An ISA Server with a single connected NIC interface is still a very powerful tool. Although not a full firewall while deployed like this, the ISA server becomes a security appliance, similar to many of the other security products that are available. This deployment scenario is exceedingly common, so it is important to understand what ISA can do when deployed as a unihomed server, and what limitations it has as well.
Understanding How Reverse Proxies Work
To understand what a reverse proxy is, it is important first to define what a proxy server does in the first place. ISA Server 2004 descends from the product originally named Proxy Server 1.x/2.x. (ISA Server 2004 is the 4.x version of that product line.) The product was designed to assist internal clients in retrieving web and FTP content from the Internet by having the clients route all their requests through the server rather than connecting to Internet hosts directly.
The advantage of this approach is that Internet browsing is optimized because the server keeps copies of the pages that are accessed, so that when another client requests the same page, the server simply returns the cached copy it already holds. This eases Internet bandwidth constraints and accelerates the flow of content to the client. For more information on traditional forward proxy with ISA Server 2004, refer to Chapter 8, "Deploying ISA Server 2004 as a Content Caching Server."
Reverse Proxy works in a similar way, except in this case the clients are on the Internet, and the server that is being accessed is in the organization's environment. This concept gave rise to the term "reverse" proxy, in that the client/server relationship is flipped when compared to a standard "forward" proxy. For example, Figure 7.1 illustrates how a reverse proxy protects internal servers by acting as a bastion host to the traffic.
Figure 7.1. Understanding how reverse proxy servers work.
The other significant difference between reverse proxy and forward proxy is the purpose of the server. In the deployment described here, the reverse proxy is not there to cache traffic; its primary role is to secure the connection to the published server by inspecting each request and preventing any direct communication from untrusted networks from reaching the internal servers.
There are many other reverse proxy products in the market today. Some are considerably more expensive, and a small handful are less expensive than ISA Server 2004. For many organizations, however, the reverse proxy capabilities of ISA Server have earned it a place as a dedicated security device deployed in the DMZs of their firewalls.
Deploying a Unihomed ISA Server as a Security Appliance
It is important to note that ISA Server 2004 does an extremely good job at providing reverse proxy capabilities to organizations, in addition to the other types of functionality that it possesses. It was specifically designed to understand the types of communications that are supposed to occur over commonly used services such as Outlook Web Access and standard web page access. These factors have positioned ISA as one of the more attractive options for securing these particular services.
That said, many organizations are not willing to simply throw away existing security infrastructure, such as packet-filter firewalls, VPN solutions, intrusion detection equipment, and the like. The real advantage in ISA's case is that it is not necessary to replace anything currently in place. Deploying ISA as a dedicated reverse-proxy security appliance simply adds a layer of security to an environment, and the only configuration required on existing firewalls in this deployment scenario is creating rules that pass the published protocols (such as HTTP or HTTPS) from the Internet to the ISA server, and from the ISA server to the published internal servers.
One of the key points of this type of deployment scenario is that it removes the "religious" debates about Microsoft products from the conversation. It is no longer necessary to try to convince skeptical security personnel that the keys to the entire organization should be held by a Microsoft product. Instead, ISA is deployed and governed by the rules set forth by the existing security infrastructure. This also keeps Exchange front-end servers and other types of application servers, along with the "swiss-cheese" firewall rules they would need to reach their back-end systems, out of the DMZ.
It should be pointed out that this chapter does not imply that ISA Server 2004 is not capable of filling other roles within an organization such as edge firewall, VPN server, or caching solution. It simply points out that ISA can be, and is often, deployed in other types of scenarios, such as this one, and can be a welcome improvement to the security of organizations without any modifications to existing infrastructure.
Understanding the Capabilities of ISA Server 2004 Reverse Proxy
Unihomed ISA Servers do not have the full range of capabilities that multi-homed ISA servers do, such as the edge firewall and network-filtering roles that multi-homed deployment scenarios offer. That said, however, the reverse proxy capabilities that ISA does offer are quite powerful, and may be all that is necessary for ISA Server to be considered a success in an organization. For example, securing Exchange Outlook Web Access (OWA) with publishing rules, which can be easily accomplished on a unihomed server, is quite likely the single most common deployment scenario for ISA today. In addition, ISA possesses the capability to publish and secure other web servers, Microsoft SharePoint sites, and certain other applications as well.
Defining Web Server Publishing Rules for Reverse Proxy
ISA Server 2004 Reverse Proxy makes it possible to secure web and other HTTP-based services through a logical construct known as a web server publishing rule. A web server publishing rule is a firewall policy rule that uses specific filters to inspect web traffic and force that traffic to conform to specific conventions. For example, a web server publishing rule can be set up to allow Internet access to a web server, but to restrict that access to particular subdirectories (URL paths) on the server, and to require that only specific HTTP methods (such as GET and POST) are used. Requests that fall outside those conventions are rejected at the ISA server and never reach the published server.
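The following is an added illustration, not ISA Server code, of the decision a web server publishing rule makes for each inbound request: it checks the public host name, the HTTP method, and the requested path against what has been published, and only then forwards the request to the internal server. The rule contents (the host name mail.companyabc.com, the internal server name, the OWA paths) are assumptions chosen for the example. Note that the path is canonicalized before comparison; a rule that publishes only /exchange/ would be worthless if /exchange/../iisadmin/ or a doubly percent-encoded equivalent were compared literally.

```python
# Toy model of an ISA Server 2004 web publishing rule as enforced by a
# reverse proxy. Constructed example, not ISA Server code; host names,
# paths and the rule layout are assumptions made for illustration.
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit
import posixpath


@dataclass(frozen=True)
class WebPublishingRule:
    name: str
    public_names: frozenset    # Host header values this rule answers for
    allowed_methods: frozenset # HTTP methods permitted through the rule
    allowed_paths: tuple       # external path prefixes that may be reached
    internal_server: str       # scheme://host of the published server


def normalize_path(raw_target: str) -> str:
    """Canonicalize the request path before comparing it with the rule.

    Percent-decoding is repeated until it stops changing the string, so a
    doubly encoded '..' (%252e%252e) is seen for what it is, and '.' / '..'
    segments are collapsed so '/exchange/../x' cannot satisfy a rule that
    publishes only '/exchange/'.
    """
    path = urlsplit(raw_target).path or "/"
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    norm = posixpath.normpath(path)
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"
    return norm


def evaluate(rule: WebPublishingRule, method: str, host: str, raw_target: str):
    """Return ('allow', url_to_forward_to) or ('deny', reason)."""
    # Host header is compared without port and case-insensitively.
    if host.split(":")[0].lower() not in rule.public_names:
        return ("deny", "host not published by this rule")
    # Methods are case-sensitive in HTTP; anything not listed is refused.
    if method not in rule.allowed_methods:
        return ("deny", f"method {method} not permitted")
    path = normalize_path(raw_target)
    for prefix in rule.allowed_paths:
        if path == prefix.rstrip("/") or path.startswith(prefix):
            return ("allow", rule.internal_server + path)
    return ("deny", f"path {path} outside published paths")


# Assumed rule: publish Outlook Web Access on a single public host name.
OWA_RULE = WebPublishingRule(
    name="Publish OWA",
    public_names=frozenset({"mail.companyabc.com"}),
    allowed_methods=frozenset({"GET", "HEAD", "POST"}),
    allowed_paths=("/exchange/", "/exchweb/", "/public/"),
    internal_server="http://owa-fe.companyabc.internal",
)

if __name__ == "__main__":
    # Constructed sample requests: (method, Host header, request-target).
    samples = [
        ("GET", "mail.companyabc.com", "/exchange/jdoe/Inbox/"),
        ("POST", "mail.companyabc.com", "/exchweb/bin/auth/owaauth.dll"),
        ("GET", "mail.companyabc.com", "/exchange/../iisadmin/"),
        ("GET", "mail.companyabc.com", "/exchange/%252e%252e/scripts/"),
        ("DELETE", "mail.companyabc.com", "/exchange/jdoe/Inbox/"),
        ("GET", "10.0.0.5", "/exchange/"),
    ]
    for m, h, t in samples:
        verdict, detail = evaluate(OWA_RULE, m, h, t)
        print(f"{verdict:5} {m:6} {h:22} {t:36} -> {detail}")
```

The two traversal requests in the sample set are both denied because they normalize to /iisadmin/ and /scripts/, neither of which is published; the DELETE is denied on method alone, and the request addressed to the server's IP address rather than its public name is denied before the path is even examined. ISA's own HTTP filter performs the equivalent normalization before it applies a rule's path and method restrictions.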
There are many variations of web server publishing rules, and it is important to understand how different web publishing rules can be set up.
Web server publishing rules are unique in that only they (along with web-based mail publishing rules such as OWA rules) can be used when an ISA server is deployed with a single NIC. Other types of server publishing rules, such as RPC publishing rules, DNS publishing rules, Telnet publishing rules, and any non-HTTP-based rules, cannot be set up on a single-NIC ISA Server. The only exception to this rule is the SMTP Screener component, which can also be effectively used on a unihomed ISA Server.
The process for setting up web server publishing rules is almost exactly the same for multi-homed and unihomed ISA servers. The only difference is that when the rule is created, the source network for the unihomed server does not meaningfully apply, and can be set to All Networks. (With a single NIC, ISA cannot distinguish networks by interface and treats everything that is not the local host as a single network.) With this understanding in mind, more specific information on setting up web server publishing rules can be found in Chapter 14, "Securing Web (HTTP) Traffic."
Using a Unihomed ISA Server for SMTP Filtering
Another common use for a unihomed ISA Server is securing SMTP traffic through use of the SMTP Screener component. This component enables the ISA server to behave like a real SMTP server, so that mail is sent through it just as it would be sent through a regular mail server. In this model the ISA server is deployed as an SMTP smarthost (relay), whose main job is to process and scan mail traffic for content and/or viruses before it is passed into the internal mail environment.