Planning the Appropriate Installation Mode


There are three types, or modes, of ISA Server installation. You must select one of the three modes when you install ISA. The selections are:

  • Firewall mode

  • Cache mode

  • Integrated mode

The type of installation you choose determines which feature set will be available to you. Table 22.4 lists the features available in firewall and cache modes. Integrated mode allows you to take advantage of both firewall and cache mode features.

Table 22.4: Comparing Firewall and Cache Mode Features

  ISA Server Feature                Firewall Mode    Cache Mode
  Secure NAT client support         Yes              Yes
  Web proxy client support          Yes              Yes
  Reports                           Yes              Yes
  Alerts                            Yes              Yes
  Real-time service monitoring      Yes              Yes
  Web site filtering                Yes              Yes
  Web server publishing             Yes              Yes
  Enterprise policy                 Yes              Yes
  Access policy: HTTP               Yes              Yes
  Access policy: all protocols      Yes              No
  Non-Web server publishing         Yes              No
  Packet filtering                  Yes              No
  Application filters               Yes              No
  Web caching                       No               Yes

When we take a closer look at this table, it is relatively easy to digest. Let's look at a few factors you'll want to consider in deciding which mode to deploy.

Installing in Firewall Mode

Firewall mode ISA servers support virtually all ISA Server features, with the exception of the Web cache. The Web-caching feature is very memory and processor intensive; therefore, it makes sense to exclude this feature from a server for which the primary purpose is to act as a firewall. A firewall should not run extra services in order to minimize the risk of exposure.

In addition, you want to be able to harness all the available system resources in order to process packet-filtering rules, protocol rules, and site and content rules as quickly as possible on your firewall.

Installing in Cache Mode

When you install the server in cache mode, you intend that server to work as a Web proxy server only. The Web Proxy Service supports the HTTP, HTTPS, FTP, and Gopher protocols. If you want to support only these protocols and take advantage of the Web-caching features, but you don't want to implement a full-fledged, policy-based firewall, cache mode is a good option.

Another reason why you might want to implement a caching-only server is that you already have a firewall in place. Many organizations already have powerful firewall solutions such as Cisco PIX, Checkpoint Software's Firewall-1, and many others. You might even want to consider this scenario when you are using a second ISA server for a firewall on the edge of your network. In this way, you can take advantage of the powerful Web-caching features included with ISA Server and have the protection of a sophisticated firewall.

Note

You should consider cache mode a minimalist configuration. In fact, if all you want is a Web-caching server, we strongly recommend that for security reasons you do not place this server at the edge of your network. The cache mode configuration is secure to the extent that it allows you to use private IP addresses on your internal network, but it does not provide the packet filtering, application filters, and all-protocol access policy that a server located on the edge of the network requires.

A cache mode server is best placed on the internal network, in which case you can use a single interface or multiple interfaces. Be sure that you implement some type of firewall solution at the edge of your network to protect your internal computers from Internet intruders.

Installing in Integrated Mode

The integrated mode ISA Server allows you to take advantage of all the features ISA Server has to offer. However, this configuration is probably best left to organizations that are testing ISA features or are cost constrained and cannot bear the expense of purchasing separate caching servers and firewalls.

The reason why you would prefer not to have both the Web-caching services and the firewall services running on the same computer relates back to our discussion of bastion hosts. The more services running on a single computer, the more avenues of attack are open to intruders. Although ISA Server was tested thoroughly prior to its release, you must remain aware that all security software has potential holes that can be exploited. An attacker cannot exploit a hole in the Web Proxy Service on your mission-critical firewall if that service is not running there.

One exception to this general rule is when the ISA server is placed between a departmental LAN and the corporate backbone. In this case, you might want to avail yourself of some of the firewall features while also taking advantage of the Web-caching features. This is a reasonable configuration because the corporate backbone is less vulnerable to the type of attacks seen on the open Internet.

Table 22.5 shows some common placement scenarios for each configuration.

Table 22.5: Recommended Roles for ISA Server Modes

  ISA Server Mode    Location

  Firewall           1. Edge of the network
                     2. Server that interfaces with internal and DMZ networks

  Cache              1. Single-homed or multihomed, with all interfaces connected to the internal network
                     2. Interfaces on the internal network and a DMZ network; DMZ is protected by a firewall

  Integrated         1. Test network
                     2. Interface with corporate backbone

Prior to implementing your solution, be sure that all members of the network security team are aware of the implications of the various ISA Server modes. This is important when you are comparing the exposure and protection that each mode provides for the network.

Planning for a Stand-Alone or an Array Configuration

ISA Server Enterprise Edition can be installed as either an array member or as a stand-alone server. There are many advantages to installing the server as an array member. These advantages include:

  • The ability to implement enterprise-wide array policies via Active Directory

  • The ability to easily implement a common configuration for multiple ISA Server computers

  • The option to expand the scope of a single ISA server to multiple servers with a common configuration

  • Fault tolerance

You must first prepare Active Directory prior to installing an ISA server as an array member. The procedure for preparing Active Directory, called enterprise initialization, is accomplished via the Installation Wizard included on the ISA Server CD. If you like, you can manually run the ISA Enterprise initialization and install ISA Server at a later time. If you choose to install ISA Server in an array configuration, the Setup program will check to see if the schema has been properly modified before it allows you to continue.

Once the array member is installed, a single enterprise array policy can be implemented on any array in your organization. All array members are able to access configuration information, because array configuration settings are stored in Active Directory. This is a nice fault-tolerance method for your configuration because Active Directory is replicated throughout your Active Directory domain controller network.

Note

You might want to implement an enterprise security policy before installing a single member of an array. You can do this by creating the array first in the ISA Management console. After the array is created, you can configure your enterprise policies. Once the policies are completed, you can begin to install ISA servers and join them to the array.

Even if you plan to implement just a single ISA server, you should consider the possibility that you will want to expand your configuration in the future. If you choose the stand-alone ISA Server configuration and later decide to deploy an array of ISA servers, you will need to run the enterprise initialization. Then you can promote the stand-alone server to array member.

Note

If you have the Standard Edition of ISA Server, you won't have the choice to deploy an array. The Standard Edition is a viable solution for small companies with relatively simple requirements, but it is not designed to scale to the needs of complex enterprise networks.

Planning ISA Client Configuration

A critical aspect of your ISA Server design is the ISA Server client base you expect to support. Proxy Server 2.0 supported what were known as the Web proxy client, WinSock proxy client, and SOCKS proxy client. The SOCKS service is no longer required, and the Winsock proxy client has changed its name.

The client types supported by ISA Server are:

  • The Firewall Service client

  • The Web proxy client

  • The secure NAT client

Each client type offers its own advantages and disadvantages. Let's examine the features and capabilities of each client type and assess how they fit into an overall ISA design scheme.

The Firewall Service Client

Network computers configured as Firewall Service clients are able to access all Winsock protocols. When an application on a firewall client sends a request to a host on a network ID not contained in the Local Address Table (LAT), typically a host on the Internet, the firewall client software intercepts the request and forwards it to the Firewall Service on the ISA server.

The primary advantage of configuring a machine as a Firewall Service client is that you can control access to protocols, sites, and content on a per-user or per-group basis. This gives you more granular control over your access policies than the secure NAT or Web proxy client allows. With the secure NAT client, you cannot control access to specific protocols per user or group, only by IP address, in a manner similar to the SOCKS service in Proxy Server 2.0. The Web Proxy Service can be configured to require authentication, but you cannot limit access to the protocols it mediates on a per-user or per-group basis.

Another significant advantage of the firewall client software is that it supports just about any application protocol it encounters. Some applications require that multiple connections be established between the client and the destination server. The firewall client handles these protocols natively. A secure NAT client can use them only if an application filter on the ISA server understands the protocol and opens the secondary connections on its behalf, because all secure NAT traffic is processed by the Firewall Service without any help from client-side software.

The disadvantage of configuring a host as a firewall client is that you must install the firewall client software. Not all operating systems support this software. The only operating systems that do support it are:

  • Windows 95 OSR2

  • Windows 98

  • Windows ME

  • Windows NT 4.0

  • Windows 2000

  • Windows XP

  • Windows Server 2003

This represents a departure from the support offered by the firewall client's "older brother," the Winsock proxy client. The Winsock proxy client software included with Proxy Server 2.0 supported Windows 3.x machines using a 16-bit client software installation. The firewall client software does not include a 16-bit client. Keep this in mind if you have the ill fortune of needing to support Windows 3.x machines.

Firewall Client Support for Windows 3.x Machines

If you must support Win 3.x machines, one workaround is to use the Winsock proxy client provided with Proxy Server 2.0. Of course, you must have a copy of Proxy Server 2.0 to implement this solution. The reason why you can do this is that the firewall client and the Winsock client are interchangeable in terms of their functionality.

For this reason, you do not need to install the firewall client on your machines that already have the Winsock proxy client installed. You can also use the firewall client software to connect to the Winsock proxy service on a Proxy Server 2.0 server. The Firewall Service client on ISA Server is more sophisticated than the Winsock proxy service in Proxy Server 2.0, but the client side essentially works the same way.

Firewall Client Does Not Support IPX/SPX

Another feature that was supported by the old Winsock proxy client software was the IPX/SPX gateway. In Proxy Server 2.0, you could configure Winsock proxy clients to use the IPX/SPX protocol to gain access to the Internet via the WinSock Proxy Service. The Firewall Service does not provide this support. If you are still running IPX/SPX on your internal network, you'll have to take this factor into consideration.

In fact, before considering an ISA Server proxy solution, you need to convert your network to a TCP/IP-based infrastructure. This conversion is required in order to implement ISA Server, but there are many other compelling reasons to retire your IPX infrastructure. If yours has been a Novell shop for some time, you might need to retrain your administrators. The investment in learning and implementing TCP/IP will make your network easier to expand and easier to troubleshoot, because of the large number of tools available for investigating TCP/IP networks.

The Web Proxy Client

The Web Proxy Service provides access to a limited set of protocols:

  • HTTP

  • HTTPS (HTTP secured via SSL)

  • FTP

  • Gopher

Whereas we can safely dismiss Gopher from our consideration, the other protocols represent the bulk of typical Internet connectivity requirements for the majority of organizations that want to implement ISA Server solutions.

If all you require are these "Web" protocols, a Web proxy client/server configuration might best fit your organization. Even if you need to install the firewall client software to take advantage of other Winsock applications, you might still want to configure your machines as Web proxy clients due to a slight performance advantage you'll gain for Web access via HTTP 1.1 CERN-compliant browsers.

Note

Among the ISA Server application filters is the HTTP Redirector filter. If you configure this filter to redirect HTTP requests to the Web Proxy Service (so that firewall and secure NAT clients can take advantage of the Web cache), the user credentials sent by the firewall client are lost in the redirection. This means that a user on a firewall client might be prompted to enter authentication information manually to access HTTP. You can avoid this manual authentication by making the firewall (and secure NAT) client a Web proxy client as well.

The Web proxy client has the advantage of not requiring installation of any dedicated client software and is compatible with all operating systems. If you have a browser that supports proxy client configuration, such as Internet Explorer, you can take direct advantage of the Web Proxy Service. You can even configure Netscape Navigator running on Linux to use the Web Proxy Service. The Web Proxy Service also supports user authentication, which gives it an advantage over the secure NAT client.

The Secure NAT Client

Secure NAT clients are the simplest type of ISA client to set up, because virtually no configuration is required. In order to create a secure NAT client, all you need to do is one or the other of these:

  • Configure the client to use the ISA server as its default gateway.

  • Point the secure NAT client to a gateway that will be able to route Internet-bound packets to an ISA server.

The secure NAT client is able to take advantage of the Web cache when the HTTP Redirector filter is enabled. However, even though the secure NAT client is able to use the Web cache portion of the Web Proxy Service, secure NAT clients cannot be authenticated against Active Directory or a server's local security accounts database. Access controls for secure NAT clients are implemented via IP addresses rather than user or group membership. If you want a secure NAT client to be authenticated before accessing "Web protocols," configure the secure NAT client as a Web proxy client.

Small organizations that do not have easy access to technical support assistance or those that do not want to install or configure client software will benefit most from the secure NAT client.

Assessing the Best Solution for Your Network

You should decide in advance what type of ISA client configuration you want to implement on your network before beginning the ISA Server rollout. Table 22.6 can be of some assistance when weighing your options.

Table 22.6: Comparing ISA Server Client Features

ISA Client Type: Secure NAT client
Best-Fit Scenarios:

  1. Organization has a simple setup.

  2. Organization has no technical support in house.

  3. Organization wants to avoid client software installation.

  4. Organization does not require user or group authorization to access resources.

  5. Organization has non-Windows clients or non-CERN-compliant browsers.

  6. Organization wants to publish servers on the internal network or on a DMZ segment.

ISA Client Type: Firewall client
Best-Fit Scenarios:

  1. Client software installation is not an issue.

  2. Organization requires user- or group-based authentication for access control on a per-protocol basis.

  3. Organization requires access to all Winsock protocols.

  4. Organization has administrative support for client installation, policy configuration, and client/server troubleshooting.

ISA Client Type: Web proxy client
Best-Fit Scenarios:

  1. Organization requires only HTTP, HTTPS, FTP, and Gopher access.

  2. Organization uses HTTP 1.1 CERN-compliant browsers.

  3. Organization does not require access to other Winsock protocols.

  4. Organization requires authentication for Web protocols.

  5. Organization does not want to configure a default gateway on network clients.

  6. Organization has non-Windows clients.

Of course, you are not limited to implementing a single ISA client configuration. You can take advantage of various combinations of clients. For example, you can configure an ISA client as a Web proxy and firewall client to improve performance of Web protocol access, or you can configure a client to be a secure NAT and Web proxy client and take advantage of authentication for Web protocols.

The only mutually exclusive client configuration pair is the firewall client and the secure NAT client. That is because the firewall client will always be subject to the firewall client configuration parameters. The firewall client software will intercept all Winsock requests and forward them to the ISA server. This is in contrast to the secure NAT client, for which the native Winsock interface forwards packets to the machine's default gateway.

Internet Connectivity and DNS Considerations

ISA Server supports just about any interface you want to use to connect to the Internet. Your external interface can be:

  • ISDN

  • Analog

  • DSL

  • Cable

  • T-Carrier

  • X.25

  • ATM

An important consideration is whether you want to implement a dedicated or a dial-up solution for Internet connectivity. The advantages of a dedicated connection are speed and reliability. The prime disadvantage of dedicated connections is often cost. However, even the cost of dedicated connections is coming down. In areas that support cable and DSL connections, you can have a dedicated connection to the Internet for well under $100 per month.

Level of Service

Consider the level of service you require before deciding on the type of connection you will use on the external interface. Many businesses seem almost hypnotized by the low prices and potential for high-speed access that DSL and cable connections offer. However, those businesses are often left grinding their teeth and cursing their providers later.

The problem lies in the fact that you are not guaranteed bandwidth or level of service with these types of connections. Although you typically purchase a certain level of service based on an agreement for minimum and maximum throughput, those numbers represent upper limits of service more often than they ever guarantee a minimum level of service. At this time, neither cable nor DSL should be considered reliable enough alternatives on which to base your corporate Internet solution.

If your business requires a reliable and dedicated connection to the Internet, you are best served by using established technologies such as T-carrier and ISDN. Although the cost of these connections is much higher, you won't find yourself worrying about when your connection might become unavailable.

However, it is important to keep in mind that your bandwidth is guaranteed for a couple of router hops. You have no guarantees to bandwidth once your request leaves the control of your service provider. Therefore, although you should be watchful of your average sustainable bandwidth parameters, your primary concern is uptime.

Finally, when researching ISPs, look for a provider that will be able to grow with your organization. Your company might have modest needs for access at this time, but you hope to grow, and your Internet requirements will likely grow with you. You can avoid a significant amount of stress and strain if you can avoid having to move a large and complex Web site in the future when your ISP can no longer handle the traffic.

External Interface Configuration

Regardless of your connection method, you need to configure the external interface's IP configuration. Depending on the design of your Internet access solution, you might have a single IP address or multiple IP addresses bound to the external network interface. You can also choose to use multiple external interfaces. ISA Server does support multiple external interfaces as well as multiple IP addresses bound to a single interface. In fact, it does not even differentiate between them.

If you plan to provide Internet users with access to internal network resources, you will probably want to get one or more static IP addresses to bind to the external interface. If your organization is exceptionally sensitive to cost issues, you can get around the problem of using dedicated IP addresses by taking advantage of third-party dynamic DNS hosting.

Warning

Many companies use ISDN to access the Internet. ISPs sell ISDN corporate packages that often include a higher level of service and support. They also provide a subnetted block of IP addresses for your internal servers. Although you would not want to run a busy Web presence via an ISDN terminal connection, you can use multiple IP addresses and register different domain names to each one. However, you cannot do this with dial-up connections, which includes "dedicated" ISDN. The dial-up account interface only allows you to bind a single IP address to the ISDN terminal adapter.

Services such as www.tzo.com allow you to register a dynamically assigned IP address under your own domain name on their servers. If you have a cable, ISDN, or DSL configuration that assigns your address via DHCP, such a service lets you cope with changing IP addresses. You can even create publishing rules that let you register a single domain name and redirect requests to multiple servers on your internal network without entering individual Host (A) records on the Tzo.com DNS servers. Larger organizations will foot the cost of dedicated addresses if Internet users must have access to internal network resources.

When configuring the external interface, be sure to include the IP address, subnet mask, and default gateway (remote router) used by that interface. Do not configure any internal interface on the ISA server with a default gateway. Since the ISA Server services handle all requests coming into the internal interfaces, you do not need to have a gateway configured on the internal interface. Finally, do not configure the external interface to use DHCP unless your ISP explicitly gives you instructions to do so. For most ISA Server installations on the edge of a network, you will use dedicated IP addresses, so it would be rare to use DHCP.
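The two interface rules above (a default gateway on the external interface only, and no DHCP on the external interface unless the ISP requires it) are easy to get wrong on a dual-homed box and easy to check. The following script is an added example, not part of the book or of ISA Server: it parses the text of "ipconfig /all" from a dual-homed Windows host and reports violations. The adapter names, addresses and the ipconfig output itself are constructed for the example; the internal adapter in the sample deliberately carries a default gateway so the audit has something to find.

```python
import re

# Constructed sample of "ipconfig /all" output from a dual-homed Windows host
# (not captured from a real ISA server). The Internal adapter has a default
# gateway, which is exactly the misconfiguration the text warns against.
SAMPLE_IPCONFIG = """\
Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : isa1
        Primary DNS Suffix  . . . . . . . : isaserver.net

Ethernet adapter External:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Intel(R) PRO/1000 MT
        Physical Address. . . . . . . . . : 00-0C-29-11-22-33
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 222.222.222.222
        Subnet Mask . . . . . . . . . . . : 255.255.255.248
        Default Gateway . . . . . . . . . : 222.222.222.217
        DNS Servers . . . . . . . . . . . : 222.222.222.2

Ethernet adapter Internal:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Intel(R) PRO/1000 MT #2
        Physical Address. . . . . . . . . : 00-0C-29-44-55-66
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 10.0.0.1
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.0.0.254
        DNS Servers . . . . . . . . . . . : 10.0.0.2
"""

# "Ethernet adapter External:" / "PPP adapter ISP:" style section headers.
ADAPTER_RE = re.compile(r"^(\S.*?) adapter (.+):\s*$")
# "   Field Name . . . . : value" lines; the dotted leader is discarded.
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z \-]*?)[ .]*:\s*(.*)$")


def parse_ipconfig(text):
    """Return {adapter_name: {field: value}} from ipconfig /all output.

    Lines before the first adapter header (host name etc.) are ignored.
    Indented continuation lines (a second DNS server, for example) are
    appended to the value of the preceding field."""
    adapters = {}
    current = None
    last_key = None
    for line in text.splitlines():
        header = ADAPTER_RE.match(line)
        if header:
            current = adapters.setdefault(header.group(2), {})
            last_key = None
            continue
        if current is None:
            continue
        field = FIELD_RE.match(line)
        if field:
            last_key = field.group(1).strip()
            current[last_key] = field.group(2).strip()
        elif line.strip() and last_key:
            current[last_key] += " " + line.strip()
    return adapters


def audit_isa_interfaces(adapters, external_name):
    """Apply the text's interface rules and return a list of findings.

    - Only the external interface may carry a default gateway.
    - The external interface should be statically addressed (no DHCP)
      unless the ISP explicitly requires DHCP.
    An empty list means the configuration is clean."""
    if external_name not in adapters:
        return [f"external adapter '{external_name}' not found"]
    findings = []
    for name, fields in adapters.items():
        gateway = fields.get("Default Gateway", "")
        dhcp = fields.get("DHCP Enabled", "").lower() == "yes"
        if name == external_name:
            if not gateway:
                findings.append(f"{name}: external interface has no default gateway")
            if dhcp:
                findings.append(f"{name}: external interface is DHCP-assigned; "
                                "use a static address unless the ISP requires DHCP")
        elif gateway:
            findings.append(f"{name}: internal interface must not have a "
                            f"default gateway (found {gateway})")
    return findings


if __name__ == "__main__":
    for finding in audit_isa_interfaces(parse_ipconfig(SAMPLE_IPCONFIG), "External"):
        print(finding)
```

On a live host you would feed the script the saved output of "ipconfig /all" instead of the constructed sample; the adapter name passed as the external interface is whatever you named the outside connection.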

DNS Issues

ISA Server supports Web publishing and server publishing. By publishing servers, you are able to offer Internet clients services on your internal network. ISA Server Publishing allows you to publish services such as HTTP, NNTP, SMTP, and POP mail to users on the Internet in a secure context.

Most users want to connect to your published network resources via an FQDN rather than an IP address. Therefore, you need to obtain one or more domain names to implement a fully functional publishing solution. Once you have obtained these domain names, you can have your ISP's DNS server host your domain database, or you can manage your own DNS servers. If you choose to manage your own DNS, you need to provide the IP addresses of at least two publicly available DNS servers.

After registering your domain names, you need to populate your DNS database with Host (A) address records. Typically, you'll add a record for host names such as "www," "ftp," "mail" and "news" for the Web, FTP, SMTP, and NNTP access, respectively. ISA allows you to publish servers on your internal network or on a perimeter network, so you can use just a single IP address on the external interface and access multiple servers hosting these services.

Note

When users connect to an Internet or intranet resource via a Winsock application, they typically do so using a fully qualified domain name, or FQDN. The FQDN is actually a combination of two names: a host name and a domain name.

For example, if you are managing the DNS for a domain such as tacteam.net and you have a host in that domain named www, the FQDN for that host is www.tacteam.net. An unqualified name would either not include the host name or, more frequently, would include an incomplete path for the domain name. If someone used the name www.tacteam, that would represent an unqualified request. Resolution of unqualified requests depends on the DNS client configuration of a particular machine.

For example, you have two machines on your internal network, one that will host your Web server and a second that will host your mail server. You have registered your domain name, isaserver.net. You have one external IP address: 222.222.222.222. In the DNS, you enter a Host (A) address record for www.isaserver.net and another for mail.isaserver.net. Both of these Host (A) records point to 222.222.222.222. When a user types www.isaserver.net into his or her browser address bar, the browser connects to 222.222.222.222 on port 80, and the publishing rule for that port forwards the request to the internal Web server. In the same fashion, when an SMTP server attempts to deliver mail to mail.isaserver.net, it connects to 222.222.222.222 on port 25, and the ISA server forwards the connection to your published internal mail server.

DNS planning is pivotal to a successful server-publishing scheme. Because the public records for www.isaserver.net point at the ISA server's external address, internal clients that resolve the same zone would try to reach the Web server through the outside interface. You therefore need separate zones, one for the external view of the domain and one for the internal view (a split DNS): the external zone answers with the external address, and the internal zone answers with each server's internal address.
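As an added example, not part of the book's text or of ISA Server itself, the following Python sketch models the publishing plan described above in the way a practitioner would lay it out before touching the DNS console: the public zone's Host (A) records (every published name resolving to the single external address), the internal zone's records for the split-DNS view, the port-to-server mapping the publishing rules must express, and two sanity checks, namely that no RFC 1918 address ends up in the public zone and that no two services claim the same external port. The domain name and external address are the text's example values; the internal addresses and the plan itself are constructed.

```python
import ipaddress
from collections import namedtuple

# Values from the text's example plus constructed internal addresses.
DOMAIN = "isaserver.net"
EXTERNAL_IP = "222.222.222.222"          # the ISA server's external interface

# A published service: public host label, TCP port, internal server address.
Service = namedtuple("Service", "host port internal_ip")

PLAN = [
    Service("www", 80, "10.0.0.10"),     # internal Web server (constructed)
    Service("mail", 25, "10.0.0.11"),    # internal SMTP server (constructed)
]


def external_zone(plan, external_ip, domain):
    """Host (A) records for the public zone: every published name resolves to
    the ISA server's external address; the publishing rule, not DNS, selects
    the internal server."""
    return [f"{s.host}.{domain}. IN A {external_ip}" for s in plan]


def internal_zone(plan, domain):
    """Host (A) records for the internal copy of the same zone (split DNS), so
    inside clients reach the servers directly instead of looping through the
    ISA server's outside interface."""
    return [f"{s.host}.{domain}. IN A {s.internal_ip}" for s in plan]


def listener_conflicts(plan, external_ip):
    """Return (listener, first_host, second_host) for every external
    address:port pair claimed by more than one service. With a single external
    address, two services on the same port cannot both be published."""
    seen = {}
    conflicts = []
    for s in plan:
        listener = (external_ip, s.port)
        if listener in seen:
            conflicts.append((listener, seen[listener], s.host))
        else:
            seen[listener] = s.host
    return conflicts


def publishing_rules(plan, external_ip):
    """Map (external_ip, port) -> (internal_ip, port), the inbound forwarding
    the server-publishing rules must implement. Call listener_conflicts()
    first; a conflicting entry would otherwise silently overwrite another."""
    return {(external_ip, s.port): (s.internal_ip, s.port) for s in plan}


def private_address_leaks(records):
    """Return the records whose address is RFC 1918 private. Run this against
    the zone you are about to publish externally: a non-empty result means an
    internal address would be exposed to the Internet."""
    return [rec for rec in records
            if ipaddress.ip_address(rec.split()[-1]).is_private]


if __name__ == "__main__":
    print("; external zone"); print("\n".join(external_zone(PLAN, EXTERNAL_IP, DOMAIN)))
    print("; internal zone"); print("\n".join(internal_zone(PLAN, DOMAIN)))
    print("; publishing rules", publishing_rules(PLAN, EXTERNAL_IP))
    print("; leaks in external zone:", private_address_leaks(external_zone(PLAN, EXTERNAL_IP, DOMAIN)))
```

The leak check is the one worth running every time the plan changes: the common failure is pasting the internal zone's records into the zone the ISP hosts, which is harmless to connectivity (Internet clients simply fail to connect) but advertises your internal addressing to anyone who queries the domain.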




The Best Damn Firewall Book Period
ISBN: 1931836906
Year: 2003
Pages: 240