ISA Server安全與速度的完美結(jié)合

企業(yè)級效勞器ISAServer

平安與速度的完美結(jié)合MICROSOFT北京維諾爾計算機網(wǎng)絡(luò)技術(shù)有限公司袁子能ISASERVER技術(shù)支Tel:8847243013011035647

E-mail:yuanzineng@平安問題日益增加所有數(shù)據(jù)來自/stats*2001Q1-Q3惡意行為的增長ISASERVERISAServerEditions

ISAServerStandardEditionISAServerEnterpriseEdition功能標準版企業(yè)版▲服務(wù)器的建置單機運作多機的集中管理▲原則的設(shè)定(policysupport)服務(wù)器本機服務(wù)器陣列▲硬件支持4顆CPU無限制Web緩存▲擴展性適合小型企業(yè)適合中大型企業(yè)▲分散式與階層式緩存僅階層式皆有統(tǒng)一的管理▲Windows?2000ActiveDirectory整合有限完全▲多層次原則無有▲多服務(wù)器管理無有Microsoft?ISAServer2000標準版與企業(yè)版功能比較表安裝ISAServer硬件和軟件的要求選擇安裝模式指定緩存尺寸配置LAT表UpgradingfromMicrosoftProxyServer2.0IdentifyingHardwareandSoftwareRequirementsHardDiskSpace20MBWindows2000Server,

Windows2000AdvancedServer,or

WindowsDatacenterHardDiskFormatNTFSInternalAdapterExternalAdapterActiveDirectoryArraysRAM256MBCPU300MHz

orhigherInstallationModes

CacheModeFirewallModeIntegratedModeMicrosoftISAServerStatusSelectthemodeforthisserver:FirewallmodeSelectthisoptiontoinstallenterprisefirewall

functionality.CachemodeSelectthisoptiontoinstallcacheandWebhosting

functionality.Cachemodeinstallationisrecommendedonlyforcomputers

thatarenotdirectlyconnectedtotheInternet.Ifthis

computerisdirectlyconnectedtotheInternet,installISA

Serverinintegratedmode.IntegratedmodeSelectthisoptiontoinstallintegratedenterprise

firewall,cache,andWebhostingfunctionality.ContinueExitSetup

Selecting

anInstallationModeMicrosoftInternetSecurityandAccelerationServerSetupSetuphasstoppedyourIISpublishingservice(W3SVC).AfterSetupis

complete,uninstallIISorreconfigureallIISsitesnottouseports80and

8080.OKHelpHelpMicrosoftInternetSecurityandAccelerationServerSetupSpecifytheNTFSdrivesonwhichcachesshouldbelocated

andthemaximumsizeofeachcache.Drive: C:[NTFS]Availablespace(MB) 28722Cachesize(MB): 100Totalcachesize(MB): 100MBOKSetDrive [FileSystem] MaximumSize(MB)C: [NTFS] 100CancelHelpSpecifyingtheInitialCacheSizeC: [NTFS] 100Initialcachesizeis100MB.Add0.5MBforeachWebProxyclient.MicrosoftInternetSecurityandAccelerationServerSetupEntertheIPaddressrangesthatspantheinternalnetworkaddressspace.InternalIPranges:From ToEditFromToAdd->Remove->OKCancelHelp00192.168.255MicrosoftInternetSecurityandAccelerationServerSetupEntertheIPaddressrangesthatspantheinternalnetworkaddressspace.InternalIPranges:From ToEditFromToAdd->Remove->Toconstructalocaladdresstable,clickConstruct

Table.ConstructTable…OKCancelHelpConfiguringtheLAT

ClickConstruct

Tabletoconstructalocaladdresstable.1SelectoptionstoaddprivateIPaddressrangesorroutingtableentries.21921681200192168255255Toconstructalocaladdresstable,clickConstruct

