
Microsoft ISA Server 2004 Firewall, Part 4

Publishing Internal Resources

Publishing internal resources follows largely the same process as creating an access rule. It is a wizard-driven process, but the focus of a publishing rule is allowing access to protected resources, as opposed to access rules (which allow access from protected resources).

Regardless of which type of publishing rule you need to create, the process is fairly similar. The first step is to right-click the firewall policy and select to create a new publishing rule (for example, a web publishing rule) and follow the wizard. At the Welcome screen, enter the appropriate rule name and click Next. At the Select Rule Action screen, specify whether traffic that matches the rule should be permitted or denied and click Next. Figure 8-11 shows the Define Website to Publish screen. This is where you specify the information for the internal server that is hosting the website. Enter the appropriate information and click Next. For example, if you use host headers to allow multiple websites to exist on the same physical server, you will want to check the box to Forward the original host header instead of the actual one (specified above). This will cause the ISA server to actually keep the host header information, instead of just routing all web requests to the default website on the internal web server. One of the nice features of the web publishing rule is the ability to specify individual folders on the website that the rule will apply to. When you have finished, click Next.

Figure 8-11. Define Website to Publish Screen

At the Public Name Details screen, you enter the information that the website will be known to the public as (for example www.cisco.com). You can also define the public path that the Microsoft ISA Server 2004 server will advertise. Figure 8-12 illustrates this screen.

Figure 8-12. Public Name Details Screen

When you have finished, click Next.
Doing so brings you to the Select Web Listener screen. The web listener allows you to define the external IP address and port number that the firewall will listen for requests for this rule on. If you do not already have a listener defined, you can click New to launch the New Web Listener Definition Wizard. Doing so enables you to define the interfaces and IP addresses as well as the port numbers that the rule will use. You can also define the internal path that the web request will be directed to on the internal web server. In most cases, the internal and external paths will match; if you want the external path to redirect to a different internal path, however, you can specify different settings. For example, if you want http://www.cisco.com/sales.htm to redirect on the internal web server to http://www.cisco.com, you specify an external path of http://www.cisco.com/sales.htm and an internal path of /*. After you have defined the listener, just select it from the Web Listener drop-down dialog box, as shown in Figure 8-13, and click Next.

Figure 8-13. Select Web Listener Screen

At the User Sets screen, select the users who the rule will apply to and click Next. Review the configuration and click Finish to create the rule. Once again, if you want to apply the rule to the firewall, you must then click Apply in the management console.

Performing Application Filtering

ISA Server 2004 contains a number of built-in application filters to provide for application layer inspection of the corresponding traffic. Configuring the application filters is performed in various locations within the management console. For web filters, just right-click an HTTP or HTTPS rule and select Configure HTTP.
By default, Microsoft ISA Server 2004 supports the following HTTP application-filtering options:

• Maximum header length (in bytes)
• Maximum payload length (in bytes)
• URL length and query length protection (in bytes)
• URL normalization and high bit character blocking
• Windows executable blocking
• User-defined HTTP method filtering (for example, denying POST methods)
• File extension filtering
• User-defined HTTP header content
• User-defined signature content filtering

For application filters, most can be managed from the add-ins screen, as shown in Figure 8-14.

Figure 8-14. Application Filters

A notable exception to this is the DNS filtering, which is configured under the General section of the management console by clicking Enable Intrusion Detection and DNS Attack Detection (by default, both intrusion detection and DNS attack detection are enabled).

Configuring System Policy Rules

Access rules and server publishing rules control the access to and from networks protected by the firewall. To control access to the firewall itself, system policy rules have been created. These rules do not show up by default when you view the firewall policy, but they can be enabled by selecting the firewall policy and then clicking Show System Policy Rules. Doing so causes all system policy rules to display in addition to any access and publishing rules, as shown in Figure 8-15.

Figure 8-15. Displaying the System Policy Rules

You can add, change, and delete the system policy rules manually, or you can edit the system policy via a graphical user interface (GUI) by right-clicking the firewall policy and selecting Edit System Policy. Doing so launches the System Policy Editor screen, as shown in Figure 8-16.

Figure 8-16. System Policy Editor Screen ...
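
The following Python example is added here and is not taken from the original text or from ISA Server itself. It models several of the HTTP filtering options listed under Performing Application Filtering as checks applied to one raw request, so the effect of each limit can be seen on concrete input. The HttpPolicy field names, the limit values and the sample requests are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from urllib.parse import unquote_to_bytes

@dataclass(frozen=True)
class HttpPolicy:
    # Hypothetical names and limits modelled on the option list; not ISA's own.
    max_header_bytes: int = 32768
    max_payload_bytes: int = 65536
    max_url_bytes: int = 260
    max_query_bytes: int = 128
    block_high_bit: bool = True
    denied_methods: tuple = ("POST",)
    denied_extensions: tuple = (".exe", ".bat")

def check_request(raw: bytes, policy: HttpPolicy = HttpPolicy()) -> list:
    """Return the names of the checks that one raw HTTP request fails."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3:
        return ["malformed request line"]
    method, target, _version = parts
    path, _, query = target.partition(b"?")
    decoded = unquote_to_bytes(path)  # one normalization pass
    failed = []
    if len(headers) > policy.max_header_bytes:
        failed.append("header length")
    if len(body) > policy.max_payload_bytes:
        failed.append("payload length")
    if len(target) > policy.max_url_bytes:
        failed.append("URL length")
    if len(query) > policy.max_query_bytes:
        failed.append("query length")
    # A '%' escape that survives one decode means the URL was double-encoded.
    if unquote_to_bytes(decoded) != decoded:
        failed.append("URL normalization")
    if policy.block_high_bit and any(b > 0x7F for b in decoded + query):
        failed.append("high-bit character")
    if method.decode("ascii", "replace").upper() in policy.denied_methods:
        failed.append("method")
    segment = decoded.rsplit(b"/", 1)[-1].decode("latin-1").lower()
    if "." in segment and "." + segment.rsplit(".", 1)[1] in policy.denied_extensions:
        failed.append("file extension")
    return failed

# Constructed sample requests (not captured traffic).
TAIL = b" HTTP/1.1\r\nHost: www.cisco.com\r\n\r\n"
CLEAN = b"GET /sales.htm" + TAIL
DOUBLE_ENCODED = b"GET /report%2541.htm" + TAIL
POST_FORM = b"POST /form.asp" + TAIL + b"x=1"
EXE_DOWNLOAD = b"GET /tools/setup.EXE?v=1" + TAIL
```

Calling check_request on each sample returns the list of failed checks; an empty list means the request passes every configured option.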
