Publishing Internal Resources

Publishing internal resources follows largely the same process as creating an access rule. It is a wizard-driven process, but the focus of a publishing rule is allowing access to protected resources, as opposed to access rules (which allow access from protected resources). Regardless of which type of publishing rule you need to create, the process is fairly similar. The first step is to right-click the firewall policy and select to create a new publishing rule (for example, a web publishing rule) and follow the wizard. At the Welcome screen, enter the appropriate rule name and click Next. At the Select Rule Action screen, specify whether traffic that matches the rule should be permitted or denied and click Next.

Figure 8-11 shows the Define Website to Publish screen. This is where you specify the information for the internal server that is hosting the website. Enter the appropriate information and click Next. For example, if you use host headers to allow multiple websites to exist on the same physical server, you will want to check the box to Forward the original host header instead of the actual one (specified above). This causes the ISA server to keep the original host header information instead of routing all web requests to the default website on the internal web server. One of the nice features of the web publishing rule is the ability to specify individual folders on the website that the rule will apply to. When you have finished, click Next.

Figure 8-11. Define Website to Publish Screen
At the Public Name Details screen, you enter the name by which the website will be known to the public (for example, www.cisco.com). You can also define the public path that the Microsoft ISA Server 2004 server will advertise. Figure 8-12 illustrates this screen.

Figure 8-12. Public Name Details Screen
When you have finished, click Next. Doing so brings you to the Select Web Listener screen. The web listener allows you to define the external IP address and port number on which the firewall will listen for requests for this rule. If you do not already have a listener defined, you can click New to launch the New Web Listener Definition Wizard. Doing so enables you to define the interfaces and IP addresses as well as the port numbers that the rule will use. You can also define the internal path that the web request will be directed to on the internal web server. In most cases, the internal and external paths will match; if you want the external path to redirect to a different internal path, however, you can specify different settings. For example, if you want http://www.cisco.com/sales.htm to redirect on the internal web server to http://www.cisco.com, you specify an external path of http://www.cisco.com/sales.htm and an internal path of /*. After you have defined the listener, just select it from the Web Listener drop-down dialog box, as shown in Figure 8-13, and click Next.

Figure 8-13. Select Web Listener Screen
At the User Sets screen, select the users to whom the rule will apply and click Next. Review the configuration and click Finish to create the rule. Once again, if you want to apply the rule to the firewall, you must then click Apply in the management console.

Performing Application Filtering

ISA Server 2004 contains a number of built-in application filters to provide application layer inspection of the corresponding traffic. Configuring the application filters is performed in various locations within the management console. For web filters, just right-click an HTTP or HTTPS rule and select Configure HTTP. By default, Microsoft ISA Server 2004 supports the following HTTP application-filtering options:

• Maximum header length (in bytes)
• Maximum payload length (in bytes)
• URL length and query length protection (in bytes)
• URL normalization and high bit character blocking
• Windows executable blocking
• User-defined HTTP method filtering (for example, denying POST methods)
• File extension filtering
• User-defined HTTP header content
• User-defined signature content filtering

For application filters, most can be managed from the add-ins screen, as shown in Figure 8-14.

Figure 8-14. Application Filters

A notable exception to this is the DNS filtering, which is configured under the General section of the management console by clicking Enable Intrusion Detection and DNS Attack Detection (by default, both intrusion detection and DNS attack detection are enabled).

Configuring System Policy Rules

Access rules and server publishing rules control the access to and from networks protected by the firewall. To control access to the firewall itself, system policy rules have been created. These rules do not show up by default when you view the firewall policy, but they can be enabled by selecting the firewall policy and then clicking Show System Policy Rules. Doing so causes all system policy rules to display in addition to any access and publishing rules, as shown in Figure 8-15.

Figure 8-15. Displaying the System Policy Rules
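To make the HTTP application-filtering options listed under Performing Application Filtering concrete, here is an added example (not ISA Server code and not its API) that models those checks as a policy object and runs a request through them, returning the checks it trips; the class and function names, thresholds, and the constructed sample requests are assumptions made for this illustration.

```python
from dataclasses import dataclass, field
from urllib.parse import unquote, urlsplit

# Illustrative model of the ISA Server 2004 HTTP filter options above.
# Names and default thresholds are assumptions for this example, not ISA's own.
@dataclass
class HttpFilterPolicy:
    max_header_bytes: int = 32768
    max_payload_bytes: int = 1_000_000
    max_url_bytes: int = 10240
    max_query_bytes: int = 10240
    block_high_bit: bool = True
    verify_normalization: bool = True
    block_executables: bool = True
    denied_methods: set = field(default_factory=lambda: {"POST"})
    blocked_extensions: set = field(default_factory=lambda: {".exe", ".dll"})

def inspect_request(method: str, url: str, headers: dict, body: bytes,
                    policy: HttpFilterPolicy) -> list:
    """Return the names of the checks a request violates; [] means allowed."""
    violations = []
    # ": " and CRLF account for the 4 extra bytes per header line.
    header_bytes = sum(len(k) + len(v) + 4 for k, v in headers.items())
    if header_bytes > policy.max_header_bytes:
        violations.append("header_length")
    if len(body) > policy.max_payload_bytes:
        violations.append("payload_length")
    parts = urlsplit(url)
    if len(url) > policy.max_url_bytes:
        violations.append("url_length")
    if len(parts.query) > policy.max_query_bytes:
        violations.append("query_length")
    if policy.block_high_bit and any(ord(c) > 127 for c in url):
        violations.append("high_bit_characters")
    # Normalization: a URL that still changes on a second decode was
    # double-encoded, so the path the web server sees differs from the
    # one the rule's folder restrictions were compared against.
    once = unquote(url)
    if policy.verify_normalization and unquote(once) != once:
        violations.append("url_not_normalized")
    # Windows executables (PE files) start with the "MZ" DOS header.
    if policy.block_executables and body[:2] == b"MZ":
        violations.append("windows_executable")
    if method.upper() in policy.denied_methods:
        violations.append(f"method_{method.upper()}")
    path = unquote(parts.path).lower()
    if any(path.endswith(ext) for ext in policy.blocked_extensions):
        violations.append("blocked_extension")
    return violations
```

A rule that denies matching traffic would drop the request when the returned list is non-empty; the list also gives the log entry a reason.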
You can add, change, and delete the system policy rules manually, or you can edit the system policy via a graphical user interface (GUI) by right-clicking the firewall policy and selecting Edit System Policy. Doing so launches the System Policy Editor screen, as shown in Figure 8-16.

Figure 8-16. System Policy Editor Screen

The System Policy Editor enables you to configure everything from which systems are allowed to remotely manage the firewall to how the firewall performs its authentication tasks.

Configuring Client Access Methods

As previously mentioned, Microsoft ISA Server 2004 supports three firewall clients: the SecureNAT client, the firewall client, and the web proxy client. The SecureNAT client really is not a client at all. Instead, any system that accesses the firewall via TCP/IP and is not one of the other client types is a SecureNAT client.