Table.ConstructTable…LocalAddressTableSelecttheaddressranges(basedontheWindows2000routingtable)forinclusionin

thelocaladdresstable(LAT).TheLATshouldincludealltheaddressesinyou

internalnetwork.Addthefollowingprivateranges:10.xxx,192.168.xxand172.16.xx-

173.31.xxand169.254.xx..AddaddressrangesbasedontheWindows2000RoutingTableSelecttheaddressrangesthatareassociatedwiththefollowing

internalnetworkadapters:MSLoopBackDriver 293ComEtherLinkPCI(Micros… 00OKCancelHelpCard IPAddressesVerifytheIPaddressesthatdisplayinthelocaladdresstable.3MaintainingtheLATandLDTInternetISAServer00

0000

0025Msplat.txtMsplat.txtClientsUpgradingfrom

MicrosoftWindowsNTUpgradetoWindows2000ProxyServer2.0UpgradingfromMicrosoftProxyServer2.0UpgradingClientComputersPort80Client

RequestsPort

8080ISAServer2000ProxyServer2.0ISAServerWinsockProxyClients

andFirewallClientsISAServer接入形式BastionHost(堡壘型)PerimeterNetworkwithThree-HomedFirewall(三宿主〕PerimeterNetworkwithBack-to-BackFirewalls(背靠背)InternetInternalNetworkFirewallBastionHostPerimeterNetworkwithThree-HomedFirewall

FirewallInternetPerimeterNetworkInternalNetworkPerimeterNetworkwithBack-to-BackFirewalls

ISASRV

ISASRVPerimeterNetworkInternetBranchOffice/SmallBusinessFirewallBranchOfficeor

SmallBusiness實際連接PerceivedConnectionInternetISAServerISA的設(shè)計目標

Secure,fastInternetconnectivityAccelerationFastWebAccesswithaHigh-PerformanceCacheSecuritySecureInternetConnectivityThroughaMultilayeredFirewallManagementExtensibilityUnifiedManagementwithIntegratedAdministration

ExtensibleandOpenPlatform

需求1:平安的Internet訪問多層次控制方式的防火墻(Multilayer)入侵檢測功能(IntrusionDetection)支持DMZ區(qū)(DMZZone)效勞器發(fā)布功能(ServerPublishing)集成的VPN功能(IntegrationVPN)支持動態(tài)包過濾(DynamicFilter)支持NAT“平安鎖緊〞功能(SystemHarden)支持負載均衡多層次過濾的防火墻

由下至上–保護每個層次IP層〔封包過濾〕靜態(tài)過濾動態(tài)端口過濾協(xié)議層基于會話的過濾基于連接的控制應(yīng)用層智能的內(nèi)容探測協(xié)議層Circuit

level應(yīng)用層Application

levelIP層Packet

levelIP包過濾利用IP包頭信息分析IP包內(nèi)容SrcDstpayloadport源地址?目標地址?內(nèi)容是什么?請求的端口號需要什么服務(wù)）?IPHeaderUDP/TCPHDRPayload協(xié)議級的平安控制會話與連接之間的關(guān)系智能的監(jiān)測和控制主連接效勞器客戶端主連接第二連接應(yīng)用層的平安控制智能檢查支持內(nèi)容的過濾和鎖定防范的平安漏洞ClientSMTP:VRFY*CompanyserverDNS:ZoneattackHTTP:Virus!HTTP:ForbiddensiteInternetFiltersandNetworkAccess

Streaming

Media

SMTP

DNSIntrusion

Firewall

AccessPolicy

Allow

HTTP

AllDestinations

InternalNetworkExternalNetworkRulesAppliedStreaming

Media

SMTP

處理外出客戶端請求

Isthereasiteandcontentrulethatdeniestherequest?Isthereaprotocolrulethatdeniestherequest?RequestfrominternalclientDenyrequestRetrieveobjectIsthereaprotocolrulethatallowstherequest?YesNoNoYesYesNoNoIsthereasiteandcontentrulethatallowstherequest?YesNoYesDoesanIPpacketfilter

blocktherequest?Doesaroutingrulespecifyroutingtoan

upstreamserver?YesRouteto

upstreamserverNo入侵檢測功能

IntrusionDetectionIPPacket–LevelAttacks檢測和預(yù)警AlltypesofPortScanIPHalfScanAttackPingofdeathUDPbombattackWinNukeLandattacks應(yīng)用層攻擊

