ISA Server can perform several functions. It can cache Web content to provide accelerated access for users, which is how it was used in its first release as Microsoft Proxy Server. In the past two releases, the product's focus has been increasingly on being a very robust Layer 7 firewall that can inspect the payload of network packets to ensure they contain secure content.
ISA Server can also be installed to function as both a caching server and a firewall, although caching is now disabled by default. Both functions have many complex aspects, so it is important to understand some of the more widely used functions of each.
As a firewall, ISA Server stands between your internal network(s) and the Internet; it protects your internal resources from external attacks, and can prevent internal computers from accessing certain external sites. It can even protect traffic within your network by filtering the traffic at the highest network level. The following are the key firewall benefits of ISA Server:
Secure publishing. This function makes internal resources, like a Microsoft Exchange server, safely available to clients connecting across the Internet. External clients use the public Internet Protocol (IP) address of the ISA Server to access content. The transaction is checked and delivered to the internal server only if the right conditions are met. The internal servers are never directly exposed to the Internet, making them much more secure. See Chapter 8, "Configuring ISA Firewall Policy," for more information about publishing.
Packet, circuit, and application-layer filtering. Filters make explicitly allowed resources available to specified applications, computers, and users only when needed. Filters make it possible to protect your network when the protocols you use aren't secure in themselves; for example, you can force user authentication for legacy Transmission Control Protocol/User Datagram Protocol (TCP/UDP) connections using ISA Server 2004. See Chapter 8 for more information.
Integrated intrusion detection. There are several preconfigured conditions that, when met, will trigger alerts that inform an administrator of attempts to breach the firewall. These attacks include the following: generic port scan attack, enumerated port scan attack, IP half scan attack, SYN/LAND attacks, ping of death attack, UDP bomb attack, and Windows out-of-band attack. ISA Server also contains application filters that help to identify and prevent common Domain Name System (DNS) and Post Office Protocol 3 (POP3) attacks.
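As an added illustration (not ISA Server code and not its actual detection rules), the following Python models three of the preconfigured conditions listed above, a LAND packet, an enumerated port scan and an IP half scan, over a constructed set of TCP header records; the packet records, the host addresses and the port-scan threshold are assumptions.

```python
from collections import defaultdict

def pkt(src, sport, dst, dport, *flags):
    """Build one constructed TCP header record (these are not ISA Server log lines)."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": set(flags)}

HOST = "192.0.2.10"  # assumed protected host
PACKETS = (
    [pkt(HOST, 139, HOST, 139, "SYN")]                                        # LAND: src == dst
    + [pkt("198.51.100.7", 40000 + i, HOST, 20 + i, "SYN") for i in range(12)]  # enumerated port scan
    + [pkt("198.51.100.9", 51000, HOST, 22, "SYN"),                          # IP half scan: SYN,
       pkt(HOST, 22, "198.51.100.9", 51000, "SYN", "ACK"),                   # SYN/ACK reply,
       pkt("198.51.100.9", 51000, HOST, 22, "RST")]                          # then RST, never ACK
    + [pkt("10.0.0.5", 52000, HOST, 80, "SYN"),                              # normal handshake,
       pkt(HOST, 80, "10.0.0.5", 52000, "SYN", "ACK"),                       # must not alert
       pkt("10.0.0.5", 52000, HOST, 80, "ACK")]
)
PORT_SCAN_THRESHOLD = 10  # distinct ports from one source to one host; assumed value

def detect_land(packets):
    """LAND: a SYN whose source address:port equals its destination address:port."""
    return [p for p in packets if "SYN" in p["flags"] and p["src"] == p["dst"] and p["sport"] == p["dport"]]

def detect_port_scan(packets, threshold=PORT_SCAN_THRESHOLD):
    """Port scan: one source sends bare SYNs to many distinct ports on one host."""
    ports = defaultdict(set)
    for p in packets:
        if p["flags"] == {"SYN"}:
            ports[(p["src"], p["dst"])].add(p["dport"])
    return {pair: len(seen) for pair, seen in ports.items() if len(seen) >= threshold}

def detect_half_scan(packets):
    """IP half scan: client SYN, server SYN/ACK, then a client RST and no ACK."""
    flows = defaultdict(list)  # (client, client port, server, server port) -> flag history
    for p in packets:
        if p["flags"] == {"SYN"}:
            flows[(p["src"], p["sport"], p["dst"], p["dport"])].append("SYN")
        elif p["flags"] == {"SYN", "ACK"}:
            flows[(p["dst"], p["dport"], p["src"], p["sport"])].append("SYN/ACK")
        elif p["flags"] in ({"ACK"}, {"RST"}):
            key = (p["src"], p["sport"], p["dst"], p["dport"])
            if key in flows: flows[key].append(next(iter(p["flags"])))
    return [k for k, h in flows.items() if h[:2] == ["SYN", "SYN/ACK"] and "RST" in h[2:] and "ACK" not in h[2:]]

def run_detectors(packets=PACKETS):
    """Alerts an ISA-style detector would raise for the packet set (counts and flow keys)."""
    return {"land": len(detect_land(packets)), "port_scan": detect_port_scan(packets),
            "half_scan": detect_half_scan(packets)}
```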
By default, no traffic is allowed through your ISA Server installation. You must set up an access rule to allow communication between the internal clients and the Internet. See Chapter 8 for more information.
A detailed description of each of the named attacks is included in Chapter 6, "Monitoring and Reporting."
Several new features include setting quotas on TCP/UDP connections, protection against syncookies exploits, and spoof detection. See Chapter 10, "ISA Server Security and Administration," for more information.
ISA Server functioning as a caching server allows Internet content, such as images on a Web page, to be stored (cached) at a location on your internal network. When the Web content is requested again, it is provided to the requestor from an internal server rather than from a more distant Internet location. This improves the speed at which Web content can be served, because the files are retrieved at the speed of your local network instead of the much slower speed of your Internet connection, and it leaves valuable Internet bandwidth free for other applications. ISA Server configured as a Web-caching server brings many improvements over earlier versions of the software. The following are some of ISA Server's caching features:
High-performance Web cache. Most cached objects are stored in the server's RAM as well as on disk, which significantly improves the speed at which the ISA server can provide content to requesting clients. The cache is now in a single, indexed file on each ISA server, which allows for quicker and more efficient searches of cached content. You can also configure arrays, which allows you to distribute the cache across several different computers. In ISA Server 2000, Web content had to be forwarded to a separate proxy process (W3proxy.exe); in ISA Server 2004, Web content is processed by the new Hypertext Transfer Protocol (HTTP) filter, which improves both authentication and performance.
Scheduled download service. When clients access certain popular and quickly changing Web content, such as the MSN home page, you can schedule ISA Server to download the content automatically on a regular basis (e.g., every 15 minutes). This allows only certain sites to be updated on a regular basis, rather than updating all sites more frequently.
Distributed and hierarchical caching. Rather than duplicating Web content on all servers, ISA Server allows Web content to be distributed across the enterprise. Certain servers are responsible for certain sites and content, making more efficient use of space on internal servers and leveraging the higher-speed access of the LAN to share Internet content. Distributed caching is available only in the Enterprise Edition.
Active caching. This feature is no longer available in ISA Server 2004.
For information on how to configure caching, see Chapter 2, "Installing and Configuring Microsoft ISA Server Standard Edition."