ISA 2000 Enterprise Edition introduced the concept of an array, and ISA Server 2004 Enterprise improved upon it. Essentially, an array is a grouping of ISA Servers that have the same NIC configuration and are connected to the same networks. They are meant to act as redundant, load-balanced members of a network team, either with integrated Windows Load Balancing or through the use of a third-party load balancer. For example, an organization may have an array of ISA Servers acting as edge firewalls. If one of the array members were to go down, the other one would shoulder the load. There also may be other arrays within the organization that protect other critical network segments from internal intrusion. In short, arrays provide a critical measure of load balancing and redundancy to a security environment.

Creating Arrays

Arrays can be defined in CSS before the ISA Servers have been installed. In this example, a single edge-firewall array is created via the following procedure:

Configuring Array Settings

Creating an array opens up an entirely new set of nodes in the ISA Enterprise Admin Console, as shown in Figure 6.15. In fact, the array nodes may look familiar to an administrator who knows the Standard version because they are nearly identical to that version.

Figure 6.15. Examining the newly created array console settings.

To view and modify properties for the array, right-click the array name and choose Properties. The following tabs, shown in Figure 6.16, are available for review of an array:

Figure 6.16. Examining the array properties tabs.

Creating the NLB Array Network

If Windows Network Load Balancing will be used for the ISA Servers, then an additional NIC needs to be added and an isolated network created between those two servers, as shown in Figure 6.2. This network is solely devoted to NLB traffic, which is required because NLB operates only in unicast mode. In addition to being physically set up to provide for NLB, the network needs to be defined within the array. To define this network, do the following:

Defining Array Policies

After the array has been configured, standard firewall policies can be defined for the array. These policies follow the same concepts as in the Standard version, and specific chapters in this book can be used to configure these policies. For example, a mail publishing rule can be used to secure an OWA site through the array, or a SQL Server can be published. The options are nearly endless. As previously mentioned, the specific array policies are applied after the initial enterprise policies and before the final enterprise policies.
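
The policy ordering described above, sketched as an added example (not code from the book or from ISA Server): it models the three policy tiers as ordered lists and flags array rules that an earlier enterprise rule makes unreachable. It assumes first-match-wins evaluation with a final default deny; the Rule fields, rule names and network names are constructed for illustration.

```python
from dataclasses import dataclass

ANY = "*"

@dataclass(frozen=True)
class Rule:
    name: str
    action: str    # "allow" or "deny"
    protocol: str  # simplified match fields; ANY is a wildcard
    source: str
    dest: str

    def matches(self, protocol, source, dest):
        pairs = ((self.protocol, protocol), (self.source, source), (self.dest, dest))
        return all(mine in (ANY, theirs) for mine, theirs in pairs)

    def covers(self, other):
        # Every request that matches `other` also matches this rule.
        return self.matches(other.protocol, other.source, other.dest)

def effective_policy(enterprise_before, array_rules, enterprise_after):
    # Order stated in the text: initial enterprise, then array, then final enterprise.
    tiers = (("enterprise-before", enterprise_before), ("array", array_rules),
             ("enterprise-after", enterprise_after))
    return [(tier, rule) for tier, rules in tiers for rule in rules]

def evaluate(policy, protocol, source, dest):
    # Assumption: first matching rule decides; unmatched traffic is denied.
    for tier, rule in policy:
        if rule.matches(protocol, source, dest):
            return rule.action, tier, rule.name
    return "deny", "default", "Default rule"

def shadowed(policy):
    # Audit check: rules that can never fire because an earlier rule covers them.
    findings = []
    for i, (tier, rule) in enumerate(policy):
        for prev_tier, prev in policy[:i]:
            if prev.covers(rule):
                findings.append((rule.name, tier, prev.name, prev_tier))
                break
    return findings

# Constructed sample policy (all names hypothetical).
POLICY = effective_policy(
    [Rule("No external SQL", "deny", "MSSQL", "External", ANY)],
    [Rule("Publish OWA", "allow", "HTTPS", "External", "owa-server"),
     Rule("Publish SQL", "allow", "MSSQL", "External", "sql-server")],
    [Rule("Internal web access", "allow", "HTTP", "Internal", "External")])
```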