Microsoft’s ISA Server Enterprise exam tests your knowledge of security, policy-setting and troubleshooting—and your ability to read carefully.
ISA Server is aimed at adding security to a network environment
that has a presence on the Internet. ISA stands for Internet
Security and Acceleration, and it’s the direct descendent
of Proxy Server. You can install it in one of three modes:
cache, firewall or integrated. In cache mode, ISA Server
acts as a centralized point for Web access and keeps frequently
accessed Web content on its local hard drive, thus lowering
the amount of enterprise bandwidth expended on Internet
downloads. In firewall mode, ISA Server becomes a corporate
firewall, which allows configuration of packet filtering,
VPN access, and restriction of access to other Internet
protocols. Finally, integrated mode allows the best of
“If you have expert TCP/IP knowledge,
a good foundation in Windows 2000, and
know the details of how this product
works, you should be able to pass.”
Installing, Configuring, and Administering
Microsoft Internet Security and Acceleration
Server (ISA) 2000, Enterprise Edition
Live as of February 2001.
Who Should Take
It Elective credit for
What Class Prepares
2159: Deploying and Managing Microsoft
Internet Security and Acceleration Server
2000. Two days.
In this article I’ll discuss strategies for getting through
the ISA Server exam. Remember that this test covers ISA
Server 2000, Enterprise Edition.
Building a Fire(wall)
Our first task in the exploration of ISA Server is its
preconfiguration and installation. Before we can install
ISA Server, we have to ensure that we can connect to the
Internet. The recipe for a successful installation is
as follows: a dash of network card installation, a pinch
of DNS troubleshooting, and a sprinkle of verifying connectivity
on a TCP/IP subnet. Sound easy enough? It gets harder.
In addition to the basic preconfiguration tasks, you
need to know the installation of ISA Server inside and
out. Know how and when to install ISA Server in each of
the supported modes. For example, you have to run the
ISA Enterprise Initialization Tool before ISA Server can
be installed in an array. The Enterprise Initialization
Tool modifies the Windows 2000 Active Directory schema
to support objects that ISA Server requires to have a
Tip: Make sure you know
how to back up your Proxy Server 2.0 configuration, including
using MMC to do this.
Also know how to configure and troubleshoot Local Address
Table (LAT) problems. Simply put, the LAT is the range
of IP addresses that make up your internal network. Make
sure you don’t accidentally put an external address in
your LAT. It could spell disaster!
Crafty Configuration and Thorough
Once ISA Server is installed, you have to know how to
configure and troubleshoot it. Think you can puzzle out
most problems? Don’t get overconfident—in life or the
testing center. Read each question carefully and make
sure you understand exactly what you’re being asked.
Make sure you understand how to configure ISA Server
to keep the bad guys out and the good guys in. Once you
have a firewall set up, how do you allow Web traffic through
securely? Easy enough: You configure Web publishing. ISA
Server supports Web publishing and server proxy, which
directs Web requests to another machine. You can even
configure ISA Server to forward SSL requests and maintain
the integrity of the encryption. By the way, you should
know how to configure all of this.
Once you have your Web servers working, how do you get
your custom Web application going—especially since it’s
behind the firewall and uses several ports? Well, folks,
ISA Server has the answer to this one, too. The solution
is called server publishing. You can set up ISA Server
to allow applications to function that use multiple ports
and offer services on a machine inside the firewall, but
still have the protection of the external ISA Server.
Tip: Read Anil Desai’s article,
and Secure: The VPN Solution,” in the April issue
to get a quick familiarity with VPN installation.
While you’re at it, make sure you understand virtual
private networks (VPNs) and how to configure them. If
you’re a Win2K network infrastructure whiz, you’re bound
to do well here. Know how to configure ISA Server to allow
VPN traffic through. Make sure you also know what needs
to be set up within ISA Server’s configuration utility
and what needs to be set up through the Routing and Remote
Access Server console.
Also become familiar with configuring H.323 gatekeeper
rules. In case you’re not familiar with the technology,
H.323 is used for audio and video conferencing. In this
case, we’re talking about NetMeeting. Know about the types
of DNS records you need and how to configure destinations.
Tip: Make sure that you
use the external IP address of the ISA Server machine
in DNS for any services you advertise on the Internet.
Last, be certain you have a passing familiarity with
redundancy services like Network Load Balancing (NLB)
and how it helps an ISA Server array. Visit Microsoft’s
Web site and download the white paper, “Network Load Balancing
Technical Overview,” on how to configure NLB on Windows
2000 Advanced Server.
Dealing with ISA Server policies is probably one of the
most common tasks you’ll have as an administrator. You’ll
have to perform many tasks efficiently and accurately
in order to create a secure network environment.
