ISA Server 2004 introduced "multi-networking" support. This means that a single ISA server can be deployed across multiple physical network segments, as illustrated in Figure 5.1. The goal is to filter, control, and monitor the traffic that passes between those networks. In essence, this allows ISA to become a true firewall for the traffic between multiple network segments.
Figure 5.1. Examining ISA multi-networking support.
This functionality is a true departure from the tedious ISA 2000 concept of the Local Address Table (LAT), which effectively allowed for only an internal network and an external network. Now, with ISA Server 2004, multiple networks can be configured, and specific ISA rules can be established based on the origin and destination network of the traffic.
Setting Up a Perimeter Network with ISA
Multi-networking capabilities in ISA Server 2004 allow for the creation of a traditional perimeter (DMZ) network. This network model, shown in Figure 5.2, isolates Internet-facing services into a dedicated network that has little access to resources in the internal network. The idea behind this model is that if one of the servers in the DMZ were to be compromised, the attacker would have access to only DMZ resources, and would not be able to directly hit any of the clients or servers on the internal network.
Figure 5.2. Viewing a perimeter network model.
Establishing a perimeter network is as simple as putting a third network card into an ISA firewall and setting up a dedicated network. The third NIC is then plugged into that network to establish ISA's presence in the network and force traffic through the ISA server. The final step is to define the IP address of the network in the ISA console and to set up the network and firewall rules between the new perimeter network and the internal network. More information on these topics, including step-by-step instructions, can be found later in this chapter.
Deploying Additional Networks
ISA is not limited to three defined networks. On the contrary, the software can define as many networks as there are network cards in the server itself. Additional networks can therefore be established for wireless access points, server-only networks, client networks, and any other type of network. Defining a network is as straightforward as configuring the proper network definitions and network rules in the ISA Console.
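As an added illustration (not from the book, and not ISA's own rule engine), the following Python model shows the origin/destination rule evaluation described in this section: IP ranges stand in for the ISA network definitions (including a fourth, wireless network beyond the basic three), and an ordered rule list ends with a default deny, so a compromised perimeter host has no path into the internal network. All network names, address ranges, and rules are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Constructed network definitions, one per NIC, as they would be entered in the
# ISA console. Any address outside every defined range is treated as External.
NETWORKS = {
    "Internal": ipaddress.ip_network("10.0.0.0/24"),
    "Perimeter": ipaddress.ip_network("192.168.100.0/24"),
    "Wireless": ipaddress.ip_network("172.16.50.0/24"),
}


@dataclass
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    sources: Set[str]           # origin networks the rule applies to
    destinations: Set[str]      # destination networks the rule applies to
    ports: Optional[Set[int]]   # None means any TCP port


def classify(ip: str) -> str:
    """Map an address to the name of the defined network that contains it."""
    addr = ipaddress.ip_address(ip)
    for name, network in NETWORKS.items():
        if addr in network:
            return name
    return "External"


# Ordered like ISA firewall policy: first match wins, nothing matches -> deny.
RULES = [
    Rule("Publish DMZ web server", "allow", {"External"}, {"Perimeter"}, {80, 443}),
    Rule("Admin access to DMZ", "allow", {"Internal"}, {"Perimeter"}, {3389}),
    Rule("Internal to Internet", "allow", {"Internal"}, {"External"}, None),
    Rule("Wireless to Internet only", "allow", {"Wireless"}, {"External"}, {80, 443}),
]


def evaluate(src_ip: str, dst_ip: str, dst_port: int) -> Tuple[str, str]:
    """Return (action, matching rule name) for a connection attempt."""
    src, dst = classify(src_ip), classify(dst_ip)
    for rule in RULES:
        if src in rule.sources and dst in rule.destinations:
            if rule.ports is None or dst_port in rule.ports:
                return rule.action, rule.name
    return "deny", "Default rule"
```

Note that a perimeter host attempting to reach the internal network matches no allow rule and falls through to the default deny, which is exactly the containment property the perimeter model is meant to provide.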