes.

7. Examine the NLB host IDs, and the network used for intra-array communication.
   a. In the left pane, select Servers.
   b. In the right pane, right-click Florence, and then click Properties.
   c. In the Florence Properties dialog box, select the Communication tab.
   d. Click Cancel to close the Florence Properties dialog box.
8. Delete all existing Web publishing rules and Server publishing rules.
   a. In the left pane, select Firewall Policy (ITALY).
   b. In the right pane, in the Firewall Policy Rules list, for each Server publishing rule, right-click the rule, click Delete, and then click OK to confirm that you want to delete the rule.
   c. For each Web publishing rule, right-click the rule, click Delete, and then click OK to confirm that you want to delete the rule.
9. Create a new access rule.
   Name: Allow Web access (NLB)
   Applies to: HTTP
   From network: Internal
   To network: External
   a. In the right pane, select the first rule in the Firewall Policy Rules list, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.
   b. In the task pane, on the Tasks tab, click Create Access Rule.
   c. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow Web access (NLB), and then click Next.
   d. On the Rule Action page, select Allow, and then click Next.
   e. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.
   f. In the Add Protocols dialog box, click Common Protocols, click HTTP, and click Add, and then click Close to close the Add Protocols dialog box.
   g. On the Protocols page, click Next.
   h. On the Access Rule Sources page, click Add.
   i. In the Add Network Entities dialog box, click Networks, click Internal, click Add, and then click Close to close the Add Network Entities dialog box.
   j. On the Access Rule Sources page, click Next.
   k. On the Access Rule Destinations page, click Add.
   l. In the Add Network Entities dialog box, click Networks, click External, click Add, and then click Close to close the Add Network Entities dialog box.
   m. On the Access Rule Destinations page, click Next.
   n. On the User Sets page, click Next.
   o. On the Completing the New Access Rule Wizard page, click Finish.
10. After NLB integration is fully enabled, apply the changes.
   a. Before you apply the new rule, ensure that NLB integration is fully enabled on the ISA Server array. Wait until the CSS status is Synced, and the NLB status is Running.
   b. Click Apply to apply the new rule, and then click OK. Wait until the CSS status is Synced, and the NLB status is Running.
 Perform the following steps on the Denver computer.
11. On the Denver computer, connect to http://istanbul.fabrikam.com/web.asp.
   Use proxy server address: 10.1.1.1:8080 and 10.1.1.3:8080
   a. On the Denver computer, open Internet Explorer. In the Address box, type http://istanbul.fabrikam.com/web.asp, and then press Enter.
   b. On the Tools menu, click Internet Options.
   c. In the Internet Options dialog box, on the Connections tab, click LAN Settings.
   d. In the Local Area Network (LAN) Settings dialog box, complete the following information:
      Use a proxy server for your LAN: enable
      Address: 10.1.1.3
      Port: 8080
      Bypass proxy server for local addresses: enable
      and then click OK.
   e. Click OK to close the Internet Options dialog box.
   f. On the toolbar, click the Refresh button.
   g. Close Internet Explorer.
 Perform the following steps on the Firenze computer.
12. On the Firenze computer, stop, wait 10 seconds, and start the Microsoft Firewall service.
   a. On the Firenze computer, in a Command Prompt window, type net stop fwsrv, and then press Enter.
   b. Wait 10 seconds, and then type net start fwsrv, and press Enter.
   c. Close the Command Prompt window.
 Perform the following steps on the Florence computer.
13. On the Florence computer, enable NLB on the External network.
   Primary Virtual IP address: 39.1.1.3
   Subnet mask: 255.255.255.0
   a. On the Florence computer, in the ISA Server console, in the left pane, select Networks.
   b. In the task pane, on the Tasks tab, click Configure Load Balanced Networks.
   c. In the Network Load Balancing Wizard dialog box, click Next.
   d. On the Select Load Balanced Networks page, select External, and then click Set Virtual IP.
   e. In the Set Virtual IP Addresses dialog box, complete the following information:
      Primary VIP: 39.1.1.3
      Subnet mask: 255.255.255.0
      and then click OK.
   f. On the Select Load Balanced Networks page, click Next.
   g. On the Completing the Load Balanced Networks Wizard page, click Finish.
   h. Click Apply to apply the changes, and then click OK. Wait until the CSS status is Synced, and the NLB status is Running.
14. Refresh the ISA Server console, so that the new virtual IP address is shown in the user interface.
   a. In the left pane, right-click Firewall Policy (ITALY), and then click Refresh.
15. Create a new Web listener.
   Name: External Web 80 NLB
   SSL: disable
   Network: External - 39.1.1.3
   Compression: disable
   Authentication: none
   a. In the left pane, select Firewall Policy (ITALY).
   b. In the task pane, on the Toolbox tab, in the Network Objects section, right-click Web Listeners, and then click New Web Listener.
   c. In the New Web Listener Definition Wizard dialog box, in the Web listener name text box, type External Web 80 NLB, and then click Next.
   d. On the Client Connection Security page, select Do not require SSL secured connections with clients, and then click Next.
   e. On the Web Listener IP Addresses page, select the External check box, and then click Select IP Addresses.
   f. In the External Network Listener IP Selection dialog box, select the Specified IP addresses option, and then in the Available IP Addresses list, select 39.1.1.3, and click Add.
   g. Click OK to close the External Network Listener IP Selection dialog box.
   h. On the Web Listener IP Addresses page, clear ISA Server will compress content, and then click Next.
   i. On the Authentication Settings page, in the drop-down list box, select No Authentication, and then click Next.
   j. On the Single Sign On Settings page, click Next.
   k. On the Completing the New Web Listener Wizard page, click Finish.

16. Create a Web publishing rule.
   Name: Web Home Page NLB
   Publishing type: single Web site
   Internal site name: denver.contoso.com
   Public name: shop.contoso.com
   Web listener: External Web 80 NLB
   Delegation: none
   a. In the right pane, select the first rule in the Firewall Policy Rules list to indicate where the new rule is added to the rule list.
   b. In the task pane, on the Tasks tab, click Publish Web Sites.
   c. In the New Web Publishing Rule Wizard dialog box, in the Web publishing rule name text box, type Web Home Page NLB, and then click Next.
   d. On the Select Rule Action page, select Allow, and then click Next.
   e. On the Publishing Type page, select Publish a single Web site, and then click Next.
   f. On the Server Connection Security page, select Use non-secured connections to connect to the published Web server, and then click Next.
   g. On the Internal Publishing Details page, complete the following information:
      Internal site name: denver.contoso.com
      Use a computer name or IP address: disable (is default)
      and then click Next.
   h. On the next Internal Publishing Details page, complete the following information:
      Path: (leave empty)
      Forward the original host header: disable (is default)
      and then click Next.
   i. On the Public Name Details page, complete the following information:
      Accept requests for: This domain name (type below):
      Public name: shop.contoso.com
      Path: (leave empty)
      and then click Next.
   j. On the Select Web Listener page, in the Web listener drop-down list box, select External Web 80 NLB, and then click Next.
   k. On the Authentication Delegation page, select No delegation, and client cannot authenticate directly, and then click Next.
   l. On the User Sets page, click Next.
   m. On the Completing the New Web Publishing Rule Wizard page, click Finish.
   n. Click Apply to apply the new rule, and then click OK. Wait until the CSS status is Synced, and the NLB status is Running.
 Perform the following steps on the Istanbul computer.
17. On the Istanbul computer, verify the IP address of shop.contoso.com, and then connect to http://shop.contoso.com/web.asp.
   a. On the Istanbul computer, open a Command Prompt window.
   b. At the command prompt, type ping shop.contoso.com, and press Enter.
   c. Open Internet Explorer. In the Address box, type http://shop.contoso.com/web.asp, and then press Enter.
   d. Close Internet Explorer.

Exercise 2: Examining Details on NLB

In this exercise, you will examine details on how ISA Server configures and controls the NLB driver to provide load balancing functionality for array members. You will also perform the steps needed to disable NLB integration on an array.

 Perform the following steps on the Florence computer.

1. On the Florence computer, use the nlb query command to see the current convergence state of the NLB cluster.
   a. On the Florence computer, in a Command Prompt window, type nlb query, and then press Enter.
2. Use the nlb queryport command to see the number of accepted and dropped network packets.
   a. At the command prompt, type nlb queryport 8080, and then press Enter.
 Perform the following steps on the Firenze computer.
3. On the Firenze computer, use the nlb queryport command to see the number of accepted and dropped network packets.
   a. On the Firenze computer, open a Command Prompt window.
   b. At the command prompt, type nlb queryport 8080, and then press Enter.
   c. Close the Command Prompt window.
 Perform the following steps on the Florence computer.
4. On the Florence computer, examine the configuration of the Internal Connection network adapter.
   a. On the Florence computer, on the Start menu, click Control Panel, click Network Connections, right-click Internal Connection, and then click Properties.
   b. In the Internal Connection Properties dialog box, select Network Load Balancing (do NOT clear the check box), and then click Properties.
   c. Select the Host Parameters tab.
   d. Select the Port Rules tab.
   e. Click CANCEL to close the Network Load Balancing Properties dialog box.
   f. Click Cancel to close the Internal Connection Properties dialog box.
   g. In a Command Prompt window, type ipconfig /all, and then press Enter.
 Perform the following steps on the Firenze computer.
5. On the Firenze computer, examine the configuration of the Internal Connection network adapter.
   a. On the Firenze computer, open a Command Prompt window.
   b. At the command prompt, type ipconfig /all, and then press Enter.
   c. Close the Command Prompt window.
 Perform the following steps on the Florence computer.
6. On the Florence computer, create a new access rule.
   Name: Allow Ping to firewall
   Applies to: PING
   From network: Internal
   To network: Local Host
   a. On the Florence computer, in the ISA Server console, in the left pane, select Firewall Policy.
   b. In the right pane, select the first rule in the Firewall Policy Rules list, to indicate where the new rule is added to the rule list.
   c. In the task pane, on the Tasks tab, click Create Access Rule.
   d. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow Ping to firewall, and then click Next.
   e. On the Rule Action page, select Allow, and then click Next.
   f. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.
   g. In the Add Protocols dialog box, click Common Protocols, click PING, and click Add, and then click Close to close the Add Protocols dialog box.
   h. On the Protocols page, click Next.
   i. On the Access Rule Sources page, click Add.
   j. In the Add Network Entities dialog box, click Networks, click Internal, click Add, and then click Close to close the Add Network Entities dialog box.
   k. On the Access Rule Sources page, click Next.
   l. On the Access Rule Destinations page, click Add.
   m. In the Add Network Entities dialog box, click Networks, click Local Host, click Add, and then click Close to close the Add Network Entities dialog box.
   n. On the Access Rule Destinations page, click Next.
   o. On the User Sets page, click Next.
   p. On the Completing the New Access Rule Wizard page, click Finish.
   q. Click Apply to apply the new rule, and then click OK. Wait until the CSS status is Synced, and the NLB status is Running.
 Perform the following steps on the Denver computer.
7. On the Denver computer, examine the MAC addresses used by 10.1.1.1, 10.1.1.2, and 10.1.1.3.
   a. On the Denver computer, open a Command Prompt window.
   b. At the command prompt, type ping 10.1.1.1, and then press Enter.
   c. Type ping 10.1.1.2, and then press Enter.
   d. Type ping 10.1.1.3, and then press Enter.
   e. Type arp -a, and then press Enter.
   f. Close the Command Prompt window.
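The point of the arp -a step above is that the MAC address a client resolves for an NLB virtual IP is not a real adapter address: Windows NLB derives the cluster MAC from the primary VIP (02-BF-w-x-y-z in unicast mode, 03-BF-w-x-y-z in multicast mode, 01-00-5E-7F-y-z in IGMP multicast mode, where w.x.y.z is the VIP), and in unicast mode the dedicated IP addresses of every array member resolve to that same cluster MAC because NLB replaces the adapter's own MAC. The following script is an added example, not part of the lab manual or of ISA Server; it parses a constructed arp -a dump (not captured from the lab) and checks whether each VIP resolves to the cluster MAC NLB should have derived from it, which is a quick way to confirm that NLB is actually active on that network rather than a single host answering for the VIP.

```python
"""Audit the MAC addresses that NLB virtual IPs resolve to in an `arp -a` dump.

Added example, not part of the lab manual. The arp output below is constructed
to look like what Denver would show after pinging 10.1.1.1, 10.1.1.2 and
10.1.1.3 while the ITALY array runs NLB in unicast mode.
"""
import ipaddress
import re

# Constructed sample of Windows `arp -a` output (not captured from the lab).
SAMPLE_ARP = """\
Interface: 10.1.1.10 --- 0x10003
  Internet Address      Physical Address      Type
  10.1.1.1              02-bf-0a-01-01-03     dynamic
  10.1.1.2              02-bf-0a-01-01-03     dynamic
  10.1.1.3              02-bf-0a-01-01-03     dynamic
  10.1.1.50             00-0c-29-4d-11-ab     dynamic
"""

# One arp -a entry: IPv4 address, dash-separated MAC, entry type.
ARP_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+(\w+)"
)


def parse_arp_table(text):
    """Return {ip: mac} (MAC lower-cased) for every IPv4 entry in arp -a output."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def expected_nlb_mac(vip, mode="unicast"):
    """Cluster MAC that Windows NLB derives from the primary VIP w.x.y.z:
    unicast 02-bf-w-x-y-z, multicast 03-bf-w-x-y-z, igmp 01-00-5e-7f-y-z."""
    octets = ipaddress.IPv4Address(vip).packed
    if mode == "unicast":
        raw = b"\x02\xbf" + octets
    elif mode == "multicast":
        raw = b"\x03\xbf" + octets
    elif mode == "igmp":
        raw = b"\x01\x00\x5e\x7f" + octets[2:]
    else:
        raise ValueError("unknown NLB mode: %r" % mode)
    return "-".join("%02x" % b for b in raw)


def classify_mac(mac):
    """Label a MAC as an NLB cluster address of a given mode, or as a physical MAC."""
    mac = mac.lower()
    if mac.startswith("02-bf-"):
        return "nlb-unicast"
    if mac.startswith("03-bf-"):
        return "nlb-multicast"
    if mac.startswith("01-00-5e-7f-"):
        return "nlb-igmp"
    return "physical"


def audit_nlb_vips(arp_text, vips):
    """For each VIP report the MAC seen, its class, and whether it is one of the
    cluster MACs NLB would derive from that VIP. A 'physical' MAC on a VIP means
    a single host owns the address and no load balancing is happening."""
    table = parse_arp_table(arp_text)
    report = {}
    for vip in vips:
        mac = table.get(vip)
        if mac is None:
            report[vip] = {"mac": None, "kind": "missing", "ok": False}
            continue
        expected = {expected_nlb_mac(vip, m) for m in ("unicast", "multicast", "igmp")}
        report[vip] = {"mac": mac, "kind": classify_mac(mac), "ok": mac in expected}
    return report


def hosts_sharing_cluster_mac(arp_text, vip):
    """IPs that resolve to the unicast cluster MAC of `vip`, sorted numerically.
    In unicast mode this lists the dedicated IPs of all array members plus the
    VIP; only the VIP (or nothing) suggests multicast mode or NLB not running."""
    cluster_mac = expected_nlb_mac(vip, "unicast")
    table = parse_arp_table(arp_text)
    hosts = [ip for ip, mac in table.items() if mac == cluster_mac]
    return sorted(hosts, key=ipaddress.IPv4Address)


if __name__ == "__main__":
    # Audit the lab's two VIPs against the constructed sample.
    for vip, result in audit_nlb_vips(SAMPLE_ARP, ["10.1.1.3", "39.1.1.3"]).items():
        print(vip, result)
    print("sharing 10.1.1.3 cluster MAC:", hosts_sharing_cluster_mac(SAMPLE_ARP, "10.1.1.3"))
```

To use it against the real Denver computer, redirect the command's output to a file (arp -a > arp.txt) and pass the file contents to audit_nlb_vips with the VIPs 10.1.1.3 and 39.1.1.3; 39.1.1.3 is on the External network, so it is expected to be absent from Denver's table and is reported as missing rather than as a failure of NLB.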
8. Connect to http://istanbul.fabrikam.com/web.asp.
   Use proxy server address: 10.1.1.3:8080 and use default gateway: 10.1.1.1.
   a. Open Internet Explorer. In the Address box, type http://istanbul.fabrikam.com/web.asp, and then press Enter.
   b. On the Tools menu, click Internet Options.
   c. In the Internet Options dialog box, on the Connections tab, click LAN Settings.
   d. In the Local Area Network (LAN) Settings dialog box, complete the following information:
      Use a proxy server for your LAN: disable
      and then click OK.
   e. Click OK to close the Internet Options dialog box.
   f. On the toolbar, click the Refresh button.
9. Change the default gateway from 10.1.1.1 to 10.1.1.3.
   a. In a Command Prompt window, type ipconfig, and then press Enter.
   b. On the Start menu, click Control Panel, click Network Connections, right-click Local Area Connection, and then click Properties.
   c. In the Local Area Connection Properties dialog box, select Internet Protocol (TCP/IP) (do NOT clear the check box), and then click Properties.
   d. In the Internet Protocol (TCP/IP) Properties dialog box, complete the following information:
      Default gateway: 10.1.1.3
      and then click OK.
   e. Click Close to close the Local Area Connection Properties dialog box.
   f. In the Command Prompt window, type ipconfig, and then press Enter.
   g. Close the Command Prompt window.
10. Connect to http://istanbul.fabrikam.com/reload.asp.
   Use default gateway: 10.1.1.3.
   a. In Internet Explorer, in the Address box, type http://istanbul.fabrikam.com/reload.asp, and then press Enter.
   b. Do not close Internet Explorer.

 Perform the following steps on the Florence computer.
11. On the Florence computer, use the ISA Server console to stop the Microsoft Firewall service on Firenze.
   a. On the Florence computer, in the ISA Server console, in the left pane, select Monitoring.
   b. In the right pane, on the Services tab, select the Microsoft Firewall service for Firenze.
   c. In the task pane, on the Tasks tab, click Stop Selected Service.
 Perform the following steps on the Denver computer.
12. On the Denver computer, wait until reload.asp is refreshed through Florence.
   a. On the Denver computer, in Internet Explorer, wait until reload.asp is refreshed through Florence (39.1.1.1), instead of Firenze (39.1.1.2).

 Perform the following steps on the Florence computer.


13. On the Florence computer, use the ISA Server console to start the Microsoft Firewall service on Firenze.
   a. On the Florence computer, in the ISA Server console, on the Services tab, select the Microsoft Firewall service for Firenze.
   b. In the task pane, on the Tasks tab, click Start Selected Service.
   c. Wait until the CSS status is Synced, and the NLB status is Running.
 Perform the following steps on the Denver computer.
14. On the Denver computer, examine the continuing refresh of reload.asp. Close and reopen Internet Explorer, and connect to http://istanbul.fabrikam.com/reload.asp.
   a. On the Denver computer, in Internet Explorer, notice that reload.asp continues to be refreshed through Florence (39.1.1.1).
   b. Close Internet Explorer.
   c. Open Internet Explorer again, and in the Address box, type http://istanbul.fabrikam.com/reload.asp.
   d. Close Internet Explorer.

 Perform the following steps on the Istanbul computer.


15. On the Istanbul computer, connect to http://shop.contoso.com/web.asp.
   a. On the Istanbul computer, open Internet Explorer. In the Address box, type http://shop.contoso.com/web.asp, and then press Enter.
   b. Do not close Internet Explorer.

 Perform the following steps on the Florence computer.


16. On the Florence computer, change the Web Home Page NLB rule.
   Requests appear to come from: original client
   a. On the Florence computer, in the ISA Server console, in the Firewall Policy Rules list, right-click Web Home Page NLB, and then click Properties.
   b. In the Web Home Page NLB Properties dialog box, on the To tab, select Requests appear to come from the original client, and then click OK.
   c. Click Apply to apply the new rule, and then click OK. Wait until the CSS status is Synced, and the NLB status is Running.
 Perform the following steps on the Istanbul computer.
17. On the Istanbul computer, refresh the connection to http://shop.contoso.com/web.asp.
   a. On the Istanbul computer, in Internet Explorer, on the toolbar, click the Refresh button.
   b. Close Internet Explorer.

 Perform the following steps on the Florence computer.

18. On the Florence computer, use the nlb params command and the C:\Tools\fwengmon /N command to examine the NLB bi-directional configuration.
   a. On the Florence computer, in a Command Prompt window, type nlb params 39.1.1.3, and then press Enter.
   b. At the command prompt, type nlb params 10.1.1.3, and then press Enter.
   c. Type cd \tools, and then press Enter.
   d. Type fwengmon /?, and then press Enter.
   e. Type fwengmon /N, and then press Enter.
   f. Type fwengmon /N > nlbrules.txt, and then press Enter.
   g. Type notepad nlbrules.txt, and then press Enter.
   h. In Notepad, on the Format menu, ensure that Word Wrap is disabled.
   i. Maximize the nlbrules.txt - Notepad window, if that is not done already.
   j. Close Notepad.
 Perform the following steps on the Denver computer.
19. On the Denver computer, connect to http://istanbul.fabrikam.com/web.asp.
    Use default gateway 10.1.1.3 (do not use a proxy server).
    a. On the Denver computer, open Internet Explorer.
    b. On the Tools menu, click Internet Options.
    c. In the Internet Options dialog box, on the Connections tab, click LAN Settings.
    d. Ensure that Internet Explorer is not configured to use a proxy server.
    e. Click OK to close the Local Area Network (LAN) Settings dialog box.
    f. Click OK to close the Internet Options dialog box.
    g. In the Address box, type http://istanbul.fabrikam.com/web.asp, and then press Enter.
20. Connect again to http://istanbul.fabrikam.com/web.asp.
    Use a proxy server: 10.1.1.3:8080
    a. On the Tools menu, click Internet Options.
    b. In the Internet Options dialog box, on the Connections tab, click LAN Settings.
    c. In the Local Area Network (LAN) Settings dialog box, complete the following information:
       Use a proxy server for your LAN: enable
       Address: 10.1.1.3
       Port: 8080
       Bypass proxy server for local addresses: enable
       and then click OK.
    d. Click OK to close the Internet Options dialog box.
    e. On the toolbar, click the Refresh button.

Perform the following steps on the Florence computer.
21. On the Florence computer, examine the warning message when attempting to disable NLB integration.
    a. On the Florence computer, in the ISA Server console, in the left pane, select Networks, and in the right pane, select the Networks tab.
    b. In the task pane, on the Tasks tab, click Disable Network Load Balancing Integration.
    c. Click CANCEL to indicate that you do NOT yet want to disable NLB integration.
22. Delete the firewall policy rules and rule elements that use the virtual IP addresses. (Step 1)
    Firewall policy rule: Web Home Page NLB
    Web listener: External Web 80 NLB
    a. In the left pane, select Firewall Policy (ITALY).
    b. In the right pane, in the Firewall Policy Rules list, right-click Web Home Page NLB, and then click Delete.
    c. Click Yes to confirm that you want to delete the Web Home Page NLB rule.
    d. In the task pane, on the Toolbox tab, in the Network Objects section, under Web Listeners, right-click External Web 80 NLB, and then click Delete.
    e. Click Yes to confirm that you want to delete the External Web 80 NLB Web listener.
23. Disable NLB on all networks. (Step 2)
    Networks: Internal, External
    a. In the left pane, select Networks, and in the right pane, select the Networks tab.
    b. In the task pane, on the Tasks tab, click Configure Load Balanced Networks.
    c. In the Network Load Balancing Wizard dialog box, click Next.
    d. On the Select Load Balanced Networks page, clear the check boxes of all networks, and then click Next.
    e. On the Completing the Load Balanced Networks Wizard page, click Finish.
24. Apply the changes. (Step 3)
    a. Click Apply to save the changes, and then click OK. Wait until the CSS status is Synced, and the NLB status is Not configured.
25. Use nlb query and ipconfig /all to examine the network configuration.
    a. In a Command Prompt window, type nlb query, and then press Enter.
    b. At the command prompt, type ipconfig /all, and then press Enter.
    c. Close the Command Prompt window.
26. Disable NLB integration. Apply the changes and restart the Firewall service. (Step 4)
    a. In the ISA Server console, in the left pane, select Networks, and in the right pane, select the Networks tab.
    b. In the task pane, on the Tasks tab, click Disable Network Load Balancing Integration.
    c. Click OK to confirm that you want to disable NLB integration.
    d. In the left pane, select Monitoring, and in the right pane, select the Services tab.
    e. Click Apply to save the changes.
    f. In the ISA Server Warning dialog box, CHANGE the current selection, select Save the changes and restart the services, and then click OK.
    g. Click OK to close the Saving Configuration Changes dialog box.
    h. Wait until the CSS status is Synced.

Perform the following steps on the Denver computer.
27. On the Denver computer, configure Internet Explorer to use proxy server 10.1.1.1:8080, and change the default gateway to 10.1.1.1.
    a. On the Denver computer, in Internet Explorer, on the Tools menu, click Internet Options.
    b. In the Internet Options dialog box, on the Connections tab, click LAN Settings.
    c. In the Local Area Network (LAN) Settings dialog box, complete the following information:
       Use a proxy server for your LAN: enable
       Address: 10.1.1.1
       Port: 8080
       Bypass proxy server for local addresses: enable
       and then click OK.
    d. Click OK to close the Internet Options dialog box.
    e. Close Internet Explorer.
    f. On the Start menu, click Control Panel, click Network Connections, right-click Local Area Connection, and then click Properties.
    g. In the Local Area Connection Properties dialog box, select Internet Protocol (TCP/IP) (do NOT clear the check box), and then click Properties.
    h. In the Internet Protocol (TCP/IP) Properties dialog box, complete the following information:
       Default gateway: 10.1.1.1
       and then click OK.
    i. Click Close to close the Local Area Connection Properties dialog box.

Exercise 3: Using CARP to Distribute Cache Content

In this exercise, you will configure ISA Server to use Cache Array Routing Protocol (CARP). When you enable CARP, the cache drives on all array members are treated as a single logical cache drive: each URL is hashed to exactly one array member, so an object is cached once in the array rather than once on every server, and every client that uses the same member list computes the same owner for a given URL.

You will also explore the CARP algorithm in the automatic configuration script that is used by Internet Explorer.

Perform the following steps on the Florence computer.
1. On the Florence computer, verify that ISA Server listens for Web Proxy client requests on the Internal network.
    a. On the Florence computer, in the ISA Server console, in the left pane, select Networks.
    b. In the right pane, on the Networks tab, right-click Internal, and then click Properties.
    c. In the Internal Properties dialog box, on the Web Proxy tab, ensure that Enable Web Proxy client connections on this network is enabled, and that HTTP port is 8080.
    d. Select the CARP tab. (Do NOT enable CARP.)
    e. Click OK to close the Internal Properties dialog box.
2. Create a new access rule.
    Name: Allow Web access (CARP)
    Applies to: HTTP
    From network: Internal
    To network: External
    a. In the left pane, select Firewall Policy (ITALY).
    b. In the right pane, select the first rule in the Firewall Policy Rules list, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.
    c. In the task pane, on the Tasks tab, click Create Access Rule.
    d. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow Web access (CARP), and then click Next.
    e. On the Rule Action page, select Allow, and then click Next.
    f. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.
    g. In the Add Protocols dialog box, click Common Protocols, click HTTP, click Add, and then click Close to close the Add Protocols dialog box.
    h. On the Protocols page, click Next.
    i. On the Access Rule Sources page, click Add.
    j. In the Add Network Entities dialog box, click Networks, click Internal, click Add, and then click Close to close the Add Network Entities dialog box.
    k. On the Access Rule Sources page, click Next.
    l. On the Access Rule Destinations page, click Add.
    m. In the Add Network Entities dialog box, click Networks, click External, click Add, and then click Close to close the Add Network Entities dialog box.
    n. On the Access Rule Destinations page, click Next.
    o. On the User Sets page, click Next.
    p. On the Completing the New Access Rule Wizard page, click Finish.
    q. Click Apply to apply the new rule, and then click OK. Wait until the CSS status is Synced.

Perform the following steps on the Denver computer.
3. On the Denver computer, connect to http://istanbul.fabrikam.com/web.asp.
    Use proxy server address 10.1.1.1:8080 (already configured), and then 10.1.1.2:8080.
    a. On the Denver computer, open Internet Explorer. In the Address box, type http://istanbul.fabrikam.com/web.asp, and then press Enter.
    b. On the Tools menu, click Internet Options.
    c. In the Internet Options dialog box, on the Connections tab, click LAN Settings.
    d. In the Local Area Network (LAN) Settings dialog box, complete the following information:
       Use a proxy server for your LAN: enable
       Address: 10.1.1.2
       Port: 8080
       Bypass proxy server for local addresses: enable
       and then click OK.
    e. Click OK to close the Internet Options dialog box.
    f. On the toolbar, click the Refresh button.

Perform the following steps on the Florence computer.
4. On the Florence computer, examine how caching, cache settings and cache rules are configured. (Step 1)
    No settings are changed in this task; each dialog box is closed with Cancel.
    a. On the Florence computer, in the ISA Server console, in the left pane, select Cache.
    b. In the right pane, on the Cache Drives tab, select Florence.
    c. In the task pane, on the Tasks tab, click Define Cache Drives (Enable Caching).
    d. Click Cancel to close the Florence Properties dialog box.
    e. Select the Cache Rules tab.
    f. In the task pane, on the Tasks tab, click Configure Cache Settings.
    g. In the Cache Settings dialog box, select the Advanced tab.
    h. Click Cancel to close the Cache Settings dialog box.
    i. In the right pane, right-click Default rule, and then click Properties.
    j. Click Cancel to close the Default rule Properties dialog box.
5. Create a new domain name set for CARP exceptions.
    Name: CARP Exception Web Sites
    Domain: download.contoso.com
    a. In the left pane, select Firewall Policy (ITALY).
    b. In the task pane, on the Toolbox tab, in the Network Objects section, right-click Domain Name Sets, and then click New Domain Name Set.
    c. In the New Domain Name Set Policy Element dialog box, in the Name text box, type CARP Exception Web Sites, and then click Add.
    d. In the New Domain text box, replace the text by typing download.contoso.com, and then press Enter.
    e. Click OK to close the New Domain Name Set Policy Element dialog box.
6. Enable CARP on the Internal network. Add the new domain name set as CARP exceptions. (Step 2)
    a. In the left pane, select Networks.
    b. In the right pane, on the Networks tab, right-click Internal, and then click Properties.
    c. In the Internal Properties dialog box, on the CARP tab, select Enable CARP on this network.
    d. In the CARP Exceptions box, click Add.
    e. In the Add Domain Name Sets dialog box, click CARP Exception Web Sites, click Add, and then click Close to close the Add Domain Name Sets dialog box.
    f. Select the NLB tab.
    g. Click OK to close the Internal Properties dialog box.
7. Configure a CARP load factor for each array member. (Step 3)
    In this lab the load factor is only examined on Florence; the default value is left unchanged.
    a. In the left pane, select Servers.
    b. In the right pane, right-click Florence, and then click Properties.
    c. In the Florence Properties dialog box, select the CARP tab.
8. Configure the network used for intra-array communication (Perimeter) to listen for Web Proxy client requests. (Step 4)
    a. In the Florence Properties dialog box, select the Communication tab.
    b. Click Cancel to close the Florence Properties dialog box.
    c. In the left pane, select Networks.
    d. In the right pane, on the Networks tab, right-click Perimeter, and then click Properties.
    e. In the Perimeter Properties dialog box, on the Web Proxy tab, complete the following information:
       Enable Web Proxy clients: enable
       Enable HTTP: enable (is default)
       HTTP port: 8080 (is default)
       Enable SSL: disable (is default)
       and then click OK.
9. Apply the changes.
    a. Click Apply to apply the changes, and then click OK. Wait until the CSS status is Synced.

Perform the following steps on the Denver computer.
10. On the Denver computer, refresh the Web page http://istanbul.fabrikam.com/web.asp.
    Use proxy server address: 10.1.1.2:8080
    a. On the Denver computer, in Internet Explorer, on the toolbar, click the Refresh button.

Perform the following steps on the Florence computer.
11. On the Florence computer, examine the URL of the CARP calculation script.
    a. On the Florence computer, in the ISA Server console, in the left pane, select Networks.
    b. In the right pane, on the Networks tab, right-click Internal, and then click Properties.
    c. In the Internal Properties dialog box, select the Firewall Client tab.
    d. Select the Web Browser tab.
    e. Click Cancel to close the Internal Properties dialog box.

Perform the following steps on the Denver computer.
12. On the Denver computer, configure Internet Explorer to use an automatic configuration script.
    Address: http://10.1.1.1:8080/array.dll?Get.Routing.Script
    a. On the Denver computer, in Internet Explorer, on the Tools menu, click Internet Options.
    b. In the Internet Options dialog box, on the Connections tab, click LAN Settings.
    c. In the Local Area Network (LAN) Settings dialog box, in the Automatic configuration box, complete the following information:
       Use automatic configuration script: enable
       Address: http://10.1.1.1:8080/array.dll?Get.Routing.Script
       and then click OK.
    d. Click OK to close the Internet Options dialog box.
13. Refresh the Web page http://istanbul.fabrikam.com/web.asp, and connect to http://ankara.fabrikam.com/web.asp.
    Use the configuration script.
    a. On the toolbar, click the Refresh button.
    b. In the Address box, type http://ankara.fabrikam.com/web.asp, and then press Enter.
    c. Close Internet Explorer.
14. Use Internet Explorer to save a copy of the configuration script to C:\Tools\array.Script.txt.
    a. Open Internet Explorer. In the Address box, type http://10.1.1.1:8080/array.dll?Get.Routing.Script, and then press Enter.
    b. In the File Download dialog box, click Save.
    c. In the Save As dialog box, browse to the C:\Tools folder, and then in the File name text box, type array.Script.txt, and click Save.
15. Examine the contents of C:\Tools\array.Script.txt in Notepad.
    a. Use Windows Explorer (or My Computer) to open the C:\Tools folder.
    b. In the Tools folder, right-click array.Script.txt, and then click Open.
    c. Scroll to the end of the script.
    d. Close Notepad.
    e. Close the Tools folder.
16. Use C:\Tools\carpdemo.js to calculate the selected proxy server for:
    istanbul.fabrikam.com/web.asp
    istanbul.fabrikam.com/<yourname>
    ankara.fabrikam.com
    izmir
    a. Open a Command Prompt window.
    b. At the command prompt, type cd \tools, and then press Enter.
    c. Type dir, and then press Enter.
    d. Type carpdemo istanbul.fabrikam.com/web.asp, and then press Enter.
    e. Click OK. Type carpdemo istanbul.fabrikam.com/yourname (replace yourname by your own name), and then press Enter.
    f. Click OK. Type carpdemo ankara.fabrikam.com, and then press Enter.
    g. Click OK. Type carpdemo izmir, and then press Enter.
    h. Click OK to close the CARP Routing Script demo message box.
    i. Close the Command Prompt window.

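The member selection that carpdemo.js and the array.dll routing script perform can be reproduced offline. The following is an added example; it is neither the lab's carpdemo.js nor the script that ISA Server generates. It implements client-side CARP member selection as published in the CARP draft (draft-vinod-carp-v1-03): a rotate-and-add hash of the URL and of each member name, a combined hash per member, and the member with the highest combined hash as owner. The array member names, the port and the sample URLs are constructed for the example, and the load-factor weighting from the draft (the per-member setting examined in task 7) is not applied, so all members count as equally loaded. ISA's generated script may differ in detail; comparing against the saved array.Script.txt from tasks 14 and 15 is the way to check.

```javascript
// Added example: client-side CARP member selection after the scheme in
// draft-vinod-carp-v1-03. Not ISA Server's routing script and not the
// lab's carpdemo.js. Member names, port and sample URLs are constructed.
// Load factors (section 3.3 of the draft) are not applied here.
"use strict";

// 32-bit left rotate on an unsigned value.
function rotl32(x, n) {
  return ((x << n) | (x >>> (32 - n))) >>> 0;
}

// Membership hash from the draft: h += rotl(h, 19) + char, modulo 2^32.
function carpHash(str) {
  let h = 0;
  for (let i = 0; i < str.length; i++) {
    h = (h + rotl32(h, 19) + str.charCodeAt(i)) >>> 0;
  }
  return h;
}

// The member proxy hash is additionally scrambled: h += h * 0x62531CFF.
// Math.imul keeps the multiplication in 32-bit integer arithmetic.
function memberHash(name) {
  const h = carpHash(name.toLowerCase());
  return (h + Math.imul(h, 0x62531CFF)) >>> 0;
}

// Scheme and host are case-insensitive, the path is not, so only the
// scheme://host part is lowercased before hashing. Assumption: URLs are
// of the form scheme://host[/path]; anything else is hashed as given.
function urlHash(url) {
  const m = /^([A-Za-z]+:\/\/[^/]+)(.*)$/.exec(url);
  const canonical = m ? m[1].toLowerCase() + m[2] : url;
  return carpHash(canonical);
}

// Combined hash from the draft: xor, scramble, rotate left by 21.
function combinedHash(uHash, mHash) {
  let c = (uHash ^ mHash) >>> 0;
  c = (c + Math.imul(c, 0x62531CFF)) >>> 0;
  return rotl32(c, 21);
}

// Rank the array members for a URL, highest combined hash first. Every
// client that runs this with the same member list gets the same order,
// which is what makes the array a single logical cache: one member owns
// each URL. Ties are broken by name so the order is fully deterministic.
function rankMembers(url, members) {
  const u = urlHash(url);
  return members
    .map((name) => ({ name, score: combinedHash(u, memberHash(name)) }))
    .sort((a, b) => b.score - a.score || (a.name < b.name ? -1 : 1))
    .map((e) => e.name);
}

// PAC-style result: the owning member first, the others as fallbacks, so
// a browser moves to the next member if the owner does not answer.
function findProxyForURL(url, members, port) {
  return rankMembers(url, members)
    .map((n) => "PROXY " + n + ":" + port)
    .join("; ");
}

// Constructed sample: two array members (stand-ins for the two ISA
// servers at 10.1.1.1 and 10.1.1.2 in the lab) and a few lab URLs.
const MEMBERS = ["isa1.contoso.test", "isa2.contoso.test"];
const SAMPLE_URLS = [
  "http://istanbul.fabrikam.com/web.asp",
  "http://istanbul.fabrikam.com/news.htm",
  "http://ankara.fabrikam.com/economy.htm",
];

for (const u of SAMPLE_URLS) {
  console.log(u + " -> " + findProxyForURL(u, MEMBERS, 8080));
}
```

Run it with node to print the member ranking for the sample URLs. Two properties matter operationally and can be checked with the functions above: the result depends only on the URL and the member list, so every client (and every array member forwarding to its peers) computes the same owner; and removing a member changes the owner only for the URLs that member owned, which is why one array member going down does not invalidate the cache held by the others.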
17. Configure Internet Explorer to use a proxy server.
    Address: 10.1.1.1:8080
    a. In Internet Explorer, on the Tools menu, click Internet Options.
    b. In the Internet Options dialog box, on the Connections tab, click LAN Settings.
    c. In the Local Area Network (LAN) Settings dialog box, complete the following information:
       Use automatic configuration script: disable
       Use a proxy server for your LAN: enable
       Address: 10.1.1.1
       Port: 8080
       Bypass proxy server for local addresses: enable
       and then click OK.
    d. Click OK to close the Internet Options dialog box.
    e. Close Internet Explorer.

Perform the following steps on the Florence computer.
18. On the Florence computer, disable CARP on the Internal network.
    a. On the Florence computer, in the ISA Server console, in the left pane, select Networks.
    b. In the right pane, on the Networks tab, right-click Internal, and then click Properties.
    c. In the Internal Properties dialog box, on the CARP tab, CLEAR the Enable CARP on this network check box.
    d. Click OK to close the Internal Properties dialog box.
    e. Click Apply to save the changes, and then click OK. Wait until the CSS status is Synced.

Exercise 4: Using CARP and Scheduled Content Download Jobs

In this exercise, you will configure ISA Server to use CARP and a content download job to update cache content.

Perform the following steps on the Florence computer.
1. On the Florence computer, examine the Microsoft ISA Server Job Scheduler service.
    a. On the Florence computer, on the Start menu, click Administrative Tools, and then click Services.
    b. In the Services console, select the Microsoft ISA Server Job Scheduler service (two services below Microsoft Firewall in the list).
    c. Close the Services console.
2. Configure the Local Host network to listen for Web Proxy client requests.
    a. In the ISA Server console, in the left pane, select Networks.
    b. In the right pane, on the Networks tab, right-click Local Host, and then click Properties.
    c. In the Local Host Properties dialog box, on the Web Proxy tab, complete the following information:
       Enable Web Proxy clients: enable
       Enable HTTP: enable (is default)
       HTTP port: 8080 (is default)
       Enable SSL: disable (is default)
       and then click OK.
3. Enable system policy rule 29 to allow HTTP from the Local Host network for content download jobs.
    a. In the left pane, select Firewall Policy (ITALY).
    b. In the task pane, on the Tasks tab, click Show System Policy Rules.
    c. In the right pane, right-click system policy rule 29, and then click Properties.
    d. Select the Users tab.
    e. Click Cancel to close the system policy rule 29 dialog box.
    f. Right-click system policy rule 29, and then click Edit System Policy.
    g. In the System Policy Editor dialog box, in the Configuration Groups list, ensure that Scheduled Download Jobs is selected, and then select the Enable check box.
    h. Click OK to close the System Policy Editor dialog box.
    i. In the task pane, on the Tasks tab, click Hide System Policy Rules.
4. Apply the changes.
    a. Click Apply to save the changes, and then click OK. Wait until the CSS status is Synced.
5. Create a new content download job.
    Name: Fabrikam News Site
    Download frequency: Daily at 7:00 AM
    URL: http://istanbul.fabrikam.com/news.htm
    a. In the left pane, select Cache, and then in the right pane, select the Content Download Jobs tab.
    b. In the task pane, on the Tasks tab, click Schedule a Content Download Job.
    c. In the New Content Download Job Wizard dialog box, in the Content Download Job name text box, type Fabrikam News Site, and then click Next.
    d. On the Download Frequency page, select Daily, and then click Next.
    e. On the Daily Frequency page, complete the following information:
       Job start date: today's date (is default)
       Job start time: 7:00 AM
       Run the job one time every day: enable (is default)
       and then click Next.
    f. On the Content Download page, in the Download content from this URL text box, type http://istanbul.fabrikam.com/news.htm, and then click Next.
    g. On the Content Caching page, click Next.
    h. On the Completing the Scheduled Content Download Job Wizard page, click Finish.
6. Examine the configuration status of the array servers.
    a. In the left pane, select Monitoring, and then in the right pane, select the Configuration tab.
    b. In the task pane, on the Tasks tab, click Refresh Now.
    c. Wait until the configuration status is Synced.
7. Edit the log viewer filter, and start the log viewer.
    Log Record Type: Web Proxy Filter
    a. Select the Logging tab.
    b. In the task pane, on the Tasks tab, click Edit Filter.
    c. In the Edit Filter dialog box, in the conditions list, select the existing Log Record Type condition.
    d. In the Value list box, select Web Proxy Filter, and then click Update.
    e. Click Start Query to close the Edit Filter dialog box.
8. Start the Fabrikam News Site content download job now.
    a. In the left pane, select Cache, and in the right pane, select the Content Download Jobs tab.
    b. In the right pane, select the Fabrikam News Site job.
    c. Scroll the contents of the right pane to the right, so that you can see the Status column.
    d. In the task pane, on the Tasks tab, click Start Selected Jobs Now.
    e. After a few seconds, on the Tasks tab, click Refresh Now.
9. Stop the log viewer, and examine the Web Proxy log entries.
    a. In the left pane, select Monitoring, and in the right pane, select the Logging tab.
    b. After a few seconds, in the task pane, on the Tasks tab, click Stop Query.
10. Enable CARP on the Local Host network.
    a. In the left pane, select Networks.
    b. In the right pane, on the Networks tab, right-click Local Host, and then click Properties.
    c. In the Local Host Properties dialog box, on the CARP tab, select Enable CARP on this network.
    d. Click OK to close the Local Host Properties dialog box.
    e. Click Apply to save the changes, and then click OK. Wait until the CSS status is Synced.

Perform the following steps on the Denver computer.
11. On the Denver computer, use C:\Tools\carpdemo.js to calculate the selected proxy server for:
    istanbul.fabrikam.com/news.htm
    ankara.fabrikam.com/economy.htm
    a. On the Denver computer, in a Command Prompt window, in the C:\Tools folder, type carpdemo istanbul.fabrikam.com/news.htm, and then press Enter.
    b. Click OK. Type carpdemo ankara.fabrikam.com/economy.htm, and then press Enter.
    c. Close the Command Prompt window.

Perform the following steps on the Florence computer.
12. On the Florence computer, start the log viewer.
    a. On the Florence computer, in the ISA Server console, in the left pane, select Monitoring, and in the right pane, select the Logging tab.
    b. In the task pane, on the Tasks tab, click Start Query.
13. Start the Fabrikam News Site content download job now.
    a. In the left pane, select Cache, and in the right pane, select the Content Download Jobs tab.
    b. In the right pane, select the Fabrikam News Site job.
    c. In the task pane, on the Tasks tab, click Start Selected Jobs Now.
    d. After a few seconds, on the Tasks tab, click Refresh Now.
14. Stop the log viewer, and examine the Web Proxy log entries.
    a. In the left pane, select Monitoring, and in the right pane, select the Logging tab.
    b. After a few seconds, in the task pane, on the Tasks tab, click Stop Query.
15. Edit the log viewer filter.
    Log Record Type: Firewall or Web Proxy Filter
    a. In the left pane, select Monitoring, and then in the right pane, select the Logging tab.
    b. In the task pane, on the Tasks tab, click Edit Filter.
    c. In the Edit Filter dialog box, in the conditions list, select the existing Log Record Type condition.
    d. In the Value list box, select Firewall or Web Proxy Filter, and then click Update.
    e. Click Start Query to close the Edit Filter dialog box.
    f. On the Tasks tab, click Stop Query.
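The log viewer queries in tasks 7 to 15 filter the same records that ISA Server writes to its text log files in W3C extended format. The following is an added example, not part of the lab and not ISA Server code: a parser for that format (a #Fields: directive naming the columns, one space-separated record per line, a lone - for an empty value) that answers the question behind tasks 9 and 14, namely which requests the download job made and whether each object came from the Internet or from the cache. The sample records are constructed, and the field names they use (c-ip, date, time, cs-uri, s-object-source, sc-status) and the 127.0.0.1 source address for the job's requests are assumptions made for the illustration; read the #Fields: line of a real log file rather than relying on this list.

```javascript
// Added example: parse W3C extended log records (the text format ISA
// Server uses for its log files) and summarize, per URL, where each
// object was served from. Not ISA Server code; the sample records below
// are constructed and their field names are assumed for the illustration.
"use strict";

// Split a W3C extended log into records keyed by the names in #Fields:.
// Directive lines start with '#'; values are space separated; '-' means
// no value. Returns an array of plain objects, one per record.
function parseW3C(text) {
  let fields = null;
  const records = [];
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (line === "") continue;
    if (line.startsWith("#")) {
      if (line.startsWith("#Fields:")) {
        fields = line.slice("#Fields:".length).trim().split(/\s+/);
      }
      continue; // other directives (#Software, #Version, #Date) carry no records
    }
    if (!fields) throw new Error("record before #Fields: directive");
    const values = line.split(/\s+/);
    if (values.length !== fields.length) {
      throw new Error("field count mismatch on line: " + line);
    }
    const rec = {};
    fields.forEach((name, i) => { rec[name] = values[i] === "-" ? "" : values[i]; });
    records.push(rec);
  }
  return records;
}

// Keep only records whose field `name` satisfies the predicate, the way
// the log viewer's Edit Filter dialog narrows a query.
function filterRecords(records, name, predicate) {
  return records.filter((r) => predicate(r[name] || ""));
}

// For each URL, count how often each s-object-source value occurred.
// Returns {url: {source: count}}.
function objectSourceByUrl(records) {
  const out = {};
  for (const r of records) {
    const url = r["cs-uri"];
    if (!url) continue;
    const src = r["s-object-source"] || "(none)";
    out[url] = out[url] || {};
    out[url][src] = (out[url][src] || 0) + 1;
  }
  return out;
}

// Constructed sample: two runs of a download job fetching news.htm (the
// first served from the Internet, the second from cache), one other page
// fetched by the job, one browser request that a filter on the client
// address should exclude, and one record with empty fields.
const SAMPLE_LOG = `
#Software: constructed sample
#Version: 2.0
#Fields: c-ip date time cs-uri s-object-source sc-status
127.0.0.1 2007-01-15 07:00:01 http://istanbul.fabrikam.com/news.htm Internet 200
127.0.0.1 2007-01-15 07:00:02 http://ankara.fabrikam.com/economy.htm Internet 200
127.0.0.1 2007-01-15 07:05:01 http://istanbul.fabrikam.com/news.htm Cache 200
10.1.1.50 2007-01-15 07:06:10 http://ankara.fabrikam.com/web.asp Internet 200
10.1.1.50 2007-01-15 07:06:11 - - 403
`;

// Summarize the download job's requests. Assumption for the sample: the
// job's requests are logged from the Local Host address 127.0.0.1.
function downloadJobSummary(logText) {
  const records = parseW3C(logText);
  const local = filterRecords(records, "c-ip", (ip) => ip === "127.0.0.1");
  return objectSourceByUrl(local);
}

console.log(JSON.stringify(downloadJobSummary(SAMPLE_LOG), null, 2));
```

A second run of the job that shows up with a cache source for a URL that was fetched from the Internet on the first run is the effect the lab has you look for in the Web Proxy log; with CARP enabled on the Local Host network (task 10), the array member that owns the URL is the one whose log holds the entry, so run the summary over each member's file.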
16. Delete the Fabrikam News Site content download job.
    a. In the left pane, select Cache.
    b. In the right pane, on the Content Download Jobs tab, right-click the Fabrikam News Site job, and then click Delete.
    c. Click Yes to confirm that you want to delete the Fabrikam News Site job.
    d. Wait until the CSS status is Synced.
17. Disable Web Proxy clients and CARP on the Local Host network.
    a. In the left pane, select Networks.
    b. In the right pane, on the Networks tab, right-click Local Host, and then click Properties.
    c. In the Local Host Properties dialog box, on the Web Proxy tab, CLEAR the Enable Web Proxy clients check box.
    d. On the CARP tab, CLEAR the Enable CARP on this network check box.
    e. Click OK to close the Local Host Properties dialog box.
18. Disable Web Proxy clients on the network used for intra-array communication (Perimeter).
    a. On the Networks tab, right-click Perimeter, and then click Properties.
    b. In the Perimeter Properties dialog box, on the Web Proxy tab, CLEAR the Enable Web Proxy clients check box.
    c. Click OK to close the Perimeter Properties dialog box.

19. Disable system policy rule 29.
    a. In the left pane, select Firewall Policy (ITALY).
    b. In the task pane, on the Tasks tab, click Show System Policy Rules.
    c. In the right pane, right-click system policy rule 29, and then click Edit System Policy.
    d. In the System Policy Editor dialog box, in the Configuration Groups list, ensure that Scheduled Download Jobs is selected, and then CLEAR the Enable check box.
    e. Click OK to close the System Policy Editor dialog box.
    f. In the task pane, on the Tasks tab, click Hide System Policy Rules.
20. Apply the changes.
    a. Click Apply to save the changes, and then click OK. Wait until the CSS status is Synced.

Module I: Using Monitoring, Alerting and Logging

Exercise 1: Monitoring the ISA Server

In this exercise, you will explore the monitoring functions of ISA Server.

Perform the following steps on the Paris computer.
1. On the Paris computer, examine the alert definition for the Service Shutdown event.
    a. On the Paris computer, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.
    b. In the ISA Server console, in the left pane, expand Paris, and then select Monitoring.
    c. In the right pane, select the Dashboard tab.
    d. Select the Alerts tab.
    e. In the task pane, on the Tasks tab, click Configure Alert Definitions.
    f. In the Alerts Properties dialog box, select the Service Shutdown line (do not clear the check box for Service Shutdown), and then click Edit.
    g. In the Service Shutdown Properties dialog box, select the Events tab.
    h. Select the Actions tab.
    i. Click Cancel to close the Service Shutdown Properties dialog box.
    j. Click Cancel to close the Alerts Properties dialog box.
2. Use the Services console to stop the Microsoft ISA Server Job Scheduler service, to simulate an unexpected shutdown of the service.
    a. On the Start menu, click Administrative Tools, and then click Services.
    b. In the Services console, in the right pane, right-click Microsoft ISA Server Job Scheduler service, and then click Stop.
    c. Close the Services console.
3. Examine how an alert shows up on the Alerts tab, and on the Dashboard tab.
    a. In the ISA Server console, on the Alerts tab, wait for 30 seconds for the new alert (Service Shutdown) to show up, or in the task pane, on the Tasks tab, click Refresh Now.
    b. Select the Dashboard tab. Wait for 30 seconds, or in the task pane, on the Tasks tab, click Refresh Now.
4. Investigate the Service Shutdown alert, and resolve the issue by starting the ISA Server Job Scheduler service on the Services tab.
    a. On the Dashboard tab, click the heading of the Alerts summary box to return to the Alerts tab.
    b. On the Alerts tab, select the Service Shutdown alert, and then expand the Service Shutdown alert.
    c. Select the second Service Shutdown alert line.
    d. In the task pane, on the Tasks tab, click Acknowledge Selected Alerts.
    e. Select the Services tab, and then in the task pane, on the Tasks tab, click Refresh Now.
    f. In the right pane, select Microsoft ISA Server Job Scheduler, and then in the task pane, on the Tasks tab, click Start Selected Service.
    g. On the Alerts tab, select the second acknowledged Service Shutdown alert line.
    h. In the task pane, on the Tasks tab, click Reset Selected Alerts.
    i. Click Yes to confirm that you want to reset Service Shutdown.
5. Examine the intrusion detection options.
    a. In the ISA Server console, in the left pane, expand Configuration, and then select General.
    b. In the right pane, click Enable Intrusion Detection and DNS Attack Detection.
    c. Click Cancel to close the dialog box.
6. Examine the performance monitoring options.
    a. On the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Performance Monitor.
    b. Close the ISA Server Performance Monitor console.
    c. If a message box appears, click No to confirm that you do not want to save console settings to msisaprf.msc.

Exercise 2: Checking Connectivity from the ISA Server

In this exercise, you will explore the connectivity checking functions of ISA Server.

Perform the following steps on the Paris computer.
1. On the Paris computer, create two new connectivity verifiers.
    Name: Istanbul (ping); Server: 39.1.1.7; Method: Ping
    Name: Istanbul (http); Server: 39.1.1.7; Method: HTTP "GET"
    a. On the Paris computer, in the ISA Server console, in the left pane, select Monitoring.
    b. In the right pane, select the Connectivity Verifiers tab.
    c. In the task pane, on the Tasks tab, click Create New Connectivity Verifier.
    d. In the New Connectivity Verifier Wizard dialog box, in the Connectivity Verifier name text box, type Istanbul (ping), and then click Next.
    e. On the Connectivity Verification Details page, complete the following information:
       Monitor connectivity to this server or URL: 39.1.1.7
       Group type used to categorize: Web (Internet)
       Verification method: Send a Ping request
       and then click Next.
    f. On the Completing the Connectivity Verifier Wizard page, click Finish.
    g. In the task pane, on the Tasks tab, click Create New Connectivity Verifier.
    h. In the New Connectivity Verifier Wizard dialog box, in the Connectivity Verifier name text box, type Istanbul (http), and then click Next.
    i. On the Connectivity Verification Details page, complete the following information:
       Monitor connectivity to this server or URL: 39.1.1.7
       Group type used to categorize: Web (Internet)
       Verification method: Send an HTTP "GET" request
       and then click Next.
    j. On the Completing the Connectivity Verifier Wizard page, click Finish.
    k. If the Enable HTTP Connectivity Verification message box appears, click Yes to confirm that a system policy rule is enabled.
2. Examine the system policy rules used by the connectivity verifiers.
    a. In the left pane, select Firewall Policy.
    b. In the task pane, on the Tasks tab, click Show System Policy Rules.
3. Apply the changes to save and activate the new connectivity verifiers.
    a. In the left pane, select Monitoring.
    b. In the right pane, click Apply to save the new connectivity verifiers, and then click OK.
4. Wait for the successful check of the two connectivity verifiers for Istanbul.
    a. On the Connectivity Verifiers tab, wait one minute, and then in the task pane, on the Tasks tab, click Refresh Now.

Perform the following steps on the Istanbul computer.
5. On the Istanbul computer, stop the Default Web Site to simulate a failure of the Web server.
    a. On the Istanbul computer, on the Start menu, click Administrative Tools, and then click Internet Information Services (IIS) Manager.
    b. In the IIS Manager console, expand ISTANBUL (local computer), expand Web Sites, right-click Default Web Site, and then click Stop.

Perform the following steps on the Paris computer.
6. On the Paris computer, wait for the failure state of the Istanbul (http) connectivity verifier.
    a. On the Paris computer, on the Connectivity Verifiers tab, wait one minute, and then in the task pane, on the Tasks tab, click Refresh Now.

Perform the following steps on the Istanbul computer.
7. On the Istanbul computer, start the Default Web Site again.
    a. On the Istanbul computer, in the IIS Manager console, right-click Default Web Site (Stopped), and then click Start.
    b. Close the IIS Manager console.

Perform the following steps on the Paris computer.
8. On the Paris computer, wait for the success state of the Istanbul (http) connectivity verifier.
    a. On the Paris computer, on the Connectivity Verifiers tab, wait one minute, and then in the task pane, on the Tasks tab, click Refresh Now.
9. Delete the two connectivity verifiers for Istanbul.
    a. Right-click the Istanbul (http) connectivity verifier, and then click Delete.
    b. Click Yes to confirm that you want to delete the connectivity verifier.
    c. Right-click the Istanbul (ping) connectivity verifier, and then click Delete.
    d. Click Yes to confirm that you want to delete the connectivity verifier.
    e. Click Apply to save the changes, and then click OK.

Exercise 3: Logging Client Computer Access

In this exercise, you will explore the logging functions of ISA Server.

Perform the following steps on the Paris computer.
1. On the Paris computer, find the location of the ISA Server log files.
   a. On the Paris computer, in the ISA Server console, in the left pane, select Monitoring, and then select the Logging tab.
   b. In the task pane, on the Tasks tab, click Configure Firewall Logging.
   c. In the Firewall Logging Properties dialog box, on the Log tab, click Options.
   d. Click Cancel to close the Options dialog box.
   e. Click Cancel to close the Firewall Logging Properties dialog box.
2. Start a new online log query.
   a. On the Logging tab, click Start Query.
3. Create a new access rule.
   Name: Allow Web access (logging test)
   Applies to: HTTP
   From network: Internal
   To network: External
   a. In the ISA Server console, in the left pane, select Firewall Policy.
   b. In the right pane, select the first rule, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.
   c. In the task pane, on the Tasks tab, click Create Access Rule.
   d. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow Web access (logging test), and then click Next.
   e. On the Rule Action page, select Allow, and then click Next.
   f. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.
   g. In the Add Protocols dialog box, click Common Protocols, click HTTP, and click Add, and then click Close to close the Add Protocols dialog box.
   h. On the Protocols page, click Next.
   i. On the Access Rule Sources page, click Add.
   j. In the Add Network Entities dialog box, click Networks, click Internal, and click Add, and then click Close to close the Add Network Entities dialog box.
   k. On the Access Rule Sources page, click Next.
   l. On the Access Rule Destinations page, click Add.
   m. In the Add Network Entities dialog box, click Networks, click External, and click Add, and then click Close to close the Add Network Entities dialog box.
   n. On the Access Rule Destinations page, click Next.
   o. On the User Sets page, click Next.
   p. On the Completing the New Access Rule Wizard page, click Finish.
   q. Click Apply to apply the new rule, and then click OK.
 Perform the following steps on the Denver computer.

4. On the Denver computer, use Internet Explorer to connect to http://istanbul.fabrikam.com.
   a. On the Denver computer, open Internet Explorer. In the Address box, type http://istanbul.fabrikam.com, and then press Enter.
 Perform the following steps on the Paris computer.
5. On the Paris computer, create a filter definition for online mode logging.
   Filter by: Destination IP
   Condition: Equals
   Value: 39.1.1.7
   a. On the Paris computer, in the ISA Server console, in the left pane, select Monitoring, and then select the Logging tab.
   b. In the task pane, on the Tasks tab, click Edit Filter.
   c. In the Edit Filter dialog box, complete the following information:
      Filter by: Destination IP
      Condition: Equals
      Value: 39.1.1.7
      and then click Add To List to add the filter definition.
   d. Click Start Query to close the Edit Filter dialog box.

 Perform the following steps on the Denver computer.


6. On the Denver computer, refresh the content of the Web page at http://istanbul.fabrikam.com twice.
   - First press Ctrl-F5 (Ctrl-Refresh).
   - Then press F5 (Refresh).
   a. On the Denver computer, in Internet Explorer, ensure that the http://istanbul.fabrikam.com Web page is opened.
   b. Hold the Ctrl key, and click the Refresh button on the toolbar, to refresh the content of the Web page, regardless of any changes.
   c. Wait a few seconds, and then click the Refresh button on the toolbar (without the Ctrl key) to refresh the content of the Web page only when it has changed.
7. Attempt to open the non-existing Web page at http://istanbul.fabrikam.com/test.htm.
   a. In Internet Explorer, in the Address box, type http://istanbul.fabrikam.com/test.htm, and then press Enter.
   b. Close Internet Explorer.
 Perform the following steps on the Paris computer.
8. On the Paris computer, view the online mode logging records for destination IP 39.1.1.7.
   Add column: HTTP Status Code
   a. On the Paris computer, on the Logging tab, wait a few moments for the log file entries for destination IP 39.1.1.7 to appear on the screen.
   b. Right-click the Log Time heading, and then click Add/Remove Columns.
   c. In the Add/Remove Columns dialog box, in the Available columns list box, select HTTP Status Code, and then click Add ->.
   d. In the Displayed columns list, select HTTP Status Code, and then click Move Up, until HTTP Status Code is just after HTTP Method.
   e. Click OK to close the Add/Remove Columns dialog box.
9. Remove the online filter definition, and stop the query.
   a. In the task pane, on the Tasks tab, click Edit Filter.
   b. In the Edit Filter dialog box, select the Destination IP - Equals - 39.1.1.7 expression, and then click Remove.
   c. Click Start Query to close the Edit Filter dialog box.
   d. In the task pane, on the Tasks tab, click Stop Query.
   e. Click Apply to save the changes, and then click OK.
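The filter and status-code steps of this exercise (tasks 5 through 8), replayed offline as an added Python example that is not part of the lab manual: it reads a W3C-format log, keeps only the records whose destination IP equals 39.1.1.7, and lists their HTTP status codes the way the added column does. The log lines are constructed, and the ISA-style field names (r-ip, s-operation, sc-status) are assumed for the illustration.

```python
"""Offline replay of the logging exercise: filter W3C-format proxy log
records by destination IP and list the HTTP status code of each request.
Added example, not part of the lab manual. The log text is constructed
and the ISA-style field names in the #Fields: line are assumed."""
from collections import Counter

# Constructed sample log: two full refreshes (200), one conditional
# refresh of an unchanged page (304), one missing page (404), and one
# request to a different destination that the filter must drop.
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time c-ip r-ip s-operation cs-uri sc-status action
2008-01-01 10:00:01 10.1.1.10 39.1.1.7 GET http://istanbul.fabrikam.com/ 200 Allowed
2008-01-01 10:00:05 10.1.1.10 39.1.1.7 GET http://istanbul.fabrikam.com/ 200 Allowed
2008-01-01 10:00:09 10.1.1.10 39.1.1.7 GET http://istanbul.fabrikam.com/ 304 Allowed
2008-01-01 10:00:15 10.1.1.10 39.1.1.7 GET http://istanbul.fabrikam.com/test.htm 404 Allowed
2008-01-01 10:00:20 10.1.1.10 39.1.1.9 GET http://other.example/ 200 Allowed
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields: line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # field names follow the directive
        elif line.startswith("#") or not line.strip():
            continue                           # other directives and blank lines
        elif fields:
            yield dict(zip(fields, line.split()))


def filter_by_destination(text, dest_ip):
    """The Edit Filter step: Destination IP - Equals - dest_ip."""
    return [r for r in parse_w3c(text) if r.get("r-ip") == dest_ip]


def status_summary(records):
    """The HTTP Status Code column: (method, URI, status) rows plus counts."""
    rows = [(r["s-operation"], r["cs-uri"], int(r["sc-status"])) for r in records]
    return rows, Counter(status for _, _, status in rows)


if __name__ == "__main__":
    rows, counts = status_summary(filter_by_destination(SAMPLE_LOG, "39.1.1.7"))
    for method, uri, status in rows:
        print(method, uri, status)
    print(dict(counts))                        # {200: 2, 304: 1, 404: 1}
```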