Know how to configure packet filtering. Know common ports
for common services like SMTP, HTTP, POP3, and LDAP, and
understand how to troubleshoot common access problems
with them. You should be familiar with how to do this
in a variety of environments. For example, know how to
deal with packet filtering configuration in a network
with a single ISA Server, as well as a screened subnet
or a DMZ (demilitarized zone). A DMZ is a subnet on the
network between two ISA Server machines that usually contains
Web servers and e-mail servers.
Along the same lines, you need to be able to troubleshoot
problems that users have while trying to access resources.
Be ready to determine whether the problem is client-side
When it comes to learning ISA Server, spend time on configuring
policies. It’s a major part of understanding the product.
Policies consist of different kinds of rules. First come
site and content rules. These allow you to restrict what
sites and addresses the user can access. Second are protocol
rules, which allow you to set which protocols can be used.
As a side note, be able to configure custom protocols
as well. If only things were as easy as accepting the
default settings! Bandwidth rules allow you to set priorities
for traffic, thus allowing you to restrict what kinds
of traffic can enter and exit ISA Server.
Other items in a policy make your life a little bit easier,
such as a schedule. A schedule does exactly what you’d
expect it to do: set a time period in which a policy is
effective. Two similar items, destination sets and client
address sets, allow you to group resources together, so
you don’t have to list hundreds of items in each policy
over and over. You can create a set of clients or destinations
and refer to them in each policy.
Tip: You can’t add items
to a policy lower than the enterprise level if the enterprise
policy doesn’t already have what you want. So it’s in
your best interests to define policies liberally at the
enterprise level and restrict at the lower levels.
Finally, you need to be able to configure policies on
an enterprise basis. If you have an array of ISA Servers,
you need to be able to write an enterprise policy and
apply the policy to the array. Make sure you understand
how an enterprise policy works and how it relates to policies
that are applied at the array level and local level.
Another important aspect of administration is the configuration
of clients to use the services provided by ISA Server.
For example, if you’re using ISA Server as a firewall,
you need to install the Firewall Client on the client
machine. Know the operating systems on which the Firewall
Client can be installed. Make sure you understand the
limitations of the Firewall Client as well.
Also know how to configure clients to use ISA Server
as a proxy server. Spend time learning how an ISA Server
client can auto-detect an ISA Server in firewall or integrated
Tip: Make sure you understand
what Unix clients can and can’t do. Think about what software
can be installed on a Unix machine vs. a Windows machine.
Be certain you can distinguish what role the client plays
at any given time with the given resources. For example,
a client can access Web content through the firewall client
or the proxy server configuration in the browser. Understand
the ramifications of each.
Monitoring and Maintenance
Now that you have ISA Server installed and configured,
you should be able to monitor and optimize the environment
to enhance performance. Can you enable intrusion detection
and take corrective action when security is breached?
Can you gauge when you have too much security in place?
For example, you need to know what security holes you
may have to allow in order to have streaming audio and
media present in your network.
Alerts allow you to automate the sending of a notification
when a problem arises. Know how to configure ISA Server
to send an e-mail message if this occurs. Also be familiar
with ISA logging and how to make the log files write to
an ODBC data source, particularly Microsoft SQL Server.
It’s useful when working with ISA Server to remember
the tried and true command-line utilities like PING, NSLOOKUP
and NETSTAT. You should be able to view incoming connections
and understand how to stop them if necessary. Also learn
how to use telnet to access a specific port to ensure
it’s functioning properly. Know how to fix protocols when
they’re not responding as well.
Tip: Study intrusion detection
and all of its settings very well.
Of course, keeping the boss informed about corporate
security and proxy server use is also important. ISA Server
comes with some canned reports, which means you won’t
have to explain esoteric technical concepts. They provide
a simple graphical view of what’s occurring at the specified
time. Learn how to run reports and export them.
Finally, make sure you understand general tuning practices
of the Win2K Server family. Be able to spot when to add
memory, a new hard drive, a faster hard drive, or an additional
processor to a Win2K server that has ISA Server installed.
Spend Time with ISA Server
Before tackling the test, I’d recommend installing ISA
Server several times and see what it can do. Configure
policies, set up packet filtering and install clients.
Work with the configuration of the caching functionality,
as easy as it is. As always, experience is the best teacher.