In general, the larger the environment, the more likely it is that ISA will be deployed in a unihomed configuration. This has less to do with deficiencies in ISA itself and more to do with the investment these organizations have already made in their existing security infrastructure. For many, it is simply too difficult, time-consuming, or politically challenging to replace firewalls, SSL VPNs, and other security infrastructure with a new system such as ISA Server 2004.
What these organizations are finding, however, is that ISA as a reverse proxy is a valid option for them, and can be configured to secure and protect internal company resources. What happens in many cases is that ISA gets deployed in this scenario, and eventually finds its way into other layers of an organization's security infrastructure after ISA's features are gradually understood.
Large organizations have specific special needs that aren't fully met by a standard ISA deployment. Fortunately, the Enterprise version of the product provides for these needs, above and beyond the capabilities of the Standard version.
Deploying ISA Security Appliances for Redundancy and Load Balancing
Achieving redundancy of ISA components requires either a third-party load-balancing solution, such as a Cisco Content Switch, or a built-in load-balancing solution, such as Windows Network Load Balancing.
Unfortunately, ISA Server 2004 Standard Edition does not natively support Network Load Balancing (NLB). The limitation lies in ISA Standard's inability to ensure that both directions of a load-balanced flow passing between two separate networks are handled by the same array member (a property known as bi-directional affinity).
Because the limitations of ISA Server 2004 Standard with Network Load Balancing are related to issues of bi-directional affinity, it is theoretically possible to use NLB between different unihomed ISA Standard servers. Although this is possible, it is not a supported configuration and is not recommended.
Larger organizations, when deploying unihomed ISA servers, often turn to the Enterprise version to provide failover of services by using NLB. This enables the reverse proxy functionality to remain up and running upon the failure of a single server. For these organizations, downtime of an OWA site or a company website is simply not acceptable, and the Enterprise version of the software supports improving the overall uptime of the solution.
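The following is an added illustration, not code from the book, of why bi-directional affinity is the sticking point for a multihomed NLB array and why a unihomed reverse proxy sidesteps it. It is a simplified model: NLB hashes an affinity key (the client IP in single-affinity mode) into a bucket, and the host that owns the bucket accepts the packet. The toy hash, the two-host array, and the address ranges are assumptions; NLB's real hash is not documented. Without bi-directional affinity the external-side cluster hashes on the client address while the internal-side cluster hashes on the reply's source, the published server, so the reply can land on a host that never saw the request and a stateful firewall drops it. With bi-directional affinity the internal side hashes on the reply's destination (the original client), so both directions pick the same host.

```python
"""Simplified model of NLB host selection on a two-homed firewall array.

Added example. Not part of ISA Server or the book; the hash function, host
count and sample addresses are assumptions used only to make the point.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str  # source IP address
    dst: str  # destination IP address


def nlb_bucket(key: str, hosts: int) -> int:
    """Map an affinity key to one of `hosts` buckets (toy stand-in for NLB's hash)."""
    h = 0
    for b in key.encode():
        h = (h * 31 + b) & 0xFFFFFFFF
    return h % hosts


def owner_single_affinity(pkt: Packet, hosts: int) -> int:
    """Single affinity: the host is chosen from the packet's source address."""
    return nlb_bucket(pkt.src, hosts)


def owner_bda_inside(pkt: Packet, hosts: int) -> int:
    """Internal-side selection with bi-directional affinity: hash on the
    destination, which for a reply is the original client address."""
    return nlb_bucket(pkt.dst, hosts)


def flow_owners(client: str, server: str, hosts: int, bda: bool) -> tuple:
    """Return (host owning the request, host owning the reply) for one flow."""
    request = Packet(client, server)   # arrives on the external cluster NIC
    reply = Packet(server, client)     # arrives on the internal cluster NIC
    req_owner = owner_single_affinity(request, hosts)
    if bda:
        rep_owner = owner_bda_inside(reply, hosts)
    else:
        rep_owner = owner_single_affinity(reply, hosts)
    return req_owner, rep_owner


def mismatch_rate(clients, server: str, hosts: int, bda: bool) -> float:
    """Fraction of flows whose reply would reach a host that never saw the
    request (and would therefore be dropped as unsolicited by a stateful
    firewall)."""
    clients = list(clients)
    bad = sum(1 for c in clients if len(set(flow_owners(c, server, hosts, bda))) > 1)
    return bad / len(clients)


# Constructed sample: 50 Internet clients talking to one published server.
SAMPLE_CLIENTS = [f"198.51.100.{i}" for i in range(1, 51)]
SAMPLE_SERVER = "10.0.0.10"

if __name__ == "__main__":
    for bda in (False, True):
        rate = mismatch_rate(SAMPLE_CLIENTS, SAMPLE_SERVER, hosts=2, bda=bda)
        print(f"bi-directional affinity={bda}: {rate:.0%} of flows split across hosts")
```

A unihomed reverse proxy has only one cluster interface: the array member opens its own connection to the internal server from its dedicated address, so the reply returns directly to that member and NLB never has to match the two directions. That is why the limitation in ISA Standard bites only when two NLB-enabled interfaces are involved.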
For more information on ISA Server 2004 Enterprise Edition, see Chapter 6, "Deploying ISA Server Arrays with ISA Server 2004 Enterprise Edition."
Monitoring and Intrusion Detection on ISA Servers in the DMZ
Monitoring an ISA Server in a firewall's DMZ can prove particularly challenging. The firewall is often configured to block remote administration traffic on its usual ports, such as the RPC-based ISA Management Console (MMC) traffic and Remote Desktop Protocol (RDP). For this type of access to work, the ISA server's own policy must first allow it, and then the firewall must allow it as well. This means opening the proper ports on the firewall from the management consoles to the ISA server. In the worst case, ISA can be managed only from the keyboard, mouse, and monitor attached to the server itself.
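Because both the ISA policy and the DMZ firewall have to permit the management traffic, a quick end-to-end reachability check from the management console is worth having before blaming either side. The following is an added example, not code from the book or from ISA Server. RDP on TCP 3389 and the RPC endpoint mapper on TCP 135 are standard; the dynamic RPC range of 5000-5020 is an assumption standing in for whatever restricted range has been configured on the ISA server (Windows allows the range to be narrowed through the Rpc\Internet registry key, which is what makes RPC-based MMC access feasible through a firewall at all). The common failure mode the check is built around is a firewall rule that opens 135 but not the dynamic range: the console resolves the server and then times out.

```python
"""Check the management ports from a console to a DMZ ISA server.

Added example, not ISA Server code. Port 3389 (RDP) and 135 (RPC endpoint
mapper) are standard; the dynamic RPC range below is an assumed, restricted
range and must match what is configured on the ISA server.
"""
import socket
from typing import Callable, Dict, List, Tuple

# Each management path lists every TCP port it needs end to end (assumed values).
MANAGEMENT_PATHS: Dict[str, List[int]] = {
    "rdp": [3389],
    "mmc_rpc": [135] + list(range(5000, 5021)),  # endpoint mapper + dynamic range
}


def tcp_connect(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_management_access(
    host: str,
    paths: Dict[str, List[int]] = MANAGEMENT_PATHS,
    connect: Callable[[str, int], bool] = tcp_connect,
) -> Dict[str, Tuple[bool, List[int]]]:
    """Return {path_name: (usable, blocked_ports)}.

    A path is usable only when every port it depends on answers. A partially
    open path (135 reachable, dynamic range blocked) is reported as unusable
    with the exact ports that still need a rule on the firewall or in the ISA
    system policy.
    """
    report: Dict[str, Tuple[bool, List[int]]] = {}
    for name, ports in paths.items():
        blocked = [p for p in ports if not connect(host, p)]
        report[name] = (not blocked, blocked)
    return report


def summarize(report: Dict[str, Tuple[bool, List[int]]]) -> List[str]:
    """Render the report as one line per management path."""
    lines = []
    for name, (usable, blocked) in report.items():
        if usable:
            lines.append(f"{name}: OK")
        else:
            lines.append(f"{name}: BLOCKED on {blocked}")
    return lines


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "isa-dmz.example.com"  # assumed name
    for line in summarize(check_management_access(target)):
        print(line)
```

Run it from the management workstation, not from the ISA server, so that the test traverses the same firewall rules the console will use. A path reported as blocked narrows the problem to specific ports; whether the rule is missing on the firewall or in the ISA system policy still has to be checked on each device.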
For more information on monitoring an ISA Server, see Chapter 19, "Monitoring and Troubleshooting an ISA Server 2004 Environment."