DNSHostnameOverflowDNSLengthOverflowDNSZoneTransferfromPrivilegedPorts(1–1024)DNSZoneTransferfromHighPorts(Above1024)POPBufferOverflowConfiguringIntrusionDetection

IPPacketFiltersPropertiesGeneralOKCancelEnabledetectionoftheselectedattacks:PacketFiltersPPTPWindowsout-of-band(WinNuke)LandPingofdeathIPhalfscanUDPbombPortscanIntrusionDetectionDetectafterattackson 10 well-knownportsDetectafterattackson 20 portsToreceivealertsaboutintrusionattacks,seethepropertiesfor

specificalertsintheAlertsfolder.IntrusiondetectionfunctionalitybasedontechnologyfromInternetSecuritySystems,Inc.,Atlanta,GA,USA,ApplyDNSintrusiondetectionfilterPropertiesGeneralOKCancelFilterincomingtrafficforthefollowing:AttacksDNShostnameoverflowDNSlengthoverflowDNSzonetransferfromprivilegedports(1-1024)DNSzonetransferfromhighports(above1024)ApplySelectAttacksSelecttheoptionsthatarerequiredtoimplementyourmonitoringstrategy.檢測到入侵后可以采取的行動記入系統(tǒng)日志發(fā)送郵件執(zhí)行特定的應(yīng)用程序終止特定的效勞啟動特定的效勞ISA和Proxy2.0不同的發(fā)布機制Proxy2.0 *依賴IIS效勞 *被發(fā)布的效勞器需要安裝ProxyClient.

*不支持SSL橋接技術(shù)

ISA*完全獨立運行的效勞,可以完全把IIS卸載。*被發(fā)布的效勞器無需安裝任何軟件?！苍O(shè)置為SecureNET客戶端〕*支持端口的重定向(PortMapping)*支持SSL橋接技術(shù)(SSLBridging)PublishingInternet

ExternalAdapterInternalAdapterWebServerInternalNetworkPublishingServersonaBack-to-BackPerimeterNetwork

LAT

Internal

Network

LAT

Perimeter

Network

WebServerSQLServerInternalNetworkPerimeterNetworkISAServerISAServerInternetPublishingaServer

NametheRuleSpecifyAddressMappingSelectaProtocolSettingSelectaClientTypeStartFinishPublishingaMailServerMailServerSecurityWizardMailServicesSelection

Selectthemailservicesthatyouwouldliketopublishtoyourexternalusers<BackPublishthesemailservices:Default

AuthenticationSSL

AuthenticationIncomingSMTP ApplycontentfilteringOutgoingSMTPIncomingMicrosoftExchange/OutlookIncomingPOP3IncomingIMAP4IncomingNNTPNext>CancelSelecttoapplycontentfilteringtoincomingSMTPtraffic.GuidelinesforUsingPublishingIfyournetworkDoesnothaveaperimeternetworkHasaback-to-backperimeternetworkconfigurationHasathree-homedperimeternetworkconfigurationThenuse

ServerpublishingServerpublishingonbothISAServercomputersRoutingandpacketfilteringbetweentheInternetandperimeternetwork;serverpublishingbetweentheinternalandperimeternetworksNetworkLoadBalancing

InternetCacheCacheISAServerArrayPublishedServerCacheVPNUnderstandingVPNsConnectingRemoteUserstoaCorporateNetworkConnectingRemoteNetworkstoaLocalNetwork

