Reviewing ISA Server 2004 Prerequisites


Before you install ISA Server, it is essential to take several key prerequisites into account. Many of these prerequisites are required, and some are good general best practices. Reviewing them before deploying an ISA Server 2004 infrastructure is therefore recommended.

Reviewing Hardware Prerequisites

One of the advantages of ISA Server is its capability to be installed on standard, Intel-based server hardware. This helps to reduce the overall cost associated with deploying this type of security technology because replacement parts for server hardware are relatively inexpensive and easy to obtain. Many other solutions on the market today rely on proprietary hardware, which can be expensive to replace and/or difficult to obtain.

An ideal ISA Server implementation has redundant components and enough memory and processor speed to allow for the type of ISA functionality it will be responsible for. For example, an ISA Server that simply acts as a firewall does not need as much processor overhead as one that also performs web caching and VPN connectivity.

An ISA Server 2004 implementation should ideally run on server-class hardware, such as rack-mountable or tower models from major hardware vendors. The 1U server models (or their tower equivalents) are the most commonly deployed server models used for ISA Servers, although many other types of servers can also function in this capacity.

NOTE

When sizing and scoping hardware for ISA, keep in mind that under the current ISA Server 2004 licensing scheme, licenses are purchased on a per-processor basis. This effectively means that a dual-CPU server costs twice as much in ISA licensing as a single-CPU server. For this reason, many organizations limit ISA servers to single-CPU servers, unless the anticipated load is great enough to warrant either multiple servers or multiple-CPU machines.


Microsoft maintains a list of the minimum hardware requirements for ISA Server 2004, as shown in Table 2.1. Bear in mind that these hardware levels are bare-minimum requirements and are not best-practice configurations. They support ISA deployments of 100 rules or fewer, require no special configurations, and require an Internet connection of less than 7Mb. Even in these cases, it may be wise to deploy more capable hardware for realistic deployments of ISA.

Table 2.1. Hardware Requirements

| Component | Requirement |
|---|---|
| Processor | Single 550MHz Pentium III Equivalent |
| Memory | 256MB of Memory |
| Disk Space | 150MB Available (for installation of ISA Software) |
| Network Cards / ISDN adapter / Modem | One OS-compatible card per connected network |


If an ISA server performs more functions, the configuration may require additional hardware and/or additional ISA Servers. Details on exact server hardware deployment recommendations can be found in Chapter 4, "Designing an ISA Server 2004 Environment."

Understanding ISA Operating System Requirements

The ISA Server software itself requires only a few software prerequisites before it can be installed. The first and foremost is a Windows operating system (OS) on which to run. ISA Server 2004 installation can be performed on the following operating system versions:

  • Windows Server 2003 Standard Edition

  • Windows Server 2003 Enterprise Edition

  • Windows Server 2003 Appliance Edition

  • Windows 2000 Standard Server (with Service Pack 4) and Internet Explorer 6 or later

  • Windows 2000 Advanced Server (with Service Pack 4) and Internet Explorer 6 or later

CAUTION

It is highly recommended to consider deploying ISA Server 2004 on the Windows Server 2003 operating system. Windows Server 2003 was designed to be the most secure Windows operating system to date and is strongly recommended for an ISA deployment. ISA on Windows 2000 was essentially only supported to allow for in-place upgrades of existing ISA 2000 implementations. Beyond that short-term scenario, there are very few reasons to deploy Windows 2000 as the ISA OS, and ISA functionality when installed on Windows 2000 is limited. In addition, all the examples in this book were performed with ISA installed on Windows Server 2003.


Examining Windows and ISA Service Packs

In addition to the base operating system, ISA should be deployed on the latest Service Pack version for the OS itself. For Windows Server 2003, this presently means Service Pack 1, although new service packs are bound to be developed over the life of the ISA Server 2004 product. Although ISA Server 2004 can be installed on a Windows Server 2003 system without SP1, deploying SP1 is recommended because it includes the following key security features that ISA can take advantage of:

  • Cumulative security updates: The entire list of updates and patches to Windows Server 2003 is included in the Service Pack 1 offering. This reduces the amount of time it takes to patch a Windows Server 2003 system.

  • Higher default security and privilege reduction on services: Windows Server 2003 SP1 includes technology to reduce the running privilege of many services that run on the system. This way, if the service were to be compromised, the damage that could be done would be minimal because the exploit or virus would not have full administrative privilege.

  • Support for DEP (Data Execute Protection) hardware: Microsoft has been working with hardware vendors on a technology called Data Execute Protection (DEP), which is essentially a way for the hardware, such as memory and processors, to physically not allow modification of code running within itself. This prevents a modification of base Windows functionality even if an exploit takes complete control of the system. Service Pack 1 is the first update to take advantage of DEP technology when it is installed on hardware that supports it.

  • Security Configuration Wizard: One of the best additions to Service Pack 1 is the Security Configuration Wizard (SCW). SCW enables a server to be locked down easily via a wizard that scans for running services and provides advice and guidance throughout the process. SCW can also create security templates that can be used on multiple deployed servers, thus improving their overall security. Because SCW essentially shuts off all those sub-processes and applications that are not necessary for ISA to function, it effectively secures the ISA Server by reducing the attack surface that is exposed on the server. A detailed description of using SCW to secure an ISA Server is provided in the section of this chapter titled "Securing the Operating System with the Security Configuration Wizard."

It should be noted that ISA Server 2004 Standard can run on Windows Server 2003 SP1 only if it is installed with ISA Server 2004 Service Pack 1 as well. ISA Server 2004 SP1 is also highly recommended; it introduces the following enhancements:

  • Support for Windows Server 2003 Service Pack 1: Because it is generally advisable to deploy Windows Server 2003 with Service Pack 1 installed, it is necessary to update ISA Server 2004 to its own SP1 to maintain a supported configuration. ISA Server 2004 without any service packs is not supported on Windows Server 2003 with Service Pack 1.

  • ISA hotfixes: Hotfixes to address issues uncovered in ISA Server 2004 since its release have been included in the Service Pack.

  • Improved forms-based authentication: Additional options and improvements to the functionality of forms-based authentication (FBA) have been added in SP1.

NOTE

The Enterprise Edition of ISA Server 2004 has its own set of software requirements. For more information on these requirements and on using the Enterprise edition, refer to Chapter 6, "Deploying ISA Server Arrays with ISA Server 2004 Enterprise Edition."
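
The prerequisites covered so far (the Table 2.1 minimums, the supported operating systems, and the Windows/ISA service pack pairing) can be checked against a server inventory before installation. The Python below is an added example, not code from the book or from Microsoft; the Host record, its field names, the finding codes and the two sample hosts are constructed for illustration, and it covers ISA Server 2004 Standard Edition only.

```python
from dataclasses import dataclass

# OS names and minimums as given in this chapter (Standard Edition only).
WS2003 = {"Windows Server 2003 " + e + " Edition"
          for e in ("Standard", "Enterprise", "Appliance")}
W2K = {"Windows 2000 Standard Server", "Windows 2000 Advanced Server"}
MINIMUMS = {"cpu_mhz": 550, "ram_mb": 256, "free_disk_mb": 150}  # Table 2.1

@dataclass
class Host:  # hypothetical inventory record; field names are assumptions
    name: str
    os: str
    os_sp: int          # Windows service pack level
    ie_major: int       # Internet Explorer major version
    isa_sp: int         # ISA Server 2004 service pack that will be installed
    cpu_mhz: int
    cpu_count: int
    ram_mb: int
    free_disk_mb: int
    adapters: int       # network cards, ISDN adapters or modems
    networks: int       # networks the server will be connected to

def check_prereqs(h):
    """Return (blockers, advisories) as lists of short finding codes."""
    block = [f"{k}-below-{v}" for k, v in MINIMUMS.items() if getattr(h, k) < v]
    advise = []
    if h.adapters < h.networks:
        block.append("adapter-per-network")
    if h.os in WS2003:
        if h.os_sp >= 1 and h.isa_sp < 1:
            block.append("isa-sp1-required")      # unsupported pairing
        elif h.os_sp < 1:
            advise.append("install-ws2003-sp1")
    elif h.os in W2K:
        if h.os_sp < 4:
            block.append("w2k-needs-sp4")
        if h.ie_major < 6:
            block.append("w2k-needs-ie6")
        advise.append("prefer-ws2003")            # limited ISA functionality
    else:
        block.append("unsupported-os")
    if h.isa_sp < 1 and "isa-sp1-required" not in block:
        advise.append("install-isa-sp1")
    if h.cpu_count > 1:
        advise.append(f"licenses-needed-{h.cpu_count}")  # per-processor licensing
    return block, advise

# Constructed sample inventory (not real hosts), fields in declaration order.
FW_A = Host("fw-a", "Windows Server 2003 Standard Edition", 1, 6, 0, 2400, 2, 1024, 4000, 3, 3)
FW_B = Host("fw-b", "Windows 2000 Advanced Server", 3, 5, 1, 500, 1, 256, 100, 2, 3)
```

Blockers are conditions the chapter describes as required or unsupported; advisories are its recommendations and the licensing consequence of multiple CPUs.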


Outlining ISA Network Prerequisites

Unlike its predecessor, ISA Server 2000, ISA Server 2004 can be installed on and configured with rules for multiple networks. The only limitation to this concept is the number of network interface cards, ISDN adapters, or modems that can be physically installed in the server to provide for access to those networks. For example, the diagram in Figure 2.1 illustrates an ISA design where the ISA Server is attached to a total of five different internal networks and the Internet, scanning and filtering the data sent across each network with a total of six network cards.

Figure 2.1. An ISA Server deployed across multiple networks.


This type of flexibility within a network environment allows for a high degree of design freedom, allowing an ISA Server to assume multiple roles within the network.



    Microsoft Internet Security and Acceleration (ISA) Server 2004 Unleashed
    ISBN: 067232718X
    EAN: 2147483647
    Year: 2005
    Pages: 216
    Authors: Michael Noel
