Detailing Deployment Strategies with ISA Server 2004

What makes ISA Server stand out as a product is its versatility and its capability to play multiple roles in an environment. In addition to being deployed as a fully functional Application-layer firewall, ISA can also provide web caching, Virtual Private Network support, reverse proxy, and combinations of any of them. It is therefore important to understand all the potential deployment scenarios for ISA when considering the product for deployment.

Deploying ISA Server 2004 as an Advanced Application-Layer Inspection Firewall

ISA Server 2004 was designed as a full-function firewall that provides the functionality expected of any other firewall device. At a base level, ISA enables you to block Internet traffic from using a specific port, such as the RPC or FTP ports, to access internal resources. This type of filtering, also done by traditional firewalls, operates on Internet Protocol (IP) traffic at the Network layer (Layer 3). The difference between ISA and most other firewalls, however, is its capability to filter IP traffic at the more complex Application layer (Layer 7). This functionality enables an ISA firewall to intelligently determine, for example, whether IP traffic contains dangerous payloads.
Because of the advanced IP filtering capabilities of ISA, it is becoming more common to see small to mid-
Figure 1.3. Deploying ISA Server 2004 as a firewall.
For more information on the capabilities of ISA Server 2004 as a firewall device, refer to Chapter 5.

Securing Applications with ISA Server 2004's Reverse Proxy Capabilities
Although ISA Server 2004 is marketed as an edge firewall, it is more common in organizations, particularly in mid-sized and larger ones, to see it deployed
To
For more information on
Accelerating Internet Access with ISA Server 2004's Web Caching Component

The original function of ISA Server, when it was still known as Proxy Server, was to act as a simple web proxy for client web traffic. This functionality is still available in ISA Server, even as the focus has shifted more to the system's firewall and VPN capabilities. By enabling the caching service on an ISA Server, many organizations have realized improved access times for web and FTP services, while effectively increasing the available bandwidth of the Internet connection at the same time.
The concept of web and FTP caching in ISA Server 2004 is
Figure 1.4. Deploying ISA Server 2004 as a web caching server.
NOTE
An added advantage to using ISA Server 2004 as a content caching server is that all the web traffic that clients request is scanned for exploits and viruses as well,
For more information on configuring ISA for web and FTP caching, refer to Chapter 8.

Controlling and Managing Client Access to Company Resources with Virtual Private Networks (VPNs)
Some of the most significant improvements in ISA Server 2004 are in the area of Virtual Private Networks (VPNs). VPN functionality has been greatly improved, and VPN networks can be used flexibly within access rules. Deploying an ISA Server 2004 VPN solution is an increasingly common scenario for many organizations. The capabilities for clients to securely access internal resources from
VPN Deployment with ISA Server 2004 typically involves a secure, encrypted tunnel being set up between clients on the Internet and an Internet-
In addition to this control, ISA Server also makes it possible to quarantine VPN users that do not
Finally, ISA Server also includes the ability to set up site-to-site VPN connections to remote sites across the Internet. This enables networks to be joined across VPN links. An added advantage is that the Internet Key Exchange (IKE) protocol used to set up this connection can also be used to set up a site-to-site VPN between an ISA server and a third-party VPN product. For more information on working with VPNs in ISA Server 2004, refer to Chapters 9 and 10.

Using the Firewall Client to Control Individual User Access

In addition to the default capability to support traffic from any Internet client (SecureNAT clients), ISA includes the capability to restrict, control, and log individual user firewall access through the installation and configuration of ISA firewall clients. Although it is a less common deployment scenario, because a client component must be installed and supported, using the ISA firewall client enables more secure deployments and also allows an administrator to control firewall policy based on individual users or groups of users. For more information on deployment scenarios involving the ISA Firewall Client, see Chapter 11, "Understanding Client Deployment Scenarios with ISA Server 2004."
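The following added example is a small Python model of the two ideas discussed above: a firewall that first matches traffic on port (Layer 3/4) and then inspects the payload at the Application layer (Layer 7), and access rules that apply only to authenticated users or groups, which SecureNAT clients (identified by IP address only) can never satisfy. It is a constructed illustration written for this page, not ISA Server code or its object model; the rule names, the allowed-method list, the policy ordering (first match wins, default deny) and all traffic samples are assumptions chosen to show the behaviour.

```python
"""Toy model of port-based plus application-layer firewall rules with optional
user/group conditions (constructed example; not ISA Server's own code)."""
import re
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional, Tuple

# Layer 7 policy for the web rule: only well-formed HTTP requests using these
# methods may cross port 80 (assumed list; ISA's HTTP filter lets you choose).
ALLOWED_HTTP_METHODS = {"GET", "HEAD", "POST"}
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")


def http_filter(payload: bytes) -> Optional[str]:
    """Application-layer check. Returns a reason to block, or None to allow."""
    match = REQUEST_LINE.match(payload)
    if match is None:
        return "payload on port 80 is not a well-formed HTTP request"
    method = match.group(1).decode("ascii")
    if method not in ALLOWED_HTTP_METHODS:
        return f"HTTP method {method} is not permitted"
    return None


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                   # "allow" or "deny"
    ports: FrozenSet[int]                         # Layer 3/4 condition
    groups: Optional[FrozenSet[str]] = None       # None = all users (incl. SecureNAT)
    app_filter: Optional[Callable[[bytes], Optional[str]]] = None  # Layer 7 check


@dataclass(frozen=True)
class Request:
    src_ip: str
    dst_port: int
    payload: bytes
    user: Optional[str] = None        # None models a SecureNAT client: no identity
    groups: FrozenSet[str] = frozenset()


def evaluate(rules: List[Rule], req: Request) -> Tuple[str, str]:
    """First matching rule wins; anything unmatched hits the default deny rule."""
    for rule in rules:
        if req.dst_port not in rule.ports:
            continue                              # port condition not met
        if rule.groups is not None:
            # A user-scoped rule cannot match traffic that carries no identity,
            # which is exactly the SecureNAT case; firewall-client traffic does.
            if req.user is None or not (req.groups & rule.groups):
                continue
        if rule.action == "deny":
            return ("deny", rule.name)
        if rule.app_filter is not None:
            reason = rule.app_filter(req.payload)
            if reason is not None:                # port allowed, payload is not
                return ("deny", f"{rule.name}: {reason}")
        return ("allow", rule.name)
    return ("deny", "default rule")


# Assumed policy: web for everyone (with Layer 7 inspection), FTP only for admins.
POLICY = [
    Rule("Allow web access", "allow", frozenset({80}), app_filter=http_filter),
    Rule("Allow FTP for administrators", "allow", frozenset({21}),
         groups=frozenset({"Admins"})),
]


def sample_decisions() -> List[Tuple[str, str]]:
    """Runs constructed sample traffic through the policy."""
    traffic = [
        Request("10.0.0.5", 80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
        Request("10.0.0.5", 80, b"SSH-2.0-toyclient\r\n"),             # not HTTP on 80
        Request("10.0.0.5", 80, b"CONNECT example.test:22 HTTP/1.1\r\n\r\n"),
        Request("10.0.0.5", 135, b"\x05\x00\x0b"),                      # RPC port, no rule
        Request("10.0.0.7", 21, b"USER anonymous\r\n"),                  # SecureNAT client
        Request("10.0.0.8", 21, b"USER alice\r\n",
                user="alice", groups=frozenset({"Admins"})),            # firewall client
    ]
    return [evaluate(POLICY, r) for r in traffic]


if __name__ == "__main__":
    for decision in sample_decisions():
        print(decision)
```

Running the block shows the three outcomes the text distinguishes: the plain HTTP request is allowed, the non-HTTP and disallowed-method payloads are denied even though port 80 is open (the Layer 7 decision), the RPC request falls through to the default deny, and the same FTP request is denied for the SecureNAT client but allowed for the firewall client whose group membership satisfies the rule.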