Microsoft Virtual Labs ®
Configuring Outbound Internet Access
Table of Contents
Configuring Outbound Internet Access ... 1
Exercise 1 Allowing Outbound Web Access from Client Computers ... 2
Exercise 2 Enabling the Use of the Ping Command from Client Computers ... 6
Exercise 3 Allowing Outbound Access from the ISA Server ... 8
Exercise 4 Configuring ISA Server 2006 for Flood Resiliency ... 10
Objectives
After completing this lab, you will be better able to:
• Configure ISA Server to allow outbound Web access for client computers on the internal network.
• Configure ISA Server to allow ICMP network traffic, used by the Ping command, from client computers on the internal network.
• Configure ISA Server to allow outbound access from the ISA Server computer.
• Configure ISA Server to block a large number of TCP connections from the same IP address.

Estimated Time to Complete This Lab: 60 Minutes

Computers used in this Lab: Denver, Paris, Istanbul
The password for the Administrator account on these computers is: password.
Page 1 of 13
Exercise 1: Allowing Outbound Web Access from Client Computers

Scenario: In this exercise, you will configure ISA Server to allow outbound Web access for client computers on the internal network.

Complete the following task on: Denver
Note: Perform the following steps on the Denver computer.

1. On the Denver computer, test your connectivity by opening Internet Explorer and attempting to connect to http://istanbul.fabrikam.com.
   a. On the Denver computer, open Internet Explorer. In the Address box, type http://istanbul.fabrikam.com, and then press Enter.
   Note: Internet Explorer is unable to connect to the Web site.
   b. Look at the bottom of the Web page and view the reason why the Web page cannot be displayed.
   Note: ISA Server denies the request (502 Proxy Error - ISA Server denied the specified URL). This is because you have not created any access rules yet.
   Note: The firewall policy on ISA Server always contains a rule named Default rule. This rule denies all network traffic. This means that ISA Server denies any network traffic that you did not specifically allow in another rule.
   c. Close Internet Explorer.

Complete the following 4 tasks on: Paris
Note: Perform the following steps on the Paris computer.

2. On the Paris computer, create a new access rule.
   Name: Allow outbound Web traffic
   Applies to: HTTP, HTTPS, FTP
   From network: Internal
   To network: External

   a. On the Paris computer, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.
   Note: The ISA Server console opens.
   b. In the ISA Server console, expand Paris, and then select Firewall Policy.
   c. In the right pane, on the Firewall Policy tab, select Default rule.
   Note: It is a good practice to always select an existing rule before creating a new rule, to indicate where the new rule is added in the list.
   d. In the task pane, on the Tasks tab, click Create Access Rule.
   Note: Instead of using the task pane, you can also right-click Firewall Policy, click New, and then click Access Rule.
   e. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow outbound Web traffic, and then click Next.
   f. On the Rule Action page, select Allow, and then click Next.
   g. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.
   Note: The Add Protocols dialog box appears.
   h. In the Add Protocols dialog box:
      • click Common Protocols, click HTTP, and click Add,
      • click HTTPS, and click Add,
      • click Web, click FTP, and click Add,
      and then click Close to close the Add Protocols dialog box.
   Note: Notice that the same protocols can be listed under multiple headings in the Add Protocols dialog box.
   i. On the Protocols page, click Next.
   j. On the Access Rule Sources page, click Add.
   Note: The Add Network Entities dialog box appears.
   k. In the Add Network Entities dialog box:
      • click Networks, click Internal, and click Add,
      and then click Close to close the Add Network Entities dialog box.
   l. On the Access Rule Sources page, click Next.
   m. On the Access Rule Destinations page, click Add.
   n. In the Add Network Entities dialog box:
      • click Networks, click External, and click Add,
      and then click Close to close the Add Network Entities dialog box.
   o. On the Access Rule Destinations page, click Next.
   p. On the User Sets page, click Next.
   q. On the Completing the New Access Rule Wizard page, click Finish.
   Note: A new firewall policy rule is created that allows the FTP, HTTP and HTTPS protocols from the Internal network to the External network for all users.
   Note: The new rule has not been applied yet.

3. Apply the changes.
   a. Click Apply to apply the new rule, and then click OK.

4. Examine the network rule for connectivity between the Internal network and the External network.
   a. In the left pane, expand Configuration, and then select Networks.
   b. In the right pane, on the Network Rules tab, select the rule that defines the connectivity between the Internal network and the External network.
   Note: In the default configuration for the 3-Leg Perimeter network template, the network rule named Internet Access (rule 5) indicates that network traffic between the Internal network and the External network will use NAT.

5. Examine the Web Proxy settings of the Internal network.
   a. On the Networks tab, right-click Internal, and then click Properties.
   b. In the Internal Properties dialog box, select the Web Proxy tab.
   Note: The Enable Web Proxy clients check box indicates that ISA Server listens (on port 8080) for requests from Web Proxy clients on the Internal network.
   c. Click Cancel to close the Internal Properties dialog box.

Complete the following task on: Denver
Note: Perform the following steps on the Denver computer.

6. On the Denver computer, test your connectivity again by opening Internet Explorer and connecting to http://istanbul.fabrikam.com, and by establishing an FTP session with istanbul.fabrikam.com.
   a. On the Denver computer, open Internet Explorer. In the Address box, type http://istanbul.fabrikam.com, and then press Enter.
   Note: Internet Explorer displays the Istanbul Web site. The access rule that you created grants access to network traffic to the Istanbul Web server.
   b. In Internet Explorer, on the Tools menu, click Internet Options.
   c. In the Internet Options dialog box, on the Connections tab, click LAN Settings.
   Note: Notice that Denver is indeed configured as a Web Proxy client.
   d. Click Cancel to close the Local Area Network (LAN) Settings dialog box.
   e. Click Cancel to close the Internet Options dialog box.
   f. Close Internet Explorer.
   g. Open a Command Prompt window.
   h. At the command prompt, type ftp istanbul.fabrikam.com, and then press Enter.
   Note: The FTP server on Istanbul prompts you to log on. This result confirms that you can connect using the FTP protocol.
   i. Press Ctrl-C to close the FTP session.
   j. If the ftp> prompt appears, type quit, and then press Enter.
   k. Close the Command Prompt window.

Complete the following 2 tasks on: Paris
Note: Perform the following steps on the Paris computer.

7. On the Paris computer, create a new Computer Set rule element.
   Name: Restricted Internal Computers
   Included in the set: 10.1.1.5-10.1.1.8 (Domain Controllers)

   a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
   b. In the task pane, on the Toolbox tab, in the Network Objects section, right-click Computer Sets, and then click New Computer Set.
   c. In the New Computer Set Rule Element dialog box, in the Name text box, type Restricted Internal Computers.
   d. Click Add, and then click Address Range.
   e. In the New Address Range Rule Element dialog box, complete the following information:
      • Name: Domain Controllers
      • Start Address: 10.1.1.5
      • End Address: 10.1.1.8
      • Description: DCs on the internal network
      and then click OK.
   Note: The example suggests that there are 4 domain controllers on the Internal network. The lab only has a single domain controller, named Denver (10.1.1.5).
   f. Click OK to close the New Computer Set Rule Element dialog box.
   Note: A new Computer Set rule element is created.

8. Create a new access rule.
   Name: Deny restricted computers
   Action: Deny
   Applies to: All outbound traffic
   From: Restricted Internal Computers
   To network: External

   a. In the Firewall Policy list, select the Allow outbound Web traffic rule.
   Note: The new rule will be added before the selected rule.
   b. In the task pane, on the Tasks tab, click Create Access Rule.
   c. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Deny restricted computers, and then click Next.
   d. On the Rule Action page, select Deny, and then click Next.
   e. On the Protocols page, in the This rule applies to list box, select All outbound traffic, and then click Next.
   f. On the Access Rule Sources page, click Add.
   g. In the Add Network Entities dialog box:
      • click Computer Sets, click Restricted Internal Computers, and click Add,
      and then click Close to close the Add Network Entities dialog box.
   h. On the Access Rule Sources page, click Next.
   i. On the Access Rule Destinations page, click Add.
   j. In the Add Network Entities dialog box:
      • click Networks, click External, and click Add,
      and then click Close to close the Add Network Entities dialog box.
   k. On the Access Rule Destinations page, click Next.
   l. On the User Sets page, click Next.
   m. On the Completing the New Access Rule Wizard page, click Finish.
   Note: A new firewall policy rule is created that denies all network traffic from the computers in the Restricted Internal Computers set to the External network.
   Note: The new rule is listed first in the firewall policy rule list.
   n. Click Apply to apply the new rule, and then click OK.

Complete the following task on: Denver
Note: Perform the following steps on the Denver computer.

9. On the Denver computer, test your connectivity again by opening Internet Explorer and attempting to connect to http://istanbul.fabrikam.com.
   a. On the Denver computer, open Internet Explorer. In the Address box, type http://istanbul.fabrikam.com, and then press Enter.
   Note: Internet Explorer is unable to connect to the Web site (502 Proxy Error). ISA Server denies access to the Istanbul Web site, because Denver (10.1.1.5) is in the Restricted Internal Computers set and is denied access by the new access rule.
   b. Close Internet Explorer.

Complete the following task on: Paris
Note: Perform the following steps on the Paris computer.

10. On the Paris computer, move the Allow outbound Web traffic rule before the Deny restricted computers rule.
   a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
   b. In the right pane, right-click the Allow outbound Web traffic rule (order 2), and then click Move Up.
   Note: The Allow outbound Web traffic rule (order 1) is now listed before the Deny restricted computers rule (order 2).
   c. Click Apply to save the changes, and then click OK.

Complete the following task on: Denver
Note: Perform the following steps on the Denver computer.

11. On the Denver computer, test your connectivity again by opening Internet Explorer and connecting to http://istanbul.fabrikam.com.
   a. On the Denver computer, open Internet Explorer. In the Address box, type http://istanbul.fabrikam.com, and then press Enter.
   Note: Internet Explorer displays the Istanbul Web site, even though the Firewall Policy list contains a rule that denies access from the Denver (10.1.1.5) computer.
   Note: To evaluate access, ISA Server follows the Firewall Policy rule order very strictly. Currently the Allow rule for Web traffic from Denver is listed before the Deny rule for all protocols from Denver.
   b. Close Internet Explorer.

Complete the following task on: Paris
Note: Perform the following steps on the Paris computer.

12. On the Paris computer, delete the Deny restricted computers access rule.
   a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
   b. In the right pane, right-click the Deny restricted computers rule, and then click Delete.
   c. Click Yes to confirm that you want to delete the rule.
   Note: The access rule is deleted.
   d. Click Apply to save the changes, and then click OK.
Exercise 2: Enabling the Use of the Ping Command from Client Computers

Scenario: In this exercise, you will configure ISA Server to allow ICMP network traffic, used by the Ping command, from client computers on the internal network.

Complete the following task on: Denver
Note: Perform the following steps on the Denver computer.

1. On the Denver computer, use the Ping command to test connectivity with istanbul.fabrikam.com.
   a. On the Denver computer, open a Command Prompt window.
   b. At the command prompt, type ping istanbul.fabrikam.com, and then press Enter.
   Note: The ping requests time out, because by default ISA Server does not allow outgoing ping requests (ICMP type 8 packets) from computers on the internal network to the Internet.
   c. Close the Command Prompt window.

Complete the following 2 tasks on: Paris
Note: Perform the following steps on the Paris computer.

2. On the Paris computer, create a new access rule.
   Name: Allow outbound Ping traffic
   Applies to: PING
   From network: Internal
   To network: External

   a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.
   b. In the right pane, select the first rule to indicate where the new rule is added to the rule list.
   c. In the task pane, on the Tasks tab, click Create Access Rule.
   d. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow outbound Ping traffic, and then click Next.
   e. On the Rule Action page, click Allow, and then click Next.
   f. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.
   g. In the Add Protocols dialog box:
      • click Common Protocols, click PING, and click Add,
      and then click Close to close the Add Protocols dialog box.
   Note: The PING protocol definition is ICMP protocol, ICMP type 8.
   h. On the Protocols page, click Next.
   i. On the Access Rule Sources page, click Add.
   j. In the Add Network Entities dialog box:
      • click Networks, click Internal, and click Add,
      and then click Close to close the Add Network Entities dialog box.
   k. On the Access Rule Sources page, click Next.
   l. On the Access Rule Destinations page, click Add.
   m. In the Add Network Entities dialog box:
      • click Networks, click External, and click Add,
      and then click Close to close the Add Network Entities dialog box.
   n. On the Access Rule Destinations page, click Next.
   o. On the User Sets page, click Next.
   p. On the Completing the New Access Rule Wizard page, click Finish.
   Note: A new firewall policy rule is created that allows the ICMP protocol, ICMP type 8, from the Internal network to the External network for all users.
   q. Click Apply to apply the new rule, and then click OK.

3. Examine the PING protocol definition.
   a. In the task pane, on the Toolbox tab, in the Protocols section, expand Common Protocols, right-click PING, and then click Properties.
   b. In the PING Properties dialog box, select the Parameters tab.
   Note: A protocol definition for a firewall policy rule can use other protocols than only TCP (IP protocol 6) or UDP (IP protocol 17).
   c. Click Cancel to close the PING Properties dialog box.

Complete the following task on: Denver
Note: Perform the following steps on the Denver computer.

4. On the Denver computer, use the Ping command to test connectivity with istanbul.fabrikam.com again.
   a. On the Denver computer, open a Command Prompt window.
   b. At the command prompt, type ping istanbul.fabrikam.com, and then press Enter.
   Note: The Istanbul computer returns four echo replies, because ISA Server allows outgoing echo requests from the computers on the internal network to the Internet.
   Note: All firewall policy rules are stateful. This means that a single rule allows the request and the corresponding reply to the sender.
   c. Close the Command Prompt window.

Complete the following task on: Istanbul
Note: Perform the following steps on the Istanbul computer.

5. On the Istanbul computer, use the Ping command to test connectivity with the ISA Server.
   a. On the Istanbul computer, open a Command Prompt window.
   b. At the command prompt, type ping 39.1.1.1, and then press Enter.
   Note: The ping requests time out, because ISA Server does not allow incoming ping requests from computers on the Internet. The Allow outbound Ping traffic access rule only allows replies to earlier outgoing ping requests to come in from the Internet.
   c. Close the Command Prompt window.
Exercise 3: Allowing Outbound Access from the ISA Server

Scenario: In this exercise, you will configure ISA Server to allow outbound access from the ISA Server computer.

Complete the following 6 tasks on: Paris
Note: Perform the following steps on the Paris computer.

1. On the Paris computer, test your connectivity by attempting to establish an FTP session with istanbul.fabrikam.com.
   a. On the Paris computer, open a Command Prompt window.
   b. At the command prompt, type ftp istanbul.fabrikam.com, and then press Enter.
   Note: After one minute, the ftp command times out ("Host is unreachable"). By default, ISA Server does not allow an FTP connection from the ISA Server to the Internet.
   c. At the ftp> prompt, type quit, and then press Enter.
   d. Close the Command Prompt window.

2. Create a new access rule.
   Name: Allow FTP from firewall
   Applies to: FTP
   From network: Local Host
   To network: External

   a. In the ISA Server console, in the left pane, select Firewall Policy.
   b. In the right pane, select the first rule to indicate where the new rule is added to the rule list.
   c. In the task pane, on the Tasks tab, click Create Access Rule.
   d. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow FTP from firewall, and then click Next.
   e. On the Rule Action page, click Allow, and then click Next.
   f. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.
   g. In the Add Protocols dialog box:
      • click Web, click FTP, and click Add,
      and then click Close to close the Add Protocols dialog box.
   h. On the Protocols page, click Next.
   i. On the Access Rule Sources page, click Add.
   j. In the Add Network Entities dialog box:
      • click Networks, click Local Host, and click Add,
      and then click Close to close the Add Network Entities dialog box.
   Note: The Local Host network represents the ISA Server computer.
   k. On the Access Rule Sources page, click Next.
   l. On the Access Rule Destinations page, click Add.
   m. In the Add Network Entities dialog box:
      • click Networks, click External, and click Add,
      and then click Close to close the Add Network Entities dialog box.
   n. On the Access Rule Destinations page, click Next.
   o. On the User Sets page, click Next.
   p. On the Completing the New Access Rule Wizard page, click Finish.
   Note: A new firewall policy rule is created that allows the FTP protocol from the ISA Server to the External network for all users.
   q. Click Apply to apply the new rule, and then click OK.

3. Test your connectivity again by establishing an FTP session with istanbul.fabrikam.com.
   a. Open a Command Prompt window.
   b. At the command prompt, type ftp istanbul.fabrikam.com, and then press Enter.
   Note: The FTP server on Istanbul prompts you to log on. This result confirms that you can connect using the FTP protocol.
   c. Press Ctrl-C to close the FTP session.
   d. If the ftp> prompt appears, type quit, and then press Enter.
   Note: ISA Server uses firewall policy rules to define access between any defined networks, including traffic that starts or ends at the ISA Server computer itself (the Local Host network).
   e. Close the Command Prompt window.

4. Show the System Policy Rules in the Firewall Policy.
   a. In the ISA Server console, in the left pane, select Firewall Policy.
   b. In the task pane, on the Tasks tab, click Show System Policy Rules.
   Note: In the right pane, 30 predefined access rules to or from the Local Host network are shown. These are called System Policy Rules.
   Note: ISA Server 2006 Enterprise Edition has four more system policy rules (31 to 34), which specifically apply to traffic to and from ISA Server arrays.

5. Test your connectivity by opening Internet Explorer and connecting to http://istanbul.fabrikam.com, and by using the Ping command to istanbul.fabrikam.com and to denver.contoso.com.
   a. Open Internet Explorer. In the Address box, type http://istanbul.fabrikam.com, and then press Enter.
   Note: Internet Explorer is unable to connect to the Web site (Error 403 Forbidden - ISA Server denied the specified URL).
   b. Close Internet Explorer.
   Note: System policy rules 18, 19, 23, 26, 29 and 30 all list outgoing Web access (HTTP) from the ISA Server (Local Host). However, rules 23, 26 and 30 only apply to specific destinations (watson.microsoft.com, microsoft.com, windows.com, windowsupdate.com and remote management computers), and rules 18, 19 and 29 are disabled unless updated certificate revocation lists (CRLs) are downloaded (18), HTTP connectivity verifiers for monitoring are created (19), or scheduled download jobs are defined (29).
   Note: If you want to allow outgoing Web access from the ISA Server to the Istanbul Web server, you have to create a new access rule.
   c. Open a Command Prompt window.
   d. At the command prompt, type ping istanbul.fabrikam.com, and then press Enter.
   Note: The Istanbul computer on the External network returns four echo replies.
   e. At the command prompt, type ping denver.contoso.com, and then press Enter.
   Note: The Denver computer on the Internal network returns four echo replies.
   f. Close the Command Prompt window.
   Note: System policy rule 12 allows outgoing Ping from the ISA Server to all networks.

6. Hide the System Policy Rules in the Firewall Policy.
   a. In the ISA Server console, in the left pane, select Firewall Policy.
   b. In the task pane, on the Tasks tab, click Hide System Policy Rules.
   Note: In the right pane, the System policy rules are hidden again.
   c. Close the ISA Server console.
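The first-match evaluation behind Exercises 1 to 3 (the rule order that decides Denver's access in Exercise 1, the PING protocol definition and the denied inbound ping in Exercise 2, the Local Host network in Exercise 3), as an added Python model that is not part of the lab and not ISA Server code. The network membership ranges, the evaluator itself and the placeholder address used for Istanbul are assumptions made for this example; the lab gives Denver as 10.1.1.5 and the ISA Server addresses as 10.1.1.1 and 39.1.1.1, and connection state is not modelled.

```python
"""Added model of ISA Server 2006 first-match firewall policy evaluation.

Not part of the lab or of ISA Server. Network membership, the placeholder
Istanbul address and the evaluator itself are assumptions made for this
example; ISA Server also tracks connection state, which is left out here.
"""
import ipaddress
from dataclasses import dataclass

ANY = "*"   # stands for "All outbound traffic" / any network

# Network objects as address ranges (constructed lab topology).
NETWORK_OBJECTS = {
    "Internal": [("10.1.1.0", "10.1.1.255")],
    "Local Host": [("10.1.1.1", "10.1.1.1"), ("39.1.1.1", "39.1.1.1")],  # the ISA Server's own addresses
    "Restricted Internal Computers": [("10.1.1.5", "10.1.1.8")],           # Computer Set from Exercise 1
}

# Protocol definitions: (IP protocol, TCP port or ICMP type), as shown on the Parameters tab.
PROTOCOLS = {"HTTP": ("tcp", 80), "HTTPS": ("tcp", 443), "FTP": ("tcp", 21), "PING": ("icmp", 8)}


def in_network(ip, name):
    """True if ip belongs to the named network object."""
    ip = ipaddress.ip_address(ip)
    if name == "External":   # External is everything not covered by another network
        return not (in_network(ip, "Internal") or in_network(ip, "Local Host"))
    if name == "Internal" and in_network(ip, "Local Host"):
        return False         # the ISA Server's own addresses belong to Local Host, not Internal
    return any(ipaddress.ip_address(lo) <= ip <= ipaddress.ip_address(hi)
               for lo, hi in NETWORK_OBJECTS[name])


@dataclass
class AccessRule:
    name: str
    action: str          # "Allow" or "Deny"
    protocols: object    # list of protocol definition names, or ANY
    sources: list        # network object names
    destinations: list

    def matches(self, src, dst, ip_proto, value):
        if self.protocols != ANY and (ip_proto, value) not in {PROTOCOLS[p] for p in self.protocols}:
            return False
        if not any(n == ANY or in_network(src, n) for n in self.sources):
            return False
        return any(n == ANY or in_network(dst, n) for n in self.destinations)


DEFAULT_RULE = AccessRule("Default rule", "Deny", ANY, [ANY], [ANY])   # always last, denies the rest


def evaluate(policy, src, dst, ip_proto, value):
    """Return (action, rule name) of the first rule, in list order, that matches the traffic."""
    for rule in [*policy, DEFAULT_RULE]:
        if rule.matches(src, dst, ip_proto, value):
            return rule.action, rule.name


# The rules created in the lab, under the names the lab gives them.
ALLOW_WEB = AccessRule("Allow outbound Web traffic", "Allow", ["HTTP", "HTTPS", "FTP"], ["Internal"], ["External"])
DENY_RESTRICTED = AccessRule("Deny restricted computers", "Deny", ANY, ["Restricted Internal Computers"], ["External"])
ALLOW_PING = AccessRule("Allow outbound Ping traffic", "Allow", ["PING"], ["Internal"], ["External"])
ALLOW_FTP_FW = AccessRule("Allow FTP from firewall", "Allow", ["FTP"], ["Local Host"], ["External"])

DENVER, ISA_EXTERNAL = "10.1.1.5", "39.1.1.1"
ISTANBUL = "203.0.113.10"   # constructed placeholder; the lab never states Istanbul's address


def lab_walkthrough():
    """Replay the connectivity tests of Exercises 1 to 3 against the policy as it stands at each step."""
    http, ping, ftp = ("tcp", 80), ("icmp", 8), ("tcp", 21)
    return {
        "ex1 no rules, Denver HTTP":    evaluate([], DENVER, ISTANBUL, *http),
        "ex1 allow Web, Denver HTTP":   evaluate([ALLOW_WEB], DENVER, ISTANBUL, *http),
        "ex1 Deny listed first":        evaluate([DENY_RESTRICTED, ALLOW_WEB], DENVER, ISTANBUL, *http),
        "ex1 Allow moved up":           evaluate([ALLOW_WEB, DENY_RESTRICTED], DENVER, ISTANBUL, *http),
        "ex2 Denver pings Istanbul":    evaluate([ALLOW_PING, ALLOW_WEB], DENVER, ISTANBUL, *ping),
        "ex2 Istanbul pings 39.1.1.1":  evaluate([ALLOW_PING, ALLOW_WEB], ISTANBUL, ISA_EXTERNAL, *ping),
        "ex3 ISA FTP, no rule":         evaluate([ALLOW_PING, ALLOW_WEB], ISA_EXTERNAL, ISTANBUL, *ftp),
        "ex3 ISA FTP, Local Host rule": evaluate([ALLOW_FTP_FW, ALLOW_PING, ALLOW_WEB], ISA_EXTERNAL, ISTANBUL, *ftp),
    }


if __name__ == "__main__":
    for step, (action, rule) in lab_walkthrough().items():
        print(f"{step:30} -> {action:5} ({rule})")
```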
Exercise 4: Configuring ISA Server 2006 for Flood Resiliency

Scenario: In this exercise, you will configure ISA Server to block a large number of TCP connections from the same IP address.
Note: This exercise applies to new functionality in ISA Server 2006.

Complete the following 4 tasks on: Paris
Note: Perform the following steps on the Paris computer.

1. On the Paris computer, examine the flood mitigation settings.
   a. On the Paris computer, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.
   Note: The ISA Server console opens.
   b. In the ISA Server console, in the left pane, expand Paris, expand Configuration, and then select General.
   c. In the right pane, under Additional Security Policy, click Configure Flood Mitigation Settings.
   Note: ISA Server 2006 can help stop the flooding of connections from three different kinds of attacks:
      • Worm propagation - A computer on the internal network starts sending out network packets to different IP addresses on the Internet.
      • TCP denial-of-service attack - An attacker sends out TCP packets in order to use up all the resources at the firewall, or at a server behind the firewall.
      • HTTP denial-of-service attack - A computer on the internal network sends a very large number of HTTP requests over the same connection.
   Note: In all these cases, the Firewall Engine component of ISA Server limits the number of connections, connection requests, and half-open connections per minute, or per rule, from a particular IP address.
   d. In the Flood Mitigation dialog box, on the Flood Mitigation tab, click the second Edit button.
   Note: As an example of a limit, ISA Server allows a maximum of 160 concurrent TCP connections from the same IP address. There is also a custom limit (400) that applies to a set of exception IP addresses.
   e. Click Cancel to close the Flood Mitigation Settings dialog box.
   f. In the Flood Mitigation dialog box, select the IP Exceptions tab.
   Note: You can specify the IP addresses of computers to which the custom limit applies.

2. Disable the logging of network traffic blocked by flood mitigation settings.
   a. In the Flood Mitigation dialog box, select the Flood Mitigation tab.
   b. Clear the Log traffic blocked by flood mitigation settings check box.
   Note: To avoid overwhelming the log file with identical block entries after the flood mitigation settings have blocked an attack, you can disable the logging of those blocked network connections.
   c. Click OK to close the Flood Mitigation dialog box.

3. Create a new access rule.
   Name: Allow Web access (Flood)
   Applies to: HTTP
   From network: Internal
   To network: External

   a. In the left pane, select Firewall Policy.
   b. In the right pane, select the first rule, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.
   c. In the task pane, on the Tasks tab, click Create Access Rule.
   d. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow Web access (Flood), and then click Next.
   e. On the Rule Action page, select Allow, and then click Next.
   f. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.
   g. In the Add Protocols dialog box:
      • click Common Protocols, click HTTP, and click Add,
      and then click Close to close the Add Protocols dialog box.
   h. On the Protocols page, click Next.
   i. On the Access Rule Sources page, click Add.
   j. In the Add Network Entities dialog box:
      • click Networks, click Internal, and click Add,
      and then click Close to close the Add Network Entities dialog box.
   k. On the Access Rule Sources page, click Next.
   l. On the Access Rule Destinations page, click Add.
   m. In the Add Network Entities dialog box:
      • click Networks, click External, and click Add,
      and then click Close to close the Add Network Entities dialog box.
   n. On the Access Rule Destinations page, click Next.
   o. On the User Sets page, click Next.
   p. On the Completing the New Access Rule Wizard page, click Finish.
   Note: A new firewall policy rule is created that allows the HTTP protocol from the Internal network to the External network.

4. Apply the changes.
   a. Click Apply to apply the changes, and then click OK.

Complete the following 4 tasks on: Denver
Note: Perform the following steps on the Denver computer.

5. On the Denver computer, configure Internet Explorer not to use a proxy server.
   a. On the Denver computer, open Internet Explorer.
   b. In Internet Explorer, on the Tools menu, click Internet Options.
   c. In the Internet Options dialog box, on the Connections tab, click LAN Settings.
   d. In the Local Area Network (LAN) Settings dialog box, clear the Use a proxy server for your LAN check box, and then click OK.
   Note: When you configure Internet Explorer to use a proxy server, all HTTP connections to the ISA Server use the same connection to the Web Proxy TCP port 8080. In this exercise, you use two Internet Explorer windows, which should count as two separate connections.
   e. Click OK to close the Internet Options dialog box.

6. Use Internet Explorer to connect to http://istanbul.fabrikam.com/web.asp.
   a. In Internet Explorer, in the Address bar, type http://istanbul.fabrikam.com/web.asp, and then press Enter.
   Note: Internet Explorer displays the content of the web.asp page from Istanbul. This is a single TCP connection from the Denver computer.
   b. Do not close Internet Explorer.

7. Use the C:\Tools\tcpflooder.vbs tool to create 200 concurrent TCP connections.
   a. Use Windows Explorer (or My Computer) to open the C:\Tools folder.
   Note: The Tools folder contains a script named tcpflooder.vbs, which attempts to set up 200 connections to IP addresses 42.1.0.0 through 42.1.19.9.
   Note: By default, ISA Server allows a maximum of 160 concurrent TCP connections from the same IP address.
   b. Right-click tcpflooder.vbs, and then click Open.
   c. Click Yes to confirm that you want to start TCP Flooder.
   Note: Please wait 10 seconds while TCP Flooder attempts to set up the 200 TCP connections.
   Note: The IP addresses on the 42.1.0.0 network do not exist in the lab environment, but Denver will set up a maximum of 160 TCP connections with ISA Server. ISA Server blocks the remaining 40 TCP connections.
   d. Click OK to acknowledge that 200 TCP connections are created.
   e. Close the Tools folder.

8. In Internet Explorer, refresh the existing Web page, and attempt to create a second connection to http://istanbul.fabrikam.com/web.asp.
   a. In the Internet Explorer window, on the toolbar, click the Refresh button.
   Note: If the Internet Explorer connection has not timed out yet, the Server time on the Web page changes. That is an indication that the page refreshed successfully.
   Note: Even though ISA Server has blocked new connections from Denver (10.1.1.5), existing connections, such as the one in the Internet Explorer window, can still be used.
   b. On the Start menu, click All Programs, and then click Internet Explorer.
   Note: A second Internet Explorer window opens.
   c. In Internet Explorer, in the Address box, type http://istanbul.fabrikam.com/web.asp, and then press Enter.
   Note: ISA Server blocks new connections from 10.1.1.5. After a few moments, Internet Explorer displays an error page to indicate that it cannot display the page.
   d. Close the Internet Explorer windows.
   Note: ISA Server blocks traffic based on the flood mitigation settings for 60 seconds. To avoid the situation where an attacker uses a large number of network packets with a spoofed sender IP address to intentionally block another computer, ISA Server first completes a TCP three-way handshake to verify that the sender IP address is not spoofed.

Complete the following 3 tasks on: Paris
Note: Perform the following steps on the Paris computer.

9. On the Paris computer, examine the flooding alert.
   a. On the Paris computer, in the ISA Server console, in the left pane, select Monitoring.
   b. In the right pane, select the Alerts tab.
   c. In the task pane, on the Tasks tab, click Refresh Now.
   d. In the alert list, expand the Concurrent TCP Connections from One IP Address Limit Exceeded alert, and then select the alert line below it.
   Note: Notice in the Alert Information description that ISA Server identifies which IP address (10.1.1.5) exceeded the configured limit of concurrent TCP connections. This information allows you to further investigate the cause of the high number of connection attempts.

10. Configure the log viewer filter conditions:
   Log Time: Last Hour
   Client IP: Equals 10.1.1.5
   Destination IP: Greater or Equal 42.1.0.0

   a. In the right pane, select the Logging tab.
   Note: You may (temporarily) need to close the task pane in order to see the Logging tab.
   b. In the task pane, on the Tasks tab, click Edit Filter.
   c. In the Edit Filter dialog box, in the conditions list, select the Log Time - Live condition.
   d. In the Condition drop-down list box, select Last Hour, and then click Update.
   Note: The condition is changed to Log Time - Last Hour.
   e. Complete the following information:
      • Filter by: Client IP
      • Condition: Equals
      • Value: 10.1.1.5
      and then click Add To List.
   f. Complete the following information:
      • Filter by: Destination IP
      • Condition: Greater or Equal
      • Value: 42.1.0.0
      and then click Add To List.
   g. Click Start Query to close the Edit Filter dialog box.
   Note: After a few moments, the log viewer displays all log entries from 10.1.1.5 to the 42.1.0.0 network from the last hour. The most recent log entry is listed first.
   h. Scroll to the top of the list of log entries.
   Note: Notice that the most recent log entry is for a connection to an IP address close to 42.1.15.9. That is exactly 160 concurrent TCP connections. The last IP address may be a little lower if ISA Server had existing connections, or a little higher if ISA Server had already closed a few TCP connections.
   Note: To avoid overwhelming the log file with identical block entries, you configured Flood Mitigation not to log traffic that is blocked by the flood mitigation settings (all connections to IP addresses from about 42.1.16.0 through 42.1.19.9).
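The per-IP concurrent connection limit, the 60-second block, the alert, the logging check box and the log viewer filter from tasks 6 to 10, as an added Python model that is not ISA Server code and not the lab's tcpflooder.vbs. It replays one web.asp connection from Denver (10.1.1.5), the 200 flooder destinations 42.1.0.0 through 42.1.19.9 and the filter from task 10; the Istanbul address is a constructed placeholder and time is a plain number of seconds. Because the open web.asp connection counts toward the limit of 160, the newest logged destination comes out as 42.1.15.8, the "a little lower if ISA Server had existing connections" case of the note above.

```python
"""Added model of ISA Server 2006 flood mitigation (concurrent TCP connections per IP).

Not ISA Server code and not the lab's tcpflooder.vbs. It replays Exercise 4
tasks 6 to 10 with constructed inputs: the Istanbul address is a placeholder
and time is a plain number of seconds.
"""
import ipaddress
from collections import defaultdict

DEFAULT_LIMIT = 160   # ISA default: concurrent TCP connections from one IP address
CUSTOM_LIMIT = 400    # custom limit for addresses listed on the IP Exceptions tab
BLOCK_SECONDS = 60    # new connections from the offending address are refused this long
ALERT_NAME = "Concurrent TCP Connections from One IP Address Limit Exceeded"


class FloodMitigation:
    def __init__(self, ip_exceptions=(), log_blocked=True):
        self.ip_exceptions = {ipaddress.ip_address(a) for a in ip_exceptions}
        self.log_blocked = log_blocked      # "Log traffic blocked by flood mitigation settings"
        self.open_conns = defaultdict(set)  # src -> set of destinations currently open
        self.blocked_until = {}             # src -> time at which the block expires
        self.log = []                       # (time, result, src, dst)
        self.alerts = []                    # (time, alert name, offending IP)

    def limit_for(self, src):
        return CUSTOM_LIMIT if ipaddress.ip_address(src) in self.ip_exceptions else DEFAULT_LIMIT

    def connect(self, src, dst, now):
        """New TCP connection whose three-way handshake completed, so src is known not to be
        spoofed. Returns True if the connection is allowed."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if self.blocked_until.get(src, 0) > now:
            return self._block(now, src, dst)
        if len(self.open_conns[src]) >= self.limit_for(src):
            self.blocked_until[src] = now + BLOCK_SECONDS
            self.alerts.append((now, ALERT_NAME, str(src)))
            return self._block(now, src, dst)
        self.open_conns[src].add(dst)
        self.log.append((now, "allowed", src, dst))
        return True

    def _block(self, now, src, dst):
        if self.log_blocked:   # the lab clears this box so the log is not flooded with block entries
            self.log.append((now, "blocked", src, dst))
        return False

    def reuse(self, src, dst):
        """Existing connections stay usable while new ones from the same source are blocked."""
        return ipaddress.ip_address(dst) in self.open_conns[ipaddress.ip_address(src)]


def filter_log(log, client_ip, dest_min, since):
    """The task 10 log viewer filter: Client IP Equals, Destination IP Greater or Equal,
    Log Time within the window; most recent entry first."""
    client_ip, dest_min = ipaddress.ip_address(client_ip), ipaddress.ip_address(dest_min)
    hits = [e for e in log if e[0] >= since and e[2] == client_ip and e[3] >= dest_min]
    return sorted(hits, key=lambda e: e[0], reverse=True)


DENVER = "10.1.1.5"
ISTANBUL = "203.0.113.10"   # constructed placeholder; the lab does not state Istanbul's address


def run_lab_scenario(log_blocked=False):
    """Tasks 6 to 10: one web.asp connection, 200 flooder attempts, refresh, second window, filter."""
    fm = FloodMitigation(log_blocked=log_blocked)
    start = 1000.0
    fm.connect(DENVER, ISTANBUL, start)                       # task 6: first IE window
    # task 7: tcpflooder.vbs walks 42.1.0.0 .. 42.1.19.9 (200 addresses, last octet 0-9) in 10 s
    flood = [fm.connect(DENVER, f"42.1.{i // 10}.{i % 10}", start + 1 + i * 0.05) for i in range(200)]
    refresh_ok = fm.reuse(DENVER, ISTANBUL)                   # task 8a: refresh the open page
    second_ok = fm.connect(DENVER, ISTANBUL, start + 15)      # task 8c: second IE window
    recent = filter_log(fm.log, DENVER, "42.1.0.0", since=start - 3600)   # task 10
    return {
        "flood_allowed": flood.count(True),
        "flood_blocked": flood.count(False),
        "refresh_ok": refresh_ok,
        "second_window_ok": second_ok,
        "alert_ips": [ip for _, _, ip in fm.alerts],
        "newest_logged_dst": str(recent[0][3]),
        "blocked_logged": sum(1 for e in fm.log if e[1] == "blocked"),
    }


if __name__ == "__main__":
    for key, value in run_lab_scenario().items():
        print(f"{key:18}: {value}")
```

Running it with log_blocked=True shows the log growing by one entry per refused attempt, which is what clearing the check box in task 2 avoids.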
11. Restore the log viewer filter conditions:
   Log Time: Live
   Client IP: (remove)
   Destination IP: (remove)

   Note: The following tasks are needed to avoid conflicts with other lab exercises.
   a. In the task pane, on the Tasks tab, click Edit Filter.
   b. In the Edit Filter dialog box, in the conditions list, select Log Time - Last Hour.
   c. In the Condition drop-down list box, select Live, and then click Update.
   Note: The condition is changed to Log Time - Live.
   d. In the conditions list, select the Destination IP condition, and then click Remove.
   e. In the conditions list, select the Client IP condition, and then click Remove.
   f. Click Start Query to close the dialog box.
   g. In the task pane, on the Tasks tab, click Stop Query.

Complete the following task on: Denver
Note: Perform the following steps on the Denver computer.

12. On the Denver computer, configure Internet Explorer to use a proxy server.
   a. On the Denver computer, open Internet Explorer.
   b. In Internet Explorer, on the Tools menu, click Internet Options.
   c. In the Internet Options dialog box, on the Connections tab, click LAN Settings.
   d. In the Local Area Network (LAN) Settings dialog box, complete the following information:
      • Use a proxy server for your LAN: enable
      • Address: 10.1.1.1
      • Port: 8080
      • Bypass proxy server for local addresses: enable
      and then click OK to close the Local Area Network (LAN) Settings dialog box.
   e. Click OK to close the Internet Options dialog box.
   f. Close Internet Explorer.