How to do Web publishing in a single-network-card hosted environment: http://www.isaser.org/articles/2004ispcolo.html
Translation: szyoyo (jj96master@hotmail.com)

Based on the ISA 2004 firewall ISP-hosted configuration. The ISA firewall has a special configuration that I call the "ISP hosted" configuration. I described this configuration for the ISA Server 2000 firewall in an earlier article, Configuring an ISP Hosted Web/SMTP/ISA Server. I call it the ISP hosted configuration because in an ISP hosting (colocation) environment you usually cannot install multiple network cards in your server, so you have only a single network card on which to run the hosted Web, FTP and SMTP services.

This article shows how to build the single-network-card configuration on the ISA 2004 firewall. It is an interesting configuration because it determines whether the ISA 2004 firewall software can effectively protect publicly accessible resources located on the ISP-hosted machine itself. If you do this, I strongly recommend that you install no additional software on the ISA 2004 firewall host, because every extra program or service increases the opportunity for the firewall to be attacked. The ISP hosting deployment is, however, not an ideal one. Usually the ISP provides only basic packet filtering with a PIX or NetScreen, which filters only at the network layer; when strong application-layer inspection is needed, these devices fall short. You will appreciate the value of running the ISA 2004 firewall software on the hosted Web, FTP and SMTP host.

This ISP hosted configuration can also be applied elsewhere. Suppose, for example, that you want to add the powerful application-layer inspection of the ISA 2004 firewall to your network, but you must convince people who believe in "hardware" firewalls (see http://isaserver.org/articles/2004tales.html). A compromise is to deploy the ISA 2004 firewall on a DMZ segment between two "hardware" firewalls; the ISA 2004 firewall in the DMZ then provides real application-layer inspection.

The ISP hosted configuration uses a single physical network card and one "virtual" network card, the Microsoft Loopback adapter. The Loopback adapter is not a real physical network card, but you can assign IP address information to it just as you would to a physical card, and the ISA 2004 firewall treats the Loopback adapter as a physical interface on which you can publish services. Installing the virtual network card on the ISA 2004 firewall host "fools" ISA into acting in its full firewall role. You can install ISA 2004 on a host with a single network card, but you then lose many of the firewall's features, because the ISA 2004 firewall software assumes you only want it to run in Web proxy mode. When the Loopback adapter is installed, by contrast, the firewall software treats it as a real interface and can perform full application-layer inspection.
In this article we discuss the ISP hosted configuration. The lab deployment diagram for this article can be reproduced in a VMware or Virtual PC virtual network. You can test from a host on the same network segment as the ISA 2004 firewall's physical interface, and also from a host on the Internet side of the router.

The Loopback adapter is assigned the private address 10.0.0.1/24; note that this "internal" interface is given no DNS server and no default gateway. The ISA 2004 firewall's external interface has a real IP address and a default gateway. This matters, because the external IP address is the one that is published, and the default gateway is needed to reply to Internet hosts. The DNS server address should be a DNS server that resolves Internet host names, because the hosted ISA 2004 firewall/Web/FTP/SMTP server must resolve the MX records of Internet domains. (Note that the ISA 2004 SMTP Message Screener can also be used in this configuration.) If you plan to put the ISA 2004 firewall on a DMZ between two so-called "hardware" firewalls, I recommend that the DMZ segment and the back-end firewall have a routing relationship rather than NAT.

The configuration steps are:
● Install the Loopback adapter on the host and configure its IP address
● Install IIS, disable socket pooling, and bind the services to the IP address of the Loopback adapter
● Install the ISA 2004 firewall software
● Disable the Web proxy and Firewall client listeners on the internal interface
● Create the Web and Server Publishing Rules
● Create an outbound SMTP access rule from the Local Host network to the External network
● Test the configuration

Note: 98% of the articles on this site describe real installations and configurations; the remaining 2% are what I believe can be expressed in writing. These lab articles need to be borne out in practice, but I know that some people do not really test them in an actual environment. That is why I provide a lab deployment diagram in most articles, so that you can understand the configuration before doing it for real. I hope no one in the ISAserver.org community mistakenly thinks this article is just paper talk rather than a real case; I hope most of the articles I offer can withstand testing in real network environments.

● Install the Loopback adapter on the hosted ISA 2004 firewall host and configure its IP address information
After installing Windows Server 2003 on the single-network-card machine, install the Microsoft Loopback Adapter through the Add Hardware wizard in Control Panel:
1. On the ISA 2004 firewall host: Start -> Control Panel -> Add Hardware
2. Click Next
3. Is the hardware connected?: Yes, I have already connected the hardware -> Next
4. The following hardware is already installed on your computer: Add a new hardware device -> Next
5. The wizard can help you install other hardware: Install the hardware that I manually select from a list (Advanced) -> Next
6. From the list below, select the type of hardware you are installing: Network adapters -> Next
7. Select Network Adapter: Microsoft -> Microsoft Loopback Adapter -> Next
8. The wizard is ready to install your hardware -> Next
9. Completing the Add Hardware Wizard -> Finish
10. Right-click My Network Places -> Properties
11. Network Connections: right-click the Loopback adapter -> Properties
12. Properties: Internet Protocol (TCP/IP) -> Properties
13. Internet Protocol (TCP/IP) Properties: IP address: 10.0.0.1, Subnet mask: 255.255.255.0
14. OK

● Install IIS and disable socket pooling
First install the IIS services. In this example we need the IIS World Wide Web service (W3SVC, the WWW service), the FTP service and the SMTP service. You may be wondering about Microsoft Exchange and whether to install it on the same ISA 2004 firewall host. If you want an Exchange server protected by the ISA 2004 firewall, it should be placed behind the firewall, with special arrangements made with the hosting provider. Perform the following steps to install the IIS services on the ISA 2004 firewall host:
1. On the ISA host: Start -> Control Panel -> Add or Remove Programs
2. Add/Remove Windows Components
3. Windows Components: Application Server -> Details
4. Application Server: Internet Information Services (IIS) -> Details
5. IIS: check File Transfer Protocol (FTP) Service, SMTP Service and World Wide Web Service -> OK
6. Application Server -> OK
7. Windows Components -> Next
8. Insert Disk -> OK
9. Files Needed: enter the path to the Windows Server 2003 I386 folder -> OK
10. Completing the Windows Components Wizard -> Finish

Next, disable socket pooling for the IIS services. Socket pooling lets an IIS service listen on its port on all network interfaces, which is a performance optimization for dedicated IIS servers. For an IIS server running the ISA 2004 firewall software, however, socket pooling is fatal. To allow our Web and Server Publishing scenario on the ISA 2004 firewall, you must disable socket pooling before binding the services to the internal IP address (the address assigned to the Loopback adapter). Perform the following steps to disable socket pooling for the IIS WWW service:
1. Copy the Support\Tools folder from the Windows Server 2003 installation CD to the ISA host
2. Install Suptools.msi
3. Start -> Run -> cmd
4. Enter: httpcfg set iplisten -i 10.0.0.1 ; the command returns: HttpSetServiceConfiguration completed with 0
5. Enter: httpcfg query iplisten (to confirm that 10.0.0.1 is the only address in the listen list)

Now disable socket pooling for the IIS FTP service:
1. cmd -> net stop msftpsvc
2. Change to \Inetpub\AdminScripts and run: cscript adsutil.vbs set /MSFTPSVC/1/DisableSocketPooling 1
3. cmd -> net start msftpsvc

Disable socket pooling for the IIS SMTP service:
1. cmd -> net stop smtpsvc
2. Change to \Inetpub\AdminScripts and run: cscript adsutil.vbs set /SMTPSVC/1/DisableSocketPooling 1
3. cmd -> net start smtpsvc

Now bind the services to the internal IP address of the ISA 2004 firewall:
1. On the ISA server: Start -> Administrative Tools -> IIS Manager
2. Expand Web Sites -> Default Web Site -> Properties
3. Default Web Site Properties: in the IP address box select 10.0.0.1 -> Apply
4. Expand FTP Sites -> Default FTP Site -> Properties
5. IP address: 10.0.0.1
6. Default SMTP Virtual Server -> Properties
7. IP address: 10.0.0.1
8. Access -> Authentication
9. Authentication: check Integrated Windows Authentication. This option lets authenticated users relay mail through the published SMTP server. Note that this does not open an SMTP relay: unauthenticated users cannot relay through the SMTP server, and inbound mail addressed to the domains this server hosts does not require authentication, so SMTP servers on the Internet are never asked to authenticate. For example, you may provide store-and-forward hosting to your customers: you can use a remote domain to forward mail to their servers, and when their server is down your SMTP server queues the messages until their server is back to normal.
10. Apply -> OK
11. Restart IIS
12. Stop/Start/Restart: Restart Internet Services on <server name> -> OK
13. cmd -> netstat -na ; note that ports 21, 25 and 80 are listening on 10.0.0.1 rather than on 0.0.0.0, which shows that socket pooling is disabled for these services.

● Install the ISA 2004 firewall software
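The netstat check in step 13 is easy to misread on a busy server, so the following Python script, an added example that is not part of the original article, classifies each published port from the text of a netstat -na run. A port is "ok" when it listens only on the Loopback adapter address, "pooled" when it is still bound to 0.0.0.0 (socket pooling not disabled), "missing" when nothing listens, and "other" when it is bound elsewhere. The sample netstat output embedded here is constructed, not a real capture; on the ISA host you would feed it the real output of netstat -na.

```python
"""Check which local addresses the IIS services listen on, from `netstat -na` output."""
from typing import Dict, List

# Constructed sample of Windows `netstat -na` output (not a real capture):
# ports 21, 25 and 80 are bound to the Loopback adapter address only.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    10.0.0.1:21            0.0.0.0:0              LISTENING
  TCP    10.0.0.1:25            0.0.0.0:0              LISTENING
  TCP    10.0.0.1:80            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.70:139       0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
"""

# Constructed sample where socket pooling is still on for the WWW service
# and the SMTP service is not running.
SAMPLE_POOLED = """
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    10.0.0.1:21            0.0.0.0:0              LISTENING
"""

# Ports of the three published services (mapping constructed for this check).
SERVICE_PORTS = {21: "FTP (msftpsvc)", 25: "SMTP (smtpsvc)", 80: "WWW (w3svc)"}


def parse_tcp_listeners(netstat_output: str) -> Dict[int, List[str]]:
    """Return {port: [local addresses]} for every TCP socket in LISTENING state."""
    listeners: Dict[int, List[str]] = {}
    for line in netstat_output.splitlines():
        fields = line.split()
        # Data rows have exactly four columns: Proto, Local, Foreign, State.
        if len(fields) != 4 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        addr, _, port = fields[1].rpartition(":")
        listeners.setdefault(int(port), []).append(addr)
    return listeners


def check_bindings(netstat_output: str, expected_addr: str,
                   ports: Dict[int, str] = SERVICE_PORTS) -> Dict[int, str]:
    """Classify each service port as 'ok', 'pooled', 'missing' or 'other'."""
    listeners = parse_tcp_listeners(netstat_output)
    result: Dict[int, str] = {}
    for port in ports:
        addrs = listeners.get(port, [])
        if not addrs:
            result[port] = "missing"
        elif "0.0.0.0" in addrs:
            result[port] = "pooled"      # still listening on all interfaces
        elif set(addrs) == {expected_addr}:
            result[port] = "ok"
        else:
            result[port] = "other"
    return result


if __name__ == "__main__":
    for port, status in check_bindings(SAMPLE_NETSTAT, "10.0.0.1").items():
        print(f"port {port:3d} {SERVICE_PORTS[port]:15s} {status}")
```

A "pooled" result for the WWW service means the httpcfg step was skipped or applied before the service restart; for FTP or SMTP it means the adsutil.vbs property did not take effect before the service was restarted.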
1. ISA Server 2004 CD-ROM -> ISAAUTORUN.EXE -> Install ISA Server 2004
2. Next
3. I accept the terms in the license agreement -> Next
4. User Name -> Organization -> Product Serial Number -> Next
5. Setup Type: Complete -> Next
6. Internal Network: Add
7. Select Network Adapter
8. Select Network Adapter: select the Loopback adapter, as shown in the figure
9. OK
10. Address Ranges dialog box -> OK
11. Next
12. Firewall Client Connection Settings: accept the default settings -> Next
13. Services -> Next
14. Ready to Install the Program -> Install
15. Installation Wizard Completed -> Finish
16. Restart the firewall
17. Log on as an administrator and close the web browser window

● Disable the Web proxy and Firewall client listeners on the internal interface
Because there is no real internal network, there are no internal network clients, so there is no need for the Web proxy and Firewall client listeners. These listeners can conflict with the Web Publishing Rules and consume resources on the ISA 2004 server, so we disable both. Perform the following steps:
1. ISA 2004 console: expand the server name -> expand Configuration -> Networks
2. Right-click the Internal network -> Properties
3. Internal Properties -> Web Proxy
4. Web Proxy: clear the Enable Web Proxy clients option
5. -> Firewall Client
6. Firewall Client: clear the Enable Firewall client support for this network option
7. Apply -> OK

● Create the Web and Server Publishing Rules
To allow remote users to access the services on the ISA 2004 firewall, we must use Web and Server Publishing Rules. Web Publishing Rules publish Web protocols (HTTP and HTTPS/SSL). The definition of a Web protocol is not strict: you can also publish a download-only FTP site with a Web Publishing Rule. All other services must be published with Server Publishing Rules. Both Web and Server Publishing Rules apply the ISA 2004 firewall's application-layer inspection to the published connections. We will create one Web Publishing Rule and two Server Publishing Rules: the Web Publishing Rule allows remote hosts to connect to the Web server on the ISA 2004 firewall host, and the Server Publishing Rules allow external connections to the SMTP and FTP services.
In the following example, the Web Publishing Rule lets us connect to the Web site using the ISA 2004 firewall's external IP address, but I must remind you that you should not publish a site by its IP address instead of its "public" name. If you do, users can reach the published Web site by IP address instead of by your site's FQDN, and allowing access by IP address exposes the site to worms and anonymous scans. In practice I suggest you publish the site under a name rather than an IP address, but I will not describe in detail how to set up the DNS or HOSTS file entries here, since other articles already cover that. Perform the following steps to create the Web Publishing Rule:
1. ISA 2004 console: expand the server name -> Firewall Policy
2. Click the Publish a Web Server link
3. New Web Publishing Rule Wizard: enter a name for the Web server rule
4. Select Rule Action: Allow
5. Define Website to Publish: enter the IP address the Web server listens on; here the Web server listens on 10.0.0.1, so enter that value, and enter /* in the Path box -> Next
6. Public Name Details: select This domain name (type below) and enter the external IP address of the ISA 2004 firewall. Note: the IP address is used here for demonstration only; I suggest you do not publish a Web site that is accessed by IP address. Enter /* in Path (optional).
7. Web Listener: select a Web listener, or create one if none exists. In this example no Web listener exists yet, so click New.
8. Welcome to the New Web Listener Wizard: enter a name, such as HTTP Listener -> Next
9. IP Addresses: check External, so that the ISA 2004 firewall accepts external requests by binding the Web listener to all IP addresses on the external interface -> Next
10. Port Specification: accept the default settings, Enable HTTP with HTTP port 80 -> Next
11. New Web Listener Wizard -> Finish
12. Select Web Listener: the Web listener we just created now appears in the Web listener drop-down list; select it -> Next
13. User Sets: accept the default All Users -> Next
14. Finish
15. Apply
16. OK -> Apply New Configuration

The following steps create the SMTP Server Publishing Rule:
1. ISA 2004 console: Firewall Policy
2. Click the Create a New Server Publishing Rule link
3. Enter a name for the rule, such as SMTP Server
4. Select Server: enter the IP address the SMTP service listens on; in this example it is 10.0.0.1
5. Select Protocol: select SMTP Server
6. IP Addresses: check External
7. Finish

Finally, create the FTP Server Publishing Rule:
1. ISA 2004 console: Firewall Policy
2. Click the Create a New Server Publishing Rule link
3. Enter a name for the rule, such as FTP Server
4. Select Server: enter the IP address the FTP service listens on; in this example it is 10.0.0.1
5. Select Protocol: select FTP Server
6. IP Addresses: check External
7. Finish
8. Apply
9. OK

● Create the outbound SMTP access rule from the Local Host network to the External network
The SMTP service in this example is configured to let authenticated users relay mail to other e-mail domains, so the ISA 2004 firewall must be configured to allow SMTP from the Local Host network to the External network; otherwise the firewall cannot forward SMTP messages to SMTP servers on the Internet. Note that this does not allow anonymous SMTP relay. An anonymous SMTP relay lets spam flow through your SMTP server, costing you extra network bandwidth and processing and, worse, possibly getting you listed on anti-spam blacklists. Perform the following steps to create the outbound SMTP access rule:
1. ISA 2004 console: Firewall Policy -> Create New Access Rule link
2. Enter a name, such as Outbound SMTP -> Next
3. Select Allow -> Next
4. Select Selected protocols -> Add
5. Select the SMTP protocol -> Close
6. Next
7. Add
8. Select the Local Host network -> Close
9. Next
10. Add
11. Select the External network -> Close
12. Next
13. Accept the default All Users -> Next
14. Finish
15. Apply
16. OK
● Test the configuration
Now let's test the configuration. First, use Outlook Express to send mail through the SMTP server on the ISA 2004 firewall. OE is configured to authenticate to the SMTP server with the ISA host's default Administrator account; in a real environment you should create a dedicated user account on the ISA firewall host so that external users can authenticate with it and relay mail through the firewall. I send an e-mail to my Hotmail account. While it is being sent, the ISA firewall log shows the following: the red box marks the connection from the Outlook Express client to the ISA firewall, allowed by the SMTP Server publishing rule; the blue box marks the outbound SMTP connection, allowed by the outbound SMTP access rule. The last entries in the picture are DNS queries. The ISA 2004 firewall's lookup of the Hotmail site's MX records must happen before the message is sent, but in the log it appears after the mail entries because the DNS response arrives very quickly.

When we look at the message on the Hotmail site, the headers show that it was received by isalocal from xpprosp1, and then that the hotmail.com server received it from isalocal. Note that the IP address listed for isalocal is the IP address on the external interface of the router, not the isalocal host's own IP address.
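To make the relay path in those headers explicit, here is an added example (Python, not part of the original article) that walks the Received headers of the test message, oldest hop first, records which IP address each receiving server actually saw, and reports whether the address the next hop saw for isalocal differs from the host's own external address, which is exactly the router-NAT effect noted above. The two Received headers and the other header lines are copied from this article; the Subject line and body are constructed so the sample is a complete message, and the host's external address 192.168.1.70 is taken from the FTP and Web tests later in the article.

```python
"""Walk the Received: headers of a message to reconstruct its relay path."""
import ipaddress
import re
from email import message_from_string
from typing import Dict, List, Optional

# Received headers copied from the article's test message; Subject and body
# are constructed here to make the sample a complete RFC 822 message.
SAMPLE_MESSAGE = """\
Received: from isalocal ([209.30.181.91]) by MC4-F12.hotmail.com with Microsoft SMTPSVC(5.0.2195.6824); Tue, 13 Jul 2004 21:15:13 -0700
Received: from xpprosp1 ([192.168.1.172]) by ISALOCAL with Microsoft SMTPSVC(6.0.3790.0); Tue, 13 Jul 2004 23:12:36 -0500
Message-ID: <000801c46958$ca281700$ac01a8c0@msfirewall.org>
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
Return-Path: tshinder@tacteam.net
Subject: constructed sample

body
"""

# "from <helo-name> ([<ip>]) by <server>" as written by Microsoft SMTPSVC.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\(\[(?P<ip>[\d.]+)\]\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def relay_path(raw: str) -> List[Dict[str, object]]:
    """Return hops oldest-first. Each hop holds the name the sender announced (helo),
    the IP the receiving server actually saw, the receiving server, and whether
    that IP is from a private range."""
    msg = message_from_string(raw)
    hops: List[Dict[str, object]] = []
    # Each MTA prepends its Received header, so the first one listed is the newest.
    for value in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(" ".join(value.split()))
        if m:
            hop: Dict[str, object] = dict(m.groupdict())
            hop["private"] = ipaddress.ip_address(str(hop["ip"])).is_private
            hops.append(hop)
    return hops


def address_seen_by_next_hop(raw: str, sending_host: str) -> Optional[str]:
    """IP address the next server recorded for sending_host, or None if not found."""
    for hop in relay_path(raw):
        if str(hop["helo"]).lower() == sending_host.lower():
            return str(hop["ip"])
    return None


def behind_nat(raw: str, sending_host: str, own_external_ip: str) -> bool:
    """True when the next hop saw a different address than the host's own
    external interface address, i.e. a NAT device sits in between."""
    seen = address_seen_by_next_hop(raw, sending_host)
    return seen is not None and seen != own_external_ip


if __name__ == "__main__":
    for hop in relay_path(SAMPLE_MESSAGE):
        print(f"{hop['helo']:10s} seen as {hop['ip']:15s} by {hop['by']}"
              f"{'  (private)' if hop['private'] else ''}")
    print("isalocal behind NAT:", behind_nat(SAMPLE_MESSAGE, "isalocal", "192.168.1.70"))
```

The first hop (xpprosp1 to ISALOCAL) carries a private address because the client is on the lab LAN; the second hop shows Hotmail recording 209.30.181.91 for isalocal, which is the router's address, so behind_nat returns True for the host's own 192.168.1.70.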
Received: from isalocal ([209.30.181.91]) by MC4-F12.hotmail.com with Microsoft SMTPSVC(5.0.2195.6824); Tue, 13 Jul 2004 21:15:13 -0700
Received: from xpprosp1 ([192.168.1.172]) by ISALOCAL with Microsoft SMTPSVC(6.0.3790.0); Tue, 13 Jul 2004 23:12:36 -0500
X-Message-Info: JGTYoYF78jHHLX5R9IFBtsCYF3XPLrD
Message-ID: <000801c46958$ca281700$ac01a8c0@msfirewall.org>
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Return-Path: tshinder@tacteam.net
X-OriginalArrivalTime: 14 Jul 2004 04:12:36.0626 (UTC) FILETIME=[CB8CD720:01C46958]

Now test the FTP site. Put some files in the ftproot directory on the ISA firewall host, open a command prompt on the external client, enter ftp 192.168.1.70, and enter Administrator and the administrator password. Enter dir and you will see the list of files; use the get command to download a file and the put command to upload one. Let's try the put command: we upload the boot.ini file from the root directory of the client. The figure shows the command sequence; note the 550 access denied message. What is going on?
The answer is that ISA 2004 is a firewall, not a packet filter or a NAT server. Its default setting is the secure one: only downloads are allowed, because allowing uploads to the FTP site would be a serious security threat to the server. To permit uploads we must modify the FTP Server Publishing Rule. Perform the following steps to make the required change:
1. ISA 2004 console: Firewall Policy -> right-click the FTP Server Publishing Rule -> Configure FTP
2. Clear the Read Only option -> Apply -> OK
3. Apply
4. OK
Now go back to the FTP site, log in again, enter the put command, and you will see the following:
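The 550 reply illustrates the difference between an application-layer filter and a packet filter: the filter reads the FTP control channel and answers a write command itself, so the command never reaches the published server. The following Python model, an added example that is not part of the original article, shows that behaviour with a constructed stand-in for the IIS FTP control channel. Which commands count as writes, the exact reply texts, and the in-process server are all assumptions made for this example, not the ISA 2004 FTP filter's real command list or wording.

```python
"""Model of an application-layer FTP filter enforcing a read-only publishing rule."""
from typing import Dict, List, Tuple

# Commands treated as writes by this model (assumption for the example; not the
# ISA 2004 FTP filter's actual list).
WRITE_COMMANDS = {"STOR", "STOU", "APPE", "DELE", "RMD", "MKD", "RNFR", "RNTO"}


def fake_server(verb: str, arg: str, state: Dict[str, object]) -> str:
    """Constructed stand-in for the published FTP service (control channel only)."""
    files: List[str] = state["files"]  # type: ignore[assignment]
    if verb == "USER":
        return "331 Password required."
    if verb == "PASS":
        state["authed"] = True
        return "230 User logged in."
    if not state.get("authed"):
        return "530 Please login with USER and PASS."
    if verb == "LIST":
        return "226 Transfer complete."
    if verb == "RETR":
        return "226 Transfer complete." if arg in files else "550 File not found."
    if verb == "STOR":
        files.append(arg)
        return "226 Transfer complete."
    if verb == "QUIT":
        return "221 Goodbye."
    return "502 Command not implemented."


def run_session(commands: List[str], read_only: bool) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Drive the control channel through the filter. With read_only set, write
    commands are answered with 550 by the filter and never reach the server.
    Returns (transcript of (command, reply), files on the server afterwards)."""
    state: Dict[str, object] = {"files": ["readme.txt"]}
    transcript: List[Tuple[str, str]] = []
    for line in commands:
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if read_only and verb in WRITE_COMMANDS:
            transcript.append((line, "550 Access is denied."))  # filter replies, server never sees it
            continue
        transcript.append((line, fake_server(verb, arg, state)))
    return transcript, state["files"]  # type: ignore[return-value]


# Constructed session mirroring the article's test: log in, dir, get, put boot.ini.
SESSION = ["USER Administrator", "PASS secret", "LIST",
           "RETR readme.txt", "STOR boot.ini", "QUIT"]

if __name__ == "__main__":
    for read_only in (True, False):
        print(f"--- Read Only = {read_only}")
        transcript, files = run_session(SESSION, read_only)
        for cmd, reply in transcript:
            print(f"> {cmd}\n< {reply}")
        print("files on server:", files)
```

With Read Only set, the STOR for boot.ini is refused at the filter and the server's file list is unchanged; clearing the option (as in the steps above) lets the same command through and the upload succeeds.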
The last test is to open a web browser on an external client and enter http://192.168.1.70; you will see the default Web site.