Websense Installation Guide Supplement for Microsoft ISA Server ▷ 3. Contents . Microsoft ISA Server , Standard Edition and Enterprise Edition. ◇. What's New in ISA Server ISA Server contains a full- featured, application-layer inspection firewall that helps protect enterprises from attack by both. [PDF] Microsoft® Internet Security and Acceleration (ISA) Server Administrator's Pocket Consultant. Microsoft® Internet Security and Acceleration ( ISA).
|Language:||English, Spanish, Dutch|
|Genre:||Science & Research|
|ePub File Size:||22.69 MB|
|PDF File Size:||19.37 MB|
|Distribution:||Free* [*Register to download]|
Go Under the Hood of ISA Server Get Inside Application Layer Filtering Create a Supporting Infrastructure: Support the ISA Server firewall and the. Thank you for downloading microsoft internet security and acceleration isa server administrators pocket consultant. Maybe you have knowledge that. Microsoft Internet Security And Acceleration Isa Server. Administrators Pocket Consultant internet explorer 7 and 8 security settings - internet explorer 7 .
Security features: Microsoft Forefront TMG is a firewall which can inspect network traffic including web contents, secure web contents and emails and filter out malware , attempts to exploit security vulnerabilities and content that does not match a predefined security policy. In technical sense, Microsoft Forefront TMG offers application layer protection , stateful filtering , content filtering and anti-malware protection. Network performance features: Microsoft Forefront TMG can also improve network performance: It can compress web traffic to improve communication speed. It also offers web caching : It can cache frequently-accessed web contents so that users can access them faster from the local network cache. Developed under the code-name "Catapult",  Microsoft Proxy Server v1. Microsoft Proxy Server v1.
Response-String Filtering Through URL filtering, you can gain a large amount of control over the security of your network. You can even block off entire country top-level domains e. However, in some cases, content filtering based on URL checking isn't enough.
You can't know in advance all possible unacceptable URLs.
For those situations, ISA Server provides an additional content-filtering tool in the form of response-string filtering. Let's look at how response-string filtering works.
You might want to ban all Web sites that refer to United States Code 18, section , a common disclaimer-that adult content sites use on their logon page to confirm that they operate within the law. Typically, the notation appears as 18 U. If that notation appears on a Web page, the odds are pretty good that the page is part of an adult Web site.
Having ISA Server search for this notation and filter responses accordingly provides additional security for a small effort. The following scenario demonstrates how you can catch 18 U.
The Web Proxy Filter processes requests on behalf of your organization, then filters content that you request. You must activate it. In your rule set, locate the rule that lets your users browse the Web. In the Application Filters area at the bottom of the HTTP Properties dialog box, you should see a number of available filters, all of them unselected. Click Apply to commit the changes to the firewall. You should now have HTTP filtering enabled. Let's look at some of the rules you can create.
Right-click the name of the rule that lets your users access the Web. This option lets you define advanced HTTP filters for requests going in and out of your network. The HTTP policy applied to your rule has five main sections that correspond to the tabs: general, methods e. Because of this specificity, you can create different sets of HTTP filters based on firewall rule criteria. For example, you can let some users but not others download executable files. To filter Web pages that contain the string 18 U.
This tab lets you perform advanced string and signature filtering on HTTP requests and responses. Obviously, the dialog box is initially blank, which would allow everything to get through. To start adding content to this dialog box, click Add. You can now add a new signature, as Figure 3 shows. To enable parsing a Web page for a specific string, you select Response body as the area to search, then put the actual text in the Signature space.
In the Application Filters area at the bottom of the HTTP Properties dialog box, you should see a number of available filters, all of them unselected. Click Apply to commit the changes to the firewall.
You should now have HTTP filtering enabled. Let's look at some of the rules you can create. Right-click the name of the rule that lets your users access the Web.
You should see a new option for this rule: Configure HTTP. This option lets you define advanced HTTP filters for requests going in and out of your network. The HTTP policy applied to your rule has five main sections that correspond to the tabs: Because of this specificity, you can create different sets of HTTP filters based on firewall rule criteria. For example, you can let some users but not others download executable files.
