Chapter 7. Deploying ISA Server as a Reverse Proxy in an Existing Firewall DMZ
Although ISA Server can fill many roles within an organization, such as VPN server, edge firewall, content caching device, and many more, it is not always used to fill these roles. In many deployment scenarios, ISA Server 2004 is used solely for its reverse proxy functionality. In these configurations, ISA is typically deployed in the perimeter (DMZ) network of an existing firewall, where it protects web and related services such as Exchange Outlook Web Access (OWA) from external intrusion and attack. Although it does not take full advantage of ISA features, this is a perfectly valid deployment scenario, and a relatively common one at that.
Many organizations are finding that ISA Server 2004 provides a relatively inexpensive solution to the problem of securing Internet-facing services. It doesn't require them to replace existing firewall or security infrastructure or make ISA a domain member. An ISA Server deployed with a single NIC looks and acts like the target web or OWA server to clients, while actually acting as a proxy for the traffic, intercepting it and scanning it at the Application layer of the TCP/IP stack. Indeed, this is often how ISA first makes it into an organization: as security dictates an answer to the problems faced when services are exposed to the Internet.
This chapter focuses on the scenarios involved in deploying ISA as a security appliance in the DMZ network of an existing firewall. The differences in setup and configuration between this model and the other ISA deployment models are outlined, and best-practice configuration information on deploying ISA in this manner is provided, including such common tasks as securing OWA, SharePoint sites, and web servers.