Creating and Configuring Arrays

ISA 2000 Enterprise Edition introduced the concept of an array, and ISA Server 2004 Enterprise improved upon it. Essentially, an array is a grouping of ISA Servers that have the same NIC configuration and are connected to the same networks. They are meant to act as redundant, load-balanced members of a network team, either with integrated Windows Load Balancing or through the use of a third-party load balancer.

For example, an organization may have an array of ISA Servers acting as its edge firewalls. If one of the array members were to go down, the other one would shoulder the load. There may also be other arrays within the organization that protect other critical network segments from internal intrusion. Essentially, arrays provide a critical measure of load balancing and redundancy to a security environment.

Creating Arrays

Arrays can be defined in CSS before the ISA Servers have been installed. In this example, a single edge-firewall array is created via the following procedure:


From the ISA Enterprise Admin Console, click on the Arrays Node in the Console tree.


In the Tasks tab, click the Create New Array link.


Enter a name for the array, such as Edge-Array.


Under the Array DNS Name dialog box, shown in Figure 6.13, enter the Fully Qualified Domain Name (FQDN) of the array, such as, and click Next to continue.

Figure 6.13. Creating an array.


In the Assign Enterprise Policy dialog box, select the customized policy previously created from the drop-down box, such as CompanyABC Policy, and click Next to continue.


Under the types of array firewall policy rules that can be created, leave all checked, as displayed in Figure 6.14, and click Next to continue.

Figure 6.14. Defining array policy rule types.


The Array Policy Rule Types dialog box allows the array to be restricted to specific types of rules, such as deny, allow, or publishing rules. This can be useful for securing an array.


Click Finish, OK, Apply, and OK to save the settings.

Configuring Array Settings

Creating an array opens up an entirely new set of nodes in the ISA Enterprise Admin Console, as shown in Figure 6.15. In fact, the array nodes may look familiar to an administrator who knows the Standard version because they are nearly identical to the nodes in that version.

Figure 6.15. Examining the newly created array console settings.

To view and modify properties for the array, right-click on the array name and choose Properties. The following tabs, shown in Figure 6.16, are available for review of an array:

  • General: Name and description of the array.

  • Policy Settings: Which enterprise policy to apply to the array and which policy rule types can be applied.

  • Configuration Storage: The FQDN of the main CSS server and an alternate server (if necessary), in addition to the definition of how often the CSS is checked for updates.

  • Intra-Array Credentials: Defines what type of credentials (domain or workgroup) are used for intra-array communications.

  • Assign Roles: Allows for delegation of administration at the array level.

Figure 6.16. Examining the array properties tabs.

Creating the NLB Array Network

If Windows Network Load Balancing will be used for the ISA Servers, then an additional NIC needs to be added and an isolated network created between those two servers, as shown in Figure 6.2. This network is solely devoted to NLB traffic, which is required because NLB operates only in unicast mode.

As well as being physically set up to provide for NLB, the network needs to be defined within the array. To define this network, do the following:


In the ISA Enterprise Admin Console, click on Arrays, Edge-Array (Array Name), Configuration, Networks node in the Console tree.


In the Tasks tab of the Tasks pane, click the link for Create a New Network.


In the Network Name field, enter Edge-Array-NLB and click Next.


In the Network Type dialog box, shown in Figure 6.17, select Perimeter Network and click Next.

Figure 6.17. Creating the NLB Array Network.


Under Network Addresses, click Add Range.


Enter a start address and end address, such as and, and click OK.


After the address is entered, click Next to continue.


Click Finish, Apply, and OK.

Defining Array Policies

After the array has been configured, standard firewall policies can be defined for the array. These policies follow the same concepts as in the Standard version, and specific chapters in this book can be used to configure these policies. For example, a mail publishing rule can be used to secure an OWA site through the array, or a SQL Server can be published. The options are nearly endless.

As previously mentioned, the specific array policies are applied after the initial enterprise policies and before the final enterprise policies.
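
The ordering described above, together with the Array Policy Rule Types restriction from the array creation steps, can be modeled in a few lines. This is an added example, not code from the book or from ISA Server; it assumes ordered first-match rule evaluation ending in a default deny, reduces rule matching to a protocol and a destination, and uses constructed rule names and hosts.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    kind: str       # "allow", "deny" or "publishing" (the array rule types)
    protocol: str   # simplified match field; "*" matches anything
    dest: str       # simplified match field; "*" matches anything

    def covers(self, protocol, dest):
        return self.protocol in ("*", protocol) and self.dest in ("*", dest)

def disallowed_array_rules(array_rules, permitted_kinds):
    """Array rules whose type is not checked in Array Policy Rule Types."""
    return [r.name for r in array_rules if r.kind not in permitted_kinds]

def effective_policy(before, array_rules, after):
    """Initial enterprise rules, then array rules, then final enterprise rules."""
    return ([("enterprise-before", r) for r in before]
            + [("array", r) for r in array_rules]
            + [("enterprise-after", r) for r in after])

def evaluate(policy, protocol, dest):
    """First matching rule decides; no match falls through to the default deny."""
    for tier, rule in policy:
        if rule.covers(protocol, dest):
            return ("deny" if rule.kind == "deny" else "allow", tier, rule.name)
    return ("deny", "default", "Default rule")

def shadowed_array_rules(before, array_rules):
    """Array rules that never take effect because an initial enterprise rule covers them."""
    return [(a.name, b.name) for a in array_rules for b in before
            if b.covers(a.protocol, a.dest)]

# Constructed sample policy (rule names and hosts are illustrative only).
BEFORE = [Rule("Block Telnet", "deny", "telnet", "*")]
ARRAY = [Rule("Telnet to partner", "allow", "telnet", "partner.example"),
         Rule("Web access", "allow", "http", "*"),
         Rule("Publish OWA", "publishing", "https", "owa.example")]
AFTER = [Rule("HTTP backstop", "deny", "http", "*")]
POLICY = effective_policy(BEFORE, ARRAY, AFTER)

if __name__ == "__main__":
    for proto, dest in [("telnet", "partner.example"), ("http", "www.example"),
                        ("ftp", "ftp.example")]:
        print(proto, dest, evaluate(POLICY, proto, dest))
    print("shadowed:", shadowed_array_rules(BEFORE, ARRAY))
    print("blocked by rule-type limit:", disallowed_array_rules(ARRAY, {"deny"}))
```

In this model, an array administrator cannot override the initial enterprise deny, while an array allow rule takes effect ahead of a final enterprise deny for the same traffic.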

    Microsoft Internet Security and Acceleration (ISA) Server 2004 Unleashed
    ISBN: 067232718X
    Year: 2005
    Pages: 216
    Authors: Michael Noel