Before you install ISA Server, it is essential to take several key prerequisites into account. Many of these prerequisites are required, and some are good general best practices. Reviewing them before deploying an ISA Server 2004 infrastructure is therefore recommended.
Reviewing Hardware Prerequisites
One of the advantages of ISA Server is its capability to be installed on standard, Intel-based server hardware. This helps to reduce the overall cost associated with deploying this type of security technology because replacement parts for server hardware are relatively inexpensive and easy to obtain. Many other solutions on the market today rely on proprietary hardware, which can be expensive to replace and/or difficult to obtain.
An ideal ISA Server implementation has redundant components and enough memory and processor speed to allow for the type of ISA functionality it will be responsible for. For example, an ISA Server that simply acts as a firewall does not need as much processor overhead as one that also performs web caching and VPN connectivity.
An ISA Server 2004 implementation should ideally run on server-class hardware, such as rack-mountable or tower models from major hardware vendors. The 1U server models (or their tower equivalents) are the most commonly deployed server models used for ISA Servers, although many other types of servers can also function in this capacity.
When sizing and scoping hardware for ISA, keep in mind that under the current ISA Server 2004 licensing scheme, licenses are purchased on a per-processor basis. Effectively, this means that a dual-CPU server costs twice as much to license for ISA as a single-CPU server. For this reason, many organizations limit ISA servers to single-CPU servers, unless the anticipated load is great enough to warrant either multiple servers or multiple-CPU machines.
Microsoft maintains a list of the minimal hardware requirements for ISA Server 2004 to run, as shown in Table 2.1. Bear in mind that these hardware levels are bare-minimum requirements and are not best-practice configurations. They support ISA deployments of 100 rules or fewer, require no special configurations, and require an Internet connection of less than 7Mb. Even in these cases, it may be wise to deploy more capable hardware for realistic deployments of ISA.
If an ISA server performs more functions, the configuration may require additional hardware and/or additional ISA Servers. Details on exact server hardware deployment recommendations can be found in Chapter 4, "Designing an ISA Server 2004 Environment."
Understanding ISA Operating System Requirements
The ISA Server software itself requires only a few software prerequisites before it can be installed. The first and foremost is a Windows operating system (OS) on which to run. ISA Server 2004 installation can be performed on the following operating system versions:
It is highly recommended to consider deploying ISA Server 2004 on the Windows Server 2003 operating system. Windows Server 2003 was designed to be the most secure Windows operating system to date and is strongly recommended for an ISA deployment. ISA on Windows 2000 was essentially only supported to allow for in-place upgrades of existing ISA 2000 implementations. Beyond that short-term scenario, there are very few reasons to deploy Windows 2000 as the ISA OS, and ISA functionality when installed on Windows 2000 is limited. In addition, all the examples in this book were performed with ISA installed on Windows Server 2003.
Examining Windows and ISA Service Packs
In addition to the base operating system, ISA should be deployed on the latest Service Pack version for the OS itself. For Windows Server 2003, this presently means Service Pack 1, although new service packs are bound to be developed over the life of the ISA Server 2004 product. Although ISA Server 2004 can be installed on a Windows Server 2003 system without SP1, deploying SP1 is recommended because it includes the following key security features that ISA can take advantage of:
It should be noted that ISA Server 2004 Standard can run on Windows Server 2003 SP1 only if it is installed with ISA Server 2004 Service Pack 1 as well. ISA Server 2004 SP1 is also highly recommended; it introduces the following enhancements:
The Enterprise Edition of ISA Server 2004 has its own set of software requirements. For more information on these requirements and on using the Enterprise edition, refer to Chapter 6, "Deploying ISA Server Arrays with ISA Server 2004 Enterprise Edition."
Outlining ISA Network Prerequisites
Unlike its predecessor, ISA Server 2000, ISA Server 2004 can be installed on and configured with rules for multiple networks. The only limitation to this concept is the number of network interface cards, ISDN adapters, or modems that can be physically installed in the server to provide for access to those networks. For example, the diagram in Figure 2.1 illustrates an ISA design where the ISA Server is attached to a total of five different internal networks and the Internet, scanning and filtering the data sent across each network with a total of six network cards.
Figure 2.1. An ISA Server deployed across multiple networks.
This type of flexibility within a network environment provides a high degree of design freedom, allowing an ISA Server to assume multiple roles within the network.