ConnectingRemoteUsers

toaCorporateNetwork

VPNTunnelISAServer

ComputerRemoteUserInternetCorporateNetwork

ConnectingRemoteNetworks

toaLocalNetwork

VPNTunnelISAServer

ComputerRemoteNetworkInternetLocalNetworkISAServer

ComputerConfiguringaVPNtoAcceptClientConnections

ISAVPNServerWizardISAVirtualPrivateNetwork(VPN)ServerSummary

ISAVirtualPrivateNetwork(VPN)ServercanacceptVPNconnectionsfrom

remoteclientsovertheInternet.<BackTheServerwillbeconfiguredwiththepropertieslistedbelow:ConfigureRoutingandRemoteAccessServerasVirtualPrivateNetwork(VPN)Enforcesecuredauthenticationandencryptionmethods.OpenstaticpacketfiltersforallowingPPTPandL2TPoverIPSECprotocols.Thenumberofportsavailableforclientstoconnectis128,butthisnumbercanbeNext>Liststheconfigurationpropertiessetbythewizard.ConfiguringaLocalVPNIdentifytheConnectionsSelecttheProtocol(s)SpecifyCommunicationSpecifyRemoteAddressesSpecifyLocalAddressesSaveConfigurationFileStartFinish

ConfiguringaRemoteVPN

RemoteISAVPNWizardISAVPNComputerConfigurationFile Specifythe.vpcfiletousewhensettingupandconfiguringtheISAVirtualPrivate

Network(VPN)computer.The.vpcfileincludesinformationabouttheremoteISA

VPNcomputer.<BackCancelSpecifythe.vpcfiletouseforsettingupandconfiguringtheISAVPNcomputer.The.vpcfileincludesinformationabouttheremoteISAVPNcomputer.Filename

Browse…Typethepasswordtodecrypttheconfigurationfile.PasswordSpecifythepathandfilenameforthe.vpcfile.Typethepasswordforthefile.Next>需求2:快速的Web訪問改進的存儲和檢索機制內(nèi)存緩存(RAMcaching)主動的和定時的內(nèi)容下載支持陣列(Array&CARP)層次化的緩存系統(tǒng)緩存的類型正向緩存反向緩存分布式緩存InternalNetworkInternalNetworkCacheCacheCacheCacheCacheWebServerInternetInternetInternetTheForwardCachingProcess

GETwww.bjwne.comGETGETwww.bjwne.comObjectissentfromInternetObjectissentfromcacheClient1Client2ISAServerCache12345InternetReverseCaching(互聯(lián)網(wǎng)

企業(yè))InternetISA服務(wù)器CacheWeb伺服器吸收Web負載的沖擊ISA扮演Web代理效勞器ProcessingRequestsforCachedObjectsRAMDiskCacheDirectoryObjectsObjects1Requesthttp://URLAhttp://URLA3http://URLACacheDirectoryBackupCacheEntry1CacheEntry12主動的和定時的內(nèi)容下載以目標生存時間為根底ISA自動分析緩存內(nèi)容的壽命ISA自動下載并更新緩存內(nèi)容使用撥號訪問Internet的用戶應(yīng)考慮使用定時下載內(nèi)容的方式BranchOffice/SmallBusinessOfficeCacheServerISAServerMainOfficeSmallBusinessCacheCacheBranchOfficeISAServerInternet企業(yè)緩存效勞InternetCorporateNetworkCacheCacheCacheISAServerArrayConfiguringHTTPCachingCacheConfigurationPropertiesGeneralOKCancelApplyNolessthan: 15 MinutesNomorethan: 1 DaysEnableHTTPCachingUnlesssourcespecifiesexpiration,updatesource:RestoreDefaultsHTTPFTPActiveCachingAdvancedFrequently(Expireimmediately)NormallyLessfrequently(Reducednetworktrafficisimportant)SetTimeToLive(TTL)ofobjectincacheto:Thispercentageofcontentage 20

(Timesincecreationofmodification):SelecttoenableHTTPcaching.CacheConfigurationPropertiesGeneralOKCancelEnableFTPcachingRestoreDefaultsHTTPFTPActiveCachingAdvancedConfiguringFTPCachingSpecifyatimeforFTPobjectstoremaininthecache.ApplyTimetoLiveforallobjects:1440 MinutesCacheConfigurationPropertiesGeneralOKCancelApplyEnableactiveCachingActivecachingautomaticallyretrievesfrequentlyaccessedfiles.RestoreDefaultsHTTPFTPActiveCachingAdvancedFrequently

