HP ProLiant DL320
Firewall/VPN/Cache Server
User Guide
Running Microsoft® Internet Security and Acceleration Server 2004
June 2005 (Third Edition) Part Number 341672-003
© Copyright 2004, 2005 Hewlett-Packard Development Company, L.P.
Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s standard commercial license.
The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Microsoft, Windows, and Windows NT are U.S. registered trademarks of Microsoft Corporation.

Contents

Introduction ................................................................................................... 5
Initial Setup Considerations......................................................................... 6
Firewall Lockdown Mode .................................................................................................. 6
Affected Functionality ..................................................................................................7
Leaving Lockdown Mode.............................................................................................8
Internal Network Overview................................................................................................ 8
Computer Name and Administrator Password................................................................... 9
Workgroup and Domain Name Considerations................................................................ 10
The ProLiant DL320 Firewall/VPN/Cache Server Internal IP Address........................... 12
DNS Server Address on the Internal Interface ................................................................. 14
Custom Network Adapter Configurations........................................................................ 16
Configuring the External IP Address......................................................... 17
Setting Up the ProLiant DL320 Firewall/VPN/Cache Server .................... 18
Enabling the Web Listener............................................................................................... 18
Enabling the Firewall Client Listener............................................................................... 20
Creating an Internet Access Rule ..................................................................................... 21
HP Virus Throttle ............................................................................................................. 23
Configuring Virus Throttle .........................................................................................23
Available Verified Third-Party Applications and Plug-Ins.............................................. 24
Suggested Third-Party Applications...........................................................................25
Additional Documentation Available from HP................................................................ 25
Managing and Maintaining the Firewall..................................................... 26
Windows Update .............................................................................................................. 27
Remote Desktop ............................................................................................................... 27
Remote ProLiant DL320 Firewall/VPN/Cache Server Management Console................. 28
Remote Assistance ........................................................................................................... 29
Configuring Monitoring, Reporting, and Logging ........................................................... 30
Configuring Firewall Logging ....................................................................................30
Configuring Web Proxy Logging ...............................................................................31
HP ProLiant DL320 Firewall/VPN/Cache Server User Guide 3
Setting Up the Client Installation Share............................................................................32
Supporting Web Proxy and Firewall Client Automatic Discovery...................................33
DNS WPAD Entry .....................................................................................................33
DHCP Option 252 ...................................................................................................... 34
Configuring Time Synchronization............................................................ 36
Remote Access VPN......................................................................................................... 37
Disaster Recovery and Change Management........................................... 38
ProLiant DL320 Firewall/VPN/Cache Server Settings Backup and Restore ...................38
System Backup and Restore..............................................................................................39
Back to Factory Settings................................................................................................... 40
Scheduled Backups........................................................................................................... 41
ProLiant DL320 Firewall/VPN/Cache Server Network Services Support 42
DNS Server....................................................................................................................... 42
DHCP Server ....................................................................................................................44
Hardening Overview and Impact................................................................ 45
HP Customer Support................................................................................. 52

Introduction

HP ProLiant DL320 Firewall/VPN/Cache server running Microsoft® Internet
Security and Acceleration (ISA) Server 2004 Service Pack 1 is an advanced
application layer firewall, virtual private network (VPN), and Web cache solution
that enables existing IT investments to be maximized by improving network security
and performance. The ProLiant DL320 Firewall/VPN/Cache server is preinstalled
and hardened to provide secure connections to the Internet and enable a similar level
of security for remote access connections to resources on the protected network.
This guide focuses on important issues that should be considered before and after
installing the ProLiant DL320 Firewall/VPN/Cache server in the network. However,
this user guide is not a comprehensive guide to configuring all of the firewall features
of ProLiant DL320 Firewall/VPN/Cache server. In-depth coverage of the
ProLiant DL320 Firewall/VPN/Cache server and Web caching configuration is
included in the Help file, included with the product, on the Microsoft
ISA Server 2004 website at http://go.microsoft.com/fwlink/?LinkID=27332, and on the
ProLiant DL320 Firewall/VPN/Cache server website at
http://www.hp.com/servers/DL320FW-VPN-Cache.
This guide contains basic information about network configuration and setup. An
experienced firewall or network administrator will already be familiar with most of
the concepts and procedures in this guide. However, HP recommends a review of the
subjects covered in this guide because some of the subjects might be new or of
specific interest.

Initial Setup Considerations

Before beginning the ProLiant DL320 Firewall/VPN/Cache server setup, consider the following subjects so that the ProLiant DL320 Firewall/VPN/Cache server can provide the best level of security and accessibility.

Firewall Lockdown Mode

The ProLiant DL320 Firewall/VPN/Cache server is defending itself right out of the box by applying the Firewall Lockdown Mode. You can set up the ProLiant DL320 Firewall/VPN/Cache server while it is connected to the internal network and to the Internet because the Firewall Lockdown Mode is active.
A critical function of a firewall is to react to an attack. When an attack occurs, it might seem that the first line of defense is to disconnect from the Internet, isolating the compromised network from malicious outsiders. However, HP does not recommend this approach. Although the attack must be handled, normal network connectivity must be resumed as quickly as possible, and the source of the attack must be identified.
The lockdown feature introduced with ISA Server 2004 combines the need for isolation with the need to stay connected. Whenever the Microsoft firewall service is down, the ISA Server enters the lockdown mode, which occurs when:
• The server is starting up and the firewall service has not yet started.
• An event triggers the firewall service to shut down. When you configure alert definitions, you choose which events cause the firewall service to shut down.
• The firewall service is manually shut down. If an attack occurs while you are configuring the ISA Server computer, you can stop the firewall service yourself; the server then protects itself in lockdown mode while you handle the attack.

Affected Functionality

When in lockdown mode, the following functionality applies:
• The Firewall Packet Filter Engine (fweng) applies the firewall policy.
• The following system policy rules are still applicable:
— Allow Internet Control Message Protocol (ICMP) from trusted servers to the local host.
— Allow remote management of the firewall using Microsoft Management Console (MMC) (RPC through port 3847).
— Allow remote management of the firewall using Remote Desktop Protocol (RDP).
• Outgoing traffic from the local host network to all networks is allowed. If an outgoing connection is established, that connection can be used to respond to incoming traffic. For example, a Domain Name System (DNS) query can receive a DNS response on the same connection.
• No incoming traffic is allowed unless a system policy rule (listed previously) that specifically allows the traffic is enabled. The one exception is DHCP traffic, which is always allowed. That is, the UDP Send protocol on port 68 is allowed from all networks to the local host network. The corresponding UDP Receive protocol on port 67 is allowed.
• VPN remote access clients cannot access ISA Server. Similarly, access is denied to remote site networks in site-to-site VPN scenarios.
• Any changes to the network configuration while in lockdown mode are applied only after the firewall service restarts and ISA Server exits lockdown mode. For example, if you physically move a network segment and reconfigure ISA Server to match the physical changes, the new topology is in effect only after ISA Server exits lockdown mode.
• ISA Server does not trigger any alerts.
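The list above is easy to misread when an administrator is deciding whether a remote console, a DHCP lease or a client's browsing will still work while the firewall service is down. The following Python model is an added example, not code from HP or Microsoft: it encodes the lockdown rules as stated in this section and evaluates constructed sample flows against them. Port 3847 for MMC/RPC and UDP 67/68 for DHCP come from the text; the RDP port (3389), the trusted-server and remote-management addresses, and the VPN client range are assumptions made for the illustration.

```python
"""Lockdown-mode traffic evaluator (added example, not from the HP/Microsoft guide).

Models the traffic rules listed under "Affected Functionality" so an administrator
can predict which flows still work while the firewall service is stopped.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample topology (assumption, not from the guide).
LOCAL_HOST = {ip_address("192.168.2.1"), ip_address("203.0.113.10")}  # internal + external
TRUSTED_SERVERS = {ip_address("192.168.2.50")}        # hosts allowed to ICMP the firewall
REMOTE_MGMT_COMPUTERS = {ip_address("192.168.2.20")}  # admin workstation for MMC/RDP
VPN_CLIENTS_NET = ip_network("10.200.0.0/16")         # assumed remote-access client range

MMC_RPC_PORT = 3847   # from the guide
RDP_PORT = 3389       # assumption: standard Remote Desktop port


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str              # "tcp", "udp" or "icmp"
    dport: int = 0
    sport: int = 0
    established: bool = False   # reply on a connection the local host opened itself


def lockdown_verdict(f: Flow) -> str:
    """Return 'allow: ...' or 'deny: ...' for a flow while ISA Server is in lockdown."""
    src, dst = ip_address(f.src), ip_address(f.dst)

    # Outgoing traffic from the local host network to all networks is allowed.
    if src in LOCAL_HOST:
        return "allow: local host outbound"

    # Replies riding an outbound connection (e.g. a DNS answer) are allowed back in.
    if f.established and dst in LOCAL_HOST:
        return "allow: reply on established outbound connection"

    # VPN remote-access clients cannot access ISA Server in lockdown.
    if src in VPN_CLIENTS_NET:
        return "deny: VPN remote-access client"

    if dst in LOCAL_HOST:
        # DHCP is always allowed; the guide describes it as UDP between ports 68 and 67.
        if f.proto == "udp" and {f.sport, f.dport} == {67, 68}:
            return "allow: DHCP exception"
        if f.proto == "icmp" and src in TRUSTED_SERVERS:
            return "allow: system policy ICMP from trusted servers"
        if (f.proto == "tcp" and src in REMOTE_MGMT_COMPUTERS
                and f.dport in (MMC_RPC_PORT, RDP_PORT)):
            return "allow: system policy remote management"
        return "deny: no system policy rule matches inbound traffic"

    # Anything not covered above (including traffic destined for protected hosts)
    # has no rule that allows it while the firewall service is down.
    return "deny: no rule applies in lockdown"


if __name__ == "__main__":
    samples = [
        Flow("192.168.2.1", "198.51.100.53", "udp", dport=53, sport=1025),
        Flow("198.51.100.53", "203.0.113.10", "udp", dport=1025, sport=53, established=True),
        Flow("192.168.2.20", "192.168.2.1", "tcp", dport=MMC_RPC_PORT),
        Flow("192.168.2.99", "192.168.2.1", "tcp", dport=MMC_RPC_PORT),
        Flow("10.200.0.5", "192.168.2.1", "tcp", dport=MMC_RPC_PORT),
        Flow("198.51.100.7", "192.168.2.2", "tcp", dport=80),
    ]
    for s in samples:
        print(f"{s.src} -> {s.dst} {s.proto}/{s.dport}: {lockdown_verdict(s)}")
```

The evaluation order matters: the local-host outbound rule and the established-connection rule are checked before the inbound system-policy rules, which is why the firewall can still resolve DNS names for itself while no unsolicited inbound traffic, other than DHCP and the management rules, is accepted.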

Leaving Lockdown Mode

When the firewall service restarts, ISA Server exits lockdown mode and continues functioning as it did previously. Any changes made to the ISA Server configuration are applied after ISA Server exits lockdown mode.

Internal Network Overview

The internal network consists of addresses on the protected network that are not associated with a perimeter or external network interface. Addresses on the LAN are typically part of the internal network. The ProLiant DL320 Firewall/VPN/Cache server installation process depends on the correct configuration of the internal network adapter so that ProLiant DL320 Firewall/VPN/Cache server system policy is applied correctly. Network infrastructure services, such as Active Directory service domain controllers, internal DNS servers, DHCP servers, Microsoft Windows® Internet Name Service (WINS) servers, Terminal Services, ICMP, Common Internet File System (CIFS), and others depend on the correct configuration of the internal network.
Incorrect configuration of the internal network addresses could lead to a compromise of the ProLiant DL320 Firewall/VPN/Cache server.
The internal network consists of a collection of addresses representing a portion of a network ID, an entire network ID, or several network IDs. The internal network can represent all addresses accessible from one or more network adapters.

Computer Name and Administrator Password

Select a computer name for the ProLiant DL320 Firewall/VPN/Cache server. The name must be unique: no two computers on the network can have the same name. The computer name must be 15 characters or less in length and may contain only letters, numbers, and hyphens (spaces and other special characters are not allowed). Check the computer name against the organization's computer name inventory if the ProLiant DL320 Firewall/VPN/Cache server is installed on a larger network.
The administrator account has complete access to all components of the ProLiant DL320 Firewall/VPN/Cache server. Any person connecting to the ProLiant DL320 Firewall/VPN/Cache server with the administrator account can take control of the firewall and attack the network. Use a complex and difficult-to-guess password for the administrator account to help prevent attackers from easily guessing the password.
Write down the administrator password used for the ProLiant DL320 Firewall/VPN/Cache server and memorize it. After the ProLiant DL320 Firewall/VPN/Cache server installation is completed, store the written record in a protected location.
NOTE: If the ProLiant DL320 Firewall/VPN/Cache server will join a domain, be sure to comply with existing domain-wide password policy.

Workgroup and Domain Name Considerations

The ProLiant DL320 Firewall/VPN/Cache server can be joined to a workgroup, a Microsoft Windows Server 2003 domain, a Microsoft Windows 2000 Active Directory domain, or a Microsoft Windows NT® 4.0 domain. Add the ProLiant DL320 Firewall/VPN/Cache server to the Windows domain if a Windows Server 2003, Windows 2000 Active Directory, or Windows NT 4.0 domain already exists on your network.
An advantage of joining the ProLiant DL320 Firewall/VPN/Cache server to your domain includes the ability to assign permissions for Internet access on a domain user or group basis and centralized management of the firewall computer through Group Policy.
A disadvantage of joining the ProLiant DL320 Firewall/VPN/Cache server to the domain is that many firewall experts believe that joining the ProLiant DL320 Firewall/VPN/Cache server to the domain might reduce the overall level of protection that the firewall can provide to the network.
Join the ProLiant DL320 Firewall/VPN/Cache server to a Windows workgroup if there is not a Windows domain or if there is no need to join the ProLiant DL320 Firewall/VPN/Cache server to an already existing domain.
NOTE: When joining the ProLiant DL320 Firewall/VPN/Cache server to a Windows domain, the domain Group Policy can be applied to the firewall computer, possibly changing the level of security on the server. The server can be added to a workgroup and later added to a Windows domain after developing a better understanding of how Group Policy can potentially change the security configuration of the firewall.
1. Decide whether to join the ProLiant DL320 Firewall/VPN/Cache server to the Windows domain before installing the ProLiant DL320 Firewall/VPN/Cache server onto the network.
2. Record the name of your domain and the user name and password of a user that has permissions to add a computer to the domain.
3. If a Windows domain does not exist or if there is no need to join the ProLiant DL320 Firewall/VPN/Cache server to the Windows domain, record the name of the workgroup already in use on your LAN.
4. If a workgroup name is not already established for your LAN, use the workgroup name, WORKGROUP.
If the ProLiant DL320 Firewall/VPN/Cache server was not added to a Windows domain during initial setup, complete the following procedure to add the server to a domain anytime after the initial setup process is complete.
1. Select Start>Control Panel>System.
2. In the System Properties dialog box, click the Computer Name tab.
3. On the Computer Name tab, click Change.
4. In the Computer Name Changes dialog box, select Domain.
5. In the Domain text box, enter the name of the Windows domain to join, and click OK.
6. In the Computer Name Changes Authentication dialog box, enter the name and password of a user with permission to add computers to the domain, and click OK.
7. In the Computer Name Changes dialog box welcoming you to the domain, click OK.
8. In the Computer Name Changes dialog box informing that you must restart the computer for the changes to take effect, click OK.
9. In the System Properties dialog box, click OK.
10. In the System Settings Change dialog box prompting you to restart your computer now, click Yes.
The ProLiant DL320 Firewall/VPN/Cache server is now a member of the internal network domain and can use the user accounts contained in that Active Directory or Windows NT 4.0 domain and in the domains trusted by it.
The ProLiant DL320 Firewall/VPN/Cache Server Internal IP Address
The IP address assigned to the internal interface of the ProLiant DL320 Firewall/VPN/Cache server must be a valid IP address for the network to which the firewall is directly connected. This address must meet the following requirements:
• The internal IP address must be on the same network ID as other computers connected to the same network segment.
• The internal IP address must not already be in use on the network.
• The internal IP address, in most cases, is statically assigned. Do not use DHCP to assign an address to the internal interface unless you have a specific requirement to do so. A static address helps prevent name resolution issues for the firewall and Web proxy clients.
Examples of network IDs commonly used on LANs include:
— 192.168.1.0 with a subnet mask of 255.255.255.0
— 10.1.0.0 with a subnet mask of 255.255.0.0
— 172.16.0.0 with a subnet mask of 255.255.0.0
NOTE: The ProLiant DL320 Firewall/VPN/Cache server uses a default internal IP address of 192.168.2.1. Change this during setup to meet the unique addressing requirements of the network.
For example, consider the network depicted in the following figure. All of the computers on the network have the same subnet mask, which is 255.255.255.0. The three computers on the LAN have the IP addresses:
192.168.2.2
192.168.2.3
192.168.2.4
The internal interface must be placed in the same network as these computers. In this example, this configuration is accomplished by assigning the internal interface the IP address of 192.168.2.1. The external interface of the ProLiant DL320 Firewall/VPN/Cache server is assigned an Internet IP address that is determined by your Internet service provider (ISP).
NOTE: IP addressing can be a complex issue. If you do not understand how the IP addresses were assigned to computers on your LAN, consult with a networking professional who can assist you with network IP addressing issues.
1. Before installing the ProLiant DL320 Firewall/VPN/Cache server, determine the network ID used on the network directly connected to the internal interface.
2. Assign the internal interface of the ProLiant DL320 Firewall/VPN/Cache server an IP address on the same network ID as the other computers on the directly connected network of the internal interface.
If you are not sure what IP address to assign to the internal interface of the ProLiant DL320 Firewall/VPN/Cache server, consult with a network professional who can help with IP address issues.

DNS Server Address on the Internal Interface

The ProLiant DL320 Firewall/VPN/Cache server must resolve names to IP addresses. For example, each time the Web browser is used to connect to a website on the Internet, such as http://www.microsoft.com, that name is sent to a DNS server to match (or resolve) that name to the IP address of the website. After the Web browser has the IP address of the website, it connects to the website using the IP address.
The ProLiant DL320 Firewall/VPN/Cache server must be configured to use a DNS server that resolves Internet computer names to IP addresses. There are several ways to do this:
• Install a DNS server on the LAN, configure that DNS server to resolve Internet host names, and configure the ProLiant DL320 Firewall/VPN/Cache server to use that DNS server.
• Use the IP address of your ISP DNS server. The DNS server at your ISP will be able to resolve Internet computer names, but it will not be able to resolve computer names on your LAN.
• Install and configure a DNS server on the ProLiant DL320 Firewall/VPN/Cache server. This DNS server would be able to resolve both Internet computer names and computer names on your LAN.
NOTE: Any network services and client applications installed on the firewall can potentially increase the security risk.
If you are familiar with the installation and configuration of DNS servers or if a DNS server already exists on the LAN, the best option is to configure that DNS server to resolve Internet host names and then create an access rule on the firewall enabling that DNS server to use the DNS protocol to connect to the Internet.
If you are not familiar with DNS server installation and configuration, or if you choose not to install and configure a DNS server, use the ISP DNS server. The main limitation of this option is that the ISP DNS server cannot resolve names of computers on the LAN.
1. Determine if a DNS server already exists on the LAN.
2. If a DNS server exists on the LAN, configure that DNS server to resolve Internet host names, and then create a firewall rule allowing this DNS server access to the DNS protocol to all sites on the Internet.
3. If a DNS server does not exist on the LAN, install a DNS server on the ProLiant DL320 Firewall/VPN/Cache server. For details on DNS setup and configuration, refer to the Windows Server 2003 or Windows 2000 Help and Support Center.
4. If a DNS server does not exist on the LAN and you do not want to install a DNS server on the ProLiant DL320 Firewall/VPN/Cache server, configure the internal interface to use the IP address of your ISP DNS server. Consult the ISP to determine the correct IP address of their DNS server.

Custom Network Adapter Configurations

The ProLiant DL320 Firewall/VPN/Cache server might be equipped with additional network interfaces. In addition to the internal and external interfaces, there might be additional LAN, partner access, perimeter network (also known as a demilitarized zone or DMZ), and screened subnet interfaces.
Additional network interfaces can provide the following benefits:
• Additional LAN interfaces can connect several internal networks to the firewall. The ProLiant DL320 Firewall/VPN/Cache server can control what network traffic moves among the LANs and between the LANs and the Internet.
• Perimeter network interfaces can be used to connect perimeter networks hosting publicly accessible servers and services. For example, you might want to host your own e-mail or Web servers on the perimeter network.
• Partner networks enable business partners to connect to resources on a network segment outside of the LAN and perimeter networks. These networks are not public networks because only the partners can connect to them. Partner networks are sometimes referred to as extranets.
IP addresses assigned to additional LAN, perimeter network, and extranet interfaces are specific to the requirements of your unique network configuration. The only requirement from the standpoint of the ProLiant DL320 Firewall/VPN/Cache server is that each of these interfaces is configured with IP addresses on different network IDs. The setup wizard enables the configuration of up to three interfaces. Additional interfaces must be configured after setup is completed.
1. Before installing the ProLiant DL320 Firewall/VPN/Cache server, determine and record what IP addresses and subnet masks should be configured on the additional perimeter network or extranet interfaces.
2. If you are configuring a perimeter network, additional LAN networks, or an extranet but do not know what IP addresses to assign the ProLiant DL320 Firewall/VPN/Cache server interfaces, consult with a network professional who can help you determine the correct configuration.
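Because a wrong internal network definition can compromise the firewall (see "Internal Network Overview"), it is worth checking the planned addresses before setup. The following Python functions are an added example, not part of the HP guide: they verify the requirements stated for the internal interface (same network ID as the LAN hosts, address not already in use, static rather than DHCP-assigned) and the requirement stated in this section that every additional LAN, perimeter or extranet interface sits on a different network ID. The sample addresses reuse the guide's 192.168.2.0/24 LAN; the perimeter and extranet ranges are constructed assumptions.

```python
"""Interface addressing checks (added example, not from the HP guide).

check_internal_interface() applies the internal-interface rules from "The ProLiant
DL320 Firewall/VPN/Cache Server Internal IP Address"; check_distinct_network_ids()
applies the one rule this section states for additional interfaces.  Addresses may
be given in prefix form ("192.168.2.1/24") or with a dotted mask
("192.168.2.1/255.255.255.0"), matching how the guide writes subnet masks.
"""
from ipaddress import ip_address, ip_interface


def check_internal_interface(internal, lan_hosts, assigned_by_dhcp=False):
    """Return a list of problems with the internal interface address (empty if none)."""
    problems = []
    iface = ip_interface(internal)
    net = iface.network

    # A host address must not be the network ID itself or the broadcast address.
    if iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{iface.ip} is the network or broadcast address of {net}")

    for host in lan_hosts:
        addr = ip_address(host)
        # Requirement: same network ID as the other computers on the segment.
        if addr not in net:
            problems.append(f"LAN host {addr} is not on network ID {net}")
        # Requirement: the address must not already be in use on the network.
        if addr == iface.ip:
            problems.append(f"{addr} is already in use on the LAN")

    # Requirement: statically assigned unless there is a specific reason not to.
    if assigned_by_dhcp:
        problems.append("internal address is DHCP-assigned; assign a static address")
    return problems


def check_distinct_network_ids(interfaces):
    """Return the pairs of interfaces whose network IDs overlap (must be empty)."""
    ifaces = [ip_interface(i) for i in interfaces]
    conflicts = []
    for i in range(len(ifaces)):
        for j in range(i + 1, len(ifaces)):
            if ifaces[i].network.overlaps(ifaces[j].network):
                conflicts.append((str(ifaces[i]), str(ifaces[j])))
    return conflicts


if __name__ == "__main__":
    # Constructed sample plan: the guide's LAN plus an assumed perimeter and extranet.
    lan_hosts = ["192.168.2.2", "192.168.2.3", "192.168.2.4"]
    print("internal:", check_internal_interface("192.168.2.1/255.255.255.0", lan_hosts))
    print("mis-scoped internal:", check_internal_interface("192.168.1.1/24", lan_hosts))
    plan = ["192.168.2.1/24", "172.16.0.1/16", "10.1.0.1/16"]
    print("distinct IDs:", check_distinct_network_ids(plan))
    bad_plan = ["192.168.2.1/24", "192.168.0.1/16"]   # /16 swallows the LAN /24
    print("overlapping IDs:", check_distinct_network_ids(bad_plan))
```

The overlap test deliberately catches a /16 perimeter range that contains the internal /24: ISA Server decides which network a packet belongs to from these address ranges, so two interfaces claiming the same addresses is exactly the misconfiguration the guide warns can lead to a compromise.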