SEC407
ISA Server Internals and Infrastructure Design
Zachary Gutt and Steve Riley
Product Managers
Security Business Unit
Microsoft Corporation
Why?
Firewalls are “geeky” toys
Administrators typically are geeks
Intimate knowledge of firewall packet handling is often necessary to fully understand how to secure a protocol
ISA Server documentation lacks sufficient detail
Session’s content discusses many common questions on the newsgroups
Agenda
Packet flows in publishing
DMZ scenarios
SSL handling in web publishing
Packet filters and filtering
Client-type things: authentication, protocol handling, DNS
ISA Server vs. RRAS
IPSec and NAT
Credits
DNS: Jim Harrison, Microsoft
ISA Server vs. RRAS and Q310888: Craig Nelson, Avanade
Some extensibility info: Ronald Beekelaar, Beekelaar Consultancy
Interesting design alternative: Tom Schinder
Packet flows and publishing
Packet flows in publishing
Server publishing
Simple one-to-one mapping between outside address and LAT member over one particular protocol
“Half-NAT”
Web publishing
Multiple servers and sites with one external IP address
Use URLs to direct traffic
“Full-NAT”
Server publishing
1. Packet arrives on external interface; SADR = client (the publishing rule creates the socket on the external i/f)
2. Payload is extracted (and inspected, if there’s an application filter)
3. New packet created on inside interface; different sequence number
4. New IP header added; packet is delivered; SADR = client
[Diagram: Internet → ISA Server → published computer, with the packet drawn as IP | np | payld at each hop]
Server publishing
Multiple servers. Remember: socket = {IPAddr, port, protocol}
Different protocols: can reuse same external IP address; port number will be different
{IPAddr, port1, protA} {IPAddr, port2, protB}
Same protocols: must use additional external IP address; port numbers will be same
{IPAddr1, port, protA} {IPAddr2, port, protA}
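A planning check built on the socket rule above, added here as an example (not ISA Server code): it tells you how many external addresses a list of server-publishing rules needs and hands out {IPAddr, port, protocol} sockets without collisions. All host names and addresses are constructed.

```python
"""Planning check for ISA Server server publishing (added example, not ISA Server code).
A published socket is {IPAddr, port, protocol}: different protocols (or ports) can share one
external address; a second server on the same port/protocol needs another external address.
All hosts and addresses below are constructed."""
from collections import defaultdict


def minimum_external_ips(services):
    """services: list of (internal_host, port, protocol).
    The external addresses needed equal the largest number of servers that
    want the same {port, protocol}, since those sockets can only differ by IP."""
    per_socket = defaultdict(set)
    for host, port, proto in services:
        per_socket[(port, proto.lower())].add(host)
    return max((len(hosts) for hosts in per_socket.values()), default=0)


def assign_external_sockets(services, external_ips):
    """Bind each service to the first external IP whose {ip, port, protocol} is still free.
    Returns {(ip, port, protocol): internal_host}; raises ValueError when the pool is too small."""
    used = {}
    for host, port, proto in services:
        proto = proto.lower()
        for ip in external_ips:
            key = (ip, port, proto)
            if key not in used:
                used[key] = host
                break
        else:  # every external IP already publishes something on this port/protocol
            raise ValueError(
                f"no free external socket for {host} on {port}/{proto}; "
                f"need at least {minimum_external_ips(services)} external addresses")
    return used


if __name__ == "__main__":
    plan = assign_external_sockets(
        [("mail1", 25, "tcp"), ("web1", 80, "tcp"), ("mail2", 25, "tcp")],
        ["131.107.39.56", "131.107.39.57"])
    for (ip, port, proto), host in plan.items():
        print(f"{host}: {ip}:{port}/{proto}")
```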
Web publishing
1. Packet arrives on external interface; SADR = client (the listener creates the socket on the external i/f)
2. Payload is extracted
3. URL is examined to determine destination; new packet created on inside interface with a different sequence number
4. New IP header added; packet is delivered; SADR = ISA Server inside IP
[Diagram: Internet → ISA Server → published computer, with the packet drawn as IP | np | payld at each hop and the URL inspected at ISA Server]
Web publishing
Multiple servers: the listener creates the socket
Can have multiple listeners on different external IPs for varying authN needs
Use separate DNS names for each
The rule directs the request: destination sets indicate which rule
Set contains URL entered in browser
Web publishing
Multiple authN needs
Requirements
www.example.com is public
my.example.com has no authN in app; use ISA Server for authN: basic over HTTPS
Components
Two DNS “A” records
Two listeners
Two destination sets
Two publishing rules
Trusted computer certificate
Web publishing
Multiple authN needs
DNS records (zone example.com)
www IN A 131.107.39.56
my IN A 131.107.39.57
Listeners
131.107.39.56, on port 80, no authN
131.107.39.57, on port 443, use server certificate, basic authN
Web publishing
Multiple authN needs
Destination sets
DSPublic: www.example.com
DSPrivate: my.example.com
Publishing rules
WWW: send to inside-web-name for DSPublic
MY: send to inside-internal-name for DSPrivate
Web publishing
Multiple authN needs: request flow
[Sequence diagram: browser, DNS server, ISA Server (listeners on 80 and 443), AD DC, wwwint, myint]
1. Browser requests address: who is “my.example.com”?
2. DNS returns answer: 131.107.39.57
3. Browser creates request: IP hdr = 131.107.39.57, HTTP hdr = my.example.com
4. Listener requires authentication: HTTP error 401 - unauthorized
5. Browser resends request: IP hdr = 131.107.39.57, HTTP hdr = my.example.com, HTTP-auth = credentials
6. ISA Server asks AD DC: creds good? yes
7. URL? my.example.com → dest-set: DSPrivate
8. rule? dest-set: DSPrivate → send to myint
9. ISAS sends request to myint
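The decision path the slides walk through (listener → authN → destination set → publishing rule), as an added example that models it in Python; this is not ISA Server code. The listeners, destination sets and rules are the ones from the slides; the account store standing in for the AD DC and the Basic-auth parsing are constructed simplifications.

```python
"""Model of the ISA Server web-publishing decision path: listener -> authN -> destination
set -> publishing rule. Added example, not ISA Server code. ACCOUNTS is a constructed
stand-in for the AD DC credential check."""
import base64
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Listener:
    ip: str
    port: int
    require_basic_auth: bool
    server_cert: Optional[str] = None  # only the HTTPS listener carries a certificate


# The two listeners from the slides: public on .56:80, authenticating on .57:443
LISTENERS = {
    ("131.107.39.56", 80): Listener("131.107.39.56", 80, False),
    ("131.107.39.57", 443): Listener("131.107.39.57", 443, True, "server cert for my.example.com"),
}
# Destination sets hold the host name the browser put in the URL
DEST_SETS = {"DSPublic": {"www.example.com"}, "DSPrivate": {"my.example.com"}}
# Publishing rules: (rule name, destination set it applies to, internal target)
RULES = [("WWW", "DSPublic", "inside-web-name"), ("MY", "DSPrivate", "inside-internal-name")]
# Constructed credentials standing in for the AD DC
ACCOUNTS = {"alice": "s3cret"}


def basic_header(user: str, password: str) -> str:
    """What the browser sends on the resend after the 401 (HTTP-auth = credentials)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic(authorization: Optional[str]):
    """Return (user, password) from a Basic Authorization header, or None if absent/malformed."""
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        user, _, pw = base64.b64decode(authorization[6:], validate=True).decode().partition(":")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None
    return user, pw


def handle_request(dst_ip: str, dst_port: int, host_header: str, authorization: Optional[str] = None):
    """Walk one request through listener, authentication, destination set and rule."""
    listener = LISTENERS.get((dst_ip, dst_port))
    if listener is None:
        return {"status": "dropped", "reason": "no listener on that socket"}
    user = None
    if listener.require_basic_auth:  # step 4 on the slide: 401 until good creds arrive
        creds = parse_basic(authorization)
        if creds is None or ACCOUNTS.get(creds[0]) != creds[1]:
            return {"status": 401, "reason": "listener requires authentication"}
        user = creds[0]
    # steps 7 and 8: URL host -> destination set -> publishing rule
    dest_set = next((name for name, hosts in DEST_SETS.items() if host_header in hosts), None)
    rule = next((r for r in RULES if r[1] == dest_set), None) if dest_set else None
    if rule is None:
        return {"status": "denied", "reason": f"no publishing rule for {host_header}"}
    return {"status": "forwarded", "rule": rule[0], "target": rule[2], "user": user}


if __name__ == "__main__":
    print(handle_request("131.107.39.57", 443, "my.example.com"))
    print(handle_request("131.107.39.57", 443, "my.example.com", basic_header("alice", "s3cret")))
```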
DMZ scenarios
DMZ Scenarios
The two traditional kinds
Disadvantages of using “DMZ” interfaces in ISA Server
Best way to design layered networks
Network layering DMZ
[Diagram: Internet → firewall → DMZ → firewall → corp; each network sits behind its own firewall]
Layered DMZ characteristics
Multiple firewalls
Each firewall protects its own network
Sometimes use different brands
Heterogeneity can be costly, though
Looks like the world’s only political DMZ
Screened subnet “DMZ”
[Diagram: one firewall with three interfaces, connecting the Internet, the DMZ and corp]
Screened subnet characteristics
Not really a DMZ
More complex to build
Too many rules to wrap your brain around
Opportunities for misconfiguration
Performance problems
ISA Server DMZs
ISA Server calls them “perimeter networks”
Types
Back-to-back (regular DMZ)
Three-homed (screened subnet)
Interesting undocumented third choice
Pretty easy to choose which
But first…
Network interfaces
Two kinds
Internal
External
Two flavors of external
Internet-facing
DMZ
Internal interfaces
Can have more than one
Defined by the LAT
Any interface whose IP address is in LAT is an internal interface
External interfaces
Internet-facing
Can have only one
Should be bound highest
The only NIC with a default gateway
Is connected to the Internet
More than one is unsupported and doesn’t work
DMZ
All other interfaces in the computer
Not in LAT, no DG, not connected to Internet
Traffic behavior
[Diagram: three-homed ISA Server connecting Internet, DMZ and corp]
Internet ↔ corp: server publishing, web publishing, NAT, application inspection
Internet ↔ DMZ: packet filtering, routing
DMZ ↔ corp: server publishing, web publishing, NAT, application inspection
Suboptimal design
Traffic into and out of DMZ interfaces isn’t well-protected
Basic packet filtering is just like any other firewall
Has no knowledge of application protocols
Can’t inspect for conformance
Doesn’t use web or application filters
Recommendation—Don’t use three-homed design
Proper design
Back-to-back ISA Servers
LATs
Outside: IP address range(s) of DMZ net
Inside: IP address range(s) of corp net
Achieve inspection everywhere
Internet to DMZ
DMZ to corp net
It’s this inspection that’s the value
Back-to-back publishing
In DMZ
Normal publishing method
In corp net
Publish resource on inside ISA Server
Publish inside ISA Server on outside ISA Server
Use SSL offload cards for HTTPS
http://www.microsoft.com/isaserver/partners/ssl.asp
AEP Crypto—fast and cheap!
Interesting alternative
Three-homed design
No “DMZ” interface
Two internal interfaces
Application inspection between Internet and all internal interfaces
Need to protect cross-interface communications—how?
Good for constrained budgets
Interesting alternative
[Diagram: three-homed ISA Server with Internet, internal 1 (screened subnet) and internal 2 (corp net)]
Internet ↔ internal 1: server publishing, web publishing, NAT, application inspection
Internet ↔ internal 2: server publishing, web publishing, NAT, application inspection
internal 1 ↔ internal 2: RRAS packet filters
RRAS filters
Use RRAS filtering to control communications between nets
Think securely!
Block all from 1 to 2… except that which is necessary
Block all from 2 to 1… except that which is necessary
Don’t allow everything from corp to screened
Not concerned with VPN protocols here
RRAS is just providing the filtering
SSL handling and certificates
SSL handling
Three options
1. “Passthrough” or “tunneling”
2. “Termination”
3. “Regeneration”
2 and 3 sometimes referred to as bridging—but which kind?
SSL handling
Passthrough (server publishing)
[Diagram: Internet → ISA Server → published computer, with the packet drawn as IP | np | payld at each hop]
Payload remains encrypted
No examination occurring here
Can be valuable if policy favors privacy over inspection
SSL handling
Termination (Web publishing)
[Diagram: Internet → ISA Server → published computer, with the packet drawn as IP | np | payld at each hop]
Payload is decrypted
Examination possible
Valuable if policy favors inspection
Insecure: cleartext on inside network
SSL handling
Regeneration (Web publishing)
[Diagram: Internet → ISA Server → published computer, with the packet drawn as IP | np | payld at each hop]
Payload is decrypted
Examination possible
Valuable if policy favors inspection
Payload is then re-encrypted
Secure: ciphertext even on inside
Certificates
Server certificates
When ISA Server is an HTTPS server
Obtain from public CA
Choose on the listener tab
Client certificates
When published server requires client certs for authN
Obtain from internal CA
Choose on the listener tab
Certs for published web servers
Issued from internal CA
Add internal root to ISA Server
Packet filters, packet filtering and IP routing
Does this hurt?
Traffic passing
LAT ↔ external is well-understood
Protocol rules: getting out
Publishing rules: getting in
But…
What are packet filters?
What happens when you turn on packet filtering?
What is IP routing?
Access policy
Packet filters allow traffic into and out of the external interface
Are independent of protocol and publishing rules
Should always enable packet filtering to protect ISA Server computer
Blocks nearly everything except…
Some ICMP, outbound DNS questions
Packet filters
From/to ISA Server computer
Not recommended! (It’s a firewall, not a workstation)
External ↔ DMZ
Need a filter for each protocol allowed into the DMZ
Don’t need response rules
LAT ↔ external/DMZ
Only for non-TCP/UDP protocols
IP routing
Needed for non-TCP/UDP access by SecureNAT clients
Improves performance by enabling the kernel mode data pump!
Huh?
Checkbox has a completely different meaning than what’s implied by “IP routing”
Secondary connections
“Data channels” negotiated and opened while primary connection still exists
Examples
St(r)eaming media
Audio/video conferencing
FTP
KMDP
If:
A protocol has secondary connections
There is no application filter that wants to inspect the data stream
Then:
Enabling IP routing sends secondary connections through the KMDP
Big performance boost
Works with
All client types
Filters that are KMDP-aware
A bad configuration
If you:
Enable packet filtering
Write packet filters for TCP, UDP, and other IP protocols
Enable routing
Have no protocol or publishing rules
You have a basic, stupid layer 3/layer 4 stateful inspection firewall
Clients
Client types
SecureNAT
Crazy name—there is no client software or configuration
Handled by firewall service
HTTP requests redirected to web proxy service if redirector is enabled
Firewall client
Handled by firewall service
HTTP requests redirected to web proxy service if redirector is enabled
Web proxy client
Handled by web proxy service
“All protocols”
Means different things
SecureNAT
Only those where a (simple) protocol definition exists
Need application filter for complex
Firewall client
Literally everything
Web proxy client
Web protocols
Authentication
SecureNAT
No user authentication; only IP addresses can be used in client address sets
Firewall client
Carries user credentials
Authenticates for all protocols
There’s an exception…
Web proxy client
Carries user credentials
Firewall client authentication
Exemption
Scenario
User is FW client only
HTTP redirector filter is on
Sends FW client HTTP requests to web proxy
User credentials are lost
Firewall service doesn’t forward
Logs will show anonymous ID
Solution
Configure redirector to reject HTTP requests from FW and SecureNAT clients
Firewall client operation
Intercepts all WinSock API calls—calls to external addresses are redirected to ISA Server
Layered service provider; works with all IP protocols
Supports user authentication; can set permissions by protocol and port
No need for address editing
Firewall client operation
[Diagram: protocol stacks on the three hosts]
local host: Windows Sockets Application (TCP/IP) → Windows Sockets API (WSOCK32.DLL) → WSP (WSP.DLL) → TCP/IP → NIC
ISA Server: NIC → TCP/IP → Winsock Proxy Service → TCP/IP → NIC
remote host: Internet Application (TCP/IP) → Windows Sockets or other TCP/IP interface → TCP/IP → NIC
local host ↔ ISA Server across the local network; ISA Server ↔ remote host across the Internet
Firewall client operation
Establishing a connection
[Sequence diagram: WS app and WSP (Winsock Provider) on the client, ISA Server at 10.1.1.2, Internet server at 77.1.1.2]
1. WS app calls WinSock: connect to 77.1.1.2:23
2. WSP sends the control request to ISA Server: connect {77.1.1.2:23}
3. ISA Server replies: [OK - 10.1.1.2:1200]
4. WSP connects the app’s socket to ISA Server instead: connect {10.1.1.2:1200}
Firewall client operation
Port usage
1745/TCP: configuration refreshes (MSPCLNT.INI and MSPLAT.TXT)
1745/UDP: control connection; negotiation of data channel
Ephemeral: data connection
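The connect() redirect from the two slides above, as an added example modelled in Python; this is not Microsoft’s WSP.DLL or Firewall service code. The LAT contents, the user, the per-user protocol/port permissions and the addresses are constructed, and the 1745/UDP control exchange is simulated by a method call.

```python
"""Model of the Firewall client connect() redirect (added example, not Microsoft code).
The LSP (WSP.DLL) consults the LAT: LAT destinations go direct, everything else is
negotiated over the control connection and redirected to a data channel on ISA Server.
LAT entries, users, permissions and addresses below are constructed."""
import ipaddress
from dataclasses import dataclass, field

# Constructed MSPLAT.TXT contents, as refreshed over 1745/TCP
LAT = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


def in_lat(addr: str) -> bool:
    """Any destination inside the LAT is internal and is never redirected."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LAT)


@dataclass
class IsaServer:
    """Firewall service side of the control connection (1745/UDP on the slides)."""
    inside_ip: str = "10.1.1.2"
    next_port: int = 1200                          # first data-channel port handed out
    allowed: dict = field(default_factory=dict)    # user -> {(protocol, port)} permitted
    sessions: dict = field(default_factory=dict)   # (inside_ip, port) -> (user, dest_ip, dest_port)

    def negotiate(self, user: str, dest_ip: str, dest_port: int, proto: str = "tcp"):
        """Control request 'connect {dest_ip:dest_port}' carrying the user's credentials.
        Returns the data-channel endpoint ('OK - ip:port'), or None when policy denies."""
        if (proto, dest_port) not in self.allowed.get(user, set()):
            return None
        endpoint = (self.inside_ip, self.next_port)
        self.next_port += 1
        self.sessions[endpoint] = (user, dest_ip, dest_port)
        return endpoint


def wsp_connect(isa: IsaServer, user: str, dest_ip: str, dest_port: int, proto: str = "tcp"):
    """What the layered service provider does when the application calls connect()."""
    if in_lat(dest_ip):
        return ("direct", dest_ip, dest_port)          # internal: socket connects as asked
    endpoint = isa.negotiate(user, dest_ip, dest_port, proto)
    if endpoint is None:
        return ("refused", dest_ip, dest_port)         # rule denies this user/protocol/port
    return ("redirected", endpoint[0], endpoint[1])    # socket really connects to ISA Server


if __name__ == "__main__":
    isa = IsaServer(allowed={"alice": {("tcp", 23)}})
    print(wsp_connect(isa, "alice", "77.1.1.2", 23))   # the slide's telnet connect
    print(wsp_connect(isa, "alice", "10.5.5.5", 445))  # LAT address, no redirect
```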
DNS
SecureNAT
Must have access to DNS server—ISA Server won’t proxy DNS
Need DNS protocol rule
Firewall client
ISA Server or the client performs DNS
Depends on settings in MSPCLNT.INI
Web proxy client
ISA Server performs DNS
DNS configuration
Must have proper DNS configuration
On ISA Server external interface if no DNS forwarding available
On inside interface if server in LAT can forward to Internet
Bind NIC with DNS settings higher
http://isaserver.org/pages/article.asp?id=239
Incorrect defaults for DNS cache
http://isaserver.org/pages/article.asp?id=238
Firewall clients are “special”…
DNS configuration
Firewall client
Resolution obeys setting for each application in MSPCLNT.INI
Local or proxied
“Common configuration” is local
Just like SecureNAT
Error 14120
Occurs if FW client is accessing a published server
Traffic leaves then re-enters ISA Server
http://isaserver.org/pages/article.asp?id=236
http://isaserver.org/pages/article.asp?id=353
ISA Server vs. RRAS
Terminology
Remote access VPN
Client on Internet connects to VPN server
Network VPN
Two networks create VPN over Internet
Gateway server on each network
Often called “site-to-site VPN”
IPSec
Transport mode: used in L2TP+IPSec remote access and network VPNs
Tunnel mode: designed for network VPNs
RRAS
RRAS handles all VPN work
ISA Server’s wizard simplifies configuration for typical scenarios
Inbound remote-access
Network
Doesn’t eliminate need to understand RRAS
ISA Server
Can:
Originate and terminate PPTP and L2TP+IPSec VPNs
For remote access and network
Permit outbound PPTP
Can’t:
Terminate IPSec tunnel mode VPNs
Permit outbound L2TP+IPSec
Server-publish any VPN protocol
NAT-T improves situation; stay tuned
Enabling outbound PPTP
UI: packet filter properties
<server>\Access Policy\IP Packet Filters, context menu: Properties
Sets up packet filter to allow outbound PPTP
Filter type: “PPTP call”
IP protocol 47, both directions
Enabling inbound VPN
ISA Server terminates incoming VPN connections
Can’t server-publish any VPN protocol
Enables PPTP and L2TP+IPSec
Configures RRAS
Enforces authentication and encryption
Opens packet filters
Inbound VPN packet filters
Allow IKE (Internet Key Exchange)
any-ip:500/udp ↔ external-ip:500/udp
Allow L2TP
any-ip:1701/udp ↔ external-ip:1701/udp
Application filters handle PPTP
“PPTP receive”: accepts inbound PPTP
“PPTP call”: allows responses
IP protocol 47, both directions
RRAS configuration
Both routing and remote access
MS-CHAP and MS-CHAPv2 authN
Disable MS-CHAP on RRAS and in policy profile
DHCP address assignment
128 PPTP and 128 L2TP ports
No RRAS packet filtering
40-, 56-, and 128-bit encryption
Change policy profile to allow only “Strongest” = 128-bit
Recall the limitations
Can’t—
Terminate IPSec tunnel mode VPNs
Permit outbound L2TP+IPSec
Server-publish any VPN protocol
Various architectural and protocol reasons
But first…
IPSec background
Security association (SA)
Alice and Bob have a secure “channel” between their computers
Authenticates and optionally encrypts
Transport mode
SA between two nodes
Tunnel mode
SA between two gateways
Node-to-node is secure because it passes through gateways
IPSec background
IPSec alone not sufficient for remote access VPNs
No user authentication
No endpoint address assignment
L2TP performs these functions
IPSec protects traffic
Authenticates machines
Encrypts L2TP
IPSec background
L2TP+IPSec suitable for both remote access and network VPNs
Supported in product
Well-documented
Compare to pure IPSec tunnel mode
Supported only for network VPNs
Difficult to configure
No routable interfaces in RRAS
Not possible today with ISA Server
L2TP+IPSec packet behavior
When an L2TP+IPSec VPN server receives traffic—
1. IPSec packet arrives at ISA Server
2. Packet filter driver hands to IPSec
3. IPSec decrypts then reinjects L2TP into receive path
4. Packet filter driver sees L2TP and accepts
5. Packet goes to L2TP driver in RRAS
6. Packet decapsulated
L2TP+IPSec packet behavior
Say we tried pure IPSec tunnel mode
1. Packet arrives at ISA Server
2. Packet filter driver hands to IPSec
3. IPSec decrypts and passes up the stack
Packet has destination IP address other than ISA Server’s own, so—
1. Packet placed on stack’s send path—this is normal Windows behavior
2. Packet goes back out ISA Server, rather than delivered to client behind
L2TP+IPSec limitations
Therefore: can’t use IPSec tunnel mode
Can’t also allow outbound L2TP+IPSec at all
NAT issue; see NAT-T info later
VPN server publishing
Not possible in current version of ISA Server
Server publishing understands only TCP and UDP
VPNs use other IP protocols
PPTP: 47, generic routing encapsulation
IPSec ESP: 50, encapsulated security payload
IPSec AH: 51, authentication header
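The inbound VPN packet filters (IKE, L2TP, and the PPTP application filters on IP protocol 47) and the TCP/UDP-only limit on server publishing, as an added Python model that is not part of the deck or of ISA Server itself; the Packet fields, EXTERNAL_IP, the sample addresses and the filter names returned are assumptions made for illustration:

```python
# Added example, not from the SEC407 deck: a small model of the packet-filter and
# server-publishing behaviour the slides describe. The Packet layout, the filter
# names used as return values and the sample addresses are assumptions.
from dataclasses import dataclass
from typing import Optional

EXTERNAL_IP = "203.0.113.10"                 # constructed external address of the ISA Server
TCP, UDP, GRE, ESP, AH = 6, 17, 47, 50, 51   # IANA IP protocol numbers


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: int          # IP protocol number
    src_port: int = 0   # ports stay 0 for GRE/ESP/AH, which carry none
    dst_port: int = 0


def inbound_vpn_filter(pkt: Packet) -> Optional[str]:
    """Name the deck's inbound VPN filter that accepts pkt, or None if none does."""
    if EXTERNAL_IP not in (pkt.src_ip, pkt.dst_ip):
        return None                      # filters are bound to the external interface
    if pkt.proto == UDP:
        if pkt.src_port == 500 and pkt.dst_port == 500:
            return "Allow IKE"           # any-ip:500/udp <-> external-ip:500/udp
        if pkt.src_port == 1701 and pkt.dst_port == 1701:
            return "Allow L2TP"          # any-ip:1701/udp <-> external-ip:1701/udp
        return None
    if pkt.proto == GRE:
        # "PPTP receive" accepts inbound GRE, "PPTP call" allows the responses (protocol 47 both ways)
        return "PPTP receive" if pkt.dst_ip == EXTERNAL_IP else "PPTP call"
    if pkt.proto == TCP and pkt.dst_ip == EXTERNAL_IP and pkt.dst_port == 1723:
        return "PPTP receive"            # PPTP control channel, 1723/tcp (as on the RRAS slide)
    return None                          # ESP, AH and everything else: no inbound VPN filter


def server_publishing_accepts(pkt: Packet) -> bool:
    """Server publishing matches by TCP/UDP port only, so other IP protocols never match."""
    return pkt.proto in (TCP, UDP)


def unpublishable_vpn_protocols() -> dict:
    """Which VPN carrier protocols from the slide server publishing cannot forward."""
    carriers = {"PPTP (GRE)": GRE, "IPSec ESP": ESP, "IPSec AH": AH}
    return {name: not server_publishing_accepts(Packet("198.51.100.7", "10.0.0.5", p))
            for name, p in carriers.items()}
```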
Q310888
RRAS “Internal” interface is server-side tunnel termination point
Can NAT this interface to treat incoming tunnels as private interfaces
NATing them allows easy outbound access either back through RRAS or through some other firewall
Also allows NATing between RRAS sites
Article explains how to set this up
Functionality issue
ISA Server replaces RRAS’s NAT driver
RRAS “Internal” interface can no longer be NATed
Breaks Q310888
RRAS NAT GUI makes no sense
NETSH NAT settings ignored
Do you want VPN users to be able to get back out to the Internet?
Yes: need separate RRAS and ISA Server computers
Do Q310888 on RRAS computer
Recommendations
RAVPN
NetVPN
Outbound Internet Q310888 RRAS
ISA Server Both Separate
RRAS security
Don’t forget RRAS packet filters if using RRAS alone
External interface—
PPTP: from any:any to ext-ip:1723/tcp
L2TP: from any:any to ext-ip:1701/udp
LAN interface—
PPTP: from lan-ip:1723/tcp to any:any
L2TP: from lan-ip:1701/udp to any:any
No IPSec filterspecs needed
Traffic is L2TP once RRAS sees it
Next Steps
Complete the evaluation of ISA Server that you’ve already been doing
Right?
Consider where adding application-aware inspection can increase security
Exchange RPC
Outlook Web Access
SharePoint Servers of various flavors
Anything built on any web server
Deploy it!
Suggested Reading And Resources
The tools you need to put technology to work!
TITLE (Available)
Microsoft® Internet Security and Acceleration (ISA) Server 2000 Administrator's Pocket Consultant: 0-7356-1442-3 (Today)
Writing Secure Code, Second Edition: 0-7356-1722-8 (Today)
Microsoft Press books are 20% off at the TechEd Bookstore
Also buy any TWO Microsoft Press books and get a FREE T-Shirt
Community Resources
Community Resources: http://www.microsoft.com/communities/default.mspx
Most Valuable Professional (MVP): http://www.mvp.support.microsoft.com/
Newsgroups: converse online with Microsoft Newsgroups, including Worldwide
http://www.microsoft.com/communities/newsgroups/default.mspx
User Groups: meet and learn with your peers
http://www.microsoft.com/communities/usergroups/default.mspx
Evaluations
© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.