APPENDICES
APPENDIX A
APPENDIX B
APPENDIX C
APPENDIX D
APPENDIX E
APPENDIX F
---------------------------------------------------------------------------------------------------------
APPENDIX A
Website:
http://www.rashidkhan.co.uk/
and also available on CD
Installing Windows Server 2003
To install Windows Server 2003 the following actions were taken:
- Booted directly from the Windows Server 2003 CD. Setup loaded the files and drivers it needed and then presented a blue text-mode screen.
- Selected Setup Windows Server 2003 by pressing ENTER.
- Read the licensing agreement (EULA) and accepted it by pressing F8.
- The hard disk was unpartitioned, so I created and sized the partition on which to install Windows Server 2003.
- Setup offered FAT, FAT32 or NTFS for the installation partition; I selected NTFS.
- Setup then began copying the necessary files from the installation CD.
- The computer restarted in graphical mode and the installation continued in the GUI phase, loading device drivers for the hardware found on the computer.
- I did not need to change the regional and language (system locale) settings and just pressed Next.
- Setup then copied further files from the installation CD.
- I was prompted to enter a name, an organization name, the product key, the licensing mode and the number of purchased licenses.
- I was prompted to type the computer name and a password for the local Administrator account, then selected the date, time and time zone settings.
- Setup installed the networking components. I highlighted the TCP/IP entry, clicked Properties and on the General tab entered the required information: the IP address of the computer and its subnet mask.
- Setup finished copying files and configuring the system, after which it completed and booted Windows Server 2003.

Virtual Private Networking – Appendix A– Installing Windows Server 2003
After careful study I found that the following procedures must be performed, in this order, to install ISA Server 2000 on a Windows Server 2003 computer:
- Install Windows Server 2003
- Install ISA Server 2000
- Install ISA Server Service Pack 1
- Install isahf255.exe
- Install Feature Pack 1
ISA Server 2000 can be installed in one of three modes:
Cache Mode
An ISA Server in Cache mode is designed to have one or two network interfaces. Each interface must be located on the internal network, because packet filtering is not enforced on a caching-only ISA Server machine.
Firewall Mode
Firewall mode provides a high level of firewall protection from external intruders and also protects your network by enabling granular outbound access control. Firewall mode does not include the Web caching features that are part of the Cache mode server.
Integrated Mode
Integrated mode provides all the firewall and caching features available with ISA Server 2000.
The Windows Server 2003 machine that I was using for the VPN deployment had to have the following characteristics:
- At least two network interfaces, one internal and one external
- The DNS setting on the internal interface uses an internal DNS server that can resolve Internet host names
- All non-essential services on the ISA Server 2000 machine are disabled
An Integrated mode ISA Server firewall requires at least one internal and one external interface.
- The internal interface is never configured with a default gateway address. The IP address on the internal interface is always on the LAT.
- The external interface is configured with a default gateway that routes packets to the Internet. The external interface is never on the LAT.
Windows Server 2003, like Windows 2000, allows a single default gateway. As a result, ISA Server 2000 on Windows Server 2003 supports a single external (Internet) interface. I can have multiple public-address DMZ interfaces, but only a single interface can connect the internal network to the Internet.
The DNS settings on the ISA Server interfaces must be configured correctly. Misconfiguration of the DNS settings is the most common configuration error made on ISA Server firewalls in production. The preferred setup is to
- Configure the internal interface of the ISA Server with the address of a DNS server on the internal network that is capable of resolving Internet host names
- Place the internal interface on the top of the interface list. Windows Server 2003 uses the interface order to determine which name server addresses to query first.
- Do not enter a DNS server address on the external interface
I had to perform the following steps to configure the interface order on the ISA Server computer:
- Clicked Start , pointed to Control Panel and right clicked on Network Connections . Clicked the Open command (figure 1).
Figure 1

- In the Network Connections window, clicked the Advanced menu and then clicked the Advanced Settings command (figure 2).
Figure 2

- In the Advanced Settings dialog box, selected the interface representing the internal interface and clicked the up arrow to move the internal interface to the top of the interface list. Clicked OK in the Advanced Settings dialog box after making the changes to the interface order.
Figure 3

I disabled all non-essential services on the ISA Server firewall computer. While each ISA Server firewall implementation requires its own customized set of services, it is safe to conclude that the IIS W3SVC (the World Wide Web Publishing Service) should not run on the ISA Server firewall.
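The interface, DNS, binding-order and service requirements above can be checked from a script instead of by clicking through the dialogs. The following is an added example and not part of the original appendix; it is run in PowerShell on the ISA Server machine, reads the settings through WMI and the registry, and assumes the internal and external connections are named "Internal" and "External" (placeholders; use the names shown in the Network Connections window).

```powershell
# Added example, not part of the original appendix: audit the ISA Server
# firewall's interface, DNS, binding-order and service requirements.
# Assumed connection names (adjust to your Network Connections window):
$internalName = "Internal"
$externalName = "External"

# Win32_NetworkAdapter carries the connection name; the configuration object
# with the same Index carries the IP, gateway and DNS settings.
function Get-NicConfig([string]$connectionName) {
    $adapter = Get-WmiObject Win32_NetworkAdapter |
        Where-Object { $_.NetConnectionID -eq $connectionName }
    if ($adapter -eq $null) { throw "No network connection named '$connectionName'" }
    Get-WmiObject Win32_NetworkAdapterConfiguration |
        Where-Object { $_.Index -eq $adapter.Index }
}

$internal = Get-NicConfig $internalName
$external = Get-NicConfig $externalName
$problems = @()

# Internal interface: never a default gateway; DNS must point at an internal
# server that can resolve Internet host names.
if ($internal.DefaultIPGateway) {
    $problems += "Internal interface has a default gateway: $($internal.DefaultIPGateway -join ', ')"
}
if (-not $internal.DNSServerSearchOrder) {
    $problems += "Internal interface has no DNS server configured"
}

# External interface: carries the only default gateway and has no DNS server.
if (-not $external.DefaultIPGateway) {
    $problems += "External interface has no default gateway"
}
if ($external.DNSServerSearchOrder) {
    $problems += "External interface has DNS servers configured: $($external.DNSServerSearchOrder -join ', ')"
}

# Windows supports a single default gateway; a gateway on more than one NIC
# means traffic can leave through the wrong interface.
$gatewayNics = @(Get-WmiObject Win32_NetworkAdapterConfiguration |
    Where-Object { $_.IPEnabled -and $_.DefaultIPGateway })
if ($gatewayNics.Count -gt 1) {
    $problems += "More than one interface has a default gateway"
}

# The binding order set under Network Connections > Advanced > Advanced
# Settings is stored as a list of \Device\{GUID} entries. The internal NIC's
# GUID (its SettingID) must be first so its DNS servers are queried first.
$bind = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage").Bind
if ($bind[0] -notlike "*$($internal.SettingID)*") {
    $problems += "Internal interface is not first in the binding order (first is $($bind[0]))"
}

# Non-essential services: the World Wide Web Publishing Service must not run
# on the firewall.
$w3svc = Get-Service W3SVC -ErrorAction SilentlyContinue
if ($w3svc -and $w3svc.Status -eq "Running") {
    $problems += "W3SVC (IIS World Wide Web Publishing Service) is running on the firewall"
}

if ($problems.Count -eq 0) {
    "Interface and service configuration matches the ISA Server requirements."
} else {
    "Problems found:"
    $problems | ForEach-Object { " - $_" }
}
```

The script only reports; it changes nothing, so it can be re-run after each change in the Advanced Settings or TCP/IP Properties dialogs until it prints no problems.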
APPENDIX B
Installing ISA Server 2000
I located the ISA Server 2000 CD-ROM disk and put it into the CD-ROM drive. Performed the following steps to install ISA Server on a Windows Server 2003 machine:
- Double clicked the ISAAutorun.exe file on the ISA Server CD (figure 4); the file can equally be run from a local hard disk or a network share.
Figure 4

- Clicked the Install ISA Server link on the Internet Security & Acceleration Server 2000 splash page (figure 5).
Figure 5

- I saw an ISA 2000 dialog box informing me that I needed to install ISA 2000 Service Pack 1 and that error messages would occur during the installation (figure 6). I was not concerned about these errors, as I would perform the required procedures afterwards to stop them from becoming a problem. Clicked Continue.
Figure 6

- Clicked Continue on the Welcome to the Microsoft ISA Server installation program page (figure 7).
Figure 7

- Entered the CD Key in the CD Key dialog box (figure 8). Clicked OK .
Figure 8

- Wrote down the Product ID as listed in the Product ID dialog box. Clicked OK in the Product ID dialog box after writing this number down.
- Clicked I Agree in the Microsoft ISA Server Setup dialog box (figure 9).
Figure 9

- Clicked the Full Installation button in the installation type dialog box (figure 10). This allows me to use all ISA Server features. I can use the Add/Remove Programs applet later if I need to remove some ISA Server features.
Figure 10

- I installed ISA Server in standalone mode, not as a member of an enterprise array. Clicked Yes in the dialog box that asked whether I wanted to continue (figure 11).
Figure 11

- Selected the Integrated mode option on the Select the mode for this server page (figure 12). I wanted to take advantage of the full power of the ISA Server firewall: Integrated mode gives everything the Web Proxy and Firewall services have to offer. Clicked Continue.
Figure 12

- On the Web cache page (figure 13), selected a drive to put the Web cache file on. The drive had to be NTFS, so I made sure of that. Typed in a size of the cache in the Cache size (MB) text box and then clicked the Set button. Then clicked OK .
Figure 13

- On the LAT page (figure 14), clicked the Construct Table button. On the Local Address Table page, removed the checkmark from the Add the following private ranges checkbox and put a checkmark in the Add address ranges based on the Windows 2000 Routing Table checkbox. Removed the checkmark from the checkbox representing the external interface and left the checkmark in the checkbox for the internal interface, so that only internal addresses end up in the LAT. Clicked OK in the Local Address Table dialog box, then clicked OK in the Setup Message dialog box that informed me that the LAT had been constructed from the Windows 2000 routing table (the message still says Windows 2000 even though I was installing ISA Server on a Windows Server 2003 machine).
Figure 14

- Clicked OK on the LAT dialog box after reviewing the listing in the Internal IP ranges list (figure 15).
Figure 15
- Unlike Windows 2000, Windows Server 2003 does not install IIS by default. I saw a dialog box telling me that I will have to install the SMTP service if I want to run the SMTP Message Screener. Clicked OK to continue (figure 16).
Figure 16 
- When installation is complete, I saw a warning balloon informing me that ISA 2000 will cause Windows to become unstable . Closed the balloon, removed the checkmark from the Start ISA Server Getting Started Wizard checkbox, and then clicked OK in the Launch ISA Management Tools dialog box (figure 17).
Figure 17 
- Clicked OK in the dialog box informing me that setup was completed (figure 18).
Figure 18 
- Clicked OK in the dialog box informing me that setup has failed to start one or more services (figure 19).
Figure 19 
Now I was ready to install ISA Server Service Pack 1.
Installing ISA Server Service Pack 1
The next step was to install ISA Server Service Pack 1 immediately. I obtained Service Pack 1 from http://www.microsoft.com/isaserver/downloads/sp1.asp. I downloaded the Service Pack to a machine on the internal network, scanned it for viruses, and then copied it to the ISA Server. Performed the following steps after copying the service pack to the ISA Server:
- Double clicked on the isasp1.exe file. Typed in a path to put the temporary files in the Choose Directory for Extracted Files dialog box (figure 20). Clicked OK .
Figure 20 
- Clicked I Agree in the End User License Agreement (EULA) dialog box (figure 21).
Figure 21 
- Clicked OK in the Microsoft ISA Server 2000 Update Setup dialog box (figure 22). The computer restarted after that (That's normal).
Figure 22 
This finished the installation of ISA Server Service Pack 1.
Installing HotFix isahf255.exe
After the Service Pack 1 installation routine restarted the machine, I logged on to the ISA Server. There are a few hotfixes and updates that I needed to install on the Windows Server 2003/ISA Server machine to ensure ISA Server compatibility with Windows Server 2003. I downloaded the hotfix pack, isahf255.exe, from http://www.microsoft.com/downloads/details.aspx?familyid=77d89f87-5205-4779-b1ab-fc338283b2d9&displaylang=en
Downloaded the file to a machine on the internal network, scanned it for viruses, and then copied it to the ISA Server. Performed the following steps after copying the file to the ISA Server:
- Double clicked on the isahf255.exe file. Clicked I Agree in the ISA Server 2000 hot fix 255 (331062) dialog box. Typed in a path for the temporary files in the Choose Directory for Extracted Files dialog box, then clicked OK (figure 23).
Figure 23 
- Clicked I Agree in the EULA dialog box.
- Clicked OK in the Microsoft ISA Server 2000 Update Setup dialog box that informed me that the update was successfully applied (figure 24).
Figure 24 
I did need to restart the server. The next step was to install Feature Pack 1.
Installing Feature Pack 1
Feature Pack 1 (FP1) is not required. I don't have to install ISA Server Feature Pack 1 on the Windows Server 2003/ISA Server machine. However, it is highly recommended that I install ISA Server Feature Pack 1 because it adds several new and useful features. I downloaded ISA Server Feature Pack 1 at http://www.microsoft.com/downloads/details.aspx?FamilyID=2f92b02c-ac49-44df-af6c-5be084b345f9&DisplayLang=en
Downloaded the feature pack to a machine on the internal network and scanned it for viruses. Then copied the file to the ISA Server and performed the following steps:
- Double clicked on the isaftp1.exe file. Typed in a path for the extracted files in the Choose Directory For Extracted Files dialog box (figure 25).
Figure 25 
- Clicked I Agree in the Feature Pack 1 EULA dialog box.
- Clicked OK in the Microsoft ISA Server 2000 Feature Pack 1 dialog box. Left the checkmark in the Read about ISA Server Feature Pack 1 checkbox to learn more about what I get with Feature Pack 1.
At this point the ISA Server was ready to use but needed to be configured.
Configuring the ISA Server 2000/VPN Server
A Windows Server 2003/ISA Server 2000 computer uses the Routing and Remote Access Service (RRAS) to manage VPN connections. The ISA Server 2000 component creates packet filters to allow inbound and outbound VPN communications. Although the Routing and Remote Access Service controls and manages all VPN connections, ISA Server 2000 provides critical protection against attack. In addition, ISA Server provides easy to use Wizards that perform many of the complex RRAS and VPN configuration tasks.
I created a Windows Server 2003-based ISA Server firewall/VPN server by completing the following procedures:
- The ISA Virtual Private Network Configuration Wizard
- Customized the VPN server configuration in the Routing and Remote Access console to meet my requirements
- Assigned a machine certificate to the VPN server to support L2TP/IPSec connections
The ISA Virtual Private Networking Configuration Wizard
The ISA Virtual Private Network Configuration Wizard starts the Routing and Remote Access service and configures the RRAS server to accept incoming PPTP and L2TP/IPSec VPN connections. The Wizard also creates ISA Server packet filters to allow incoming PPTP and L2TP/IPSec connections. If the Routing and Remote Access Service is already started, the Wizard will create the packet filters and configure the Routing and Remote Access Service to accept incoming PPTP and L2TP/IPSec VPN connections.
Performed the following steps to start the ISA Virtual Private Network Configuration Wizard on the ISA Server machine:





Customizing the VPN Server Configuration
The ISA Server VPN Wizard has done most of the work. However, because not all network environments are the same, the changes the VPN Wizard makes might work for one organization but not for another. It is important to review the VPN server-related changes and confirm that they fit the networking environment.
Performed the following steps to review and customize my VPN configuration:










Assigning a Machine Certificate to the ISA Server firewall/VPN Server
The ISA Server firewall/VPN server requires a machine certificate before it can create L2TP/IPSec connections with VPN clients. There are several ways to assign a machine certificate to the ISA Server firewall/VPN server:
- Via The Certificate Server Web Enrollment Site
- Via the Certificates standalone snap-in MMC
- Via Group Policy-based Autoenrollment
The Certificate Server Web Enrollment Site
The Web enrollment site requires that the Internet Information Services World Wide Web Publishing Service (W3SVC) be running on the Certificate Server. The certificate request is made through the browser interface and the certificate is obtained through the browser. The advantage of using the Web enrollment site is that the ISA Server firewall/VPN server does not need to belong to the internal network domain. The disadvantage is that a Web browser is installed and used on the firewall, which can be considered a security risk.
Group Policy-based Autoenrollment
Group Policy-based autoenrollment allows me to deploy machine certificates automatically by configuring domain policy to assign machine certificates to all machines in the domain. The disadvantage of using Group Policy-based autoenrollment is that the ISA Server firewall/VPN server must belong to the internal network domain, or I must create a separate domain for the ISA Server firewall/VPN servers and then create a one-way trust between that domain and the internal network domain that contains the users and groups I want to use for outbound and inbound access control.
The Certificates Standalone Snap-in
The Certificates snap-in allows me to use the Microsoft Management Console (MMC) interface to request and install a certificate directly from an enterprise certification authority (CA). The advantage of using the Certificates MMC is that it is very simple to request and install a machine certificate using the built-in Wizard. The disadvantage is that the ISA Server firewall/VPN server must belong to the same domain as the enterprise CA.
Performed the following steps on ISA Server firewall/VPN server to request a machine certificate:
- Clicked Start and clicked the Run command. Typed mmc in the open text box and clicked OK .
- In the Console 1 console, clicked the File menu and then clicked the Add/Remove Snap-in command.













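Whichever enrollment method is used, the result should be checked before any client tries to connect. The following is an added example, not part of the original appendix, that verifies in PowerShell on the ISA Server firewall/VPN server the three things the preceding sections set up: that the Routing and Remote Access service the VPN Wizard starts is running, that the PPTP and L2TP/IPSec listeners are present, and that a machine certificate usable for IPSec is in the computer's Personal store. The address 203.0.113.10 is a placeholder for the external interface address.

```powershell
# Added example, not part of the original appendix: verify the ISA Server
# firewall/VPN server after the VPN Wizard and certificate enrollment.
# $externalAddress is a placeholder for the external interface address
# that VPN clients connect to.
$externalAddress = "203.0.113.10"
$problems = @()

# 1. The VPN Wizard starts RRAS; nothing accepts PPTP or L2TP until it runs.
$rras = Get-Service RemoteAccess
if ($rras.Status -ne "Running") {
    $problems += "Routing and Remote Access service is $($rras.Status)"
}

# 2. PPTP: the control channel is TCP 1723. (GRE, IP protocol 47, carries
#    the tunnel itself and cannot be probed with a TCP socket.)
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($externalAddress, 1723)
    $tcp.Close()
} catch {
    $problems += "TCP 1723 (PPTP) is not accepting connections on $externalAddress"
}

# 3. L2TP/IPSec: UDP 500 (IKE), UDP 4500 (IKE NAT-T) and UDP 1701 (L2TP).
#    UDP has no handshake, so look for the listeners in netstat output.
$udp = netstat -a -n -p UDP
foreach ($port in 500, 4500, 1701) {
    if (-not ($udp | Where-Object { $_ -match "^\s*UDP\s+\S+:$port\s" })) {
        $problems += "No UDP $port listener (needed for L2TP/IPSec)"
    }
}

# 4. Machine certificate for L2TP/IPSec: in the computer's Personal store,
#    currently valid, with a private key, and either without an EKU
#    extension (all purposes) or with Server Authentication or
#    IP security IKE intermediate in its EKU list.
$acceptableEku = "1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.8.2.2"
$now = Get-Date
$usable = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now
} | Where-Object {
    $ekuExt = $_.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if ($ekuExt -eq $null) {
        $true   # no EKU extension: certificate is valid for all purposes
    } else {
        $oids = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }
        @($oids | Where-Object { $acceptableEku -contains $_ }).Count -gt 0
    }
}
if (-not $usable) {
    $problems += "No valid machine certificate with a private key usable for IPSec in LocalMachine\My"
} else {
    $usable | ForEach-Object { "Usable machine certificate: $($_.Subject), expires $($_.NotAfter)" }
}

if ($problems.Count -eq 0) {
    "VPN server checks passed."
} else {
    "Problems found:"
    $problems | ForEach-Object { " - $_" }
}
```

A certificate passing check 4 is necessary but not sufficient: the VPN clients must also trust the CA that issued it, so the CA's root certificate has to be in each client's Trusted Root Certification Authorities store, and the client needs its own machine certificate from a CA the server trusts.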
APPENDIX G
Connecting to the VPN:
- Navigated to Network Connections.
- Clicked File and then New Connection.
- On the first screen of the wizard, which only describes the wizard's purpose, clicked Next.
- The next screen asked what kind of network connection to create. Since I was connecting to a VPN, I chose the "Connect to the network at my workplace" option; where the VPN actually resides does not matter. Clicked Next.
- Selected the Virtual Private Network connection option and clicked Next.
- The next step asked for a name for the new connection. Almost any name will do, since it only identifies the connection on the client machine; a descriptive name is useful when more than one VPN connection is to be managed.
- The next step asked which users should be able to use the new connection. I enabled the VPN connection for my use only.
- The wizard then finished creating the connection. Clicked Finish.
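Once the wizard has created the phonebook entry, the same connection can be dialled and checked from the command line, which is useful for testing the server from a client without clicking through the dialogs each time. The following is an added example, not part of the original appendix; "Workplace VPN" and "vpnuser" are placeholders for the connection name chosen in the wizard and the VPN user account.

```powershell
# Added example, not part of the original appendix: dial the connection
# created by the New Connection Wizard from PowerShell and verify it.
$connectionName = "Workplace VPN"   # placeholder: name given in the wizard
$userName = "vpnuser"               # placeholder: VPN user account

# rasdial uses the phonebook entry the wizard created. The trailing "*"
# makes rasdial prompt for the password instead of taking it on the
# command line, where it would be visible in process listings.
rasdial "$connectionName" $userName "*"
if ($LASTEXITCODE -ne 0) {
    throw "rasdial failed with error code $LASTEXITCODE"
}

# With no arguments rasdial lists the active connections.
$active = rasdial
if (-not ($active | Select-String -SimpleMatch $connectionName)) {
    throw "Connection '$connectionName' is not listed as active"
}

# Show the address and DNS servers the VPN server assigned to the PPP
# adapter; these should be internal-network values, not the client's own.
Get-WmiObject Win32_NetworkAdapterConfiguration |
    Where-Object { $_.IPEnabled -and $_.Description -like "WAN (PPP*" } |
    Select-Object Description, IPAddress, DNSServerSearchOrder

# Disconnect when finished.
rasdial "$connectionName" /disconnect
```

If rasdial returns a non-zero code, the number is a RAS error code (for example, an authentication or certificate failure) and can be looked up with the rasdial error number in the Windows help, which points at which of the server-side checks to revisit.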




