Chapter 5

Deploying ISA Server

Microsoft® Internet Security and Acceleration (ISA) Server is an integrated firewall and Internet caching server. Deploying ISA Server saves network bandwidth by providing faster Web access for users. ISA Server secures your network, allowing you to implement your business security policy by configuring a broad set of rules that specify which sites, protocols, and content can be passed through the firewall.

In This Chapter

• Overview of ISA Server (page 216)
• Determining the Role of ISA Server (page 218)
• Evaluating Interoperability Issues (page 224)
• Designing for High Availability (page 227)
• Securing the Design (page 235)
• Implementing Your ISA Server Solution (page 240)
• Additional Resources (page 245)

Related Information

• For more information about creating a virtual private network (VPN), see “Deploying Dial-up and VPN Remote Access Servers” in this book.

Overview of ISA Server

ISA Server offers a complete Internet connectivity deployment solution as a firewall and a Web caching server.

Important: ISA Server (the successor to Proxy Server 2.0) is a separate product from the Microsoft® Windows® Server 2003 operating system. You must install ISA Server Service Pack 1 (SP1) immediately after installing ISA Server for it to interoperate with Windows Server 2003.

ISA Server monitors requests and responses between the Internet and internal client computers; ISA Server also controls which computers on the Internet the internal clients can access. ISA Server offers many security and caching options, including:

• Enhanced security with multilayer firewall and integrated intrusion detection. ISA Server is a complete firewall product that provides packet filtering, stateful packet inspection, and application-level awareness for many common protocols, such as Simple Mail Transfer Protocol (SMTP) and Domain Name System (DNS). You can create access policies based on user-level information, IP addresses, or Web content.

• Secure publishing. You can use ISA Server as a reverse cache server to define a secure publishing policy. This protects internal publishing servers and makes them safely accessible to Internet clients.

• ISA Server can cache Web content, potentially reducing your external bandwidth requirements. You can configure the cache to contain content that your organization uses frequently or that your Internet clients access.

• ISA Server is extensible. You can program the COM interface in ISA Server using high-level programming languages or scripting languages. Developers can implement application and Web filters to extend the core firewall functionality. You can use the ISA Server management interface to develop additional administration tools and management scripts.

ISA Server Deployment Process

The process for deploying ISA Server includes determining the deployment mode (cache, firewall, or integrated) you need to use, examining the integration between ISA Server and other components in your network, and choosing the best method for securing your network design. Figure 5.1 shows the process for deploying ISA Server.

Figure 5.1 Deploying Your ISA Server

Determining the Role of ISA Server

ISA Server can act as a firewall, a Web caching server, or both in your network. Figure 5.2 shows the process for determining the role of your ISA server.

Figure 5.2 Determining the Role of ISA Server

You can install ISA Server in firewall, cache, or integrated mode.

• In firewall mode, you can secure network communication by configuring rules and access policies that control communication between your internal network and the Internet. You can also publish internal servers.

• In cache mode, you can improve network performance and save bandwidth by storing frequently accessed content closer to the user. You can also route requests from internal users to the appropriate Web server and publish Web servers in cache mode.

• In integrated mode, all cache and firewall features are available. You can configure a policy to meet both cache performance and security requirements.

Use Table 5.1 to determine which mode of ISA Server installation is most appropriate in your network.

Table 5.1 Determining the ISA Server Installation Mode

Goal | Mode
Secure your connection to the Internet, connect remote offices, or implement secure extranets. | Firewall
Increase performance of your Internet connection. | Cache
Secure your connection to the Internet and increase the performance of your Internet connection. | Integrated

Implementing ISA Server in Firewall Mode

ISA Server in firewall mode acts as a secure gateway between the Internet and internal clients. By configuring the access policies, you can prevent unauthorized access and malicious content from entering the network, as well as restrict outbound traffic. In Figure 5.3, ISA Server is deployed in firewall mode and as a publisher of internal services, including e-mail and Web services.

Figure 5.3 ISA Server in Firewall Mode

All inbound traffic requiring access to the Web or e-mail servers must pass through the firewall first. Likewise, ISA Server can also limit Internet access to specified clients. In this example, ISA Server is acting as a dedicated firewall controlling access to the internal network.

Implementing ISA Server in Cache Mode

ISA Server in cache mode accelerates Web access performance by caching Internet content locally. ISA Server can provide access control for Web content, both in forward cache mode and reverse cache mode.

Forward Cache Mode

When a client in the internal network requests a Web page, ISA Server in forward cache mode checks if the content is cached locally. If so, the request is not forwarded to the Internet, and the forward cache server returns the Web pages to the client. If the Web page is not stored locally, ISA Server (acting on behalf of the client) retrieves the Web page from the Internet. ISA Server then saves that Web page in the local cache. The next time a client requests that page, ISA Server can fulfill the request without going to the Internet to retrieve the page. This results in using less bandwidth on the Internet connection. Figure 5.4 illustrates a forward cache mode configuration.

Figure 5.4 ISA Server in Forward Cache Mode

Reverse Cache (Web Publishing) Mode

You can also configure ISA Server in reverse cache mode. ISA Server in reverse cache mode caches content provided to the Internet from the Web server. When an Internet client requests a Web page, the request is sent to the ISA Server–based computer first. If the page is stored there locally, there is no need to retrieve the page from the Web server. This increases performance for Internet clients accessing the Web site from the Internet, as well as increasing security for the server. Figure 5.5 illustrates a reverse cache mode configuration.

Figure 5.5 ISA Server in Reverse Cache Mode

Implementing ISA Server in Integrated Mode

ISA Server in integrated mode provides a firewall solution and acts as a Web cache server simultaneously by allowing both services to coexist on the same server. Before implementing both the firewall and Web cache on the same server, consider the following points:

• Purchasing less equipment can minimize costs.

• Centralizing the management of both resources on a single computer can simplify administration.

• Implementing both services on a single computer presents a single point of failure for both services. If that computer goes offline, multiple services are taken offline.

Determining Client Types

ISA Server supports the following types of clients.

Web Proxy client: Makes all Internet requests to the ISA Server “Outgoing Web Requests” listener. Most often, this is a Web browser that is either configured manually by the user, or is configured automatically by using Group Policy or a configuration script. ISA Server restricts user-based Web access controls to Web Proxy clients only.

SecureNAT client: Provides IP-based security, but does not allow for user-level authentication. To configure a SecureNAT client, you only have to set the default route between the client and the ISA Server default internal IP address. Because a SecureNAT client uses no other configuration, any computer that uses TCP/IP can be a SecureNAT client.

Firewall client: Restricts access on a per-user, per-application basis for outbound access for requests that use Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). To configure a firewall client, you must install the Firewall Client software on each client computer. You can install the Firewall Client software from the shared folder \\ISA Server Name\mspclnt on the ISA Server–based computer.

You can only install the Firewall Client software on computers running Microsoft® Windows® 95 Service Release 2, Windows NT 4.0, Windows® 98, Windows® Millennium Edition, Windows® 2000 Professional, Windows XP Professional, Windows® XP 64-Bit Edition, or the Windows Server 2003 family.

Before you deploy or configure client software, assess your organizational needs, determine which applications and services your internal clients require, and assess how you plan to publish servers. Finally, map these needs to the client types supported by ISA Server. Use Table 5.2 to determine which clients to deploy on your network.

Table 5.2 Determining Which Clients to Deploy

Goal | Client | Reason
Improve the performance of Web requests for internal clients. Combine user-level and content controls to Web access. | Web Proxy | Web Proxy clients do not require any software to be installed but do require specific configuration.
Avoid deploying client software or configuring client computers. | SecureNAT | SecureNAT clients do not require any software or specific configuration.
Improve Web performance in an environment with non-Microsoft operating systems. | SecureNAT | SecureNAT client requests pass transparently to the ISA Server firewall service and then to the caching service.
Publish servers that are located on your internal network. | SecureNAT | You can publish internal servers as SecureNAT clients, which eliminates the need for creating special configuration settings on the publishing server.
Allow Internet access only for authenticated users. | Firewall or Web Proxy | You can configure user-based access policy rules for firewall clients. There is also an option to require authentication with Web Proxy clients.

Evaluating Interoperability Issues

Before you can make ISA Server interoperable with other network services and computers, you need to evaluate possible implementation and integration issues within your configuration, as shown in Figure 5.6.

Figure 5.6 Evaluating Interoperability Issues

Running Other Services with ISA Server

You can run ISA Server on a computer with other services running already, such as e-mail or Web servers. However, it is not recommended to place other services on the firewall. For improved security and protection, place services behind the firewall, as shown in Figure 5.7. For example, if your organization needs to deploy ISA Server to connect branch offices to the Internet in integrated mode, ISA Server can be installed on existing e-mail or Web servers to simplify deployment and minimize the cost.

Figure 5.7 Running Other Services with ISA Server

Implementing ISA Server in a Domain

ISA Server with ISA Server SP1 can be installed as a stand-alone server or as a member of an array in a Microsoft® Windows® 2000 Server or Windows Server 2003 domain. When you install ISA Server as a stand-alone server, the configuration information is saved to the local registry. When you install ISA Server as a member of an array in a Windows 2000 or Windows Server 2003 domain, the ISA Server schema is installed into Active Directory®. You need to install Active Directory on the ISA Server domain to use ISA Server arrays.

ISA Server can be installed as a stand-alone server in a Windows NT Server 4.0 domain. No special configuration is required. You can use arrays of ISA Server computers to connect and secure Windows NT 4.0 domain users and clients to the Internet. However, the array must be set up on a separate Windows 2000 or Windows Server 2003 domain. Then you can establish a trust relationship from the domain containing the ISA Server computer to the Windows NT 4.0 domain.

Using ISA Server with Other Network Services

You might have run the Routing and Remote Access service in Windows 2000 or Windows Server 2003 to make network services and computers available to remote clients. ISA Server enables remote connectivity and extends routing and remote access functionality by providing additional security features. ISA Server packet filtering replaces the packet filtering functionality in the Routing and Remote Access service. In addition, ISA Server uses the dial-up connections that you previously configured for routing and remote access. Similarly, you might have used Internet Connection Sharing (ICS) or network address translation (NAT) to access the Internet. ISA Server provides the connectivity enabled by NAT or ICS, while adding sophisticated security and caching features.

Caution: You cannot combine ICS or the NAT that is included with the Routing and Remote Access service for Windows Server 2003 with ISA Server, or you will lose firewall functionality. Also, IIS cannot run on the same computer as ISA Server without special configuration. For more information about configuring IIS for use with ISA Server, see the ISA Server link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources, and then search for the keyword socket pooling.

Designing for High Availability

Before deploying ISA Server, estimate your Internet connectivity requirements. Use the following sections as guidelines for planning the size and type of your servers, and whether to deploy them as an array. Figure 5.8 shows the process for designing for high availability.

Figure 5.8 Designing for High Availability

Performing Capacity Planning

The flowchart in Figure 5.9 outlines the capacity planning process for ISA Server.

Figure 5.9 ISA Server Capacity Planning Process

Use the following guidelines for capacity planning:

• Ensure that the minimum hardware requirements for deploying ISA Server are met.

• Decide whether to install ISA Server as a firewall. If yes, ensure that the minimum firewall requirements are met.

• Decide whether or not to install ISA Server as a Web cache server. If yes, ensure that the minimum hardware requirements are met.

The following list describes the minimum hardware requirements for installing ISA Server:

• A computer with a 300 megahertz (MHz) or higher Pentium II-compatible CPU.

• The computer must be running either a member of the Windows 2000 Server family, or a member of the Windows Server 2003 family. If you are installing ISA Server on a computer running Windows Server 2003, you must also install ISA Server SP1.

  Note: Using the latest service pack is always recommended.

• 256 megabytes (MB) of memory.

• 20 MB of available hard disk space.

• A network adapter to communicate with the internal network.

• One local hard disk partition that is formatted with the NTFS file system.

• To implement the array and enterprise-level policy configuration, you must also run Active Directory.

• If you are using ISA Server in firewall or integrated mode, two network adapters are required.

• If your ISA Server is also supporting other services, such as e-mail or Web services, additional resources might be required.

Use Table 5.3 to determine the type of computers to use and whether you require an array.

Table 5.3 Hardware Requirements for Different Network Loads

Hits per Second | Minimum Hardware Required | RAM
Less than 500 | One computer, Pentium II, 300 MHz processor | 256 MB
500 to 900 | One computer, Pentium III, 550 MHz processor | 256 MB
More than 900 | One computer, Pentium III, 550 MHz processor, for each 800 hits per second increment | 256 MB per server

Note: You can also use Performance Monitor to identify bottlenecks and determine whether to add more servers.

If multiple computers are required to handle the network load, consider setting up an array of ISA Server–based computers. Arrays allow Web cache routing across a group of ISA Server–based computers. For more information, see “Configuring ISA Server in an Array” later in this chapter.

Firewall Requirements

Table 5.4 lists hardware requirements and network connections based on expected throughput for firewall clients accessing content on the Internet.

Table 5.4 Hardware Requirements for Firewall

Throughput Requirements | Minimum Hardware Required | Internet Connection Type
36 Kilobits per second (Kbps) to 1 Megabits per second (Mbps) | One computer, Pentium II, 300 MHz processor | POTS modem, cable modem, or xDSL
384 Kbps to 1.5 Mbps | One computer, Pentium II, 300 MHz processor | T1
3 Mbps to 44 Mbps | One computer, Pentium III, 550 MHz processor | T3 or faster
More than 44 Mbps | One computer, Pentium III, 550 MHz, for each 50 MB/second required | OC3 or faster

Forward Caching Requirements

You can deploy ISA Server as a forward-caching server, which maintains a centralized cache of frequently requested Internet content. In this case, consider how many users might access the Internet. Table 5.5 lists the hardware requirements for using ISA Server in forward cache mode.

Table 5.5 Hardware Requirements for Forward Caching

Internet Users | Minimum Hardware Required | RAM | Disk Space for Caching
Up to 500 | One computer, Pentium II, 300 MHz processor | 256 MB | 2–4 Gigabytes (GB)
500 to 1,000 | One computer, two Pentium III, 550 MHz processors | 256 MB | 10 GB
More than 1,000 | Two computers, Pentium III, 550 MHz processors | 256 MB for each server | 10 GB for each server

If your user base exceeds 1,000 users, you can use hardware with faster processors and more memory, or you can add more ISA Server installations.

Reverse Caching Requirements

You can deploy ISA Server as a reverse-caching server to fulfill Web requests from the Internet to your network. For example, you might place an ISA Server computer between the Internet and an organization’s Web server that is hosting a commercial Web business or providing access to business partners. In that case, you need to consider how often external clients might request content from the publishing servers. Table 5.6 lists hardware requirements for ISA Server in reverse cache mode, based on the number of hits per second from Internet users.

Table 5.6 Hardware Requirements for Reverse Caching

Hits Per Second | Minimum Hardware Required
Fewer than 100 | One computer, Pentium II, 300 MHz processor
101 to 250 | One computer, Pentium III, 450 MHz processor
More than 250 | One computer, Pentium III, 550 MHz processor for each 250 hits per second. You can use Performance Monitor to determine bottlenecks, and then add more servers or more powerful hardware, as necessary.

Memory requirements depend on the size of the cacheable content that you are publishing, and the working set of the content. Ideally, all cacheable content should fit into the available memory. By default, the ISA Web Proxy service uses half of the available server memory for RAM caching. For example, if the Web site you are publishing has 250 MB of cacheable content, then your ISA Server computer should have at least twice this much available RAM before the Web Proxy service starts.

Adding Computers

In some cases, you need to decide whether to add an additional ISA Server–based computer or to improve the performance of the existing computer by adding an additional processor. Each option has different advantages. When you add a new computer and create an array of ISA Server–based computers, you set up a fault-tolerant system. If one computer fails, the other continues to function. On the other hand, adding a computer means that you have to purchase and manage additional hardware and any software that is installed on the computer.

Designing for Scalability

When designing for scalability, consider differences between Microsoft® Internet Security and Acceleration (ISA) Server Standard Edition and Microsoft® Internet Security and Acceleration (ISA) Server Enterprise Edition, such as:

• ISA Server Standard Edition supports only a single computer configuration, and therefore, cannot be used in an array.

• ISA Server Enterprise Edition can be configured either in a single computer configuration or in an array.

Configuring ISA Server in an Array

Computers running ISA Server Enterprise Edition can be grouped together in arrays. An array is a group of ISA Server–based computers used to perform Web cache routing. Arrays allow a group of ISA Server–based computers to be treated and managed as a single, logical entity. An array installation also provides increased performance and bandwidth savings. Grouping your ISA Server–based computers in an array allows your client requests to be distributed among multiple servers, thereby improving response time for clients.

All the servers in an array share a common configuration. This saves management time because the array is configured once and the configuration is applied to all the servers in the array. Furthermore, you can apply an enterprise policy to an array. This allows centralized management for all the arrays in the enterprise. A unique array policy can be applied to each array in the enterprise.

It is recommended that you consider installing ISA Server as an array even if there is only one server. The advantages to this include the ability to easily add an additional server to the array in the future and the ability to use the advanced array management features.

Note: All array members must be in the same domain and in the same site.

Table 5.7 compares ISA Server features as a stand-alone server and in an array configuration.

Table 5.7 Comparing Features of ISA Server as a Stand-Alone Server or as an Array

ISA Server Stand-Alone Server | ISA Server Array
Can be installed in a Windows NT 4.0 domain. | Requires Active Directory.
Cannot use array or enterprise policies. | Uses both enterprise- and array-level policies.
Installs from either ISA Server Standard or ISA Server Enterprise Edition. | Installs from ISA Server Enterprise Edition only.

ISA Server and DNS Round Robin

Firewall and Web proxy clients can achieve fault tolerance when two or more computers running ISA Server are used together with a Domain Name System (DNS) server. You can use DNS to assign the same name to all the ISA Server–based computers in a cluster. With this configuration, when a client requests an object from the ISA Server–based computer specifying the DNS name, the DNS server resolves the name to one of the computers running ISA Server in the array in a round robin fashion. This increases fault tolerance through redundancy and improves performance through the use of multiple computers answering client requests.

Note: For DNS round robin to work for an ISA array, the duplicated resource records must all use the array name.

Figure 5.10 shows the DNS server receiving a request from the clients and forwarding the request to the computers running ISA Server in a round-robin configuration.

Figure 5.10 DNS Round Robin

Securing the Design

ISA Server secures your connection to the Internet or to remote sites and extranets. Security decisions for implementing ISA Server are discussed in the following sections. Figure 5.11 shows the process for securing the design.

Figure 5.11 Securing the Design

Connecting Remote Sites Using ISA Server

Using ISA Server to connect remote offices includes the following benefits:

• The ability to connect remote offices together through the Internet using a virtual private network (VPN).

• Hierarchical caching can also be implemented across the wide area network (WAN) on ISA Server–based computers.

Securing Network Perimeters with ISA Server

A perimeter network, also known as a screened subnet, is a network that is set up separately from an organization’s private network and the Internet. The perimeter network allows external users access to the specific servers located in the perimeter network, while preventing access to the internal network. In addition, an organization might allow very limited access from computers in the perimeter networks to computers in the internal network. A perimeter network is commonly used for deploying the e-mail and Web servers. The perimeter network can be set up using either of the following configurations:

• Back-to-back perimeter network configuration with two ISA Server–based computers on either side of the perimeter network.

• Three-homed ISA Server–based computer with both the perimeter and internal network protected by the same computer.

Designing a Back-to-Back Perimeter Network

In a back-to-back perimeter network configuration, two ISA Server–based computers are located on either side of the perimeter network. Figure 5.12 shows a back-to-back perimeter network configuration.

Figure 5.12 Back-to-Back Perimeter Network

Both ISA Server–based computers are set up in integrated or firewall mode. This configuration reduces the risk of compromise by requiring anyone attempting to access the internal network from the Internet to access both systems to reach the internal network. Perform the following steps to make the servers on the perimeter network available to Internet clients:

1. Configure the local address table (LAT) on the ISA Server–based computer that is connected to the internal network to include the IP addresses of the computers in the internal network.

2. Configure the LAT on the ISA Server–based computer connected to the Internet to include the IP address of the ISA Server–based computer connected to the internal network, and the IP addresses of all the publishing servers in the perimeter network.

3. Create a Web publishing rule on the ISA Server–based computer connected to the Internet to publish the Web server.

4. Create a server publishing rule on the ISA Server–based computer connected to the Internet to publish the e-mail server. Configure the server publishing rule to apply to the e-mail server.

5. Create a Web publishing rule to publish the Web server, and configure the rule to redirect requests to the hosted site.

6. With this back-to-back perimeter network design, selected traffic can access the e-mail or Web server without accessing the internal network. This example publishes the e-mail and the Web servers without exposing the internal network to the Internet.

Designing a Three-Homed Perimeter Network

In a three-homed perimeter network, a single ISA Server–based computer is set up with three network adapters:

• The first network adapter connects to clients on the internal network.

• The second network adapter connects to the servers located in the perimeter network.

• The third network adapter connects to the Internet.

Figure 5.13 illustrates the three-homed perimeter network configuration.

Figure 5.13 Three-Homed Perimeter Network

Perform the following configuration steps for the three-homed ISA Server perimeter network:

• Configure the LAT to include all of the addresses on the internal network. The LAT should not include the addresses on the perimeter network.

• Enable packet filtering and IP routing.

• Create IP packet filters for each of the servers in the perimeter network. For each IP packet filter, the local computer should be specified as the IP address of the server on the perimeter network.

Using ISA Server in Extranets

An extranet is a private network that is configured for use outside your internal network. The extranet is installed to support selected partners who require access to your network. ISA Server supports the installation of extranets through the built-in capability of VPNs. Figure 5.14 shows ISA Server within an extranet design.

Figure 5.14 ISA Server in Extranets

Implementing Your ISA Server Solution

After determining the roles you want for ISA Server and completing your ISA Server design, you will implement your ISA Server solution. Figure 5.15 shows when to implement your ISA Server solution.

Figure 5.15 Implementing Your ISA Server Solution

Figure 5.16 shows the process for implementing the ISA Server solution in your network.

Figure 5.16 Details of Implementing Your ISA Server Solution

Use the following steps to deploy ISA Server in your network:

1. Ensure that you are running either Windows 2000 Server or the Windows Server 2003 family. If necessary, upgrade the operating system before continuing with the deployment.

2. Ensure that the latest service pack is installed. If necessary, install the service pack before proceeding with the deployment.

3. Ensure that the network adapters are installed and working correctly; make sure you have a valid connection to the Internet.

   • You can choose to connect your network to the Internet through either a persistent connection (T1, T3, xDSL, or cable modem) or a dial-up connection. If you choose a direct connection, you need to set up a network adapter that connects the ISA Server–based computer to the Internet.

   • When you set TCP/IP properties for the external network adapter, consult with your ISP for the correct settings. Specifically, you need the IP address, subnet mask, default gateway, and IP addresses for the DNS servers to use in DNS name searches. In some cases, your ISP might be using Dynamic Host Configuration Protocol (DHCP) or bootstrap protocol (BOOTP) for dynamic assignment of client addresses.

   • Typically, ISA Server has only one IP default gateway. You should configure the IP address of the default gateway on the external — not internal — network adapter. Leave the Default Gateway setting for the internal network adapter blank.

   • When setting TCP/IP properties for any internal network adapter, you should enter a permanently reserved IP address for the ISA Server–based computer and an appropriate subnet mask for your internal network. Addressing that is assigned by DHCP should not be used for the internal network adapter, because DHCP might reset the default gateway you selected for the ISA Server–based computer. The external network adapter can be DHCP-enabled, including the default gateway and DNS settings, or these settings can be statically defined.

4. If you are installing ISA Server Enterprise Edition, initialize the enterprise first. You can run the Enterprise Initialization Tool from ISA Server Setup.

• If this is the first time you are installing ISA Server as an array member, run the ISA Server Enterprise Initialization Tool.

• If you are installing a stand-alone server, or if you have previously installed ISA Server in your enterprise as an array member, you do not need to run the Enterprise Initialization Tool; select Install ISA Server instead.


Important Enterprise initialization extends the Active Directory schema with the ISA Server schema. To do this, you must be a member of both the Enterprise Admins and Schema Admins groups. Schema extensions apply to the entire forest and cannot be undone, so test the enterprise initialization in a lab forest before running it in production.

5. Install ISA Server. Setup asks for the following information:

• Installation options. You can select a Typical installation, Full installation, or Custom installation.

• Array selection. If you previously initialized the enterprise, you can select which array to join. If you did not initialize the enterprise, ISA Server is installed as a stand-alone server.

• Mode. You can install ISA Server in firewall mode, integrated mode, or cache mode.

• Cache configuration. If you install ISA Server in integrated or cache mode, you need to configure which cache drives to use and the size of the cache.

• LAT configuration. If you install ISA Server in integrated or firewall mode, you need to configure the address ranges to include in the local address table (LAT).

6. Before building your LAT, ensure that you enter all internal subnets correctly.

• The LAT is constructed automatically from the Windows routing table. If the computer is connected to a routed internal network and you are unsure of the routing topology of your network or how to add static routes, you can manually construct the LAT to contain the range(s) of IP addresses that your internal clients use.

• Because the internal adapter has no default gateway, you need to add static routes for the subnets of your internal network that lie behind internal routers to achieve full connectivity. You can do this with the route command from the command prompt; use the -p switch so that the routes persist across restarts.

• A correctly configured LAT lets ISA Server determine which addresses are internal, and therefore which network adapter to use to reach different portions of your internal network. If the LAT is not configured correctly, a client request for an internal IP address might be routed to the Internet or redirected through the Firewall service. The LAT should contain only internal addresses: ISA Server treats every address in the LAT as part of the internal network, so an external range included by mistake is trusted as if it were internal.

7. After installation, ISA Server blocks all communication between your internal network and the Internet. No communication can occur until you configure an access policy whose protocol rules, site and content rules specifically allow the access. Similarly, you must configure publishing rules if you want to allow Internet clients to reach computers on your internal network.


If you installed ISA Server as an array member, an enterprise policy might be applied to the array. In that case, ISA Server might already allow some communication if the enterprise policy is configured to permit it, so review the effective enterprise policy rather than assuming the default-deny state.

8. Install the latest service pack for ISA Server.
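The LAT and default-gateway checks in steps 3 and 6 can be scripted against the output of route print. The following is an added example for this chapter, not code from the Deployment Kit or from ISA Server: it parses the Active Routes table, expands a LAT written as from-to address pairs (the form ISA Management shows), and reports a default gateway on the wrong adapter, an internal subnet missing from the LAT, and an external subnet wrongly included in the LAT. The route output, the LAT, and the adapter addresses are constructed sample data, and the address of the external adapter is passed in because the routing table alone cannot tell which adapter faces the Internet.

```python
"""Check an ISA Server LAT against the Windows routing table.

Added example for this chapter, not code from the Deployment Kit or from
ISA Server. It parses the Active Routes table of `route print` and a LAT
given as from-to address pairs, and reports the mistakes the chapter warns
about. All sample data below is constructed.
"""
import ipaddress
import re

# Constructed `route print` output for a two-adapter ISA Server computer:
# external adapter 203.0.113.10 carries the default gateway; internal adapter
# 10.1.0.1 reaches two more subnets through an internal router at 10.1.0.254.
SAMPLE_ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      203.0.113.1    203.0.113.10     20
         10.1.0.0      255.255.0.0         10.1.0.1        10.1.0.1     20
         10.2.0.0      255.255.0.0       10.1.0.254        10.1.0.1      1
         10.3.0.0      255.255.0.0       10.1.0.254        10.1.0.1      1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1      1
      203.0.113.0    255.255.255.0     203.0.113.10    203.0.113.10     20
     203.0.113.10  255.255.255.255        127.0.0.1       127.0.0.1     20
        224.0.0.0        240.0.0.0         10.1.0.1        10.1.0.1     20
Default Gateway:       203.0.113.1
"""

# Constructed LAT with two deliberate mistakes: 10.3.0.0/16 is missing, and
# the external adapter's own subnet has been entered as if it were internal.
SAMPLE_LAT = [
    ("10.1.0.0", "10.1.255.255"),
    ("10.2.0.0", "10.2.255.255"),
    ("203.0.113.0", "203.0.113.255"),
]

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
ROUTE_RE = re.compile(rf"^\s*{IPV4}\s+{IPV4}\s+{IPV4}\s+{IPV4}\s+(\d+)\s*$")


def parse_routes(text):
    """Return (network, gateway, interface) tuples; non-route lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            dest, mask, gateway, iface, _metric = m.groups()
            routes.append((ipaddress.ip_network(f"{dest}/{mask}", strict=False),
                           ipaddress.ip_address(gateway), ipaddress.ip_address(iface)))
    return routes


def lat_networks(lat):
    """Expand from-to LAT entries into the CIDR networks they cover."""
    nets = []
    for start, end in lat:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(start), ipaddress.ip_address(end)))
    return nets


def check_lat(route_text, lat, external_ip):
    """Return a list of problems; an empty list means the LAT agrees with the routes."""
    external_ip = ipaddress.ip_address(external_ip)  # Internet-facing adapter (input)
    routes = parse_routes(route_text)
    nets = lat_networks(lat)
    problems = []

    # 1. Exactly one default route, and it must leave via the external adapter.
    defaults = [r for r in routes if r[0].prefixlen == 0]
    if len(defaults) != 1:
        problems.append(f"expected exactly one default route, found {len(defaults)}")
    for _net, gateway, iface in defaults:
        if iface != external_ip:
            problems.append(f"default gateway {gateway} is on adapter {iface}, "
                            "not the external adapter")

    for net, _gateway, iface in routes:
        # Default, host, multicast and loopback routes describe no client subnet.
        if net.prefixlen in (0, 32) or net.is_multicast or iface.is_loopback:
            continue
        if iface == external_ip:
            # 2. Subnets reached through the external adapter must stay out of
            #    the LAT, because ISA Server treats every LAT address as internal.
            problems.extend(f"LAT range {lat_net} overlaps external subnet {net}"
                            for lat_net in nets if lat_net.overlaps(net))
        elif not any(net.subnet_of(lat_net) for lat_net in nets):
            # 3. Every subnet behind the internal adapter must be in the LAT, or
            #    requests for it may be sent to the Internet instead.
            problems.append(f"internal subnet {net} (via {iface}) is not in the LAT")
    return problems


if __name__ == "__main__":
    for problem in check_lat(SAMPLE_ROUTE_PRINT, SAMPLE_LAT, "203.0.113.10"):
        print("LAT problem:", problem)
```

On a real ISA Server computer, feed the script the saved output of route print and the LAT as exported from ISA Management; run it again after every route -p add, because a subnet added to the routing table without a matching LAT entry is exactly the case the chapter describes as being routed to the Internet.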


Additional Resources

These resources contain additional information and tools related to this chapter.

Related Information

• “Deploying Dial-Up and VPN Remote Access Servers” in this book for more information about creating a virtual private network (VPN).

• The Migrating from Proxy Server 2.0 link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources for more information about migrating from Proxy Server 2.0 to ISA Server.

• The Internet Engineering Task Force link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources for more information about RFC documents and Internet Engineering Task Force (IETF) Internet-Drafts.

• The ISA Server link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources for more information about extending ISA Server.

• The Hardware Compatibility List (HCL) link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources for more information about hardware compatibility.
