Concepts

The main goals of ISA Server are to insulate the network from hackers, improve Internet performance for clients on the network, and control client access to the Internet.

ISA Server maintains control of connectivity and isolates the internal network by having two (or more) completely separate physical connections—one to the Internet and one to the internal network. Each network is connected to a different network card, and all packets must pass through the ISA Server software to get from one connection to the other.

The mechanisms that ISA Server uses to achieve these aims are fairly straightforward. The following three basic techniques are used:

  • Network address translation
  • Packet filtering
  • Caching

The following sections discuss each of these techniques, as well as the different methods available to support clients, how ISA Server works in a large enterprise environment, and how to plan your ISA Server deployment.

There are two versions of ISA Server: the Standard Edition and the Enterprise Edition. The only difference is that the Enterprise Edition allows you to create and centrally manage arrays, which consist of one or more ISA servers linked together under a single Enterprise policy.

Real World

Methods of Sharing Internet Connections

There are two basic methods of providing Internet connectivity to clients on the network: using stand-alone devices such as a router or firewall device, and using software-based solutions running on a PC.

Microsoft offers a number of software-based solutions: Internet Connection Sharing (a simple method of sharing an Internet connection on a workgroup, built into Microsoft Windows XP, Windows 2000 Professional, Windows Me, and Windows 98 SE), Routing and Remote Access (a somewhat more sophisticated solution that comes integrated into Windows 2000 Server), and ISA Server, which replaces Proxy Server 2.0.

Although Routing and Remote Access is capable of sharing an Internet connection with multiple clients and providing limited security to the internal network using NAT, ISA Server provides better security and user control, in addition to accelerating Internet access for users.

Firewall devices such as those manufactured by SonicWall (http://www.sonicwall.com) can also provide powerful network security, although they are typically expensive and lack the acceleration and user access control features provided by ISA Server.

Network Address Translation

Network address translation (NAT) hides your actual IP address from machines beyond the device doing the translation. Only the device doing NAT needs to have a valid Internet IP address; all clients and servers on the internal network can be given free private addresses from the address ranges reserved for private networks (see sidebar).

To provide NAT, you can use a stand-alone router or firewall device, a proxy server or firewall software package such as ISA Server, or the built-in NAT functionality of Windows 2000 (provided by either the Routing and Remote Access service or the Internet Connection Sharing service).

Although NAT is the backbone of any Internet connection sharing technique, the security it provides is inadequate for networks where security is a priority (even home and small office users are increasingly requiring additional security methods). This is why ISA Server supplements NAT with additional security measures, most notably packet filtering.

Real World

IP Addresses for Internal Networks

Back when folks were deciding how to parcel out IP addresses (and long before anyone figured out how to perform NAT), the need for addresses that could be used for test networks was recognized. A special set of IP addresses called private network addresses was defined in RFC 1918 for test or other networks not physically connected to the Internet.

These private network addresses allow a much larger address space than would be possible with officially assigned addresses while protecting the integrity of the Internet. If a machine with one of these addresses were to connect to the Internet, it wouldn't cause a conflict with another machine because routers automatically filter out these addresses.

The following addresses are designated for private networks that won't be directly connected to the Internet. They can, of course, be connected to the Internet through ISA Server or another method that performs NAT.

10.0.0.0 through 10.255.255.255 (a single Class A network)
172.16.0.0 through 172.31.255.255 (16 contiguous Class B networks)
192.168.0.0 through 192.168.255.255 (256 contiguous Class C networks)

ISA Server automatically includes these addresses in its local address table (LAT) when you initially install the program.

Another by-product of using ISA Server for address translation is that all the machines on a network appear to have the same single address to the outside world—the external address of the ISA server itself. This allows an entire organization to connect to the Internet with as little as a single public IP address, and even that one address doesn't need to be a fixed IP address—ISA Server can handle a DHCP-supplied public IP address.

Packet Filtering

Because every packet that passes to or from the Internet must first pass through the ISA server, ISA Server is in a perfect position to act as a gatekeeper. Besides performing simple NAT, ISA Server can inspect each packet to see which protocol is being used and whether it's a permitted connection. This is called packet filtering, and it greatly increases the security of ISA Server.

When packet filtering is enabled, you can also restrict access to specific external sites or enable only certain external sites to be seen. In addition, third-party ISA Server plug-ins can add controls and functionality.

Caching

Every organization has certain sites that almost everyone uses regularly. Because even dynamic sites have much information that doesn't change often (like HTML documents, graphics files, and so on), ISA Server can cache information from these frequently accessed sites so that when users connect to the site, much of the information is actually delivered by the ISA server, not the remote site. Caching significantly improves the apparent speed of the connection to the Internet and leaves more Internet bandwidth available.

ISA Server can use off hours when few users are connected to the Internet to check frequently accessed sites to make sure that the information it has stored for that site is current. This monitoring, called active caching, helps to balance and smooth out demand, providing improved throughput during busier times because fewer pages and images need to be downloaded.

ISA Server also performs fancy tricks like splitting audio or video streams and sharing them with multiple users on the network, and performing reverse caching, which accelerates the perceived performance of the Web servers to Internet clients.

Client Types

Clients can connect to the ISA server using the Firewall client, the SecureNAT client, or the Web Proxy client.

For Windows clients, install the Firewall client software. This lets you manage clients by user group. For Macintosh and UNIX clients and network devices, set up their TCP/IP properties to use the ISA server as the default gateway. (This is what a SecureNAT client is: a client that uses the ISA server as its default gateway.) Set up all systems to use the Web proxy service for Web browsing. This is done automatically when you install the Firewall client software, but it must be done manually for SecureNAT clients.

Table 31-1 describes each method.

Table 31-1. ISA Server client modes

Feature                    Firewall Client            SecureNAT Client         Web Proxy Client
Operating system support   Windows clients            All TCP/IP systems       All HTTP 1.1-compliant Web browsers
Software configuration     Firewall client software   TCP/IP default gateway   Web browser proxy configuration

Windows version 3.1 and Windows NT version 3.51 and earlier aren't supported as Firewall clients. These systems must be configured as SecureNAT or Web Proxy clients, or both.

ISA Server Policies and Policy Elements

Setting an ISA Server rule requires two separate steps: creating the policy elements that define to what protocol, client group, time of day, address, or other element the policy will apply, and then creating the actual policy that will be applied to one or more policy elements. You might define a schedule policy element that is "Weekends"—that is all day Saturday and Sunday. Then you might create a policy that prohibits the use of the FTP protocol. When you combine those two, you have a rule that doesn't allow anyone to download files onto their computer on the weekend.

So when you create or modify a policy element such as a Client Address Set, Protocol Definition, or Schedule, you aren't actually creating any rules; you're just changing the options to which the rules apply. Policies are the rules you actually create, and you apply them to policy elements.
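The two-step model above (policy elements first, then a policy that binds them) is easy to see in code. The following is an added example, not ISA Server's object model or any code from the book: it defines a Schedule, a Protocol Definition and a Client Address Set as policy elements, then a rule that prohibits FTP on the "Weekends" schedule, exactly as the chapter describes. The deny-beats-allow ordering and the deny-by-default fallback are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
# Policy elements (this example's own simplification, not ISA's object model).
@dataclass
class Schedule:
    name: str
    weekdays: set          # Python weekday numbers, Monday=0 .. Sunday=6
    def covers(self, when: datetime) -> bool:
        return when.weekday() in self.weekdays

@dataclass
class ProtocolDefinition:
    name: str
    ports: set             # TCP ports that identify the protocol

@dataclass
class ClientAddressSet:
    name: str
    networks: list         # ip_network objects
    def contains(self, addr: str) -> bool:
        return any(ip_address(addr) in n for n in self.networks)

# A policy (rule) binds an allow/deny action to policy elements.
@dataclass
class Rule:
    name: str
    action: str            # "allow" or "deny"
    protocol: ProtocolDefinition
    schedule: Schedule
    clients: ClientAddressSet
    def matches(self, client: str, port: int, when: datetime) -> bool:
        return (port in self.protocol.ports and self.schedule.covers(when)
                and self.clients.contains(client))

def evaluate(rules, client, port, when):
    """Deny beats allow; no matching rule means deny (an assumed default)."""
    hits = [r.action for r in rules if r.matches(client, port, when)]
    return "deny" if "deny" in hits or not hits else "allow"

# Chapter elements (Weekends schedule, FTP protocol) plus constructed ones.
WEEKENDS = Schedule("Weekends", {5, 6})
ALWAYS = Schedule("Always", set(range(7)))
FTP = ProtocolDefinition("FTP", {21})
INTERNAL = ClientAddressSet("Internal", [ip_network("10.0.0.0/8")])
RULES = [Rule("Allow FTP", "allow", FTP, ALWAYS, INTERNAL),
         Rule("No weekend FTP", "deny", FTP, WEEKENDS, INTERNAL)]

def decide(client, port, year, month, day, hour=12):
    return evaluate(RULES, client, port, datetime(year, month, day, hour))
```

Changing the Weekends element (say, adding Friday evening) changes what every rule built on it does, which is why editing an element is not the same as editing a rule.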

ISA Server Deployment

The next sections discuss how to select hardware based on the number of clients on the network, how to use multiple ISA servers in an array for enhanced performance and fault tolerance, how to set up multiple ISA servers in series to create two levels of protection from the Internet, and how to migrate from Proxy Server 2.0.

Choosing Appropriate Hardware

The number of clients you plan to service determines the hardware on which to deploy ISA Server. Besides all the usual requirements and recommendations for Windows 2000 (see Chapter 5), use Table 31-2 to help determine the appropriate hardware for your ISA servers.

Table 31-2. ISA Server hardware requirements

Number of Users   Minimum Processor     RAM                 Disk Space for Caching
1-500             Pentium II 300 MHz    256 MB              2-4 GB on an NTFS partition
500-1000          Pentium III 550       256 MB              10 GB on an NTFS partition
1000-2000         2 Pentium III 550s    256 MB per server   10 GB per server on an NTFS partition

Alternatively, you could deploy servers with faster processors, such as a 1 GHz or faster system. A 1.4 GHz system should be able to handle roughly 2000 clients; however, you should test this on the network before deploying a number of servers.

More Info

For information about performance monitoring and reporting in ISA Server, see the section entitled Monitoring ISA Server later in this chapter, or see the online Help system.

Arrays and the Enterprise

If your firewall and caching needs exceed the capabilities of a single ISA server, you can link multiple ISA servers together in an array to provide fault tolerance and better performance, provided you own copies of the ISA Server Enterprise Edition.

ISA Server arrays are powerful and easy to use. The number of clients you can handle scales linearly with the number of ISA servers you deploy in an array: add a second system of the same specifications and you double the number of clients you can handle. Arrays require no additional setup work on the clients and are centrally administered as if they were a single server.

Array members communicate with each other to ensure that the Web cache is split between members of the array with no overlap (and therefore no wasted space or bandwidth consumed). Clients are automatically routed to the array member that contains the desired Web page in its cache.

To deploy an array, the ISA servers must be members of the same Active Directory domain (Windows NT domains won't work), and you must install the ISA Server schema to Active Directory, as described in the section entitled Installation later in this chapter.

Installing the ISA Server schema into Active Directory allows you to set policies that apply to all ISA Server arrays in the enterprise. For this reason, many administrators choose to create all ISA servers as arrays, even if they only contain one server. This allows you to control their settings using enterprise policies.

Don't install ISA Server on a domain controller, even if you're going to set up an array. ISA Server doesn't need to be physically on a domain controller to interact with Active Directory, and placing a domain controller outside the firewall is an enormous security risk.

Perimeter Networks and Cascading ISA Servers

To make a number of servers available from the Internet, such as Web servers, media servers, and mail servers, you can implement a so-called perimeter network, also known as a DMZ (demilitarized zone) network. Perimeter networks allow the setting of two levels of security so Internet clients can access the Internet servers behind a firewall but can't get to the internal network, which is located behind a second firewall with a tighter security policy. A back-to-back perimeter network is shown in Figure 31-1.

Figure 31-1. A back-to-back perimeter network.

To implement a back-to-back perimeter network, follow these steps:

  1. Set up the LAT (local address table) on the ISA server connected to the Internet to include the addresses of all servers in the perimeter network. Also include the address of the second ISA server (make sure to specify the address associated with the network card connected to the perimeter network, not the network card connected to the internal network).
  2. Set up the LAT on the second ISA server (the one connected to the internal network) to include the addresses of all computers on the internal network. Do not include the addresses of any computers on the perimeter network or the first ISA server.
  3. Create publishing rules on the first ISA server (the one connected to the Internet) for the desired servers on the perimeter network, such as your Web server and e-mail server. This process is covered later in this chapter.
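The LAT decides, for each ISA server, which addresses are "inside" and therefore which packets are translated, which are local, and which can only arrive through a publishing rule. The following added example (not code from the book or from ISA Server) models that decision with the RFC 1918 ranges from the sidebar above as the default LAT, then builds the two LATs and the publishing rules from the three steps just listed. The perimeter addresses, the Internet hosts and the published ports are constructed sample values.

```python
from ipaddress import ip_address, ip_network

# RFC 1918 ranges, which ISA Server adds to the LAT when it is installed.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]

def in_lat(lat, addr):
    """True if addr lies in any LAT range, i.e. the ISA server treats it as local."""
    return any(ip_address(addr) in net for net in lat)

def classify(lat, src, dst):
    """How one ISA server treats a packet, judged by LAT membership alone."""
    s, d = in_lat(lat, src), in_lat(lat, dst)
    if s and d:
        return "local"      # both ends local: never leaves via the external card
    if s:
        return "outbound"   # source address is translated to the external address
    if d:
        return "inbound"    # reaches a LAT host only through a publishing rule
    return "external"       # neither end is local: not this server's traffic

# Constructed back-to-back layout (sample addresses, not from the chapter):
#   Internet - ISA1 - perimeter 192.168.100.0/24 - ISA2 - internal 10.0.0.0/8
WEB_SERVER, MAIL_SERVER = "192.168.100.10", "192.168.100.20"
ISA2_PERIMETER_NIC, ISA2_INTERNAL_NIC = "192.168.100.2", "10.0.0.1"

# Step 1: ISA1's LAT lists the perimeter servers and ISA2's perimeter-facing
# address as /32 hosts; ISA2's internal-facing address is deliberately absent.
ISA1_LAT = [ip_network(a) for a in (WEB_SERVER, MAIL_SERVER, ISA2_PERIMETER_NIC)]
# Step 2: ISA2's LAT holds only the internal network.
ISA2_LAT = [ip_network("10.0.0.0/8")]
# Step 3: publishing rules on ISA1 (constructed): perimeter services that
# Internet clients may reach, as (server, TCP port) pairs.
PUBLISHED = {(WEB_SERVER, 80), (MAIL_SERVER, 25)}

def isa1_inbound_allowed(src, dst, port):
    """Inbound traffic passes ISA1 only if it targets a published service."""
    return classify(ISA1_LAT, src, dst) == "inbound" and (dst, port) in PUBLISHED

def trace_outbound(client, internet_host):
    """Classification applied by ISA2 and then ISA1 to an internal client's
    packet; two 'outbound' results mean the address is translated twice."""
    hop1 = classify(ISA2_LAT, client, internet_host)
    hop2 = classify(ISA1_LAT, ISA2_PERIMETER_NIC, internet_host)
    return hop1, hop2
```

Note that an Internet packet addressed to ISA2's internal-side card is "external" to ISA1, which is the point of leaving that address out of ISA1's LAT in step 1.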

You can implement a perimeter network with a single ISA server by installing three network cards in the desired server. This saves the cost of an extra ISA Server computer and software license. If you do implement a perimeter network with a single ISA server, make sure that all addresses in the perimeter segment are valid Internet addresses (talk to your ISP about this). Also, make sure only to include addresses from the internal network segment in the LAT. Consult the Help system on perimeter networks for more information.

Migrating from Proxy Server 2.0

Although Microsoft ISA Server isn't simply Proxy Server 3.0, you can still perform an upgrade from Proxy Server to ISA Server. Most Proxy Server settings are migrated to ISA Server, and existing Proxy clients continue to function.

However, there are some prerequisites and actions you need to take to upgrade to ISA Server, as described in the following list:

  • The Proxy Server computer you upgrade must be running Proxy Server 2.0 on Windows 2000 Service Pack 1 or later.
  • If Proxy Server is still running on Windows NT 4, stop all Proxy Server services, upgrade the server to Windows 2000, and then install ISA Server (ignore the warning that ISA Server isn't compatible with these operating systems).
  • If your network uses the IPX/SPX protocol for internal clients, you need to install TCP/IP and configure all clients to use it, because ISA Server doesn't support IPX.
  • If you're migrating a Proxy Server array to a stand-alone ISA Server, most of the settings are migrated. If you're migrating to an ISA Server array, the enterprise policies you create affect how Proxy Server's settings are transferred.
  • To migrate a Proxy Server array, first remove all members from the array. During ISA Server setup, create a new array, and migrate each Proxy Server array member to this new array.

More Info

For more information about migrating from Proxy Server 2.0, including how tasks are performed differently on ISA Server, see the ISA Server online Help system.


Microsoft Windows 2000 Server Administrator's Companion
ISBN: 0735617856
Year: 2003
Pages: 320