(Clientperformanceismoreimportant)Normally

(Clientperformanceandreducednetworktrafficareequally

important)Lessfrequently

(Reducednetworktrafficismoreimportant)Retrievefiles:Configuring

ActiveCachingSelecttocreateanactivecachingpolicy.CacheConfigurationPropertiesGeneralOKCancelApplyEnableactiveCachingActivecachingautomaticallyretrievesfrequentlyaccessedfiles.RestoreDefaultsHTTPFTPActiveCachingAdvancedFrequently

(Clientperformanceismoreimportant)Normally

(Clientperformanceandreducednetworktrafficareequally

important)Lessfrequently

(Reducednetworktrafficismoreimportant)Retrievefiles:ConfiguringAdvancedCacheSettingsCacheConfigurationPropertiesGeneralOKCancelApplyRestoreDefaultsHTTPFTPActiveCachingAdvancedMaximumsizeofURLcachedinmemory(bytes): 12800Donotreturntheexpiredobject(returnanerrorpage)Returntheexpiredobjectonlyifexpirationwas:AtlessthatthispercentageoforiginalTime 50

toLive:Butnomorethan(minutes): 60 IfWebsiteofexpiredobjectcannotbereached:Percentageofavailablememorytouseforcaching: 50Do

notcacheobjectslargerthan: 1 KBCacheobjectsthathaveanunspecifiedlastmodificationtimeCacheobjectseveniftheydonothaveanHTTPstatuscodeof200Cachedynamiccontent(objectswithquestionmarksintheURL)Selecttoconfigurecachesettingsforspecificobjects.需求３：統(tǒng)一和靈活的管理基于規(guī)那么的管理方式靈活和方便的客戶端部署賬號可以和Win2000活動目錄集成基于MMC的管理界面完善的日志,報表功能可訂制的報警功能帶寬控制機制(QoS)多種幫助向?qū)Х奖愕陌惭b過程創(chuàng)立策略元素PolicyElementOverviewCreatingSchedulesCreatingBandwidthPrioritiesCreatingDestinationSetsCreatingClientAddressSetsCreatingProtocolDefinitionsCreatingContentGroupsNewscheduleName: LunchHoursandWeekendsDescription:

Usethisscheduletopermitaccesstosites

lunchhoursandweekends.OKCancelCreatingSchedules

ClickActivetoaddportionsoftheweek,orclickInactivetoremoveportionsoftheweek.Settheactivationtimesforrulesthatarebasedonthisschedule.12·2·4·6·8·10·12·2·4·6·8·10·12AlSundayMondayTuesdayWednesdayThursdayFridaySaturdaySundayfrom12AMto12AMActiveInactiveCreatingBandwidthRulesNametheRuleSelecttheProtocol(s)SelectaScheduleSelectaClientTypeSelectaDestinationTypeSelectaContentGroupSelectBandwidthPriorityStartFinishCreatingBandwidthPrioritiesNewBandwidthPriorityName:Description

(optional):OKCancelBasicPriorityAssignshighprioritytoincomingtraffic.Outboundbandwidth(1-2000): Inboundbandwidth(1-200): 20NewBandwidthPriorityName:Description

(optional):OKCancelHighPriorityAssignshighprioritytoincomingtraffic.Outboundbandwidth(1-2000): Inboundbandwidth(1-200): 30CreatingSiteandContentRulesNametheRuleSpecifytheRuleActionSelectaDestinationSetSelectaScheduleSelectaClientTypeStartFinishCreatingDestinationSetsRemoveNewDestinationSetName: PartnerWebDescription

(optional):CancelIncludethesecomputers:Name/IPRange PathOKEdit…Add…Add/EditDestinationComputername: nwtraders.msftIPaddresses:CancelToincludeaspecificdirectoryinthedestinationset,typethepath

below.Toincludeallthefiles,usethisformat:/dir/*.Toselectaspecificfile,usethisformat:/dir/filename.Path:/sales/accounts.xlsOKBrowse…From:To(optional):Creating

