Chapter 5
Deploying ISA Server
Microsoft® Internet Security and Acceleration (ISA) Server is an integrated firewall and Internet caching
server. Deploying ISA Server saves network bandwidth by providing faster Web access for users. ISA Server
secures your network, allowing you to implement your business security policy by configuring a broad set of
rules that specify which sites, protocols, and content can be passed through the firewall.
In This Chapter
Overview of ISA Server (page 216)
Determining the Role of ISA Server (page 218)
Evaluating Interoperability Issues (page 224)
Designing for High Availability (page 227)
Securing the Design (page 234)
Implementing Your ISA Server Solution (page 239)
Additional Resources (page 243)
Related Information
For more information about creating a virtual private network (VPN), see “Deploying
Dial-Up and VPN Remote Access Servers” in this book.
216 Chapter 5 Deploying ISA Server
Important
ISA Server (the successor to Proxy Server 2.0) is a separate product from the Microsoft® Windows® Server 2003 operating system. You must install ISA Server Service Pack 1 (SP1) immediately after installing ISA Server for it to be interoperable with Windows Server 2003.
All inbound traffic requiring access to the Web or e-mail servers must pass through the firewall first.
Likewise, ISA Server can also limit Internet access to specified clients. In this example, ISA Server is acting
as a dedicated firewall controlling access to the internal network.
You can only install the Firewall Client software on computers running Microsoft® Windows® 95 Service
Release 2, Windows NT 4.0, Windows® 98, Windows® Millennium Edition, Windows® 2000 Professional,
Windows XP Professional, Windows® XP 64-Bit Edition, or the Windows Server 2003 family.
Before you deploy or configure client software, assess your organizational needs, determine which applications and services your internal clients require, and assess how you plan to publish servers. Finally, map these needs to the client types supported by ISA Server.
Use Table 5.2 to determine which clients to deploy on your network.
Table 5.2 Determining Which Clients to Deploy

Goal: Improve the performance of Web requests for internal clients; combine user-level and content controls for Web access.
  Client: Web Proxy
  Reason: Web Proxy clients do not require any software to be installed, but they do require specific configuration.

Goal: Avoid deploying client software or configuring client computers.
  Client: SecureNAT
  Reason: SecureNAT clients do not require any software or specific configuration.

Goal: Improve Web performance in an environment with non-Microsoft operating systems.
  Client: SecureNAT
  Reason: SecureNAT client requests pass transparently to the ISA Server firewall service and then to the caching service.

Goal: Publish servers that are located on your internal network.
  Client: SecureNAT
  Reason: You can publish internal servers as SecureNAT clients, which eliminates the need for creating special configuration settings on the publishing server.

Goal: Allow Internet access only for authenticated users.
  Client: Firewall or Web Proxy
  Reason: You can configure user-based access policy rules for firewall clients. There is also an option to require authentication with Web Proxy clients.
Caution
You cannot combine ICS or the NAT that is included with the Routing
and Remote Access service for Windows Server 2003 with ISA Server or
else you will lose firewall functionality. Also, IIS cannot run on the same
computer as ISA Server without special configuration. For more
information about configuring IIS for use with ISA Server, see the
ISA Server link on the Web Resources page at
http://www.microsoft.com/windows/reskits/webresources, and then
search for the keyword socket pooling.
Note
Using the latest service pack is always recommended.
Note
You can also use Performance Monitor to identify bottlenecks and determine whether to add more servers.
The following list describes the minimum hardware requirements for installing ISA Server:
- A computer with a 300 megahertz (MHz) or higher Pentium II-compatible CPU.
- The computer must be running either a member of the Windows 2000 Server family or a member of the Windows Server 2003 family. If you are installing ISA Server on a computer running Windows Server 2003, you must also install ISA Server SP1.
- 256 megabytes (MB) of memory.
- 20 MB of available hard disk space.
- A network adapter to communicate with the internal network.
- One local hard disk partition that is formatted with the NTFS file system.
- To implement the array and enterprise-level policy configuration, you must also run Active Directory.
- If you are using ISA Server in firewall or integrated mode, two network adapters are required.
- If your ISA Server is also supporting other services, such as e-mail or Web services, additional resources might be required.
Use Table 5.3 to determine the type of computers to use and whether you require an array.
Table 5.3 Hardware Requirements for Different Network Loads

Less than 500 hits per second: one computer, Pentium II, 300 MHz processor; 256 MB RAM.
500 to 900 hits per second: one computer, Pentium III, 550 MHz processor; 256 MB RAM.
More than 900 hits per second: one computer, Pentium III, 550 MHz processor, for each 800 hits per second increment; 256 MB RAM per server.
If multiple computers are required to handle the network load, consider setting up an array of
ISA Server–based computers. Arrays allow Web cache routing across a group of ISA Server–based
computers. For more information, see “Configuring ISA Server in an Array” later in this chapter.
Firewall Requirements
Table 5.4 lists hardware requirements and network connections based on expected throughput for firewall clients accessing content on the Internet.
Table 5.4 Hardware Requirements for Firewall

Throughput requirements; minimum hardware required; Internet connection type:
36 Kilobits per second (Kbps) to 1 Megabits per second (Mbps): one computer, Pentium II, 300 MHz processor; POTS modem, cable modem, or xDSL.
384 Kbps to 1.5 Mbps: one computer, Pentium II, 300 MHz processor; T1.
3 Mbps to 44 Mbps: one computer, Pentium III, 550 MHz processor; T3 or faster.
More than 44 Mbps: one computer, Pentium III, 550 MHz, for each 50 MB/second required; OC3 or faster.
If your user base exceeds 1,000 users, you can use hardware with faster processors and more memory, or you can add more ISA Server installations.
Memory requirements depend on the size of the cacheable content that you are publishing, and the working
set of the content. Ideally, all cacheable content should fit into the available memory. By default, the ISA
Web Proxy service uses half of the available server memory for RAM caching. For example, if the Web site
you are publishing has 250 MB of cacheable content, then your ISA server computer should have at least
twice this much available RAM before the Web Proxy service starts.
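The sizing rules in Table 5.3 and the cache-memory guidance above, combined into a small planner. This is an added example, not code from the chapter; it assumes the "more than 900 hits per second" row means one Pentium III server per started 800 hits per second increment, and that RAM per server is the larger of the table's 256 MB and twice the cacheable content.

```python
import math

# Sizing rules transcribed from Table 5.3 (hits per second -> minimum hardware)
# and from the chapter's cache guidance (the Web Proxy service uses half of
# server memory as RAM cache, so RAM must be at least twice the cacheable
# content). Assumption: the ">900 hits/s" row means one Pentium III server per
# started 800 hits/s increment.

RAM_PER_SERVER_MB = 256          # Table 5.3, every row
CACHE_FRACTION_OF_RAM = 0.5      # half of available memory is used for RAM caching


def servers_for_load(hits_per_second):
    """Return (number of computers, processor) per Table 5.3."""
    if hits_per_second < 0:
        raise ValueError("hits per second must be non-negative")
    if hits_per_second < 500:
        return 1, "Pentium II, 300 MHz"
    if hits_per_second <= 900:
        return 1, "Pentium III, 550 MHz"
    return math.ceil(hits_per_second / 800), "Pentium III, 550 MHz"


def min_ram_for_cache_mb(cacheable_content_mb):
    """RAM per server so that the RAM cache can hold all cacheable content."""
    return math.ceil(cacheable_content_mb / CACHE_FRACTION_OF_RAM)


def plan(hits_per_second, cacheable_content_mb=0):
    """Combine both rules into a deployment plan for one site."""
    servers, cpu = servers_for_load(hits_per_second)
    ram = max(RAM_PER_SERVER_MB, min_ram_for_cache_mb(cacheable_content_mb))
    return {
        "servers": servers,
        "cpu": cpu,
        "ram_mb_per_server": ram,
        # the chapter recommends an array when more than one computer is needed
        "array": servers > 1,
    }


if __name__ == "__main__":
    # constructed input: 2000 hits/s against 250 MB of cacheable content
    print(plan(2000, cacheable_content_mb=250))
```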
Adding Computers
In some cases, you need to decide whether to add an additional ISA Server–based computer or to improve
the performance of the existing computer by adding an additional processor. Each option has different
advantages.
When you add a new computer and create an array of ISA Server–based computers, you set up a fault-
tolerant system. If one computer fails, the other continues to function. On the other hand, adding a computer
means that you have to purchase and manage additional hardware and any software that is installed on the
computer.
Note
All array members must be in the same domain and in the same site.
Note
For DNS round robin to work for an ISA array, the duplicated resource
records must all use the array name.
Both ISA Server–based computers are set up in integrated or firewall mode. This configuration reduces the risk of compromise: anyone attempting to reach the internal network from the Internet must get through both systems.
Perform the following steps to make the servers on the perimeter network available to Internet clients:
1. Configure the local address table (LAT) on the ISA Server–based computer that is connected to the internal network to include the IP addresses of the computers in the internal network.
2. Configure the LAT on the ISA Server–based computer connected to the Internet to include the IP address of the ISA Server–based computer connected to the internal network, and the IP addresses of all the publishing servers in the perimeter network.
3. Create a Web publishing rule on the ISA Server–based computer connected to the Internet to publish the Web server.
4. Create a server publishing rule on the ISA Server–based computer connected to the Internet to publish the e-mail server. Configure the server publishing rule to apply to the e-mail server.
5. Create a Web publishing rule to publish the Web server, and configure the rule to redirect requests to the hosted site.
With this back-to-back perimeter network design, selected traffic can access the e-mail or Web server without accessing the internal network. This example publishes the e-mail and the Web servers without exposing the internal network to the Internet.
Perform the following configuration steps for the three-homed ISA Server perimeter network:
- Configure the LAT to include all of the addresses on the internal network. The LAT should not include the addresses on the perimeter network.
- Enable packet filtering and IP routing.
- Create IP packet filters for each of the servers in the perimeter network. For each IP packet filter, the local computer should be specified as the IP address of the server on the perimeter network.
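A checker for the LAT rules of both perimeter designs above (back-to-back and three-homed). This is an added example, not code from the chapter. It assumes LAT entries are written as "start_ip end_ip" range lines (the locallat.txt-style layout) with ";" starting a comment; the sample addresses are constructed. The outer server check also flags internal hosts that appear in the Internet-facing LAT, since the design's point is that the internal network is not exposed.

```python
import ipaddress


def parse_lat(text):
    """Parse 'start_ip end_ip' range lines into a list of ip_network objects.
    Assumed format: one range per line, ';' begins a comment."""
    nets = []
    for line in text.splitlines():
        line = line.split(";")[0].strip()
        if not line:
            continue
        start, end = line.split()
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(start), ipaddress.ip_address(end)))
    return nets


def in_lat(nets, host):
    addr = ipaddress.ip_address(host)
    return any(addr in n for n in nets)


def check_three_homed(lat_text, internal_hosts, perimeter_hosts):
    """Three-homed design: LAT covers every internal host and no perimeter host."""
    nets = parse_lat(lat_text)
    findings = [f"internal host {h} missing from LAT" for h in internal_hosts if not in_lat(nets, h)]
    findings += [f"perimeter host {h} wrongly in LAT" for h in perimeter_hosts if in_lat(nets, h)]
    return findings


def check_back_to_back(inner_lat_text, outer_lat_text, internal_hosts, inner_isa_ip, perimeter_hosts):
    """Back-to-back design: inner LAT covers the internal network; outer LAT covers
    the inner ISA server and the publishing servers and must not treat internal
    hosts as local (that would expose them to the Internet-facing server)."""
    inner, outer = parse_lat(inner_lat_text), parse_lat(outer_lat_text)
    findings = [f"inner LAT missing internal host {h}" for h in internal_hosts if not in_lat(inner, h)]
    findings += [f"outer LAT missing {h}" for h in [inner_isa_ip, *perimeter_hosts] if not in_lat(outer, h)]
    findings += [f"outer LAT exposes internal host {h}" for h in internal_hosts if in_lat(outer, h)]
    return findings


# Constructed sample: internal network 10.0.0.0/8, perimeter network 172.16.1.0/24.
INNER_LAT = "10.0.0.0 10.255.255.255\n"
OUTER_LAT = ("172.16.1.1 172.16.1.1 ; external adapter of the inner ISA server\n"
             "172.16.1.10 172.16.1.20 ; publishing servers\n")
BAD_THREE_HOMED_LAT = "10.0.0.0 10.255.255.255\n172.16.1.0 172.16.1.255\n"
```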
Figure 5.16 shows the process for implementing the ISA Server solution in your network.
Figure 5.16 Details of Implementing Your ISA Server Solution
3. Ensure that the network adapters are installed and working correctly; make sure you
have a valid connection to the Internet.
You can choose to connect your network to the Internet through either a
persistent connection (T1, T3, xDSL, or cable modem) or a dial-up connection. If
you choose a direct connection, you need to set up a network adapter that
connects the ISA Server–based computer to the Internet.
When you set TCP/IP properties for the external network adapter, consult with
your ISP for the correct settings. Specifically, you need the IP address, subnet
mask, default gateway, and IP addresses for the DNS servers to use in DNS
name searches. In some cases, your ISP might be using Dynamic Host
Configuration Protocol (DHCP) or bootstrap protocol (BOOTP) for dynamic
assignment of client addresses.
Typically, ISA Server has only one IP default gateway. You should configure the
IP address of the default gateway on the external — not internal — network
adapter. Leave the Default Gateway setting for the internal network adapter
blank.
When setting TCP/IP properties for any internal network adapter, you should
enter a permanently reserved IP address for the ISA Server–based computer and
an appropriate subnet mask for your internal network. Addressing that is
assigned by DHCP should not be used for the internal network adapter, because
DHCP might reset the default gateway you selected for the ISA Server–based
computer. The external network adapter can be DHCP-enabled, including the
default gateway and DNS settings, or these settings can be statically defined.
4. If you are installing ISA Server Enterprise Edition, you need to initialize the enterprise. You can run the Enterprise Initialization Tool in ISA Server startup.
If this is the first time you are installing ISA Server as an array member, you should run the ISA Server Enterprise Initialization Tool.
If you are installing a stand-alone server, or if you have previously installed ISA Server in your enterprise as an array member, you do not need to run the Enterprise Initialization Tool, and you can select Install ISA Server.
Important
In order to install the ISA Server schema to Active Directory, you must be
a member of both the Enterprise Administrators and Schema
Administrators groups.
If you installed ISA Server as an array member, then an enterprise policy might be applied to
the array. In this case, ISA Server might allow communication if the enterprise policy is
configured appropriately.
8. Install the latest service pack for ISA Server.
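A check for the adapter rules given in step 3 of the procedure above (reserved static address and no default gateway on the internal adapter; the single default gateway on the external adapter), run over the output of "ipconfig /all". This is an added example, not code from the chapter; the sample output is constructed, and the adapter names "Internal" and "External" are assumptions.

```python
import re

# "Ethernet adapter Internal:" style section headers and the dotted field lines
# ("DHCP Enabled. . . . . : No") printed by ipconfig /all on Windows Server 2003.
ADAPTER_RE = re.compile(r"^\S.*adapter (.+):\s*$")
FIELD_RE = re.compile(r"^\s+(.+?)[ .]*:\s*(.*)$")


def parse_ipconfig(text):
    """Parse 'ipconfig /all' output into {adapter_name: {field: value}}.
    Only the first line of a multi-line field (e.g. DNS Servers) is kept."""
    adapters, current = {}, None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = adapters.setdefault(m.group(1), {})
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current.setdefault(m.group(1), m.group(2).strip())
    return adapters


def check_isa_adapters(adapters, external):
    """Apply the chapter's rules: every internal adapter uses a static address and
    leaves Default Gateway blank; the only default gateway is on the external adapter."""
    if external not in adapters:
        return [f"external adapter '{external}' not found"]
    findings = []
    gateways = {name: a.get("Default Gateway", "") for name, a in adapters.items()}
    if not gateways[external]:
        findings.append(f"{external}: external adapter has no default gateway")
    for name, a in adapters.items():
        if name == external:
            continue
        if a.get("DHCP Enabled", "").lower() != "no":
            findings.append(f"{name}: internal adapter must use a reserved static address, not DHCP")
        if gateways[name]:
            findings.append(f"{name}: internal adapter must leave Default Gateway blank")
    if sum(1 for g in gateways.values() if g) > 1:
        findings.append("more than one default gateway configured")
    return findings


# Constructed sample in the ipconfig /all layout: a correctly configured server.
SAMPLE = """Windows IP Configuration

   Host Name . . . . . . . . . . . . : isa1

Ethernet adapter Internal:

   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.0.0.1
   Subnet Mask . . . . . . . . . . . : 255.0.0.0
   Default Gateway . . . . . . . . . :

Ethernet adapter External:

   DHCP Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 203.0.113.5
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 203.0.113.1
   DNS Servers . . . . . . . . . . . : 203.0.113.53
"""
```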
Additional Resources
These resources contain additional information and tools related to this chapter.
Related Information
- “Deploying Dial-Up and VPN Remote Access Servers” in this book for more information about creating a virtual private network (VPN).
- The Migrating from Proxy Server 2.0 link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources for more information about migrating from Proxy Server 2.0 to ISA Server.
- The Internet Engineering Task Force link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources for more information about RFC documents and Internet Engineering Task Force (IETF) Internet-Drafts.
- The ISA Server link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources for more information about extending ISA Server.
- The Hardware Compatibility List (HCL) link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources for more information about hardware compatibility.