Microsoft Internet Security and Acceleration Server 2000
Security and speed in perfect combination
Presenter: 郝雪莹 (xyhao@), Microsoft China

Agenda
- Product overview
- Deployment scenarios
- Firewall
- Caching
- Management
- Extensibility

New opportunities, new challenges
Opportunities:
- Connect your customers, partners and employees over the network
- E-commerce on the Web brings your enterprise new business opportunities
Challenges:
- An intranet with limited resources becomes a network merged with the Internet
- The network is exposed to every hacker, virus and unauthorized user
- Competition is fierce: your Web site must deliver fast, reliable service
- Managing such a network demands more advanced skills

The Connected Business: new concerns
- Protect your internal network from hackers and other intruders
- Manage and control network access
- Speed up network access while protecting valuable bandwidth

Microsoft's view of security
- Security flaws and virus attacks are serious, costly, industry-wide problems
- Internet security is the most basic prerequisite for digital business anywhere in the world
- As an industry leader, Microsoft has a special responsibility to protect the Internet and customer data

Microsoft ISA Server 2000: security and speed in perfect combination
- Secure network connectivity: a scalable, multi-layered firewall protects the network environment
- Fast Web access: a scalable, high-performance Web cache
- Unified management: robust policy and management mechanisms integrated with Windows 2000
- Extensible open platform: an advanced platform that can be extended and customized

What is ISA Server 2000
- Firewall and cache
- ISA Server editions: ISA Server Standard Edition and ISA Server Enterprise Edition

Microsoft ISA Server 2000: Standard Edition vs. Enterprise Edition feature comparison
Feature                                  | Standard Edition            | Enterprise Edition
Server deployment                        | stand-alone operation       | centralized management of multiple servers
Policy support                           | local server                | server arrays
Hardware support                         | 4 CPUs                      | unlimited
Web caching                              | yes                         | yes
Scalability                              | suited to small businesses  | suited to medium and large enterprises
Distributed and hierarchical caching     | hierarchical only           | both
Unified management                       | yes                         | yes
Windows 2000 Active Directory integration| limited                     | full
Tiered policy                            | no                          | yes
Multi-server management                  | no                          | yes

What is ISA Server 2000: system requirements
- Processor: 300 MHz or higher Pentium II compatible
- Operating system: Microsoft Windows 2000 Server or Advanced Server with SP2 or higher
- Memory: 256 MB of RAM
- Hard disk: 20 MB of available hard drive space; an available NTFS partition; 4-8 MB for each proxy client
- Other: to implement arrays and advanced configuration policies on the Enterprise Edition you also need Windows Active Directory on the network

Firewall & cache
- Both belong at the edge of the network, the point where networks meet
- Modular installation
- Unified management: MMC; logging and reporting; monitoring and alerting
- Consistent access policy
- Low training and maintenance cost

Tight integration with Windows 2000
- Security: packet filtering; network address translation (NAT & SecureNAT); authentication; system hardening
- Virtual private networking (VPN)
- Management: MMC; Terminal Services; event log
- Active Directory: array configuration and policy data; NOT required!
- Bandwidth control
- Transparent support for clients and servers on other platforms

Much more than "Proxy Server 3.0"
- Transparency for all clients and servers
- Enterprise policy
- Group policy
- Schedules
- Active Directory integration
- Extensible application filters
- SMTP filter
- Streaming media splitting
- H.323 filter & Gatekeeper
- MMC-based UI
- Task pads, wizards
- Remote administration
- Configuring Exchange server behind the firewall
- IIS separation
- RAM caching
- New cache store
- Scheduled content download
- VPN integration
- Intrusion detection
- System hardening
- NTLM & Kerberos authentication
- Dual-hop SSL
- Customizable alerts
- Logging: W3C format, selectable fields
- Integrated reporting
- Bandwidth control
- New APIs
- Modular installation

Deployment scenarios (Microsoft Internet Security & Acceleration Server 2000)
- Small organization: a single ISA Server between the Internet and the internal network
- Large enterprise: firewall & cache, managed together
- DMZ & secure publishing: ISA #1 between the Internet and DMZ #1, ISA #2 between the DMZ and the intranet
- Chaining: a branch office ISA Server chained to the main office ISA Server array over a leased line or VPN connection

Firewall: protect the network environment with a scalable, multi-layered firewall
Why use a firewall?
- Protect yourself from hackers, viruses and unauthorized users
- Control outbound Internet access
- Protect Web servers and email servers
- More secure data access: protect critical data and information - and - manage information access

ISA Server Firewall
- Packet, circuit, and application-level traffic screening: stateful inspection examines traffic in its context; reduces the risk of unauthorized access; analyze or modify content with "smart" application filters
- Integrated intrusion detection: based on technology licensed from Internet Security Systems (ISS)
- Secure publishing: protect servers accessible to the outside world
- System hardening: "lock down" the operating system, further strengthening security
- Integrated with Windows 2000 VPN: wizard for easy configuration

Multi-layered firewall: bottom up, protection at every level
- Packet level: static filters; dynamic filters; intrusion detection
- Circuit (protocol) level: session-based filtering; connection association
- Application level: intelligent payload inspection

Smart application filters
- Protocol-aware filters: analyze the traffic; block, redirect, modify
- Intelligent filtering out of the box: HTTP: Web request caching; SMTP: traffic filtering; streaming media: stream splitting; FTP: read-only restriction; H.323: NetMeeting through the firewall

Intrusion detection (diagram)

Additional security features
- VPN integration: integrated with Windows 2000 VPN; wizard for easy configuration
- System hardening wizard: "lockdown" for the operating system; three pre-defined levels
- Secure publishing
- SSL bridging: encrypted tunneling

ISA Server, Microsoft's firewall: ISA Server features
- Multi-layered firewall
- Centralized or distributed management
- Publishing
- ICSA certified

How a firewall protects
- A firewall filters network traffic that enters or leaves a protected network
- Decisions are based on: IP address, protocol and port number; connection establishment; IP packet payload; application filtering; authentication
- Logging and alerting

ISA Server architecture (diagram)
- Clients on the local area network: Web Proxy client, SecureNAT client, Firewall client
- Web Proxy service: Web filter, cache, HTTP redirector
- Firewall service: packet filtering, third-party filter, streaming filter, SMTP filter, H.323 filter, FTP filter
- NAT driver, connecting to the Internet
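The "bottom up" layering on the Multi-layered firewall and Smart application filters slides is easiest to see as a pipeline: a packet must pass a static packet-level filter, then belong to a known connection at the circuit level, and only then has its payload inspected by a protocol-aware filter. The following Python is an added illustration written for this page, not ISA Server code; the allow list, the session-table rule and the FTP command set that implements the "read-only restriction" are constructed for the example.

```python
"""Toy inbound filter pipeline with three layers: packet, circuit, application.
Added illustration, not ISA Server code; all rule values are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str                # source IP address
    dst: str                # destination IP address (the firewall's external interface)
    proto: str              # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False       # TCP SYN flag: opens a new connection
    payload: bytes = b""    # application data carried by the segment


# Layer 1, packet level: a static filter keyed on protocol and destination port.
STATIC_ALLOW = {("tcp", 21), ("tcp", 25), ("tcp", 80)}

# Layer 3, application level: FTP "read-only restriction". Commands that would change
# the server's file system are refused even though port 21 itself is open.
FTP_WRITE_COMMANDS = {b"STOR", b"STOU", b"APPE", b"DELE", b"RNFR", b"RNTO", b"MKD", b"RMD"}


class Pipeline:
    """Runs every packet bottom-up through the three layers and keeps a packet log."""

    def __init__(self):
        self.sessions = set()   # circuit level: 5-tuples of connections seen so far
        self.log = []           # (layer, verdict) per packet, like a packet/session log

    def _packet_level(self, p):
        return (p.proto, p.dport) in STATIC_ALLOW

    def _circuit_level(self, p):
        key = (p.src, p.sport, p.dst, p.dport, p.proto)
        if p.proto == "tcp" and p.syn:
            self.sessions.add(key)      # connection association: remember the new session
            return True
        return key in self.sessions     # data must belong to a connection already seen

    def _application_level(self, p):
        if p.dport == 21 and p.payload:
            parts = p.payload.split()
            if not parts:
                return True             # bare line ending, nothing to inspect
            return parts[0].upper() not in FTP_WRITE_COMMANDS
        return True                     # other protocols: no payload inspection here

    def process(self, p):
        """Return ("allow", None) or ("drop", <layer that rejected the packet>)."""
        for layer, check in (("packet", self._packet_level),
                             ("circuit", self._circuit_level),
                             ("application", self._application_level)):
            if not check(p):
                self.log.append((layer, "drop"))
                return "drop", layer
        self.log.append(("application", "allow"))
        return "allow", None


def run_sample():
    """Constructed traffic from one external host towards the firewall's public address."""
    ext, fw = "203.0.113.5", "198.51.100.1"
    pl = Pipeline()
    return [
        pl.process(Packet(ext, fw, "tcp", 40000, 23, syn=True)),                   # telnet: not allowed
        pl.process(Packet(ext, fw, "tcp", 40001, 21, payload=b"RETR a.txt\r\n")),  # data before SYN
        pl.process(Packet(ext, fw, "tcp", 40001, 21, syn=True)),                   # FTP control open
        pl.process(Packet(ext, fw, "tcp", 40001, 21, payload=b"RETR a.txt\r\n")),  # read: fine
        pl.process(Packet(ext, fw, "tcp", 40001, 21, payload=b"STOR a.txt\r\n")),  # write: refused
    ]


if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict)
```

The point of recording the layer in the verdict is that each layer answers a different question: the packet filter only knows ports, the session table only knows whether a connection was opened properly, and only the application filter can tell a read from a write on an otherwise permitted service. A log that names the rejecting layer is what makes the firewall's decisions auditable.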
ISA Server, Microsoft's firewall: outgoing firewall traffic flow (diagram)
- Kernel mode: NDIS, TCP/IP stack, PFD, PFxD, NAT driver, SecureNAT driver, routing, reassembly, internal interface, external interface
- User mode: Firewall service with socket layer and application filters, policy, SecureNAT user mode
- Logs: packet filter (PF) log, session log

Incoming firewall traffic flow (diagram)
- The same components as the outgoing flow, traversed from the external interface inward: NDIS, TCP/IP stack, PFD, PFxD, NAT driver, SecureNAT driver, routing, reassembly; Firewall service, socket layer, application filters, policy; PF log and session log

ISA Server defaults
- No incoming or outgoing traffic unless specifically allowed
- Except: ISA Server can perform DNS lookups; pinging from ISA Server

Rules for outgoing requests
- Protocol rules: who may use which protocols, at what time, to reach what? Default: no access
- Site and content rules: who may access which sites and content, at what time? Default: all access
- Both kinds of rule are required for Internet access

Rules for incoming requests
- Server publishing rules: redirect traffic for an external address/port to an internal address
- Web publishing rules: redirect Web requests only; can redirect to multiple internal Web sites; can choose the port for redirection; can perform SSL bridging

Firewall planning
- Assess needs for outgoing traffic: "deny all" or "allow all"; research user requirements; design the required rules and policy elements; plan for authentication (if required)
- Assess needs for incoming traffic: inventory resources that need to be accessed from the Internet; design the required rules and policy elements

Firewall planning (continued)
- Scaling: arrays; Network Load Balancing (NLB); DNS round robin
- Perimeter network requirements

Firewall design: no external access required (Internet - firewall - internal network)

Firewall design: screened host (Internet - firewall - internal network, with a screened host)

Firewall design: three-homed perimeter network design (one firewall with interfaces to the Internet, the internal network and the perimeter network)

Firewall design: back-to-back perimeter network design (Internet - firewall - perimeter network with Web server - firewall - internal network)

Using publishing and routing: methods for passing network traffic
- Web Proxy service
- Firewall service (proxy)
- IP routing (secured by packet filters)

Comparing publishing and routing
- Publishing rules publish internal sites to the external network
- The Local Address Table (LAT) defines what is internal
- The perimeter network in the three-homed design is treated as an external network
- Routing must be configured between two external networks; routing is secured by packet filters

Server publishing
- Reverse Network Address Translation (NAT)
- External network to internal network
- Sends packets received on the external network interface to the identical port on the internal server
- Mapping: each port on each external address can be mapped separately
- Normally used for non-Web servers

Web publishing
- Redirects requests for URLs received on the external interface
- Can redirect to multiple Web sites
- Can redirect to internal or external sites
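The two rule families on the "Rules for outgoing requests" slide have opposite defaults (protocol rules: no access; site and content rules: all access) and both must permit a request, while the "Server publishing" slide describes incoming traffic as a reverse-NAT mapping from an external address and port to an internal server on the same port. The Python below is an added model of those semantics for this page, not ISA Server code; the rule names, hosts, addresses, and the assumption that a matching deny rule beats a matching allow rule are all constructed for the illustration (an empty rule set stands in for the slide's default).

```python
"""Added model of outgoing policy (protocol rules AND site/content rules) and of a
server-publishing map for incoming traffic. Not ISA Server code; values are constructed."""
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Rule:
    name: str
    action: str                   # "allow" or "deny"
    protocols: set = None         # protocol rule: e.g. {"HTTP", "FTP"}; None = any protocol
    destinations: set = None      # site rule: host names; None = any site
    groups: set = None            # who: group names; None = everyone
    hours: range = range(0, 24)   # schedule, as hours of the day in which the rule applies

    def matches(self, req):
        if self.protocols is not None and req.protocol not in self.protocols:
            return False
        if self.destinations is not None and req.destination not in self.destinations:
            return False
        if self.groups is not None and not (req.groups & self.groups):
            return False
        return req.when.hour in self.hours


@dataclass
class Request:
    user: str
    groups: set
    protocol: str
    destination: str
    when: datetime


def _decide(rules, req, default):
    """Empty rule set -> the family's default; a matching deny wins (assumption);
    otherwise a matching allow is needed."""
    if not rules:
        return default
    hits = [r for r in rules if r.matches(req)]
    if any(r.action == "deny" for r in hits):
        return False
    return any(r.action == "allow" for r in hits)


def evaluate_outgoing(req, protocol_rules, site_rules):
    """Both families must permit: protocol rules default to no access,
    site and content rules default to all access."""
    protocol_ok = _decide(protocol_rules, req, default=False)
    site_ok = _decide(site_rules, req, default=True)
    return protocol_ok and site_ok


# Server publishing, constructed: (external address, port) -> internal server, same port.
PUBLISHING = {
    ("198.51.100.10", 25): "10.0.0.5",    # mail server
    ("198.51.100.10", 443): "10.0.0.7",   # another published service
}


def server_publish(external_addr, port):
    """Reverse NAT for one packet received on the external interface. Returns the
    (internal address, port) it is forwarded to, or None when no rule exists and the
    packet is dropped, which is the 'nothing unless specifically allowed' default."""
    internal = PUBLISHING.get((external_addr, port))
    return (internal, port) if internal else None


def sample_policy():
    """Constructed rule sets: staff may use HTTP/HTTPS during office hours,
    all sites are allowed except one explicitly denied host."""
    protocol_rules = [Rule("web for staff", "allow", protocols={"HTTP", "HTTPS"},
                           groups={"staff"}, hours=range(8, 18))]
    site_rules = [Rule("default allow", "allow"),
                  Rule("no games", "deny", destinations={"games.example"})]
    return protocol_rules, site_rules


if __name__ == "__main__":
    proto, site = sample_policy()
    req = Request("liz", {"staff"}, "HTTP", "www.example.com", datetime(2001, 6, 1, 10, 0))
    print("outgoing allowed:", evaluate_outgoing(req, proto, site))
    print("incoming 198.51.100.10:25 ->", server_publish("198.51.100.10", 25))
```

The practical lesson encoded here is the one the slides stress: forgetting to create a protocol rule leaves users with no Internet access at all, while a site and content rule on its own never opens anything, so both families have to be reviewed together when troubleshooting "why can't this user get out".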
Secure Web publishing
- The client connection terminates at the ISA Server computer: ISA Server can perform authentication; ISA Server needs a Web server certificate
- What about the connection between ISA Server and the internal Web server? SSL bridging: choice of HTTP-S, HTTP, or FTP

Routing
- Required for all protocols other than TCP or UDP
- Required to access a three-homed perimeter network (external to external)
- ISA enforces packet filtering with routing. Note: packet filtering enhances security and increases performance. Warning: do not enable routing outside of ISA Server

Demonstration 1: server publishing and Web publishing
- Creating a server publishing rule
- Creating a Web publishing rule

ISA Server configuration: outgoing traffic
- Protocol rules and site and content rules
- Packet filters: protocols other than UDP or TCP; applications or services running on the ISA Server computer; packet filters can override rules

ISA Server configuration: screened host
- Configure server publishing rules
- Configure Web publishing rules
ISA Server configuration: three-homed perimeter network
- Use routing with packet filtering for perimeter network servers; servers need routable IP addresses
- Use publishing between the perimeter network and the internal network

ISA Server configuration: back-to-back perimeter network
- Use publishing rules to publish servers on the perimeter network to the Internet
- Use publishing rules to publish servers on the internal network to the perimeter network
- Each ISA Server requires a separate LAT

Miscellaneous configuration: authentication
- Firewall clients: user-based, automatic; requires client software, Win32 clients only, TCP and UDP only
- SecureNAT clients: by IP address; no client software, all platforms, all protocols

Authentication (continued)
- Web Proxy client: by user (logged-on user or authentication dialog box); the browser etc. must be configured; authentication methods must be configured: Basic, Digest, Integrated, Certificates

Intrusion detection
- Technology licensed from Internet Security Systems (ISS)
- Monitors for a number of common attacks
- Extensive options for alerting

Server hardening
- A wizard applies security settings to make Windows 2000 Server even more secure

H.323 Gatekeeper
- "Switchboard" for H.323 applications: NetMeeting; Voice over IP (VoIP); etc.

Message Screener
- Works with the SMTP filter to screen SMTP messages for: users and domains; attachments; keywords; SMTP commands
- Can run on the ISA Server computer or on another computer

Demonstration 2: Message Screener
- Blocking users and domains
- Blocking attachments
- Blocking keywords

VPN configuration
- Two types of connections: access by remote users; connecting two networks
- Wizards configure ISA Server and RRAS: ISA Server packet filters; RRAS configured as a VPN server
- RRAS performs all VPN functions; may require additional configuration

Demonstration 3: VPN configuration
- Configuring a local VPN
- Configuring a remote VPN
- Reviewing VPN configuration settings

Caching: a scalable, high-performance Web cache

Cache scenarios: forward proxy (diagram)
- Corporate network users (Liz, John) connect to the Internet via ISA Server; their GET requests are answered from the ISA Server cache when the object is already there, and fetched from the Internet otherwise

Cache scenarios: reverse caching (diagram)
- To an Internet user (Joe) ISA Server looks like a Web server
- Internally it routes requests to multiple Web servers on the secure network, caching their content
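The "Web publishing" slides and the "reverse caching" scenario describe the same machinery from two angles: Internet clients talk only to the ISA Server, which decides from the requested host and URL which of several internal Web servers (and which port) should answer, and keeps a copy of what comes back so the origin servers are not hit twice. The following Python is an added example written for this page, not ISA Server code; the public host name, path prefixes, internal addresses and the origin-fetch callback are constructed.

```python
"""Added model of Web publishing rules feeding a reverse cache.
Not ISA Server code; hosts, paths and addresses are constructed."""
from dataclasses import dataclass


@dataclass
class WebPublishingRule:
    public_host: str        # host name Internet clients use
    path_prefix: str        # "/" for the whole site, or a sub-tree such as "/shop"
    internal_server: str    # internal address the request is redirected to
    internal_port: int = 80  # the redirection port may differ from the public one


class ReverseCache:
    """Answers as if it were the published site; routes misses to internal servers."""

    def __init__(self, rules, origin_fetch):
        # Longest prefix first, so a rule for "/shop" wins over the catch-all "/".
        self.rules = sorted(rules, key=lambda r: len(r.path_prefix), reverse=True)
        self.origin_fetch = origin_fetch   # callable(server, port, path) -> body
        self.cache = {}                    # (host, path) -> body
        self.hits = 0
        self.misses = 0

    def route(self, host, path):
        """Return (internal server, port) for a request, or None if no rule publishes it."""
        for r in self.rules:
            if r.public_host == host and path.startswith(r.path_prefix):
                return r.internal_server, r.internal_port
        return None

    def handle(self, host, path):
        """Return (status, body). Unpublished hosts get 404: the internal network stays hidden."""
        target = self.route(host, path)
        if target is None:
            return 404, None
        key = (host, path)
        if key in self.cache:
            self.hits += 1
            return 200, self.cache[key]
        self.misses += 1
        body = self.origin_fetch(*target, path)
        self.cache[key] = body
        return 200, body


def sample_proxy():
    """Constructed deployment: one public site split across two internal servers."""
    rules = [
        WebPublishingRule("www.example.com", "/", "10.0.0.11"),
        WebPublishingRule("www.example.com", "/shop", "10.0.0.12", internal_port=8080),
    ]
    # Stand-in for the internal Web servers: the body just records who answered.
    origin = lambda server, port, path: f"served by {server}:{port} for {path}"
    return ReverseCache(rules, origin)


if __name__ == "__main__":
    proxy = sample_proxy()
    print(proxy.handle("www.example.com", "/shop/cart"))
    print(proxy.handle("www.example.com", "/shop/cart"))   # second time: cache hit
    print("hits:", proxy.hits, "misses:", proxy.misses)
```

The 404 for an unpublished host is the security-relevant part: a reverse proxy should answer only for names it was explicitly told to publish, so that guessing internal host names through it yields nothing.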
Why use caching?
- Faster browsing
- Lower network bandwidth cost
- Less load on Web servers
- More reliable data access
- Increase performance - and - reduce costs

ISA Server caching features
- Web access acceleration: RAM caching ("hot content" served from RAM); an efficient cache mechanism minimizes disk I/O
- Active caching
- Scheduled content download
- Distributed caching: Cache Array Routing Protocol (CARP); hierarchical caching
- Tiered policy

CARP on the server (diagram)
- A client's GET reaches one array member (Server 1, 2 or 3), which asks the member responsible for that URL "Do you have ...?"; the object is served from that member's cache or fetched from the Internet

CARP (Cache Array Routing Protocol)
- Efficient: distributed cache; arrays scale linearly and balance load; no content is duplicated across servers; makes the most of cache size and hit rate
- Reliable: fault-tolerant, self-tuning arrays; when servers are added or removed, content migration and reconfiguration are dynamic
- Flexible: routing can be implemented on the server for best transparency, or on the client for maximum efficiency

Hierarchical caching (chaining)
- ~50% traffic savings over every WAN link (New York, Tokyo and London chained towards the Internet)

Other bandwidth savings
- Traffic prioritization: impose bandwidth policy via the UI; manage inbound and outbound network traffic independently; adds this layer on top of Windows 2000 QoS
- Live media stream splitting

Configuring caching: business scenario (clients - ISA - Internet)

Configuring caching: allowing Internet access in 4 simple steps
1. Verify the LAT
2. Create a protocol access rule
3. Turn on HTTP and FTP caching (enabled by default)
4. Define the proxy setting on all clients

Configuring caching: cache expiration
- Frequently: the cache is kept current, network performance may be degraded
- Normally: the cache is somewhat current, network performance is taken into account
- Less frequently: the cache is less current, network performance is not degraded
- Custom settings

Configuring caching: active caching
- Enables ISA to fetch a new version of cached objects
- Frequently: the cache is kept current, network performance is degraded
- Normally: network performance is taken into account when updating the cache
- Less frequently: the cache is less current, network performance is not degraded

Configuring caching: advanced cache settings
- Control over what content is cached: size of objects to cache; dynamic content; maximum URL cached in memory
- Control what action to take with expired cache objects: return an error, or return the expired object

Configuring caching: adjusting cache size
- Set in the properties of the server (screenshot: LONDON Properties, Cache Drives tab, listing drive, type, disk space, free space and cache size; the drive LONDON shows 39064 MB total disk space and a maximum cache size of 100 MB, total maximum cache size 100 MB)
- Creates a .cdat file of equivalent size
- 4-8 MB for each client
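The CARP slide's three claims (no duplicated content, linear scaling with load balance, and dynamic redistribution when a member is added or removed) all follow from one idea: every party computes the same hash-based owner for a URL, so a given object lives on exactly one member and a new member only takes the objects that now hash to it. The Python below is an added example written for this page that demonstrates those properties with rendezvous (highest-random-weight) hashing, a simplification of the CARP specification's hash combination that omits per-member load factors; it is not ISA Server code, and the member names and URLs are constructed.

```python
"""Added demonstration of array routing in the spirit of CARP, using rendezvous hashing.
Not ISA Server code and not the CARP hash function itself; names and URLs are constructed."""
import hashlib


def _score(member, url):
    """Deterministic 64-bit score for a (member, URL) pair; same on every client and server."""
    digest = hashlib.sha256(f"{member}|{url}".encode()).digest()
    return int.from_bytes(digest[:8], "big")


def owner(members, url):
    """The member with the highest score owns the URL. Any party holding the member list
    computes the same answer, which is what lets routing run on server or client."""
    return max(members, key=lambda m: _score(m, url))


class Array:
    """A cache array: each member stores only the objects it owns."""

    def __init__(self, members):
        self.members = list(members)
        self.caches = {m: {} for m in self.members}

    def get(self, url, fetch):
        """Serve from the owning member's cache, fetching from the origin on a miss.
        Returns (member that served it, body)."""
        m = owner(self.members, url)
        if url not in self.caches[m]:
            self.caches[m][url] = fetch(url)
        return m, self.caches[m][url]

    def object_count(self):
        return sum(len(c) for c in self.caches.values())


def distribution(members, urls):
    """How many of the URLs each member owns; ideally about equal shares."""
    counts = {m: 0 for m in members}
    for u in urls:
        counts[owner(members, u)] += 1
    return counts


def reassigned(members_before, members_after, urls):
    """URLs whose owner changes when the member list changes."""
    return {u for u in urls if owner(members_before, u) != owner(members_after, u)}


SAMPLE_URLS = [f"http://www.example.com/page{i}.html" for i in range(600)]   # constructed
SAMPLE_MEMBERS = ["isa1", "isa2", "isa3"]                                     # constructed


if __name__ == "__main__":
    print("owners with 3 members:", distribution(SAMPLE_MEMBERS, SAMPLE_URLS))
    moved = reassigned(SAMPLE_MEMBERS, SAMPLE_MEMBERS + ["isa4"], SAMPLE_URLS)
    print(f"adding isa4 moves {len(moved)} of {len(SAMPLE_URLS)} URLs, all of them to isa4:",
          all(owner(SAMPLE_MEMBERS + ["isa4"], u) == "isa4" for u in moved))
```

With a plain modulo-N scheme almost every URL would change owner when N changes; with rendezvous hashing only roughly 1/N of the objects move, and they move only to the new member, which is the "dynamic content migration" the slide promises without any copying between the old members.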
Demonstration 4: configure caching
- Enabling HTTP and FTP caching
- Examining the cache configuration
- Allowing Internet access

Management: tiered policy and flexible management that integrates with Windows 2000

Policy & rules
- Enterprise and array-level
- Access control: by user/group; by application; by destination; by content type; by schedule
- Bandwidth priorities
- (Screenshot: the ISA Server namespace in MMC, with the active policy's access rules)

Task pads and wizards
- Task pads: the easy way to set up and maintain (common tasks)
- Wizards: step-by-step for complex tasks

Alerting
- Flexible alert dispatch mechanism (intrusion, system event and violation alerts raised by the ISA Server)

Logging, reporting, monitoring
- Logging: packet log; session log
- Reporting: daily summaries; popular reports
- Monitoring: active connections; performance counters

Extensibility: superior extensibility and customizability

Extensibility mechanisms
- Application filters: smart inspection of data streams
- Web filters: based on ISAPI
- Administration COM object: all administrative properties and actions available programmatically (read/write)
- Cache APIs
- MMC snap-ins: extend the ISA Server user interface
- Storage: integrate with array propagation, backup/restore
- Alerts

A community of ISVs

Summary: secure, fast Internet connectivity

ISA Server competitive advantages
- Best Windows integration: Active Directory; networking features; Windows applications
- Integrated firewall and Web cache management: unified policy and access control; unified management
- Scale up and scale out for the enterprise: tiered policy management; scale up - SMP optimized; scale out - NLB and CARP
- Lower TCO: integrated services; leverage existing skills; works with what you have; extensible open platform

Key takeaways
- Firewall & cache integration
- Multi-layered firewall with smart filters
- High-performance and scalable cache
- Designed for reverse caching and secure publishing
- Integrated VPN, intrusion detection, reporting, bandwidth control
- Tiered policy model
- Extensibility