ClientAddressSetsEditRemoveClientSetName: SupportStaffDescription

(optional): Selecttheaddressesofcomputersthatbelongtothisclient

addressset.Members:From ToAdd…CancelOKAdd/EditIPAddressesClientsetIPaddresses:CancelOKFrom: 192.168.101.0To: 192.168.101.255CreatingProtocolRulesNametheRuleSpecifytheRuleActionSelecttheProtocol(s)SelectaScheduleSelectaClientTypeFinishStartCreatingProtocolDefinitions

Typeanumberbetweenbetween1and65535tospecifytheportnumber.CreatingContentGroupsISAServerincludesseveralpreconfiguredcontentgroups.ISAManagementAction ViewTreeName Description ContentTypesInternetSecurityandAccelerationServer ServersandArrays LONDON Monitoring Computer AccessPolicy Publishing BandwidthRules PolicyElements Schedules BandwidthPriorities DestinationSets ClientAddressSets ProtocolDefinitionsApplication Applications application/hta.application/x-internet-signup.application/x-pkcs7-certificApplicationDataFiles Filescontainingdataforapplications application/x-mscardfile.application/x-perform.application/x-msclip.applAudio Audiofiles audio.*,.ra,.ram,.rmi,.au,.snd,.aif,.aifc,.wav,.m3u,.mid,.mp3CompressedFiles CompressedFiles application/x-gzip,application/x-tar,application/x-gtar,application/x-comDocuments Documents text/tab-separated-values,text/xml,text/h323,application/postscript,applHTMLDocuments HTMLDocuments text/webviewhtml,text/html,.htm,.html,.htt,.stm,.xslImages Allknowntypesofimages .cod,.cmx,.ief,.pbm,.pnm,.ppm,.gif,.bmp,.jfif,.jpe,.jpg,.jpeg,.ico,.pgm,.rasMacroDocuments Documentsthatmaycontainmacr… application/msword,application/vnd.ms-excel,application/x-msaccess,aText Textcontent .txt,.h,.c,.htc,.vcf,.etx,.uls,.css,.bas,.rtx,text/plain,text/x-component,text/Video Videofiles video/*,.asf,.asr,.asx,.avi,.ivf,.lsf,.lsx,.mov,.movie,.mlv,.mp2,.mpa,.mpe,.VRML VRML x-world/x-vrml,.flr,.wrl,.wrz,.xaf,.xof認證模式BasicAuthenticationDigestAuthenticationIntegratedWindowsAuthenticationClientCertificateAuthenticationAuthenticationOverviewInternetISAServerSecureNATClientNouser-basedauthentication.FirewallClientAuthenticationisbasedonclientcredentials.WebProxyClientAuthenticationisdependenton

browserandoperatingenvironment.ConfiguringAuthenticationforOutgoingWebRequestsLONDONArrayPropertiesGeneralIncomingWebRequestsSecurityOKCancelAdd…ApplyPerformanceEnableSSLlistenersTCPport: 8080SSLport: 8443ConnectionsOutgoingWebRequestsAutoDiscoveryIdentificationUsethesamelistenerconfigurationforallinternalIPaddresses.ConfigurelistenersindividuallyperIPaddressServer IPAddress DisplayN…Authentic… ServerC…LONDON <Allinternal IntegratedRemoveEdit…Configure…Connectionsettings:AskunauthenticatedusersforidentificationConfiguringAuthenticationMethodsLONDONArrayPropertiesGeneralIncomingWebRequestsSecurityOKCancelAdd…ApplyPerformanceEnableSSLlistenersTCPport: 8080SSLport: 8443ConnectionsOutgoingWebRequestsAutoDiscoveryIdentificationUsethesamelistenerconfigurationforallinternalIPaddresses.ConfigurelistenersindividuallyperIPaddressServer IPAddress DisplayN…Authentic… ServerC…LONDON <Allinternal IntegratedRemoveEdit…Configure…Connectionsettings:AskunauthenticatedusersforidentificationCancelOKServer: LONDONIPAddress: <AllinternalIPaddresses>DisplayName:UseaservercertificatetoauthenticatetowebclientsSelect…AuthenticationBasicwiththisdomain:Digestwiththisdomain:IntegratedClientcertificate(securechannelonly)Selectdomain…Selectdomain…Add/EditListenersAdjustingCacheSizeLONDONPropertiesCacheDrivesLONDONOKCancelApplySet100Maximumcachesize(MB):Totaldiskspace(MB): 39064Totalmaximumcachesize(MB): 100Specifythesizeofthecache.urlcacheFile Edit View Favorites Tools HelpBackdir1 FileFolder 9/6/20009:43PMdir1 100,800KB MicrosoftISAServerCacheFile 9/18/20009:28PMSearchFoldersHistoryGoName Size Type ModifiedAddressurlcacheurlcacheSelectanitemtoviewits

