8/2/2019 Installing ISA 2006
Deploying an ISA Firewall for an Enterprise System - Part II: Access Rules
Written by Đào Duy Hiếu, Saturday, 21 August 2010 07:00
Following Part 1, once you have installed ISA Server 2006 successfully you need to create Access Rules to control every packet entering and leaving the system. Part 2 shows how to create Access Rules that fit the needs of businesses today. This series consists of the following parts:
Part I: Installing ISA Server 2006
Part II: Configuring Access Rules
Part III: Configuring a Client-to-Gateway VPN over an ADSL line
The lab consists of the following steps:
1. Check the Default Rule
2. Create a rule for DNS queries to resolve domain names
3. Create a rule that allows users in the Manager group unrestricted Internet access
4. Create a rule that allows users in the Staff group to access only certain websites during office hours
5. Create a rule that allows users in the Staff group to browse the web during break time, except for ngoisao.net
6. Create a rule that lets users connect to Yahoo mail with Outlook Express
7. Block online music streaming, block Yahoo Messenger chat, and block downloading files with the .exe extension
8. Block access to certain websites; any attempt to access them is automatically redirected to the company's warning page
II. Preparation: The lab topology is the same as in Part 1 and consists of 2 machines:
- DC machine: Windows Server 2003 SP2 or Windows Server 2008
+ Create the OU HCM. In OU HCM, create 2 groups: Manager and Staff.
+ In OU HCM, create 2 users Man1 and Man2 as members of the Manager group
+ In OU HCM, create 2 users Staff1 and Staff2 as members of the Staff group
- ISA Server machine: Windows Server 2003 SP2
III. Implementation:
1. Check the Default Rule
- By default, after installing ISA Server 2006 there is only one access rule, named Default Rule, which denies all inbound and outbound traffic
- On the DC machine, log on as MSOpenLab\Administrator, browse to any website, and verify that you receive an error page from ISA Server
- Open cmd and run nslookup to resolve the following 2 names in turn: www.google.com and www.tuoitre.com.vn; verify that resolution fails
2. Create a rule for DNS queries to resolve domain names
- On the ISA Server machine, log on as MSOpenLab\Administrator, open ISA Server Management, right-click Firewall Policy, choose New, then choose Access Rule
- In the Access Rule Names dialog, name the rule: DNS Query
- In the Rule Action dialog, choose Allow
- In the Protocols dialog, choose Selected Protocols and click Add
- In the Add Protocols dialog, expand Common Protocols, choose DNS, click Add
- Click Next
- In the Access Rule Sources dialog, add 2 networks: Internal and Local Host
- In the Access Rule Destinations dialog, add the External network, click Next
- In the User Sets dialog, choose All Users, click Next
- In the Completing the New Access Rule Wizard dialog, review the rule's settings one last time, then click Finish
- Click Apply, then OK
Note: After every rule you create, you must click Apply for the rule to take effect
3. Create a rule that allows users in the Manager group unrestricted Internet access
a. Create the elements that define the Manager and Staff groups
- In the ISA Server Management window, in the third pane, choose the Toolbox tab, expand Users, choose New
- In the User set name dialog, enter the name Manager
- In the Users dialog, click Add, choose Windows users and groups
- Add the 2 users Man1 and Man2 to the Users dialog
- In the Completing dialog, choose Finish
- Click Apply
- In the same way, create another user set named Staff
- In the Users dialog, add the 2 users Staff1 and Staff2, click Next
- In the Completing the New User Set Wizard dialog, choose Finish
b. Create the Access Rule:
- Right-click Firewall Policy, choose New, choose Access Rule
- In the Access Rule Names dialog, name the rule: Allow Manager Full Access
- In the Rule Action dialog, choose Allow
- In the Protocols dialog, choose All outbound traffic
- In the Access Rule Sources dialog, add Internal, click Next
- In the Access Rule Destinations dialog, add External, click Next
- In the User Sets dialog, remove the All Users group, add the Manager group, click Next
- In the Completing the New Access Rule Wizard dialog, choose Finish
- Click Apply, then OK
- On the DC machine, log on as MSOpenLab\Man1 and browse to http://vnexpress.net and http://www.google.com.vn; verify that access succeeds
4. Create a rule that allows users in the Staff group to access only certain websites during office hours
a. Create the Schedule elements
- In the ISA Server Management window, choose Firewall Policy, go to the third pane, on the Toolbox tab expand Schedules, choose New
- In Name, enter Work Time. Below, select the hours from 7:00 to 11:00 and from 1:00 PM to 5:00 PM
- In the same way, create another schedule named Rest Time, covering 11:00 to 1:00 PM
b. Create the URL Set elements
- In the ISA Server Management window, choose Firewall Policy, go to the third pane, on the Toolbox tab expand Network Objects, click New, choose URL Set
- In the New URL Set dialog, in Name, enter: Restrict Web; add the websites you want to block (e.g. http://ngoisao.net), choose OK
- In the same way, create another URL Set named Allow Web and add the websites that are allowed
c. Create the Access Rule:
- Right-click Firewall Policy, choose New, choose Access Rule
- In the Access Rule Names dialog, name the rule: Allow Staff on Work Time
- In the Rule Action dialog, choose Allow
- In the Protocols dialog, choose Selected Protocols and click Add
- In the Add Protocols dialog, expand Common Protocols, choose HTTP and HTTPS, click Add
- Click Next
- In the Access Rule Destinations dialog, click Add
- Expand URL Sets, choose Allow Web
- Click Next
- In the User Sets dialog, remove the All Users group, add the Staff group
- In the Completing the New Access Rule Wizard dialog, click Finish
- Right-click the rule Allow Staff on Work Time, choose Properties
- Go to the Schedule tab; in the Schedule box choose Work Time, click OK
- On the DC machine, log on as MSOpenLab\Staff1 and browse to http://vnexpress.net and http://www.nhatnghe.com; verify that access succeeds
- Browse to other websites, e.g. http://www.google.com; verify that access is blocked
5. Create a rule that allows users in the Staff group to browse the web during break time, except for ngoisao.net
- In the ISA Server Management window, right-click Firewall Policy, choose New, choose Access Rule
- In the Access Rule Names dialog, name the rule: Allow Staff on Rest Time
- In the Rule Action dialog, choose Allow
- In the Protocols dialog, choose Selected Protocols and click Add
- In the Add Protocols dialog, expand Common Protocols, choose HTTP and HTTPS, click Add
- Click Next
- In the Access Rule Sources dialog, add Internal, click Next
- In the Access Rule Destinations dialog, add External, click Next
- In the User Sets dialog, remove the All Users group, add the Staff group, click Next
- In the Completing the New Access Rule Wizard dialog, click Finish
- Right-click the rule Allow Staff on Rest Time, choose Properties
- Go to the Schedule tab; under Schedule, choose Rest Time
- Go to the To tab; in the Exceptions box, click Add
- Expand URL Sets, choose Restrict Web
- Click Apply, then OK
- On the DC machine, log on as MSOpenLab\Staff2 and browse to http://ngoisao.net; verify that you receive an error page.
- Browse to other websites (e.g. http://www.google.com.vn); verify that access succeeds
6. Create a rule that lets users connect to Yahoo mail with Outlook Express
- In the ISA Server Management window, right-click Firewall Policy, choose New, choose Access Rule
- In the Access Rule Names dialog, name the rule: Allow Manager Full Access
- In the Rule Action dialog, choose Allow
- In the Protocols dialog, choose Selected Protocols, click Add
- In the Add Protocols dialog, expand Common Protocols, choose SMTP and POP3, click Add
- Click Next
- In the Access Rule Sources dialog, add Internal, click Next
- In the Access Rule Destinations dialog, add External, click Next
- In the User Sets dialog, choose All Users
- In the Completing the New Access Rule Wizard dialog, click Finish
- Click Apply, then OK
- Log on as Man1 on the DC machine, go to Start\Programs, choose Outlook Express
- In the Display Name box, type a name, e.g. msopenlab. Click Next
- In the email address box, enter your Yahoo address (e.g. [email protected]). Click Next
- In the E-mail Server Names dialog, under My incoming mail server, choose POP3
+ Incoming mail: pop.mail.yahoo.com.vn
+ Outgoing mail: smtp.mail.yahoo.com.vn
Click Next
- In the Internet Mail Logon dialog, enter the account and password (not [email protected])
- Next, go to Tools, choose Accounts
- Go to the Mail tab, click Properties
- In the Properties dialog, go to the Advanced tab.
+ In the Outgoing mail (SMTP) box, type 587
+ In the Incoming mail (POP3) box, type 995 and check This server requires a secure connection
+ Under Delivery, check Leave a copy of messages on server
Choose Apply, then OK
- Then click the Send/Receive icon; you will receive the mail downloaded from Yahoo
7. Block staff from streaming music, block Yahoo Messenger chat, and block downloading files with the .exe extension
a. Block during office hours
- On the ISA Server machine, in the ISA Server Management window, right-click the rule Allow Staff on Work Time, choose Configure HTTP
- Go to the Signatures tab, click Add
- In the Name box, enter: Deny Yahoo Messenger. In the Search in box, choose the option: Request headers
- In the HTTP Header box, enter: Host:. In the Signature box, enter: msg.yahoo.com. Choose OK
- Click Apply, then OK
- Go to the Methods tab; under Specify the action taken for HTTP methods, choose Block specified methods (allow all others)
- Enter the file extensions you want to block, e.g. .exe
- Right-click Allow Staff on Work Time, choose Properties
- Go to the Content Types tab; under This rule applies to, choose Selected content types
- In the Content Types box, clear the Audio and Video checkboxes (so users cannot stream music). Click Apply, then OK
b. Block during break time: Repeat step a on the rule Allow Staff on Rest Time
c. Verify:
- Log on as Administrator on the Client machine and try to sign in to Yahoo Messenger; you will not be able to sign in to Yahoo
- Try to browse to http://nhacso.net; verify that you cannot stream music
- Try to download any .exe file from some website (e.g. http://bkav.com.vn)
- Verify that the download fails
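The three controls configured in this step act on different parts of an HTTP exchange: the signature looks at a request header, the extension block looks at the request URL, and the content-type restriction looks at the response. The following Python model, added here as an illustration and not code from the original article or from ISA Server, runs those three checks over constructed sample messages. Treating ISA's Audio and Video content-type groups as the audio/ and video/ MIME prefixes is an assumption, as is the substring matching of the signature.

```python
"""Constructed model of the three HTTP-filter checks this step attaches to the
Staff rules: a request-header signature (Host: msg.yahoo.com), a blocked URL
extension (.exe) and blocked response content types (Audio, Video). This is
illustrative Python, not ISA's HTTP filter; mapping ISA's Audio and Video
content-type groups to the audio/ and video/ MIME prefixes is an assumption."""
import posixpath
from urllib.parse import urlsplit

# Filter settings from step 7.
SIGNATURES = [                               # (name, request header, text to search for)
    ("Deny Yahoo Messenger", "Host", "msg.yahoo.com"),
]
BLOCKED_EXTENSIONS = {".exe"}
BLOCKED_CONTENT_PREFIXES = ("audio/", "video/")   # stands in for the Audio and Video groups (assumption)

def parse_message(raw):
    """Split an HTTP request or response into (start line, {lower-cased header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def check_request(raw):
    """Return None if the request passes, otherwise the name of the check that blocks it."""
    start, headers = parse_message(raw)
    # Signature search in request headers: case-insensitive substring match.
    for name, header, needle in SIGNATURES:
        if needle.lower() in headers.get(header.lower(), "").lower():
            return name
    parts = start.split(" ")
    if len(parts) != 3:
        return "Malformed request line"
    path = urlsplit(parts[1]).path              # handles both "/x.exe" and absolute proxy URIs
    ext = posixpath.splitext(path)[1].lower()
    if ext in BLOCKED_EXTENSIONS:
        return "Blocked extension " + ext
    return None

def check_response(raw):
    """Return None if the response passes, otherwise the name of the check that blocks it."""
    _, headers = parse_message(raw)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype.startswith(BLOCKED_CONTENT_PREFIXES):
        return "Blocked content type " + ctype
    return None

# Constructed sample messages (not captured traffic).
YM_REQUEST = "GET /notify HTTP/1.1\r\nHost: msg.yahoo.com\r\nUser-Agent: YMSG\r\n\r\n"
EXE_REQUEST = "GET http://bkav.com.vn/download/BkavHome.exe HTTP/1.1\r\nHost: bkav.com.vn\r\n\r\n"
OK_REQUEST = "GET /index.html HTTP/1.1\r\nHost: vnexpress.net\r\n\r\n"
MP3_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: audio/mpeg\r\nContent-Length: 3\r\n\r\nID3"
HTML_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n<html></html>"

if __name__ == "__main__":
    for raw in (YM_REQUEST, EXE_REQUEST, OK_REQUEST):
        print(raw.split("\r\n")[0], "->", check_request(raw))
    for raw in (MP3_RESPONSE, HTML_RESPONSE):
        print(raw.split("\r\n")[1], "->", check_response(raw))
```

The extension check keys only on the request URL, which is why the step also restricts content types on the rule: the response check catches streamed audio and video regardless of the file name in the URL. The Host signature only sees traffic that passes through the Staff rules' HTTP filter; in this lab those rules (HTTP and HTTPS only) are the only way out for Staff users, so that is sufficient here, but in a policy that allows other outbound protocols for the same users the signature alone would not cover them.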
8. Block access to certain websites; any attempt to access them is automatically redirected to the company's warning page
a. Create an Access Rule allowing access from Internal to Internal with All Protocols (same steps as above)
b. Create a URL Set (see step 4b): add the websites you want to block to Deny Web
c. Create the Access Rule
- Right-click Firewall Policy, choose New, choose Access Rule
- In the Access Rule Names dialog, name the rule: Deny and Redirect Web
- In the Rule Action dialog, choose Deny
- In the Protocols dialog, choose Selected protocols, click Add
- In the Add Protocols dialog, expand Common Protocols, choose HTTP and HTTPS, click Add
- In the Access Rule Sources dialog, add Internal, click Next
- In the Access Rule Destinations dialog, click Add.
- Expand URL Sets, add Deny Web
- Click Next
- In the User Sets dialog, choose All Users
- In the Completing the New Access Rule Wizard dialog, click Finish
- Move the rule Deny and Redirect Web up so that it becomes rule number 2, choose Apply, click OK
- Right-click the rule Deny and Redirect Web, choose Properties
- In the Deny and Redirect Web Properties dialog, go to the Action tab, check Redirect HTTP requests to this Web Page, and in the box below enter the page you want to redirect to: http://www.msopenlab.com/canhcao.htm (in this article the page is already hosted on the DC machine; see the article INTERNET INFORMATION SERVICES (IIS) 7.0)
- Log on as MSOpenLab\Man2 on the DC machine and browse to a blocked website, e.g. http://www.muctim.com.vn; it is automatically redirected to the company's warning page
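ISA Server evaluates the firewall policy top to bottom and applies the first rule whose protocol, source, destination, user set and schedule all match, with Default Rule denying whatever falls through. That is why this step moves Deny and Redirect Web up to position 2: left at the bottom, Allow Manager Full Access (all outbound traffic) would match Man2's request first. The following Python model, added here as an illustration and not code from the original article or from ISA Server, replays the lab's checks from steps 3, 4, 5 and 8 against the finished rule list and shows the effect of the ordering. Assumptions: URL sets are matched on host name, schedules are checked by hour, and the step 6 mail rule and the step 8a Internal-to-Internal rule are given the names Allow Mail and Allow Internal to Internal here.

```python
"""Constructed model of how ISA Server 2006 evaluates an ordered access-rule
list (first match wins, Default Rule last) for the rules built in this lab.
This is illustrative Python, not ISA's engine or its API. Assumptions: URL sets
are matched on host name, the schedule is checked by hour, and the step 6 mail
rule and the step 8a rule are given the names used below."""
from dataclasses import dataclass, field
from typing import Optional

# Rule elements from the lab.
USER_SETS = {
    "All Users": None,                       # None matches every user
    "Manager": {"Man1", "Man2"},
    "Staff": {"Staff1", "Staff2"},
}
SCHEDULES = {                                # list of (start_hour, end_hour), end exclusive
    "Always": [(0, 24)],
    "Work Time": [(7, 11), (13, 17)],        # 7:00-11:00 and 1 PM-5 PM
    "Rest Time": [(11, 13)],                 # 11:00-1 PM
}
URL_SETS = {                                 # matched by host name (assumption)
    "Allow Web": {"vnexpress.net", "www.nhatnghe.com"},
    "Restrict Web": {"ngoisao.net"},
    "Deny Web": {"www.muctim.com.vn"},
}

@dataclass
class Rule:
    name: str
    action: str                              # "Allow" or "Deny"
    protocols: Optional[set]                 # None = All outbound traffic
    sources: set                             # network names
    destinations: set                        # network names or URL-set names
    users: str = "All Users"
    schedule: str = "Always"
    exceptions: set = field(default_factory=set)   # URL sets excluded on the To tab
    redirect: Optional[str] = None           # Deny rules only

@dataclass
class Request:
    user: str
    hour: int
    protocol: str
    src_network: str
    dst_network: str
    host: str = ""                           # destination host of an HTTP/HTTPS request

def _dest_matches(names, req):
    """A destination entry is either a URL set (matched on host) or a network."""
    for name in names:
        if name in URL_SETS:
            if req.host in URL_SETS[name]:
                return True
        elif name == req.dst_network:
            return True
    return False

def matches(rule, req):
    if rule.protocols is not None and req.protocol not in rule.protocols:
        return False
    if req.src_network not in rule.sources:
        return False
    members = USER_SETS[rule.users]
    if members is not None and req.user not in members:
        return False
    if not any(start <= req.hour < end for start, end in SCHEDULES[rule.schedule]):
        return False
    if not _dest_matches(rule.destinations, req):
        return False
    return not _dest_matches(rule.exceptions, req)

def evaluate(rules, req):
    """Return (action, rule name, redirect URL) of the first matching rule;
    a request matching nothing falls through to the Default Rule, which denies."""
    for rule in rules:
        if matches(rule, req):
            return rule.action, rule.name, rule.redirect
    return "Deny", "Default Rule", None

WEB = {"HTTP", "HTTPS"}
DENY_REDIRECT = Rule("Deny and Redirect Web", "Deny", WEB, {"Internal"}, {"Deny Web"},
                     redirect="http://www.msopenlab.com/canhcao.htm")
LAB_RULES = [
    Rule("DNS Query", "Allow", {"DNS"}, {"Internal", "Local Host"}, {"External"}),
    DENY_REDIRECT,                           # moved up to position 2 in step 8
    Rule("Allow Manager Full Access", "Allow", None, {"Internal"}, {"External"}, users="Manager"),
    Rule("Allow Staff on Work Time", "Allow", WEB, {"Internal"}, {"Allow Web"},
         users="Staff", schedule="Work Time"),
    Rule("Allow Staff on Rest Time", "Allow", WEB, {"Internal"}, {"External"},
         users="Staff", schedule="Rest Time", exceptions={"Restrict Web"}),
    Rule("Allow Mail", "Allow", {"SMTP", "POP3"}, {"Internal"}, {"External"}),       # step 6 (name assumed)
    Rule("Allow Internal to Internal", "Allow", None, {"Internal"}, {"Internal"}),   # step 8a (name assumed)
]
# The same rules with the deny rule left at the bottom, to show why step 8 moves it up.
DENY_LAST = [r for r in LAB_RULES if r is not DENY_REDIRECT] + [DENY_REDIRECT]

def web(user, hour, host):
    """Constructed HTTP request from the Internal network to an External host."""
    return Request(user, hour, "HTTP", "Internal", "External", host)

if __name__ == "__main__":
    for req in (web("Staff1", 9, "vnexpress.net"), web("Staff1", 9, "www.google.com"),
                web("Staff2", 12, "ngoisao.net"), web("Man2", 10, "www.muctim.com.vn")):
        print(req.user, req.hour, req.host, "->", evaluate(LAB_RULES, req))
    print("deny rule last:", evaluate(DENY_LAST, web("Man2", 10, "www.muctim.com.vn")))
```

Running the script reproduces the lab's checks: Staff1 reaches vnexpress.net at 9:00 through Allow Staff on Work Time but falls to Default Rule for www.google.com; Staff2 at 12:00 is denied ngoisao.net by the Restrict Web exception; and Man2's request for www.muctim.com.vn hits Deny and Redirect Web only because it sits above Allow Manager Full Access. The DENY_LAST list shows the same request being allowed when the deny rule is left at the bottom, which is the ordering mistake to watch for whenever a deny rule is added to a policy that already contains broad allow rules.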