HP ProLiant DL320 Security Server User Guide February 2006 (First Edition) Part Number 411245-001
© Copyright 2006 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. Confidential computer software.
Contents
Technical support ... 5
Before you contact HP ... 5
HP contact information ... 5
Customer self repair ...
Network services support ... 29
DNS server ... 29
DHCP server ... 29
Hardening overview and impact ...
Technical support

In this section
Before you contact HP ... 5
HP contact information ... 5
Customer self repair ... 5
HP customer support ...

Customer self repair is a convenient, easy-to-use program:
• An HP support specialist will diagnose and assess whether a replacement part is required to address a system problem. The specialist will also determine whether you can replace the part.
• For specific information about customer replaceable parts, refer to the maintenance and service guide on the HP website (http://www.hp.com/support).
Introduction

In this section
Overview ... 7

Overview
The HP ProLiant DL320 Security Server running Microsoft® Internet Security and Acceleration Server 2004 Service Pack 2 is an advanced application layer firewall, VPN, and web cache solution that enables existing IT investments to be maximized by improving network security and performance.

Initial setup considerations

In this section
Firewall lockdown mode ... 8
Internal network overview ... 9
Computer name and administrator password ...
• No incoming traffic is allowed unless a system policy rule (listed previously) that specifically allows the traffic is enabled. The one exception is DHCP traffic, which is always allowed. That is, the UDP Send protocol on port 68 is allowed from all networks to the local host network. The corresponding UDP Receive protocol on port 67 is allowed.
• VPN remote access clients cannot access the ISA Server. Similarly, access is denied to remote site networks in site-to-site VPN scenarios.
Workgroup and domain name considerations
The ProLiant DL320 Security Server can be joined to a workgroup, a Microsoft® Windows Server™ 2003 domain, a Microsoft® Windows® 2000 Active Directory domain, or a Microsoft® Windows NT® 4.0 domain. Add the ProLiant DL320 Security Server to a supported Microsoft® Windows® domain if the domain already exists on your network.

Internal IP address
The IP address assigned to the internal interface of the ProLiant DL320 Security Server must be a valid IP address for the network to which the firewall is directly connected. This address must meet the following requirements:
• The internal IP address must be on the same network ID as other computers connected to the same network segment.
• The internal IP address must not already be in use on the network.
• The internal IP address, in most cases, is statically assigned.

The internal interface must be placed in the same network as these computers. In this example, this configuration is accomplished by assigning the internal interface the IP address of 192.168.2.1. The external interface of the ProLiant DL320 Security Server is assigned an Internet IP address that is determined by your ISP.

NOTE: IP addressing can be a complex issue.
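The three address requirements above can be checked before the interface is configured. The following is an added example, not HP's code or part of this guide; it assumes the LAN segment is 192.168.2.0/24 (as in the example above) and uses a constructed list of addresses already in use on that segment.

```python
"""Validate a candidate internal-interface IP address against the three rules above.

Added example (not HP's code). It assumes a known LAN segment and a list of
addresses already in use on it; both values below are constructed sample data.
"""
import ipaddress

# Constructed sample: the segment the internal interface connects to and the
# addresses of the computers already on it.
LAN_SEGMENT = ipaddress.ip_network("192.168.2.0/24")
ADDRESSES_IN_USE = {"192.168.2.10", "192.168.2.11", "192.168.2.50"}


def check_internal_address(candidate, segment=LAN_SEGMENT, in_use=ADDRESSES_IN_USE,
                           statically_assigned=True):
    """Return a list of rule violations; an empty list means the address is acceptable."""
    problems = []
    try:
        addr = ipaddress.ip_address(candidate)
    except ValueError:
        return [f"{candidate!r} is not a valid IP address"]

    # Rule 1: the address must share the network ID of the other hosts on the segment.
    if addr not in segment:
        problems.append(f"{addr} is not on network ID {segment.with_prefixlen}")
    elif addr in (segment.network_address, segment.broadcast_address):
        problems.append(f"{addr} is the network or broadcast address of {segment.with_prefixlen}")

    # Rule 2: the address must not already be in use.
    if str(addr) in in_use:
        problems.append(f"{addr} is already in use on the network")

    # Rule 3: the internal address is normally static, so flag a dynamically assigned one.
    if not statically_assigned:
        problems.append(f"{addr} is dynamically assigned; the internal address should normally be static")
    return problems


if __name__ == "__main__":
    for candidate in ("192.168.2.1", "192.168.2.10", "10.0.0.1", "192.168.2.255"):
        issues = check_internal_address(candidate)
        print(candidate, "OK" if not issues else "; ".join(issues))
```

Run with the address you intend to assign; an empty result means the address satisfies the three rules, and 192.168.2.1 from the example above passes against the constructed host list.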
NOTE: Any network services and client applications installed on the firewall can potentially increase the security risk. If you are familiar with the installation and configuration of DNS servers or if a DNS server already exists on the LAN, the best option is to configure that DNS server to resolve Internet host names and then create an access rule on the firewall enabling that DNS server to use the DNS protocol to connect to the Internet.
External IP address
The ISP determines the IP address of the external interface of the ProLiant DL320 Security Server. The address can be a statically assigned IP address or a dynamically assigned IP address. Statically assigned IP addresses do not change over time. Dynamically assigned IP addresses change over the course of hours, days, or weeks. Your ISP determines how frequently the address changes.

Setting up the server

In this section
Enabling the web listener ... 15
Enabling the firewall client listener ... 16
Creating an Internet access rule ... 16
HP Virus Throttle ...

and read by network analyzers because they are not encrypted. However, all browsers support basic authentication.
12. In the Authentication dialog box, click OK.
13. In the Internal Properties dialog box, click Apply>OK.
14. Click Apply at the top of the details pane to save the changes and update the firewall policy.
The default gateway address and the DNS server address used by the computer on the LAN can be changed from the Control Panel. Create an access rule on the ProLiant DL320 Security Server. The access rule can be configured to allow a limited number of protocols outbound access to the Internet, allow a selected group of users access to a selected group of websites, or create a firewall rule allowing all the users on your LAN access to all sites at all times using virtually any protocol.
To configure parameters for the Virus Throttle filter driver:
1. Double-click the Virus Throttle icon to open the HP Virus Throttle Status and Configuration Utility. If no inconsistencies are detected in the filter driver parameters, the Status tab is displayed. The Status tab shows overall status, statistics, and delay queue information. If inconsistencies are detected, a warning message displays. Click OK.
2. Click the Configuration tab.

Additional documentation available from HP
Additional documentation detailing various deployment scenarios is available from the HP website (http://www.hp.com/servers/DL320FW-VPN-Cache).

Managing and maintaining the firewall

In this section
Microsoft® Windows® Update ... 20
Remote desktop ... 20
Remote management console ...

3. On the General tab, confirm that the Enable checkbox is selected.
4. Click the From tab, and click Add to the right of the This rule applies to traffic from these sources list.
5. In the Add Network Entities dialog box, click the Networks folder, double-click External, and click Close.
6. In the System Policy Editor dialog box, click OK.
7. Click Apply to save the changes and update firewall policy. External computers can now connect to the RDP service on the ProLiant DL320 Security Server.
Configuring monitoring, reporting, and logging
The ProLiant DL320 Security Server has a comprehensive logging and reporting facility. Configure firewall logging and web proxy logging immediately to get the full benefit from the feature set.

Configuring firewall logging
The firewall log records connections from Secure NAT and firewall clients on the internal and external networks. Firewall logging can be configured to use one of several storage methods, each with its own advantages and disadvantages.

The SQL database format option is best when a SQL database exists on the internal network and you have the expertise to manage a SQL database. The MSDE database format option is an excellent option when you do not want to use SQL or text-based logging.
5. Select the File format option. From the Format list, select the ISA Server file format. This format saves log file entries using the local time configured on the ProLiant DL320 Security Server to stamp the log entries.
6. Click Apply>OK.
7.

3. Right-click the domain name, and click the New Alias (CNAME) command.
4. In the Alias name (uses parent domain if left blank) text box, enter the name wpad, and click Browse.
5. In the Browse dialog box, double-click the server name in the Records list, the Forward Lookup Zones entry in the Records list, and then the domain name in the Records list.
6. Select the resource record for the ProLiant DL320 Security Server in the Records list, and then click OK.
For example, if a Microsoft® Windows® domain exists on the internal network, configure the PDC emulator to use the ProLiant DL320 Security Server as its time server. If a Microsoft® Windows® domain does not exist, configure the individual clients to synchronize with the ProLiant DL320 Security Server time server. Create an access policy enabling both the ProLiant DL320 Security Server and the computers on the LAN to contact Internet time servers. 1.
Disaster recovery and change management

In this section
Backing up and restoring server settings ... 26
Backing up and restoring the system ... 26
Restoring original factory settings ... 27
Scheduling backups ...

1. Select Start, and select Run.
2. In the Open text box, enter ntbackup, and click OK.
3. Confirm that the Always start in wizard mode checkbox is selected, and click Next.
4. On the Backup or Restore page, select the Back up files and settings option, and click Next.
5. On the What to Back Up page, select the All information on this computer option, and click Next.
6. On the Backup Type, Destination, and Name page, click Browse to select a location to save the backup file.

11. Click Start Backup, and make any desired changes in the Backup Job Information dialog box.
12. To set advanced backup options, such as data verification or hardware compression, click Advanced.
13. Select advanced backup options, and then click OK.
14. In the Backup Job Information dialog box, click Schedule.
15. In the Set Account Information dialog box, enter the appropriate user name and password.
16. In the Scheduled Job Options dialog box in Job name, enter a name for the scheduled backup job.
17.
Network services support

In this section
DNS server ... 29
DHCP server ... 29

DNS server
The ProLiant DL320 Security Server depends on a DNS server to resolve Internet host names.

• The ProLiant DL320 Security Server
• A computer on the internal network
The DHCP server can be installed on the ProLiant DL320 Security Server if there are no other server computers on the internal network where a DHCP server can be installed. Installing the DHCP server on the ProLiant DL320 Security Server is a second choice because VPN clients cannot obtain an IP address from the DHCP server on the ProLiant DL320 Security Server itself.

Hardening overview and impact

In this section
Firewall and operating system services overview ... 31
ProLiant DL320 Security Server services ... 32

Firewall and operating system services overview
The ProLiant DL320 Security Server must be capable of acting in several specific roles and performing 11 specific server tasks.

• Disabled—Prevents the service from being started by the system, a user, or any dependent service. Any services that explicitly depend on a disabled service will fail to start.

To change the startup mode for a service:
IMPORTANT: Disabling or turning off services that are on by default might adversely affect the functionality and performance of the server.
1. Right-click My Computer, and select Manage.
2. Click Services and Applications>Services.
3.
Service name                                  Service short name   Startup mode
Background Intelligent Transfer Service       BITS                 Manual
COM+ Event System                             EventSystem          Manual
Logical Disk Manager Administrative Service   dmadmin              Manual
Network Connections                           Netman               Manual
Network Location Awareness                    NLA                  Manual
NTLM Security Support Provider                NtLmSsp              Manual
Remote Access Connection Manager              RasMan               Manual
Remote Desktop Help Session Manager           RDSessMgr            Manual
Server                                        lanmanserver         Manual
Smart Card                                    ScardSvr             Manual
Telephony                                     Tapi
Network DDE                                   NetDDE               Disabled
Network DDE DSDM                              NetDDEdsdm           Disabled
Portable Media Serial Number Service          WmdmPmSN             Disabled
Print Spooler                                 Spooler              Disabled
Remote Access Auto Connection Manager         RasAuto              Disabled
Remote Procedure Call Locator                 RpcLocator           Disabled
Remote Registry                               RemoteRegistry       Disabled
Resultant Set of Policy Provider              RSoPProv             Disabled
Routing and Remote Access                     RemoteAccess         Disabled
Shell Hardware Detection                      ShellHWDetection
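The startup modes in the table above are a baseline that can drift after updates or manual changes, so it is worth auditing them periodically. The following is an added example, not HP's code or part of this guide. It assumes you have captured the output of the Windows `sc qc <short name>` command for each service in the table into one text file; the sample output embedded below is constructed in that layout, and only the rows whose startup mode is visible in the table are included in the baseline.

```python
"""Audit service startup modes against the hardening table above.

Added example (not HP's code). It assumes the output of "sc qc <short name>"
has been captured for each service in the table; SAMPLE_SC_OUTPUT is a
constructed sample in that layout, not real output from a server.
"""
import re

# Baseline from the table above (service short name -> startup mode).
# Rows whose startup mode is not visible in the table (Tapi, ShellHWDetection) are omitted.
BASELINE = {
    "BITS": "Manual", "EventSystem": "Manual", "dmadmin": "Manual", "Netman": "Manual",
    "NLA": "Manual", "NtLmSsp": "Manual", "RasMan": "Manual", "RDSessMgr": "Manual",
    "lanmanserver": "Manual", "ScardSvr": "Manual",
    "NetDDE": "Disabled", "NetDDEdsdm": "Disabled", "WmdmPmSN": "Disabled",
    "Spooler": "Disabled", "RasAuto": "Disabled", "RpcLocator": "Disabled",
    "RemoteRegistry": "Disabled", "RSoPProv": "Disabled", "RemoteAccess": "Disabled",
}

# "sc qc" reports START_TYPE as a number followed by a keyword; map the keyword
# to the wording used in the Services console and in the table above.
START_TYPE_NAMES = {
    "BOOT_START": "Boot", "SYSTEM_START": "System", "AUTO_START": "Automatic",
    "DEMAND_START": "Manual", "DISABLED": "Disabled",
}

# Constructed sample: three "sc qc" results concatenated into one capture.
SAMPLE_SC_OUTPUT = """\
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Spooler
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        DISPLAY_NAME       : Print Spooler

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: RemoteRegistry
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 4   DISABLED
        ERROR_CONTROL      : 1   NORMAL
        DISPLAY_NAME       : Remote Registry

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: BITS
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        DISPLAY_NAME       : Background Intelligent Transfer Service
"""


def parse_sc_qc(text):
    """Return {service short name: startup mode} from concatenated "sc qc" output."""
    observed = {}
    current = None
    for line in text.splitlines():
        name = re.match(r"^\s*SERVICE_NAME:\s*(\S+)", line)
        if name:
            current = name.group(1)
            continue
        start = re.match(r"^\s*START_TYPE\s*:\s*\d+\s+(\w+)", line)
        if start and current:
            keyword = start.group(1)
            observed[current] = START_TYPE_NAMES.get(keyword, keyword)
    return observed


def find_drift(observed, baseline=BASELINE, report_missing=False):
    """Return sorted (service, expected, actual) tuples where the observed mode differs.

    Services absent from the capture are skipped unless report_missing is set,
    in which case they are reported with actual=None.
    """
    lookup = {name.lower(): mode for name, mode in observed.items()}
    drift = []
    for service, expected in baseline.items():
        actual = lookup.get(service.lower())
        if actual is None and not report_missing:
            continue
        if actual != expected:
            drift.append((service, expected, actual))
    return sorted(drift)


if __name__ == "__main__":
    for service, expected, actual in find_drift(parse_sc_qc(SAMPLE_SC_OUTPUT)):
        print(f"{service}: expected {expected}, found {actual}")
```

In the constructed sample the Print Spooler has been left at Automatic, so it is the one service reported; running the same check against a real capture lists every service whose startup mode no longer matches the table.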
Acronyms and abbreviations
CIFS    Common Internet File System
DHCP    Dynamic Host Configuration Protocol
DMZ     demilitarized zone computer
DNS     domain name system
FQDN    Fully Qualified Domain Name
FTP     file transfer protocol
fweng   Firewall Packet Filter Engine
IAS     Internet Authentication Service
ICMP    Internet Control Message Protocol
IP      Internet Protocol
ISA     Internet Security and Acceleration
ISP     Internet service provider
Acronyms and abbreviations 35
LAN     local-area network
MMC     Microsoft® Management Console
MSDE    Microsoft® Data Engine
NAT     Network Address Translation
NLA     Network Location Awareness
NTP     network time protocol
PDC     Primary Domain Controller
RADIUS  Remote Authentication Dial-In User Service
RDP     Remote Desktop Protocol
RPC     Remote Procedure Call
SQL     structured query language
UDP     User Datagram Protocol
VDS     Virtual Disk Service
VPN     virtual private networking
WIA     Windows® Image Acquisition
WINS    Windows® Internet Naming Service
WPAD    Web proxy autodiscovery protocol