Every organization has different needs, and because ISA fits into so many roles, the number of possible ISA Server deployment scenarios is vast. That said, certain best-practice deployment options recur across many organizations, and they tend to correlate with organization size. To illustrate this, three sample organizations of varying sizes are described in this section to show how ISA is commonly used today.
Examining an ISA Server 2004 Deployment for a Small Organization
CompanyABC is a 30-person law firm with an office in Minneapolis, MN. All local workstations run in a single, switched network at the office. Several remote users require access to resources in the office from home and while traveling. Often, clients visiting the offices request wireless Internet access, and employees request similar functionality.
The ISA design that CompanyABC deployed, illustrated in Figure 4.4, incorporates a single ISA Server 2004 Standard server as the edge firewall for the organization.
Figure 4.4. Examining an ISA deployment at a small organization.
Three network cards are present in the ISA server, allowing it to be connected to three physical networks: the Internet, the internal network, and a secured wireless network. All employees connecting from the Internet or from the wireless network must establish VPN connections with the ISA server before gaining access to internal company resources. The company's web server is secured via ISA reverse proxy functionality and web server publishing rules. In addition, the ISA server provides content caching for all internal and wireless clients, to speed up and further secure web browsing.
Through this simple, yet robust design, CompanyABC is able to meet its security requirements through the deployment of a single ISA Server that takes advantage of numerous ISA features.
Examining an ISA Server 2004 Deployment for a Midsized Organization
OrganizationY is a city government in the state of Hawaii. With 2000 employees, the city IT department must manage not only external threats, but also the internal viruses and exploits that often crop up on city desktops and laptops. The city needed to secure its farm of servers while still maintaining functionality for clients on the network.
OrganizationY deployed a single ISA Server 2004 Standard Edition server with six network cards, as illustrated in Figure 4.5. Each network card is attached to a separate physical network within the organization as follows:
Figure 4.5. Examining an ISA deployment at a midsized organization.
The ISA Server is configured to allow only specific types of traffic from the client, wireless, and DMZ networks to the server network. Specifically, the server filters RPC traffic so that only MAPI access to an Exchange server is permitted, allows print traffic only to a specific print server, and applies similar narrowly scoped rules; everything else to the server network is denied.
By deploying ISA in this manner, OrganizationY is able to mitigate the threat posed by viruses or exploits that may infect their deployed workstations.
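The segmentation just described can be expressed and checked as policy-as-code. The following is an added example written for this section, not an export from an ISA Server 2004 configuration: the network names, host names, the SMB port used for printing and the MAPI interface UUID placeholder are all assumptions. It models ISA's default-deny behaviour and the RPC filter that lets only a listed interface through, and includes a check that flags rules which would undermine the design's intent.

```python
# Constructed model of the OrganizationY segmentation: only named traffic from
# the client, wireless and DMZ networks reaches the server network, and RPC is
# limited to the Exchange MAPI interface. Names, ports and the UUID are assumed.
from dataclasses import dataclass

SERVER_NET = "Servers"
CLIENT_NETS = frozenset({"Clients", "Wireless", "DMZ"})
MAPI_UUID = "MAPI-INTERFACE-UUID-PLACEHOLDER"  # stand-in, not the real UUID

@dataclass(frozen=True)
class Flow:
    src_net: str
    dst_net: str
    dst_host: str
    proto: str          # "rpc" or "tcp/<port>"
    rpc_uuid: str = ""  # interface requested on an RPC flow

@dataclass(frozen=True)
class Rule:
    name: str
    src_nets: frozenset
    dst_host: str       # one named server, never "any"
    proto: str
    rpc_uuids: frozenset = frozenset()  # non-empty = RPC filter in force

    def matches(self, f: Flow) -> bool:
        if f.src_net not in self.src_nets or f.dst_net != SERVER_NET:
            return False
        if f.dst_host != self.dst_host or f.proto != self.proto:
            return False
        # RPC filter: the call passes only if it asks for a listed interface
        return not self.rpc_uuids or f.rpc_uuid in self.rpc_uuids

POLICY = (
    Rule("Exchange MAPI", CLIENT_NETS, "exch01", "rpc", frozenset({MAPI_UUID})),
    Rule("Print server", CLIENT_NETS, "print01", "tcp/445"),  # assumed SMB printing
)

def evaluate(flow: Flow, policy=POLICY) -> str:
    """First matching allow rule wins; otherwise ISA's default rule denies."""
    for rule in policy:
        if rule.matches(flow):
            return "allow:" + rule.name
    return "deny:default"

def find_overbroad(policy) -> list:
    """Defender check: allow rules sourced from the Internet, or RPC rules
    with no interface filter, break the design's intent."""
    return [r.name for r in policy
            if "Internet" in r.src_nets or (r.proto == "rpc" and not r.rpc_uuids)]
```

Running `find_overbroad` against a proposed rule set before it is applied catches the common mistake of publishing RPC to the server network without an interface filter, which would expose every RPC service on the host rather than just MAPI.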
Examining an ISA Server 2004 Deployment for a Large Organization
CompanyA is a large financial services organization with 20,000 employees distributed among three major sites in New York, Tokyo, and Paris. CompanyA has had trouble in the past securing and auditing access to its email services. When the decision was made to upgrade its existing Exchange 5.5 environment to Exchange Server 2003, a design process was followed to further secure the environment within the confines of the existing network and security infrastructure. The results of this design are reflected in Figure 4.6.
Figure 4.6. Examining an ISA deployment at a large organization.
CompanyA secured access to its email environment by placing all email-related components behind ISA Servers. In New York, inbound email is sent to an SMTP smarthost that scans for viruses and spam and then forwards the messages to the New York Exchange Servers behind an enterprise array of ISA Servers. The ISA array is configured to allow inbound SMTP traffic from the smarthost. All other traffic is restricted to inbound MAPI from clients, which is then audited and tracked.
In the DMZ of the existing packet-filter firewall, an ISA Server provides reverse proxy to Exchange Outlook Web Access. Because of the need to fit into the existing security model, the ISA server is deployed as a single-NIC server homed to the DMZ network. The packet-filter firewall is then configured to allow only TCP port 443 inbound to the ISA server, and only port 443 from the ISA server to the internal front-end server.
In remote locations, Exchange services are protected by ISA servers as well, operating in the same capacity. All traffic sent between these isolated networks is scanned at the Application layer by ISA Servers.