ISA Server: The Perfect Combination of Security and Speed
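Enterprise Server: ISA Server

The Perfect Combination of Security and Speed
MICROSOFT
北京维诺尔计算机网络技术有限公司
袁子能, ISA SERVER technical support
Tel: 8847243013011035647
E-mail: yuanzineng@

Security problems are increasing daily
All data from /stats
*2001 Q1-Q3
Growth in malicious activity

ISA SERVER

ISA Server Editions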

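ISA Server Standard Edition and ISA Server Enterprise Edition

| Feature | Standard Edition | Enterprise Edition |
|---|---|---|
| Server deployment | Stand-alone operation | Centralized management of multiple servers |
| Policy settings (policy support) | Local server | Server array |
| Hardware support | 4 CPUs | Unlimited |
| Web cache | | |
| Scalability | Suitable for small businesses | Suitable for medium and large enterprises |
| Distributed and hierarchical caching | Hierarchical only | Both |
| Unified management | | |
| Windows® 2000 Active Directory integration | Limited | Full |
| Multi-level policy | No | Yes |
| Multi-server management | No | Yes |

Microsoft® ISA Server 2000 Standard Edition and Enterprise Edition feature comparison table

Installing ISA Server
- Hardware and software requirements
- Selecting an installation mode
- Specifying the cache size
- Configuring the LAT
- Upgrading from Microsoft Proxy Server 2.0

Identifying Hardware and Software Requirements
- Hard disk space: 20 MB
- Windows 2000 Server, Windows 2000 Advanced Server, or Windows Datacenter
- Hard disk format: NTFS
- Internal adapter; external adapter
- Active Directory; arrays
- RAM: 256 MB
- CPU: 300 MHz or higher

Installation Modes
- Cache Mode
- Firewall Mode
- Integrated Mode

Setup dialog (Microsoft ISA Server Status): Select the mode for this server:
- Firewall mode: Select this option to install enterprise firewall functionality.
- Cache mode: Select this option to install cache and Web hosting functionality. Cache mode installation is recommended only for computers that are not directly connected to the Internet. If this computer is directly connected to the Internet, install ISA Server in integrated mode.
- Integrated mode: Select this option to install integrated enterprise firewall, cache, and Web hosting functionality.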

Selecting an Installation Mode

Setup message (Microsoft Internet Security and Acceleration Server Setup): Setup has stopped your IIS publishing service (W3SVC). After Setup is complete, uninstall IIS or reconfigure all IIS sites not to use ports 80 and 8080.

Setup dialog (Microsoft Internet Security and Acceleration Server Setup): Specify the NTFS drives on which caches should be located and the maximum size of each cache.
- Drive: C: [NTFS]
- Available space (MB): 28722
- Cache size (MB): 100
- Total cache size (MB): 100 MB
- Drive [File System], Maximum Size (MB): C: [NTFS], 100

Specifying the Initial Cache Size

Initial cache size is 100 MB. Add 0.5 MB for each Web Proxy client.

Setup dialog (Microsoft Internet Security and Acceleration Server Setup): Enter the IP address ranges that span the internal network address space. Internal IP ranges: From, To. To construct a local address table, click Construct Table.

Configuring the LAT
1. Click Construct Table to construct a local address table.
2. Select options to add private IP address ranges or routing table entries.
3. Verify the IP addresses that display in the local address table.

Local Address Table dialog: Select the address ranges (based on the Windows 2000 routing table) for inclusion in the local address table (LAT). The LAT should include all the addresses in your internal network.
- Add the following private ranges: 10.x.x.x, 192.168.x.x and 172.16.x.x - 173.31.x.x and 169.254.x.x.
- Add address ranges based on the Windows 2000 Routing Table. Select the address ranges that are associated with the following internal network adapters (columns: Card, IP Addresses): MS LoopBack Driver; 3Com EtherLink PCI (Micros…

Maintaining the LAT and LDT

[Diagram: Internet, ISA Server, Msplat.txt, Clients]

Upgrading from Microsoft Proxy Server 2.0

[Diagram: Upgrading from Microsoft Windows NT; Upgrade to Windows 2000; Proxy Server 2.0]

Upgrading Client Computers

[Diagram: Client requests; Port 80; Port 8080; ISA Server 2000; Proxy Server 2.0; ISA Server; Winsock Proxy clients and Firewall clients]

ISA Server deployment configurations
- Bastion Host
- Perimeter Network with Three-Homed Firewall
- Perimeter Network with Back-to-Back Firewalls

Bastion Host

[Diagram: Internet, Firewall, Internal Network]

Perimeter Network with Three-Homed Firewall

[Diagram: Firewall, Internet, Perimeter Network, Internal Network]

Perimeter Network with Back-to-Back Firewalls

[Diagram: ISASRV, ISASRV, Perimeter Network, Internet]

Branch Office/Small Business Firewall

[Diagram: Branch office or small business; actual connection; perceived connection; Internet; ISA Server]

ISA design goals

Secure, fast Internet connectivity
- Acceleration: Fast Web Access with a High-Performance Cache
- Security: Secure Internet Connectivity Through a Multilayered Firewall
- Management: Unified Management with Integrated Administration
- Extensibility: Extensible and Open Platform

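Requirement 1: Secure Internet access
- Firewall with multilayer control (Multilayer)
- Intrusion detection (Intrusion Detection)
- DMZ support (DMZ Zone)
- Server publishing (Server Publishing)
- Integrated VPN (Integration VPN)
- Dynamic packet filtering support (Dynamic Filter)
- NAT support
- "Security lockdown" feature (System Harden)
- Load balancing support

Multilayer filtering firewall

From the bottom up: protect every layer
- IP layer (packet filtering): static filtering; dynamic port filtering
- Protocol layer: session-based filtering; connection-based control
- Application layer: intelligent content inspection

[Diagram: protocol layer (circuit level); application layer (application level); IP layer (packet level)]

IP packet filtering
- Uses IP header information
- Analyzes IP packet contents

[Diagram: IP header (Src, Dst), UDP/TCP header (port), payload. Source address? Destination address? What is the content? Which port is requested (which service is needed)?]

Protocol-level security control
- Relationship between sessions and connections
- Intelligent monitoring and control

[Diagram: client, server, primary connection, secondary connection]

Application-layer security control
- Intelligent inspection
- Supports content filtering and blocking
- Security vulnerabilities guarded against: SMTP: VRFY *; DNS: Zone attack; HTTP: Virus!; HTTP: Forbidden site

[Diagram: Client, Company server, Internet]

Filters and Network Access

[Diagram: Internal Network; External Network; Firewall; Access Policy (Allow, HTTP, All Destinations); Rules Applied; filters: Streaming Media, SMTP, DNS Intrusion]

Processing outgoing client requests

[Flowchart: Request from internal client. Decision points (Yes/No): Is there a site and content rule that denies the request? Is there a protocol rule that denies the request? Is there a protocol rule that allows the request? Is there a site and content rule that allows the request? Does an IP packet filter block the request? Does a routing rule specify routing to an upstream server? Outcomes: Deny request; Retrieve object; Route to upstream server.]

Intrusion detection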

Intrusion Detection: IP Packet-Level Attacks

Detection and alerting:
- All types of port scan
- IP half scan attack
- Ping of death
- UDP bomb attack
- WinNuke
- Land attacks

Application-layer attacks
- DNS Hostname Overflow
- DNS Length Overflow
- DNS Zone Transfer from Privileged Ports (1-1024)
- DNS Zone Transfer from High Ports (Above 1024)
- POP Buffer Overflow

Configuring Intrusion Detection

IP Packet Filters Properties dialog (tabs: General, Packet Filters, Intrusion Detection, PPTP): Enable detection of the selected attacks:
- Windows out-of-band (WinNuke)
- Land
- Ping of death
- IP half scan
- UDP bomb
- Port scan: Detect after attacks on 10 well-known ports; Detect after attacks on 20 ports

To receive alerts about intrusion attacks, see the properties for specific alerts in the Alerts folder.
Intrusion detection functionality based on technology from Internet Security Systems, Inc., Atlanta, GA, USA,

DNS intrusion detection filter Properties dialog (tabs: General, Attacks): Filter incoming traffic for the following:
- DNS host name overflow
- DNS length overflow
- DNS zone transfer from privileged ports (1-1024)
- DNS zone transfer from high ports (above 1024)

Select Attacks: Select the options that are required to implement your monitoring strategy.

Actions that can be taken after an intrusion is detected
- Write to the system log
- Send e-mail
- Run a specified application
- Stop a specified service
- Start a specified service

Differences between the ISA and Proxy 2.0 publishing mechanisms

Proxy 2.0
- Depends on the IIS service
- The published server needs Proxy Client installed.
- Does not support SSL bridging

ISA
- Runs as a fully independent service; IIS can be uninstalled entirely.
- The published server needs no software installed (it is set up as a SecureNAT client).
- Supports port redirection (Port Mapping)
- Supports SSL bridging (SSL Bridging)

Publishing

[Diagram: Internet, External Adapter, Internal Adapter, Web Server, Internal Network]

Publishing Servers on a Back-to-Back Perimeter Network

[Diagram: Internet; ISA Server, ISA Server; LAT: Internal Network; LAT: Perimeter Network; Web Server; SQL Server; Internal Network; Perimeter Network]

Publishing a Server

Wizard steps: Start, Name the Rule, Specify Address Mapping, Select a Protocol Setting, Select a Client Type, Finish.

Publishing a Mail Server

Mail Server Security Wizard, Mail Services Selection: Select the mail services that you would like to publish to your external users. Publish these mail services (columns: Default Authentication, SSL Authentication):
- Incoming SMTP (Apply content filtering)
- Outgoing SMTP
- Incoming Microsoft Exchange/Outlook
- Incoming POP3
- Incoming IMAP4
- Incoming NNTP

Select to apply content filtering to incoming SMTP traffic.

Guidelines for Using Publishing

| If your network | Then use |
|---|---|
| Does not have a perimeter network | Server publishing |
| Has a back-to-back perimeter network configuration | Server publishing on both ISA Server computers |
| Has a three-homed perimeter network configuration | Routing and packet filtering between the Internet and perimeter network; server publishing between the internal and perimeter networks |

Network Load Balancing

[Diagram: Internet; ISA Server array (Cache, Cache, Cache); Published Server]

VPN
- Understanding VPNs
- Connecting Remote Users to a Corporate Network
- Connecting Remote Networks to a Local Network

Connecting Remote Users to a Corporate Network

[Diagram: Remote User, Internet, VPN Tunnel, ISA Server Computer, Corporate Network]

Connecting Remote Networks to a Local Network

[Diagram: Remote Network, ISA Server Computer, Internet, VPN Tunnel, ISA Server Computer, Local Network]

Configuring a VPN to Accept Client Connections

ISA VPN Server Wizard, ISA Virtual Private Network (VPN) Server Summary: ISA Virtual Private Network (VPN) Server can accept VPN connections from remote clients over the Internet. The Server will be configured with the properties listed below:
- Configure Routing and Remote Access Server as Virtual Private Network (VPN)
- Enforce secured authentication and encryption methods.
- Open static packet filters for allowing PPTP and L2TP over IPSEC protocols.
- The number of ports available for clients to connect is 128, but this number can be

Lists the configuration properties set by the wizard.

Configuring a Local VPN

Wizard steps: Start, Identify the Connections, Select the Protocol(s), Specify Communication, Specify Remote Addresses, Specify Local Addresses, Save Configuration File, Finish.

Configuring a Remote VPN

Remote ISA VPN Wizard, ISA VPN Computer Configuration File: Specify the .vpc file to use when setting up and configuring the ISA Virtual Private Network (VPN) computer. The .vpc file includes information about the remote ISA VPN computer.
- File name (Browse…): Specify the path and file name for the .vpc file.
- Password: Type the password to decrypt the configuration file. Type the password for the file.

Requirement 2: Fast Web access
- Improved storage and retrieval mechanism
- In-memory caching (RAM caching)
- Active and scheduled content download
- Array support (Array & CARP)
- Hierarchical cache system

Cache types
- Forward caching
- Reverse caching
- Distributed caching

[Diagram: Internal Network, Cache, Web Server, Internet]

The Forward Caching Process

[Diagram, steps 1-5: Client 1, Client 2, ISA Server, Cache, Internet; GET www.bjwne.com; Object is sent from Internet; Object is sent from cache]

Reverse Caching (Internet, enterprise)

[Diagram: Internet, ISA server, Cache, Web server]
- Absorbs the impact of Web load
- ISA acts as the Web proxy server

Processing Requests for Cached Objects

[Diagram, steps 1-3: Request http://URLA; RAM (Cache Directory, Objects); Disk (Cache Directory Backup, Objects); Cache Entry 1]

Active and scheduled content download
- Based on object time to live
- ISA automatically analyzes the lifetime of cached content
- ISA automatically downloads and updates cached content
- Users who access the Internet over dial-up should consider scheduled content download

Branch Office/Small Business Office Cache Server

[Diagram: ISA Server, Main Office, Small Business, Cache, Cache, Branch Office, ISA Server, Internet]

Enterprise cache service

[Diagram: Internet, Corporate Network, ISA Server Array (Cache, Cache, Cache)]

Configuring HTTP Caching

Cache Configuration Properties dialog (tabs: General, HTTP, FTP, Active Caching, Advanced):
- Enable HTTP Caching
- Unless source specifies expiration, update source:
  - Frequently (Expire immediately)
  - Normally
  - Less frequently (Reduced network traffic is important)
  - Set Time To Live (TTL) of object in cache to: This percentage of content age (Time since creation or modification): 20; No less than: 15 Minutes; No more than: 1 Days

Select to enable HTTP caching.

Configuring FTP Caching

Cache Configuration Properties dialog, FTP:
- Enable FTP caching
- Time to Live for all objects: 1440 Minutes

Specify a time for FTP objects to remain in the cache.

Configuring Active Caching

Cache Configuration Properties dialog, Active Caching:
- Enable active Caching. Active caching automatically retrieves frequently accessed files.
- Retrieve files:
  - Frequently (Client performance is more important)
  - Normally (Client performance and reduced network traffic are equally important)
  - Less frequently (Reduced network traffic is more important)

Select to create an active caching policy.

Configuring Advanced Cache Settings

Cache Configuration Properties dialog, Advanced:
- Do not cache objects larger than: 1 KB
- Cache objects that have an unspecified last modification time
- Cache objects even if they do not have an HTTP status code of 200
- Cache dynamic content (objects with question marks in the URL)
- Maximum size of URL cached in memory (bytes): 12800
- If Web site of expired object cannot be reached:
  - Do not return the expired object (return an error page)
  - Return the expired object only if expiration was: At less than this percentage of original Time to Live: 50; But no more than (minutes): 60
- Percentage of available memory to use for caching: 50

Select to configure cache settings for specific objects.

Requirement 3: Unified and flexible management
- Rule-based management
- Flexible and convenient client deployment
- Accounts can be integrated with Win2000 Active Directory
- MMC-based management interface
- Comprehensive logging and reporting
- Customizable alerting
- Bandwidth control mechanism (QoS)
- A variety of helper wizards
- Convenient installation process

Creating policy elements
- Policy Element Overview
- Creating Schedules
- Creating Bandwidth Priorities
- Creating Destination Sets
- Creating Client Address Sets
- Creating Protocol Definitions
- Creating Content Groups

Creating Schedules

New schedule dialog: Name: Lunch Hours and Weekends. Description: Use this schedule to permit access to sites lunch hours and weekends.

Click Active to add portions of the week, or click Inactive to remove portions of the week. Set the activation times for rules that are based on this schedule.

[Schedule grid: Sunday through Saturday, hours 12 to 12 in 2-hour marks; selection shown: Sunday from 12 AM to 12 AM; options: Active, Inactive]

Creating Bandwidth Rules

Wizard steps: Start, Name the Rule, Select the Protocol(s), Select a Schedule, Select a Client Type, Select a Destination Type, Select a Content Group, Select Bandwidth Priority, Finish.

Creating Bandwidth Priorities

New Bandwidth Priority dialog, two examples:
- Name: Basic Priority. Description (optional): Assigns high priority to incoming traffic. Outbound bandwidth (1-2000): ; Inbound bandwidth (1-200): 20
- Name: High Priority. Description (optional): Assigns high priority to incoming traffic. Outbound bandwidth (1-2000): ; Inbound bandwidth (1-200): 30

Creating Site and Content Rules

Wizard steps: Start, Name the Rule, Specify the Rule Action, Select a Destination Set, Select a Schedule, Select a Client Type, Finish.

Creating Destination Sets

New Destination Set dialog: Name: PartnerWeb. Description (optional). Include these computers (columns: Name/IP Range, Path).

Add/Edit Destination dialog: Computer name: nwtraders.msft. IP addresses: From, To (optional). To include a specific directory in the destination set, type the path below. To include all the files, use this format: /dir/*. To select a specific file, use this format: /dir/filename. Path: /sales/accounts.xls

Creating Client Address Sets

Client Set dialog: Name: SupportStaff. Description (optional). Select the addresses of computers that belong to this client address set. Members: From, To.

Add/Edit IP Addresses dialog: Client set IP addresses: From: 192.168.101.0 To: 192.168.101.255

Creating Protocol Rules

Wizard steps: Start, Name the Rule, Specify the Rule Action, Select the Protocol(s), Select a Schedule, Select a Client Type, Finish.

Creating Protocol Definitions

Type a number between 1 and 65535 to specify the port number.

Creating Content Groups

ISA Server includes several preconfigured content groups.

[ISA Management console tree: Internet Security and Acceleration Server; Servers and Arrays; LONDON; Monitoring; Computer; Access Policy; Publishing; Bandwidth Rules; Policy Elements; Schedules; Bandwidth Priorities; Destination Sets; Client Address Sets; Protocol Definitions]

| Name | Description | Content Types |
|---|---|---|
| Application | Applications | application/hta, application/x-internet-signup, application/x-pkcs7-certific… |
| Application Data Files | Files containing data for applications | application/x-mscardfile, application/x-perform, application/x-msclip, appl… |
| Audio | Audio files | audio.*, .ra, .ram, .rmi, .au, .snd, .aif, .aifc, .wav, .m3u, .mid, .mp3 |
| Compressed Files | Compressed Files | application/x-gzip, application/x-tar, application/x-gtar, application/x-com… |
| Documents | Documents | text/tab-separated-values, text/xml, text/h323, application/postscript, appl… |
| HTML Documents | HTML Documents | text/webviewhtml, text/html, .htm, .html, .htt, .stm, .xsl |
| Images | All known types of images | .cod, .cmx, .ief, .pbm, .pnm, .ppm, .gif, .bmp, .jfif, .jpe, .jpg, .jpeg, .ico, .pgm, .ras… |
| Macro Documents | Documents that may contain macr… | application/msword, application/vnd.ms-excel, application/x-msaccess, a… |
| Text | Text content | .txt, .h, .c, .htc, .vcf, .etx, .uls, .css, .bas, .rtx, text/plain, text/x-component, text/… |
| Video | Video files | video/*, .asf, .asr, .asx, .avi, .ivf, .lsf, .lsx, .mov, .movie, .mlv, .mp2, .mpa, .mpe, .… |
| VRML | VRML | x-world/x-vrml, .flr, .wrl, .wrz, .xaf, .xof |

Authentication modes
- Basic Authentication
- Digest Authentication
- Integrated Windows Authentication
- Client Certificate Authentication

Authentication Overview

[Diagram: Internet, ISA Server]
- SecureNAT Client: No user-based authentication.
- Firewall Client: Authentication is based on client credentials.
- Web Proxy Client: Authentication is dependent on browser and operating environment.

Configuring Authentication for Outgoing Web Requests

LONDON Array Properties dialog (tabs: General, Incoming Web Requests, Outgoing Web Requests, Security, Performance, Auto Discovery):
- Identification: Use the same listener configuration for all internal IP addresses, or Configure listeners individually per IP address
- Listener list (columns: Server, IP Address, Display N…, Authentic…, Server C…): LONDON, <All internal, Integrated
- Enable SSL listeners; TCP port: 8080; SSL port: 8443
- Connections: Connection settings (Configure…); Ask unauthenticated users for identification

Configuring Authentication Methods

Add/Edit Listeners dialog, opened from the same LONDON Array Properties dialog:
- Server: LONDON
- IP Address: <All internal IP addresses>
- Display Name:
- Use a server certificate to authenticate to web clients (Select…)
- Authentication: Basic with this domain (Select domain…); Digest with this domain (Select domain…); Integrated; Client certificate (secure channel only)

Adjusting Cache Size

LONDON Properties dialog, Cache Drives (columns: Drive, Type, Disk space…, Free space…, Cache Size…):
- Maximum cache size (MB): 100 (Set)
- Total disk space (MB): 39064
- Total maximum cache size (MB): 100

Specify the size of the cache.

[Explorer window, urlcache folder: dir1, File Folder, 9/6/2000 9:43 PM; dir1, 100,800 KB, Microsoft ISA Server Cache File, 9/18/2000 9:28 PM; 2 object(s), 98.4 MB]

The .cdat file on the drive will be the same size as the cache.

Adjusting Memory Allocation

Cache Configuration Properties dialog, Advanced: Percentage of available memory to use for caching: 50. Type a number between 1 and 100 to specify the maximum percentage of memory.

Top-down rule enforcement structure
- Policy levels: Enterprise, Array, Stand-alone
- Policies can be enforced, combined, and promoted

[Diagram: Stand-alone, Array, Enterprise; Promote; Active Directory]

Relationship between the enterprise level and the array level in rule enforcement

[Diagram: Enterprise Policy; Array Policy 1, Array Policy 2, Array Policy 3; ISA Server 1 through ISA Server 7; Standalo… Configuration]

Combining Enterprise Policies and Array Policies

Properties dialog (tabs: General, Outgoing Web Requests, Incoming Web Requests, Policies, Auto Discovery, Performance, Security): Specify whether enterprise policies should be enabled for this array. Then, select the enterprise policy you want to apply.
- Use array policy only
- Use default enterprise policy settings
- Use custom enterprise policy settings
- Use this enterprise policy: Enterprise Policy 1
- Allow array-level access rules that restrict enterprise policy
- Allow publishing rules
- Force packet filtering on the array

Select this option to allow array-level settings.

Cache Array Routing Protocol

[Diagram: Internet; Web Proxy Client; array.dll?Get.Info.v1; Server 1 through Server 5; Array Membership List: Server 1, Server 2, Server 3, Server 4, Server 5]

Configuring CARP (Cache Array Routing Protocol)

LONDON Properties dialog (tabs: General, Outgoing Web Requests, Incoming Web Requests, Policies, Auto Discovery, Performance, Security):
- Identification: Use the same listener configuration for all internal IP addresses, or Configure listeners individually per IP address
- Listener list (columns: Server, IP Address, Display N…, Authentic…, Server C…): LONDON, <All inter…, Integrated
- Enable SSL listeners; TCP port: 8080; SSL port: 8443
- Ask unauthenticated users for identification
- Resolve requests within array before routing
- Connections: Connection settings (Configure…)

Select to enable CARP.

LONDON Properties dialog (tabs: General, Array Memberships):
- Intra-array communication: Use this IP address for intra-array communication: 131.107.3.1 (Find…)
- Specify the load factor for this server. This number indicates the relative cache availability of this server compared to the rest of the array members: Load Factor 100

ISA client management

Three client types: Web Proxy Client, SecureNAT Client, Firewall Client

[Diagram: Internet, ISA Server]
- SecureNAT Client: Do not require you to deploy client software or configure client computers.
- Firewall Client: Allow Internet access only for authenticated users.
- Web Proxy Client: Improve the performance of Web requests for internal clients.

Configuring the Web Proxy client
1. Select the Use a proxy server check box.
2. Type the IP address or name of the ISA Server computer in the Address box.
3. Type the port number in the Port box, and then click OK.

Local Area Network (LAN) Settings dialog:
- Automatic configuration: Automatic configuration may override manual settings. To ensure the use of manual settings, disable automatic configuration. Options: Automatically detect settings; Use automatic configuration script.
- Proxy Server: Use a proxy server; Address: ; Port: 8080; Bypass proxy server for local addresses

ISA Server - Microsoft's Firewall

ISA Server architecture

[Diagram: Web Proxy Client, SecureNAT Client, Firewall Client, Local Area Network, Web Proxy Service, Firewall Service, Web Filter, Packet Filtering, Third Party Filter, Streaming Filter, SMTP Filter, H.323 Filter, FTP Filter, Cache, Internet, NAT Driver, HTTP Redirector]

Bandwidth control mechanism
- Used to control how the network is used
- Bandwidth usage is controlled through tiered bandwidth control rules
- What bandwidth control can do: limit the percentage of total bandwidth used by multimedia; grant specified users higher priority

ISA Server Alert Events

[ISA Management console tree: Internet Security and Acceleration Server; Servers and Arrays; LONDON; Monitoring; Computer; Access Policy; Site and Content Rules; Protocol Rules; IP Packet Filters; Publishing; Bandwidth Rules; Policy Elements; Cache Configuration; Monitoring Configuration; Alerts; Logs; Report Jobs; Extensions; Application Filters; Web Filters; Network Configuration; Client Configuration; H.323 Gatekeepers]

| Name | Description | Server | Event |
|---|---|---|---|
| Alert action failure | The action associated with this alert fa… | PHOENIX | Alert action failure |
| Cache container initialization error | The cache container initialization faile… | PHOENIX | Cache container initialization |
| Cache container recovery complete | Recovery of a single cache container… | PHOENIX | Cache container recovery… |
| Cache file resize failure | The operation to reduce the size of the… | PHOENIX | Cache file resize failure |
| Cache initialization failure | The Web cache proxy was disabled to… | PHOENIX | Cache initialization failure |
| Cache restoration completed | The cache content restoration was co… | PHOENIX | Cache restoration completed |
| Cache write error | There was a failure in writing content… | PHOENIX | Cache write error |
| Cached object discarded | During cache recovery, an object with… | PHOENIX | Cache object discarded |
| Component load failure | Failed to load an extension component… | PHOENIX | Component load failure |
| Configuration error | An error occurred while reading config… | PHOENIX | Configuration error |
| Dial-on-demand failure | Failed to create a dial-on-demand con… | PHOENIX | Dial-on-demand failure |
| DNS intrusion | A host name overflow, length overflow… | PHOENIX | DNS intrusion |
| Event log failure | An attempt to log the event informatio… | PHOENIX | Event log failure |
| Firewall communication failure | There is a failure in communication bet… | PHOENIX | Client/server communica.. |
| Intrusion detected | An intrusion was attempted by an exte… | PHOENIX | Intrusion detected |
| Invalid dial-on-demand credentials | Dial-on-demand credentials are invalid | PHOENIX | Invalid dial-on-demand cr.. |
| Invalid ODBC log credentials | The specified user name or password… | PHOENIX | Invalid ODBC log credent… |
| IP packet dropped | IP packet was dro | | |
