Determining the Role of ISA Server


ISA Server can act as a firewall, a Web caching server, or both in your network. Figure 5.2 shows the process for determining the role of your ISA server.

Figure 5.2: Determining the Role of ISA Server

You can install ISA Server in firewall, cache, or integrated mode.

  • In firewall mode, you can secure network communication by configuring rules and access policies that control communication between your internal network and the Internet. You can also publish internal servers.

  • In cache mode, you can improve network performance and save bandwidth by storing frequently accessed content closer to the user. You can also route requests from internal users to the appropriate Web server and publish Web servers in cache mode.

  • In integrated mode, all cache and firewall features are available. You can configure a policy to meet both cache performance and security requirements.

Use Table 5.1 to determine which mode of ISA Server installation is most appropriate in your network.

Table 5.1: Determining the ISA Server Installation Mode

| Goal | Mode |
| --- | --- |
| Secure your connection to the Internet, connect remote offices, or implement secure extranets. | Firewall |
| Increase performance of your Internet connection. | Cache |
| Secure your connection to the Internet and increase the performance of your Internet connection. | Integrated |

Implementing ISA Server in Firewall Mode

ISA Server in firewall mode acts as a secure gateway between the Internet and internal clients. By configuring the access policies, you can prevent unauthorized access and malicious content from entering the network, as well as restrict outbound traffic.

In Figure 5.3, ISA Server is deployed in firewall mode and as a publisher of internal services, including e-mail and Web services.

Figure 5.3: ISA Server in Firewall Mode

All inbound traffic requiring access to the Web or e-mail servers must pass through the firewall first. Likewise, ISA Server can also limit Internet access to specified clients. In this example, ISA Server is acting as a dedicated firewall controlling access to the internal network.

Implementing ISA Server in Cache Mode

ISA Server in cache mode accelerates Web access performance by caching Internet content locally. ISA can provide access control for Web content, both in forward cache mode and reverse cache mode.

Forward Cache Mode

When a client in the internal network requests a Web page, ISA Server in forward cache mode checks if the content is cached locally. If so, the request is not forwarded to the Internet, and the forward cache server returns the Web pages to the client. If the Web page is not stored locally, ISA Server (acting on behalf of the client) retrieves the Web page from the Internet. ISA Server then saves that Web page in the local cache. The next time a client requests that page, ISA Server can fulfill the request without going to the Internet to retrieve the page. This results in using less bandwidth on the Internet connection. Figure 5.4 illustrates a forward cache mode configuration.

Figure 5.4: ISA Server in Forward Cache Mode

Reverse Cache (Web Publishing) Mode

You can also configure ISA Server in reverse cache mode. ISA Server in reverse cache mode caches content provided to the Internet from the Web server. When an Internet client requests a Web page, the request is sent to the ISA Server-based computer first. If the page is stored there locally, there is no need to retrieve the page from the Web server. This increases performance for Internet clients accessing the Web site from the Internet, as well as increasing security for the server. Figure 5.5 illustrates a reverse cache mode configuration.

Figure 5.5: ISA Server in Reverse Cache Mode

Implementing ISA Server in Integrated Mode

ISA Server in integrated mode provides a firewall solution and acts as a Web cache server simultaneously by allowing both services to coexist on the same server.

Before implementing both the firewall and Web cache on the same server, consider the following points:

  • Purchasing less equipment can minimize costs.

  • Centralizing the management of both resources on a single computer can simplify administration.

  • Implementing both services on a single computer presents a single point of failure for both services. If that computer goes offline, multiple services are taken offline.

Determining Client Types

ISA Server supports the following types of clients.

Web Proxy client

Makes all Internet requests to the ISA Server "Outgoing Web Requests" listener. Most often, this is a Web browser that is either configured manually by the user, or is configured automatically by using Group Policy or a configuration script. ISA restricts user-based Web access controls to Web Proxy clients only.

SecureNAT client

Provides IP-based security, but does not allow for user-level authentication. To configure a SecureNAT client, you only have to set the default route between the client and the ISA Server default internal IP address. Because a SecureNAT client uses no other configuration, any computer that uses TCP/IP can be a SecureNAT client.

Firewall client

Restricts access on a per-user, per-application basis for outbound access for requests that use Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). To configure a firewall client, you must install the Firewall Client software on each client computer. You can install the Firewall Client software from the shared folder \\ISA Server Name\mspclnt on the ISA Server-based computer.

You can only install the Firewall Client software on computers running Microsoft Windows 95 Service Release 2, Windows NT 4.0, Windows 98, Windows Millennium Edition, Windows 2000 Professional, Windows XP Professional, Windows XP 64-Bit Edition, or the Windows Server 2003 family.

Before you deploy or configure client software, assess your organizational needs, determine which applications and services your internal clients require, and assess how you plan to publish servers. Finally, map these needs to the client types supported by ISA Server.

Use Table 5.2 to determine which clients to deploy on your network.

Table 5.2: Determining Which Clients to Deploy

| Goal | Client | Reason |
| --- | --- | --- |
| Improve the performance of Web requests for internal clients. Combine user-level and content controls to Web access. | Web Proxy | Web Proxy clients do not require any software to be installed but do require specific configuration. |
| Avoid deploying client software or configuring client computers. | SecureNAT | SecureNAT clients do not require any software or specific configuration. |
| Improve Web performance in an environment with non-Microsoft operating systems. | SecureNAT | SecureNAT client requests pass transparently to the ISA Server firewall service and then to the caching service. |
| Publish servers that are located on your internal network. | SecureNAT | You can publish internal servers as SecureNAT clients, which eliminates the need for creating special configuration settings on the publishing server. |
| Allow Internet access only for authenticated users. | Firewall or Web Proxy | You can configure user-based access policy rules for firewall clients. There is also an option to require authentication with Web Proxy clients. |
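
One way to check a host inventory against the client constraints described above, as an added example that is not taken from the Deployment Kit. The host records, the field names, and the assumption that Web Proxy clients carry Web requests only are constructed for illustration.

```python
# Added example: host records and field names are constructed for illustration.
FIREWALL_CLIENT_OS = {
    "Windows 95 Service Release 2", "Windows NT 4.0", "Windows 98",
    "Windows Millennium Edition", "Windows 2000 Professional",
    "Windows XP Professional", "Windows XP 64-Bit Edition",
    "Windows Server 2003 family",
}

def eligible_clients(host):
    """Return the ISA Server client types that meet one host's requirements."""
    options = []
    # Web Proxy: no software to install and user-level Web access controls.
    # Assumption: it carries Web requests only, so other protocols rule it out.
    if host["web_only"]:
        options.append("Web Proxy")
    # Firewall client: per-user, per-application control of TCP and UDP, but the
    # software must be installed and only installs on the listed Windows versions.
    if host["os"] in FIREWALL_CLIENT_OS and host["can_install_software"]:
        options.append("Firewall")
    # SecureNAT: any TCP/IP host, IP-based security only, so it cannot meet
    # a requirement for user-level authentication.
    if not host["needs_user_auth"]:
        options.append("SecureNAT")
    return options

def policy_gaps(hosts):
    """Names of hosts whose requirements no client type can satisfy."""
    return [h["name"] for h in hosts if not eligible_clients(h)]

# Constructed inventory.
HOSTS = [
    {"name": "hr-desktop", "os": "Windows XP Professional", "web_only": False,
     "needs_user_auth": True, "can_install_software": True},
    {"name": "kiosk", "os": "Windows 98", "web_only": True,
     "needs_user_auth": True, "can_install_software": False},
    {"name": "build-linux", "os": "Linux", "web_only": False,
     "needs_user_auth": False, "can_install_software": False},
    {"name": "lab-unix", "os": "Solaris", "web_only": False,
     "needs_user_auth": True, "can_install_software": False},
]

if __name__ == "__main__":
    for h in HOSTS:
        print(h["name"], "->", eligible_clients(h) or "no client type fits")
    print("policy gaps:", policy_gaps(HOSTS))
```

A host that appears in `policy_gaps` can still be routed through ISA Server as a SecureNAT client, but only IP-based rules apply to it.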




Microsoft Corporation Microsoft Windows Server 2003 Deployment Kit(c) Deploying Network Services 2003
Year: 2004
Pages: 146