ISA Server 2006 Lab Manual (Version 3.0f) - HOL392


  • 8/3/2019 ISA Server 2006 Lab Manual (Version 3.0f) - HOL392

    1/26

ISA Server 2006 Secure Application Publishing

Lab Manual

HOL392: Secure Application Publishing and Web Access Protection

Exercise 1 Publishing Exchange Web Access - Certificate Management (page 4)
Exercise 2 Using Cross-Site Link Translation to Publish SharePoint Server (page 11)
Exercise 3 Publishing a Web Farm for Load Balancing (page 15)
Exercise 4 Configuring ISA Server 2006 for Flood Resiliency (page 23)

Lab version 3.0f


Lab Setup

To complete each lab module, you need to review the following:

Virtual Server

This lab makes use of Microsoft Virtual Server 2005 R2 SP1, which is an application that allows you to run multiple virtual computers on the same physical hardware. During the lab you will switch between different windows, each of which contains a separate virtual machine running Windows Server 2003.

Before you start the lab, familiarize yourself with the following basics of Virtual PC or Virtual Server:

To issue the Ctrl-Alt-Del keyboard combination inside a virtual machine, use Alt-Del instead.

Lab Computers

The lab uses five computers in virtual machines.

Denver.contoso.com (green) is the domain controller for the contoso.com domain on the Internal network. Denver runs DNS, RADIUS, Exchange 2003 SP1 and SharePoint Services 2.0, and is also the Certification Authority (CA).

Istanbul.fabrikam.com (purple) is the Web server and client computer on the External network (Internet). Istanbul runs Outlook 2003. Istanbul is not a member of a domain.

Paris (red) runs ISA Server 2006 Standard Edition. Paris has three network adapters, which connect to the Internal network, the Perimeter network and the External network (Internet). The Perimeter network is not used in this lab.

The computers cannot communicate with the host computer.

To allow you to examine and understand the traffic on the network, Microsoft Network Monitor 5.2, which is part of Windows Server 2003, is installed in each virtual machine.


To start the lab

Before you can do any of the lab modules, you need to log on to the computers.

To log on to a computer in a virtual machine:

1. Press Alt-Del (instead of Ctrl-Alt-Del) to open the logon dialog box.

2. Type the following information:
   User name: Administrator
   Password: password
   and then click OK.

3. You can now start with the exercises in this lab manual.

Enjoy the lab!

Comments and feedback

Please send any comments, feedback or corrections regarding the virtual machines or the lab manual to:

Ronald Beekelaar
[email protected]


HOL392: Secure Application Publishing and Web Access Protection

Exercise 1: Publishing Exchange Web Access - Certificate Management

In this exercise, you will enable access to the Exchange Server for clients that use Outlook Web Access (OWA). You configure ISA Server to use SSL Bridging, because you want to encrypt the connection with the SSL protocol (HTTPS), but you also want to inspect the traffic at the ISA Server computer.

This exercise also demonstrates the new certificate management functionality of ISA Server 2006.

Tasks and detailed steps

Note: This lab exercise uses the following computers: Denver - Paris - Istanbul

Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.

Perform the following steps on the Denver computer.

1. On the Denver computer, import the denver.contoso.com Web server certificate from the C:\Tools\Certs folder.

a. On the Denver computer, use Windows Explorer (or My Computer) to open the C:\Tools\Certs folder.
   The Certs folder contains a Web server certificate for denver.contoso.com, and a script to import the certificate and private key in the local machine store.
b. In the Certs folder, right-click denver-certload.vbs, and then click Open.
c. Click Yes to confirm that you want to import the certificate.
d. Click OK to acknowledge that the import of the certificate is complete.
e. Close the Certs folder.

2. Configure IIS to use the denver.contoso.com Web server certificate.

a. On the Start menu, click Administrative Tools, and then click Internet Information Services (IIS) Manager.
   The IIS Manager console opens.
b. In the IIS Manager console, expand DENVER (local computer), expand Web Sites, right-click Default Web Site, and then click Properties.
c. In the Default Web Site Properties dialog box, on the Directory Security tab, click Server Certificate.
d. In the Welcome to the Web Server Certificate Wizard dialog box, click Next.
e. On the Server Certificate page, select Assign an existing certificate, and then click Next.
f. On the Available Certificates page, select the certificate for denver.contoso.com that has the intended purpose of Server Authentication (do not select a certificate with another intended purpose), and then click Next.

g. On the SSL Port page, in the SSL port this web site should use text box, type 443, and then click Next.
h. On the Certificate Summary page, click Next.
i. On the Completing the Web Server Certificate Wizard page, click Finish.
   The Default Web Site on Denver can now use the denver.contoso.com Web server certificate for HTTPS connections.
j. Click OK to close the Default Web Site Properties dialog box.
k. Close the IIS Manager console.

Perform the following steps on the Paris computer.

3. On the Paris computer, import the mail.contoso.com Web server certificate from the C:\Tools\Certs folder.

a. On the Paris computer, use Windows Explorer (or My Computer) to open the C:\Tools\Certs folder.
   The Certs folder contains a Web server certificate for mail.contoso.com, and a script to import the certificate and private key in the local machine store.
b. In the Certs folder, right-click mail-certload.vbs, and then click Open.
c. Click Yes to confirm that you want to import the certificate.
d. Click OK to acknowledge that the import of the certificate is complete.

4. For demonstration purposes, import invalid certificates from the C:\Tools\Certs\Invalid folder.

a. In the Certs folder, open the Invalid folder.
   The Invalid folder contains certificates that demonstrate a few common mistakes with using certificates on ISA Server, and a script to import the certificates.
b. In the Invalid folder, right-click certload-invalid-Paris.vbs, and then click Open.
c. Click Yes to confirm that you want to import the certificates.
d. Click OK to acknowledge that the import of the certificates is complete.
   Later in this exercise, you will see how ISA Server helps identify the invalid certificates.
e. Close the Invalid folder.

Note: On ISA Server 2006 Enterprise Edition, when you configure a Server Authentication certificate to create SSL connections, the same certificate (same name) must be installed on all array members.

5. Create a new Web listener.
   Name: External Web 443
   SSL: enable
   Network: External
   Compression: disable
   Certificate: mail.contoso.com
   Authentication: HTTP Authentication - Basic

a. On the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.
   The ISA Server console opens.
b. In the ISA Server console, expand Paris, and then select Firewall Policy.
c. In the task pane, on the Toolbox tab, in the Network Objects section, right-click Web Listeners, and then click New Web Listener.
d. In the New Web Listener Definition Wizard dialog box, in the Web listener name text box, type External Web 443, and then click Next.
e. On the Client Connection Security page, select Require SSL secured connections with clients, and then click Next.
f. On the Web Listener IP Addresses page, complete the following information:
   Listen on network: External
   ISA Server will compress content: disable
   and then click Next.
g. On the Listener SSL Certificates page, click Select Certificate.
   By default, the Select Certificate dialog box only shows the Web server certificates that are installed correctly.


h. In the Select Certificate dialog box, disable Show only valid certificates.
   To help you troubleshoot common certificate mistakes, ISA Server lists imported certificates that are not valid. The certificates named cert2.contoso.com to cert5.contoso.com are the invalid certificates that you imported earlier in the exercise.
i. In the certificates list, select each of the certificates cert2.contoso.com to cert5.contoso.com to see the problem with the certificate.
   ISA Server can identify the following problems with certificates:
   cert2.contoso.com - The certificate is installed in the current user store, instead of the local machine store.
   cert3.contoso.com - The certificate is installed without a private key.
   cert4.contoso.com - The certificate has expired.
   cert5.contoso.com - The certificate is not yet valid.
   On ISA Server 2006 Enterprise Edition, there is one more certificate problem that is identified:
   The certificate is not imported on all array members.
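The four problems listed above can be checked directly against the Windows certificate stores before a listener is configured. The following PowerShell script is an added example written for this manual's scenario; it is not part of the lab, of the lab's VBScript import scripts, or of ISA Server. It assumes PowerShell is available on the ISA Server computer (Paris) and reports, for every certificate in the personal store of both the local machine and the current user, whether it has a private key, is inside its validity period, carries the Server Authentication purpose, and sits in the local machine store, which is what the Select Certificate dialog requires.

```powershell
# Added example (not part of the lab): reproduce the listener certificate checks
# that the ISA Server "Select Certificate" dialog performs, using the Windows
# certificate stores. Assumes PowerShell on the ISA Server computer (Paris).

function Test-ListenerCertificate {
    param(
        [Parameter(Mandatory=$true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory=$true)]
        [string]$StoreLocation,              # 'LocalMachine' or 'CurrentUser'
        [datetime]$Now = (Get-Date)
    )
    $problems = @()

    # cert2-style mistake: a listener can only use the local machine store
    if ($StoreLocation -ne 'LocalMachine') {
        $problems += 'installed in the current user store, not the local machine store'
    }
    # cert3-style mistake: ISA Server needs the private key to terminate SSL
    if (-not $Cert.HasPrivateKey) { $problems += 'installed without private key' }
    # cert4 / cert5: outside the validity period
    if ($Cert.NotAfter  -lt $Now) { $problems += 'expired' }
    if ($Cert.NotBefore -gt $Now) { $problems += 'not yet valid' }

    # Only certificates whose intended purpose includes Server Authentication
    # (EKU OID 1.3.6.1.5.5.7.3.1) are offered for a Web listener
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'
    $hasServerAuth = $false
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $serverAuthOid) { $hasServerAuth = $true }
            }
        }
    }
    if (-not $hasServerAuth) { $problems += 'intended purpose is not Server Authentication' }

    New-Object PSObject -Property @{
        Subject    = $Cert.Subject
        Store      = "$StoreLocation\My"
        Thumbprint = $Cert.Thumbprint
        Valid      = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

# Walk both personal stores, the same two places the dialog looks once
# "Show only valid certificates" is disabled
$report = foreach ($location in 'LocalMachine', 'CurrentUser') {
    foreach ($cert in Get-ChildItem -Path "Cert:\$location\My") {
        Test-ListenerCertificate -Cert $cert -StoreLocation $location
    }
}
$report | Format-Table Subject, Store, Valid, Problems -AutoSize
```

On Paris, after step 4, the report lists mail.contoso.com as valid and cert2.contoso.com to cert5.contoso.com each with the matching problem text. The Enterprise Edition check (certificate present on all array members) is not covered, because it needs the array configuration rather than a local store.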

j. In the certificates list, select mail.contoso.com, and then click Select.
k. On the Listener SSL Certificates page, click Next.
l. On the Authentication Settings page, complete the following information:
   Authentication method: HTTP Authentication (is default)
   Basic: enable
   Digest: disable (is default)
   Integrated: disable (is default)
   and then click Next.
m. On the Single Sign On Settings page, click Next.
n. On the Completing the New Web Listener Wizard page, click Finish.
   A new Web listener (port 443 on the IP address on the adapter on the External network) with the name External Web 443 is created.

6. Create an OWA mail server publishing rule:
   Name: Publish mail (OWA)
   Version: Exchange Server 2003
   Internal site name: denver.contoso.com
   Public name: mail.contoso.com
   Web listener: External Web 443
   Delegation: Basic Authentication

a. In the right pane, select the first rule, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.
b. In the task pane, on the Tasks tab, click Publish Exchange Web Client Access.
c. In the New Exchange Publishing Rule Wizard dialog box, in the Exchange Publishing rule name text box, type Publish mail (OWA), and then click Next.
d. On the Select Services page, complete the following information:
   Exchange version: Exchange Server 2003 (is default)
   Outlook Web Access: enable (is default)
   Leave the other check boxes disabled (is default)
   and then click Next.
e. On the Publishing Type page, select Publish a single Web site, and then click Next.
f. On the Server Connection Security page, select Use SSL to connect to the published Web server, and then click Next.
g. On the Internal Publishing Details page, in the Internal site name text box, type denver.contoso.com, and then click Next.
   The specified name of the Web mail server must match exactly the name in the certificate on the Denver Web server. Otherwise Internet Explorer on the client computers fails to connect, and displays an error message (500 Internal Server Error - The target principal name is incorrect).
h. On the Public Name Details page, complete the following information:
   Accept requests for: This domain name (type below):
   Public name: mail.contoso.com
   and then click Next.
   The specified public name must match exactly the name in the certificate on Paris. Otherwise the connecting client computers will display a security alert message (The name on the security certificate is invalid.).
i. On the Select Web Listener page, in the Web listener drop-down list box, select External Web 443, and then click Next.
j. On the Authentication Delegation page, select Basic Authentication, and then click Next.
k. On the User Sets page, click Next.
l. On the Completing the New Exchange Publishing Rule Wizard page, click Finish.
   A new Web publishing rule is created, which publishes the three OWA virtual directories on the Web site denver.contoso.com as mail.contoso.com on the External network.

7. Examine the new OWA mail server publishing rule named Publish mail (OWA).

a. In the right pane, right-click Publish mail (OWA), and then click Properties.
b. In the Publish mail (OWA) Properties dialog box, select the To tab.
   OWA requires that the original host headers (https://mail.contoso.com) are forwarded to the published server (Denver).
c. Select the Traffic tab.
   The OWA publishing rule only allows HTTPS access, not HTTP access.
d. Select the Paths tab.
   The OWA publishing rule only allows access to the three virtual directories needed for OWA (/public, /exchweb and /exchange).
e. Select the Listener tab.
   The certificate name (mail.contoso.com) exactly matches the name on the Public Name tab.
f. Select the Bridging tab.
   ISA Server redirects incoming requests to the SSL port. It will create a new SSL connection from the ISA Server to Denver. The name on the To tab exactly matches the name in the certificate on Denver.
g. Click Cancel to close the Publish mail (OWA) Properties dialog box.

8. Apply the new rule.

a. Click Apply to apply the new rule, and then click OK.
   The new Publish mail (OWA) rule is applied.
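SSL bridging, as the Bridging tab shows, depends on two exact name matches: the public name against the listener certificate on Paris (step 6h) and the internal site name against the IIS certificate on Denver (step 6g). The following PowerShell function is an added example, not part of the lab or of ISA Server, that performs each handshake the way the respective client does and reports whether the name would be accepted, so that a mismatch can be located before a client sees "The target principal name is incorrect". It assumes PowerShell with .NET 2.0 or later on the computer it is run from, and uses only the host names of this exercise.

```powershell
# Added example (not part of the lab): check the two name-to-certificate
# matches that SSL bridging relies on. Assumes PowerShell with .NET 2.0+;
# host names are the ones used in this exercise.

function Test-SslNameMatch {
    param(
        [Parameter(Mandatory=$true)]
        [string]$TargetName,                 # name the rule uses (public name or internal site name)
        [string]$HostOrIp = $TargetName,     # address the TCP connection actually goes to
        [int]$Port = 443
    )
    # Shared state that the validation callback fills in
    $state = @{ Errors = [System.Net.Security.SslPolicyErrors]::None; Cert = $null }

    # Record the validation result instead of aborting the handshake, so the
    # report can say *why* the name would be rejected (name mismatch, chain, ...)
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $errors)
        $state.Errors = $errors
        $state.Cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certificate
        return $true   # diagnostic only; a real client would return $false on errors
    }.GetNewClosure()

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostOrIp, $Port)
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $client.GetStream(), $false, $callback
        # TargetName is what the certificate subject is compared against, exactly
        # as the internal site name / public name on the rule are
        $ssl.AuthenticateAsClient($TargetName)
        $ssl.Close()
    } finally {
        $client.Close()
    }

    $nameMismatch = [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch
    $chainErrors  = [System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors
    New-Object PSObject -Property @{
        TargetName   = $TargetName
        CertSubject  = $(if ($state.Cert) { $state.Cert.Subject } else { '(no certificate)' })
        NameMatches  = (($state.Errors -band $nameMismatch) -eq 0)
        ChainTrusted = (($state.Errors -band $chainErrors)  -eq 0)
        PolicyErrors = $state.Errors
    }
}

# Hop 1, run on Istanbul: public name of the rule vs. the listener certificate on Paris
Test-SslNameMatch -TargetName 'mail.contoso.com'

# Hop 2, run on Paris: internal site name (To tab) vs. the IIS certificate on Denver
Test-SslNameMatch -TargetName 'denver.contoso.com'

# What a wrong internal site name looks like: the short name does not match the
# denver.contoso.com certificate, so NameMatches is False (illustration only)
Test-SslNameMatch -TargetName 'denver' -HostOrIp 'denver.contoso.com'
```

NameMatches is False exactly when the name typed on the rule differs from the certificate's subject; ChainTrusted is False when the issuing CA (here the Denver CA) is not in the Trusted Root store of the computer running the check, which is the same condition that produces the browser's security alert.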

Perform the following steps on the Denver computer.

9. On the Denver computer, configure IIS to require SSL on the virtual directories used by OWA: /Exchange, /ExchWeb and /Public.

a. On the Denver computer, on the Start menu, click Administrative Tools, and then click Internet Information Services (IIS) Manager.
   The IIS Manager console opens.
b. In the IIS Manager console, expand Default Web Site, right-click Exchange, and then click Properties.
   /Exchange, /ExchWeb and /Public are the three virtual directories used by Outlook Web Access (OWA).
c. In the Exchange Properties dialog box, on the Directory Security tab, in the Secure communications box, click Edit.
d. In the Secure Communications box, enable Require secure channel (SSL), and then click OK.
   Now that IIS has a Web server certificate configured, only secure access (HTTPS) to the OWA virtual directories should be allowed.
e. Click OK to close the Exchange Properties dialog box.
   Repeat the same configuration step for the /ExchWeb virtual directory.
f. Right-click ExchWeb, and then click Properties.
g. In the ExchWeb Properties dialog box, on the Directory Security tab, in the Secure communications box, click Edit.
h. In the Secure Communications box, enable Require secure channel (SSL), and then click OK.
i. Click OK to close the ExchWeb Properties dialog box.
   Repeat the same configuration step for the /Public virtual directory.
j. Right-click Public, and then click Properties.
k. In the Public Properties dialog box, on the Directory Security tab, in the Secure communications box, click Edit.
l. In the Secure Communications box, enable Require secure channel (SSL), and then click OK.
m. Click OK to close the Public Properties dialog box.
n. Close the IIS Manager console.
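The three "Require secure channel (SSL)" settings just made are stored in the IIS 6 metabase, so they can be audited without opening IIS Manager. The following PowerShell script is an added example, not part of the lab or of Exchange, that reads the setting for each OWA virtual directory through the IIS ADSI provider; it assumes PowerShell on Denver, that the OWA directories live under the Default Web Site (metabase site id 1), and that the metabase property behind the check box is AccessSSL.

```powershell
# Added example (not part of the lab): audit that the OWA virtual directories
# on Denver require SSL, via the IIS 6 ADSI provider. Assumes PowerShell on
# Denver and the Default Web Site (W3SVC/1). AccessSSL is the metabase flag
# behind "Require secure channel (SSL)"; AccessSSL128 is the 128-bit option.

function Get-VdirSslRequirement {
    param(
        [string[]]$VirtualDirectories = @('Exchange', 'ExchWeb', 'Public'),
        [string]$SitePath = 'IIS://localhost/W3SVC/1/Root'
    )
    foreach ($name in $VirtualDirectories) {
        $vdir = [ADSI]"$SitePath/$name"
        New-Object PSObject -Property @{
            VirtualDirectory = "/$name"
            RequireSSL       = [bool]$vdir.Properties['AccessSSL'].Value
            Require128Bit    = [bool]$vdir.Properties['AccessSSL128'].Value
        }
    }
}

$result = Get-VdirSslRequirement
$result | Format-Table VirtualDirectory, RequireSSL, Require128Bit -AutoSize

# A directory still reachable over plain HTTP undermines the bridging design:
# ISA Server requires HTTPS from external clients, but internal access to the
# same directory would not be encrypted
$result | Where-Object { -not $_.RequireSSL } |
    ForEach-Object { Write-Warning "$($_.VirtualDirectory) does not require SSL" }
```

After step 9 all three rows show RequireSSL as True; a warning line for any of them means the Directory Security change did not take effect for that directory.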

Perform the following steps on the Istanbul computer.

10. On the Istanbul computer, use Internet Explorer to securely connect to https://mail.contoso.com/exchange. Send an e-mail to Administrator to test the secure OWA connection to ISA Server.

a. On the Istanbul computer, open Internet Explorer. In the Address box, type https://mail.contoso.com/exchange, and then press Enter.
   An authentication dialog box for mail.contoso.com appears.
   Note: On Istanbul, mail.contoso.com resolves to 39.1.1.1 (Paris).
b. In the Connect to mail.contoso.com dialog box, complete the following information:
   User name: Administrator
   Password: password
   Remember my password: disable (is default)
   and then click OK.
   Internet Explorer displays the Outlook Web Access Inbox of the Administrator. The yellow lock icon at the bottom of the screen indicates that the connection uses SSL.
   Note: The root certificate of Denver CA is already installed as a trusted root certificate on Istanbul.
c. On the OWA toolbar, click New.
d. In the new message window, complete the following information:
   To: Administrator
   Subject: Test mail through Secure OWA - 1
   (Message): Publish Exchange using Secure OWA
   and then click Send.
   Internet Explorer sends the message.
   After a few moments a new message appears in the Inbox. This result shows that Internet Explorer successfully connected to the Exchange Server on Denver, by using a secure OWA connection to ISA Server.
e. After a few moments, in the left pane, click Inbox to refresh the display of the Inbox contents.
f. Close Internet Explorer.

Note: In the following steps, HTML Form Authentication is configured. The advantage of using HTML Form Authentication is that the authentication credentials are not cached on the client computer. This is especially important when users are connecting from public computers. The credential information is kept in a (temporary) session cookie while the OWA connection is open.

Perform the following steps on the Paris computer.

11. On the Paris computer, configure the External Web 443 Web listener to use HTML Form Authentication.

a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
b. In the task pane, on the Toolbox tab, in the Network Objects section, expand Web Listeners, right-click External Web 443, and then click Properties.
c. In the External Web 443 Properties dialog box, on the Authentication tab, in the Client Authentication Method drop-down list box, select HTML Form Authentication.
d. On the Forms tab, click Advanced.
   The HTML Form Authentication allows you to specify idle session timeout values for client browsers on public computers and client browsers on private computers.
e. Click Cancel to close the Advanced Form Options dialog box.
f. Click OK to close the External Web 443 Properties dialog box.
   The Web listener is now configured to use HTML Form Authentication.
g. Click Apply to save the changes, and then click OK.

Perform the following steps on the Istanbul computer.

12. On the Istanbul computer, use Internet Explorer to securely connect to https://mail.contoso.com/exchange again.

a. On the Istanbul computer, open Internet Explorer. In the Address box, type https://mail.contoso.com/exchange, and then press Enter.
   The Office Outlook Web Access authentication Web page appears.
b. In the Office Outlook Web Access page, complete the following information:
   Security: This is a private computer
   Use Outlook Web Access Light: disable (is default)
   Domain\user name: contoso\administrator
   Password: password
   and then click Log On.
   When using HTML Form Authentication, the user indicates whether the client browser is on a public computer or on a private computer.
   Internet Explorer displays the Outlook Web Access Inbox.
c. Close Internet Explorer.

Note: The following task is needed to avoid conflicts with other lab exercises.

Perform the following steps on the Paris computer.

13. On the Paris computer, configure the External Web 443 Web listener to use Basic authentication.

a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
b. In the task pane, on the Toolbox tab, in the Network Objects section, expand Web Listeners, right-click External Web 443, and then click Properties.
c. In the External Web 443 Properties dialog box, on the Authentication tab, complete the following information:
   Client Authentication Method: HTTP Authentication
   Basic: enable
   Digest: disable (is default)
   Integrated: disable (is default)
   and then click OK to close the External Web 443 Properties dialog box.
   The Web listener is now configured to use Basic HTTP authentication.
d. Click Apply to save the changes, and then click OK.

  • 8/3/2019 ISA Server 2006 Lab Manual (Version 3.0f) - HOL392

    11/26

    HOL392: Secure Application Publishing and Web Access Protection 11

    Exercise 2Using Cross-Site Link Translation to PublishSharePoint Server

    In this exercise, you will configure ISA Server to publish a SharePoint Server.

    The portal Web site contains links to other Web servers. By using cross-site link translation,

    you can access the links from the published portal Web site.

    Note: This exercise applies to new functionality in ISA Server 2006.

    Tasks Detailed steps

    Note: This lab exercise uses the following computers: Denver - Paris - Istanbul

    Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.

    Perform the following steps on the Denver computer.

    1. On the Denver computer,

    connect to http://portal, and

    examine the links on the Project-D

    Portal Web site.

    a. On the Denver computer, open Internet Explorer. In the Address box,

    type http://portal, and then press Enter.

    Internet Explorer displays a sample Project-D Portal Web site,which runs on Denver on IP address 10.1.1.10.

    b. In the portal Web site, underShared Documents, move the mouse

    pointer overAgenda (do not click).

    In the status bar, notice that the Agenda.doc link refers tohttp://portal.

    c. ClickAgenda.

    d. In the File Download dialog box, clickOpen to confirm that you want to

    open the Agenda.doc file. WordPad opens the Agenda.doc file.

    e. Close WordPad.

    f. In the portal Web site, underLinks, move the mouse pointer over

    Research Web Site (do not click).

    In the status bar, notice that the Research Web Site link refers tohttp://server1.

    It is very common that SharePoint sites contain links to otherservers on the internal network.

    g. ClickResearch Web Site.

    Internet Explorer opens the research.htm file on server1. Server1 isa Web site running on Denver on IP address 10.1.1.21.

    h. On the toolbar, click the Backbutton.

    i. Close Internet Explorer

    Perform the following steps on the Paris computer.

    2. On the Paris computer,

    create a new Web listener.

    Name: External Web 80

    SSL: disable

    a. On the Paris computer, on the Start menu, clickAll Programs, click

    Microsoft ISA Server, and then clickISA Server Management.

    The ISA Server console opens.

    b. In the ISA Server console, expand Paris, and then select

    Firewall Policy.

  • 8/3/2019 ISA Server 2006 Lab Manual (Version 3.0f) - HOL392

    12/26

    12 HOL392: Secure Application Publishing and Web Access Protection

    Network: External

    Compression: disable

    Authentication: none

    (If this is not done already)

    c. In the task pane, on the Toolbox tab, in the Network Objects section,

    expand Web Listeners (if possible).

    Note: If a Web Listener namedExternal Web 80 is already createdin an earlier exercise, then you can skip the rest of this task.

    d. If a Web listener named External Web 80 does not exist, then

    right-clickWeb Listeners, and then clickNew Web Listener.

    e. In the New Web Listener Definition Wizard dialog box, in the

    Web listener name text box, type External Web 80, and then clickNext.f. On the Client Connection Security page, select

    Do not require SSL secured connections with clients, and then clickNext.

    g. On the Web Listener IP Addresses page, complete the following

    information:

    Listen on network: External

    ISA Server will compress content: disable

    and then clickNext.

    h. On the Authentication Settings page, in the drop-down list box, select

    No Authentication, and then clickNext.

    i. On the Single Sign On Settings page, clickNext.

    j. On the Completing the New Web Listener Wizard page, clickFinish.

    A new Web listener (port80 on the IP address on the adapter ontheExternalnetwork) with the nameExternal Web 80 is created.

    3. Create a Web publishing

    rule to publish a SharePoint server.

    Name: Portal Web Site

    Publishing type:

    single Web site

    Internal site name:

    portal

    Public name:

    portal.contoso.com

    Web listener:

    External Web 80

    Delegation: none

    a. In the right pane, select the first rule, or select Default rule if no other

    rule exists, to indicate where the new rule is added to the rule list.

    b. In the task pane, on the Tasks tab, clickPublish SharePoint Sites.

    c. In the New SharePoint Publishing Rule Wizard dialog box, in the

    SharePoint publishing rule name text box, type Portal Web Site, and then

    clickNext.

    d. On the Publishing Type page, select Publish a single Web site, and then

    clickNext.

    e. On the Server Connection Security page, select Use non-secured

    connections to connect to the published Web server, and then clickNext.

    f. On the Internal Publishing Details page, in the Internal site name textbox, type portal, and then clickNext.

    g. On the Public Name Details page, in the Public name text box, type

    portal.contoso.com, and then clickNext.

    h. On the Select Web Listener page, in the Web listener drop-down list

    box, select External Web 80, and then clickNext.

    i. On the Authentication Delegation page, select No delegation, and client

    cannot authenticate directly, and then clickNext.

    j. On the Alternate Access Mapping Configuration page, select

    SharePoint AAM is not yet configured, and then clickNext.

    ISA Server forwards the public name (portal.contoso.com) to theSharePoint site. If SharePoint limits which names can be used to access the

    site, then you have to add portal.contoso.com to the Extranet URL list

    (Alternate Access Mapping list) on the SharePoint site.

    k. On the User Sets page, clickNext.

    l. On the Completing the New SharePoint Publishing Rule Wizard page,

    clickFinish.

    A new Web publishing rule is created, which publishes theSharePoint siteportalasportal.contoso.com on the External network.

    4. Apply the changes. a. ClickApply to apply the changes, and then clickOK.

  • 8/3/2019 ISA Server 2006 Lab Manual (Version 3.0f) - HOL392

    13/26

    HOL392: Secure Application Publishing and Web Access Protection 13

    Perform the following steps on the Istanbul computer.

    5. On the Istanbul computer,

    connect to

    http://portal.contoso.com, and

    examine the links on the Project-D

    Portal Web site.

    a. On the Istanbul computer, open Internet Explorer. In the Address box,

    type http://portal.contoso.com, and then press Enter.

    Internet Explorer displays the sample Project-D Portal Web site.

    This result demonstrates that you have successfully published theSharePoint site.

    b. In the portal Web site, underShared Documents, move the mousepointer overAgenda (do not click).

    In the status bar, notice that the Agenda.doc link refers tohttp://portal.contoso.com.

    The SharePoint publishing rule wizard configured the Webpublishing rule to forward the original host header (http://portal.contoso.com)to the SharePoint site.SharePoint uses that information to create URLs that refer to the host name(portal.contoso.com) that the client can use.

    c. ClickAgenda.

    d. In the File Download dialog box, clickOpen to confirm that you want to

    open the Agenda.doc file.

    WordPad opens the Agenda.doc file. You can access documents on the published SharePoint Web site, inthe same way you can access them on the internal network when connecting tohttp://portal.

    e. Close WordPad.

    f. In the portal Web site, underLinks, move the mouse pointer over

    Research Web Site (do not click).

    In the status bar, notice that the Research Web Site link refers tohttp://server1.

    g. ClickResearch Web Site.

    Internet Explorer on Istanbul is not able to resolve the nameserver1 name to connect to the Web server on the internal network.

    h. On the toolbar, click the Backbutton.

    i. Close Internet Explorer.

    Perform the following steps on the Paris computer.

    6. On the Paris computer,

    create a Web publishing rule.

    Name: Server1 Web Site

    Publishing type:

    single Web site

    Internal site name:

    server1

    Public name:

    web1.contoso.com

    Web listener:

    External Web 80

    Delegation: none

    a. On the Paris computer, in the ISA Server console, in the left pane, select

    Firewall Policy.

    b. In the right pane, select the first rule to indicate where the new rule is

    added.

    c. In the task pane, on the Tasks tab, clickPublish Web Sites.

    d. In the New Web Publishing Rule Wizard dialog box, in the

    Web publishing rule name, type Server1 Web Site, and then clickNext.

    e. On the Select Rule Action page, select Allow, and then clickNext.

    f. On the Publishing Type page, select Publish a single Web site, and then

    clickNext.

    g. On the Server Connection Security page, select Use non-secured

    connections to connect to the published Web server, and then clickNext.

    h. On the Internal Publishing Details page, in the Internal site name text

    box, type server1, and then clickNext.

    i. On the next Internal Publishing Details page, leave the Path text box

    empty, and then clickNext.

j. On the Public Name Details page, in the Public name text box, type

web1.contoso.com, and then click Next.

k. On the Select Web Listener page, in the Web listener drop-down list

box, select External Web 80, and then click Next.

l. On the Authentication Delegation page, select No delegation, and client

cannot authenticate directly, and then click Next.

m. On the User Sets page, click Next.

n. On the Completing the New Web Publishing Rule Wizard page, click

Finish.

A new Web publishing rule is created, which publishes the Web site server1 as web1.contoso.com on the External network.

7. Apply the changes. a. Click Apply to apply the changes, and then click OK.

    8. Examine the list of

    per-server link translation

    mappings.

a. In the left pane, expand Configuration, and then click General.

b. In the right pane, click Configure Global Link Translation.

ISA Server 2006 maintains a per-server (or per-array) list of URL text replacement mappings that are applied to the content of HTTP responses passing through any Web publishing rule in the array.

c. Select the Global Mappings tab.

The mappings are created automatically based on the internal site name and the public name of existing Web publishing rules, but you can also add custom mappings.

The mapping that replaces http://server1/ with http://web1.contoso.com/ is based on the new Server1 Web Site rule, and will be used by the Portal Web Site rule.

d. Click Cancel to close the Link Translation dialog box.

Note: On ISA Server 2006 Enterprise Edition, you can enable link translation across arrays. This means that an

array can use link translation entries from other arrays in the same Enterprise.
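The automatic mapping table described in task 8, as an added example that is not part of the lab manual or of ISA Server: it builds the global mappings from the rules' internal site names and public names, applies them to an HTML response body, and audits the body for internal host names that no rule covers (those are left untouched and therefore both break for External clients and disclose internal names). The rule names and host names are the lab's; the Rule class, the function names and the constructed HTML are assumptions.

```python
"""Added example, not code from the lab manual or from ISA Server: a minimal
model of global link translation. The mapping table is derived from each Web
publishing rule's internal site name and public name, as the Global Mappings
tab shows, and applied to the body of HTML responses passing through any rule.
The rule names and hosts below are the lab's; the Rule class, function names
and the constructed HTML are assumptions for illustration."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    internal_site: str      # host header used towards the published server
    public_name: str        # name clients use on the External network
    public_scheme: str = "http"


def global_mappings(rules):
    """Automatic mappings: http://<internal site>/ -> <scheme>://<public name>/."""
    return {f"http://{r.internal_site}/": f"{r.public_scheme}://{r.public_name}/"
            for r in rules}


def translate_body(body, mappings, content_type="text/html"):
    """Rewrite links in an HTML response body; other content types pass through."""
    if not content_type.lower().startswith("text/html"):
        return body
    for internal, public in mappings.items():
        body = body.replace(internal, public)
    return body


_HOST_RE = re.compile(r"https?://([A-Za-z0-9.\-]+)/")


def _host(url):
    m = _HOST_RE.match(url)
    return m.group(1).lower() if m else None


def untranslated_internal_hosts(body, mappings):
    """Audit: absolute URLs in the body whose host has no mapping and is not
    already a public name. ISA Server leaves these untouched, so they break for
    External clients (as http://server1 did before the Server1 rule existed)
    and disclose internal host names."""
    covered = {_host(k) for k in mappings}
    public = {_host(v) for v in mappings.values()}
    found = {h.lower() for h in _HOST_RE.findall(body)}
    return sorted(found - covered - public)


LAB_RULES = (
    Rule("Portal Web Site", "portal", "portal.contoso.com"),
    Rule("Server1 Web Site", "server1", "web1.contoso.com"),
)

# Constructed response body standing in for the Project-D portal's Links list.
SAMPLE_BODY = ('<a href="http://server1/research/">Research Web Site</a>\n'
               '<a href="http://intranet/hr/">HR</a>\n')


if __name__ == "__main__":
    mappings = global_mappings(LAB_RULES)
    print(translate_body(SAMPLE_BODY, mappings))
    print("unmapped internal hosts:", untranslated_internal_hosts(SAMPLE_BODY, mappings))
```

Running the audit against a published site's responses is a quick way to find links that still point at hosts without a publishing rule; each such host needs either a rule of its own or a custom mapping.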

    Perform the following steps on the Istanbul computer.

    9. On the Istanbul computer,

    connect to

    http://portal.contoso.com, and

    examine the links on the Project-D

    Portal Web site.

a. On the Istanbul computer, open Internet Explorer. In the Address box,

type http://portal.contoso.com, and then press Enter.

Internet Explorer displays the sample Project-D Portal Web site. The site is published through the Portal Web Site publishing rule.

b. In the portal Web site, under Links, move the mouse pointer over

Research Web Site (do not click).

In the status bar, notice that the Research Web Site link now refers to http://web1.contoso.com.

The Portal Web Site rule used the link translation entry from the Server1 Web Site rule.

c. Click Research Web Site.

Internet Explorer displays the Research Web page from Server1. The site is published through the Server1 Web Site publishing rule.

d. On the toolbar, click the Back button.

e. Close Internet Explorer.


Exercise 3 Publishing a Web Farm for Load Balancing

In this exercise, you will publish two Web servers (10.1.1.21 and 10.1.1.22) as a Web farm. ISA Server load balances Web requests to servers in a Web farm.

The exercise uses both Cookie-Based Load Balancing and Source-IP Based Load Balancing.

    Note: This exercise applies to new functionality in ISA Server 2006.

    Tasks Detailed steps

    Note: This lab exercise uses the following computers: Denver - Paris - Istanbul

    Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.

    Perform the following steps on the Paris computer.

1. On the Paris computer, create a new Web listener.

    Name: External Web 80

    SSL: disable

    Network: External

    Compression: disable

    Authentication: none

    (If this is not done already)

a. On the Paris computer, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.

The ISA Server console opens.

b. In the ISA Server console, expand Paris, and then select

Firewall Policy.

c. In the task pane, on the Toolbox tab, in the Network Objects section,

expand Web Listeners (if possible).

Note: If a Web Listener named External Web 80 was already created in an earlier exercise, then you can skip the rest of this task.

d. If a Web Listener named External Web 80 does not exist, then

right-click Web Listeners, and then click New Web Listener.

e. In the New Web Listener Definition Wizard dialog box, in the

Web listener name text box, type External Web 80, and then click Next.

f. On the Client Connection Security page, select

Do not require SSL secured connections with clients, and then click Next.

g. On the Web Listener IP Addresses page, complete the following

information:

Listen on network: External

ISA Server will compress content: disable

and then click Next.

h. On the Authentication Settings page, in the drop-down list box, select

No Authentication, and then click Next.

i. On the Single Sign On Settings page, click Next.

j. On the Completing the New Web Listener Wizard page, click Finish.

A new Web listener (port 80 on the IP address of the adapter on the External network) with the name External Web 80 is created. Because this listener does not require SSL and performs no authentication, everything published through it crosses the External network in clear text and is reachable by anyone; that is acceptable for this lab only.

    2. Create a new Server Farm

    network element.

    Name: Shop Web Servers

    Addresses:

    - 10.1.1.21

    - 10.1.1.22

a. In the task pane, on the Toolbox tab, in the Network Objects section,

right-click Server Farms, and then click New Server Farm.

The New Server Farm Definition Wizard opens.

b. In the New Server Farm Definition Wizard dialog box, in the

Server farm name text box, type Shop Web Servers, and then click Next.

c. On the Servers page, click Add.

d. In the Server Details dialog box, complete the following information:

Computer name or IP address: 10.1.1.21


Monitoring: http://*/ (farm-level setting, configured in step h below)

Description: Shopping Web Server 1

and then click OK.

e. On the Servers page, click Add again.

f. In the Server Details dialog box, complete the following information:

Computer name or IP address: 10.1.1.22

Description: Shopping Web Server 2

and then click OK.

Note: The Denver computer runs two Web sites at addresses 10.1.1.21 and 10.1.1.22.

g. On the Servers page, click Next.

h. On the Server Farm Connectivity Monitoring page, complete the

following information:

Send an HTTP/HTTPS GET request: enable (is default)

Current URL: http://*/ (is default)

and then click Next.

ISA Server will monitor the connectivity to the servers in the Shop Web Servers farm by connecting to each of the Web servers (using GET http://10.1.1.21/ and GET http://10.1.1.22/) every 30 seconds.

i. On the Completing the New Server Farm Wizard page, click Finish.

j. In the HTTP Connectivity Verification dialog box, click Yes to confirm that you want the connectivity verifiers system policy to be enabled.

The wizard enables system policy rule 19 to allow the HTTP GET requests from the ISA Server to the Web servers in the Shop Web Servers farm.

    3. Create a new Web

    publishing rule.

    Name: Sales Web Site

    Type: Publish server farm

    Internal name:

    store.contoso.com/shop

    Server farm:

    Shop Web Servers

    Load balance mechanism:

    Cookie-based

    Public name:

    www.contoso.com/shop

    Web listener:

    External Web 80

    Delegation: none

a. In the right pane, select the first rule, or select Default rule if no other

rule exists, to indicate where the new rule is added to the rule list.

b. In the task pane, on the Tasks tab, click Publish Web Sites.

c. In the New Publishing Rule Wizard dialog box, in the

Web publishing rule name text box, type Sales Web Site, and then click

Next.

d. On the Select Rule Action page, select Allow, and then click Next.

The Publishing Type page has three choices:

Publish a single Web site - You create a single rule for a single Web site.

Publish a server farm - You create a single rule for multiple Web sites with identical content. ISA Server load balances requests.

Publish multiple Web sites - You create a separate rule for each published Web site with only a single run of the wizard.

e. On the Publishing Type page, select

Publish a server farm of load balanced Web servers, and then click Next.

f. On the Server Connection Security page, select Use non-secured

connections to connect to the published Web server or server farm, and

then click Next.

g. On the Internal Publishing Details page, in the Internal site name text

box, type store.contoso.com, and then click Next.

Note: When you publish a server farm, ISA Server does not use the

internal site name (store.contoso.com) to find the published servers. Instead, later in the wizard you specify the Server Farm network element, which lists the addresses of the servers in the farm. The internal site name is used as the host header when connecting to the farm

servers, and it is used in automatic Link Translation mappings.

h. On the next Internal Publishing Details page, complete the following

information:

Path: shop/*

Forward the original host header: disable (default)

and then click Next.


i. On the Specify Server Farm page, complete the following information:

Select the server farm (drop-down list box): Shop Web Servers

Cookie-based Load Balancing: enable (is default)

and then click Next.

ISA Server can use two different methods to load balance requests to the servers in the farm:

Cookie-based Load Balancing - ISA Server uses round-robin to distribute new connections to the Web servers. It sends a temporary session cookie to each client that connects, so that client session affinity to the selected Web

server is maintained.

Source-IP based Load Balancing - ISA Server uses a hash value of the client's IP address to distribute connections to the Web servers. All requests

from the same client IP address go to the same Web server.

Note: For load balancing Outlook Web Access or SharePoint access, both of which use Internet Explorer, Cookie-based Load Balancing is the recommended solution. For load balancing Outlook RPC over HTTP access, you need to use Source-IP based Load Balancing, because Outlook does not handle HTTP cookies. Keep in mind that Source-IP based Load Balancing sends all clients that share one address (for example, behind the same NAT device or proxy) to the same Web server, so the load is only as evenly spread as the client addresses are.

j. On the Public Name Details page, complete the following information:

Accept request for: This domain name (type below)

Public name: www.contoso.com

Path (optional): /shop/* (automatic)

and then click Next.

k. On the Select Web Listener page, in the Web listener drop-down list

box, select External Web 80, and then click Next.

l. On the Authentication Delegation page, in the drop-down list box, select

No delegation, and client cannot authenticate directly, and then click Next.

m. On the User Sets page, click Next.

n. On the Completing the New Web Publishing Rule Wizard page, click

Finish.

A new Web publishing rule named Sales Web Site is created. The icon with the four small servers indicates that this rule publishes a server farm.

4. Apply the changes. a. Click Apply to apply the changes, and then click OK.

    5. Examine the connectivity

    verifiers for the Shop Web Servers

    farm.

a. In the ISA Server console, in the left pane, select Monitoring.

b. In the right pane, select the Connectivity Verifiers tab.

Note: You may (temporarily) need to close the task pane in order to see the Connectivity Verifiers tab.

c. Right-click the first Farm: Shop Web Servers connectivity verifier, and

then click Properties.

d. In the Farm: Shop Web Servers Properties dialog box, select the

Connectivity Verification tab.

Every 30 seconds, ISA Server connects to the published Web servers (using GET http://10.1.1.21/ and GET http://10.1.1.22/). If the Web server responds with HTTP code 200 (OK) within 5 seconds, ISA Server considers the Web server to be available, and load balances requests to the Web server.

Note: For the GET http://*/ request to succeed, the Web server must accept anonymous access to the root, and must have a default document available. Otherwise, the connectivity verifier fails to connect.

e. Click Cancel to close the Farm: Shop Web Servers Properties dialog

box.

When the Web servers are available, the connectivity verifier icon contains a green check mark, and the Result column displays the observed response time.


    Perform the following steps on the Istanbul computer.

    6. On the Istanbul computer,

    use Internet Explorer to connect to

    http://www.contoso.com/

    shop/web.asp

a. On the Istanbul computer, open Internet Explorer. In the Address box,

type http://www.contoso.com/shop/web.asp, and then press Enter.

Internet Explorer displays the web.asp page from Web server 10.1.1.21 (Server1). The client did not include a cookie in the Web request.

Note: Due to the round-robin nature of the Cookie-based Load

Balancing, and depending on earlier Web requests that you may have done, it is possible that the Web page in this task is returned from 10.1.1.22. In that case, close the Internet Explorer window, and connect to the Web address again.

b. On the toolbar, click the Refresh button to refresh the content of the

Web page.

The same Web server handles the Web request. For the second and the subsequent requests, the client includes the session cookie (starting with

ISAWPLB), which it received in the response to the first request. The cookie text contains a Globally Unique Identifier (GUID) that ISA Server uses to identify which Web server it should send the Web request to. This ensures

session affinity with the same Web server. (ISAWPLB stands for ISA Web Publishing Load Balancing.)

Note: In the response, ISA Server also forwards an ASP Session cookie from the Web server to the client computer.

    7. Create two new Internet

    Explorer sessions, and connect to

    http://www.contoso.com/

    shop/web.asp

a. On the Start menu, click All Programs, and then click

Internet Explorer.

A second Internet Explorer window opens.

b. In Internet Explorer, in the Address box, type

http://www.contoso.com/shop/web.asp, and then press Enter.

The new Web request does not contain a session cookie. Therefore ISA Server forwards the request to the other Web server, 10.1.1.22 (Server2), and includes a new cookie in the response.

c. On the toolbar, click the Refresh button to refresh the content of the

Web page.

The second Internet Explorer session uses a different cookie.

d. On the Start menu, click All Programs, and then click

Internet Explorer again.

A third Internet Explorer window opens.

e. In Internet Explorer, in the Address box, type

http://www.contoso.com/shop/web.asp, and then press Enter.

ISA Server load balances the third session to Web server 10.1.1.21 (Server1) again.

    Perform the following steps on the Denver computer.

    8. On the Denver computer,

    stop the Server1 Web Site to

    simulate a connectivity problemwith the Web server on 10.1.1.21.

    a. On the Denver computer, on the Start menu, click

    Administrative Tools, and then click

    Internet Information Services (IIS) Manager.

    The IIS Manager console opens.

    b. In the IIS Manager console, expand DENVER (local computer),

    expand Web Sites, and then select Server1 Web Site.

c. Right-click Server1 Web Site, and then click Properties.

Notice that Server1 Web Site is listening on IP address 10.1.1.21.

d. Click Cancel to close the Server1 Web Site Properties dialog box.

e. Right-click Server1 Web Site, and then click Stop.

    The Web site at 10.1.1.21 is no longer responding to Web requests.


    Perform the following steps on the Istanbul computer.

    9. On the Istanbul computer,

    attempt to refresh the content of

    the Web pages that were from

    10.1.1.21 (Server1).

    a. On the Istanbul computer, switch to one of the Internet Explorer

    windows that currently displays the web.asp page from 10.1.1.21 (Server1).

    b. On the toolbar, click the Refresh button to refresh the content of the

    Web page.

Internet Explorer displays an error message: Bad request (invalid

hostname).

c. Wait 20 seconds, and then on the toolbar, click the Refresh button

again.

Internet Explorer displays the web.asp page from 10.1.1.22 (Server2). ISA Server has forwarded the Web request to the remaining Web

server in the farm.

Note: Because ISA Server checks the connectivity to the 10.1.1.21 Web server every 30 seconds, and then waits up to another 5 seconds for the response to time out, on average it takes 15+5 seconds after the Web server is no longer available before ISA Server forwards all Web requests to the other Web server. Due to the way http.sys works on the Denver computer, it still returned a response (Bad request) when connecting to 10.1.1.21: with the Server1 Web Site stopped, http.sys has no site bound to that address, so it answers with HTTP 400 instead of refusing the connection. That answer is not a 200, so the connectivity verifier still treats the server as unavailable.

d. Switch to the other Internet Explorer window that displays the web.asp

page from 10.1.1.21 (Server1).

e. On the toolbar, click the Refresh button.

Internet Explorer immediately displays the web.asp page from 10.1.1.22 (Server2).

    Perform the following steps on the Paris computer.

    10. On the Paris computer,

    examine the connectivity verifier

    and the alert for the connection to

    10.1.1.21.

    a. On the Paris computer, in the ISA Server console, in the left pane, select

    Monitoring.

    b. In the right pane, select the Connectivity Verifiers tab.

Notice that the icon for the connectivity verifier to 10.1.1.21 contains a red mark, indicating a connectivity issue.

c. In the right pane, select the Alerts tab.

d. In the task pane, on the Tasks tab, click Refresh Now.

e. In the right pane, expand the No Connectivity alert, and then select the

lower No Connectivity line.

The alert information describes that the connection to 10.1.1.21 failed.

f. Right-click the lower No Connectivity line, and then click Reset.

g. Click Yes to confirm that you want to reset the No Connectivity alert.

    Perform the following steps on the Denver computer.

    11. On the Denver computer,

    start the Server1 Web Site.

    a. On the Denver computer, in the IIS Manager console, right-click

Server1 Web Site, and then click Start.

    The Web site at 10.1.1.21 is available again.

    Perform the following steps on the Istanbul computer.

    12. On the Istanbul computer,

    refresh the Web page from

    10.1.1.22, and create a new

    connection to

    http://www.contoso.com/

    shop/web.asp.

    a. On the Istanbul computer, switch to any of the Internet Explorer

    windows that currently displays the web.asp page from 10.1.1.22 (Server2).

    b. On the toolbar, click the Refresh button to refresh the content of the

    Web page.

ISA Server continues to forward the Web requests to 10.1.1.22 (Server2), even though 10.1.1.21 is available again. All current sessions already use a cookie that contains the GUID of Server2, and will stay on this


    with the Web server on 10.1.1.22. The Web site at 10.1.1.22 is no longer responding to Web requests.

    Perform the following steps on the Istanbul computer.

    17. On the Istanbul computer,

    attempt to refresh the content of

    the Web page that was from

    10.1.1.22 (Server2).

    a. On the Istanbul computer, switch to one of the Internet Explorer

    windows that currently displays the web.asp page from 10.1.1.22 (Server2).

    b. On the toolbar, click the Refresh button to refresh the content of the

    Web page.

Internet Explorer displays an error message: Bad request (invalid hostname).

c. Wait 20 seconds, and then on the toolbar, click the Refresh button

again.

Internet Explorer displays the web.asp page from 10.1.1.21 (Server1). ISA Server has forwarded the Web request to the remaining Web

server in the farm.

    Perform the following steps on the Denver computer.

    18. On the Denver computer,

    start the Server2 Web Site.

    a. On the Denver computer, in the IIS Manager console, right-click

Server2 Web Site, and then click Start.

    The Web site at 10.1.1.22 is available again.

    b. Close the IIS Manager console.

    Perform the following steps on the Istanbul computer.

    19. On the Istanbul computer,

    attempt to refresh the content of

    the Web page that was from

    10.1.1.21 (Server1).

    a. On the Istanbul computer, switch to the Internet Explorer window that

    currently displays the web.asp page from 10.1.1.21 (Server1).

    b. On the toolbar, click the Refresh button to refresh the content of the

    Web page.

    ISA Server may still forward the Web request to 10.1.1.21.

After an average of 20 seconds, the connectivity verifier on ISA Server detects that Web server 10.1.1.22 is available again.

c. Wait 20 seconds, and then on the toolbar, click the Refresh button

again.

Internet Explorer displays the web.asp page from 10.1.1.22 (Server2).

Note: With cookie-based load balancing, ISA Server continues to forward requests to the same Web server after the original Web server is available again (called client stickiness). With source-IP based load balancing, ISA Server falls back to forwarding Web requests to the original Web server. There is no client stickiness.

    d. Close all Internet Explorer windows.
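The two load-balancing methods explained on the Specify Server Farm page in task 3, the connectivity verifier rule from task 5 (HTTP 200 within 5 seconds, probed every 30 seconds) and the stickiness difference in the note above, modelled in one added example that is not code from the lab manual or from ISA Server. The farm addresses, the ISAWPLB cookie name and the timings come from the lab; the cookie format, the hash function and the class and function names are assumptions.

```python
"""Added example, not code from the lab manual or from ISA Server: a model of
the two Web-farm load-balancing modes (cookie-based and source-IP based) and of
how the connectivity verifier's result drives failover and fallback. The farm
addresses, the ISAWPLB cookie name, the 30-second probe interval and the
5-second timeout come from the lab text; the cookie format, the hash function
and the class/function names are assumptions for illustration only."""
import hashlib
import uuid
from itertools import cycle

PROBE_INTERVAL = 30   # seconds between GET http://<server>/ probes
PROBE_TIMEOUT = 5     # the server must answer within this many seconds


def probe_is_healthy(status, elapsed):
    """Connectivity verifier rule from the lab: HTTP 200 within 5 seconds.
    An http.sys 400 'Bad request (invalid hostname)' for a stopped site is a
    fast answer, but not a 200, so it marks the server down."""
    return status == 200 and elapsed <= PROBE_TIMEOUT


def seconds_until_marked_down(fail_at, last_probe_at=0.0):
    """Delay between a failure at `fail_at` and the verifier declaring the
    server down: the next scheduled probe after the failure, plus the timeout.
    Averaged over a uniform failure time this is 30/2 + 5 = 20 seconds."""
    since_probe = (fail_at - last_probe_at) % PROBE_INTERVAL
    return PROBE_INTERVAL - since_probe + PROBE_TIMEOUT


class WebFarm:
    """Tracks per-server health and routes requests like the Sales Web Site rule."""

    def __init__(self, servers, mode="cookie"):
        if mode not in ("cookie", "source-ip"):
            raise ValueError("mode must be 'cookie' or 'source-ip'")
        self.servers = list(servers)
        self.mode = mode
        self.healthy = {s: True for s in self.servers}
        self._rr = cycle(self.servers)       # round-robin position for new sessions
        self._guid_to_server = {}            # GUID carried in ISAWPLB -> server

    def record_probe(self, server, status, elapsed):
        self.healthy[server] = probe_is_healthy(status, elapsed)

    def _available(self):
        avail = [s for s in self.servers if self.healthy[s]]
        if not avail:
            raise RuntimeError("no server in the farm is available")
        return avail

    def _next_round_robin(self):
        avail = self._available()
        while True:
            s = next(self._rr)
            if s in avail:
                return s

    def route(self, client_ip, cookies=None):
        """Return (server, set_cookie_value_or_None) for one request."""
        cookies = cookies or {}
        avail = self._available()
        if self.mode == "source-ip":
            # Hash of the client address over the servers that are up. When a
            # server is down its clients move; when it returns the hash selects
            # it again, which is the 'no stickiness' fallback the lab shows.
            h = int(hashlib.sha256(client_ip.encode()).hexdigest(), 16)
            return avail[h % len(avail)], None
        target = self._guid_to_server.get(cookies.get("ISAWPLB"))
        if target is not None and self.healthy[target]:
            return target, None              # affinity: stay with the cookie's server
        # No cookie, unknown GUID, or the cookie's server is down: pick the next
        # server round-robin and issue a new session cookie. The client now
        # sticks to the new server even after the old one recovers.
        target = self._next_round_robin()
        guid = str(uuid.uuid4()).upper()
        self._guid_to_server[guid] = target
        return target, f"ISAWPLB={guid}; path=/"


if __name__ == "__main__":
    farm = WebFarm(["10.1.1.21", "10.1.1.22"])
    server, cookie = farm.route("192.0.2.7")
    print("first session ->", server, "|", cookie)
    farm.record_probe("10.1.1.21", 400, 0.1)     # Server1 Web Site stopped
    print("after failover ->", farm.route("192.0.2.7", {"ISAWPLB": cookie.split(";")[0][8:]}))
```

The model makes the operational difference visible: in cookie mode a client whose server failed is re-issued a cookie for the surviving server and keeps it after the original returns, while in source-IP mode the hash moves the client back as soon as the verifier reports the original server healthy.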

    Note: The following tasks are needed to avoid conflicts with other lab exercises.

    Perform the following steps on the Paris computer.

    20. On the Paris computer,

    delete the Sales Web Site rule, and

    delete the Shop Web Servers

    farm.

    a. On the Paris computer, in the ISA Server console, in the left pane, select

    Firewall Policy.

    b. In the right pane, right-click the Sales Web Site rule, and then click

    Delete.

c. Click Yes to confirm that you want to delete Sales Web Site.

    The Sales Web Site rule is deleted.

    d. In the task pane, on the Toolbox tab, in the Network Objects section,

    expand Server Farms.

e. Under Server Farms, right-click Shop Web Servers, and then click


    Delete.

f. Click Yes to confirm that you want to delete Shop Web Servers.

The Shop Web Servers farm and the two related connectivity verifiers are deleted.

21. Apply the changes. a. Click Apply to apply the changes, and then click OK.


Exercise 4 Configuring ISA Server 2006 for Flood Resiliency

In this exercise, you will configure ISA Server to block a large number of TCP connections from the same IP address.

    Note: This exercise applies to new functionality in ISA Server 2006.

    Tasks Detailed steps

    Note: This lab exercise uses the following computers: Denver - Paris - Istanbul

    Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.

    Perform the following steps on the Paris computer.

    1. On the Paris computer,

    examine the flood mitigation

    settings.

a. On the Paris computer, on the Start menu, click All Programs, click

Microsoft ISA Server, and then click ISA Server Management.

    The ISA Server console opens.

    b. In the ISA Server console, in the left pane, expand Paris, expand

    Configuration, and then select General.

c. In the right pane, under Additional Security Policy, click

Configure Flood Mitigation Settings.

ISA Server 2006 can help stop connection flooding from three kinds of attack:

Worm propagation - A computer on the internal network starts sending out network packets to many different IP addresses on the Internet.

TCP denial-of-service attack - An attacker sends out TCP packets in order to use up all the resources at the firewall, or at a server behind the firewall.

HTTP denial-of-service attack - A computer on the internal network sends a very large number of HTTP requests over the same connection.

In all these cases, the Firewall Engine component of ISA Server limits the number of connections, connection requests, and half-open connections per minute, or per rule, from a particular IP address.

d. In the Flood Mitigation dialog box, on the Flood Mitigation tab, click

the second Edit button.

As an example of a limit, ISA Server allows a maximum of 160 concurrent TCP connections from the same IP address. There is also a custom limit (400) that applies to a set of exception IP addresses.

e. Click Cancel to close the Flood Mitigation Settings dialog box.

f. In the Flood Mitigation dialog box, select the IP Exceptions tab.

You can specify the IP addresses of computers to which the custom limit applies. Keep this list to hosts that legitimately need more than 160 connections (for example, a downstream proxy or NAT device that aggregates many clients), because an excepted address can open 400 connections before it is blocked.

    2. Disable the logging of

    network traffic blocked by flood

    mitigation settings.

    a. In the Flood Mitigation dialog box, select the Flood Mitigation tab.

b. Clear the Log traffic blocked by flood mitigation settings check box.

To avoid overwhelming the log file with identical block entries after the flood mitigation settings have blocked an attack, you can disable the logging of those blocked network connections. The alert that identifies the offending IP address is still raised (see task 9); only the per-connection log entries are suppressed.

c. Click OK to close the Flood Mitigation dialog box.

    3. Create a new access rule. a. In the left pane, select Firewall Policy.


    Name: Allow Web access (Flood)

    Applies to: HTTP

    From network: Internal

    To network: External

    b. In the right pane, select the first rule, or select Default rule if no other

    rule exists, to indicate where the new rule is added to the rule list.

c. In the task pane, on the Tasks tab, click Create Access Rule.

d. In the New Access Rule Wizard dialog box, in the Access rule name

text box, type Allow Web access (Flood), and then click Next.

e. On the Rule Action page, select Allow, and then click Next.

f. On the Protocols page, in the This rule applies to list box, select

Selected protocols, and then click Add.

g. In the Add Protocols dialog box,

click Common Protocols, click HTTP, click Add,

and then click Close to close the Add Protocols dialog box.

h. On the Protocols page, click Next.

i. On the Access Rule Sources page, click Add.

j. In the Add Network Entities dialog box,

click Networks, click Internal, click Add,

and then click Close to close the Add Network Entities dialog box.

k. On the Access Rule Sources page, click Next.

l. On the Access Rule Destinations page, click Add.

m. In the Add Network Entities dialog box,

click Networks, click External, click Add, and then click Close to close the Add Network Entities dialog box.

n. On the Access Rule Destinations page, click Next.

o. On the User Sets page, click Next.

p. On the Completing the New Access Rule Wizard page, click Finish.

    A new firewall policy rule is created that allows the HTTP protocolfrom the Internal network to the External network.

    4. Apply the changes. a. ClickApply to apply the changes, and then clickOK.

    Perform the following steps on the Denver computer.

    5. On the Denver computer,

configure Internet Explorer not to use a proxy server.

    a. On the Denver computer, open Internet Explorer.

b. In Internet Explorer, on the Tools menu, click Internet Options.

c. In the Internet Options dialog box, on the Connections tab, click

LAN Settings.

d. In the Local Area Network (LAN) Settings dialog box, clear the

Use a proxy server for your LAN check box, and then click OK.

When Internet Explorer is configured to use a proxy server, all of its HTTP requests go to the Web Proxy listener on the ISA Server (TCP port 8080) and reuse the same connection, so they count as a single TCP connection for flood mitigation. In this exercise, you use two Internet Explorer windows, which

should count as two separate connections.

e. Click OK to close the Internet Options dialog box.

    6. Use Internet Explorer to

    connect to http://

    istanbul.fabrikam.com/

    web.asp

    a. In Internet Explorer, in the Address bar, type

    http://istanbul.fabrikam.com/web.asp, and then press Enter.

Internet Explorer displays the content of the web.asp page from Istanbul. This is a single TCP connection from the Denver computer.

    b. Do not close Internet Explorer.

    7. Use the

    C:\Tools\tcpflooder.vbs tool to

    create 200 concurrent TCP

    connections.

    a. Use Windows Explorer (or My Computer) to open the C:\Tools folder.

The Tools folder contains a script named tcpflooder.vbs, which attempts to set up 200 connections to IP addresses 42.1.0.0 through 42.1.19.9.

Note: By default, ISA Server allows a maximum of 160 concurrent TCP connections from the same IP address.

b. Right-click tcpflooder.vbs, and then click Open.

c. Click Yes to confirm that you want to start TCP Flooder.


Please wait 10 seconds while TCP Flooder attempts to set up the 200 TCP connections.

Note: The IP addresses on the 42.1.0.0 network do not exist in the lab environment, but Denver will set up a maximum of 160 TCP connections with ISA Server. ISA Server blocks the remaining 40 TCP connections.

d. Press OK to acknowledge that 200 TCP connections are created.

    e. Close the Tools folder.

    8. In Internet Explorer, refreshthe existing Web page, and attempt

    to create a second connection to

    http://

    istanbul.fabrikam.com/

    web.asp

a. In the Internet Explorer window, on the toolbar, click the Refresh button.

If the Internet Explorer connection has not timed out yet, the Server time on the Web page changes. That is an indication that the page refreshed successfully.

Even though ISA Server has blocked new connections from Denver (10.1.1.5), existing connections, such as the one in the Internet Explorer window, can still be used.

    b. On the Start menu, clickAll Programs, and then click

    Internet Explorer.

    A second Internet Explorer window opens.

    c. In Internet Explorer, in the Address box, type

    http://istanbul.fabrikam.com/web.asp, and then press Enter.

ISA Server blocks new connections from 10.1.1.5. After a few moments, Internet Explorer displays an error page to indicate that it cannot display the page.

    d. Close the Internet Explorer windows.

Note: ISA Server blocks traffic based on the flood mitigation settings for 60 seconds. To avoid the situation where an attacker uses a large number of network packets with a spoofed sender IP address to intentionally block another computer, ISA Server first completes a TCP three-way handshake to verify that the sender IP address is not spoofed: only connections whose handshake completed count towards the limit.

    Perform the following steps on the Paris computer.

    9. On the Paris computer, examine the flooding alert.

    a. On the Paris computer, in the ISA Server console, in the left pane, select Monitoring.

    b. In the right pane, select the Alerts tab.

    c. In the task pane, on the Tasks tab, click Refresh Now.

    d. In the alert list, expand the Concurrent TCP Connections from One IP Address Limit Exceeded alert, and then select the alert line below that.

    Notice in the Alert Information description that ISA Server identifies which IP address (10.1.1.5) exceeded the configured limit of concurrent TCP connections. This information allows you to further investigate the cause of the high number of connection attempts.

    10. Configure the log viewer filter conditions:

    Log Time: Last Hour
    Client IP: Equals 10.1.1.5
    Destination IP: Greater or Equal 42.1.0.0

    a. In the right pane, select the Logging tab.

    Note: You may (temporarily) need to close the task pane in order to see the Logging tab.

    b. In the task pane, on the Tasks tab, click Edit Filter.

    c. In the Edit Filter dialog box, in the conditions list, select the Log Time - Live condition.

    d. In the Condition drop-down list box, select Last Hour, and then click Update.

    The condition is changed to Log Time - Last Hour.

    e. Complete the following information:

    Filter by: Client IP

    Condition: Equals

    Value: 10.1.1.5


    and then click Add To List.

    f. Complete the following information:

    Filter by: Destination IP

    Condition: Greater or Equal

    Value: 42.1.0.0

    and then click Add To List.

    g. Click Start Query to close the Edit Filter dialog box.

    After a few moments, the log viewer displays all log entries from 10.1.1.5 to the 42.1.0.0 network from the last hour. The most recent log entry is listed first.

    h. Scroll to the top of the list of log entries.

    Notice that the most recent log entry is for the connection to an IP address close to 42.1.15.9. That corresponds to exactly 160 concurrent TCP connections. The last IP address may be a little lower, if ISA Server already had existing connections from Denver, or may be a little higher if ISA Server had already closed a few TCP connections.

    To avoid overwhelming the log file with identical block entries, you configured Flood Mitigation to not log traffic that is blocked by the flood mitigation settings (all connections to IP addresses from approximately 42.1.16.0 through 42.1.19.9).
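    The observations in steps 8 through 10 (160 connections logged, the rest refused, the existing Internet Explorer connection still usable, and an alert naming 10.1.1.5) all follow from the per-IP limit and the 60-second block. The Python model below, added to this manual and not ISA Server code, replays that scenario; the block duration, the one pre-existing connection that occupies one of the 160 slots, the "do not log blocked traffic" switch, and the timestamps are assumptions taken from the lab text, and the target list is constructed to match tcpflooder.vbs.

```python
from collections import defaultdict
CONN_LIMIT = 160      # ISA Server 2006 default limit on concurrent TCP connections per IP
BLOCK_SECONDS = 60    # length of the flood-mitigation block the lab describes

def flood_targets():
    """Constructed target list mirroring tcpflooder.vbs: 42.1.0.0 .. 42.1.19.9 (200 hosts)."""
    return [f"42.1.{x}.{y}" for x in range(20) for y in range(10)]

class FloodMitigation:
    def __init__(self, limit=CONN_LIMIT, log_blocked=False):
        self.limit, self.log_blocked = limit, log_blocked
        self.open = defaultdict(set)   # source IP -> destinations with an open connection
        self.blocked_until = {}        # source IP -> time at which its block expires
        self.log = []                  # chronological (time, src, dst, action) entries
        self.alerts = []               # (time, src, open count) raised when the limit is hit

    def connect(self, now, src, dst):
        """Attempt a new connection: True if allowed, False if flood mitigation refused it."""
        blocked = now < self.blocked_until.get(src, 0.0)
        if not blocked and len(self.open[src]) >= self.limit:
            # limit exceeded: raise the alert once and refuse new connections for 60 s
            self.alerts.append((now, src, len(self.open[src])))
            self.blocked_until[src] = now + BLOCK_SECONDS
            blocked = True
        if blocked:
            if self.log_blocked:       # the lab turned this off to keep the log readable
                self.log.append((now, src, dst, "blocked"))
            return False
        self.open[src].add(dst)        # connections opened before a block stay usable
        self.log.append((now, src, dst, "allowed"))
        return True

    def close(self, src, dst):
        self.open[src].discard(dst)

    def query_log(self, src, dst_prefix):
        """The lab's filter: Client IP equals src, Destination IP on dst_prefix; newest first."""
        return [r for r in self.log if r[1] == src and r[2].startswith(dst_prefix)][::-1]

def run_lab_scenario():
    fm, src = FloodMitigation(), "10.1.1.5"                  # Denver, as in the lab
    fm.connect(0.0, src, "istanbul.fabrikam.com")            # step 7: the first web.asp connection
    allowed = [d for d in flood_targets() if fm.connect(1.0, src, d)]
    existing_ok = "istanbul.fabrikam.com" in fm.open[src]     # step 8a: refresh still works
    second = fm.connect(10.0, src, "istanbul.fabrikam.com#2")  # step 8c: new connection refused
    for d in allowed:               # the flood targets do not exist, so those connections time out
        fm.close(src, d)
    later = fm.connect(70.0, src, "istanbul.fabrikam.com#3")   # block expired: accepted again
    return {"flood_allowed": len(allowed), "newest_logged_dst": fm.query_log(src, "42.1.")[0][2],
            "existing_ok": existing_ok, "second_blocked": not second,
            "allowed_after_block": later, "alerts": fm.alerts}
```

    Because the existing Internet Explorer connection already occupies one slot, the model logs 159 flood connections and its newest entry is 42.1.15.8, one address lower than 42.1.15.9, which is the "a little lower" case the lab text describes.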

    Note: The following tasks are needed to avoid conflicts with other lab exercises.

    11. Restore the log viewer filter conditions:

    Log Time: Live
    Client IP: (remove)
    Destination IP: (remove)

    a. In the task pane, on the Tasks tab, click Edit Filter.

    b. In the Edit Filter dialog box, in the conditions list, select Log Time - Last Hour.

    c. In the Condition drop-down list box, select Live, and then click Update.

    The condition is changed to Log Time - Live.

    d. In the conditions list, select the Destination IP condition, and then click Remove.

    e. In the conditions list, select the Client IP condition, and then click Remove.

    f. Click Start Query to close the dialog box.

    g. In the task pane, on the Tasks tab, click Stop Query.

    Perform the following steps on the Denver computer.

    12. On the Denver computer, configure Internet Explorer to use a proxy server.

    a. On the Denver computer, open Internet Explorer.

    b. In Internet Explorer, on the Tools menu, click Internet Options.

    c. In the Internet Options dialog box, on the Connections tab, click LAN Settings.

    d. In the Local Area Network (LAN) Settings dialog box, complete the following information:

    Use a proxy server for your LAN: enable
    Address: 10.1.1.1 Port: 8080
    Bypass proxy server for local address: enable

    and then click OK to close the Local Area Network (LAN) Settings dialog box.

    e. Click OK to close the Internet Options dialog box.

    f. Close Internet Explorer.