ISA Server Installation and Deployment Guide

About This Guide

Introduction

Planning Considerations

Installing ISA Server

Migrating from Microsoft Proxy Server 2.0

Installing and Configuring Clients

Deployment Scenarios

About this Guide

Introduction

The Internet provides organizations with new opportunities to connect with customers, partners, and employees. While this presents great opportunities, it also opens new risks and concerns such as security, performance and manageability. Microsoft Internet Security and Acceleration (ISA) Server 2000 addresses the needs of today's Internet-enabled businesses. ISA Server provides a multi-layered enterprise firewall that helps protect your network resources from viruses, hackers and unauthorized access. The Web cache of ISA Server enables organizations to save network bandwidth and provide faster Web access for users by serving objects from a local source, rather than over a congested Internet.

Whether it is deployed as dedicated components or as an integrated firewall and caching server, ISA Server provides a unified management console that simplifies security and access management. Built for the Windows 2000 platform, ISA Server provides secure and fast Internet connectivity with powerful integrated management tools.

ISA Server can provide value to IT managers, network administrators and information-security professionals in organizations of all sizes, who are concerned about the security, performance, manageability or operating costs of their networks. ISA Server can be used in a spectrum of scenarios, ranging from small offices and branch offices, to Internet Service Providers (ISPs) and Web hosting companies, to e-commerce sites.

Target Audience

This guide is intended for systems professionals, network administrators, and small business power users who want to learn how to install and deploy ISA Server in their network. The guide assumes that you are familiar with basic networking concepts, including familiarity with DNS, DHCP, Remote Access Server, and other Windows 2000 networking components.

Purpose of this Guide

This guide presents an overview of ISA Server and provides the background information you need to plan your implementation of this software.

The guide includes detailed procedures on the installation process, checklists for post-installation configuration, and detailed sample scenarios of how ISA Server might be used in your network.

This guide is organized into the following chapters:

Introduction

This chapter provides an overview of Microsoft Internet Security and Acceleration (ISA) Server. It also surveys some common scenarios for how ISA Server might be used in your network.

This chapter includes the following sections:

Introducing ISA Server

With the exploding growth of business activities taking place on the Internet and the vast number of corporate networks which are connected to it, the need is greater than ever for a powerful and easy-to-administer Internet gateway that provides a secure connection while also enhancing and improving network performance. Microsoft Internet Security and Acceleration (ISA) Server meets these demands by offering a complete Internet connectivity solution that contains both an enterprise firewall and a complete Web cache solution. These services are complementary: you can use either or both of these functionalities when you install ISA Server in your network.

ISA Server secures your network, allowing you to implement your business security policy by configuring a broad set of rules that specify which sites, protocols, and content can be passed through the ISA Server. ISA Server monitors requests and responses between the Internet and internal client computers, controlling who can access which computers on the corporate network. ISA Server also controls which computers on the Internet can be accessed by internal clients.

ISA Server offers such security options as packet filtering, intrusion detection, and the ability to set security level for your system. You can create policies and configure rules that manage user-level security, client sets based on IP addressing, bandwidth control, and time-of-day access control.

ISA Server features secure publishing. You can use ISA Server to define a publishing policy, protecting the internal publishing servers and making them safely accessible to Internet clients.

ISA Server implements a cache of frequently-requested objects to improve network performance. You can configure the cache to ensure that it contains the data that is most frequently used by the organization or accessed by your Internet clients. The ISA Server cache can be distributed across multiple ISA Server computers in arrays or chains of arrays. This can mean Internet connection cost savings, as clients can access content from the ISA Server cache closest to them.

ISA Server is extensible. ISA Management has a corresponding COM interface, which administrators can program using Visual Basic or scripting languages. Third-party developers can extend the core firewall functionality by implementing application filters or Web filters, and can enhance the cache functionality using the cache API. The ISA Management interface itself can be extended to provide integrated administration tools for these third-party extensions.

Usage Scenarios

The Internet has been changing the way people and organizations communicate and conduct business. The Internet presents new opportunities to connect with your customers, partners, and employees. It also brings new concerns and risks that organizations must address. Microsoft has worked with customers to design a product that addresses the needs of today’s Internet-enabled businesses: Security, Performance, and Manageability.

Internet Connectivity with Strong Security

ISA Server can be deployed as a dedicated firewall that acts as the secure gateway to the Internet for internal clients. The ISA Server computer is transparent to the other parties in the communication path. The Internet user should not be able to tell that a firewall server is there, unless the user attempts to access a service or go to a site where the ISA Server computer denies access. By setting the security access policies, administrators can prevent unauthorized access and malicious content from entering the network as well as restrict what traffic is allowed outbound by user and group, application, destination, content type, and schedule.

Fast, Scalable E-commerce

Whether your organization is an Internet E-commerce retailer or a large enterprise looking to expand your business reach, the Internet is a key part of your business strategy. Organizations cannot afford to have slow, unresponsive E-commerce Web sites, especially when your competition is one mouse-click away. The Web cache of ISA Server provides your Internet clients with a fast Web experience that scales with your growing business. Caching is also available for Internet clients requesting objects from computers on your local network (reverse caching).

ISA Server allows you to publish services to the Internet without compromising the security of your internal network. You can configure Web publishing and Server publishing rules that determine which requests should be sent downstream to a server located behind the ISA Server computer, providing an increased layer of security for your internal servers.

For example, you can place your Web server behind the ISA Server and create Web publishing rules that allow the Web server to be published to the Internet, thereby making all its content available to clients on the Internet. Incoming Web requests are intercepted by the ISA Server computer, which gives the appearance of a Web server to clients. ISA Server can filter the requests and forward as appropriate to the Web server. Your Web server is never exposed directly to external users and sits in its secure environment, maintaining access to other internal network services.

Productive Internet Access

Internet access is an essential tool for today’s knowledge worker. With the heavy Internet traffic that goes across network gateways, Web access performance can become the bottleneck for productivity. ISA Server’s Web Caching features provide faster Web access performance by caching Internet content closer to the user, minimizing multiple requests to the congested Internet. In addition, using the policy-based access controls, administrators can limit which web sites are permitted for specific users, by time of day, content type, and more. With fast caching and access control, ISA Server can help lower the cost of managing Internet connectivity and improve the productivity of Internet users.

ISA Server Features

The following sections describe ISA Server’s primary features.

Firewall and Security Features

ISA Server presents you with a comprehensive solution for securing network access. ISA Server includes the following security features:

Publishing Features

Cache Features

The ISA Server maintains a centralized cache of frequently requested FTP and HTTP objects that can be accessed by all ISA Server clients. ISA Server uses RAM caching and efficient file input/output to deliver fast cache performance. Its caching features include:

Monitoring

ISA Server includes these logging and reporting features that you can use to monitor performance:

Centralized Management

Managing security and caching separately usually requires a separate set of network technologies, infrastructure equipment and skilled administrators, therefore increasing complexity, cost and inconsistency. ISA Server’s unified policy-based administration tool helps administrators manage and secure their Internet connectivity from a central location, reducing network complexity and lowering total cost of ownership.

Organizations often benefit from consistent firewall and cache policies. The management integration enabled by Windows 2000 provides a single view of these policies, rather than having to separately manage firewall and cache infrastructure.

Client Deployment

In addition to powerful management capabilities, organizations require products that are easy to deploy. ISA Server lets you do nearly all configuration on the firewall/cache server itself, simplifying firewall, server publishing, and caching setup. With ISA Server's Secure Network Address Translation (SecureNAT) feature, administrators do not need to install additional software on client machines or published servers to use the firewall or cache; clients need only route Internet-bound traffic through the ISA Server computer. This transparency to clients and servers can minimize administrative complexity and cost.

Enterprise Management

You can set up ISA Server computers as standalone servers, or group them into arrays. Arrays include one or more ISA Server computers, all of which can be centrally managed. ISA Server extends centralized management for arrays to the enterprise level.

The ISA Server enterprise includes all the arrays in your organization. When you set up the enterprise, you specify the enterprise policy management. You can select a centralized enterprise policy that applies to all arrays in the enterprise, or a more flexible policy whereby each array administrator can define a local policy.

You can create array-level access policies and enterprise-level policies. The enterprise policy can be applied to any array and can be augmented by the array's own policy. This enables administrators at branch and departmental levels to adopt governing enterprise policies.

Network services

ISA Server provides close integration with Windows 2000 Server, including Active Directory, Routing and Remote Access, and other powerful features such as:

Planning Considerations

This chapter assists you before you begin to deploy Microsoft Internet Security and Acceleration (ISA) Server on your enterprise intranet. It concentrates on the information you need to plan and deploy ISA Server in your organization. Although this chapter provides much of the information you need to deploy ISA Server in your enterprise, it does not attempt to cover all networking issues.

This chapter includes the following sections:

Introduction

The table below lists factors you should consider as you plan your ISA Server deployment.

Issue | Description | See section on…
How many computers do I need? | Hardware configuration and Internet connectivity depend on how you use ISA Server. | "Capacity Planning"
How should I organize ISA Server computers? | Determine the appropriate number of ISA Server computers and how to map these servers into arrays. | "Arrays and Enterprise"
How will I use ISA Server? | ISA Server can be installed in Cache, Firewall, or Integrated mode. | "ISA Server Mode"
How should I connect to the Internet? | Consider how you connect to the Internet. | "Internet Connectivity"
How should I configure clients? | Determine what applications and services your users require, so that you can decide how to configure clients. | "User Needs"
Should I reconfigure my existing network? | Consider how ISA Server will interact with the existing network. | "Existing Network Configuration"

Capacity Planning

For improved performance, you should plan the ISA Server’s hardware and Internet connectivity to meet the expected load. The following sections describe recommended system configurations, for various usage scenarios.

Minimal Requirements

ISA Server requires a computer running Windows 2000 Server. In addition to the network adapter that is used by Windows 2000 to communicate on your internal network, ISA Server needs an external network adapter, modem, or Integrated Services Digital Network (ISDN) adapter to connect to the Internet.

To use ISA Server, you need:

To implement the array and advanced policies configuration, you also need Windows 2000 Active Directory available on your network.

Remote administration requirements

For remote ISA Server administration, you need only install ISA Administrator, which can run on Windows 2000 Professional or above.

Alternatively, you can use Terminal Services to administer the ISA Server computer remotely. In that case you do not have to install ISA Administrator on the administrator's computer at all.

Firewall requirements

ISA Server can be deployed as a dedicated firewall that acts as the secure gateway to the Internet for internal clients. In this case, you will need to consider how much throughput is required for your internal clients when they access the Internet.

The table below lists hardware configurations and network connections for expected throughput for Firewall and SecureNAT clients accessing objects on the Internet.

Throughput Requirements | ISA Server running on… | Internet Connection
1-25 megabits/second | Pentium II, 300 MHz | ISDN, cable modem, or xDSL
25-50 megabits/second | Pentium III, 550 MHz | T3 connection or better
More than 50 megabits/second | Pentium III, 550 MHz, for each 50 megabits/second required | T3 connection or better

Forward Caching Requirements

ISA Server can be deployed as a forward caching server, maintaining a centralized cache of frequently requested Internet objects that can be accessed by any Web browser client. In this case, consider how many Web browser clients will be accessing the Internet. The table below lists hardware configurations for expected number of internal clients accessing objects on the Internet.

# Users | ISA Server Computer | RAM (MB) | Disk Space Allocated for Caching
Up to 250 | Single ISA Server with Pentium II, 300 MHz | 128 | 2-4 gigabytes
Up to 2,000 | Single ISA Server with Pentium III, 550 MHz | 256 | 10 gigabytes
More than 2,000 | One ISA Server with Pentium III, 550 MHz, for each 2,000 users. Alternatively, use Performance Monitor to determine bottlenecks and add more servers to the array. | 256 per 2,000 users | 10 gigabytes per 2,000 users

If you want to use the ISA Server caching feature, you must install ISA Server on a computer that has at least one partition formatted as an NTFS volume. If your current server disk volume uses FAT partitions, you can convert these partitions to NTFS by using convert.exe, which is included with Windows 2000 Server. Convert does not overwrite the data on the disk. For more information on using Convert, type convert /? at a command prompt.

If you are using ISA Server in cache mode, only one internal network adapter is required.

Publishing (reverse caching) requirements

ISA Server can be deployed in front of an organization's Web server that is hosting a commercial Web business or providing access to business partners. In this case, you need to consider how often external clients will request objects on the publishing servers.

The table below lists hardware configurations for expected number of requests from Internet (external) users, in a reverse caching scenario.

Hits/Second | ISA Server | RAM (MB)
Less than 500 | Single ISA Server with Pentium II, 300 MHz | 128
500-900 | Single ISA Server with Pentium III, 550 MHz | 256
More than 900 | One ISA Server with Pentium III, 550 MHz, for each 800 hits/second increment. Alternatively, use Performance Monitor to determine bottlenecks and add more servers to the array, or more hardware, as necessary. | 256

Array considerations

After you decide how many servers you will install, determine how you will arrange them in your network. If you are installing more than one server, consider setting up an array of ISA Server computers. Arrays allow a group of ISA Server computers to be treated and managed as a single, logical entity.

All the servers in the array share a common configuration. This saves on management overhead, since the array is configured once, and the configuration is applied to all the servers in the array. Furthermore, you can apply an enterprise policy to an array, allowing you to centralize management for all the arrays in your enterprise.

A unique array policy can be applied to each array in the enterprise. This can provide a method of departmentalizing your organization. For example, you might want to allow clients protected by one array unlimited access to the Internet, whereas more restrictions are placed on clients in another array.

An array installation also brings performance benefits. Arrays allow client requests to be distributed among several ISA Server computers, which improves response time for clients. Because load is distributed across all the servers in the array, you can achieve good performance even with moderate hardware.

In order to install ISA Server as an array member, the computer must be a member of a Windows 2000 domain. Furthermore, the ISA Server enterprise must be initialized before you can install ISA Server as an array member.

If you choose not to install ISA Server as an array member, you can install ISA Server as a standalone server. Standalone server installations do not require that the computer belong to a Windows 2000 domain.

Array requirements

All array members must be in the same domain and in the same site. A site is a set of computers in one or more well-connected TCP/IP subnets. A domain is a collection of computers, defined by the administrator, that share a common directory (Active Directory) database. For more information, see the Windows 2000 Help.

Standalone servers and single-server arrays

Even if you are installing just one ISA Server, you should consider installing it as an array member. When ISA Server is installed as an array member, enterprise policy can be applied to the array. Furthermore, an array installation means that future expansion is easier — an additional server can be added to the array fairly simply.

Characteristic | Array | Standalone server
Scalability | Can have one or more member servers. | Limited to only one member.
Active Directory required? | Yes. Can be installed only in Windows 2000 domains with Active Directory installed. The local network can still be a Windows NT 4 domain. | No. Can be installed in Windows NT 4 domains. Configuration information is stored in the registry.
Enterprise policy | Yes. A single policy can be applied to all arrays in the enterprise. | No.

If you set up arrays, you may choose to set up arrays at each branch in your organization. Because each branch then has its own array, each branch can define unique usage policies which will be common to all the servers in the array.

Enterprise

At the array level, you can centrally manage the policy for a set of servers in the same domain and at the same site. The enterprise takes this centralized management one step further, allowing you to define a single corporate policy for all the arrays in your corporate network. Or, you can define several enterprise policies, and apply each to one or more arrays in the enterprise.

At the array level, all the ISA Server computers have the same configuration. At the enterprise level, you can configure all the arrays in the enterprise to use the enterprise policy. Or, you can allow some arrays to create a more restrictive access policy, by creating additional rules that further limit access. At the enterprise level, you can also decide which arrays are allowed to publish servers and which must enforce packet filtering.

By allowing both enterprise and array policies, you ensure that a corporate policy is implemented all through the organization. At the same time, at the array level, rules can be configured to further restrict the policy.

For example, an enterprise policy might allow access only using the Hypertext Transfer Protocol (HTTP) protocol definition and deny communication using all other protocol definitions. An array that uses this enterprise policy can add a rule that limits who can use HTTP, but the array policy cannot allow communication using other protocols.
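The layering rule in the preceding paragraphs (an array policy may narrow the enterprise policy but never widen it) is easy to get wrong when reviewing rule sets, so the following added example models it. This is illustrative code written for this guide, not ISA Server's own rule engine: the deny-wins, default-deny evaluation, the rule shape, and the sample users and rules are all simplifications constructed for the example.

```python
"""Model of enterprise/array policy layering (added example, not ISA Server code)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Sequence, Tuple

ANY = "*"  # wildcard meaning "every user" or "every protocol definition"


@dataclass(frozen=True)
class Request:
    user: str       # authenticated Windows user (Firewall or Web Proxy client)
    protocol: str   # protocol definition name, e.g. "HTTP" or "FTP"


@dataclass(frozen=True)
class ProtocolRule:
    action: str                 # "allow" or "deny"
    protocols: FrozenSet[str]   # e.g. frozenset({"HTTP"}) or frozenset({ANY})
    users: FrozenSet[str]       # e.g. frozenset({"contractor"}) or frozenset({ANY})

    def matches(self, req: Request) -> bool:
        proto_ok = ANY in self.protocols or req.protocol in self.protocols
        user_ok = ANY in self.users or req.user in self.users
        return proto_ok and user_ok


def allowed_by(rules: Sequence[ProtocolRule], req: Request) -> bool:
    """One policy level (simplified semantics, an assumption of this example):
    a matching deny rule wins; otherwise at least one matching allow rule is
    required, so a protocol no rule mentions is denied."""
    matching = [r for r in rules if r.matches(req)]
    if any(r.action == "deny" for r in matching):
        return False
    return any(r.action == "allow" for r in matching)


def effective_decision(enterprise: Sequence[ProtocolRule],
                       array: Sequence[ProtocolRule], req: Request) -> bool:
    """Layering as the guide describes it: the request must pass BOTH levels.
    Because the enterprise level is evaluated on its own, an array-level allow
    rule can never open a protocol the enterprise policy does not allow."""
    return allowed_by(enterprise, req) and allowed_by(array, req)


# Constructed sample policies mirroring the guide's HTTP-only example.
ENTERPRISE_POLICY = (
    ProtocolRule("allow", frozenset({"HTTP"}), frozenset({ANY})),
)
ARRAY_POLICY = (
    ProtocolRule("allow", frozenset({"HTTP"}), frozenset({ANY})),
    ProtocolRule("deny", frozenset({"HTTP"}), frozenset({"contractor"})),  # narrows who may use HTTP
    ProtocolRule("allow", frozenset({"FTP"}), frozenset({ANY})),           # cannot widen the enterprise policy
)


def decide(user: str, protocol: str) -> bool:
    return effective_decision(ENTERPRISE_POLICY, ARRAY_POLICY, Request(user, protocol))


def widened_pairs(enterprise: Sequence[ProtocolRule], array: Sequence[ProtocolRule],
                  protocols: Sequence[str], users: Sequence[str]) -> List[Tuple[str, str]]:
    """Review aid: (user, protocol) pairs the array policy allows but the enterprise
    policy does not. Each is a rule with no effect, and usually a sign that the
    array administrator expected the array to override the enterprise."""
    return [(u, p) for u in users for p in protocols
            if allowed_by(array, Request(u, p)) and not allowed_by(enterprise, Request(u, p))]


if __name__ == "__main__":
    for user, proto in [("employee", "HTTP"), ("contractor", "HTTP"), ("employee", "FTP")]:
        print(f"{user:10s} {proto:5s} -> {'allowed' if decide(user, proto) else 'denied'}")
    print("array rules that try to widen:",
          widened_pairs(ENTERPRISE_POLICY, ARRAY_POLICY, ["HTTP", "FTP"], ["employee", "contractor"]))
```

The `widened_pairs` check is the part worth keeping around: run it over the protocols your enterprise policy names and the groups your arrays reference, and anything it returns is an array rule that does nothing but suggests a misunderstanding of where a protocol can be opened.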

ISA Server Mode

As part of the setup process, you can select the ISA Server mode: firewall, cache, or integrated.

In firewall mode, you can secure network communication by configuring rules that control communication between your corporate network and the Internet. In firewall mode, you can also publish internal servers, thereby sharing data on your internal servers with Internet users.

In cache mode, you can improve network performance and save bandwidth by storing commonly accessed objects closer to the user. You can then route requests from Internet users to the appropriate Web server.

Depending on which mode you select, different features are available. The table below lists which features are available for the firewall and cache modes. In integrated mode, all the features are available.

Feature | Firewall | Cache
Access policy | Yes | Yes, but only for the HTTP protocol
Alerts | Yes | Yes
Application filters | Yes | No
Cache configuration | No | Yes
Enterprise policy | Yes | Yes
Packet filtering | Yes | No
Real-time monitoring | Yes | Yes
Reports | Yes | Yes
Server publishing | Yes | No
Web publishing | Yes | Yes

Internet connectivity considerations

The first step to providing Internet access is connecting to the Internet. Every connection with the Internet goes through the ISP. The business of providing connectivity to the Internet is quite competitive—meaning that you have the opportunity to shop around for an ISP. When you consider suitability, consider these three factors: price, services, and bandwidth.

You can connect ISA Server to the Internet with either a direct link or a dial-up link. If you connect using a direct link or using xDSL or Cable Modem, you must set up an external network adapter. If you connect using a dial-up link, you must use a modem or an Integrated Services Digital Network (ISDN) adapter with your server.

If you are using ISA Server to publish Web servers and other servers, making them available to Internet clients, you must obtain one or more static IP addresses, in addition to registering domain names. Internet users will access your internal servers by accessing these IP addresses or names.

If you have registered an Internet domain name, you may decide to have your ISP handle the details of how to administer the listing of your domain name in a DNS server for use by others on the Internet.

Publishing and connectivity

When you publish internal servers, you must obtain IP addresses with which to associate the domain or server name. When external clients access your Web site or domain, the ISP’s DNS server will find the IP address associated with the requested Web site name – usually an IP address on your ISA Server or on a perimeter network (DMZ).

Alternatively, you can use an internal DNS server to resolve requests from external clients. This DNS server should be published like any other published server. Refer to the on-line help for more information on how to use server publishing rules to make internal servers accessible to Internet clients.

ISA Server client support

Determine which applications and services your users require. This will help you decide what type of client software (if any) to install on the client computers.

ISA Server supports the following types of clients:

ISA Server enforces access policy for all three client types. Furthermore, all clients can benefit from the ISA Server cache for HTTP and FTP objects.

The table below lists the client types supported by ISA Server, and compares feature support for the clients.

Feature | SecureNAT client | Firewall client | Web Proxy client
Installation required | No | Yes | No, but requires Web browser configuration
Operating system support | Any O/S that supports TCP/IP | Windows platforms only | All platforms, by way of the Web application
Requires changing network configuration | Yes: default gateway, routers, DNS server address, etc. | No | No
Protocol support | All protocol definitions installed with ISA Server; other multi-connection protocols require application filters | All Winsock protocols | HTTP, HTTP-S, Gopher, and FTP
User-level authentication | No; rules are applied by IP address | By user name or by IP address | Web browser passes authentication information
Server applications | No configuration or installation required | Requires configuration file | N/A

Firewall client and SecureNAT clients are mutually exclusive — that is, a client computer cannot be both a Firewall client and SecureNAT client. However, both Firewall client computers and SecureNAT client computers might also be Web Proxy clients. If the Web application on the computer is configured explicitly to use the ISA Server, then all Web requests (HTTP, FTP, HTTP-S, and Gopher) are sent directly to the Web Proxy service. All other requests are handled first by the Firewall service.

The following sections detail the client types supported by ISA Server.

SecureNAT clients

Client computers that do not have Firewall client software are referred to as secure network address translation (SecureNAT) clients. SecureNAT clients can benefit from many of the features of ISA Server. This includes most access control features, with the exception of high-level protocol support and user-level authentication.

Although SecureNAT clients do not require special software, you should configure the gateway on the clients so that all traffic destined to the Internet is sent by way of ISA Server, either directly or indirectly, through a router. You can configure clients either by using the DHCP service or manually.

Since requests from SecureNAT clients are essentially handled by the Firewall service, SecureNAT clients benefit from the following security features:

SecureNAT and Windows 2000 NAT

ISA Server extends the Windows 2000 NAT functionality by enforcing ISA Server policy for SecureNAT clients. In other words, all ISA Server rules can be applied to SecureNAT clients, despite the fact that Windows 2000 NAT does not have an inherent authentication mechanism—policies regarding protocol usage, destination, and content type are also applied to SecureNAT clients.

SecureNAT clients and server publishing

As with Firewall clients, SecureNAT clients can also be servers, such as mail servers, that publish information to the Internet. You configure server publishing rules to publish servers that are SecureNAT clients.

Firewall Clients

A Firewall client is a computer with Firewall client software installed and enabled. The Firewall client runs Winsock applications that use the Firewall service of Microsoft Internet Security and Acceleration (ISA) Server. When a Firewall client uses a Winsock application to request an object from a computer, the client checks its copy of the Local Address Table, to see if the request is for a computer on the local network. If the computer is not in the local network, then the request is sent to the ISA Server's Firewall service. The Firewall service handles the request, forwarding it to the appropriate destination, as permitted. The Firewall client software can send Windows user information, required for authentication purposes, to the ISA Server.

Setting up a Firewall client does not configure individual Winsock applications. Instead, it operates at the Winsock layer that all Winsock applications share, intercepts the applications' calls, and decides whether to route each request to the ISA Server computer.
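The two decisions described above (a browser configured for the proxy sends Web protocols to the Web Proxy service, everything else goes to the Firewall service, and a Firewall client consults its copy of the Local Address Table before doing so) are shown together in this added example. It is illustrative code for this guide, not the Firewall client's implementation: the LAT format, the sample LAT, the destination addresses and the RFC 1918 check are all constructed for the example. The LAT review function exists because the most common way a Firewall client bypasses ISA Server is a LAT that accidentally includes a public address range.

```python
"""Where a client request goes, per the guide's client-type rules (added example)."""
import ipaddress
from typing import List, Sequence

# Protocols a browser configured for ISA Server hands to the Web Proxy service.
WEB_PROXY_PROTOCOLS = {"HTTP", "HTTPS", "FTP", "Gopher"}

# Private ranges (RFC 1918); used only by the review aid below.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_lat(entries: Sequence[str]) -> List[ipaddress.IPv4Network]:
    """The Local Address Table as a list of networks. Constructed format: the
    real LAT is built on the ISA Server computer and distributed to Firewall clients."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_local(lat: Sequence[ipaddress.IPv4Network], dest_ip: str) -> bool:
    ip = ipaddress.ip_address(dest_ip)
    return any(ip in net for net in lat)


def dispatch(lat: Sequence[ipaddress.IPv4Network], protocol: str, dest_ip: str, *,
             firewall_client: bool, browser_uses_proxy: bool) -> str:
    """Returns the path a request takes:
    'web proxy' - application explicitly configured for ISA Server (Web Proxy client)
    'direct'    - Firewall client found the destination in its LAT copy, so no ISA Server
    'firewall'  - Firewall client sends the request to the Firewall service
    'securenat' - no client software: plain IP routing via the default gateway, where
                  ISA Server still applies policy but cannot identify the user
    """
    if browser_uses_proxy and protocol in WEB_PROXY_PROTOCOLS:
        return "web proxy"
    if firewall_client:
        return "direct" if is_local(lat, dest_ip) else "firewall"
    return "securenat"


def lat_entries_outside_rfc1918(lat: Sequence[ipaddress.IPv4Network]) -> List[str]:
    """Review aid: LAT entries that are not RFC 1918 ranges. A public range in the
    LAT makes Firewall clients talk to those destinations directly, bypassing ISA
    Server, so every entry listed here should be a block the organization really
    uses internally (a legitimate case if you own public address space)."""
    return [str(n) for n in lat if not any(n.subnet_of(r) for r in RFC1918)]


# Constructed sample LAT; the last entry is a documentation range standing in for a
# public block that was added by mistake.
SAMPLE_LAT = parse_lat(["10.0.0.0/8", "192.168.1.0/24", "198.51.100.0/24"])

if __name__ == "__main__":
    cases = [
        ("HTTP", "10.1.2.3", True, True),        # browser to intranet server: still via Web Proxy
        ("SMTP", "10.1.2.3", True, True),        # Winsock app to LAT address: direct
        ("SMTP", "192.0.2.10", True, True),      # Winsock app to Internet: Firewall service
        ("SMTP", "192.0.2.10", False, False),    # SecureNAT client
        ("SMTP", "198.51.100.7", True, False),   # bypass caused by the bad LAT entry
    ]
    for proto, dest, fw, px in cases:
        print(f"{proto:5s} {dest:15s} firewall_client={fw!s:5s} proxy={px!s:5s} -> "
              f"{dispatch(SAMPLE_LAT, proto, dest, firewall_client=fw, browser_uses_proxy=px)}")
    print("LAT entries to review:", lat_entries_outside_rfc1918(SAMPLE_LAT))
```

The last case is the one to notice: with `198.51.100.0/24` in the LAT, a Firewall client sends traffic for that range directly, and no ISA Server rule is evaluated. Checking the LAT with `lat_entries_outside_rfc1918` after every change to the internal network catches that class of mistake before it reaches clients.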

You can install Firewall Client software on client computers that run Windows ME, Windows 95, Windows 98, Windows NT 4.0, or Windows 2000. No other operating systems support Firewall Client software.

Web Proxy Client

A Web Proxy client is a client computer that has an application, such as a Web browser, configured to use a CERN-compliant HTTP proxy server. Requests from such applications pass through the Web Proxy service.

No ISA Server client software has to be installed to make a computer a Web Proxy client. Each Web browser is configured through its own user interface: typically, by menu items such as Options, Preferences, or Settings.

When you install Firewall Client software, the Web browser settings on the Firewall Client desktop can be configured automatically. Subsequently, you can reconfigure the Web browser clients.

Assessing User Needs

As you plan client deployment, ask yourself the following types of questions. This will help you map your user needs to the client types supported by ISA Server:

ISA Server in the Network

When you install ISA Server, you are adding it to secure and connect an existing network of services, which may all be centralized on a single server or dispersed across many servers. The following sections describe network issues to consider when deploying ISA Server.

Windows NT 4.0 Domain

ISA Server can be installed as a standalone server in a Windows NT 4.0 domain. No special configuration is required.

Arrays can also be used to connect and secure Windows NT 4.0 domain users and clients to the Internet. However, the array of ISA Server computers must be set up on a separate Windows 2000 domain. Then, a trust relationship must be established between the Windows NT 4.0 domain and the domain to which the ISA Server computer belongs.

Active Directory

If you install ISA Server as a standalone server, all configuration information is saved to the registry.

If you install ISA Server in an array configuration, all its configuration information is saved to the Active Directory. In other words, ISA Server arrays require that Active Directory is installed on the ISA Server domain.

Internet Connection Sharing

In the absence of ISA Server, you may have used Internet Connection Sharing (ICS) to access the Internet. ISA Server can be used instead of ICS, replacing and enhancing its function in the organization. ISA Server provides the connectivity enabled by ICS, in addition to sophisticated security and caching features.

Warning

Do not install or enable ICS on the computer running ISA Server. If you previously installed and enabled ICS, remove it before installing ISA Server.

Remote access server

In the absence of ISA Server, you may have used Windows 2000 Server’s remote access server to make network services and computers available to remote clients. ISA Server provides the remote connectivity, and extends the remote access server features by offering more extensive and flexible security features. ISA Server packet filtering replaces the remote access server’s packet filtering. ISA Server uses the dial-up entries configured for the remote access server, and extends their functionality.

DNS servers

Every network requires access to a name resolution server, such as DNS, in order to resolve host names to IP addresses for a variety of hosts both on the Internet and Intranet. If you are also publishing internal servers, making them available to external clients, you may have an additional, external DNS server.

DNS Server on the External Network

If the DNS server is on the external network, you will need to configure the ISA Server policy to allow DNS Query traffic between the internal clients and the DNS server. After you install ISA Server, you should create a protocol rule that allows the DNS Query (Client) protocol. For more information, see the on-line help provided with ISA Server.

DNS Server on the Internal Network

If the DNS Server is located on the internal network, then you will need to create a policy that allows two-way traffic. That is, you will create a protocol rule that allows DNS queries from the DNS server to reach external DNS servers, including the Internet root servers.

When you publish internal servers, external clients may need to resolve their names using the internal DNS server. In that case the internal DNS server is itself a publishing server. If the DNS server is a SecureNAT client, no configuration is required on the DNS server itself. After you install ISA Server, you simply create a server publishing rule on the ISA Server computer that publishes the DNS server. For more information, see the on-line help provided with ISA Server.

Alternatively, you can set up the DNS server as a Firewall client. In this case, add the following text to a configuration file named wspcfg.ini, located in the same directory as dns.exe (the section name matches the name of the executable without its extension):

[dns]
KillOldSession=1
Persistent=1

Use credtool.exe, available in the \i386 folder on the ISA Server CD, to allow the correct user credentials to be passed to the ISA server for satisfying any user ID-based protocol rules.

Back to Top


Installing ISA Server

This chapter assists you as you install ISA Server. Before you install Microsoft Internet Security and Acceleration (ISA) Server, you must set up the hardware and configure the software of the computer that will run ISA Server. Setup is invoked from the ISA Server Setup screen that’s displayed when you insert the ISA Server CD-ROM into the drive.

This chapter includes the following sections:

Back to Top


Before you install ISA Server

Before you install Microsoft Internet Security and Acceleration (ISA) Server, you must set up the hardware and configure the software of the computer that will run ISA Server.

Use the information in the following topics to ensure that the computer meets the pre-installation requirements. For additional information on any task, see the documentation provided with your hardware component or Microsoft Windows 2000.

Setting up the network adapter

You can choose to connect your network to the Internet through either a direct connection (such as T1, T3, xDSL, or cable modem) or a dial-up connection. If you choose a direct connection, you need to set up an external network adapter.

When you set TCP/IP properties for the external network adapter, check with your Internet service provider (ISP) for the correct settings. Specifically, you need the IP address, subnet mask, default gateway, and IP addresses for the DNS servers to be used in DNS name searches. In some cases, your ISP may be using dynamic host configuration protocol (DHCP) or bootstrap protocol (BOOTP) for dynamic assignment of client addresses.

Typically, ISA Server will have only one IP default gateway. You should only configure the IP address of the default gateway on the external network adapter and not on the internal network adapter. Simply leave the internal card’s Default Gateway setting blank.

Refer to the Windows on-line help for instructions on setting up network adapters.

TCP/IP settings

When setting TCP/IP properties for any network adapter, enter a permanently reserved IP address for the ISA Server computer and the appropriate subnet mask for your local network. Do not use DHCP-assigned addressing for the internal network adapter, because it might reset the default gateway you selected for the ISA Server computer. The external adapter can either be DHCP-enabled or have its IP address, default gateway, and DNS settings statically configured.

Windows 2000 identifies each adapter added to the system with a unique MAC address. You can run IPCONFIG.exe with the /ALL option to get the MAC addresses of various network adapters on your ISA Server computer to make sure you are configuring the correct settings on each card.

After setup, you can use the Ping.exe utility provided with Windows 2000 Server, or a similar utility on another internal IP client computer, to verify network connectivity and to check whether the network adapters and other hardware are configured correctly.

Setting up a modem or ISDN adapter

If you choose to connect to the Internet through a dial-up link instead of a direct link by using an external network adapter, you must use a modem or an ISDN adapter with your server.

Depending on the ISDN adapter, you may not be able to view the two ISDN channels in Windows 2000. Typically, the drivers for the ISDN card manage bandwidth-based connectivity for the second channel; you cannot use RRAS to manage the driver. Be sure that the network adapter is set up so that both channels can be configured, and that your ISP supports connecting to both channels.

Refer to the Windows on-line help for instructions on setting up an ISDN adapter or modem.

Windows 2000 routing table

Configure the routing table to include all of the IP address ranges in your internal network. You can use the Windows 2000 Route utility to configure the routing table, or define static routes to the various connected interfaces in the static routes section of RRAS. During installation, ISA Server can then construct the LAT from your Windows 2000 routing table. If this is not done correctly, the LAT can be corrected manually at any time.

A correctly configured LAT ensures that ISA Server knows which network adapter to use in order to reach each portion of your internal network. If the routing table is not set correctly, the ISA Server local address table (LAT) may not be built correctly. This can result in a client request for an internal IP address being incorrectly routed to the Internet or being redirected through the Firewall service.

If needed, edit the LAT manually to include all other internal networks, including those behind internal routers, so that the ISA Server computer and Firewall clients can correctly determine when to go through ISA Server and when to reach a resource directly.

Back to Top


Initializing the enterprise

An ISA Server computer can be set up as a member of an array. Before you can set up an ISA Server computer as a member of an array, the ISA Server schema must be installed to Active Directory on the domain controller. ISA Server includes an Enterprise Initialization utility that you can use to install the ISA Server schema in Active Directory.

After the ISA Server schema is imported, all subsequent ISA Server installations to computers in the domain can use the ISA Server schema. You do not have to install the schema again.

Notes

To determine if you have permission to write to the Active Directory:

To initialize the enterprise:

  1. Select Run ISA Server Enterprise Initialization Tool from the ISA Server Setup screen.
  2. In the ISA Server Enterprise Initialization dialog box, select how you will apply the enterprise policy. You can select from the following enterprise policy application methods:
  3. If array administrators are allowed to publish internal servers, making those servers accessible to external (Internet) clients, then select Allow publishing rules to be created on the array. If you don’t select this option, no Web publishing or server publishing rules can be created for the array to which the enterprise policy is applied.
  4. Select Use packet filtering on the array if packet filtering should always be enabled for the arrays in the enterprise. If you select this option, then packet filtering will always be enabled for the arrays in the enterprise. The array administrator will not be able to disable packet filtering.

When the ISA Server Enterprise Initialization Tool completes, the ISA Server schema will have been installed to the Active Directory. You can now install ISA Server as an array member, creating the array which the ISA Server should join.

Note   The array creation process takes place for the first computer in the array. The information added to the Active Directory may take some time to replicate. It is therefore recommended that you wait before creating another array.

Back to Top


Installing ISA Server

When you install Microsoft Internet Security and Acceleration (ISA) Server, you will be requested to supply the following information.

  1. CD Key. This is the 10-digit number located on back of the ISA Server CD-ROM case.
  2. Installation options. You can select to perform a Typical installation, Full installation, or Custom installation.
  3. Array selection. If you previously initialized the enterprise, you can select which array to join. If you did not initialize the enterprise, then ISA Server will be installed as a standalone server.
  4. Mode. You can select to install ISA Server in firewall mode, cache mode, or integrated mode.
  5. Cache configuration. If you install ISA Server in integrated or cache mode, then you must configure which cache drives to use.
  6. Local Address Table configuration. If you install ISA Server in integrated or firewall mode, then you must configure the address ranges to include in the local address table.

    Important Be sure to install Windows 2000 Service Pack 1 before you install ISA Server.

To install server software

  1. From the ISA Server Setup screen, select Install ISA Server.
  2. For the ISA Server CD key, type the product identification number listed on the product box.
  3. Read the License Agreement, click I Agree.
  4. Choose which ISA Server components to install. You can select one or more of the following:

    If you install only the ISA Administrator, you can use the computer on which the tool is installed to administer remotely one or more ISA Server computer arrays.

  5. If you did not initialize the enterprise, and you are installing ISA Server as a standalone server, then skip to Step 7.
    Otherwise, the subsequent dialog box asks if you want to join the server to an array. Select Yes, to install ISA Server as an array.

    Notes

    Enterprise policies can be applied only to arrays.

    If the computer on which you are installing ISA Server is not part of a Windows 2000 domain, then ISA Server will be installed as a standalone server. You can subsequently add the server to a Windows 2000 domain, and then join it to an array.

  6. If you selected Yes in Step 5, then select which array the server should join. Or, type a new name, to create a new array.

    If the ISA Server computer joins an existing array, the server adopts all the array's enterprise settings, access policy, publishing policy, and monitoring configuration. The server also adopts the array's filter settings and the configuration of other add-ins. However, you must actually install the other add-ins onto the ISA Server computer, after you install ISA Server.

    If you create a new array, the new array will abide by enterprise settings. For example, if the enterprise settings stipulate that no array policy is allowed, then the new array will not have its own array policy.

    Note   The process of defining a New array in the Active Directory is done by the first server in the new array. You should allow sufficient time for the array information to replicate throughout the site before you add more members to the array.

  7. In the next step, you select ISA Server installation mode: Firewall, Cache, or Integrated.

    In firewall mode, you can secure network communication by configuring rules that control communication between your corporate network and the Internet. In firewall mode, you can also publish internal servers, thereby sharing data on your internal servers with Internet users.

    In cache mode, you can improve network performance and save bandwidth by storing commonly accessed HTTP and FTP objects closer to the user. Using reverse web proxy by creating Web Publishing rules, you can have ISA serve and cache web requests from Internet users to the appropriate internal Web server, thereby enhancing Web publishing performance and reducing the work load on the web server.

    Note

    When you install an ISA Server computer as a member of an existing array, you should install it in the same mode as the other array members. For example, if all the servers in the array were installed in firewall mode, then this server should also be installed in firewall mode.

  8. When warned that the IIS Web service will be stopped, click OK. Setup stops the IIS Web service because its default port is TCP 80, the standard HTTP port. ISA Server needs this port for Web publishing: once Web publishing rules are created, ISA Server listens on it for Web requests from both internal and external clients.
  9. If you install ISA Server in cache mode or integrated mode, you will be prompted to select a cache drive.

    You can select the disk drives that are available for caching during ISA Server installation. Only NTFS formatted local disks can be used for caching. Cache size can be increased later by adding more disk volumes. For optimal performance, it is recommended that you format the disk before configuring it for the ISA Server cache.

    By default, the setup process searches for the largest NTFS partition and sets a default cache size of 100 megabytes (MB) if there are at least 150 MB available. When configuring the cache drives, you must, at a minimum, allocate at least one drive and 5 MB for caching. However, it is recommended that you allocate at least 100 MB and add 0.5 MB for each Web Proxy client, rounded up to the nearest full megabyte.

    You might also want to change the default for the ISA Server cache to your fastest hard disk drive, preferably a Small Computer System Interface (SCSI) drive that has adequate free space.

  10. If you install ISA Server in firewall mode or in integrated mode, then you must configure the local address table (LAT).

    The local address table is a table of all the internal IP address ranges used by the network behind the ISA Server computer. ISA Server uses the LAT to control how computers on the internal network communicate with external networks, and to decide which network interfaces should be protected by loading the packet filter driver.

    ISA Server can construct the LAT from your Windows 2000 routing table. You can also select the private IP address ranges defined by the Internet Assigned Numbers Authority (IANA) in RFC 1918. These three address blocks are reserved for private networks and are not routed on the public Internet.

    The default LAT includes addresses known as private IP addresses. These addresses are listed in the local routing table. Because the local routing table may not contain information about all your internal networks, the default LAT may not contain all your organization's addresses and may need to be modified. You can add extra address ranges manually.

    When creating a LAT, you should only include addresses on the private network. This means that you should not add the external interface of the ISA Server computer, any Internet sites, or any other external addresses including the DNS server at your Internet service provider, and so forth.

    The LAT is maintained centrally at the ISA Server computer. Firewall clients automatically download and receive LAT updates at preset, regular intervals.

The final Setup dialog box asks you to select a check box if you want the Getting Started wizard to run when you invoke ISA Server. The Getting Started wizard walks you through the first steps of configuring ISA Server.
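The following is an added example, not ISA Server's own code, of what Setup does when it derives the LAT from the routing table, followed by the check worth running before accepting the result: every range must lie inside RFC 1918 space, and neither the external adapter's address nor the ISP's DNS server may fall inside any range. The "route print" text, the adapter addresses (internal 10.1.1.1, external 203.0.113.10) and the ISP DNS address (203.0.113.53) are all constructed for the example.

```javascript
// Added example (not ISA Server code): build a LAT from a Windows routing
// table and check it. The "route print" text below is constructed for the
// example; the internal NIC is 10.1.1.1 and the external NIC is 203.0.113.10.
const ROUTE_PRINT = `
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      203.0.113.1   203.0.113.10       1
         10.1.1.0    255.255.255.0         10.1.1.1       10.1.1.1       1
         10.1.1.1  255.255.255.255        127.0.0.1      127.0.0.1       1
        127.0.0.0        255.0.0.0        127.0.0.1      127.0.0.1       1
       172.16.5.0    255.255.255.0       10.1.1.254       10.1.1.1       1
      203.0.113.0    255.255.255.0     203.0.113.10   203.0.113.10       1
        224.0.0.0        224.0.0.0         10.1.1.1       10.1.1.1       1
  255.255.255.255  255.255.255.255         10.1.1.1       10.1.1.1       1
Default Gateway:       203.0.113.1
`;

// The three RFC 1918 blocks; a LAT should contain nothing outside them.
const RFC1918 = [['10.0.0.0', '10.255.255.255'], ['172.16.0.0', '172.31.255.255'],
  ['192.168.0.0', '192.168.255.255']].map(([a, b]) => ({ start: ipToInt(a), end: ipToInt(b) }));

function ipToInt(ip) {
  return ip.split('.').reduce((acc, octet) => acc * 256 + Number(octet), 0);
}
function intToIp(n) {
  return [24, 16, 8, 0].map(s => (n >>> s) & 255).join('.');
}

// Pull destination/mask/gateway/interface out of each "route print" line.
function parseRoutePrint(text) {
  const re = /^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)/;
  return text.split('\n').map(l => l.match(re)).filter(Boolean)
    .map(m => ({ dest: m[1], mask: m[2], gateway: m[3], iface: m[4] }));
}

// Turn the routes bound to the internal adapter into LAT ranges. The default
// route (mask 0.0.0.0), multicast and broadcast entries are not internal
// networks; routes on other interfaces (external NIC, loopback) are ignored.
function buildLat(routes, internalIface) {
  const ranges = [];
  for (const r of routes) {
    if (r.iface !== internalIface) continue;
    const dest = ipToInt(r.dest), mask = ipToInt(r.mask);
    if (mask === 0 || dest >= ipToInt('224.0.0.0')) continue;
    const start = (dest & mask) >>> 0;
    const end = (start | (~mask >>> 0)) >>> 0;
    ranges.push({ start, end });
  }
  return mergeRanges(ranges);
}

// Sort and merge overlapping or adjacent ranges.
function mergeRanges(ranges) {
  const out = [];
  for (const r of [...ranges].sort((a, b) => a.start - b.start)) {
    const last = out[out.length - 1];
    if (last && r.start <= last.end + 1) last.end = Math.max(last.end, r.end);
    else out.push({ ...r });
  }
  return out;
}

// Report anything a LAT must never contain: ranges outside RFC 1918, and any
// address (external NIC, ISP DNS server) that has to stay on the external side.
function checkLat(ranges, externalAddrs) {
  const problems = [];
  for (const r of ranges) {
    const label = `${intToIp(r.start)}-${intToIp(r.end)}`;
    if (!RFC1918.some(p => r.start >= p.start && r.end <= p.end)) {
      problems.push(`range ${label} is not private address space`);
    }
    for (const a of externalAddrs) {
      const n = ipToInt(a);
      if (n >= r.start && n <= r.end) problems.push(`external address ${a} falls inside ${label}`);
    }
  }
  return problems;
}

// Render the LAT the way Msplat.txt lists it: start and end per line.
function formatLat(ranges) {
  return ranges.map(r => `${intToIp(r.start)}\t${intToIp(r.end)}`).join('\n');
}

const lat = buildLat(parseRoutePrint(ROUTE_PRINT), '10.1.1.1');
console.log(formatLat(lat));
console.log(checkLat(lat, ['203.0.113.10', '203.0.113.53']));   // []
// A mistaken manual addition of the external subnet is caught:
const external = { start: ipToInt('203.0.113.0'), end: ipToInt('203.0.113.255') };
console.log(checkLat(lat.concat([external]), ['203.0.113.10']));
```

Note that the static route to 172.16.5.0/24 through the internal router at 10.1.1.254 is what gets that segment into the LAT; without it, clients on that segment would be treated as external, which is the failure mode described above.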

Back to Top


Default settings

After installation, ISA Server uses the default settings that are listed in the table below.

Feature: default setting

Local Address Table: Contains the entries specified during installation.
Enterprise policy settings: When a new array is created, it adopts the default enterprise policy settings.
Packet filtering: Enabled in firewall mode and in integrated mode; disabled in cache mode.
Access control: Unless the enterprise policy settings prohibit array-level "allow" rules, a default site and content rule named "Allow Rule" allows all clients access to all content on all sites at all times. However, because no protocol rules are defined, no traffic is allowed to pass until you create one.
Publishing: No internal servers are accessible to external clients. A default Web publishing rule discards all incoming requests.
Routing: All Web Proxy client requests are retrieved directly from the Internet.
Caching: The cache size is the size specified during setup. HTTP and FTP caching are enabled. Active caching is disabled.
Alerts: All alerts are active except All port scan attack, Dropped packets, Protocol violation, and UDP bomb attack.
Client configuration: When installed or configured, Firewall and Web Proxy clients have automatic discovery enabled. Web browsers on Firewall clients are configured when the Firewall client is installed.

Back to Top


Testing the configuration: outgoing Web requests

To prove that ISA Server was correctly installed, perform the following steps to check that the local clients can communicate with the Internet.

  1. First, set up one local client as a Web Proxy client. That is, the Web browser application is configured to use ISA Server.
  2. In the client’s Web browser, navigate to any page – for example, http://www.microsoft.com. Assuming that you haven’t changed the default, post-installation settings, the client is not allowed access. Therefore, the client will receive a 502 Proxy Error, indicating that access is denied.
  3. On the ISA Server computer, open ISA Management. Configure rules that will allow client access to the Internet:
  4. On the client, navigate to http://www.microsoft.com. The client should be able to access the page.

Congratulations! ISA Server is securing your local network, while enabling internal clients access to the Internet.

Back to Top


Next steps

Now that you finished installing ISA Server, you can use ISA Management to perform the initial steps required to secure and enhance network connections. Do the following:

  1. Register the ISA Server software, so that you can be informed of updates, enhancements, and complementary offerings.
  2. Install and configure clients in your network. See Chapter 5, Installing and Configuring Clients, for more information.
  3. Deploy ISA Server in your network. See Chapter 6 for some typical deployment scenarios.

Back to Top


Migrating from Microsoft Proxy Server 2.0

Microsoft Internet Security and Acceleration (ISA) Server 2000 supports a full migration path for Microsoft Proxy Server 2.0 users. Most Proxy Server rules, network settings, monitoring configuration, and cache configuration are migrated to ISA Server. Furthermore, ISA Server continues to support the Winsock Proxy client software alongside its own Firewall client software in a heterogeneous client base.

ISA Server introduces many new features and changes over Proxy Server 2.0. These changes affect the server configuration and upgrade scenarios.

This chapter outlines the key items that an administrator should consider as part of the upgrade process to Microsoft ISA Server.

Important: it is recommended to perform a full backup of the current Proxy 2.0 settings prior to upgrade.

This chapter includes the following sections:

Back to Top


Operating System Considerations

ISA Server can only be installed on computers running Windows 2000 Server or later. Therefore, if your current version of Microsoft Proxy Server 2.0 is installed on Windows NT4.0, follow these steps:

  1. Stop and disable all Proxy Server services:
  2. Upgrade to Windows 2000. You may receive a message indicating that Proxy Server will not work on Windows 2000. This message can be safely ignored. For more detailed instructions, see the Proxy Server 2.0 home page, at http://www.microsoft.com/proxy/default.asp.
  3. You can now begin ISA Server setup. See Installing ISA Server for specific instructions.

Since the core services required for firewall operation are inactive during setup, it is recommended that the computer being upgraded be disconnected from the Internet for the duration of the installation.

Notes:

Back to Top


Array considerations

When you migrate Proxy Server to ISA Server, you can install the ISA Server computer either as a member of a new array or as a standalone server.

If you migrate the Proxy Server to a standalone server, most of the rules and other configuration elements previously created for Proxy Server are also migrated. If you migrate to a new array, the enterprise policy default settings determine how the Proxy Server rules are migrated.

Before you can migrate an array of proxy servers, you must remove all the members of the Proxy Server 2.0 array. Each member will retain an identical set of rules, which was replicated to all the servers in the array. Similarly, all the servers will retain identical network configuration—such as dial-on-demand settings—and monitoring configuration—such as alerts.

After you remove the Proxy 2.0 servers from the array, you can migrate each Proxy Server to ISA Server. To retain a similar array configuration, perform the following steps:

  1. Create a new ISA Server array, either beforehand or during setup of the first migrated proxy server, and install that first server into it.
  2. Migrate all subsequent proxy servers to this array.

Back to Top


Migrating to an array

You can migrate a single proxy server to a new array of ISA Server computers. In this case, the configuration information is migrated to the ISA Server array differently, depending on the ISA Server array's default enterprise settings.

ISA Server can be configured to use an enterprise policy only, an array policy only, or a combination of both. Depending on the enterprise policy settings, Proxy Server rules are migrated differently. The table below lists the possible enterprise settings and details how the Proxy Server policy is migrated for each setting.

Enterprise policy setting: what ISA Server migrates

Use array policy only: All existing Proxy Server rules are migrated to the array policy.
Use enterprise policy only: All existing Proxy Server rules are migrated, but only if you have enterprise administrator permissions. The enterprise policy settings are first changed so that the new array uses an array policy only.
Use enterprise and array policy: As above, all existing Proxy Server rules are migrated only if you have enterprise administrator permissions, after the enterprise policy settings are changed so that the new array uses an array policy only.

If the enterprise policy allows publishing rules, then the Proxy Server publishing settings are migrated to the array policy.

If the enterprise policy does not allow publishing rules, then if you have enterprise administrator permissions, the enterprise policy settings are changed so that publishing rules are allowed. The proxy server publishing settings are then migrated to the array policy.

If the enterprise policy does not allow publishing rules and you do not have enterprise administrator permissions, then the proxy server publishing settings are not changed.

Back to Top


Migrating Proxy Server 2.0 configuration

Most Proxy Server rules, network settings, monitoring configuration, and cache configuration will be migrated to ISA Server.

Proxy chains

Mixed chains of Proxy 2.0 and ISA servers are supported.

When a Proxy 2.0 server is downstream of the ISA Server, only Web proxy chaining is supported. This is because Proxy 2.0 does not support upstream Winsock Proxy chaining.

When ISA server is the downstream server, both Web proxy and Firewall chaining (or, in Proxy 2.0 terminology, Winsock Proxy chaining) are supported.

Web Proxy client requests

Whereas Proxy Server 2.0 listened for client HTTP requests on port 80 (through IIS), ISA Server is configured at installation to listen on port 8080 for the Web Proxy service. Therefore, all downstream chain members (or browsers) connecting to this ISA Server must connect to port 8080. Alternatively, you can configure ISA Server to listen on port 80.

Server Publishing

Proxy Server 2.0 required that you configure publishing servers as Winsock Proxy clients. ISA Server allows you to publish internal servers, without requiring any special configuration or software installation on the publishing server. Instead, the ISA Server treats the publishing servers as SecureNAT clients. Web publishing rules and server publishing rules, configured on the ISA Server, make the servers securely accessible to specific external clients. No additional configuration is required on the publishing server.

Cache

The Proxy Server cache configuration is migrated to the ISA Server, including cache drive specifications, size, and all other properties.

Proxy 2.0 cache content is not migrated, because the ISA Server cache storage engine is entirely different. The old cache content is deleted as part of ISA Server Setup, and the new storage engine is initialized using the existing cache and drive settings.

Note   Depending on the cache size and the number of objects in the cache, the deletion process may take some time.

Rules and policies

The table below lists how Proxy Server rules and other configuration information are migrated on the ISA Server computer:

Proxy Server 2.0 setting -> ISA Server equivalent

Domain filters -> Site and content rules
Winsock permission settings -> Protocol rules
Publishing properties -> Web publishing rules
Static packet filters -> Open or blocked IP packet filters
Web Proxy routing rules -> Routing rules

Policy elements are created, as necessary, for the new rules. Additional configuration information is also migrated: local address table, automatic dial settings, alerts, log settings, and client configuration settings.

Back to Top


Installing and Configuring Clients

After you install Microsoft Internet Security and Acceleration (ISA) Server 2000, you can configure the clients, and install the Firewall client software, as appropriate.

This chapter describes how to configure the clients supported by ISA Server. This chapter includes the following sections:

Back to Top


Configuring SecureNAT clients

Although SecureNAT clients do not require specific software to be deployed on the client computers, you must configure the network appropriately. This section details network considerations for SecureNAT clients.

Setting up the default gateway for SecureNAT clients

SecureNAT clients do not require specific software to be deployed on the client computers. However, you must configure your network topology for the ISA Server computer to protect the SecureNAT clients and ensure that their requests are serviced.

Specifically, the default gateway for the SecureNAT clients must be properly configured. When setting the default gateway property, identify which type of network topology you are configuring:

To configure SecureNAT clients on a simple network, you should set the SecureNAT client's Internet protocol (IP) default gateway settings to the IP address of the ISA Server computer's internal network address card. You can set this manually, using the TCP/IP network control panel settings on the client. Alternatively, you can configure these settings automatically for the client using the DHCP service.

To configure SecureNAT clients on a complex network, you should set the default gateway settings to the router on the client’s local segment and make sure that the router routes traffic destined for the Internet correctly to the ISA server’s internal interface.

Optimally, the router should use the shortest path to the ISA Server computer. Also, the router should not be configured to discard packets destined for addresses outside the corporate network; ISA Server will determine how to route the packets.

SecureNAT clients will probably request objects both from computers in the local network and from the Internet. Thus, SecureNAT clients will require DNS servers that can resolve names both for external and internal hosts.

Internal network and Internet access

For Internet access only, the SecureNAT clients' TCP/IP settings should point to DNS servers on the Internet. You should create a protocol rule that allows the SecureNAT clients to use the pre-defined DNS Query (client) protocol.

If the SecureNAT clients will request data both from the Internet and from the internal network servers, then the clients should use a DNS server located on the internal network. You should configure the DNS server to resolve both internal addresses and Internet addresses by using ‘Forwarders’ as necessary.

Back to Top


Firewall client configuration

Before you can install Firewall client software, the ISA Server software must be installed. When you set up ISA Server, you configure the array to which Firewall clients connect when sending requests to the Internet; the array is referenced by a single host name under which the IP addresses of all the array members are registered.

After installing the client software, you can modify the server name to which the client connects by specifying a different name in the browser’s proxy settings and by changing the name in the Firewall client software. For more information, see the Firewall Client Help.

To install Firewall client software

  1. At a command prompt, type path\setup where path is the path to the shared ISA Server client installation files. Typically, these files are located in \Program Files\Microsoft ISA Server\Clients on the ISA Server and shared as MSPclnt.
  2. Follow the on-screen instructions.

Note

Do not install Firewall client software on the ISA Server computer.

Client local address table file

When the client setup program runs, it installs a file named Msplat.txt into the \Program Files\Microsoft Firewall Client folder on the client computer. The Msplat.txt file contains the local address table (LAT), which defines the IP addresses of your internal network. To keep the LAT current, the Firewall client regularly downloads a fresh copy of Msplat.txt from the ISA Server computer. Each time a Winsock application on that client attempts to establish a connection to an IP address, the LAT is used to determine whether the IP address is on the internal network or is external. If the address is internal, the connection is made directly. If the address is external, the connection is made through the Firewall service on ISA Server.

In some situations, the LAT that the client downloads from the server may not completely define the addresses that a particular client needs in order to reach the internal network. Because the client overwrites Msplat.txt at regular intervals with the fresh version downloaded from the server, any changes you make to that file on the client are lost at the next update. To avoid this, use a text editor to create a custom client LAT file named Locallat.txt and place it in the client's \Program Files\Microsoft Firewall Client folder. In it you can add the additional IP address ranges that the client should recognize as part of the internal network. The client uses both Msplat.txt and Locallat.txt to determine which IP addresses are part of the internal network and which are on the Internet.
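The decision described above, as an added example that is not the Firewall client's own code: the two files are combined and each destination address is tested against the union. Both file bodies are constructed for the example, and the file format assumed is the one Msplat.txt uses, one range per line with start and end address separated by whitespace.

```javascript
// Added example (not Firewall client code): combine Msplat.txt with an
// optional Locallat.txt and decide whether a Winsock connection goes direct
// or through the Firewall service. Both files are constructed here.

// Msplat.txt as downloaded from the ISA Server computer. The client replaces
// this file on every refresh, so edits made to it do not survive.
const MSPLAT_TXT = `
10.0.0.0\t10.255.255.255
192.168.0.0\t192.168.255.255
`;

// Locallat.txt maintained on this client only: a segment behind an internal
// router that the central LAT does not list.
const LOCALLAT_TXT = `
172.16.5.0\t172.16.5.255
`;

function ipToInt(ip) {
  return ip.split('.').reduce((acc, octet) => acc * 256 + Number(octet), 0);
}

// Parse LAT lines into {start, end} ranges. Malformed or reversed entries are
// rejected rather than silently treated as "internal".
function parseLat(text) {
  const ranges = [];
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line) continue;
    const m = line.match(/^(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)$/);
    if (!m) throw new Error(`malformed LAT line: "${line}"`);
    const start = ipToInt(m[1]), end = ipToInt(m[2]);
    if (start > end) throw new Error(`reversed LAT range: "${line}"`);
    ranges.push({ start, end });
  }
  return ranges;
}

// The client works from the union of both files.
function loadClientLat(msplatText, locallatText) {
  return parseLat(msplatText).concat(parseLat(locallatText || ''));
}

// 'direct': the Winsock call is made without the Firewall service.
// 'firewall': the call is redirected through the Firewall service on ISA Server.
function connectionPath(lat, destIp) {
  const n = ipToInt(destIp);
  return lat.some(r => n >= r.start && n <= r.end) ? 'direct' : 'firewall';
}

// Without Locallat.txt the 172.16.5.0/24 segment is treated as external and
// its traffic is pushed through the firewall; with it, the client goes direct.
const withoutLocal = loadClientLat(MSPLAT_TXT, '');
const withLocal = loadClientLat(MSPLAT_TXT, LOCALLAT_TXT);
console.log(connectionPath(withoutLocal, '172.16.5.20')); // firewall
console.log(connectionPath(withLocal, '172.16.5.20'));    // direct
console.log(connectionPath(withLocal, '203.0.113.5'));    // firewall
```

Keep Locallat.txt as short as possible: every range added there is a range the Firewall client will reach without the Firewall service, so an over-broad entry quietly removes that traffic from the firewall's view.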

Back to Top


Configuring Web Proxy clients

You can set an option by which Microsoft Internet Security and Acceleration (ISA) Server automatically downloads a client configuration script located on the ISA Server computer every time a Web browser is opened. For Firewall clients, this script can be downloaded to the browser and run against every URL that the browser requests. The output of this script provides an ordered series of ISA Server computers that the browser uses to retrieve the object that is specified by the URL.

The script is stored at a specific URL on any ISA Server computer in an array. You can easily update all Web browser settings without having to reconfigure each individual Web browser. Microsoft Internet Explorer version 3.02 and later and Netscape 2.0 and later support this feature.

As an alternative, you can manually construct your own configuration script and place it on your Web server. When a Web browser looks for the configuration script, your Web server intercepts the request and returns the custom script to the browser.

The default configuration URL is

http://Computer_name:port/array.dll?Get.Routing.Script

where Computer_name is the name of the ISA Server computer and port is the port to which Web Proxy requests are sent. This is the URL where the configuration script is located. ISA Server automatically generates this configuration script based on the direct access and backup route options and array member cache configuration.

Automatic Web browser configuration for Firewall clients

You can configure ISA Server so that the Firewall client's Web browser is configured during setup. This way, the client's Web browser will use the specified automatic configuration script. For configuration instructions, refer to the on-line help provided with ISA Server.

When the Web browser for a Firewall client looks for the configuration script, the Firewall service intercepts the request and returns the automatically generated default script to the browser. The script is based on the options set in Advanced Client Configuration. If the option to use a proxy server is selected in the Web browser, the browser bypasses the Firewall client and talks directly to the specified ISA Server computer; in that case the script helps the client send requests directly to the array member most likely to have the requested object in its cache.
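The two ideas in this section, a hand-written configuration script (the alternative mentioned under Configuring Web Proxy clients) and a script that steers each URL to the array member most likely to hold it in cache, combined in one added example. This is not the script that ISA Server generates at array.dll?Get.Routing.Script, nor Microsoft's code. The array member names isa1 and isa2, the port 8080 and the internal DNS suffix corp.example are placeholders; the member-selection hash is a simplified CARP-style hash and is an assumption, not ISA Server's exact algorithm.

```javascript
// Added example (not the script ISA Server generates): a hand-written proxy
// auto-configuration (PAC) script. The browser fetches it and calls
// FindProxyForURL(url, host) for every request it makes.
// ASSUMPTIONS: isa1/isa2, port 8080 and the suffix .corp.example are placeholders;
// rankMembers uses a simplified CARP-style hash, not ISA Server's own algorithm.

var ARRAY_MEMBERS = ["isa1.corp.example:8080", "isa2.corp.example:8080"];
var INTERNAL_SUFFIX = ".corp.example";

// "Direct access" hosts are reached without a proxy: unqualified names
// (e.g. "intranet") and names inside the internal DNS suffix. Everything else
// is treated as external. Note that a suffix test must include the leading dot,
// otherwise a host such as evilcorp.example would match.
function isDirectAccessHost(host) {
  var h = host.toLowerCase();
  if (h.indexOf(".") === -1) return true;
  return h.length > INTERNAL_SUFFIX.length &&
         h.slice(-INTERNAL_SUFFIX.length) === INTERNAL_SUFFIX;
}

// 32-bit FNV-1a hash of a string. A deterministic hash (rather than Math.random)
// means every browser in the organization picks the same member for a URL,
// which is what makes the array's caches useful.
function hash32(s) {
  var h = 0x811c9dc5;
  for (var i = 0; i < s.length; i++) {
    h ^= s.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h;
}

// CARP-style ranking: combine the URL hash with each member's name hash and
// sort members by the result, highest first. The first entry is the member most
// likely to have the object cached; the rest form the ordered backup route.
function rankMembers(url) {
  var u = hash32(url);
  return ARRAY_MEMBERS.slice().sort(function (a, b) {
    return ((u ^ hash32(b)) >>> 0) - ((u ^ hash32(a)) >>> 0);
  });
}

function FindProxyForURL(url, host) {
  if (isDirectAccessHost(host)) return "DIRECT";
  var ordered = rankMembers(url);
  var out = [];
  for (var i = 0; i < ordered.length; i++) out.push("PROXY " + ordered[i]);
  // Deliberately no trailing "DIRECT": if every array member is down the
  // request fails instead of the browser bypassing the firewall.
  return out.join("; ");
}
```

The script uses only plain string operations rather than the PAC helper functions (isInNet, dnsDomainIs) so that it behaves identically in a browser and in a test harness. The absence of a final DIRECT entry is a deliberate choice: a browser that falls back to a direct connection when the array is unreachable would silently leave the policy that the array enforces.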

Configuring the browser on the ISA Server computer

If you use a Web browser on the ISA Server computer, you should configure the browser to use the IP address of the server network adapter that is connected to the internal network. Do not use the server computer name or DNS name, as the resolved address may be the external address, where Web Proxy services may not be available.

Additionally, requests from the browser are denied because the local address table (LAT) does not contain the external IP address. Consequently, the browser on the server must be configured to connect through the Web Proxy service.

Back to Top


Deployment Scenarios

Microsoft Internet Security and Acceleration (ISA) Server can be deployed in varied network topologies. This section describes some typical network configurations. While your actual network configuration may differ from those described here, the basic concepts and configuration logic may provide insights.

This chapter includes the following sections:

Internet firewall in a small network

Enterprise policy scenario with

Back to Top


Firewall scenario in a small network

ISA Server can be deployed as a dedicated firewall that acts as the secure gateway to the Internet for internal clients. The ISA Server computer is transparent to the other parties in the communication path. The Internet user should not be able to tell that a firewall server is there, unless the user attempts to access a service or go to a site where the ISA Server computer denies access. By setting the security access policies, administrators can prevent unauthorized access and malicious content from entering the network as well as restrict what traffic is allowed outbound.

Key features include:

Network configuration

In the small office network configuration, the ISA Server computer can be placed between the corporate local area network (LAN)/wide area network (WAN) and the Internet. A small office network might have fewer than 250 clients on a single LAN segment, use the Internet protocol (IP) network protocol, and demand-dial connectivity to an Internet service provider. A single ISA Server computer can provide Internet connectivity and security for the entire network, as shown in the figure.

The scenario illustrated here and described below assumes a small organization, so the array contains just one ISA Server computer. To allow for future expansion, the server is set up as an array member.

In a slightly larger organization, an array of ISA Server computers might be set up. Assuming that most of the clients are located on a single site and in a single domain, one ISA Server array can be set up to service the entire organization. The array can contain one or more ISA Server computers, depending on bandwidth and cache requirements.

Setting up clients

Firewall Client software can be installed and made available on client desktops in the organization to ensure secured access for Winsock applications. Only Firewall Clients can be identified and fully authenticated by ISA Server, which can process rules on a per-user basis. For example, a site and content rule might limit access to a particular authenticated user; in this case, only Firewall clients can be granted access.

If the organization does not want to deploy client software to all its users, the users can be set up as secure network address translation (SecureNAT) clients. SecureNAT clients do not require any special software installed on the computer. The default gateway is configured to the ISA Server computer's Internet protocol (IP) address or to a router that routes requests to the ISA Server computer. That way, all requests to the Internet will be forwarded to the ISA Server computer, which will handle the request in accordance with the array or enterprise policy.

For Web Proxy clients, the Web browsers are configured so that the proxy server is the ISA Server computer or ISA Server array. The proxy server port on the Web browser should be set to 8080—assuming that the ISA Server computer's outgoing Web request settings are also set to listen on port 8080.

If the desktop users have the Firewall Client software installed, then the Web browser need not be set up as a Web Proxy client. Instead, HTTP requests are forwarded to the ISA Server computer, which determines whether access is allowed. If it is, then the HTTP redirector filter, installed as part of ISA Server, forwards the request to the Web Proxy Service, which determines whether the requested object is in the cache.

In this scenario, the ISA Server computer is set up using the automatic dial-out feature of ISA Server. The ISA Server computer also has a network card connected to the internal network.

Configuring the ISA Server policy

After setting up the server, the administrator considers the organization's business needs—who requires access to the Internet. These needs are mapped to an ISA Server policy, which the administrator configures either by scripting or using ISA Administrator. For this example, assume that the corporation includes three departments: Sales, Research and Development, and Human Resources. The organization stipulates that Sales and Research and Development are allowed unlimited HTTP access, but only to a specific list of Web sites. The Human Resources department is allowed HTTP access after hours. In addition, all employees can access Windows media applications after hours, but at a lower bandwidth priority.

The administrator configures an array policy, creating a set of access policy rules that allow or limit access, in accordance with the scenario described above. The administrator follows these steps to implement the policy:

  1. Set the enterprise policy default settings to Use array policy.
  2. Create a dial-up entry called Dial to My ISP.
  3. Create a routing rule with the following parameters:
  4. Configure Firewall chaining as follows:
  5. Create three client sets, one for each of the departments. Each set should include the users or IP addresses for the department.
  6. Create a schedule called After Hours.
  7. Create a bandwidth priority called Windows Media Bandwidth, with both the outbound bandwidth and the inbound bandwidth set to 10.
  8. Create a protocol rule with the following settings:
  9. Create a protocol rule with the following settings:
  10. Create a protocol rule with the following settings:
  11. Create a site and content rule with the following settings:
  12. Create a bandwidth rule with the following settings:

Back to Top


Enterprise policy scenario

The scenario described here assumes a large corporation, with Headquarters in the United States and two branch offices, one in Canada and one in the United Kingdom. Each location has an array of one or more ISA Server computers installed. For this scenario, at the central office, an enterprise policy is created, defining one access policy for all clients. The network administrator at Headquarters is responsible for implementing a corporate policy and ensuring that all branch offices follow the guidelines stipulated in the corporate policy. The Headquarters network administrator allows branch administrators to create more restrictive rules.

Network Configuration

The branch office in Canada is connected via a router to the Headquarters. The branch office in the United Kingdom is connected via a virtual private network (VPN) to the Headquarters.

The figure below illustrates the network configuration.

Each member of the array at Headquarters is configured with two network interfaces: one network adapter to connect to the internal network, and one network adapter to connect to the Internet. For this scenario, you can assume direct connectivity to the Internet service provider takes place through a router and a T1/E1 line, with fallback to a backup dial-up line.

The ISA Server in the Canada office is installed in cache mode, and is chained to the ISA Server at Headquarters. The server has two network adapters: one is connected to a local router and the other is connected to a router at Headquarters.

The ISA Server array in the United Kingdom is set up in integrated mode, serving as the branch's firewall and cache server. In addition, the ISA Server computers are tri-homed, so that requests for domestic Internet computers are routed directly to the Internet.

Enterprise policy at Headquarters

An enterprise policy is set at Headquarters and can be applied to the entire organization. For this example, assume that the United States Headquarters stipulates that employees in all offices are allowed HTTP and Windows media streaming access to all sites. Furthermore, the array in the United Kingdom can have array policies, stipulating more restrictive access.

Follow these steps to create an enterprise policy:

  1. Create an enterprise policy called HQ, with a protocol rule that allows HTTP and MMS Windows media (client) protocols.
  2. Configure the enterprise policy properties, so that all arrays are allowed to create an array policy.

Chained array at branch office

Since the ISA Server in the Canada branch office is on the Headquarters’ network, it requires only one network adapter, which connects it to the ISA Server at Headquarters.

At the branch offices, ISA Server can be installed in cache mode. The ISA Server computers at the branch offices are used to reduce the traffic along the pipe by caching Web content. This is good for internal Web content as well as Internet Web content.

The access policy configured at the enterprise level is applied to the array policy at the branch office.

Caching is made available and configured in order to minimize the occurrence of demand-dialing to the central office, to reduce long-distance phone charges. Caching is used to store a local copy of the most frequently requested Internet URLs in dedicated disk drive volumes, with active caching occurring at the central office ISA Server array. This provides load balancing by offloading some of the work performed by the central office ISA Server computers. Scheduled content download jobs can be configured to pre-cache specific content at the branch offices. This will further improve perceived network performance.

Perform the following steps to configure the local ISA Server:

  1. Configure a routing rule that redirects requests from Web Proxy clients to the upstream ISA Server at Headquarters. Select Routing them to a specified upstream proxy server. Since Headquarters has an array of ISA Server computers, select Automatically poll upstream proxy for array configuration and type the URL for the array.
    Alternatively, set the branch ISA Server’s default gateway to the upstream ISA Server. Then, when you configure the routing rule, select Sending them directly to the Internet.
  2. Create scheduled content download jobs, to download frequently-accessed objects to the local cache. If the objects are already in the cache at Headquarters, they will be downloaded from there. Otherwise, the ISA Server computers at Headquarters will forward the requests on to the Internet.
    Refer to the on-line help for specific instructions on configuring scheduled content download jobs.
  3. Since the access policy at the branch office is identical to the access policy at Headquarters, there is no need to configure additional rules.

VPN at remote branch office

The ISA Server computers in the United Kingdom are set up with two internal network interfaces: one network adapter to connect to the local network at the branch office, and a modem or ISDN adapter to connect to the Internet. The branch office is connected over the Internet, via VPN, to the Headquarters.

The branch office LAT lists the network IP address space of the branch office networks. Any external (Internet) IP addresses must be excluded. A name server, such as DNS, should be installed at the branch office to provide local name resolution.

Follow these steps to configure the branch office:

  1. Run the Local VPN Wizard on the ISA Server computer that will be connecting to Headquarters.
  2. Run the Remote VPN Wizard on the ISA Server computer at Headquarters to which the United Kingdom will connect.
  3. Create a routing rule that routes all requests for Internet objects in the United Kingdom (.uk suffix in the domain name) directly to the Internet.
  4. Create a routing rule that routes all requests for Internet objects on servers outside the United Kingdom (domain names without the .uk suffix) to the upstream ISA Server array at Headquarters.

Back to Top


Web Publishing scenarios

The Web publishing functions of Microsoft Internet Security and Acceleration (ISA) Server benefit organizations who want to securely publish Web content from within their protected intranet. With incoming Web requests, ISA Server can protect an organization's Web server that is hosting a commercial Web business or providing access to business partners. The ISA Server impersonates a Web server to the outside world, while the Web server maintains access to internal network services.

Before configuring Web publishing access control, you have to configure the incoming Web request properties of the ISA Server. The incoming Web request properties specify which IP addresses and ports on each ISA Server computer in the array listen for incoming Web requests. The incoming Web request properties also determine the necessary authentication required when accessing internal servers.

To make Web publishing available, you must specify which interface card on the ISA Server computer will be used for Web publishing. You should also configure whether requests from clients should be authenticated by the ISA Server. Typically, the Web server should authenticate client requests—in other words, do not require authentication for the ISA Server computer.

The Web server you are publishing can be located either on the same computer as ISA Server or on a different computer.

Web Server on local network

The figure below illustrates a Web publishing scenario, with the Web servers located behind the Microsoft Internet Security and Acceleration (ISA) Server computer.

Two Web servers are located on the internal network, which is protected by ISA Server. When an Internet user requests an object on example.microsoft.com\Marketing or example.microsoft.com\Development, the request is actually sent to the ISA Server computer, which routes the request to the appropriate Web server.

Notice that when external clients request objects from the Web servers, they actually gain access to the ISA Server computer. This way, ISA Server ensures that the network is never penetrated by external users. Furthermore, the Internet protocol (IP) addresses of the Web servers are never exposed. Instead, the Internet users gain access to the Web servers by specifying the ISA Server computer's IP address.

Suppose you want to publish two internal servers, on the example.microsoft.com domain, one called Dev and one called Mktg. The Mktg computer should return objects when a client requests example.microsoft.com/Marketing, and Dev should return objects when a client requests example.microsoft.com/Development.

Follow these steps to publish the Web servers, as illustrated in the figure:

  1. Verify that the DNS server maps the fully-qualified domain name to the IP address of the ISA Server computer. Internet clients use the domain name to request content.
  2. Configure the ISA Server incoming Web request properties. The IP address should include the IP address of the external interface.
  3. Create a destination set, called Marketing, which should include the computer example.microsoft.com and the path \Marketing\*.
  4. Create a destination set, called Development, which should include the computer example.microsoft.com and the path \Development\*.
  5. Configure a Web publishing rule with the following parameters:
  6. Configure the second Web publishing rule with the following parameters:
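The routing decision that the two destination sets and Web publishing rules above express, written out as an added example. This is not ISA Server code and not part of the guide; the internal server names mktg.internal.example and dev.internal.example are constructed placeholders standing in for the Mktg and Dev computers, and the matching logic (normalize the path, match a destination set, deny everything else) is the example's own.

```javascript
// Added example (not ISA Server code): the request-routing decision behind the
// Marketing and Development Web publishing rules. Internet clients only ever
// see the ISA Server computer's address; the internal server names below are
// constructed placeholders for the Mktg and Dev computers in the scenario.

const DESTINATION_SETS = [
  { name: "Marketing",   host: "example.microsoft.com", path: "/Marketing",   server: "mktg.internal.example:80" },
  { name: "Development", host: "example.microsoft.com", path: "/Development", server: "dev.internal.example:80" },
];

// Collapse "." and ".." segments and repeated slashes before matching, so a
// request such as /Marketing/../Development/x.htm is judged by where it really
// points, not by its first path segment.
function normalizePath(path) {
  const out = [];
  for (const seg of path.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") { out.pop(); continue; }
    out.push(seg);
  }
  return "/" + out.join("/");
}

// Returns {action: "forward", rule, server, path} for a request that matches a
// destination set, or {action: "deny", reason} otherwise. The default is deny:
// a request that matches no Web publishing rule never reaches an internal server.
function routeIncomingRequest(rawUrl) {
  let url, decoded;
  try {
    url = new URL(rawUrl);
    decoded = decodeURIComponent(url.pathname);
  } catch (e) {
    return { action: "deny", reason: "malformed URL" };
  }
  const host = url.hostname.toLowerCase();
  // Compare case-insensitively: the published IIS paths are not case-sensitive,
  // so the rule should not depend on the client's choice of letter case.
  const path = normalizePath(decoded).toLowerCase();
  for (const set of DESTINATION_SETS) {
    const prefix = set.path.toLowerCase();
    if (host === set.host && (path === prefix || path.startsWith(prefix + "/"))) {
      return { action: "forward", rule: set.name, server: set.server, path };
    }
  }
  return { action: "deny", reason: "no Web publishing rule matches" };
}

console.log(routeIncomingRequest("http://example.microsoft.com/Marketing/index.htm"));
console.log(routeIncomingRequest("http://example.microsoft.com/Marketing/../Development/x.htm"));
console.log(routeIncomingRequest("http://example.microsoft.com/Sales/"));
```

The normalization step is the part worth keeping in mind when writing destination sets: a path pattern such as \Marketing\* is only as precise as the path the rule engine compares it against, so the comparison must be made on the resolved path, not on the raw request string.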

Co-located Web Server

The figure below illustrates another common Web publishing scenario, with the Web server located on the same computer as the ISA Server.

In this scenario, you configure the ISA Server computer to listen for incoming requests on port 80 of the external interface card.

However, by default, the Web server also listens on port 80 for incoming requests. To avoid this conflict, configure the Web server so that it listens on a port other than 80. Then, modify the ISA Server Web publishing rule so that ISA Server forwards the requests to the appropriate port on the Web server.

Alternatively, you can configure the Internet Information Services (IIS) server to listen on a different IP address. You might set the IIS Server to listen on 127.0.0.1, thereby accepting requests only from the ISA Server computer.

For example, you can configure the Web server to listen on port 9999. Then, create a Web publishing rule with the following parameters:

Back to Top


Secure server publishing

ISA Server allows you to publish services to the Internet without compromising the security of your internal network. You can configure Web publishing and Server publishing rules that determine which requests should be sent downstream to a server located behind the ISA Server computer, providing an increased layer of security for your internal servers. For example, you can place your Web server behind the ISA Server and create Web publishing rules that allow the Web server to be published to the Internet. Incoming requests to the Web server are intercepted by the ISA Server computer, which gives the appearance of a Web server to clients. ISA Server fulfills client requests for Web content from its cache and forwards requests to the Web server only when the requests cannot be served from its cache. Meanwhile, your Web server sits in its secure environment and maintains access to other internal network services.

Key features include:

Before configuring Web publishing access control, you have to configure the incoming Web request properties of the ISA Server. The incoming Web request properties specify which IP addresses and ports on each ISA Server computer in the array listen for incoming Web requests. The incoming Web request properties also determine the necessary authentication required when accessing internal servers.

To make Web publishing available, you must specify which interface card on the ISA Server computer will be used for Web publishing. You should also configure whether requests from clients should be authenticated by the ISA Server. Typically, the Web server should authenticate client requests—in other words, do not require authentication for the ISA Server computer.

The Web server you are publishing can be located either on the same computer as ISA Server or on a different computer.

Exchange Server publishing scenario

As business-to-business e-commerce becomes more prevalent, more organizations realize the need to protect internal servers, while at the same time making them accessible to specific external users. The reverse publishing feature in Microsoft Internet Security and Acceleration (ISA) Server facilitates securing internal server access by external clients.

A common ISA Server scenario involves securing the Simple Mail Transfer Protocol (SMTP) communication of mail servers. For example, ISA Server can protect a Microsoft Exchange Server. The Exchange Server Setup Wizard configures the policy needed to allow communication between an Exchange Server computer and the Internet. The wizard adds a set of server publishing rules which redirect communication from Internet users at a particular port to a specified internal Internet protocol (IP) address. The wizard also creates protocol rules that dynamically open ports for outgoing communication. For more information, see Running mail server security wizard.

The Exchange server that you are publishing can be co-located on the ISA Server computer, on a perimeter network (DMZ), or on the local network. The following sections describe some Exchange Server publishing scenarios.

Exchange Server on local network

In this scenario, the Microsoft Exchange Server computer is on the local network, protected by the Microsoft Internet Security and Acceleration (ISA) Server computer, as illustrated in the figure.

You can use the ISA Server Mail Server Security Wizard to configure the Exchange Server, so that it's available to external clients, using one or more of the following protocols:

The wizard creates one or more server publishing rules, corresponding to each mail service that ISA Server protects. The server publishing rules created by the wizard have the following parameters:

The new rules created by the wizard are all named with the prefix Mail wizard rule.

The Mail Server Security Wizard also creates protocol rules, to allow outgoing mail traffic. The protocol rules have the following parameters:

Name resolution for clients

Since POP3, IMAP4 and HTTP clients can access the computer that is running Exchange Server either by DNS name or IP address, it is recommended that you map the DNS name used by mail clients to the ISA Server computer's external IP addresses.

For MAPI clients, a DNS server on the Internet must resolve the name of the computer running Exchange Server and match it to an IP address on the ISA Server computer's external network interface card. Note that, in this case, the DNS server should map the internal name of the Exchange Server computer to the ISA Server's external IP address. Therefore, the server type should be set to Server and not to Mail server.

Co-located Exchange Server

In this scenario, ISA Server and Exchange Server are on the same computer, as illustrated below.

You can use the Mail Server Security Wizard to publish the Exchange server located on the ISA Server computer. In this scenario, the Mail Server Security Wizard creates an IP packet filter. IP packet filters are created for each mail service that you select. For example, suppose you run the Mail Server Security Wizard, and specify Outgoing SMTP mail and POP3 client requests. In this case, the following IP packet filters will be created:

Perimeter network (DMZ) scenarios

A perimeter network (also known as a DMZ) is a small network that is set up separately from an organization's private network and the Internet. The perimeter network allows external users access to the specific servers located in the perimeter network, while preventing access to the internal corporate network. An organization may also allow very limited access from computers in the perimeter network to computers in the internal network.

A perimeter network is commonly used for deploying the e-mail and Web servers for the company. The perimeter network can be set up in one of these configurations:

For example, the perimeter network may include the company's Web server, so that Web content can be sent to the Internet. However, the perimeter network does not allow access to any other company data that may be available on computers in the local network. Even if an external user penetrates the perimeter network security, only the perimeter network servers are compromised.

Back-to-back perimeter network configuration

In a back-to-back perimeter network configuration, two Microsoft Internet Security and Acceleration (ISA) Server computers are located on either side of the perimeter network. The figure illustrates a back-to-back perimeter network configuration.

In this configuration, two ISA Server computers are hooked up to each other, with one connected to the Internet and the other to the local network. The perimeter network resides between the two servers. Both ISA Servers are set up in integrated or firewall mode, thereby essentially reducing the risk of compromise, since an attacker would need to break into both systems in order to get to the internal network.

Perform the following steps to make the servers on the perimeter network available to external (Internet) clients:

  1. Configure the Local Address Table (LAT) on the ISA Server connected to the corporate network (marked ISA Server 2) to include the IP addresses of the computers in the corporate network.
  2. Configure the LAT on the ISA Server connected to the Internet to include the IP address of the ISA Server connected to the corporate network and the IP addresses of all the publishing servers in the perimeter network.
  3. Create a server publishing rule for each of the publishing servers on the screened network. To publish Web servers, create a Web publishing rule. For example, the figure illustrates a Telnet server and an IIS server. To publish the Telnet server, create a server publishing rule with the following parameters:
  4. To publish the IIS Server, create a Web publishing rule with the following parameters:

Three-homed perimeter network (DMZ) configuration

In a three-homed screened perimeter network, a single Microsoft Internet Security and Acceleration (ISA) Server computer (or an array of ISA Server computers) is set up with three network cards:

The figure illustrates this perimeter network scenario.

Follow these steps to set up a perimeter network with a three-homed ISA Server.

  1. Configure the Local Address Table (LAT) to include all the addresses on the corporate network. The LAT should not include the addresses on the perimeter network.
  2. Enable packet filtering.
  3. Enable IP routing.
  4. Create IP packet filters for each of the servers in the perimeter network. Each IP packet filter should have the following parameters:

Back to Top