To filter Web pages that contain the string 18 U. This tab lets you perform advanced string and signature filtering on HTTP requests and responses. Obviously, the dialog box is initially blank, which would allow everything to get through.
To start adding content to this dialog box, click Add. You can now add a new signature, as Figure 3 shows.
To enable parsing a Web page for a specific string, you select Response body as the area to search, then put the actual text in the Signature space. Doing so lets ISA Server know that if it finds that string in the HTTP response within the boundaries of the byte range a Web server provides, it should block the page. The default byte range typically starts at 1 and ends at You should probably increase the upper value of this range so that the filter will actually parse the entire page.
However, because searching larger portions of a requested page incurs a performance penalty, you must weigh the benefits and the costs. As you can see in Figure 3 , I've set the upper value to bytes. When users stumble knowingly or unknowingly across a page that contains the restricted signature, they receive a "The page cannot be displayed" error message in their browser.
The Technical Information section at the bottom of the error page explains that the HTTP filter rejected the request to the target Web site. Signature Matching Although filtering on keywords within the body of an HTML page is useful and improves your organization's security, one of the most powerful ways to use HTTP signatures is to block malicious code embedded in Web pages by directly matching a signature to it.
One example of hostile code to block is download.
This threat propagated itself to Web browsers by sending improper data in the response headers of an HTTP request not in the body of the page itself , which the computer browsing the associated page then processed.
The method involved creating a signature based on the response headers not the body and entering C: Malicious coders continue to focus their efforts on port 80 whenever they can Code Red I and Code Red II were examples of port attacks , knowing that nearly every organization must allow traffic through port The dialog box lets you define any number of file extensions to either allow or block, depending on how you want to create your rules. For example, if your organization's security policy indicates that users should be downloading documents only never anything else , you can set Specify the action taken for file extensions to allow specified extensions only and populate this page with the types you want to allow e.
Figure 5 , however, shows the opposite approach. After the rule is in place, any attempt to download a file with one of the specified extensions results in an error message that explains that the HTTP filter rejected the request.
Let me list common file types that many organizations filter either through their mail server or through a Web proxy filter such as ISA Server. Be sure that your e-mail system is secure before doing so.
You can also deploy a root CA certificate through group policy in Active Directory. Because there is a cost associated with commercial digital certificates, in a scenario where the secure connections are expected to come from internal corporate clients, we recommend that you set up a local CA and issue your own certificates. The procedures for doing so are provided in Appendix B: Certificates from a Local Certification Authority in this document.
In a scenario where you anticipate the need for secure connections from public clients, as in the case where you are publishing a website to the Internet, we recommend that you obtain a certificate from a commercial CA.
You thus avoid the issue of root certificate distribution, and will also have a certificate from a CA that is known and trusted by public users.
Top of page Scenarios Digital certificates are used in a wide variety of scenarios. Using Internet Security and Acceleration ISA Server , there are two common publishing scenarios which may require digital certificate installation.
This is a more secure configuration. Based on these considerations, the Web publishing scenarios can be subdivided into more specific scenarios. This scenario begins with one certificate already installed on the Web server.
Top of page The following sections provide the solutions to all of the previously listed scenarios. Publishing Using Server Publishing Rules Walk-through When you publish a server using server publishing rules, install a digital certificate on the published server, and not on the ISA Server computer. Detailed instructions for each step are provided in the appendices, as noted in the steps.
Install a trusted root certificate on computers that will be SSL clients of the server certificate. If you are using a certificate from a commercial certification authority CA that is included in the Internet Explorer database of CAs, you do not have to perform this step.
Request and install a certificate. The name on the certificate must be the fully qualified host name or URL for the server that you are publishing, or clients will receive an error message when they send HTTPS requests to the server. To install a certificate from a commercial CA, follow the procedures in Appendix A: Certificates from a Commercial Certification Authority in this document.
In addition, you may install or have previously installed a certificate on the Web server.