Dr. Hidaia Mahmood Alassouli - Configuration of Microsoft ISA Proxy Server and Linux Squid Proxy Server

By

Dr. Hidaia Mahmood Alassouli

Hidaia_alassouli@hotmail.com

The paper concerns about basic Microsoft ISA server and Linux Squid Server configuration As a lot of technicians switch between ISA server and Squid server, I decided to write this paper to present some reference when configuring ISA and Squid. There a lot of issues that not covered, and you can go to the manual of ISA server and Squid server for detailed configuration of ISA and Squid. The paper is composed from two parts

1. Microsoft ISA server 2004 Configuration
2. Linux Squid Server Configuration

Note that, this work was done without proper simulation, because of the lack of resources, as testing firewall configuration requires many computers, with one of them should have many network cards. Also the ISA server is not used in the computer center now.

KEYWORDS:

Internet Security Acceleration Server, ISA Server, Squid Server, Proxy, Firewall.

2.1 MAIN OPERATION:

All of the network rules and access rules make up the firewall policy. The firewall policy is applied in the following way:

1. A user using a client computer sends a request for a resource located on the Internet.

2. If the request comes from a Firewall Client computer, the user is transparently authenticated using Kerberos or NTLM if domain authentication is configured. If the user cannot be transparently authenticated, ISA Server requests the user credentials. If the user request comes from a Web proxy client, and the access rule requires authentication, ISA Server requests the user credentials. If the user request comes from a SecureNAT client, the user is not authenticated, but all other network and access rules are still applied.

3. ISA Server checks the network rules to verify that the two networks are connected. If no network relationship is defined between the two networks,

the request is refused.

4. If the network rules define a connection between the source and destination networks, ISA Server processes the access rules. The rules are applied in order of priority as listed in the ISA Server Management interface. If an allow rule allows the request, then the request is forwarded without checking any additional access rules. If no access rule allows the request, the final default access rule is applied, which denies all access.

5. If the request is allowed by an access rule, ISA Server checks the network rules again to determine how the networks are connected. ISA Server checks the Web chaining rules (if a Web proxy client requested the object) or the firewall chaining configuration (if a SecureNAT or Firewall Client requested the object) to determine how the request will be serviced.

6. The request is forwarded to the Internet Web server.

2.2 TYPE OF NETWORKS AND NETWORK RELATIONSHIPS AND ISA SERVER CLIENTS:

The default type of networks,

• VPN Clients- Built-in dynamic network object representing client computers connected to ISA Server via VPN.
• Internal- Network representing the internal network, i.e. 10.12.00.00 -10.12.255.254.
• Local Host- Built-in network object representing the ISA Server computer
• Quarantined VPN Clients- Built-in dynamic network representing client computers connecting to ISA Server via VPN that are currently quarantined.
• Perimeter- Network object representing a perimeter network (also known as DMZ, demilitarized zone, and screened subnet).
• External- Network object representing the Internet.

There are two types of network relationships:

ISA Server provides secure access to internet for all of its clients. ISA server has three type of clients:

• Firewall clients: Firewall clients are computers that have firewall client software installed and enabled. When computer with firewall client software installed makes a request for resources on internet, the request is directed to firewall service on ISA server computer. The firewall service will authenticate and authorize the user and filter the request based on firewall rules and application filters and other add-ins. The Firewall service may also cache the requested object or serve the object from the ISA server cache using web proxy filter. Firewall clients provide highest level of functionality.
• SecureNAT clients: SecureNAT clients are computers that dont have firewall client installed. Instead, SecureNAT clients are configured to route all requests for resources on other networks to an internal IP address on the computer running ISA server. If the network includes only a single segment, the SecureNAT client is configured to use the internal IP address on the computer running ISA server as the default gateway. Requests from SecureNAT clients are directed first to the network address translation (NAT) driver, which substitutes the ISA server external IP address for the internal IP address of the SecureNAT client. The client request is then directed to firewall service to determine if the access is allowed. Finally, the request maybe filtered by application filters and other extensions. The firewall service may cache the request object or deliver the object to ISA server cache. You need to configure only the default gateway of the client computers.
• Web Proxy Clients: They are any computers that run CERN-compatible web application such as web browsers. Requests from the web proxy clients are directed to firewall service on the ISA server computer to determine if the access is allowed. The firewall service may also cache the requested object or serve the object from the ISA server web cache. The web application must be configured to use the ISA server.

2.3. CONFIGURING THE ISA SERVER AS PROXY AND FIREWALL:

All the HTTP requests pass through the web proxy component on ISA server, regardless of the client type. To configure the ISA server as proxy, expand the Configuration, and then Networks, and click the network whose web access properties you would like to configure, this is usually the internal network. Click Edit the selected Network, and in the Web Proxy Tab, ensure that Enable Web Proxy Clients is selected, and you can configure in this tab the following:

• Enable HTTP: Configure the ISA Server to listen on the HTTP connections on specified port, i.e. 80 or 8080
• Enable SSL: Configures ISA server to listen on for HTTPS connections on specified port number. If you enable SSL, you must also configure a Certificate that will be used for SSL authentication and encryption. Web browsers cant use this setting but can be used for web chaining.
• Authentication method: Configure methods of authentication supported by ISA server.
• Requires all users to authenticate: Configure ISA server to allow only authenticated users to access other networks. If you choose this option, SecureNAT will not be able to access the internet using ISA server.
• Authentication domain: Configure the default domain that will be used for authentication when using Basic, Digest, or Remote Authentication Dial-In User service (RADIUS) authentication.
• Number of connections: Configure the number of users that can connect to ISA server at one time.
• Connection timeout: Configures the connection timeout for idle connections.