Multi-networking with ISA Server 2004


ISA Server 2004 introduced "multi-networking" support. What this means is that it is possible to deploy an ISA server across multiple physical network segments, as illustrated in Figure 5.1. The goal of this is to filter, control, and monitor the traffic that traverses between the networks. In essence, this allows ISA to then become a true firewall for the traffic between multiple network segments.

Figure 5.1. Examining ISA multi-networking support.


This functionality is a true departure from the tedious ISA 2000 concept of the Local Address Table (LAT), which effectively allowed for a concept of only an Internal network and an external network. Now, with ISA Server 2004, multiple networks can be configured, and specific ISA rules can be established based on the network origin and destination.

Setting Up a Perimeter Network with ISA

Multi-networking capabilities in ISA Server 2004 allow for the creation of a traditional perimeter (DMZ) network. This network model, shown in Figure 5.2, isolates Internet-facing services into a dedicated network that has little access to resources in the internal network. The idea behind this model is that if one of the servers in the DMZ were to be compromised, the attacker would have access to only DMZ resources, and would not be able to directly hit any of the clients or servers on the internal network.

Figure 5.2. Viewing a perimeter network model.


Establishing a perimeter network is as simple as putting a third network card into an ISA firewall and setting up a dedicated network. The third NIC is then plugged into that network to establish ISA's presence in the network and force traffic through the ISA server. The final step is to define the IP address of the network in the ISA console and to set up the network and firewall rules between the new perimeter network and the internal network. More information on these topics, including step-by-step instructions, can be found later in this chapter.

Deploying Additional Networks

ISA is not limited to three defined networks. On the contrary, the software is limited only to setting up as many networks as there are network cards in the server itself. Theoretically, additional networks can be established for wireless access points, server-only networks, client networks, and any other type of network. Defining the network is as straightforward as configuring the proper network definitions and network rules in the ISA Console.



    Microsoft Internet Security and Acceleration ISA Server 2004 Unleashed
    Microsoft Internet Security and Acceleration (ISA) Server 2004 Unleashed
    ISBN: 067232718X
    EAN: 2147483647
    Year: 2005
    Pages: 216
    Authors: Michael Noel

    Similar book on Amazon

    flylib.com © 2008-2017.
    If you may any questions please contact us: flylib@qtcs.net