Setting Up ISA Network Security for the Enterprise Network

Upload: fc-loveit

Post on 16-Oct-2015


  • 5/26/2018 Thiet Lap an Toan Mang ISA Cho Mang Doanh Nghiep

    1/89

    BUILDING AN ENTERPRISE NETWORK SECURITY SYSTEM

    PART I: BUILDING A PROXY AND FIREWALL WITH ISA SERVER
    LESSON 1: OVERVIEW OF NETWORK SECURITY
    1.1. The concept of security
    1.2. Forms of network attack
    1.3. General methods for preventing attacks
    2.1. Introduction
    2.2. Installing ISA 2004
    3.1. Introduction
    3.2. Allowing client machines full access to ISA Server
    3.3. Allowing internal machines to access all services on External
    3.4. Allowing Local Host to access the Internet
    3.5. Allowing ISA Server to assign dynamic IP addresses to clients
    3.6. Allowing clients and Local Host to query DNS
    3.7. Allowing clients to use dedicated mail software (SMTP, POP3 or IMAP)
    3.8. Managing and monitoring Internet access in ISA 2004
    4.1. Introduction
    4.2. Web Server Publishing
    4.3. Mail Server Publishing
    LESSON 5: SAVING INTERNET BANDWIDTH WITH THE CACHE AND CONTENT DOWNLOAD JOB FEATURES
    5.1. The cache and how it works
    5.2. Configuring a Content Download Job
    LESSON 6: CONFIGURING THE PROXY SERVER FOR ISA SERVER
    6.1. Configuration
    6.2. Using ISA Firewall Client to configure the proxy automatically
    LESSON 7: BACKING UP AND RESTORING THE ISA SERVER CONFIGURATION
    7.1. Backup
    7.2. Restore
    PART II: DEPLOYING MULTI VPN

    PART I: BUILDING A PROXY AND FIREWALL WITH ISA SERVER

    LESSON 1: OVERVIEW OF NETWORK SECURITY

    Objectives:

    - Understand the importance of network security in the enterprise
    - Understand enterprise assets and the components related to security
    - Grasp the methods of network attack and how to defend against them

    1.1. The concept of security

    In the context of integration, network security and data protection are receiving a great deal of attention. Now that infrastructure and network technologies meet the requirements for bandwidth and quality of service, while attacks on networks keep increasing, security is given even more emphasis. Not only Internet service providers and government agencies but also businesses and organizations have become more aware of information security.

    Deploying an information system and building a tight, safe protection mechanism helps keep that enterprise's information system sustainable. We all understand that an enterprise's information is a priceless asset. Beyond the purely material, there are other values that cannot be measured, such as what happens to the enterprise's reputation with its customers if customer transaction information is stolen and then abused for various purposes. Hacker, attacker, virus, worm, phishing: these concepts are no longer unfamiliar, and they are a leading concern for every information system (PCs, enterprise networks, the Internet, etc.). For that reason, all of these systems need sufficiently strong tools, and people who know how to respond to the methods used to attack our networks. Who builds a firewall strong enough to resist every intrusion into the system? First of all, the safe-computing awareness of every employee in the organization; then the thorough knowledge of the organization's Security Admins; and finally the most effective tools available for this fight.

    The task of security and protection is therefore heavy and hard to predict. In essence, it has three main directions:

    - Securing the server side
    - Securing the client side
    - Securing information in transit

    1.2. Forms of network attack

    Direct attacks

    Direct attacks are normally used in the early stage to gain access to the internal network.

    A typical direct attack is the classic method of guessing a username and password pair by using information already known about the user to guess the password; this is a simple method that is easy to carry out. Hackers can also use a program that automates the guessing. Such a program can easily obtain information from the Internet to crack encrypted passwords, and it can combine words from a large dictionary according to rules defined by its user. In some cases the success rate of this method is fairly high; it can reach 30%.

    Eavesdropping on the network

    Information sent over a network usually passes from one computer through a series of other computers before it reaches its destination. This means that others can eavesdrop on our information. Worse, the eavesdroppers can replace our information with information they have created themselves and send it onward. Eavesdropping is usually carried out after the hackers have gained access to a system or control of the transmission path. Fortunately, we still have ways to protect our personal information on the network, by encrypting it before sending it over the Internet. That way, anyone who intercepts the information obtains only meaningless data.

    Address spoofing

    Address spoofing can be carried out by using the direct-routing capability. In this attack the attacker sends packets to another network with a forged address and at the same time specifies the path the packets must follow. For example, someone could forge your address to send information that harms you.

    Disabling system functions

    This is the kind of attack that paralyses a system and removes its ability to provide service (Denial of Service, DoS), preventing the system from performing the functions it was designed for. It is very hard to prevent, because the means used to mount the attack are the same means used to work and access information on the network. One possible case is a person on the network using a program that pushes request packets at some station. On receiving a packet, the station must always process it and keep accepting the packets that follow until its buffer is full, so that service requests from other machines to that station go unserved.

    What makes DoS attacks frightening is that they need only limited resources to bring the services of large, complex sites to a halt. This type of attack is therefore also called an asymmetric attack. For example, an attacker with just an ordinary PC and a slow modem can still stall powerful computers or networks with complex configurations. This was shown clearly by the attacks on US websites in early February 2000.

    Attacks on the human factor

    This is the most dangerous form of attack and can lead to losses that are very hard to foresee. The attacker may contact the system administrator to have some information changed in order to open the way for other methods of attack.

    In addition, the crux of network safety and security is the user. Users are the weakest point in the whole system, because their skills and their level of computer use and data protection are not high. They are the ones who make it possible for saboteurs to get into the system in many different ways, for example through email or by using programs of unknown origin that lack safety.

    No device can effectively stop this kind of attack; the only method is to instruct network users in the security requirements so that they are more vigilant. In general the human factor is a weak point in any protection system, and only guidance from the network administrator together with cooperation from the users can raise the security of the protection system.

    Other kinds of attack

    Besides the forms of attack described above, hackers also use other kinds, such as creating viruses that lie hidden in files, which users install on their own machines when they unknowingly exchange information over the network. There are also many other kinds of attack that we do not yet know about, devised by hackers.

    1.3. General methods for preventing attacks

    Preventing unauthorized access requires us to set out policy-planning requirements such as: determining who has the right to use the system's resources, how the resources the system provides will be used, and who has the right to enter the system. Give each person only enough rights to do their job. It is also necessary to define the rights and responsibilities of users together with the rights and obligations of the system administrator. Today, to manage information entering from outside or leaving from inside, people set up a firewall that blocks unauthorized access from outside, and the information servers are also separated from the internal site systems, which are places that do not require access from outside.

    The hacker attacks that cause the most damage are usually aimed at servers. Network operating systems, server software, CGI scripts and so on are all targets in which hackers exploit vulnerabilities to attack the server. Hackers can take advantage of those vulnerabilities on the server to break into web pages and change their content or, more sophisticated still, to break into the LAN and use the server to attack any computer on that LAN. Ensuring absolute security on the server side is therefore not a simple task. The first thing to do is to close the holes that can appear in the installation of the network operating system and in the configuration of server software and CGI scripts, and to manage the accounts of users who have access tightly.

    Protecting users' personal information as it travels over the network is also an issue that needs serious consideration. We cannot know whether the information we send over the network is being eavesdropped on or altered, or whether it is being used for other purposes. To ensure that information travels over the network safely, a security mechanism must be established. This can be done by encrypting data before sending it or by setting up secure communication channels. Security keeps the information protected and prevents others from abusing it. Today many different security methods are used on the Internet, such as symmetric and asymmetric encryption algorithms (public-key algorithms) to encrypt information before it is transmitted. Besides software solutions, however, hardware solutions are now also applied.

    A key factor in resisting unauthorized access is the human factor: we must constantly remind people to be conscientious when using shared resources and to avoid incidents that affect many others.

    Security work usually begins with settings made on the system itself, as well as company policy (Group Policy for deployment):

    - For accounts on the system:
      - Change passwords periodically and use complex passwords at least 6 characters long that must include complex characters.
      - Define the times at which users may log on to the system, and log them off when the permitted network-usage time ends.
      - Users may use only one particular fixed machine, and that machine must be joined to the Domain.
    - For storage: assign permissions sensibly and limit default permissions. Grant appropriate rights to each group of people responsible for interacting with the data. Make sure there is always a backup to restore from when an incident occurs. Physical safety: fire-protection measures, power failures. Data in transit must be kept safe, with no alteration or theft of information.
    - For the system:
      - Keep the system updated at all times, not only the operating systems but also user applications.
      - Use antivirus and anti-spyware programs sensibly and appropriately.
      - Deploy appropriate policies for monitoring, maintaining and upgrading the system.
      - Log events.

    These are some of the tasks that must be carried out to keep the system secure; they include the roles of the IPO: policy, administrator, user.

    Conclusion:

    The task of security and protection has three main directions:

    - Securing the server side
    - Securing the client side
    - Securing data and securing information in transit

    Forms of network attack:

    - Direct attacks
    - Eavesdropping on the network
    - Address spoofing
    - Disabling system functions
    - Attacks on the human factor

    General methods for preventing attacks:

    - Change passwords periodically.
    - Define the times at which users may log on to the system, and log them off when the permitted network-usage time ends.
    - Assign permissions sensibly and limit default permissions. Grant appropriate rights to each group of people responsible for interacting with the data.
    - Make sure there is always a backup to restore from when an incident occurs.
    - Keep the system updated at all times, not only the operating systems but also user applications.
    - Use antivirus and anti-spyware programs sensibly and appropriately.
    - Deploy appropriate policies for monitoring, maintaining and upgrading the system.

    LESSON 2: INTRODUCING AND INSTALLING ISA SERVER 2004

    Objectives:

    - Understand the ISA Server software
    - Know how to install ISA Server

    2.1. Introduction

    Among the firewall products that also perform NAT on the market today, Microsoft's ISA (Internet Connection Sharing) is popular because of its strong system protection and flexible management. ISA Server 2004 Firewall comes in two editions, Standard and Enterprise, for different environments.

    ISA Server 2004 Standard meets the protection and bandwidth-sharing needs (also called Internet Connection Sharing) of small and medium-sized businesses. With this edition we can build a firewall to control the data flows entering and leaving the enterprise's internal network, and control user access by protocol, time and content in order to block connections to websites with inappropriate content. We can also deploy Site-to-Site or Remote Access VPN to support remote access or data exchange between branch offices.

    For enterprises with important servers such as a Mail Server or Web Server that need to be tightly protected in a separate environment, ISA 2004 allows DMZ zones to be deployed (a term for a demilitarized zone: no attack from hackers and no defence by the network administrator), preventing direct interaction between people inside and outside the system. In addition to these information-security features, ISA 2004 has a cache that makes Internet connections faster, because web page data can be held ready in RAM or on the hard disk, saving a considerable amount of system bandwidth. That is why this firewall product is named Internet Security & Acceleration.

    ISA Server 2004 Enterprise is used in large network models and serves many access requests from users inside and outside the system. Besides the features already in ISA Server 2004 Standard, the Enterprise edition allows an array of ISA Servers to be set up that share one policy, which makes management easier and provides Load Balancing.

    In summary, ISA Server 2004 has these main functions:

    - Sharing an internet connection: sharing the bandwidth of the internet link.
    - Acting as a Firewall Server, monitoring and controlling data flows from outside into the internal network and vice versa.
    - Speeding up Web access with a cache on the server.
    - Supporting a VPN (virtual private network) with ISA Server as the VPN Server.
    - ISA Server 2004 Enterprise additionally has Load Balancing, which supports balancing load across 2 or more internet links.

    2.2. Installing ISA 2004

    Network models that use ISA Server:

    - ISA Server also acts as Domain Controller, File Server, Web Server and Mail Server.
    - ISA Server forms a firewall that separates the internet from the other servers on the network.

    Before installing ISA Server 2004

    Some terms used in ISA Server:

    - External network: the hosts that communicate with ISA Server through the internet-facing network card on the ISA machine
    - Internal network: the hosts on the internal network, which communicate with ISA Server through the internal network card
    - Local host: the ISA Server machine
    - Firewall: the system that controls data flows in and out, passing through Local host
    - Web Caching: where data from Web servers travelling over the internet through ISA Server is (temporarily) stored

    Preparing the machine before installing ISA Server:

    - The server must run Windows 2003 Server and have 2 NICs: one for the internal network and one for the Internet.
    - The server should have DHCP (dynamic IP address assignment) and DNS (domain name resolution).
    - Name the 2 network cards on the machine so that they are easy to identify. For example: Local and Internet.
    - Set a static IP address for the Local network card:
    - Set a static IP address for the Internet network card:

    Installing ISA Server 2004

    1. Open the file ISAAutorun.exe on the ISA 2004 CD-ROM.

    2. On the ISA 2004 Setup screen, choose Install ISA Server 2004.

    3. Choose the installation type:
       - Typical: installs only a minimal set of services
       - Complete: installs all services, such as Firewall; Message Screener; Firewall Client Installation Share
       - Custom: lets you choose which ISA Server 2004 components to install

       Here we choose Typical and keep the default installation folder for ISA Server → Next.

    4. Specify the exact range of IP addresses that belong to the Internal Network by pressing the Add button:

       192.168.10.1 -- 192.168.10.255

    5. If clients on the internal network previously had ISA Firewall Client 2000 installed, check "Allow computers running earlier version of Firewall Client software to connect" so that they can connect to the ISA 2004 Server.

    6. Continue the installation → press Finish to complete the installation of ISA 2004.

    Conclusion:

    ISA Server 2004 has these main functions:

    - Sharing an internet connection: sharing the bandwidth of the internet link.
    - Acting as a Firewall Server, monitoring and controlling data flows from outside into the internal network and vice versa.
    - Speeding up Web access.
    - Supporting a VPN (virtual private network) with ISA Server as the VPN Server.

    LESSON 3: FIREWALL POLICIES ON ISA SERVER

    Objectives:

    - Understand and master the policies on ISA Server
    - Manage the protocols allowed in and out through ISA Server

    3.1. Introduction

    By default, once ISA Server 2004 is installed it replaces the Routing and Remote Access service of Windows Server to perform NAT. However, the ISA Server Firewall Policy by default closes all ports (both TCP and UDP) on the ISA Server machine. As a result, all network communication from the server to Internal or External is blocked.

    Firewall Policies on ISA Server let the administrator define rules that allow (Allow) or forbid (Deny) data flows (by connection protocol, Protocol) moving from one place to another (Source and Destination), applied to one or more specific users (Users).

    Data flows passing through ISA Server are checked by the Firewall Policies against the rules set by the administrator or preset by ISA. The rules are consulted in order (Order) from top to bottom. When a rule is found whose conditions the data flow satisfies, the flow is blocked or let through without regard to the rules placed below it.

    ISA Server 2004 Firewall has 3 kinds of security policy: System policy, Access rule and Publishing rule.

    System policy: usually hidden, used for interaction between the firewall and other network services such as ICMP, RDP... System policy is processed before access rules are applied. After installation, the default system policies allow ISA Server to use system services such as DHCP, RDP, Ping...

    Access Rule: the set of rules for access by data flows such as Internet, Mail, FTP and DNS passing through ISA Server.

    Publishing Rule: used to offer services such as a Web Server or Mail Server on the Internal or DMZ network so that users on the Internet can access them.

    ISA Firewall Policy is configured through the ISA Management Console on the ISA Server machine itself, or by installing the ISA Management Console on another machine and connecting to ISA Server to administer it remotely.

    The ISA Server Management console interface has 3 main parts:

    - Left pane: for browsing the main functions such as Server name, Monitoring, Firewall Policy, Cache...
    - Middle pane: shows the details of the main component we have selected, such as System Policy, Access Rule...
    - Right pane: also called the Tasks Panel; contains special tasks such as Publishing Server, Enable VPN Server...

    3.2. Allowing client machines full access to ISA Server

    An Access Rule defined by the administrator consists of these parts:

    - Rule name: the name of the rule, chosen freely. The name should recall what the rule does.
    - Action: what the rule does, Allow or Deny
    - Protocol: the protocol (or service) the rule affects
    - Source: where the data flow originates
    - Destination: where the data flow is going
    - Users: the accounts the rule applies to

    The steps below create a rule that allows all clients on the internal network to access all services on ISA Server, applied to all network users.

    1. Open ISA Management (in Start Menu → Programs → Microsoft ISA Server) and choose Firewall Policy → Create New Access Rule.

    2. Type Internal Access to Local host in Access Rule Name → click Next.

    3. Under Rule Action choose Allow → click Next.

    4. In the Protocol window choose All outbound traffic → click Next.

    5. In Access rule Source choose Add → choose Internal → Close, then click Next.

    6. In Access rule Destinations choose Local Host → click Close, then click Next.

    7. Choose All Users → click Next.

    8. Click Finish to complete.

    Result:

    After this rule has been applied (Apply), all clients on Internal can access all protocols and services on the Local Host machine. It applies to all users.

    3.3. Allowing internal machines to access all services on External

    1. In Firewall Policy, create a new Access rule.

    2. Enter the rule name (Access Rule Name), for example: Internal Access Internet → click Next.

    3. At Rule Action choose Allow (the rule's action is to permit) → click Next.

    4. In Protocol, choose All outbound traffic (applies to all data flows of every service) → click Next.

    5. In Access Rule Source choose Add → choose Internal → Close, then click Next.

    6. In Access rule Destinations choose External, click Close, then click Next.

    7. Choose All Users in the User Sets window → click Next.

    8. Click Finish and then Apply to complete.

    Result:

    All machines on the internal network are allowed to access all services on the internet through ISA Server. It applies to all users.

    3.4. Allowing Local Host to access the Internet

    Create the rule in the same way as in the two sections above:

    - Rule Name: Local Host Access to Internet.

    - Action: Allow

    - Protocols: All outbound traffic.

    - Source: Local Host

    - Destination: External

    - User: All User

    - Click Apply to update the Access rule just created

    Result:

    The ISA Server machine is allowed to access all services on the internet. It applies to all users.

    3.5. Allowing ISA Server to assign dynamic IP addresses to clients

    Assume the ISA Server machine is also a DHCP Server. After ISA Server is installed, the DHCP function on ISA Server is certain to be blocked.

    Note also that the DHCP service works in 2 directions:

    - From the DHCP clients, a request for an IP address is broadcast onto the network (called DHCP request, port 67).
    - The DHCP Server receives this request and replies to the DHCP client with the IP parameters (called DHCP reply, port 68).

    Create a rule that allows the DHCP service to operate, following this template:

    1. Access rule name: Allow DHCP
    2. Rule Action: Allow
    3. Protocol: at This rule applies to, choose Selected protocols → click Add and choose the 2 protocols DHCP Request and DHCP Reply
    4. Access rule source: choose Internal and Local Host
    5. Access rule destination: choose Local Host and Internal
    6. User sets: choose All User
    7. Click Apply to update the Access rule just created

    Result:

    Machines on the internal network receive the DHCP service from ISA Server.

    3.6. Allowing clients and Local Host to query DNS

    As with DHCP, a DNS server service installed on ISA Server is not allowed to operate until a rule permitting it has been created.

    DNS also works in 2 directions, like DHCP:

    - From the DNS clients, a query for a domain name or for an IP address (called DNS Client) is sent to the DNS Server.
    - If ISA Server is also the DNS Server, it receives the query and answers the DNS client with the IP address (or domain name). (DNS Server and DNS both use port 53.)

    Create a rule that allows the DNS service to operate, following this template:

    1. Access rule name: Allow DNS
    2. Rule Action: Allow
    3. Protocol: at This rule applies to, choose Selected protocols → click Add and choose the 2 protocols DNS and DNS Server (if the DNS server only acts as a forwarder, DNS Server may not be needed)
    4. Access rule source: choose Internal and Local Host
    5. Access rule destination: choose Local Host and Internal
    6. User sets: choose All User
    7. Click Apply to update the Access rule just created

    Result:

    All clients on the internal network receive the DNS service provided by ISA Server.

    Note: if the ISA Server machine is not the DNS Server, the Destination must be changed to External. Local Host can be replaced by one or more specific DNS Servers on the network. This requires the administrator to define a Computer or Computer sets object beforehand.

    Check name resolution:

    - Start menu → Run → CMD (opens the command prompt)
    - Type: nslookup (the DNS lookup command)
    - > server 203.113.188.1 (selects the DNS server used to look up the domain name)
    - > www.google.com (looks up Google's IP address)

    3.7. Allowing clients to use dedicated mail software (SMTP, POP3 or IMAP)

    Dedicated mail: accessing mail with dedicated software such as MS Outlook Express, MS Outlook, Thunderbird or Netscape Messenger (not accessing mail on the Web).

    The mail service also works in 2 directions:

    - From the mail clients, mail is sent to the mail server with SMTP (Simple Mail Transfer Protocol), which uses port 25 by default.
    - Mail is received from the Mail Server with one of these protocols:
      - POP3 (Post Office Protocol), default port 110
      - IMAP4 (Internet Mail Access Protocol), port 143
      - POP3S (POP3 Security), port 995
      - IMAP4S (IMAP4 Security), port 993

    Create an access rule that allows the mail service to operate, following this template:

    1. Access rule name: Allow Mail
    2. Rule Action: Allow
    3. Protocol: at This rule applies to, choose Selected protocols → click Add and choose the protocols SMTP, POP3, IMAP
    4. Access rule source: choose All Networks
    5. Access rule destination: choose All Networks
    6. User sets: choose All User
    7. Click Apply to update the Access rule just created

    Result:

    All machines on all networks are allowed to access the service for sending and receiving email to and from one another. It applies to all users.

    3.8. Managing and monitoring Internet access in ISA 2004

    Although the system is now connected to the Internet, some enterprises have their own system-policy requirements, such as: filtering out objectionable websites (so that staff cannot access them); forbidding chat with a particular tool; allowing file downloads over FTP...

    In addition, to serve web browsing, HTTP is allowed, but downloading files that can be executed on Windows over HTTP is forbidden in order to prevent virus infection. ISA Firewall Policy makes this possible.

    3.8.1. Forbidding all staff from accessing unwanted websites: Web Filter

    To do this, first create a new network object of type URL sets. This object holds the list of URLs (Uniform Resource Locator, roughly the place that holds a resource for users to access) that the administrator wants to forbid (or allow) access to.

    1. Create a new URL set and enter the URLs.
    2. In ISA Management, choose Toolbox (on the right-hand branch) → Network Objects. Click New → URL Set.
    3. On the Name line, enter the name of the URL set. For example Webs Denied.
    4. Click the New button to enter the URLs for the set (see the illustration).
       - Click OK to add the URL set Webs Denied to the list of objects.
    5. Create the Access rule: Web Filter
    6. Access rule name: Web Filter
    7. Rule Action: Deny
    8. Protocol: choose Selected protocols and add the 2 protocols HTTP and HTTPS
    9. Access rule source: choose Internal
    10. Access rule destination: choose URL sets → Webs Denied
    11. User sets: choose All User
    12. Click Apply to update the Access rule just created

    Result:

    No internal machine is allowed to access the websites in the Webs Denied list. It applies to all users.

    3.8.2. Forbidding staff in a particular department from accessing the Internet during working hours

    First the administrator must create a working-hours schedule on which to base time-dependent firewall policies. Likewise, if a Firewall Policy is to apply to specific users, each user must have an account for accessing the enterprise's Domain network. (See the Windows 2003 Server module.)

    1. Define the working-hours schedule of the organization (Schedule).

    2. In ISA Management, choose Toolbox (right-hand branch) → Schedules → click New.

    3. Create a new Schedule with this content:

       - Name: the name of the Schedule
       - Description: a detailed description of the schedule (if needed)
       - The squares represent the hours of the day. Blue squares stand for the hours in which the schedule is in effect; white squares are hours in which the schedule is not in effect.

    The illustration below is a schedule defining working hours from 8:00 to 12:00 and from 14:00 to 18:00 on the days of the week, except Sunday. On Saturday afternoon alone, time is not restricted.

    Creating a user group in ISA Server

    Creating user groups (called User sets) helps the administrator apply access rules to specific users on the network.

    1. In ISA Management, choose Toolbox (right-hand branch) → Users → click New.
    2. Name the User set object. For example Sale Group.
    3. In the Users window: choose Add... → Windows user and Groups...
    4. Choose the AD accounts to put in the User set → click Next → Finish.

    3.8.3. Creating an Access Rule that forbids Sale Group from connecting to the internet during working hours

    The choices for this Access rule:

    - Access rule name: Cam Sales truy cap internet
    - Rule Action: Deny
    - Protocol: choose All outbound protocol
    - Access rule source: choose Internal
    - Access rule destination: choose External
    - User sets: remove All User. Add Sale Group.

    Result:

    After the Access rule has been created, open Properties for this Access rule → choose the Schedule tab to set the time during which the Access rule is in effect.

    Click Apply to update the Access rule just created.

    3.8.4. Creating an access rule that allows staff in a particular department to access the internet during the prescribed hours

    The choices for this Access rule:

    - Access rule name: Cho truy cap trong gio lam viec
    - Rule Action: Allow
    - Protocol: choose All outbound protocol
    - Access rule source: choose Internal
    - Access rule destination: choose External
    - User sets: remove All User

    After the Access rule has been created, open Properties for this Access rule → choose the Schedule tab → choose Work times to set the time during which the Access rule is in effect.

    Click Apply to update the Access rule just created.

    Result:

    All internal machines are allowed to access the internet during working hours. It applies to everyone.

    Pay attention to the order (Order) of the 2 access rules, Deny and Allow internet access, in sections 3.5.2 and 3.5.3. If the Allow access rule is placed above the Deny rule, users in Sale Group will be allowed access (because the Allow rule applies to All Users).
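    The top-down, first-match evaluation described in 3.1 and the ordering caveat above, modelled as an added Python example (it is not part of the original document and is not ISA Server code). The matching model, the `shadowed` audit helper, the fall-through "Default rule" and the sample times are assumptions; the rule names and the working-hours schedule are taken from the page.

```python
from dataclasses import dataclass
from datetime import datetime

ALL_USERS = "All Users"
ALL_HOURS = frozenset((d, h) for d in range(7) for h in range(24))


def hours(ranges_by_day):
    """Expand {weekday: [(start, end), ...]} into a set of (weekday, hour)."""
    return frozenset((day, h)
                     for day, ranges in ranges_by_day.items()
                     for start, end in ranges
                     for h in range(start, end))


# Constructed from the schedule the page describes: 08-12 and 14-18,
# Monday (0) to Saturday (5), with Saturday afternoon left unrestricted.
WORK_HOURS = hours({**{d: [(8, 12), (14, 18)] for d in range(5)}, 5: [(8, 12)]})


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "Allow" or "Deny"
    source: str
    destination: str
    user_set: str = ALL_USERS
    protocols: frozenset = frozenset()   # empty = all outbound traffic
    schedule: frozenset = ALL_HOURS      # hours in which the rule is in effect


@dataclass(frozen=True)
class Request:
    groups: frozenset                    # user sets the requester belongs to
    source: str
    destination: str
    protocol: str
    when: datetime


def matches(rule, req):
    return (rule.source == req.source
            and rule.destination == req.destination
            and (not rule.protocols or req.protocol in rule.protocols)
            and (rule.user_set == ALL_USERS or rule.user_set in req.groups)
            and (req.when.weekday(), req.when.hour) in rule.schedule)


def evaluate(rules, req):
    """Top-down, first match decides; rules below it are never consulted."""
    for rule in rules:
        if matches(rule, req):
            return rule.action, rule.name
    # Assumption: nothing matched, so the default block-everything policy applies.
    return "Deny", "Default rule"


def covers(earlier, later):
    """True if every request matching `later` also matches `earlier`."""
    return (earlier.source == later.source
            and earlier.destination == later.destination
            and (not earlier.protocols
                 or (bool(later.protocols) and later.protocols <= earlier.protocols))
            and earlier.user_set in (ALL_USERS, later.user_set)
            and later.schedule <= earlier.schedule)


def shadowed(rules):
    """(rule, blocker) pairs where an earlier opposite-action rule hides a later one."""
    return [(later.name, earlier.name)
            for i, later in enumerate(rules)
            for earlier in rules[:i]
            if earlier.action != later.action and covers(earlier, later)]


DENY_SALES = Rule("Cam Sales truy cap internet", "Deny", "Internal", "External",
                  user_set="Sale Group", schedule=WORK_HOURS)
ALLOW_WORK = Rule("Cho truy cap trong gio lam viec", "Allow", "Internal", "External",
                  schedule=WORK_HOURS)
ALLOW_ALL = Rule("Internal Access Internet", "Allow", "Internal", "External")

DENY_FIRST = [DENY_SALES, ALLOW_WORK, ALLOW_ALL]
ALLOW_FIRST = [ALLOW_WORK, DENY_SALES, ALLOW_ALL]


def sales_request(when):
    return Request(frozenset({"Sale Group"}), "Internal", "External", "HTTP", when)


if __name__ == "__main__":
    monday_9am = datetime(2024, 1, 8, 9, 0)      # constructed sample time
    for label, policy in (("deny first", DENY_FIRST), ("allow first", ALLOW_FIRST)):
        print(label, evaluate(policy, sales_request(monday_9am)), shadowed(policy))
```

    Running `shadowed` over an exported rule list before applying it flags a Deny rule that can never fire because a broader Allow rule sits above it.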

    3.8.5. Allowing staff to access only Text and Image content on the Web

    The choices for this Access rule:

    - Access rule name: All Web Text.
    - Rule Action: Allow
    - Protocol: choose Selected protocols and add the 2 protocols HTTP and HTTPS
    - Access rule source: choose Internal
    - Access rule destination: choose External
    - User sets: remove All User

    After the Access rule has been created, open Properties for this Access rule → choose the Content type tab to define which types of content the Access rule does or does not apply to.

    Here we allow access only to content of the types Documents, Text, HTML Documents and Images.

    Restricting the type of content that can be accessed gives the administrator several options for reducing bandwidth, blocking online films and music, and stopping viruses (in executable form: *.exe, *.dll) from the internet from infecting the internal network.

    Conclusion:

    By default, once installation completes, ISA Server 2004 replaces the Routing and Remote Access service of Windows Server in performing NAT. However, the ISA Server Firewall Policy by default closes all ports (both TCP and UDP) on the ISA Server machine.

    Firewall Policies on ISA Server let the administrator define rules that allow (Allow) or block (Deny) data flows, identified by connection protocol (Protocol), moving from one place to another (Source and Destination), and apply them to one or more specific users (Users).

    Data flows passing through ISA Server are checked by the Firewall Policies against the rules the administrator has defined or that ISA provides by default. Rules are consulted in order (Order) from top to bottom. As soon as a rule matches the data flow, the flow is blocked or let through, and the rules placed below it are not considered.

    ISA Server 2004 Firewall has 3 kinds of security policy: System policy, Access rule and Publishing rule.

    System policy: usually hidden; used for interaction between the firewall and other network services such as ICMP, RDP... System policy is processed before access rules are applied. After installation, the default system policies allow ISA Server to use system services such as DHCP, RDP, Ping...

    Access Rule: the set of access rules for data flows such as Internet, Mail, FTP and DNS passing through ISA Server.

    Publishing Rule: used to offer services such as a Web Server or Mail Server on the Internal or DMZ network to users on the Internet.
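The rule-order warning in section 3.8 and the top-down, first-match evaluation described in this conclusion can be checked with a small model. This is an added example, not part of the original material and not ISA Server code; the rule name Deny Sale Group, the Monday to Friday 08:00-17:00 working hours and the sample requests are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

ALL_USERS = "All Users"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "Allow" or "Deny"
    user_set: str                        # ALL_USERS or a group name
    protocols: frozenset = frozenset()   # empty = all outbound protocols
    source: str = "Internal"
    destination: str = "External"
    work_hours_only: bool = False        # Schedule tab restricted to working hours


@dataclass(frozen=True)
class Request:
    groups: frozenset
    protocol: str
    when: datetime
    source: str = "Internal"
    destination: str = "External"


def in_work_hours(when):
    # Assumed schedule for this example: Monday-Friday, 08:00-17:00.
    return when.weekday() < 5 and 8 <= when.hour < 17


def matches(rule, req):
    """True when every condition of the rule holds for the request."""
    if rule.protocols and req.protocol not in rule.protocols:
        return False
    if (rule.source, rule.destination) != (req.source, req.destination):
        return False
    if rule.user_set != ALL_USERS and rule.user_set not in req.groups:
        return False
    return not rule.work_hours_only or in_work_hours(req.when)


def evaluate(policy, req):
    """Walk the rules top down; the first match decides, later rules are ignored."""
    for rule in policy:
        if matches(rule, req):
            return rule.action, rule.name
    return "Deny", "Default rule"        # nothing matched: traffic stays blocked


def shadowed_rules(policy, samples):
    """Names of rules that never decide any sample request (candidates for review)."""
    used = {evaluate(policy, req)[1] for req in samples}
    return [rule.name for rule in policy if rule.name not in used]


# Constructed rules modelled on the two rules discussed in section 3.8.
DENY_SALE = Rule("Deny Sale Group", "Deny", user_set="Sale Group")   # hypothetical name
ALLOW_WORK = Rule("Cho truy cap trong gio lam viec", "Allow",
                  user_set=ALL_USERS, work_hours_only=True)

DENY_FIRST = [DENY_SALE, ALLOW_WORK]     # intended order
ALLOW_FIRST = [ALLOW_WORK, DENY_SALE]    # misordered: Allow is evaluated first

# Constructed requests: Tuesday 2024-03-05 at 10:00 and at 20:00.
MORNING = datetime(2024, 3, 5, 10, 0)
EVENING = datetime(2024, 3, 5, 20, 0)
SALE_AM = Request(frozenset({"Sale Group"}), "HTTP", MORNING)
SALE_PM = Request(frozenset({"Sale Group"}), "HTTP", EVENING)
STAFF_AM = Request(frozenset({"Accounting"}), "HTTP", MORNING)
STAFF_PM = Request(frozenset({"Accounting"}), "HTTP", EVENING)

if __name__ == "__main__":
    for label, policy in (("deny first", DENY_FIRST), ("allow first", ALLOW_FIRST)):
        for who, req in (("sale 10:00", SALE_AM), ("sale 20:00", SALE_PM),
                         ("staff 10:00", STAFF_AM), ("staff 20:00", STAFF_PM)):
            print(f"{label:11} {who:11} -> {evaluate(policy, req)}")
        print(label, "shadowed in working hours:",
              shadowed_rules(policy, [SALE_AM, STAFF_AM]))
```

Running the same sample requests against a candidate rule order before applying it shows which rules can never decide a request in that order.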

    LESSON 4: PUBLISHING WEB AND MAIL IN ISA 2004.

    Objectives:

    Know how to publish Web servers and Mail servers to the external network.

    4.1. Introduction:

    For users out on the Internet to reach the Mail or Web servers inside our enterprise, we must "publish" them through our ISA Server.

    Note that email access also depends on other protocols such as DNS, POP, SMTP... We may therefore need to allow DNS requests from the Mail Server to the Domain Controller (with integrated DNS installed) on the Internal network, or to the ISP's DNS servers.

    4.2. Web Server Publishing.

    Assume your internal network contains a Web server (IP address 192.168.1.100). This Web server is separated from the Internet by ISA Server. For Internet users to reach the Web server through ISA Server, the administrator must publish the Web server on the ISA firewall.

    1. In ISA Management, open Firewall Policy, then Tasks, and choose Publishing a Web Server.

    2. Name the rule in Web publishing rule name.

    3. Set Action to Allow and click Next.

    4. In Define Web Server to publish (the server that will be published), enter the IP address of the Web server to publish.

    Example: 192.168.1.100

    If Internet users should be allowed to reach only one virtual site on the Web server while believing they are visiting the root website, check Forward the original host header instead of the actual one and enter the path of the virtual site.

    5. The Public Name Details window lets you choose whether the Web server answers requests from users of a specified domain (This domain name (type below)) or from users of any domain (Any domain name).

    6. The Select Web Listener window sets the IP address and port on which ISA Server accepts Web requests coming in from the Internet. If the administrator has not yet defined a listener, click New to create one.

    7. Create a new Web listener, for example named: Web listener

    8. IP Addresses window: in the list Listen for requests from these networks, select External (requests originate from all IP addresses on the Internet). Click Next.

    9. Port Specification window: specify the port that receives Web requests. The default is 80.

    10. Click Finish to return to the Select Web Listener screen. Here you can adjust the listener with the Edit button, or select the listener just created and click Next.

    11. Apply the rule to All Users and click Finish.

    Result:

    All Web requests sent from the Internet to ISA Server (on port 80) are forwarded to Web server 192.168.1.100.

    The Web server answers Web requests for all users.

    4.3. Mail Server Publishing.

    Publish the mail server for client access over the Web (WebMail)

    1. In ISA Management, open Firewall Policy, then Tasks, and choose Publish a Mail Server.

    2. Name the rule, for example Publishing Exchange server.

    3. The Select Access type window offers 3 types of access from external clients to the Mail Server on the internal network:

       - Web Client Access: allows access to the Mail Server over the Web through services such as OWA and OMA
       - Client access: allows clients to access mail with dedicated mail programs over SMTP, POP, IMAP...
       - Server-to-Server: relays mail between Mail Servers

       Here, choose Web Client Access.

    4. Select Services window: choose Outlook Web Access and Exchange ActiveSync.

    5. The Bridging mode window offers 3 ways to set up the connection between the client and the Mail Server:

       - Secure connection to clients: secures the connection between ISA Server and the mail clients
       - Secure connection to clients and mail server: secures the connection Mail Server - ISA Server - mail clients
       - Standard connections only: the connection is not secured

    6. The Specify Web Mail server window asks for the IP address of the Mail Server.

    7. Public Name Details window: same meaning as for Web publishing. Choose Any domain name.

    8. Select Web Listener window: keep in mind that the Webmail service gives users Web-based access to mail, which means the WebMail port is also the HTTP port (80). Therefore, select the Web listener created in section 3.6.1.

    9. In User sets, choose All users.

    10. Click Apply to commit the configuration.

    Result:

    Mail server 192.168.1.99 is published for everyone to access as WebMail.

    Publish the mail server for access with dedicated mail programs.

    1. In ISA Management, open Firewall Policy, then Tasks, and choose Publish a Mail Server.

    2. Name the rule, for example Publish mail server with POP3.

    3. The Select Access type window offers the 3 access types; choose Client access (allows clients to access mail with dedicated mail programs over SMTP, POP, IMAP...).

    4. In Select Services, choose services such as POP3, IMAP4 and SMTP.

    5. Set the IP address of the Mail Server in Select Server.

    6. Specify where the mail clients that connect to the Mail Server are located. For example, choose External (All IP addresses).

    7. Click Finish to complete.

    8. Click Apply to commit the configuration.

    Result:

    Three protocols allow mail clients to reach mail server 192.168.1.99 through ISA Server using dedicated mail programs.

    Conclusion:

    For users out on the Internet to reach the Mail or Web servers inside our enterprise, we must "publish" them through our ISA Server.

    Note that email access also depends on other protocols such as DNS, POP, SMTP... We may therefore need to allow DNS requests from the Mail Server to the Domain Controller (with integrated DNS installed) on the Internal network, or to the ISP's DNS servers.

    LESSON 5: SAVING INTERNET BANDWIDTH WITH THE CACHE AND CONTENT DOWNLOAD JOB FEATURES

    Objectives:

    - Understand how the cache works
    - Know how to configure the cache in ISA Server

    5.1. The cache and how it works

    Definition of the cache on ISA: the cache is an area of hard disk space (on the ISA Server machine) used to store data that passes through ISA Server.

    By default, after ISA Server is installed the cache is not active, because the disk space to be used for the cache has not yet been defined.

    How the cache works: consider a LAN connected to the Internet as in the figure below. The ISA Server machine has the cache configured:

    1. Client 1 sends a Web request to ISA Server.
    2. ISA Server forwards the request to the Web server on the Internet.
    3. The response from the Web server is returned to ISA Server. ISA stores the information in the cache.
    4. A copy of the information is delivered to Client 1.
    5. When Client 2 sends a Web request to ISA Server,
    6. if the requested information is already in the cache, ISA Server answers Client 2 without going out to the Internet.

    Advantages and disadvantages of the cache on ISA Server:

    The cache increases the reuse of information already downloaded from the Internet. This reduces the load on the Internet link, and client users perceive faster Web access.

    Because information is usually served from the cache, users often see only old information. Newer information has to wait until the ISA cache refreshes it, when the storage time of the information in the cache expires.

    5.1.1. Configuring the cache in ISA Management

    1. In the left pane of ISA Server 2004 Management, expand Configuration, right-click Cache and choose Define Cache Drives... (define the drive used for the cache).

    2. ISA Server requires the drive holding the cache to use the NTFS file system. Set the maximum size of the cache in Maximum cache size (MB). The administrator chooses the cache size according to the volume of Web and FTP access from clients and the free space on the drive.

    3. Click the Set button to fix the cache size.

    4. Once the cache has been defined, the administrator must activate it: right-click Cache and choose Properties...

    5. Select the Active Caching tab and check Enable Active Caching (activates the cache).

    6. ISA lets the user choose 1 of 3 caching options:

       - Frequently: if the administrator wants new information to be queried more often from the Web (or FTP) servers.
       - Less Frequently: if the administrator considers reducing Internet bandwidth more important than refreshing the information in the cache more often.
       - Normally: the administrator gives equal weight to both goals, refreshing the information in the cache and reducing bandwidth.

    7. Depending on your needs, choose 1 of the 3 options above and click OK to confirm.

    8. Because a new service has been configured, when you click Apply you must choose Save the changes and restart the services.

    5.1.2. Setting up a Cache Rule.

    As mentioned above, the cache in ISA Server saves bandwidth but limits access to new information such as news and search results. To solve this, the administrator can create a cache rule that prevents caching of information from URLs that must always show the latest content.

    Creating a Cache Rule

    1. In the Task pane, choose Create a Cache Rule.

    2. Name the cache rule, for example: None Caching.

    3. The Cache rule destination window defines the destinations, that is, the URLs the cache rule applies to. Here the URLs are the addresses of web sites whose information must be continuously up to date.

    Click Add to add this list of URLs to the Cache destination.

    4. If no list of non-cached URLs has been created yet, click New and choose URL Set.

    5. Enter No Cache Webs as the name of the URL Set. Then click the New button to enter the addresses of the web sites whose information will not be stored in the ISA cache.

    6. Click OK to return to the Add New Network Entities window, open URL Sets, select No Cache Webs and click Add.

    7. Because the intent here is not to cache the content of the web sites listed in the URL Set No Cache Webs, the options on the Content Retrieval screen do not matter.

    8. In the Cache Content window, choose Never, no content will ever be cached.

    9. Finally, click Finish to complete the setup.

    5.2. Configuring a Content Download Job

    Suppose many users on the internal network regularly visit a certain web site to read information. To speed up access, the administrator configures ISA Server to download the content of this site into the cache in advance, at a set day and time of the week (this is called a Content Download Job).

    Configuring a Content Download Job

    1. In the left pane of ISA Server 2004 Management, expand Configuration, right-click Cache, choose New and then Content Download Job...

    2. Name the Content Download Job (example: ispace.edu.vn).

    3. Set the time at which the download process runs.

    4. In the Content download window, enter the address of the web site to download in Download content from this URL.

    5. Accept the default values in the following steps and finally click Finish to complete.

    Configuring clients to use the cache and Content Download Job on ISA Server

    Client machines on the network access the Internet through ISA Server in 2 ways:

    - The client uses ISA Server as a NAT server
    - The client uses ISA Server as a Proxy server

    When ISA Server is used as SecureNAT, the client machines treat ISA Server as their Default Gateway.

    Using ISA Server as a Proxy server requires 2 conditions:

    - The Proxy Server function is additionally configured on ISA Server.
    - The client declares the Proxy server in its browsers.

    Content Download Job on ISA Server only supports clients that use ISA Server as a Web Proxy server or FTP Proxy server.
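The cache behaviour from section 5.1 (hit, stale copy, refresh on expiry), the never-cache rule from 5.1.2 and the Content Download Job from 5.2 can be followed in one small model. This is an added example, not part of the original material and not ISA Server code; the fixed freshness time, the host-based stand-in for the No Cache Webs URL set and all URLs are assumptions.

```python
from urllib.parse import urlsplit


class Origin:
    """Constructed stand-in for the web servers out on the Internet."""

    def __init__(self, pages):
        self.pages = dict(pages)
        self.fetches = 0                  # every fetch costs Internet bandwidth

    def get(self, url):
        self.fetches += 1
        return self.pages[url]


class ProxyCache:
    def __init__(self, origin, ttl, no_cache_hosts=()):
        self.origin = origin
        self.ttl = ttl                              # seconds a copy stays fresh (assumed fixed)
        self.no_cache_hosts = set(no_cache_hosts)   # plays the role of "No Cache Webs"
        self.store = {}                             # url -> (body, expires_at)

    def _cacheable(self, url):
        return urlsplit(url).hostname not in self.no_cache_hosts

    def request(self, url, now):
        """Serve a client request; returns (body, 'cache' or 'origin')."""
        entry = self.store.get(url)
        if entry is not None and now < entry[1]:
            return entry[0], "cache"                # fresh copy: no Internet access
        body = self.origin.get(url)                 # miss or expired: go to the Internet
        if self._cacheable(url):
            self.store[url] = (body, now + self.ttl)
        return body, "origin"

    def content_download_job(self, urls, now):
        """Prefetch URLs into the cache before any client asks for them."""
        for url in urls:
            if self._cacheable(url):
                self.store[url] = (self.origin.get(url), now + self.ttl)


# Constructed URLs for the scenario.
PORTAL = "http://portal.example/index.html"
NEWS = "http://news.example/today.html"
GUIDE = "http://docs.example/guide.html"


def run_scenario():
    origin = Origin({PORTAL: "portal v1", NEWS: "news v1", GUIDE: "guide v1"})
    proxy = ProxyCache(origin, ttl=3600, no_cache_hosts={"news.example"})
    log = []
    log.append(proxy.request(PORTAL, now=0))      # Client 1: fetched from the Internet
    log.append(proxy.request(PORTAL, now=60))     # Client 2: answered from the cache
    origin.pages[PORTAL] = "portal v2"            # the site publishes new content
    log.append(proxy.request(PORTAL, now=120))    # clients still get the old copy
    log.append(proxy.request(PORTAL, now=3600))   # copy expired: refreshed from origin
    log.append(proxy.request(NEWS, now=0))        # host is in the never-cache set
    origin.pages[NEWS] = "news v2"
    log.append(proxy.request(NEWS, now=1))        # always current, always costs bandwidth
    proxy.content_download_job([GUIDE], now=0)    # scheduled prefetch
    log.append(proxy.request(GUIDE, now=10))      # first client request is already a hit
    return log, origin.fetches


if __name__ == "__main__":
    results, fetches = run_scenario()
    for line in results:
        print(line)
    print("origin fetches:", fetches)
```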

    Conclusion:

    The cache is an area of hard disk space (on the ISA Server machine) used to store data that passes through ISA Server. By default, after ISA Server is installed the cache is not active, because the disk space to be used for the cache has not yet been defined.

    The cache increases the reuse of information already downloaded from the Internet. This reduces the load on the Internet link, and client users perceive faster Web access.

    Because information is usually served from the cache, users often see only old information. Newer information has to wait until the ISA cache refreshes it, when the storage time of the information in the cache expires.

    LESSON 6: CONFIGURING THE PROXY SERVER FOR ISA SERVER

    Objectives:

    - Understand the proxy server
    - Configure the Proxy Server in ISA

    6.1. Configuration:

    1. In ISA Server Management, select Network (left pane) and open Properties for Local Host.

    2. In the Local Host Properties window, check Enable Web Proxy and click OK. (Note that the default proxy port is 8080.)

    3. Declare the Proxy server on the client.

    On the client machine: open Control Panel, then Internet Options, select the Connection tab, click the LAN Settings button, check Use a Proxy Server and enter the IP address (or machine name) and port of the proxy.

    6.2. Using the ISA Firewall Client to configure the proxy automatically

    To obtain the ISA Firewall Client installation source for the clients, the administrator must add the ISA Firewall Client component to the ISA Server 2004 software on the ISA Server machine.

    1. On the ISA Server machine: run the MS ISA Server 2004 installation again.

    2. Choose Modify to add or remove components.

    3. In the Custom Setup window, click Firewall Client Installation Share and choose This feature will be installed on local hard drive.

    4. Click Next until the installation completes.

    After Firewall Client Installation Share is installed, the Clients folder (in C:\Program Files\Microsoft ISA Server) is shared on the network (with the share name Mspclnt). This folder contains the ISA Firewall Client installation source.

    Install the ISA Firewall Client on the client machines in the network by running Setup.exe from the installation source.

    After a successful installation, the Firewall Client icon appears in the system tray.

    Initially the ISA Firewall Client is in the Disable state, so it does not configure any settings on the client machine.

    1. Right-click the Firewall Client icon and choose Configure to open the configuration page.

    2. On the General tab: check Enable Microsoft Firewall Client (activates the Firewall Client).

    3. There are 2 ways to specify the ISA Server for the client:

       - Automatically detect ISA Server: click the Detect Now button so that the program searches for the ISA Server automatically.
       - Manually select ISA Server: the user enters the machine name (or IP address) of the ISA Server. The Test Server button checks that the information entered is correct.

    4. On the Web Browser tab: check Enable Web browser automatic configuration and click the Configure Now button to apply the proxy settings to the Web browsers on the client machine. These settings are obtained from ISA Server.

    When the proxy is used for Web access, client machines may not need a Default Gateway or DNS Server configured. An IP address in the same Network ID as the ISA Server is sufficient.

    Conclusion:

    A proxy has the function of a firewall, with the added facility of using a cache to store data. It acts as a gateway with security capabilities between the LAN and the Internet. It prevents network users from reaching "sensitive" addresses.

    To obtain the ISA Firewall Client installation source for the clients, the administrator must add the ISA Firewall Client component to the ISA Server 2004 software on the ISA Server machine.

    LESSON 7: BACKING UP AND RESTORING THE ISA SERVER CONFIGURATION

    Objectives:

    Know how to back up and restore ISA

    7.1. Backup

    In large systems with many departments and employees, each department requires its own access policies, so the number of policies becomes large and hard to manage. To keep the system running stably, we therefore need to back up the policies completely so that they can be restored when an incident occurs. We can back up the whole ISA Server or only certain firewall policies.

    1. Open the ISA Management Console, select the server name (ISA) and click Backup the ISA Server Configuration in the Tasks pane.

    2. Next, name the backup file, choose where to store it and click the Backup button.

    A dialog box asking for a password for the backup file appears; enter the password and click OK.

    7.2. Restore

    1. Choose Restore this ISA Server Configuration in the Tasks pane.

    2. Locate the backup file, choose Restore, enter the password and click OK.

    Note: to back up only a particular firewall policy, proceed in the same way with the Export and Import Firewall Policy functions in the Tasks pane.

    Summary:

    To keep the system running stably, we need to back up the policies completely so that they can be restored when an incident occurs. We can back up the whole ISA Server or only certain firewall policies.

    PART II: DEPLOYING MULTI VPN

    Objectives:

    - Understand the ways of connecting an enterprise network to the Internet
    - Configure shared Internet access with Proxy and NAT
    - Deploy site-to-site VPN for secure communication between the enterprise's sites
    - Build a centralized RADIUS authentication system
    - Troubleshoot VPN and RADIUS connection problems

    WAN - Internet connection methods.

    Today most connections to the Internet use ADSL as the WAN service. Besides ADSL there are other subscription types such as Leased Line and Frame Relay, and applications on WAN subscriptions are increasingly used, such as Frame Relay with MPLS VPN technology and ADSL with MegaWAN services. In the early years of Internet use there was also Dial-up.

    Once an Internet connection exists, the remaining question is how to share it with all or part of the system. Internet sharing can be done with services built into Windows or with third-party software. Some ways of doing this are:

    - Using the ICS (Internet Connection Sharing) service of Windows
    - Using the NAT service in Windows Server
    - Using software such as Winroute

    1. ICS
    2. Winroute
    3. NAT

    NAT (Network Address Translation) is a service built into Windows Server. Its purpose is to let machines borrow the address of an intermediate machine in order to reach machines on another network. NAT is typically used to share Internet access with the whole internal LAN.

    First, IP addresses fall into 2 classes: those used inside a LAN are called Private, and those used on the Internet are called Public. By convention, Private addresses must not appear on the Internet: when a server such as Yahoo Mail replies to a request, the destination address of its reply would be an internal address such as 192.168.1.100, and since there are probably tens of thousands of machines with that address in the world, the data could not be delivered accurately.

    When NAT is used to share the Internet, the computer first borrows the Public address of the device or computer that connects to the Internet; that address is unique at the time of access. When Yahoo Mail replies, the reply goes to that Public address, and the device looks up which computer made the request using the Public address and passes the reply on to that computer, completing the exchange.

    Another advantage of NAT is that machines on the LAN can reach the Internet while computers on the Internet can hardly reach the LAN, which provides a safety mechanism.

    Configuring NAT consists of the following steps:

    - Enable the Routing and Remote Access service
    - Select the network card connected to the Internet (or to the network you want to reach)
    - Other settings (if needed)

    1. The computer running NAT needs 2 network cards: one connected to the Internet and one connected to the LAN.

    2. Enable the Routing and Remote Access service by opening Administrative Tools --- Routing and Remote Access. Right-click and choose to enable the service.

    3. Choose the NAT service if only a plain Internet connection is needed, or choose Custom Configure. Here, choose NAT because only Internet connection sharing is needed.

    Select the network card that is connected to the Internet.

    Click Next to complete the connection (make sure to choose the correct Internet-facing card, otherwise the Internet cannot be reached).

    Application: to get the most out of the NAT service, remember to add settings such as Default Gateway and DNS on the client machines. The best way is to combine NAT with DHCP to hand out these settings. Review the DHCP section studied earlier.

    Note: ICS is a sharing service built into Windows; however, it is only suitable for sharing a connection among about 10 - 15 PCs and does not have as many features as NAT, so you may want to read further about this service.

    Note: NAT still allows a computer to reach a server inside the internal network, by configuring Port Forwarding.
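The address borrowing, the reply lookup and the Port Forwarding exception described in the NAT section above, as a simplified model. This is an added example, not part of the original material and not the Windows implementation; the public address 203.0.113.10, the remote address 198.51.100.25, the client addresses and the starting port 50000 are constructed values, while 192.168.1.100 is the internal server address used on the page.

```python
class NatGateway:
    """Simplified NAT with port translation: one public address shared by a LAN."""

    def __init__(self, public_ip, first_port=50000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.by_private = {}   # (proto, private_ip, private_port) -> public_port
        self.by_public = {}    # (proto, public_port) -> (private_ip, private_port)
        self.forwards = {}     # static Port Forwarding entries, same shape as by_public

    def add_port_forward(self, proto, public_port, private_ip, private_port):
        """Publish one internal service on a fixed public port."""
        self.forwards[(proto, public_port)] = (private_ip, private_port)

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an outgoing packet; returns the addressing seen on the Internet."""
        key = (proto, src_ip, src_port)
        if key not in self.by_private:
            # First packet of this flow: borrow the public address on a new port.
            self.by_private[key] = self.next_port
            self.by_public[(proto, self.next_port)] = (src_ip, src_port)
            self.next_port += 1
        return self.public_ip, self.by_private[key], dst_ip, dst_port

    def inbound(self, proto, dst_port):
        """Internal (ip, port) an incoming packet is delivered to, or None if dropped."""
        key = (proto, dst_port)
        return self.by_public.get(key) or self.forwards.get(key)


def run_scenario():
    nat = NatGateway("203.0.113.10")
    # Two LAN clients use the same source port towards the same remote server.
    a = nat.outbound("tcp", "192.168.1.21", 1025, "198.51.100.25", 80)
    b = nat.outbound("tcp", "192.168.1.22", 1025, "198.51.100.25", 80)
    results = {
        "a_on_wire": a,
        "b_on_wire": b,
        # Replies are addressed to the public IP; the port selects the LAN client.
        "reply_to_a": nat.inbound("tcp", a[1]),
        "reply_to_b": nat.inbound("tcp", b[1]),
        # An unsolicited connection from the Internet has no table entry.
        "unsolicited": nat.inbound("tcp", 80),
    }
    # Port Forwarding makes exactly one internal service reachable.
    nat.add_port_forward("tcp", 80, "192.168.1.100", 80)
    results["after_forward"] = nat.inbound("tcp", 80)
    results["other_port"] = nat.inbound("tcp", 3389)
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name:14} {value}")
```

Every Port Forwarding entry is an inbound path into the LAN, so the table of forwards is the list to review when auditing what a NAT gateway exposes.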

    VPN (Virtual Private Network).

    For business reasons every company has branches and partners, and information must be transferred efficiently and securely over the Internet, an environment that is neither safe nor convenient for exchanging information. VPN (Virtual Private Network) was created to solve these problems:

    - Exchange and transfer information securely between branches by creating a separate channel between them, called a Tunnel.
    - Encrypt the data before transmission; the receiving side decrypts it for use.
    - Verify data integrity with a hash algorithm (Hash key) to ensure the data has not changed from the original.

    VPNs commonly take the following forms:

    Remote Access VPN: lets users at home connect to the company to work while keeping the information transferred over the network confidential.

    Site to Site VPN: used to connect 2 branches or to connect with partners; ensures that data transferred between the VPN endpoints is secure.

    User to User VPN.

    In this course we use only Remote Access VPN and Site to Site VPN.

    The protocols used to carry VPN traffic are usually:

    - PPTP
    - L2TP
    - IPSec

    The conditions for making a VPN connection are:

    - A public network such as the Internet, Wireless, LAN...
    - A VPN Server that provides user authentication services and supplies an IP address to operate with.
    - The user must be permitted to use the VPN dial-in service in Active Directory Users and Computers.

    Steps for setting up a VPN connection on the user's machine.

    1. On the server, turn on the VPN feature in the Routing and Remote Access service

    Start --- Programs --- Administrative Tools --- Routing and Remote Access

    Enable Routing and Remote Access (if it is not yet enabled). Choose Custom Configuration.

    Select the VPN feature.

    Click Finish to complete.

    2. Configure user authentication on the VPN

    In the Routing and Remote Access window, open Properties of the newly installed connection.

    Select the Security tab.

    Set Authentication provider and Accounting provider to Windows Authentication (that is, authentication with the user accounts in AD).

    Select the IP section to set up the IP addresses for users.

    3. Create a user and allow it to connect to the VPN Server

    Create a user in Active Directory, in this case the user vpn. Open the user's Properties and set Remote Access Permission (Dial up or VPN) to Allow.

    4. Create the VPN connection on the client machine.

    Add a new connection on the client machine.

    Choose VPN as the connection type.

    Enter the name or IP address of the VPN Server.

    Finish the connection and place a shortcut on the Desktop.

    5. Test the VPN connection by entering the user name and password in the connection.

    Note: when connecting with PPTP in practice, the ADSL modem/router must open port 1723 for the connection to succeed. See the Port Forwarding configuration details in the documentation supplied with the ADSL modem/router.

    Configuring VPN with RADIUS authentication.

    Steps for configuring VPN + RADIUS:

    - Configure the VPN Server + RADIUS Client
    - Configure the RADIUS Server on the Domain Controller
    - Test the connection

    1. Configure the VPN Server with RADIUS authentication (VPN Server - RADIUS Clients)

    Configure the VPN Server as for PPTP; the only difference is that Authentication provider and Accounting provider are set to RADIUS (see figure).

    Next, choose Configure to specify the VPN Server.

    In Configure, add the RADIUS Server (the RADIUS Server is usually installed directly on the AD machine).

    2. Install the Internet Authentication Service on the Domain Controller:

    On the Domain Controller, install the Internet Authentication Service to support RADIUS authentication, via Start --- Settings --- Control Panel --- Add or Remove Programs --- Add Windows Components --- Network Services --- Internet Authentication Services (IAS)

    Configure the RADIUS Server.

    Open the newly installed IAS, then create and register the VPN Server with Active Directory.

    Specify the name of the VPN Server and the IP address of the computer.

    Choose the key required to connect to the RADIUS Server.

    Register the service with Active Directory.

    3. Create users with permission to connect to the VPN with RADIUS support.

    When creating the user in Active Directory, note that besides allowing VPN use, the user must also be added to the RAS and IAS Servers group in order to be authenticated.

    Set up the dial-in connection in the same way as in the exercise above.

    Summary:

    WAN - Internet connection methods. Today most connections to the Internet use ADSL as the WAN service. Besides ADSL there are other subscription types such as Leased Line and Frame Relay, and applications on WAN subscriptions are increasingly used, such as Frame Relay with MPLS VPN technology and ADSL with MegaWAN services.

    Internet sharing can be done with services built into Windows or with third-party software, such as:

    - Using the ICS (Internet Connection Sharing) service of Windows
    - Using the NAT service in Windows Server
    - Using software such as Winroute

    VPN (Virtual Private Network)

    - Exchange and transfer information securely between branches by creating a separate channel between them, called a Tunnel.
    - Encrypt the data before transmission; the receiving side decrypts it for use.
    - Verify data integrity with a hash algorithm (Hash key) to ensure the data has not changed from the original.

    Remote Access VPN: lets users at home connect to the company to work while keeping the information transferred over the network confidential.

    The protocols used to carry VPN traffic are usually: PPTP, L2TP, IPSec

    The conditions for making a VPN connection are:

    - A public network such as the Internet, Wireless, LAN...
    - A VPN Server that provides user authentication services and supplies an IP address to operate with.
    - The user must be permitted to use the VPN dial-in service in Active Directory Users and Computers.