Defining the Role of the ISA Administrator

ISA Administrators are defined in different ways, depending on the organization using the product. For smaller environments, the role of the ISA Administrator most often falls upon those individuals already tasked with general user administration and server support. Larger organizations may delegate ISA admin tasks to messaging administrators, security admins, or network admins, depending on the factors surrounding the deployment of ISA itself.

Understanding Who Administers the ISA Environment

The fact that ISA can fit into so many roles is a tribute to the diverse range of function ality that the server possesses. For example, the following roles are affected in one way or another with an ISA Server:

• Network Administrator Network administrators are in charge of shaping network traffic and routing it to proper destinations. Because ISA can act as a router, and is often deployed in that capacity to secure an isolated network server network segment, it often falls upon the network admin's shoulders to understand and potentially administer portions of ISA functionality.

• Messaging Administrator Because ISA is so often deployed specifically to secure messaging solutions, particularly Exchange solutions such as Outlook Web Access, the role of administering ISA is often undertaken, at least in part, by messaging administrators.

• Security/Firewall Administrator Firewall administrators will be most familiar with ISA itself. ISA uses the familiar concept of Firewall rules, security concepts, and the look and feel of the console itself.

It is really not important who eventually takes over administrative control of an ISA server, but what is important is that the important characteristics of the ISA Server itself are taken into account. An ISA Server acts and performs in a profoundly different way than other servers, particularly other Microsoft Servers.

Exploring ISA Administrator Roles

ISA Server 2004 Standard edition comes installed with three pre-defined Administrator groups, depending on the type of administration that needs to be performed:

• ISA Full Administrator An ISA Full Administrator can perform all ISA Admin tasks, including all firewall, VPN, and content caching configuration.

• ISA Basic Monitoring The ISA Basic Monitoring role can only view and acknowledge alerts, services, and sessions, and cannot configure any of the ISA Settings.

• ISA Extended Monitoring The ISA Extended Monitoring role allows for configuration of specific alerts, viewing log information and creating reports and definitions, and stopping and restarting individual sessions and services.

Each one of these roles can be delegated to individual users or, preferably, to groups of users, through use of ISA Server's Administrative Delegation wizard. First, however, best practice security precautions and a controllable and auditable access mechanism should be deployed before the wizard is run.