descriptionSeealso:

MyDocuments

MyNetworkPlaces2object(s)98.4MBMyComputerThe.cdatfileonthedrivewillbethesamesizeasthecache.

Drive Type Diskspace… Freespace… CacheSize…AdjustingMemoryAllocationCacheConfigurationPropertiesGeneralOKCancelApplyRestoreDefaultsHTTPFTPActiveCachingAdvancedMaximumsizeofURLcachedinmemory(bytes): 12800Donotreturntheexpiredobject(returnanerrorpage)Returntheexpiredobjectonlyifexpirationwas:AtlessthatthispercentageoforiginalTime 50

toLive:Butnomorethan(minutes): 60 If

Websiteofexpiredobjectcannotbereached:Percentageofavailablememorytouseforcaching: 50Donotcacheobjectslargerthan: 1 KBCacheobjectsthathaveanunspecifiedlastmodificationtimeCacheobjectseveniftheydonothaveanHTTPstatuscodeof200Cachedynamiccontent(objectswithquestionmarksintheURL)Typeanumberbetween1and100tospecifythemaximumpercentageofmemory.由上至下的規(guī)那么實施結(jié)構(gòu)策略的級別EnterpriseArrayStand-alone策略可以強制組合提升ArrayArrayEnterpriseStand-aloneArrayArrayPromotePromoteActiveDirectory企業(yè)級陣列級在規(guī)那么實施上的關(guān)系Enterprise

PolicyISA

Server1ISA

Server2ISA

Server3ISA

Server4ISA

Server5ISA

Server6Array

Policy1Array

Policy2Array

Policy3ISA

Server7Standalo

Configuration

CombiningEnterprisePoliciesandArrayPolicies

PropertiesGeneralOKCancelUsearraypolicyonlyApplySpecifywhetherenterprisepoliciesshouldbeenabledforthisarray.Then,selecttheenterprisepolicyyouwanttoapply.AllowpublishingrulesForcepacketfilteringonthearrayOutgoingWebRequestsIncomingWebRequestsPoliciesAutoDiscoveryPerformanceSecurityUsedefaultenterprisepolicysettingsUsecustomenterprisepolicysettingsUsethisenterprisepolicy:EnterprisePolicy1Allowarray-levelaccessrulesthatrestrictenterprisepolicySelectthisoptiontoallowarray-levelsettings.CachArrayRoutingProtocol

Internetarray.dll?Get.Info.v1

WebProxyClientServer2Server1Server3Server4Server5Server1Server2

Server3

Server4Server5

ArrayMembershipListConfiguringCARP(CacheArrayRoutingProtocol)LONDONPropertiesOKCancelAdd…ApplyGeneralOutgoingWebRequestsIncomingWebRequestsPoliciesAutoDiscoveryPerformanceSecurityUsethesamelistenerconfigurationforallinternalIPaddresses.ConfigurelistenersindividuallyperIPaddressIdentificationEnableSSLlistenersServer IPAddress DisplayN… Authentic… ServerC…LONDON <Allinter… IntegratedRemoveEdit…TCPport: 8080SSLport: 8443Configure…AskunauthenticatedusersforidentificationResolverequestswithinarraybeforeroutingConnectionsConnectionsettingsSelecttoenableCARP.LONDONPropertiesOKCancelApplyGeneralArrayMembershipsUsethisIPaddressforintra-arraycommunication:Intra-arraycommunication131.107.3.1Find…Specifytheloadfactorforthisserver.Thisnumberindicatesthe

