Augmenting an Existing Security Environment with ISA Server 2004

One of the major steps forward for ISA Server 2004 was a change of focus: rather than assuming that ISA sits in a Microsoft-only environment, it is now positioned as an additional layer of security on top of the security technologies an organization already has. ISA Server is increasingly deployed to supplement existing security, and this capability to "play well" with other firewalls and security applications is a welcome improvement.

Utilizing ISA Server 2004 in Conjunction with Other Firewalls

A common deployment scenario for ISA Server 2004 has been as a reverse proxy or dedicated VPN server, sitting as a unihomed (single network card) host in the perimeter (DMZ) network of an existing firewall. This is where the integration of ISA with other security devices really shines. Deployed this way, ISA serves as an additional layer of security in an existing environment and improves the environment's overall security posture. Security works best in layers: an attacker must defeat several independent mechanisms, not just one, before gaining unauthorized access, and a weakness in one layer is less likely to be fatal when the next layer does not share it.

ISA is thus proving to be a commonly used security tool that addresses a specific need well rather than a whole host of needs at once. For example, a large number of ISA deployments serve a single purpose: to secure traffic to Outlook Web Access (OWA) servers or other web-related servers while sitting in the DMZ of an existing packet-layer firewall, as shown in Figure 1.5. In that position the existing firewall filters at the packet level, and ISA adds application-layer inspection and pre-authentication of the HTTP traffic it publishes. Of course, ISA can do more, but this capacity to do specific jobs very well bodes well for its acceptance in the overall security industry.

Figure 1.5. Deploying ISA in the DMZ of an existing firewall to secure OWA traffic.

For additional reading on this concept, see Chapter 7.

Deploying ISA Server 2004 in a RADIUS Authentication Environment

ISA Server 2004 now supports authentication and logging against a Remote Authentication Dial-In User Service (RADIUS) server, allowing security integration in environments with an existing investment in RADIUS technologies. RADIUS support also allows the ISA Server to be deployed without being a member of a Windows NT or Active Directory domain: user credentials are validated by the RADIUS server rather than by a domain controller. This reduces the risk of deploying an ISA Server in certain circumstances, such as in the DMZ network of an existing firewall, because the server then holds no domain machine account and no domain-member traffic has to be opened from the DMZ into the internal network; only the RADIUS conversation between ISA and the RADIUS server must be permitted.


RADIUS authentication support also enables ISA to integrate with the wide range of third-party authentication systems that expose a RADIUS interface, for example one-time-password token servers. This substantially increases the breadth of ISA Server 2004 deployment options.
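What the RADIUS conversation between ISA and the authentication server actually carries matters when the link crosses a DMZ boundary. The following is an added illustration, not ISA Server code and not part of the original text: it implements both sides of an RFC 2865 PAP Access-Request / Access-Accept exchange in-process, with the client role standing in for what a RADIUS client such as ISA sends. The shared secret, the NAS address, the user table and the passwords are constructed values for the example.

```python
"""RFC 2865 RADIUS Access-Request / Access-Accept exchange (PAP), both sides.

Added example, not ISA Server code. The "NAS" functions play the RADIUS
client role (what ISA would send); radius_server_handle() is a toy server
that checks a constructed in-memory user table. All secrets are made up.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4


def _encode_attrs(attrs):
    # Each attribute is Type(1) Length(1, includes header) Value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def _decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, l = struct.unpack("!BB", data[i:i + 2])
        if l < 2 or i + l > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + l]))
        i += l
    return attrs


def hide_password(password, secret, authenticator):
    """User-Password hiding (RFC 2865 s5.2): the password is padded with NULs to
    a multiple of 16 and each block is XORed with MD5(secret + previous block),
    seeded by the Request Authenticator. This is obfuscation keyed by the shared
    secret, not encryption in the modern sense."""
    pad = (-len(password)) % 16
    if not password:
        pad = 16
    padded = password + b"\x00" * pad
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password (server side). Trailing NUL padding is stripped,
    so passwords ending in NUL bytes are not representable, as in RFC 2865."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(username, password, secret, nas_ip, identifier):
    """NAS side: Code(1) Identifier(1) Length(2) RequestAuthenticator(16) Attrs."""
    authenticator = os.urandom(16)  # must be unpredictable; it seeds the hiding
    attrs = _encode_attrs([
        (ATTR_USER_NAME, username),
        (ATTR_USER_PASSWORD, hide_password(password, secret, authenticator)),
        (ATTR_NAS_IP, bytes(int(o) for o in nas_ip.split("."))),
    ])
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def radius_server_handle(packet, secret, users):
    """Toy RADIUS server: validate the request, check the user table, reply."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    req_auth = packet[4:20]
    attrs = dict(_decode_attrs(packet[20:length]))
    username, hidden = attrs.get(ATTR_USER_NAME), attrs.get(ATTR_USER_PASSWORD)
    ok = False
    if username is not None and hidden is not None:
        stored = users.get(username)
        revealed = reveal_password(hidden, secret, req_auth)
        ok = stored is not None and hmac.compare_digest(stored, revealed)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attrs + Secret)
    resp_auth = hashlib.md5(header + req_auth + secret).digest()
    return header + resp_auth


def verify_response(response, request, secret):
    """NAS side: a reply is only trusted if its Response Authenticator was
    computed over our Request Authenticator with our shared secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    _, _, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def authenticate(username, password, secret, users, server_secret=None,
                 nas_ip="10.0.0.5", identifier=7):
    """Full exchange in-process. Returns True on Access-Accept, False on
    Access-Reject; raises if the reply fails the authenticator check (wrong
    secret on either side, or a tampered/forged reply)."""
    server_secret = secret if server_secret is None else server_secret
    request = build_access_request(username, password, secret, nas_ip, identifier)
    response = radius_server_handle(request, server_secret, users)
    if not verify_response(response, request, secret):
        raise ValueError("response failed authenticator check")
    return response[0] == ACCESS_ACCEPT


if __name__ == "__main__":
    USERS = {b"alice": b"correct horse"}  # constructed user table
    print(authenticate(b"alice", b"correct horse", b"s3cret", USERS))  # True
    print(authenticate(b"alice", b"wrong", b"s3cret", USERS))          # False
```

Two practical points follow from this. First, the only thing standing between a packet sniffer on the DMZ-to-internal link and the user's cleartext password is the shared secret and an MD5-derived keystream, so the RADIUS path from a DMZ ISA server to the internal RADIUS server should be a trusted segment or an IPsec-protected one, and the secret should be long and random rather than a word. Second, the back-end firewall needs only to permit that one UDP exchange (1812, or 1645 on older servers) from the ISA host to the RADIUS server, which is a far smaller opening than the set of ports a domain member in the DMZ would need to reach a domain controller.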

