ISA 2004 Training Labs

Posted on January 8, 2009 by Daniel Petri in Security with 0 Comments

ISA Server 2004 Training Labs

A review of Train Signal’s ISA Server 2004 Training. See more details at Train Signal’s website.

I was reasonably familiar with Microsoft Proxy 2.0 and I had installed ISA 2000 once about 3 years ago, although due to its location it was only used as a Caching Server. So, what could be different in ISA 2004? As we are about to find out, LOTS!! David Davis simplifies this complex and versatile application with easy to understand explanations and comprehensive videos.

Daniel’s recommendations
If you are looking to really master Active Directory (or other Networking skills), I strongly recommend that you try Train Signal. I’ve discovered this company a few months ago and I always send people their way because the training is so good. You can see more HERE.

Daniel Petri

We start with the Concepts video where we learn about Firewalls, the different types and why we need one. We find out why we need to be comfortable with IP, NAT, Protocols and Ports and how important they are to a firewall. Security Policies are also introduced with their vital importance emphasized. I mean, why put deadlocks on all your doors and windows and then leave the master key hanging from the doorbell button?

In Firewall Design and Implementation we learn about problems that can be encountered when using a firewall, the benefits of using one, what ISA 2004 does and doesn’t do, where they can and possibly should be placed, how many you may need and what type you may require. A quick demo of Linksys and Cisco firewalls, along with a discussion of implementing a new firewall, rounded off this video.

The Lab Setup defines the scenario of the company we are installing ISA 2004 into. This scenario is very detailed and could easily be based on a live situation so you can easily relate to it when you do an actual install and setup. No detail seemed too small to be included and it gives you a good feel of what they want, why they want it and how they need it to work.  The following videos proceed to teach us how to do it.

Video 1 covers Client-side Firewalls and how they fit into your client’s scenario. We discover the basics of client-side firewalls, the pros and cons, application compared to port-to-port and we finish off with a look at the built-in Windows firewall and ZoneAlarm. David gives ZoneAlarm a good workout installing and configuring it.

Video 2 starts to get down to the fun stuff. Here we learn about planning the installation of ISA 2004, installation best practices, configuring the NICs and then the good stuff…. installing ISA 2004 Server. Each screen option and setting is covered so you really know what you need to do when you set up your practice lab.

Video 3 covers ISA 2004 Server concepts and how they relate to our site’s defense, network perimeter security and the various filtering used. An overview of ISA 2004 features and how it protects published resources like OWA/OMA, VPN and web caching just to name a couple. The multitude of configuration tabs were, I thought, comprehensively covered and any difficult concepts were fully explained with David’s extensive knowledge and experience enabling him to get the message successfully across.

Video 4 delves into the connection between the Internet and ISA 2004 and/or from a client using SecureNAT. Follow the simple step-by-step instructions as David effortlessly guides us through the configuration. Unlike my preconceptions, this was just the case of adding another simple Rule and as we will learn later in the Lab, Rules are the heart of ISA 2004’s security. So simple a blind mouse could create them BUT they need to be placed in the correct order. That is what I consider to be the trick to getting ISA 2004 working correctly and efficiently.

Video 5 goes into more depth about adding Rules, one of which I used to stop student users from downloading demo games into their home folders. Saved over 2GB of throughput in the first month alone! We learn about System Policies and how they are hidden by default and how to find them. In fact, ISA 2004’s default install is in lockdown mode. The first rule you see is DENY access to EVERYTHING!! This made my initial installation very interesting until I spent some quality time with this excellent Train Signal tutorial. Instead of looking like a complete twit in front of my client, Train Signal’s ISA 2004 Server Lab made me look positively brilliant and allowed me to extol the virtues of ISA 2004. I was able to show the client how it was going to save them money while at the same time allowing us to further control what the students and staff could access and download. Thanks David…..It’s Miller Time.

Video 6 takes us deeper into SecureNAT than we experienced in video 4 and we learn about its good and bad parts. We look more into NAT, how it works, why it is used and find it has an unintended beneficial feature. We also learn there are different types of NAT and what they do. SecureNAT is configured with step-by-step instructions and then we are shown how to disable it.

Video 7 is all about ISA Client and Automatic Provisioning. Huh? Well that’s what I thought but what it all boiled down to was the firewall client, web proxy client and learning how to restrict access to individual users and/or sites. This was followed by setting it so the client would automatically discover ISA 2004 (and use it) and using a GPO to automate the firewall client install.

Video 8 starts to get down to the nitty gritty of the security side.  Here we learn more about SPI (a popular firewall in many routers) and Application Layer Filtering (ALF). While I knew about SPI, my knowledge of ALF was zero. ALF works at Layer 7 of the OSI model and this allows ISA 2004 to filter HTTP, FTP, SMTP and protocols that work at this level. David goes into some detail about ALF with what can and cannot be configured. Web filters are discussed and we learn how to use this in conjunction with the ALF to block unwanted programs like Bearshare, Morpheus and the like. We can also use SPI to detect attacks on our site and again we get a run through with each step and setting explained.

Video 9 was all about Caching. This was covered in surprising detail, well surprising for me, mainly due to the extra abilities of ISA 2004. We learn about the different types of caching, how useful they can be or not due to what is being cached and how it can benefit large sites. We learn about more Rules and how they can be used to achieve our desired outcomes.  Caching, easy subject? No! I watched this video several times, well parts of it several times so I could truly understand how to fully apply it to my situation. I found that monitoring web caching was going to be a very useful tool for me.

