ISA Server secures your connection to the Internet or to remote sites and extranets. Security decisions for implementing ISA Server are discussed in the following sections. Figure 5.11 shows the process for securing the design.
Figure 5.11: Securing the Design
Using ISA Server to connect remote offices includes the following benefits:
The ability to connect remote offices together through the Internet using a virtual private network (VPN).
Hierarchical caching can also be implemented across the wide area network (WAN) on ISA Server-based computers.
A perimeter network, also known as a screened subnet, is a network that is set up separately from both an organization's private network and the Internet. The perimeter network allows external users access to specific servers located in the perimeter network, while preventing access to the internal network. In addition, an organization might allow very limited access from computers in the perimeter network to computers in the internal network.
A perimeter network is commonly used for deploying e-mail and Web servers. The perimeter network can be set up using either of the following configurations:
Back-to-back perimeter network configuration with two ISA Server-based computers on either side of the perimeter network.
Three-homed ISA Server-based computer with both the perimeter and internal network protected by the same computer.
In a back-to-back perimeter network configuration, two ISA Server-based computers are located on either side of the perimeter network. Figure 5.12 shows a back-to-back perimeter network configuration.
Figure 5.12: Back-to-Back Perimeter Network
Both ISA Server-based computers are set up in integrated or firewall mode. This configuration reduces the risk of compromise because anyone attempting to reach the internal network from the Internet must first pass through both ISA Server-based computers.
Perform the following steps to make the servers on the perimeter network available to Internet clients:
Configure the local address table (LAT) on the ISA Server-based computer that is connected to the internal network to include the IP addresses of the computers in the internal network.
Configure the LAT on the ISA Server-based computer connected to the Internet to include the IP address of the ISA Server-based computer connected to the internal network, and the IP addresses of all the publishing servers in the perimeter network.
Create a Web publishing rule on the ISA Server-based computer connected to the Internet to publish the Web server.
Create a server publishing rule on the ISA Server-based computer connected to the Internet to publish the e-mail server. Configure the server publishing rule to apply to the e-mail server.
Create a Web publishing rule to publish the Web server, and configure the rule to redirect requests to the hosted site.
With this back-to-back perimeter network design, selected traffic can access the e-mail or Web server without accessing the internal network. This example publishes the e-mail and the Web servers without exposing the internal network to the Internet.
In a three-homed perimeter network, a single ISA Server-based computer is set up with three network adapters:
The first network adapter connects to clients on the internal network.
The second network adapter connects to the servers located in the perimeter network.
The third network adapter connects to the Internet.
Figure 5.13 illustrates the three-homed perimeter network configuration.
Figure 5.13: Three-Homed Perimeter Network
Perform the following configuration steps for the three-homed ISA Server perimeter network:
Configure the LAT to include all of the addresses on the internal network. The LAT should not include the addresses on the perimeter network.
Enable packet filtering and IP routing.
Create IP packet filters for each of the servers in the perimeter network. For each IP packet filter, the local computer should be specified as the IP address of the server on the perimeter network.
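The LAT decides which addresses ISA Server treats as internal, so an error in the LAT steps above (the outer ISA Server's LAT in the back-to-back design, or a three-homed LAT that accidentally includes perimeter addresses) undermines the design. The following script, added here as an illustration and not part of the guide or of ISA Server, checks a proposed LAT against those rules; the address ranges and the check functions are constructed for the example.

```python
import ipaddress


def lat_networks(lat_ranges):
    """Expand LAT entries, given as (first, last) IP address strings, into networks."""
    nets = []
    for first, last in lat_ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return nets


def covered(addr_or_cidr, nets):
    """True if the address or network lies entirely inside one LAT entry."""
    target = ipaddress.ip_network(addr_or_cidr, strict=False)
    return any(target.subnet_of(n) for n in nets)


def check_three_homed_lat(lat_ranges, internal_cidrs, perimeter_cidrs):
    """Three-homed design: LAT must cover the internal network and exclude the perimeter."""
    nets = lat_networks(lat_ranges)
    findings = []
    for cidr in internal_cidrs:
        if not covered(cidr, nets):
            findings.append(f"internal network {cidr} missing from LAT")
    for cidr in perimeter_cidrs:
        perimeter = ipaddress.ip_network(cidr, strict=False)
        if any(n.overlaps(perimeter) for n in nets):
            findings.append(f"perimeter network {cidr} must not be in LAT")
    return findings


def check_outer_lat(lat_ranges, inner_isa_ip, publishing_ips):
    """Back-to-back design: the Internet-facing ISA Server's LAT must list the
    inner ISA Server's address and every publishing server in the perimeter."""
    nets = lat_networks(lat_ranges)
    return [f"{ip} missing from outer ISA LAT"
            for ip in [inner_isa_ip, *publishing_ips] if not covered(ip, nets)]


if __name__ == "__main__":
    # Constructed sample: internal 10.0.0.0/24, perimeter 192.168.100.0/24.
    mistaken_lat = [("10.0.0.0", "10.0.0.255"), ("192.168.100.0", "192.168.100.255")]
    for finding in check_three_homed_lat(mistaken_lat, ["10.0.0.0/24"], ["192.168.100.0/24"]):
        print("three-homed:", finding)
    outer_lat = [("192.168.100.10", "192.168.100.10")]
    for finding in check_outer_lat(outer_lat, "192.168.100.1", ["192.168.100.10", "192.168.100.20"]):
        print("back-to-back:", finding)
```

LAT entries are given as first/last address pairs, the form the ISA Server LAT uses, so a range that stops short of a full subnet is reported as not covering it.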
An extranet is a private network that is configured for use from outside your internal network. The extranet is installed to support selected partners who require access to your network. ISA Server supports the installation of extranets through its built-in VPN capability. Figure 5.14 shows ISA Server within an extranet design.
Figure 5.14: ISA Server in Extranets