relativecacheavailabilityofthisservercomparedtotherestofthearraymembers:LoadFactor100ISA的客戶端管理3種客戶端類型WebProxyClientSecureNATClientFirewallClientInternetISAServerSecureNATClient Donotrequireyoutodeployclientsoftwareorconfigureclientcomputers.FirewallClientAllowInternetaccessonlyforauthenticatedusers.WebProxyClientImprovetheperformanceofWebrequestsforinternalclients.配置WebProxy客戶端SelecttheUseaproxyservercheckbox.TypetheportnumberinthePortbox,andthenclickOK.13LocalAreaNetwork(LAN)SettingsAutomaticconfigurationOKCancelAutomaticconfigurationmayoverridemanualsettings.Toensure

theuseofmanualsettings,disableautomaticconfiguration.AutomaticallydetectsettingsUseautomaticconfigurationscript008080

ProxyServerUseaproxyserverAddress:Port:BypassproxyserverforlocaladdressesTypetheIPaddressornameoftheISAServercomputerintheAddressbox.2ISAServer–Microsoft’sFirewall

ISAServer結(jié)構(gòu)zWebProxy

ClientSecureNAT

ClientFirewall

ClientLocal

Area

NetworkWebProxyServiceFirewall

ServiceWebFilterPacketFilteringThirdPartyFilterStreamingFilterSMTPFilterH.323FilterFTPFilterCacheInternetNAT

DriverHTTP

Redirector帶寬控制機制用來控制網(wǎng)絡(luò)的使用情況通過如下方式控制帶寬使用分級帶寬控制規(guī)那么帶寬控制機制能做什么限制多媒體信息在整個帶寬中的百分比授予指定的用戶更高的優(yōu)先級ISAServerAlertEventsISAManagementAction ViewTreeName Description Server EventInternetSecurityandAccelerationServer ServersandArrays LONDON Monitoring Computer AccessPolicy SiteandContentRules ProtocolRules IPPacketFilters Publishing BandwidthRules PolicyElements CacheConfiguration MonitoringConfiguration Alerts Logs ReportJobs Extensions ApplicationFilters WebFilters NetworkConfiguration ClientConfiguration H.323GatekeepersAlertactionfailure Theactionassociatedwiththisalertfa… PHOENIX AlertactionfailureCachecontainerinitializationerror Thecachecontainerinitializationfaile… PHOENIX CachecontainerinitializationCachecontainerrecoverycomplete Recoveryofasinglecachecontainer… PHOENIX Cachecontainerrecovery…Cachefileresizefailure Theoperationtoreducethesizeofthe… PHOENIX CachefileresizefailureCacheinitializationfailure TheWebcacheproxywasdisabledto… PHOENIX CacheinitializationfailureCacherestorationcompleted Thecachecontentrestorationwasco… PHOENIX CacherestorationcompletedCachewriteerror Therewasafailureinwritingcontent… PHOENIX CachewriteerrorCachedobjectdiscarded Duringcacherecovery,anobjectwith… PHOENIX CacheobjectdiscardedComponentloadfailure Failedtoloadanextensioncomponent… PHOENIX ComponentloadfailureConfigurationerror Anerroroccurredwhilereadingconfig… PHOENIX ConfigurationerrorDial-on-demandfailure Failedtocreateadial-on-demandcon… PHOENIX Dial-on-demandfailureDNSintrusion Ahostnameoverflow,lengthoverflow… PHOENIX DNSintrusionEventlogfailure Anattempttologtheeventinformaito… PHOENIX EventlogfailureFirewallcommunicationfailure Thereisafailureincommunicationbet… PHOENIX Client/servercommunica..Intrusiondetected Anintrusionwasattemptedbyanexte… PHOENIX IntrusiondetectedInvaliddial-on-demandcredentials Dial-on-demandcredentialsareinvalid PHOENIX Invaliddial-on-demandcr..InvalidODBClogcredentials Thespecifiedusernameorpassword… PHOENIX InvalidODBClogcredent…IPpacketdropped IPpacketwasdro