Video 10 and we enter the world of Publishing Applications with specific apps like Web, Exchange, OWA and later we configure an application to publish. One of the scenario tasks was to publish an Exchange Server. Simple eh! Well not really, but David takes us through it one step at a time until it is all finished. While not undaunting it was complex and I watched this segment several times, practicing on my remote lab along the way with each step. Here is the beauty of Train Signal Labs. When you do it for practice or real, you have a Virtual Instructor looking over your shoulder helping you if you get stuck. Then to back up that lesson, we publish a Web Server. The same principle just slightly different options.

Video 11 and here comes the VPN server. Unfortunately I have not had the opportunity to go live with this lesson but it is damn interesting, informative and chock full of information. We learn about PPTP VPN server, L2TP/IPSEC VPN server and using AD and RADIUS Authentication. VPN Quarantine is discussed but it really requires additional knowledge of the Connection Management Administration Kit (CMAK – don’t you just love all the acronyms we have to know), a downloadable tool from Microsoft.

David uses a diagram to make a simple explanation of the complexity of a VPN setup. A picture really is worth a thousand words. The rest of this video is dedicated to going through the steps of setting it up and getting it working, and work it does.

Video 12 is about ISA site-to-site VPN tunneling and how it is configured. While this is something I will most likely never use, the functionality I found fascinating. The simplicity was surprising (by now I don’t know why I was still being surprised) and again it was the Rules that did all the work, once they were set up that is. The Wizard used to create the rules makes this setup job a lot easier than you think. (A bit like algebra, what you do to one side, you do to the other). As with all Microsoft wizards you choose an option and click next for the following options. Make sure you read any popup screens and understand what they say before moving onto the next option. Again David explains each screen in the wizard (popup included) which simplifies even further this seemingly complex process.

There is so much in this video alone it could almost do with its own review or even be a Lab on its own.

Video 13 is about some third party products for ISA 2004. They include GFI Web Monitor, SurfControl, Akonix, Panda Anti-virus and some free tools that can be downloaded from Microsoft. These were but a few tools that are available for ISA 2004 and you really need to find the one or ones that best suit your needs. I have to admit I was impressed by GFI Web Monitor as it would apply to my situation perfectly. However justifying it to the beancounters can be another problem. A trial version was installed so you too can check out the excellent tool. As you will see from the trial GFI install, it is a really good program for ISA [Note to self. Install key logger on beancounter’s PC. Need leverage to get this program].

So as not to appear biased, SurfControl looks pretty good too but appears to me as a more specialized app. Akonix was more specialized and was more focused on Instant Message control. Panda anti-virus is something I have never used so I can’t make any personal comments but it must have merit if David has chosen it as one of the few mentioned. The Microsoft free tools are worth a look and they do come at the right price for all. Microsoft’s free tool CacheDir is another tool that is a must install. You will understand why after watching this video.

Also mentioned are a couple of Forums dedicated to ISA Server. Microsoft obviously have one but http://www.isaserver.org is a resource rich site and should probably be a first port of call for any ISA questions.

Video 14 covers the Enterprise Edition of ISA 2004 and I suppose it does boldly go where no ISA Server has gone before. We delve into the benefits of Network Load Balancing, Active Directory Application Mode (ADAM) and configuring some Enterprise Edition features. Not using the Enterprise Edition I only gave this video a single look but the depth of information and detail was what I have come to expect from Train Signal. David even runs through an install so you can see what the differences between this and the Standard Edition are, and as usual the different options are discussed and explained.

Video 15 and lucky last. This video is massive with the info it contains and not surprisingly since it is all about Monitoring, Logging, Reporting and Troubleshooting ISA 2004. Compared to what I was used to with Microsoft Proxy 2.0, what you can do is just mind boggling. If I mentioned half of what it could do I am sure I would double the size of this review and I am sure not all the facilities and features were mentioned, just the major ones. Alerting is mentioned, what can trigger one and what actions can be taken when one occurs.  We go to the ISA MMC to get a hands on look at the various monitoring options available. We learn how to customize error pages (this was touched on in IIS 6 Web Servers) and how it can inform users what action they can take if a particular error page is displayed. There was also an interesting point on error pages for SecureNAT.

We can look at ISA Array Reports and see what protocols are being used. Amount of requests, what user made the request, what site was accessed and a plethora of other information. We also learnt about how to configure logging so a report can be generated about an individual’s Internet activity and we get a step-by-step walk through of how to set it up and how to add different options along the way. Be advised that these logs can consume a considerable amount of HDD capacity. These logs can be used to run a query on a certain beancounter, err, I mean user. They can surf but they can’t hide where they’ve been.

It took me the best part of two weeks’ worth of evenings and a weekend to thoroughly go through this Lab and the result was fantastic. I was able to install ISA 2004 on a production server, have it running and successfully servicing clients in less than an hour. Of course tweaking is continuing. Without Train Signal’s Lab 21 ISA Server 2004, I think I would have aged 30 – 75 years and lost any hair I actually have left. This is the second most extensive Train Signal Lab I have had the pleasure to use (Exchange 2003 training was the first).

ISA 2004 Server Lab was stupendous and if it was triple the price you would still be getting an inexpensive and superb tutorial. This is another Train Signal winner!!

ISA 2004 Video Lab Training – Product Details

About the writer

Chris G. Breen (aka Biggles77) is one of the Petri.co.il forum moderators and one of the most active writers on these forums. Chris lives and works in Australia.

For more information and review copies

Please visit Train Signal’s website
